Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

Latest posts

VMware ESXi with support for NUC-11 network interface

The Intel NUC Mini PCs are great mini computers to run VMware ESXi. Unfortunately, the image of VMware ESXi 7 doesn’t support the network drivers of the NUC 11th generation. A post on https://www.virten.net/2021/11/vmware-esxi-7-0-update-3-on-intel-nuc/ describes how to create a new image, with support for the network driver. I put this post here primarily as a personal reminder.

The image is build with VMware PowerCLI.

Now download the ESXi offline image and the network driver. ThenRead more.

How Attackers Exploit the Remote Desktop Protocol

I published an article on the IBM Security Intelligence blog : How Attackers Exploit the Remote Desktop Protocol.

This article covers the Remote Desktop Protocol (RDP) and how attackers attempt to exploit it. I provide a short introduction on what is RDP and who uses it and highlight some of its vulnerabilities, such as BlueKeep and DejaBlue. The article also includes a number of countermeasures that you can use to protect your RDP servers andRead more.

Parsing the O365 Unified Audit Log with Python

The Unified Audit Log contains crucial elements when you want to investigate an incident in O365. You can do this live (with PowerShell, for example via Hawk). Sometimes however you receive the log file offline, with no live access to the environment.

I could not find a tool that gives me a quick overview of what was in the log. So I decided to write my own simple Python script to parse the exported O365Read more.

When Is an Attack not an Attack? The Story of Red Team Versus Blue Team

I published an article on the IBM Security Intelligence blog : When Is an Attack not an Attack? The Story of Red Team Versus Blue Team. This article is a high level overview of a red team vs blue team engagement. It starts with the reconnaissance of the victim, the red team scenario building, attack delivery and also how the blue team can discover the activities from the read team.

Read more at https://securityintelligence.com/articles/red-team-versus-blue-team-attack/.

Install Elastic Filebeat as daemon on OSX

Filebeat is a lightweight shipper for logs. You can use it to collect logs from endpoints and store them centrally in Elastic. You can use it to collect logs from Linux systems, but it also works on Apple OSX. Installing filebeat is straightforward

After installing filebeat you have to enable the system module

Then update the configuration file (filebeat/filebeat.yml)

I used the information from a support post on the Elastic site: https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/11. This post describesRead more.

Use Mobile Verification Tool to check if your iPhone is affected by Pegasus spyware

The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by CitizenLab (hacks from the Bahraini government on activists) with a forensic methodology report made available by Amnesty International.

Because both the tools and the indicators of compromise are made available it’s fairly easy to do these checks yourself.

Setup a Python virtual environmentRead more.

Identify malicious servers / Cobalt Strike servers with JARM

For a new assignment I wanted to use JARM to group servers with a similar configuration. Why JARM? Because it’s an easy way to quickly identify and group servers based on their configuration.

JARM is an active fingerprinting of TLS servers made available by Salesforce Engineering. It sends 10 TLS Client Hello packets to a server and captures specific attributes of the responses. These responses are then aggregated and hashed. A JARM fingerprint consists ofRead more.

Cobalt Strike Hunting – Key items to look for

Cobalt Strike (S0154) is a commercial penetration testing platform which is used by many red teams and, unfortunately, also by many criminal threat actors. In this post I summarise the findings from a SANS Digital Forensics and Incident Response keynote by Chad Tilbury : Cobalt Strike Threat Hunting. The YouTube video provides much more details but below you can find those findings that were relevant for me during an IR case.

This post includes referencesRead more.