I wrote an article on the VMRay website: Basic Automation with the VMRay API. This article walks you through the use of VMRay as a replacement of a Data Exchange Point.
The article documents how to Submit a Sample via VMRay API and look at the Behaviour Patterns to decide if a file is allowed into your environment or not.
The MISP galaxies and clusters are an easy way to add context to data. I’ve previously written an article “Creating a MISP Galaxy, 101” that describes how you can create your own galaxy and cluster.
Apart from the context, galaxies and clusters also allow you to describe relations between individual elements. These relations can for example be the synonyms (naming) for an APT group or the fact that a specific group uses a (MITRE ATT&CK) … Read more.
A good case management is indispensable for CSIRTs. There are a number of excellent case management tools available but either these are more tailored towards SOCs, are overpriced or are unnecessary complex to use. I have used TheHive, RTIR, Omnitracker, OTRS and ServiceNow and although TheHive and RTIR come close, I have never really found a solution that addresses my needs.
I currently use a combination of
TheHive Case management Template system to start … Read more.
I use a MISP instance to store malware samples that I came across during an investigation or incident. I also worked for example on an integration via a MISP module with the VMRay malware sandbox. The setup with MISP works very well but I needed an easier solution to make these samples available to other users (and tools), without the need of access to this MISP instance.
Enter Malware Repository MWDB, formerly known as … Read more.
The Intel NUC Mini PCs are great mini computers to run VMware ESXi. Unfortunately, the image of VMware ESXi 7 doesn’t support the network drivers of the NUC 11th generation. A post on https://www.virten.net/2021/11/vmware-esxi-7-0-update-3-on-intel-nuc/ describes how to create a new image, with support for the network driver. I put this post here primarily as a personal reminder.
The image is build with VMware PowerCLI.
Now download the ESXi offline image and the network driver. Then … Read more.
I published an article on the IBM Security Intelligence blog : How Attackers Exploit the Remote Desktop Protocol.
This article covers the Remote Desktop Protocol (RDP) and how attackers attempt to exploit it. I provide a short introduction on what is RDP and who uses it and highlight some of its vulnerabilities, such as BlueKeep and DejaBlue. The article also includes a number of countermeasures that you can use to protect your RDP servers and … Read more.
The Unified Audit Log contains crucial elements when you want to investigate an incident in O365. You can do this live (with PowerShell, for example via Hawk). Sometimes however you receive the log file offline, with no live access to the environment.
I could not find a tool that gives me a quick overview of what was in the log. So I decided to write my own simple Python script to parse the exported O365 … Read more.
I published an article on the IBM Security Intelligence blog : When Is an Attack not an Attack? The Story of Red Team Versus Blue Team. This article is a high level overview of a red team vs blue team engagement. It starts with the reconnaissance of the victim, the red team scenario building, attack delivery and also how the blue team can discover the activities from the read team.
Read more at https://securityintelligence.com/articles/red-team-versus-blue-team-attack/.
Filebeat is a lightweight shipper for logs. You can use it to collect logs from endpoints and store them centrally in Elastic. You can use it to collect logs from Linux systems, but it also works on Apple OSX. Installing filebeat is straightforward
After installing filebeat you have to enable the system module
Then update the configuration file (filebeat/filebeat.yml)
I used the information from a support post on the Elastic site: https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/11. This post describes … Read more.
The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by CitizenLab (hacks from the Bahraini government on activists) with a forensic methodology report made available by Amnesty International.
Because both the tools and the indicators of compromise are made available it’s fairly easy to do these checks yourself.
Setup a Python virtual environment … Read more.