Use Sysmon DNS data for incident response

Recent versions of Sysmon support the logging of DNS queries. This is done via event ID 22 in Applications and Services Log > Microsoft > Windows > Sysmon Operational.

To enable DNS logging, you need to include the section DnsQuery in your Sysmon configuration file. For example via

Note that enabling DNS queries can be noisy. It’s best to apply filtering as proposed by the SwiftOnSecurity sysmon config file and, additionally, filter out the commonlyRead more.

BelgoMISP Meeting 0x01 : Belgian MISP User Group Meeting

Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general?

There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter.

Use PyMISP to track false positives and disable to_ids in MISP

Attributes in MISP have a boolean flag to_ids allowing you to indicate if an attribute should be used for detection or correlation actions. According to the MISP core format data standard, the to_ids flag represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.

Unfortunately attributes markedRead more.

Docker image for PyMISP (and create MISP data statistical reports)

Installing PyMISP can sometimes be difficult because of a mixup between Python2 and Python3 libraries or problems with pip install. To solve this I created a PyMISP docker container that allows you to run the scripts in the example directory, without the need of installing PyMISP itself.

The Dockerfile is in the Github repository PyMISP-docker. The docker container is available via Docker Hub cudeso/pymisp.

In a previous post I covered how to create MISP dataRead more.

Feed honeypot data to MISP for blocklist and RPZ creation

I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.

The coreRead more.

Keeping a Git fork up-to-date

I sometimes contribute to open source projects on Github. The workflow then often consist of creating a fork, adding my own code and then submitting pull requests.p

Unfortunately sometimes when you do this the upstream (meaning, the ‘original’ repository) has changed so much that it’s not possible to easily submit (or include) your changes. You then need to sync your fork with the upstream repository.

For what concerns the repositories related to MISP, these areRead more.

Sync sightings between MISP instances

MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).

There is not immediately an option within MISP to sync sightings between instances.You can syncRead more.

Submit malware samples to VMRay via MISP – Automation

End 2016 I contributed a module to extend MISP, the Open Source Threat Intelligence and Sharing Platform, with malware analysis results from VMRay : Submit malware samples to VMRay via MISP. VMRay provides an agentless, hypervisor-based dynamic analysis approach to malware analysis. One of it great features is the API, allowing you to integrate it with other tools.

One of the drawbacks of the module was that it required a two step approach : firstRead more.

Improving DNS logging, dnstap on Ubuntu

DNS logging and monitoring is important! Monitoring DNS logs allows you to analyze and detect C&C traffic and have access to crucial information to reduce the dwell time and detect breaches. Combined with Passive DNS it’s a very valuable data source to be used during incident response.

But DNS logging comes at a price. Every log operation requires the system to write out an entry to disk (besides also properly formatting the log string). ThisRead more.

Hunt for devices with default passwords (with Burp)

In my previous post I talked about using the nmap NSE scripts or Hydra to search for systems with default passwords. My approach involved two steps: first learn via Burp how the authentication works (getting to know the form elements etc.) and then use this information as input for the brute force scripts.

A colleague pointed out that you can also use Burp suite for this last step.

Similar as with the previous approach, firstRead more.