Submit malware samples to VMRay via MISP – Automation

End 2016 I contributed a module to extend MISP, the Open Source Threat Intelligence and Sharing Platform, with malware analysis results from VMRay : Submit malware samples to VMRay via MISP. VMRay provides an agentless, hypervisor-based dynamic analysis approach to malware analysis. One of it great features is the API, allowing you to integrate it with other tools.

One of the drawbacks of the module was that it required a two step approach : firstRead more.

Improving DNS logging, dnstap on Ubuntu

DNS logging and monitoring is important! Monitoring DNS logs allows you to analyze and detect C&C traffic and have access to crucial information to reduce the dwell time and detect breaches. Combined with Passive DNS it’s a very valuable data source to be used during incident response.

But DNS logging comes at a price. Every log operation requires the system to write out an entry to disk (besides also properly formatting the log string). ThisRead more.

Hunt for devices with default passwords (with Burp)

In my previous post I talked about using the nmap NSE scripts or Hydra to search for systems with default passwords. My approach involved two steps: first learn via Burp how the authentication works (getting to know the form elements etc.) and then use this information as input for the brute force scripts.

A colleague pointed out that you can also use Burp suite for this last step.

Similar as with the previous approach, firstRead more.

Hunt for devices with default passwords

I wrote a follow-up on using Burp for both the analysis and attack phase : Hunt for devices with default passwords (with Burp).

Using a strong and unique password for authentication is a key element in security. Unfortunately there are still a lot of devices installed with a default password. This post describes how you can find the web interface of these devices.

Before we start, it’s to important to list the three different webRead more.

How to Use Passive DNS to Inform Your Incident Response

I published an article on How to Use Passive DNS to Inform Your Incident Response on the Security Intelligence blog.

This article gives you an insight on the different logging options for DNS traffic and how the historical records in passive DNS can help you during incident response. I included references to generating passive DNS data based on your traffic and which options you have for consuming it from a client perspective.

BloodHound Active Directory queries for Defenders

Getting Active Directory security right can be a challenging task. Individual groups of computers or user privileges will most likely be properly configured but there are always some trade-offs that have to be made. Attackers will try to find an attack path by abusing the weaknesses that are caused by these trade-offs. Jumping from one host to another, compromising user accounts and abusing active sessions might get them to their final objectives. Whether this isRead more.

Drupal SA-CORE-2018-002 aka Drupalgeddon2

The Drupal team released a security advisory for all Drupal sites recommending all these sites to upgrade to the latest Drupal version.

The discovered vulnerability could lead to remote code execution in Drupal 7.x and 8.x.

I have a mindmap on this vulnerability

Further information from Drupal can be found at

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 The FAQ on SA-CORE-2018-002

According to bojanz this vulnerabilityRead more.

MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

The MISP ZeroMQ pluginRead more.

Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program

I published an article on IBM Security Intelligence on Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program. The article covers essential, freely available, tools for doing security risk management.

Upgrading Apache, unmet dependencies

I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that

Files are stored centrally (on the host OS) Different environments can use the same files and configuration (if stored in /var/www) I can use nativeRead more.