BloodHound Active Directory queries for Defenders

Getting Active Directory security right can be a challenging task. Individual groups of computers or user privileges will most likely be properly configured but there are always some trade-offs that have to be made. Attackers will try to find an attack path by abusing the weaknesses that are caused by these trade-offs. Jumping from one host to another, compromising user accounts and abusing active sessions might get them to their final objectives. Whether this isRead more.

Drupal SA-CORE-2018-002 aka Drupalgeddon2

The Drupal team released a security advisory for all Drupal sites recommending all these sites to upgrade to the latest Drupal version.

The discovered vulnerability could lead to remote code execution in Drupal 7.x and 8.x.

I have a mindmap on this vulnerability

Further information from Drupal can be found at

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 The FAQ on SA-CORE-2018-002

According to bojanz this vulnerabilityRead more.

MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

The MISP ZeroMQ pluginRead more.

Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program

I published an article on IBM Security Intelligence on Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program. The article covers essential, freely available, tools for doing security risk management.

Upgrading Apache, unmet dependencies

I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that

Files are stored centrally (on the host OS) Different environments can use the same files and configuration (if stored in /var/www) I can use nativeRead more.

Monitor your public assets via Shodan

Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is, whatever that is connected to the internet will get indexed by their crawlers.

I wrote a script that takes one parameter (ideally a string) and

Fetches the information that is available at Shodan forRead more.

Submit malware samples to VMRay via MISP

I’m a happy user of MISP, Malware Information Sharing Platform & Threat Sharing. MISP core already contains a lot of features to satisfy your needs when it concerns threat and information sharing. But there’s always room for improvement. If you submit a feature request, MISP can be extended with your request. However changing the core is not always desirable. Also sometimes you want some feature to work just the way you want it, this doesn’tRead more.

Malware scanning of web directories with OWASP WebMalwareScanner

One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).

One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked inRead more.

Using Bro for building Passive DNS data

Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.

If you run your own corporate -internal- nameservers it makes sense to monitor what domains have been queried and what results were returned in the past. You can use the collection of internal queries for future incident response. You can use this collected information to cross-check with informationRead more.

Using the Digital First Aid Kit for Incident Response

Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is for example the MISP – Malware Information Sharing Platform & Threat Sharing

But once you have an incident … how you deal with it? Everyone has (or should have) written their own incident response procedures but did you know thatRead more.