If you have ever been a bit paranoid about files you have received by email, or you work in a sensitive environment, you have probably searched online for tools that can help you analyze a file and give you a detailed overview of whether it could be harmful or not. VirusTotal is one of the more prominent online services that offers a way to upload any suspicious file and analyze it.
Tools Offensive Security APT Detection
Defining cyber attacks is a difficult task. They vary in origin and goals and, at first glance, the techniques used might seem very different. Luckily, a popular model was defined by Lockheed Martin, still used to this day, which illustrates very well the lifecycle of a typical cyber attack. The Cyber Kill Chain, popular but controversial, defines the 7 principal steps of an attack. There have been many advances since its original conception, one of which is the widely acclaimed ATT&CK Matrix for Enterprise.
Don't remember all the command line tools or which parameters go where? Do you get lost at some point in all these terminal screens running different algorithms one after the other? Let CyberChef prepare and cook all this for you!
For years, hackers have been the main characters of movies and books and have generally captured the imagination of regular folks. When we see these hackers use the tools of their trade, we usually see a black screen with green text flashing as fast as possible, lost in commands and bright flashing lights. This couldn't be further from reality, as most hackers will spend hours and days on end to accomplish their tasks, usually staring at a screen and using their programs of choice.
Pentesting Offensive Security Linux Virtualization
Some time ago I wrote a blog about Installing Linux Bash Shell (and Metasploit) on Windows 10. This is great when we want to enjoy the best of both worlds: keep using Windows, with its out-of-the-box configuration and set-up, and still be able to use the powerful tools available for the Linux distribution. In my previous blog I went through the steps necessary for setting up WSL and installing an Ubuntu and Kali Linux distribution. Since then, a lot of advancements have been made to facilitate the use of these distributions for Windows users.
Detecting suspicious or malicious activity in a network is not a trivial task. In recent years the attacks perpetrated have grown in sophistication and frequency. For this reason a new detection tool was developed, in the form of the Multi Agent Ranking framework (MARk). MARk sets the groundwork for the implementation of large-scale detection and ranking systems through the implementation of distributed storage in conjunction with highly specialized, stand-alone detector agents. The detector agents are responsible for analyzing specific predefined characteristics and producing a report of any suspicious activity encountered.
In the process of analyzing a suspicious machine, the first thing we need to do is to actually image the machine we want to investigate. There are different tools available to do this, but the one I most often use is FTK Imager by AccessData. The FTK Imager tool is easy to use and, more importantly, there is a free version.
Recently I encountered an error I wasn't too familiar with and didn't know how to resolve while working with the ELK Stack. This specific error is the "[circuit_breaking_exception] [parent] Data too large, data for [<http_request>]". It is not directly visible where the error originates from, but with some sleuthing I discovered that it is caused by Elasticsearch preventing some requests from executing to avoid possible out-of-memory errors, as detailed in the Elasticsearch Circuit Breaker documentation.
In everyday life we need to constantly remind ourselves of important information. Some people write this information on post-it notes, in notebooks or using programs such as Microsoft Word or Google Notes. The problem is that information is in itself transitive: one piece of data or a note can lead to another one, and it can become cumbersome and difficult to follow the trail of information. Our brain works the same way; usually we store information by association: to remember a fact, we try to think, for example, of where we learned the fact or who told it to us, and follow the links to the information we try to remember.
In modern network infrastructures there are a lot of sources of data that can be of interest for collection and analysis, to see if possible suspicious activity is present in the network. More often than not, this data is collected and sent to a Security Information and Event Management (SIEM) tool running on the network, where it can be processed and reviewed by domain specialists.
Managing big networks can be quite complicated: many inbound and outbound requests, network traffic, email correspondence and other activities need to be monitored. It is quite easy for an attacker to obfuscate his actions when we are confronted with large amounts of network data to analyze. Luckily, there are ways to aggregate all this data and store it so it can be reviewed and any abnormal activity hopefully discovered. Of course, I am talking about the use of a Security Information and Event Management (SIEM) framework. One such framework that has gained a lot of popularity, because of its modularity and open-source nature, is the ElasticSearch/Logstash/Kibana framework.
As I mentioned in the previous blog posts on the subject of the GHOSTS framework, I often use virtual machines to set up and run my tests. In the case of GHOSTS, I have the main GHOSTS server API running on a Linux VM with docker and docker-compose, and the GHOSTS client running on a Windows 10 virtual machine. If you are interested in reading about it, you can find the previous blogs at the following links: