Lame
In this blog, we explore the process of identifying and exploiting vulnerabilities in Samba using the CVE-2007-2447 exploit. By leveraging Metasploit, we demonstrate how to gain unauthorized access to a server through the manipulation of shell metacharacters. This post provides a detailed, step-by-step guide on executing the exploit and capturing the root flag. Perform an…
Blue
This walkthrough demonstrates exploiting a vulnerable Windows 7 machine using the infamous EternalBlue (MS17-010) vulnerability. Initial nmap reconnaissance reveals an SMB service with critical misconfigurations including disabled message signing, guest account access, and an outdated operating system. After enumerating SMB shares and identifying the vulnerability, the machine is successfully compromised using Metasploit’s EternalBlue exploit module,…
Campfire
Analysis of memory dump (recollection.bin) from compromised Windows 7 SP1 machine (USER-PC) revealed evidence of multi-stage attack including clipboard hijacking, credential exfiltration, malware execution, and data theft via network shares. Timeline indicates attacker gained initial access and executed obfuscated PowerShell commands to establish persistence and exfiltrate sensitive files.
Recollection
Analysis of memory dump (recollection.bin) from compromised Windows 7 SP1 machine (USER-PC) revealed evidence of multi-stage attack including clipboard hijacking, credential exfiltration, malware execution, and data theft via network shares. Timeline indicates attacker gained initial access and executed obfuscated PowerShell commands to establish persistence and exfiltrate sensitive files.
Tracer
Detection of unauthorized PsExec lateral movement activity originating from workstation FORELAWKSTN001. Investigation confirmed 9 separate PsExec execution instances indicating sustained adversary activity and systematic lateral movement across the network. Adversary utilized legitimate Microsoft Sysinternals PsExec tool (Living Off The Land technique) to execute remote commands with SYSTEM privileges.
Trojan
Windows 10 workstation (DESKTOP-38NVPD0) compromised through user execution of malicious software masquerading as a legitimate data recovery tool. Malware downloaded from a compromised website, established C2 communications, and downloaded a secondary payload. Investigation conducted using memory forensics (Volatility 3), disk forensics (FTK Imager), and prefetch analysis (PECmd.exe).
Setting up secure email automation with Proton Bridge and MCP
Proton Bridge Email Automation using Docker MCP and Claude I want to create a secure email automation system that doesn’t compromise on privacy. Most email automation tools require storing credentials in third-party services and granting broad access permissions. Requirements Outcomes Step #1: Create the MCP Server Files Set up your project directory and create the…
Raspberry Pi project ideas
Raspberry Pis are a great start to learning IT. I started doing some fun projects with them while studying for my Network+ and Security+ certifications. It helped tremendously in understanding foundational topics in networking, cybersecurity, and how the internet works. Here is a list of some of the projects I have completed. I hope they…
Using Ollama & Fabric to build Sigma rules
In this blog, we are going to learn how to use an open-source LLM (Ollama) to build Sigma rules. First, we will run tests, analyze the logs in Splunk, and run a command to build our Sigma rule from the Splunk raw log we identified. Step 1: Collect Data Start by gathering detailed network information from…
Detection As Code (DAC) with Elasticsearch
One of the coolest things I like most about the ELK stack is the open-source nature of the solution, as well as the contributions it has been making to Detection as Code (DAC) development. https://github.com/elastic/detection-rules Let’s go through the development life cycle to complete testing of this rule. First, we must validate the syntax and…
Detecting discovery commands using MITRE Caldera and Splunk
We are going to review logs in Splunk based on our BAS testing of Discovery techniques from MITRE Caldera. One discovery technique we want to detect is identifying which antivirus software is running on a machine. An attacker can use this information to disable or evade detection by the antivirus. We can review the report…
Cloud Resume Challenge – AWS
Use this link to navigate to my project: https://djp5iudtdudt5.cloudfront.net Overview The Cloud Resume Project is a hands-on initiative designed to help individuals build and showcase their cloud computing skills through the creation of a professional resume website hosted on the cloud. This project provides a practical and tangible way for participants to demonstrate their expertise…
MITRE Caldera demo
Breach and Attack Simulation (BAS) is a technology that enables organizations to continuously and automatically simulate cyberattacks, replicating the tactics, techniques, and procedures (TTPs) used by real-world threat actors. BAS tools are designed to test and assess the effectiveness of an organization’s security controls, helping identify vulnerabilities and weaknesses in their defenses before an actual…
How to Generate YARA Rules with YarGen
This guide provides a straightforward method for creating YARA rules from malware samples using YarGen and MalwareBazaar. 1. Setup Your Environment CRITICAL: Before you start, use a completely isolated virtual machine (VM). Do not handle malware on a machine connected to your network or containing sensitive data. Inside your VM, open a terminal and follow…
Using Hayabusa
Analyzing Local Windows Event Logs with Hayabusa This guide shows how to use Hayabusa to scan local Windows Event Logs for threats and view the results in Timeline Explorer. 1. Setup and Update Rules 2. Scan Local System Logs Hayabusa scans local EVTX files and saves all findings into a single results.csv file for analysis.…
Detecting Windows memory based attacks
For effective detection, it’s crucial to collect the right data. A best practice is to enable the collection of DLL load events (Event ID 7) using Sysmon on your Windows endpoints. Be aware that this can generate a high volume of data, so you may want to create filters to exclude routine DLL loads from…
Ingesting Cribl logs into Amazon S3 bucket
In this blog, we will learn how to send Cribl Edge logs to a data lake. The purpose of doing this is to store logs in a cost-effective, long-term storage solution without needing to use or store them in a SIEM. This approach allows for incident response investigations if needed, while avoiding the necessity of…
Ingesting Cribl Edge logs into Splunk HEC
In this blog, we will demonstrate how to send Cribl Edge logs to Splunk using the HTTP Event Collector (HEC). HEC is a Splunk feature that allows you to send data and application events to your Splunk deployment over HTTP or HTTPS protocols using token-based authentication. To start, ensure you have a source ingesting logs…
Cribl Edge to Cribl Stream
I have completed my Cribl user certification and wanted to showcase what I learned through a quick demo. The goal of this assignment was to run Cribl Edge on my local computer using WSL and Cribl Stream on a Virtual Machine in VirtualBox. I then wanted to forward the logs from Cribl Edge to Cribl…
Forwarding Sysmon logs to Splunk
System Monitor (Sysmon) is a Windows service and device driver that remains active across system reboots to monitor and log system activities in the Windows event log. It provides detailed insights into process creations, network connections, and changes to file creation times. By collecting events generated by Sysmon through Splunk and analyzing them, you can…
Splunk install and configuration
Splunk is a Security Information and Event Management (SIEM) platform designed to search, monitor, and analyze machine-generated data in real-time. It helps organizations transform raw data from various sources, such as logs and events, into valuable insights, enabling them to troubleshoot issues and enhance security. In this blog, we will install and configure Splunk Enterprise…
Homelab build Components
Desktop Hardware inventory Component Item Specs / Notes Case NZXT H7 Flow 2024 – Mid-Tower ATX Airflow Case Airflow-focused, 3 x 120mm pre-installed fans, supports bottom-mounted GPU fans, good cable management Power Supply Corsair RM850x – 850W Fully Modular PSU ATX 3.1 compliant, PCIe 5.1 support, Cybenetics Gold, 12V-2×6 cable ready CPU AMD Ryzen 7…
ELK installation
Setting Up Elasticsearch, Kibana, and Fleet Server on Ubuntu (Step-by-Step Guide) This guide walks through setting up a full Elastic Stack (Elasticsearch, Kibana, and Fleet Server) on a single Ubuntu server using DEB packages. This setup is ideal for local testing or small deployments. Prerequisites Step 1: Install Elasticsearch 1.1 Add Elasticsearch’s GPG Key 1.2…
How to Backup Proxmox VM’s using Rclone
Setting Up Proxmox Backups with Rclone and Backblaze B2 Backing up your Proxmox VMs and containers is critical for maintaining a secure and reliable environment. This guide walks you through setting up backups with Rclone and Backblaze B2 cloud storage. Step 1: Locate Proxmox Storage Navigate to the storage directory for your backups and identify…
Jerry
Jerry is a machine that uses Apache Tomcat, an open-source application designed to serve web pages developed in Java. We are going to exploit this machine using Metasploit. First, let’s confirm we have a connection to the target machine by using the ping tool, and then check for running applications using nmap. You can…
Creating a Honeypot server for threat intel IOC matching
Honeypot using IONOS VPS and Cowrie I want to create a safe honeypot to try to capture malicious IPs and perform research on them. To do so, I am going to run a cheap VPS in the cloud and remotely pull logs from it. Requirements Optional Outcomes Step #1: Login to public facing VPS using…
How I built my own Autonomous SOC
This project has the goal of creating a production security stack, with the capability to gain visibility into all alerts without the alert fatigue experienced by an individual homelabber. This article assumes you have ELK installed; if you have not done that, navigate to my other blog on the subject at: ELK Stack Install Project…
Greenbone Vulnerability Scanning on Proxmox
Greenbone on Proxmox I want to run a vulnerability scanner from my Proxmox instance. Greenbone provides a solution, but its native format is meant for VirtualBox or VMware. In this blog, we are going to upload the OVA image to Proxmox and adjust it to be compatible with our system. Requirements: Software Outcomes Step #1:…
How to install an open-source firewall on Raspberry Pi 4
IPFire On Raspberry Pi The goal of this project is to get an open source firewall distribution to boot on a Raspberry Pi so I can get an inline firewall for my network. I want to get an idea of who is trying to break in from the outside, increase my security from external attackers…