ELASTIC SIEM: Kibana Query Language (KQL) 

by
This entry is part 13 of 17 in the series Threat Detection Engineering

Views: 28Different Syntax Languages Kibana supports two types of syntax languages for querying in Kibana: KQL (Kibana Query Language) and Lucene Query Syntax. Special Characters Certain characters are reserved in ELK queries and must be escaped before usage. Reserved characters in ELK include +, -, =, &&, ||, &, | and !. For instance, using the + character in a query will result in an error; to escape this character, precede it with … Read more

MITRE Framework

by
This entry is part 12 of 17 in the series Threat Detection Engineering

Views: 19MITRE ATT&CK Navigator https://mitre-attack.github.io/attack-navigator MITRE D3FEND https://d3fend.mitre.org MITRE ENGAGE MITRE Engage MITRE Engage Matrix ATT&CK Emulation Plans https://mitre-engenuity.org Center of Threat-Informed Defense (CTID) Cyber Analytics Repository https://car.mitre.org

Shodan 101

by
This entry is part 2 of 3 in the series Offensive Testing Enterprise Networks

Views: 15Shodan is a search engine for Internet-connected devices.It lets users search for various types of servers (webcams, routers, servers, etc.) connected to the internet using a variety of filters.Some have also described it as a search engine of service banners, which is metadata that the server sends back to the client.This can be information … Read more

Adversary emulation with Caldera and Wazuh: Part 02

by
This entry is part 2 of 5 in the series Wazuh - SIEM and XDR

Views: 23 Deploy Agents on Linux machines 2 Windows and 1 Linux agents Configure sysmon We configure the agent to capture Sysmon events by adding the following settings to the agent configuration file in “C:\Program Files (x86)\ossec-agent\ossec.conf” Restart the Wazh agent after modifying the agent configuration file. Detection using Wazuh The attacks against the Linux agent … Read more

Leveraging CALDERA to emulate various adversarial activities for detection capability testing – PART 01

by
This entry is part 1 of 5 in the series Red Team Engagements

Views: 43CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences. In addition, it provides a modular environment for red team engagements, supporting red team operators for the manual execution of TTPs and blue teamers for automated … Read more

GOAD v2 Installation

by
This entry is part 3 of 3 in the series Attack and Defend Active Directory

Views: 30Game Of Active Directory The following steps explain the procedure to setup the GOADv2 LAB environment to pentest Active Directory. Warning This lab is extremely vulnerable, do not reuse recipe to build your environment and do not deploy this environment on internet without isolation (this is a recommendation, use it as your own risk). This … Read more

Volatility: Perform Memory Forensics with Volatility (Part 01)

by
This entry is part 2 of 13 in the series Incident Response and Forensics

Views: 23Reference: TryHackMe Room “Core Windows Processes” Core Windows Processes Understanding how the Windows operating system functions as a defender is vital.  Task Manager doesn’t show a Parent-Child process view. That is where other utilities, such as Process Hacker and Process Explorer, come to the rescue. Process Hacker Process Explorer Command-line equivalent of obtaining information about the running … Read more

Remotely Upgrading Wazuh Agents – CLI Method

by
This entry is part 1 of 5 in the series Wazuh - SIEM and XDR

Views: 34To upgrade agents using the command line, use the agent_upgrade tool as follows: List all the agents with outdated software: [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_upgrade -lID    Name                                Version                   001   zyberpatrol-pdc                     Wazuh v4.7.1    Upgrade the agent with ID 001 using the ‘-a’ parameter followed by the agent ID: [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_upgrade -a 001 Upgrading… Upgraded agents:       Agent 001 upgraded: Wazuh v4.7.1 … Read more

L4 – L7 Load Balancing

by
This entry is part 3 of 3 in the series F5 Local Traffic Manager (LTM)

Views: 34 Load Balancers Despite the name, a Load Balancer does not only balance the load: some of its core functionalities are: L4 to L7 Network Services Definition L4-L7 Network Services Definition are a set of functions such as: load balancing, web application firewalls, service discovery, and monitoring for network layers within the Open Systems Interconnection (OSI) model. … Read more