Blue Team Tactics: Honey Tokens Pt. II

This is a multipart blog post, read part one and then continue here. We enabled filesystem auditing, created our audit template, and staged our honey tokens for deployment in part one. In part two, we will deploy the honey tokens and identify various methods for monitoring adversary interaction. Deploying honey tokens using PowerShell (PoSh) I … Read more Blue Team Tactics: Honey Tokens Pt. II

Load Balancing a Splunk Search Head Cluster

A Splunk Search Head (SH) enables an analyst to query a Splunk Indexer for data in a distributed configuration. A Search Heads group that shares knowledge objects and settings is known collectively as a Search Head Cluster (SHC). Deploying a SHC provides high availability (HA) and many other benefits to your users. However, as you scale out … Read more Load Balancing a Splunk Search Head Cluster

FreeIPA integration with Splunk

Splunk has built-in user authentication; however, if you have multiple deployments or a clustered environment, it makes sense to utilize centralized user management. FreeIPA provides a solution similar to a Domain Controller in an Active Directory (AD) environment. Setting up FreeIPA is outside the scope of this document, and we will instead focus on how to integrate Splunk … Read more FreeIPA integration with Splunk

Blue Team Tactics: Honey Tokens Pt. I

If you are defending an enterprise network, you should be using some form of honey token or canary, which is just something you place in your environment that no one should access. If any interaction is detected, it is usually an indicator of unauthorized activity. Using pseudo domain accounts as honey tokens usually illuminate the risk bubble … Read more Blue Team Tactics: Honey Tokens Pt. I

DIY IP Threat Feed

A threat feed is a collection of actionable information about threats that allows for mitigating harmful events. This blog post is concerned with developing an IP based threat feed or blacklist. We will look at how to gather, aggregate, enrich, and extract threat data for consumption. Gathering the threat data I have several servers in … Read more DIY IP Threat Feed

Deploying Splunk Universal Forwarders via GPO

When you want to get security event data from your Windows endpoints, there exists a myriad of ways to achieve that objective. Here I am going to outline how to deploy the Splunk Universal Forwarder (UF) using a Group Policy Object (GPO). From there, you can configure the agents using a deployment server to ship the logs … Read more Deploying Splunk Universal Forwarders via GPO

A Tale of an MSBuild In-Line Task

I analyzed a suspicious file found during an Incident Response (IR) that turned out to be an in-line MSBuild task. The file had a byte array with an extremely long sequence of bytes. My first thought was that it was a binary of some sort. I extracted the bytes and wrote a few lines of C … Read more A Tale of an MSBuild In-Line Task

Stack Smashing at Home

There are various wargaming sites such as SmashTheStack, OverTheWire, and IO Wargame that provide a platform for users to legally exploit real world software vulnerabilities. Source code is provided with a few of the challenges, which you can copy to a local research machine instead of working remotely. Keep in mind that the sites hosting … Read more Stack Smashing at Home

Ansible User Account Provisioning

Whenever I stand up a new Linux machine, I always find myself doing the same four things:  Creating my main user account  Creating an ansible user account  Configuring sudoers  Copying over SSH Public Keys. Definitely, not something that evokes fun. I have tried various automation tools, but ansible has found a very special place in … Read more Ansible User Account Provisioning

Replacing the Default Splunk Web SSL Certificate

This post  goes over how to sign a SplunkWeb Certificate Signing Request (CSR) using my Root CA in pfSense. I do not cover creating the Root CA. Step 1: Create the directory for the certificates splunk@siem:~$ mkdir /opt/splunk/etc/auth/certs Step 2: Generate the private key and temporary password splunk@siem:~$ cd /opt/splunk/etc/auth/certs splunk@siem:~$ splunk cmd openssl genrsa … Read more Replacing the Default Splunk Web SSL Certificate