Using DoD Root Certificates with Git

Git clients perform certificate verification whenever you interact with a remote repository over TLS. Since the Department of Defense (DoD) certificates are not in most mainstream operating systems, the validation fails. The quick and insecure solution is to disable certificate verification globally. git config –global http.sslVerify false Or you can also use the -c option, … Read more

Blue Team Tactics: Honey Tokens Pt. III

This is the final part of a multipart blog post, read part one and two then continue here. In part 2, we simulated adversary interaction with our deployed tokens and then leveraged Windows Event Viewer to assess the generated artifacts. What follows will be several options for getting the audit logs from the endpoints to … Read more

Blue Team Tactics: Honey Tokens Pt. II

This is a multipart blog post, read part one and then continue here. We enabled filesystem auditing, created our audit template, and staged our honey tokens for deployment in part one. In part two, we will deploy the honey tokens and identify various methods for monitoring adversary interaction. Deploying honey tokens using PowerShell (PoSh) I … Read more

Load Balancing a Splunk Search Head Cluster

A Splunk Search Head (SH) enables an analyst to query a Splunk Indexer for data in a distributed configuration. A Search Heads group that shares knowledge objects and settings is known collectively as a Search Head Cluster (SHC). Deploying a SHC provides high availability (HA) and many other benefits to your users. However, as you scale out … Read more

FreeIPA integration with Splunk

Splunk has built-in user authentication; however, if you have multiple deployments or a clustered environment, it makes sense to utilize centralized user management. FreeIPA provides a solution similar to a Domain Controller in an Active Directory (AD) environment. Setting up FreeIPA is outside the scope of this document, and we will instead focus on how to integrate Splunk … Read more

Deploying Splunk Universal Forwarders via GPO

When you want to get security event data from your Windows endpoints, there exists a myriad of ways to achieve that objective. Here I am going to outline how to deploy the Splunk Universal Forwarder (UF) using a Group Policy Object (GPO). From there, you can configure the agents using a deployment server to ship the logs … Read more

Ansible User Account Provisioning

Whenever I stand up a new Linux machine, I always find myself doing the same four things:  Creating my main user account  Creating an ansible user account  Configuring sudoers  Copying over SSH Public Keys. Definitely, not something that evokes fun. I have tried various automation tools, but ansible has found a very special place in … Read more

Replacing the Default Splunk Web SSL Certificate

This post  goes over how to sign a SplunkWeb Certificate Signing Request (CSR) using my Root CA in pfSense. I do not cover creating the Root CA. Step 1: Create the directory for the certificates splunk@siem:~$ mkdir /opt/splunk/etc/auth/certs Step 2: Generate the private key and temporary password splunk@siem:~$ cd /opt/splunk/etc/auth/certs splunk@siem:~$ splunk cmd openssl genrsa … Read more

Working with Raw LVM Disk Images

Mounting disk images on Linux is fairly straight forward, however an image with a Logical Volume Manager (LVM) partition requires a little more attention. The first thing I do is find out some information about the image(s): root@box:# fdisk -l -o Device,Type,Size disk.img Device Type Size disk.img1 Linux 1G disk.img2 Linux LVM 952.9G -l lists … Read more

Slackware LVM over LUKS

This is mostly a post to document my process of setting up Full Disk Encryption (FDE) using the Linux Unified Key Setup (LUKS) and the Logical Volume Manager (LVM). Most major distributions already enable this process at installation, however Slackware does not and it must be done by hand. I am going to use an … Read more