Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s…
Docker Hub [https://hub.docker.com/r/asonger/elastic-detection-cli]
Before continuing, please create the custom python file for JIRA integration by doing the following :
sudo touch /var/ossec/integrations/custom-jira OR as root touch /var/ossec/integrations/custom-jira
For full post please click link:
How I took a issue created by another github user and added value to the original query and helped mold it into a new detection rule. Original Query process where event.module == “powershell” and process.args : ( “powershell.exe”, “Set-Service”, “EventLog”, “Disabled”)
Example Data { “_id”: “89933b5f64737a55c666fd1a7155b02c533e65e040dddfb611d83e563afa6796”, “_index”: “.siem-signals-siemplify-000002”, “_score”: “1”…
You first begin by looking up API or PowerShell cmdlets that will help assign permissions to a specific mailbox. So for this rule of detecting when a permission is delegated to specific user in the organization.
Add-MailboxPermission [-Identity] -AccessRights <MailboxRights[]> -User [-AutoMapping ] [-Confirm] [-Deny] [-DomainController ] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType…
DEBIAN Install Wazuh Agent curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb && sudo WAZUH_MANAGER=’10.10.10.110' WAZUH_AGENT_GROUP=’default’ dpkg -i ./wazuh-agent.deb
sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent
Register Wazuh Agent /var/ossec/bin/agent-auth -m 10.10.10.110
Edit File
nano /var/ossec/etc/ossec.conf
10.10.10.110 …
Restart File
systemctl restart wazuh-agent
WINDOWS Install Wazuh Agent Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER=’10.10.10.110' WAZUH_REGISTRATION_SERVER=’10.10.10.110' WAZUH_AGENT_GROUP=’default’
Register Wazuh Agent PowerShell Command
&’C:\Program Files (x86)\ossec-agent\agent-auth.exe’ -m 10.10.10.110
Open File and edit
C:\Program Files (x86)\ossec-agent\ossec.conf
…
Restart
Restart-Service -Name wazuh
OS/Dok Malware Example Lets take a example. If was working and got notification through Cyware social threat feeds and read the following malware research:
- OS/Dok [https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/]
After reading this research about this threat, I can automatically develop a couple (in “development”) rules for this specific threat [In the real world…
In this post I will be covering ways of hardening your Microsoft 365 and Azure Active Directory Tenant.
Enable MFA Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:
- Requiring all users to register for Azure AD Multi-Factor Authentication.
- Requiring administrators to…
This tutorial how to install ELK stack on Docker Containers
Install Docker on Debian-Based Distributions apt update apt install apt-transport-https ca-certificates curl software-properties-common -y echo ‘deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable’ >> /etc/apt/sources.list.d/docker.list curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
apt update apt install docker-ce -y curl -L https://github.com/docker/compose/releases/download/1.20.0/docker-compose-uname -s-uname…
This post will breakdown on ways of hardening Active Directory.
Windows Firewall Maintain at least a workstation and server Group Policy Object (GPO) to control the Windows Firewall
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
Generally, it is best to limit…
