Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

What is Process Injection?


Docker Hub [https://hub.docker.com/r/asonger/elastic-detection-cli]


Before continuing, please create the custom Python file for the JIRA integration by doing the following:

sudo touch /var/ossec/integrations/custom-jira

OR, as root:

touch /var/ossec/integrations/custom-jira

For full post please click link:


How I took an issue created by another GitHub user, added value to the original query and helped mold it into a new detection rule.

Original Query

process where event.module == "powershell" and process.args : ("powershell.exe", "Set-Service", "EventLog", "Disabled")

Example Data

{
  "_id": "89933b5f64737a55c666fd1a7155b02c533e65e040dddfb611d83e563afa6796",
  "_index": ".siem-signals-siemplify-000002",
  "_score": "1",
  "_type": "_doc",
  "@timestamp": "2021-03-31T04:43:10.154Z",
  "agent": {
    "ephemeral_id": "af1d7136-94f2-42bd-8ac6-c0c320381735",
    "hostname": "DESKTOP-AL49UOF",
    "id": "41e48758-8b2b-474a-bd22-b0d6356025e2",
    "name": "DESKTOP-AL49UOF",
    "type": "filebeat",
    "version": "7.12.0"
  },
  "data_stream": { "dataset": "windows.powershell", "namespace": "default", "type": "logs" },
  "ecs": { "version": "1.8.0" },
  "elastic_agent": { "id": "ebe1c190-9026-11eb-97b7-670157a7fe8c", "version": "7.12.0" },
  "event": { "action": "Provider Lifecycle", "category": "process", "code": "600", "created" …


You first begin by looking up the API or PowerShell cmdlets that are used to assign permissions to a specific mailbox. That is the starting point for this rule, which detects when a mailbox permission is delegated to a specific user in the organization.

Add-MailboxPermission [-Identity] -AccessRights <MailboxRights[]> -User [-AutoMapping ] [-Confirm] [-Deny] [-DomainController ] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType ] [-WhatIf] []

So from this you can determine that -AccessRights <MailboxRights[]> is an important parameter that will be used in the detection rule.

EXAMPLE

Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All

So I decided to go to the Elastic SIEM and see if I can…


DEBIAN

Install Wazuh Agent

curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb && sudo WAZUH_MANAGER='10.10.10.110' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent.deb

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Register Wazuh Agent

/var/ossec/bin/agent-auth -m 10.10.10.110

Edit File

nano /var/ossec/etc/ossec.conf

10.10.10.110 …

Restart Agent

systemctl restart wazuh-agent

WINDOWS

Install Wazuh Agent

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='10.10.10.110' WAZUH_REGISTRATION_SERVER='10.10.10.110' WAZUH_AGENT_GROUP='default'

Register Wazuh Agent (PowerShell command)

& 'C:\Program Files (x86)\ossec-agent\agent-auth.exe' -m 10.10.10.110

Open File and edit

C:\Program Files (x86)\ossec-agent\ossec.conf

Restart

Restart-Service -Name wazuh


OS/Dok Malware Example

Let's take an example. I was working, got a notification through the Cyware social threat feeds, and read the following malware research:

After reading this research about the threat, I can immediately develop a couple of (in "development") rules for this specific threat. [In the real world, I would sandbox the malware to trigger the rules for real.] What I'm showing is just the process of the first go-around of developing a rule based on malware research.

So this bundle named Truesteer.AppStore …


In this post I will be covering ways of hardening your Microsoft 365 and Azure Active Directory Tenant.

Enable MFA

Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:

Compliance Controls:


This tutorial covers how to install the ELK stack in Docker containers.

Install Docker on Debian-Based Distributions

apt update
apt install apt-transport-https ca-certificates curl software-properties-common -y
echo 'deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable' >> /etc/apt/sources.list.d/docker.list
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

apt update
apt install docker-ce -y
curl -L https://github.com/docker/compose/releases/download/1.20.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Pull Elasticstack Image & Prepare

git clone https://github.com/elastic/stack-docker /usr/share/elastic
sysctl -w vm.max_map_count=262144

Set the PWD Environment Variable

echo 'PWD=/usr/share/elastic/' >> /usr/share/elastic/.env

Create Elasticstack containers

docker-compose -f setup.yml up

Save the password given at the end

NOTE: The password will only be given this once


This post will break down ways of hardening Active Directory.

Windows Firewall

Maintain at least a workstation and a server Group Policy Object (GPO) to control the Windows Firewall:

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Generally, it is best to limit the following scenarios:

At a minimum, consider restricting the following ports where possible:

Austin Songer

Trusted Veteran | Compassionate. Aspiring. Resourceful.
