Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s…

How I took a issue created by another github user and added value to the original query and helped mold it into a new detection rule. Original Query process where event.module == “powershell” and process.args : ( “powershell.exe”, “Set-Service”, “EventLog”, “Disabled”)

Example Data { “_id”: “89933b5f64737a55c666fd1a7155b02c533e65e040dddfb611d83e563afa6796”, “_index”: “.siem-signals-siemplify-000002”, “_score”: “1”…

You first begin by looking up API or PowerShell cmdlets that will help assign permissions to a specific mailbox. So for this rule of detecting when a permission is delegated to specific user in the organization.

Add-MailboxPermission [-Identity] -AccessRights <MailboxRights[]> -User [-AutoMapping ] [-Confirm] [-Deny] [-DomainController ] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType…

DEBIAN Install Wazuh Agent curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.1.5-1_amd64.deb && sudo WAZUH_MANAGER=’10.10.10.110' WAZUH_AGENT_GROUP=’default’ dpkg -i ./wazuh-agent.deb

sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent

Register Wazuh Agent /var/ossec/bin/agent-auth -m 10.10.10.110

Edit File

nano /var/ossec/etc/ossec.conf

10.10.10.110 …

Restart File

systemctl restart wazuh-agent

WINDOWS Install Wazuh Agent Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER=’10.10.10.110' WAZUH_REGISTRATION_SERVER=’10.10.10.110' WAZUH_AGENT_GROUP=’default’

Register Wazuh Agent PowerShell Command

&’C:\Program Files (x86)\ossec-agent\agent-auth.exe’ -m 10.10.10.110

Open File and edit

C:\Program Files (x86)\ossec-agent\ossec.conf

Restart

Restart-Service -Name wazuh

OS/Dok Malware Example Lets take a example. If was working and got notification through Cyware social threat feeds and read the following malware research:

  • OS/Dok [https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/]

After reading this research about this threat, I can automatically develop a couple (in “development”) rules for this specific threat [In the real world…

This tutorial how to install ELK stack on Docker Containers

Install Docker on Debian-Based Distributions apt update apt install apt-transport-https ca-certificates curl software-properties-common -y echo ‘deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable’ >> /etc/apt/sources.list.d/docker.list curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

apt update apt install docker-ce -y curl -L https://github.com/docker/compose/releases/download/1.20.0/docker-compose-uname -s-uname…

This post will breakdown on ways of hardening Active Directory.

Windows Firewall Maintain at least a workstation and server Group Policy Object (GPO) to control the Windows Firewall

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Generally, it is best to limit…

Austin Songer

Trusted Veteran | Compassionate. Aspiring. Resourceful.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store