Skip to main content

blue tangle

blue team dreams, splunk related detections and security insights. I poke around red team and threat actor tools and try to shed some light for cybersecurity wins.

Posts

Showing posts from May 31, 2020

First post

Get link
Facebook
Twitter
Pinterest
Email
Other Apps

- June 04, 2020

I'll be uploading scraps and pieces of information relating to blue team and splunk infosec stuff here.

Powered by Blogger

𝕮𝖎𝖆𝖓 𝕳𝖊𝖆𝖘𝖑𝖊𝖞

search

what is popular

Fastening the Seatbelt on.. Threat Hunting for Seatbelt

- August 26, 2022

Quick blog entry on detections for the Ghostpack discovery/reconnaissance tool Seatbelt . This entry will focus on looking at command line parameters that can be caught even if the executable itself is renamed, if I have time we can delve into other event log artefacts another time. From the Seatbelt github repo: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. So essentially what the tool does is retrieve local system information that might have security or safety implications. In terms of commands that can be tacked on to Seatbelt there are a literal ton of options. But what we are going to focus on here are the command groups, which break the many, many available commands down into categories, so we have: All, User, System, Slack, Chromium, Remote, Misc. The groups above are invoked like this, if you wanted to run all checks: Seatbelt.exe -group=all And so

Capturing Pcap driver installations

- June 10, 2020

Today we're looking at Network Sniffing , ATT&CK technique T1040. This is very much a signature based rule but if you are ingesting WinEventlog:Security (and of course you are, right?) and specifically EventCode 4697 ("A service was installed in the system") then you can take the barebones splunk SPL from below and make it work for you. So how are we going to detect network sniffing on Windows endpoints? The installation of the drivers for the various Pcap variants. index=win10 sourcetype="wineventlog:security" EventCode=4697 AND Service_File_Name IN ("*pcap*", "*npcap*", "*npf*", "*nm3*", "*ndiscap*", "*nmnt*", "*windivert*", "*USBPcap*", "*pktmon*") | table _time Account_Name Computer_Name Originating_Computer Service_Name Service_File_Name The Service_File_Name list is derived from looking at the names of .sys files associated with the most popular packet capture o

subscribe

Posts

Posts

All Comments

All Comments

the archive

04/09 - 04/161
03/26 - 04/021
03/05 - 03/121
10/16 - 10/231
09/18 - 09/251
08/21 - 08/281
08/07 - 08/142
07/24 - 07/312
07/17 - 07/241
06/19 - 06/262

05/22 - 05/291
05/01 - 05/082
08/30 - 09/061
07/26 - 08/021
07/19 - 07/261
06/07 - 06/144
05/31 - 06/071

Show more Show less

labels

ATT&CK
batch file
bitcoin
bitpaymer
bsides
cli
command
commandline
conference
cybercrime

Show more Show less

Report Abuse