Thursday 31 October 2019

Suricata Cheat Sheet

** WILL FIX CODE HIGHLIGHTING LATER, grr so annoying**



Just some learnings.

Some Cheat sheets so I can organize my notes



To Run Suricata:


Reading a PCAP

sudo suricata -r <PCAP>
sudo suricata -r <PCAP> -k none -l .
(-k none disables checksum validation, -l . writes the logs to the current directory)

After running on a PCAP, search the log (note jq needs == for comparison; a single = is an assignment):

cat eve.json | jq -c 'select(.event_type=="alert")'
cat eve.json | jq -c 'select(.event_type=="tls")'
cat eve.json | jq -c 'select(.event_type=="http")'
cat eve.json | jq -c 'select(.event_type=="dns")'

For listing rules:


more /etc/suricata/rules/emerging-trojan.rules

ls -lah /etc/suricata/rules/



Config

Enable http-log, ssh and dns events within suricata.yaml.

enable:


Load signatures from another file. Edit suricata.yaml:

change default-rule-path to /home/user

change rule-files to customsig.rules

then save customsig.rules in that folder


create a rule and run it against a pcap:

sudo suricata -r /home/test/test.pcap -k none -l .



Main Log Formats:

eve.json

JSON objects (one per line) with timestamp, flow_id, event_type etc -> use jq

fast.log

logs alerts only

stats.log

self explanatory

Logs are stored in /var/log/suricata:

root@test:/var/log/suricata#


Breaking down rules.

Summarizing: https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html

Main sections

Great help to break up the rule into 3 sections, as seen in the image above.

drop == ACTION: alert, drop, etc.
tcp == PROTOCOL
any == PORT; also lists [80,81], ranges [80:101] and negation !80
$HOME_NET any -> $EXTERNAL_NET any == source, destination and direction of traffic
-> only matches traffic going from source to destination (not the response); <> matches both directions.

Parts in BLUE:

These are high level key words:


eg: Flow Keywords

flow matches on the direction (and state) of the flow.
flow:established,to_server; means match on established connections, CLIENT TO SERVER.

Flowbits

flowbits:<action>,<name of flowbit>;

flowbits:isset,name == generate an alert when the rule matches and the named flowbit is already set in the flow.



reference == refer to where the signature or information came from
msg == text to be displayed; no impact on rule processing
sid == Signature ID (needs to be unique)
rev == revision number of the SID

So breaking down this rule:

alert dns $HOME_NET any -> any any (msg:"Trojan DNS Query Observed"; dns_query; content:"testlol.net"; isdataat:!1,relative; reference:url,threatintelprovider.com/trojanx; classtype:trojan-activity; sid:1; rev:1;)

This rule alerts on DNS traffic from the internal network out, specifically any DNS query for testlol.net. **The isdataat:!1,relative means there must be no data after the last byte of the match (the .net), so a query for testlol.network would not match.** Then the classtype, reference, sid and rev follow.
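The same filtering as the jq one-liners above, done in Python so the per-signature roll-up and the isdataat caveat can be checked in one go. This is an added example, not code from the original post; the eve.json lines are constructed to resemble what the testlol.net rule would produce, not real Suricata output.

```python
"""Filter and summarise a Suricata eve.json, mirroring the jq one-liners.
Added example, not from the original post; sample events are constructed."""
import json
from collections import Counter

# Constructed eve.json lines (not real Suricata output): a DNS query for
# testlol.net, the alert the rule above raises for it, a query for
# testlol.network that isdataat:!1,relative keeps from matching, and an
# unrelated http event. Each line is one JSON object.
SAMPLE_EVE = """\
{"timestamp":"2019-10-31T10:00:01.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"8.8.8.8","dns":{"type":"query","rrname":"testlol.net","rrtype":"A"}}
{"timestamp":"2019-10-31T10:00:01.000100+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.8.8","alert":{"action":"allowed","signature_id":1,"rev":1,"signature":"Trojan DNS Query Observed","category":"A Network Trojan was detected"}}
{"timestamp":"2019-10-31T10:00:02.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"8.8.8.8","dns":{"type":"query","rrname":"testlol.network","rrtype":"A"}}
{"timestamp":"2019-10-31T10:00:03.000000+0000","flow_id":3,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/","http_method":"GET"}}
"""


def read_eve(text):
    """Parse eve.json line by line. Blank or half-written lines (common when
    reading a log Suricata is still appending to) are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def select_type(events, event_type):
    """Same as: jq -c 'select(.event_type=="<event_type>")'."""
    return [e for e in events if e.get("event_type") == event_type]


def alert_summary(events):
    """Count alerts per (sid, rev, msg): a quick roll-up of what fast.log shows."""
    counts = Counter()
    for e in select_type(events, "alert"):
        a = e["alert"]
        counts[(a["signature_id"], a["rev"], a["signature"])] += 1
    return counts


def dns_queries(events):
    """Queried names from dns events, to compare against what actually alerted."""
    return [e["dns"]["rrname"] for e in select_type(events, "dns")
            if e["dns"].get("type") == "query"]
```

Running dns_queries and alert_summary over SAMPLE_EVE shows both names were queried but only testlol.net produced sid 1, which is the isdataat:!1,relative behaviour described above.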

Open Live Writer


I am unable to post when I copy-paste images into Open Live Writer directly. But I can post images when I copy-paste them into Drive and then drag and drop them into Open Live Writer.


I use a screenshot tool that places the image into my clipboard and I simply paste into my note-taking tool. Unfortunately I am unable to do this for OLW.



It works, but it is annoying.




Wednesday 30 October 2019

Zeek - Access Nested Data Structures of ::INFO

More of a reminder for myself.
I am doing an IR course; I went through the Zeek lab and experimented. When I went back for review I realized I had created the scripts within the VPN. The VPN has reset and I have lost the scripts I made. - Do not do that again, Haydn!


1 screenshot of my script was in my Google Doc (course notes), which saved me some time.

I wanted to write about an annoying thing I found when scripting. It is a difference between the new version and the slightly older version used by the course: how to access the nested structure of the ::Info record.

The Zeek Documentation:



I found the Writing Scripts tutorial overwhelming and hard to follow on a 1:1 basis with what they were talking about.



Mostly this bit:


I was confused because the description of "TeamCymruMalwareHashRegistry::Match" is not in the code block they mention. See image below:

I have scripted in Python and written Bash scripts, but I was unable to understand what that section meant.
It was a bit frustrating.

The issue I was having between Versions

The course was using an older version and was using RDP as an example. If you look at the RDP script for the current Zeek (3.0), the client machine variable is within the RDP::Info record. However, in the older version (2.6), it is a parameter of the rdp_connect_request event.

It took me a while to figure it out. 

I did not know how to dig into the RDP::Info record, or the ::Info part of any of the other base scripts.


So in the 2.6 version of Zeek, we can print the client machine from RDP connections this way:

@load base/protocols/rdp

# Zeek 2.6: the cookie arrives directly as an event parameter
event rdp_connect_request(c: connection, cookie: string)
{
    print cookie;
}




Whereas in the 3.0 version, it would look like:

@load base/protocols/rdp

# Zeek 3.0: the cookie is a field of the RDP::Info record passed to the log event,
# accessed with the $ operator
event RDP::log_rdp(rec: RDP::Info)
{
    print rec$cookie;
}

As you can see, accessing the ::Info record for RDP is quite different. The event name is mentioned in the documentation under Events. See the screenshot below.




An SSH script I wrote within http://try.bro.org/ is below. I chose to test with SSH because the website had an SSH PCAP to try.


Again, if you look at the current SSH script documentation, you will see it is similar to RDP:





The output of the script is:





The Zeek documentation for writing scripts does explain using the $ sign to access nested data structures, but it did not explain how to access the ::Info section. I just feel that it covers so much that it takes a while to reach that. Hence this blog post to remind me how to access nested data structures.







Sunday 21 October 2018

Home Lab ATT&CK Use Case

Hi All,

I was working on some presentation slides for my upcoming talk on 'communication'. I felt I made some good progress and wanted to reward myself by blogging.

Update: This idea was inspired from a blog post on ATT&CK by the Brakeing Incident Response Podcast crew, Episode 7

Blogging on what? The ATT&CK framework, of course. It's super popular, very useful, and I was like: "I should try this in my home lab in just a basic use case". So the idea was to pick an attack and just investigate a local system. SUPER BASIC.

AKA: As a defender I want to investigate if my windows system has been compromised.

My Lab as the platform

I have a simple home lab setup, always needing to finish it off properly. The most important piece is that I have a Domain set up and I wanted to use that for the ATT&CK use case.

Example of my Home Lab (I am quite proud of this so far):


The Test Case from ATT&CK
So let's go to the MITRE ATT&CK page and then to the Windows techniques. There are many techniques to choose from.




Having many to choose from, I chose something simple, like "Brute Force". The idea here is that I can just check the Event Viewer for logs, without having to install tools like Sysmon or osquery for advanced logging and metrics.

From the section on "Brute Force" on ATT&CK the description is:
"Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained."

I thought the paragraph below would be a good use case:

"Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies."


The Plan:

I want to check my Domain / systems for any instance of brute force attacks.


Where to start?

Let us Google "Windows Password Brute Force Attack". But this mostly comes up with password cracking tools, such as shown here:

This is in the right area, but not really brute forcing a system.
There is a tool called THC-Hydra that can brute force Windows services, such as SMB authentication.

But is that right?

So I've found a tool that brute forces SMB, but that does not help me look on Windows for brute force attacks. It does help me emulate the attacks if I am unable to see anything on my Windows system.

ATT&CK Brute Force

I was Googling around and thought that a failed brute force attack would show many failed logins on Windows systems. I checked the ATT&CK Brute Force description page and I was correct.

There is a detection section and they suggest monitoring authentication logs for system and application login failures of Valid Accounts. - Lesson learned: ATT&CK will give a breakdown of mitigation and detection for attacks. Super cool!




So how does one monitor authentication logs? - GOOGLE ftw

Viewing Authentication Logs


I got lost in here for a while. Deep and helpful, but not specifically what I was looking for.

I found an article on monitoring logons in Windows environments, which fortunately covers Domain authentication and where to look for the logs. The key point is that authentication in a Domain is by default handled by Kerberos.



Specifically for a Windows Domain

There are 2 places to monitor for a Windows domain:
  • The Domain Controller
  • Windows Client (computer a user logs into).


Domain Controller Security Log

My Domain Controller is installed headless, so I had to look at PowerShell commands to view the event logs.

Initially I ran Get-EventLog Security, which was close, but results in a high amount of scrolling data:



I can search the Security events, which is great, but I need to be more specific.


Using PowerShell on the Domain Controller, I had no 'failed login attempts':


I was not sure if my command was correct, so I quickly created some failed logins via PowerShell.
I re-ran the command and it worked:



Clearly my DC has not had any brute force attacks on it.

I attempted to get the username with some PowerShell fu (that I Googled), but I need more practice:
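Once the failed-logon events are out of the Security log, the "many failed logins" idea from the ATT&CK detection text can be turned into a threshold check. This is an added example, not from the original post: it assumes the events have already been exported and flattened into records carrying TimeCreated, Id, TargetUserName and IpAddress (the Security event's own field names), and the sample records are constructed, not lab data.

```python
"""Spot possible password brute forcing in exported Windows Security events.
Added example, not from the original post. Assumes records were exported
(e.g. via Get-WinEvent on the Security log) and flattened to the fields below;
the export/flatten step is assumed, and all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs that record a failed authentication: 4625 = logon failure on the
# machine itself, 4771 = Kerberos pre-authentication failure on the DC.
FAILED_LOGON_IDS = {4625, 4771}

# Constructed sample: one mistyped password for 'admin' in the morning, then
# six failures for 'haydn' from one host inside two minutes, followed by a
# successful logon (4624) that must be ignored by the detection.
SAMPLE_EVENTS = [
    {"TimeCreated": "2018-10-21T09:00:00", "Id": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2018-10-21T12:00:00", "Id": 4625, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2018-10-21T12:00:10", "Id": 4771, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2018-10-21T12:00:20", "Id": 4625, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2018-10-21T12:00:30", "Id": 4625, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2018-10-21T12:01:00", "Id": 4625, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2018-10-21T12:01:40", "Id": 4625, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
    {"TimeCreated": "2018-10-21T12:02:00", "Id": 4624, "TargetUserName": "haydn", "IpAddress": "10.0.0.23"},
]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, source_ip): n} for each user/source pair that produced
    `threshold` or more failed logons inside some `window`-long span; n is the
    most failures seen in any one window. A sliding window over the sorted
    timestamps keeps this linear per pair. A lone typo never trips it."""
    times_by_key = defaultdict(list)
    for ev in events:
        if ev["Id"] in FAILED_LOGON_IDS:
            key = (ev["TargetUserName"], ev["IpAddress"])
            times_by_key[key].append(datetime.fromisoformat(ev["TimeCreated"]))
    hits = {}
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events older than the window
                start += 1
            size = end - start + 1
            if size >= threshold:
                hits[key] = max(hits.get(key, 0), size)
    return hits
```

Grouping by (user, source) catches a single account being hammered; grouping by source alone would be the equivalent check for one host trying many accounts.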




Windows Client Security Log

My Windows client is simply a base install of Windows 10.













Being a home lab that is fairly segregated, there are no failed login logs:





Wrap-up

So as expected I found very little evidence of brute force attacks, specifically through the Event Viewer. This was a very basic example of using ATT&CK for detection / hunting.

None of this was advanced; it is a very simple example of learning using the ATT&CK framework.

Cheers
Haydn





Tuesday 4 April 2017

3 Books I highly recommend for anxiety, imposter syndrome & my own flaw

Brené Brown

I first heard of Brené Brown's work when I saw a YouTube video on empathy. Someone had created a cartoon with Brené's voice-over from a talk of hers. I think the cartoon adds a lot of power to the message. She discussed the difference between sympathy and empathy; in a nutshell, empathy is being able to feel what the other person is feeling without judgement. It can be found here: https://www.youtube.com/watch?v=1Evwgu369Jw


It was a good video and resonated with me really well. The imagery of the goat (I think) eating a sandwich and responding to someone's marriage falling apart with 'at least you had a marriage' is quite strong.

So many people, when responding to your struggle or how you are feeling, will respond with a silver lining, unable to accept that you are not 'happy'. This reminds me of my mother: when I had exams or an important interview I was stressed, needing someone to listen, and she would respond with 'you'll be fine', or 'you always pass the exam'... This comes across as if she thinks me passing an exam or interview is easy or a given. This is certainly not the case; passing an exam takes hours and hours of study, frustration and perseverance, and a simple 'you'll be fine' diminishes every effort I go through in passing an exam.

Anyhow, that is an example in my life of getting sympathy and not empathy.

Brené Brown is a shame researcher, using research to understand shame and how best to deal with it. In short, she is like a doctor for your conscience.

3 books

So obviously, with an introduction on Brené Brown, the 3 books I am going to recommend are by her.

#1) The Gifts of Imperfection

Someone first suggested this book when I was not accepting my anxiety, not aware of it and not understanding why I could not control my emotions. This book helped so much.

This one, as Brené summarises, is about being you, living genuinely as yourself and accepting who you are.

Sidenote: I still struggle with anxiety and hate myself for it. - Something I am working on

#2) Daring Greatly

Honestly, I have not read this one yet... But it is about having the confidence to be the real you, so I am looking forward to reading it.

#3) Rising Strong

This one is about when you fall, or fail and the long hard climb back to where you work.

I am reading / listening to this book now.

This one is much more relevant to my current situation. Especially with anxiety and that 'fake' story we jump to. Or I jump to when something bad is happening, or when my emotions explode.

I am unsure if it is an evolutionary trait, or a bias, as a way to survive, but when something happens (something bad, a fight, a bad meeting etc.) I think the worst. I have an issue with self-worth. This can happen when you open yourself up to someone/colleagues etc. and they brush it off, or when sharing something you are excited about and friends brush it off, or a thing at work that you are all pumped for that does not go well; things like that cause shame... I instinctively go to 'I am not enough'... It is my current worst flaw in my personal life. A nice video here sort of explains it: https://www.youtube.com/watch?v=5RsPjFnNdw4

This book is helping me to understand it, or at least become aware of it. I have not read it all, so I am unsure what exactly to do. I do know that the easy path of shutting down, hiding and giving everything away is not the answer... This is not something new; it's always been there, one of those 'curses' we bear, right?..



I will continue to work on this, and blog my experiences.

Cheers
Haydn

Monday 3 April 2017

My quick Post on UAC.

So I have been reading a bit more on some foundational knowledge. I know about UAC, using getsystem in Meterpreter for UAC bypasses and all the super cool UAC bypasses implemented in PowerShell.

Below you will find my brain-dump on how UAC works and the bypasses (or one).

Different Levels - for security, right?

So processes run at different levels for security reasons. Thus if a process gets popped, it shouldn't necessarily mean straight to Local Admin. Same premise as popping Apache; you become www-data with minimal rights.

So what are these levels?

System - I believe I was told this is not a 'level' but transcends the levels.
High Integrity - basically admin rights
Medium Integrity - Standard user
Low - Restricted

This is relevant when you get a shell as a user who is local admin, because you type hashdump in Meterpreter and cannot dump the hashes. It is annoying as an attacker, but Windows is basically like 'lol you can't execute admin actions at medium integrity'. You have to explicitly state that you want to execute an administrative task (hence that annoying UAC PLEASE SELECT ACCEPT pop-up).

This annoying pop-up was designed initially in Vista... EVERY process that needed admin rights caused a UAC pop-up. It was annoying to everyone; I am sure you remember Vista.


So in later versions of Windows, the Microsoft peeps decided that some applications could automatically elevate themselves, thus gaining admin rights without annoying the user... This sounds great until it was realised that the way this happens could be manipulated to execute a DLL of an attacker's choice. Thus the UAC bypass.

This is my summary, but obviously I have to give credit to here:
https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/

In Short:
Using DLL hijacking to force a DLL chosen by the attacker to be loaded can allow one to bypass UAC. It is called Leo's Bypass Attack and uses sysprep.exe. When sysprep.exe ran it would look for a DLL called CRYPTBASE.dll; if you supplied it in a location that was searched before the REAL DLL, it would load the first DLL, thus allowing high integrity. Pretty cool, huh, it's an awesome trick.

The cool part is in lateral movement!

So that is awesome on that system. The cooler part, I think, is when you want to move laterally. If you can connect to another system, that high integrity token goes with it to the next system.

So in essence, what is named the bounceback UAC bypass (haha) is the idea of using this to get high integrity on your current system without DLL hijacking on that system (again mentioned in the blog post above). You may have a normal user (not local admin) on a system and cannot find ways to priv esc or bypass UAC, but on another system you do have local admin. So in a nutshell you connect over to that system as that user, gain the high integrity token and then connect BACK to the original system, gaining local admin on the original system.

I thought that was pretty cool.

Just a nice brain dump of what I 'remembered' from reading the post.

Cheers
Haydn





Saturday 18 March 2017

Tripwire Blog Posts

I realized I don't have a centralized place of links for all my 'guest' blogging. So here are my Tripwire ones :).


This one was the inspiration for my BSidesSLC talk. Pretty cool how things can snowball from one another. Basically someone from BSidesSLC liked the post and said it would be cool if it was turned into a talk. So I did.

https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/top-4-tips-for-purple-team-exercises/


I was slowly getting more momentum on researching Purple Teaming / Collaboration and I was seeing a lot of us versus them with regard to Red and Blue. So I wrote this post to try to break those walls down.

https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/red-team-v-blue-team-they-are-in-fact-one-the-purple-team/


Working at two Big 4s gave me lots of experience with a variety of different clients, wants and needs, and many different internal managers. This all resulted in different understandings of what a penetration test is. So I wrote this one to consider that maybe we need a completely new term to fix things.

https://www.tripwire.com/state-of-security/security-awareness/events/penetration-testing-do-we-need-a-new-term/