ØSecurity

Plaso Windows Build

I'm trying to nail down the steps to build the Log2Timeline Plaso Windows executable. Part of this is to make it more accessible to the community (for example, Autopsy, which still uses a 2018 version). Part is to make my job faster and easier (rather than having to stand up

VSS Carving - Pt. 2, Halfway There

I intended for this to at least be a two part series, part 1 is here [https://nullsec.us/carving-for/]. I'm not sure yet if this will be the end of it or not. I did successfully recover some information from a deleted snapshot, so success there. However, I still

VSS Carving - Pt. 1, Setup

I'm actually having some problems getting the final results in a lab, so I'm going to go through the tool and lab setup first. Hopefully this will encourage someone to point out what I'm doing wrong or a lab setup that will work. I'm using WSL 2, Ubuntu 22.04,

Windows Baseline Logging

When people ask what their baseline configuration should be, in terms of logging, I feel like it often gets answered with general advice regarding knowing your environment, having different configurations for file servers vs domain controllers, etc. This is true advice, but not particularly helpful. You might not know your

Log4j / Log4Shell / CVE-2021-44228

For average/home users Someone on twitter [https://twitter.com/Rooster_75/status/1470746847790706698] asked two questions that I thought might be valuable for this article, paraphrasing: > Can someone explain the Log4j vulnerability in non-IT terms, and is there any mitigation my level as average mere mortal? 1) A log

Super Timeline Quick Reference

If you haven't watched it already, there's some great YouTube videos by Richard Davis of 13cubed that I suggest you start with. If you're just looking for the commands to run, scroll towards the bottom. There are a LOT of advanced options that could be used, this is just my

PSScriptPolicyTest Files

There is an often-referenced article here [https://www.deploymentresearch.com/psscriptpolicytest-script-gets-blocked-by-applocker-in-the-event-log-why-and-what-are-those-files/] that lays out what these files look like, what they do, and where they originate. From the perspective of trying to identify them however, it was a bit out of date, and nobody really goes over everything that these

Finding Unusual PowerShell with Frequency Analysis

I have, for a long time, been watching my logs for unusually long command line artifacts. Something suspicious doesn't have to be long, but except for a few well-known and easily ignored applications, most long command lines are suspicious. For example, imagine you came across this [https://threatpost.com/powershell-payload-analysis-malware/

Mongo 3.6 on Ubuntu 20.04

I'm sure the first thing you're asking yourself is why. Stubbornness is your answer. I was playing with Zeek at home (if you want to get started, check out Zeekurity Zen [https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-on-centos-8/] on Eric Ooi's page, quality stuff) and built everything on Ubuntu 20.04. I

Cloud-Hosting FoundryVTT in Lightsail

Plus CloudFlare and proper LetsEncrypt Certs I got bored and decided to play with a cloud-hosted Foundry VTT [https://foundryvtt.com/] server. They have some great guides [https://foundryvtt.wiki/en/setup/hosting/DigitalOcean-Initialization-Script] for getting started with some of these. I could get a little more bang for my

Converting .sid (MrSID) files

Just notes because every forum post I came across for this was 10 years old, and all the references and links were out of date. Once you find the files, there's nothing difficult here. From the Wiki [https://en.wikipedia.org/wiki/MrSID] "MrSID (pronounced Mister Sid) is an acronym

Battery Powered PIR IR Illuminator

I've spent some time searching for an additional IR illuminator to supplement my security cameras. For those of you not familiar with what these are, the IR lights (or near-infrared, 850nm) on your camera are what allows it to see in the dark. Most cameras have decent lights, especially for

Volatility 3 Framework (v 1.0.0-beta.1) Requirements

Very quick post, mostly notes for myself. When using Volatility 3 you might noticed that some plugins cannot be loaded # ./vol.py -h [...] The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump, volatility.plugins.windows.

Discussion on Domain Credential Extraction

It's been a while since I have posted anything, and today I ran across a Tweet and had a conversation that I thought would make a perfect subject. It begins with "A mini thread: I periodically see folks suggest that to prevent weak passwords you should dump AD and compare

Password Analysis - LiveJournal

Updated: 29 May 2020 @ 13:25 UTC - Added additional Pipal analysis. This is the first of my "Password Analysis" posts that I've published, but the second one I've written. I started with 000webhost, but had not completed that when this breach hit. This one is more relevant at the

"Deleted" LiveJournal Accounts

Update 27 May 2020 @ 13:17 UTC - See bottom Update 27 May 2020 @ 19:48 UTC - Related post analyzing passwords in use: https://nullsec.us/livejournal-password-analysis/ [https://nullsec.us/livejournal-password-analysis/] There's a lot of talk about the LiveJournal breach going on right now. I wasn't too surprised to

Generating Offline Passphrases

I'm a huge fan of https://makemeapassword.ligos.net/generate/readablepassphrase, and regularly advise people to use it when generating passwords that need to be memorized or typed frequently. However, there's been numerous times people have expressed concerns that they're effectively generating passwords on someone else's computer. This is (typically)

Passphrase Length

I wanted to address a tweet posted today by the UK's National Cyber Security Centre advising people to use three random words as a passphrase. > When choosing your password, use #threerandomwords [https://twitter.com/hashtag/threerandomwords?src=hash&ref_src=twsrc%5Etfw]: memorable but not easy to guess, a good

CVE-2020-0796

There's a lot of useless posts going around about this right now. I hope mine is a little more useful since most of these don't mention if this is being exploited in the wild. TL;DR - no, it isn't, no need to panic right now. Keep an eye on

Proxying Non-browser Traffic Through Burp

Or "Microsoft SQL Express and the Truly Terrible, Just Awful, No Good Downloader" TL;DR up front. 1. On a secondary machine/VM, setup a Burp proxy to use the non-localhost interface (192.168.1.230 in my case) as a proxy. Turn off intercept 2. On your Windows system,

Windows Event Log - Audit-CVE

Update: This event appears for both binaries and websites in build 1809 and 1909, but only for binaries in 1903 (not web). So if you're looking for this event and not finding it, that may be why. I have not confirmed this myself, so if someone else comes across this,

Splunk REST API Python Example

There's really nothing special here except a mildly updated example of the code found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Python_example Basically, updated to python3 due to the impending end-of-life (print() adjustment, and urlencode had changed in Python3). While I was at it,

Wireshark From Source / RHEL 7

Wireshark on Red Hat Enterprise Linux is, for some reason, about a decade out of date. The current version available via yum install is 1.10.14. This version was released in June 2013, and reached end of life in June 2015. Now, RHEL might be back-porting security patches (I'm

Auditing Default Credentials with a Custom Python Script

From time to time I need to audit a large number of devices for default credentials. I typically use Metasploits http_login module for this. You can pass it a file of rhosts with something like set rhosts file://root/hosts.txt and have it check numerous systems quickly. However,

Top 4 Cybersecurity Threats That Small Companies Face

I thought this tweet [https://twitter.com/granick/status/1154137384906153985] might make a good blog post. I'm sure everyone in infosec will have their own answers, and all will be, generically, correct. Most of what I've seen is disagreements over one or two of the points, or how to remedy