Category: Security Operations

Deploying (and using) TheHive4 [Part 1]

Posted on By A.McHugh 3 Comments on Deploying (and using) TheHive4 [Part 1]
  1. Deploying (and using) TheHive4 [Part 1]
  2. Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  3. Building the Assemblyline Analyzer for TheHive’s Cortex.
  4. TheHive 4.1.0 Deployment and Integration with MISP

I have been an off and on user of TheHive for nearly a year now, and it is encouraging to see the development and release of TheHive4 (even if in pre-release). In this post I will walk through the deployment, configuration and migration of TheHive to TheHive4, and what improvements have been implemented into this release.

Read More “Deploying (and using) TheHive4 [Part 1]” »

Build

Threat hunting with Elasticsearch and Kibana (Part 1)

Posted on By A.McHugh 2 Comments on Threat hunting with Elasticsearch and Kibana (Part 1)

As part of my final Masters degree research component I have been collecting data from honeypots which I have seeded around the globe. The objective being to distil this data in to organisational threat data based on a fictitious business.

Part of the complication I am going to start facing, is how to how Elasticsearch and Kibana to find specific information for me from this live data set.

Previously I have indicated that a data set exists which was produced by the Canadian Institute for Cybersecurity, called IDS 2018, which contains Windows Event Logs and PCAP files relating to a set of simulated attacks generated for the purposes of teaching people how to hunt within similar datasets.

Here I will be discussing the deployment, configuration and interaction with this data set to achieve the outcome required.

Read More “Threat hunting with Elasticsearch and Kibana (Part 1)” »

Digital Forensics & Incident Response, Security Operations, Threat Intelligence

Loading Windows Event Logs to Elasticsearch

Posted on By A.McHugh No Comments on Loading Windows Event Logs to Elasticsearch

So whilst playing through an element of Kringlecon 2019 I came across a task which didn’t really suit my Christmas challenge of going to Linux full-time. One such challenge involved a Windows Event Log file with no ready access to a Linux derivitive of Event Viewer. My Kali laptop for my Christmas challenge was already…

Read More “Loading Windows Event Logs to Elasticsearch” »

Digital Forensics & Incident Response, Operate

Building a Cuckoo Sandbox

Posted on By A.McHugh 1 Comment on Building a Cuckoo Sandbox

Sometimes there is a need to analyse files in a live environment where their composition and provenance may not be entirely certain. For the most part we can try to reply on virus detection and heuristics to detect potentially malicious files, but what about those files which have not yet been identified, or have been specifically crafted for your organisation as a targeted attack?

Note: I have updated this article to reflect the current installation requirements for Cuckoo on Ubuntu 18.04 (as at 22nd Feb 2021).

Read More “Building a Cuckoo Sandbox” »

Build, Digital Forensics & Incident Response

Extracting RAM from VirtualBox session

Posted on By A.McHugh No Comments on Extracting RAM from VirtualBox session

Over the last few months I have been playing with Cuckoo, and reworking its function to suit my own requirements. Part of this has involved the separation of components within Cuckoo into functional units. This particular component relates to extracting the RAM from a VirtualBox machine for analysis after ceasing the VM. For this to…

Read More “Extracting RAM from VirtualBox session” »

Digital Forensics & Incident Response, Operate