Security Ripcord

Cutaway Security Blog and Projects

BloodHound - Custom Queries

Veris Group’s AdaptiveThreat Divisions BloodHound is an exciting new tool to help Enterprises understand the current state, and possibly threat, of their Windows Active Directory environment. It is designed to augment Empire and, if I followed the DerbyCon talk / video correctly, the injestor will be built into Empire 2.0 to facilitate easy discovery / reconnaissance.

The BloodHound project is currently a work in progress but, like Empire, is well maintained and already functional. Documentation is still growing and I suspect that new users may find there is a bit of a learning curve until the documentation is updated. Personally, I would rather have the developers complete all of their current feature and functionality ideas and allow the documentation to be updated from the community for a while and then pull some of it into the projects wiki. To that end, here is a little bit I have learned about running queries on information BloodHound has collected.

DerbyCon 6.0 - Recharging Cutaway

It has been a few years since I have been out to DerbyCon. I really enjoyed the first experience and I enjoyed this year’s just as much. Here are a few notes from my week in Louisville, Kentucky with my friends.

HoneyPots Are Now Required. Errrr... No.

It started with an innocent tweet that turned into an interesting conversation and shameless plug (marketing campaign??) at the same time.

"Its time to start accepting that your NSM infrastructure is incomplete if you arent leveraging honeypots for detection. #DFIR"

Since I follow Chris closely (as should all of you) I immediately noticed this tweet and responded with my heart.

"No @chrissanders88"

RfCat Dongle Update for Docker IEEE 802.15.4 Toolkit on Windows 10

For the TL;DR crowd, Windows 10 was not recognizing any device flashed with older versions of RfCat firmware. Dominic Spill had already identified the issue and created a pull request to fix an extra byte in the USB descriptor length field. Turns out Atlas had originally added that extra byte so that older Windows versions would recognize the dongles. Thus, RfCat has been updated to address this issue and Windows 10 will now recognize devices flashed with RfCat firmware. The rest of this post will outline the process I took to track down this issue and help get Dominic’s pull request merged.

YS1 Running in Docker IEEE 802.15.4 Toolkit

Windows 10 Not Recognizing YARD Stick One

My problems started when I wanted to test the Docker IEEE 802.15.4 Toolkit. I plugged in my trusty YARD Stick One (YS1) and Windows 10 complained that it did not recognize the device.

ZigBee Packet Capture Analysis Using ZBAanalyzer

For the TL;DR crowd, the zbanalyzer.py (ZBAnalyzer) script provides an improved method for conducting analysis of ZigBee networks. It is designed to leverage the ZigBee Scapy functionality implemented within the KillerBee project with augmentation from an updated ZigBee Scapy layer provided by a Scapy-Com fork. The rest of this blog post provides a demonstration of how to use ZBAnalyzer.

Capturing ZigBee Packets with KillerBee

Capturing ZigBee network communications is accomplished using a ZigBee capture device. This is most commonly accomplished using the Atmel RZ RAVEN using firmware initially developed by Joshua Wright as a part of the KillerBee project. Riverloop Security is in the final stages of developing the ApiMote v4 beta which may change that in the near future.

Deploying GRR Clients With GRR Docker

For the TL;DR crowd, GRR Rapid Response can be configured to run on a development or small test network using GRR Docker. The GRR setup requires a repack of the GRR client as described in the repacking the client documentation and installation of the clients as described in the GRR Quick Start: Install the Clients documentation. There are a few caveats to getting it configured so that the GRR Clients can communciate with the GRR Server running in Docker. These steps are covered in this blog post.

In last weeks blog post, Creating a Docker IEEE 802.15.4 Toolkit, I talked about getting Docker up and running to test GRR Rapid Response. Installing GRR Docker is straight foward and outlined by GRRs Getting Started documentation. I will begin from there.

Creating a Docker IEEE 802.15.4 Toolkit

For the tl;dr crowd: I have started a project to consolidate IEEE 802.15.4 testing tools into a Docker image: cutaway/dot15d4_toolkit and a Githut repo: cutaway/dot15d4_toolkit. The Dockerfile in this project is designed to build, install, and run River Loop Securitys version of Killerbee, my implementation of Scapy-com, atlas rfcat, and Josh Wrights Killerzee.

While trying to understand Googles GRR Rapid Response framework I worked with the GRR Docker example deployment. Since I dont have any experience with Docker I decided I needed to understand what the GRR Docker was actually doing to get a grasp of how to communicate with systems running as a Docker container. I figured the best way to do this was to implement a simple Docker container of my own, other than the Docker Hello World.

Review OSX Program File Interactions Using Fslogger-yaml-parser

For the tl;dr crowd: fslogger-yaml has been updated to provide better user interactions relating to outputing data to files or remote UDP servers. The python parser has also been updated to provide analysis of processes detected and the files that were modified. The parser is designed to be modular and easily extended by users.

Last we left fslogger-yaml it did not have a script to easily parse the data and provide analysis of the events. Actually, as I discovered during troubleshooting, last we left fslogger-yaml it did not work properly. Both of these issues have been addressed.

Monitor Changes in OS X Using Fslogger-yaml

For the “TL;DR crowd,”: fslogger-yaml project page.

The release of EmPyre caused me to start thinking about the Indicators of Compromise (IOC) associated with it being used to interact with a system. The network artifacts, while they do need to be investigated, seem fairly straight forward to me. I am more interested in the system-based IOCs.

Since I’ve been out of the forensic arena for a while, I quickly realized that I have no idea how to track changes to system running OSX. There are, of course, system logs and Apple System Log (ASL) files. These do provide valuable information but they do not track everything. I wanted something that would provide me with enough detail that would assist in the generation of consistent IOCs.