
Jorrit Folmer jorritfolmer

@jorritfolmer
jorritfolmer / transpose_mitre_eval_apt29.md
Created April 27, 2020 13:19
Transpose MITRE EDR APT29 results for better Splunking

Onboarding MITRE EDR evaluations round 2 (APT29) into Splunk

MITRE have just published the JSON results of their EDR evaluations simulating APT29. However, as with the previous round, the structure of those files makes them hard to search in Splunk. Use this Python script to transpose them for easier Splunking.

Usage

$ python transpose_mitre_eval_apt29.py file.json > file_for_splunk.json
@jorritfolmer
jorritfolmer / transpose_mitre_attack_evals.md
Last active March 18, 2022 12:25
Script to transpose JSON files from MITRE ATTACK EDR evaluations for easier use in Splunk

Comparing MITRE ATTACK evaluations of EDR software in Splunk, APT3

The JSON results of the APT3 evaluations can be found here: Round 1, APT3. For easier Splunking you have to transpose the JSON files from MITRE with the script below. This lets you run searches that compare detection results across EDR vendors.

Usage

$ python transpose_mitre_eval.py file_from_mitre.json > better_file_for_splunking.json
[Unit]
After=network.target
Wants=network.target
Description=Splunk Enterprise


[Service]
Type=forking
RemainAfterExit=False
@jorritfolmer
jorritfolmer / qemu-kvm-ovirt-windows-server-2016.md
Last active June 8, 2021 20:25
Installing Windows Server 2016 on oVirt qemu/kvm

Installing Windows Server 2016 on oVirt v4 qemu/kvm

The install fails with BSOD and "Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you."

Windows installer BSOD on qemu/kvm

After reboot it returns with the following message: "The computer restarted unexpectedly or encountered an unexpected error. Windows installation cannot proceed. To install Windows, click OK to restart the computer, and then restart the installation.":

Windows installer restarted unexpectedly on qemu/kvm

@jorritfolmer
jorritfolmer / gist:bc6374b48bde2ba99f983cc0889da8a9
Last active August 30, 2018 18:01
NXlog config to create a syslog server on Windows

NXlog config to create a syslog server on Windows

Creates a log file for each connecting syslog client, based on its IP address. Also takes care of rotating the files, limiting the archive to 5 log files of 100M. This config is meant to allow a Splunk Universal Forwarder to collect the syslog files, using the following inputs.conf:

inputs.conf (Splunk):

[monitor://c:/log/192.168.1.1/*.log]

Dockerfile

# Well ok CENTOS then
FROM centos:7

# Point to your local repository with Splunk(forwarder)s
RUN echo $'[splunk]\n\
name=Splunk\n\
baseurl=http://repo.testlab.local/splunk\n\
@jorritfolmer
jorritfolmer / rhel7-docker-quickstart.md
Last active January 8, 2016 11:31
Docker on RHEL7 quickstart, the OpenVZ way

Docker on RHEL 7 quickstart

NOTE: below is an attempt to build a container that can be used as an OS container instead of an application container, like OpenVZ but using Docker. Currently this requires running the containers in privileged mode, which doesn't really separate the containers in a secure fashion.

It does result in a container with a public IP address, running systemd, that you can also SSH into.

Prerequisites: enable the rhel-7-server-extras-rpms yum repository

Installation

Spec file to generate libnss-ato RPMs for RHEL systems

Name:		libnss-ato
Version:	1.0
Release:	1%{?dist}
Summary:	NSS catchall module

Group:		System Environment/Libraries
License:	GPL 2.0
@jorritfolmer
jorritfolmer / gist:e4bfb69b6d609542730b
Last active August 24, 2020 00:28
.spec file to build Russell Stuart's pam-python on RHEL

pam_python.so on RHEL systems

pam_python.so is not readily available on RHEL systems. Here's how to build an RPM from Russell's tar.gz:

  1. download pam-python.1.0.4.tar.gz to ~/rpmbuild/SOURCES
  2. copy/paste pam-python.spec from below in ~/rpmbuild/SPECS/
  3. copy/paste pam-python-1.0.4-fix-compile-rhel.patch from below in ~/rpmbuild/SOURCES
  4. rpmbuild -bb ~/rpmbuild/SPECS/pam-python.spec

pam-python.spec

@jorritfolmer
jorritfolmer / gist:41ffcc3bac7e8693261d
Last active July 6, 2016 06:47
Fix various NASL wrapped scanners in Kali OpenVAS

Kali OpenVAS NVT scanners that are not working by default

Arachni

Arachni could not be found in your system path.
OpenVAS was unable to execute Arachni and to perform the scan you
requested.
Please make sure that Arachni is installed and that arachni is
available in the PATH variable defined for your environment.