GitHub

Sooty – A SOC Analysts Tool – Part I

Tags: intrusion analysis, SOC, Sooty
Sooty is a SOC analyst's tool that would also work well for an individual intrusion analyst. It's available at https://github.com/TheresAFewConors/Sooty. I've installed it on a Fedora test box at my day job; I'm going to install it on one of my laptops at home and go through the steps here as …

Quick Tip #4 – Dshell

Tags: dshell, GitHub
Dshell is a network forensics tool that extracts data from network traffic, either from a pcap or live from a network interface. You can use Git or Subversion to install the tool.
[root@legolas opt]# git clone https://github.com/USArmyResearchLab/Dshell.git
Cloning into 'Dshell'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (22/22), …

Quick Tip #2 – dnsmap

dnsmap - command line utility to map out DNS records, bypassing the prohibition on zone transfers...
dnsmap is a great little tool to enumerate as many sub-domains on a target as possible. It's very easy to use and add to a script. Here are the parameters:
[root@legolas /]# dnsmap
dnsmap 0.30 - DNS Network …

Cleaning up Splunks .CSV export

Exported a bunch of IPs from Splunk that met certain criteria. The best it could do was .csv, which gave me this (I needed the count too, temporarily):
"10.61.2.66",1
"10.61.3.253",1
"10.61.6.74",1
"10.61.9.102",1
"10.61.9.141",1
"10.62.11.161",1
…
Fortunately Linux has the built-in tools to take this output and easily give me a list of IPs, one per line, with …

Guest Post – Katrina K.

Gatekeepers Pigeonholed My Dreams
Katrina K., Feb 11
Naysayers claimed I would not be well-suited to pursue a role in STEM — look at me now! I have always loved computers, video games, and messing with technology, both new and old. A lot of my closest friends throughout the years have been the geekiest …
Nmap for Beginners – Part 2

Tags: connect scan, Nmap, syn scan, udp scan
The first parameter to add is the type of scan, and there are many. The most common are -sS for a SYN scan and -sT for a Connect scan. A SYN scan is also called a half-open scan because it sends a SYN packet, and if it receives a SYN-ACK, …
Nmap for Beginners – Part 1

Nmap is the most well-known and most used port scanner in existence. It's not the fastest; Masscan and UnicornScan are much faster. Masscan is a duplex scanner, using one port to send packets and another to listen for responses. However, nmap has made great progress over the years in …

Behavioral analysis versus artifacts/IOC’s

Tags: AI, EDR, IOC, ML
Much of our defensive architecture today is based on the ability to extract indicators of compromise from logs, packet data and flow data, and on the monitoring of processes on the system. While this is good, to work through the enormous amounts of alerts and data the analyst needs more than …

Mining Packets Via The Command Line (Repost)

I've previously posted this, but I am moving back over to the Blue Team and thought it might be helpful for new analysts. Dusted off and updated where needed.
Mining Packets Via The Command Line
If you're considering becoming an intrusion analyst, there are two other sources of data that go hand …

Netcat and Ncat

Everyone in NetSec knows of, or has at least heard of, netcat, the brainchild of Hobbit, written in 1995 and ported to Windows by Weld Pond in 1998. It's called the "TCP/IP Swiss Army Knife of Networking" for good reason. You can create just about any type of network connection …