For this post, I will provide you with my recommended path, in terms of what materials to read and how to practice for the exam. I took the CCSP because…
Author: Pablo Delgado
Rapid 7 Nexpose Data to Splunk
The following is a step-by-step approach to set up the Nexpose Data Warehouse to export to a PostgreSQL database on Windows and allow Splunk to import it. The current Rapid 7 Splunk…
Developing an Adaptive Threat Hunting Solution: The Elasticsearch Stack (Masters Thesis)
I had the opportunity to write a thesis for my Security Masters Program at the University of Houston (Program Website here for those interested). It was a long, but fun experience…
Finding & Removing Malicious Google Chrome Extensions Via KACE K1000
Quest KACE K1000 (formerly a Dell product) allows you to create “customized” inventory rules that provide the flexibility to run commands, whether through the standard command prompt or other methods. For this particular…
Threat Hunting: Fine Tuning Sysmon & Logstash to find Malware Callbacks C&C
If you get a chance, you may want to briefly look at the older articles related to this topic, as I will be referencing them or quickly summarizing portions of my configuration…
Tracking & Monitoring Domain Admins with Logstash
Whether your environment was compromised and someone got hold of a Domain Admin account, or you are just ensuring that domain admins log in only to expected systems, it is…
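The kind of check the post above is describing, written here as an added example in Python rather than as the author's Logstash pipeline: take flattened Event ID 4624 logon records (the field names, the Domain Admin account set, the expected-host set and the sample events are all constructed assumptions, not data from the original post) and flag any credential-exposing logon by a domain admin on a host where that is not expected.

```python
"""Flag Domain Admin logons (Event ID 4624) that land on hosts where DA
activity is not expected.

Added example, not the post's Logstash pipeline. The admin account set, the
expected-host set, the field names and the sample events are constructed
assumptions.
"""
from collections import defaultdict

# Assumption: in production this set is refreshed from the Domain Admins group.
DOMAIN_ADMINS = {"corp\\da-jsmith", "corp\\da-backup"}

# Assumption: privileged access workstations and domain controllers where
# interactive DA logons are expected.
EXPECTED_HOSTS = {"PAW01", "PAW02", "DC01", "DC02"}

# Logon types that leave credentials on the box: 2 interactive,
# 10 RemoteInteractive (RDP), 11 cached interactive. Type 3 (network) is
# summarised but not alerted on here.
CREDENTIAL_EXPOSING_TYPES = {"2", "10", "11"}

# Constructed sample 4624 records, flattened the way Winlogbeat/Logstash
# would ship them (field names assumed).
SAMPLE_LOGONS = [
    {"event_id": 4624, "host": "DC01", "TargetDomainName": "CORP",
     "TargetUserName": "da-jsmith", "LogonType": "10", "IpAddress": "10.0.5.10"},
    {"event_id": 4624, "host": "WS-ACCT-17", "TargetDomainName": "CORP",
     "TargetUserName": "da-jsmith", "LogonType": "10", "IpAddress": "10.0.9.44"},
    {"event_id": 4624, "host": "WS-ACCT-17", "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "LogonType": "2", "IpAddress": "-"},
    {"event_id": 4624, "host": "FS02", "TargetDomainName": "CORP",
     "TargetUserName": "da-backup", "LogonType": "3", "IpAddress": "10.0.5.12"},
    {"event_id": 4624, "host": "WS-HR-03", "TargetDomainName": "CORP",
     "TargetUserName": "da-backup", "LogonType": "2", "IpAddress": "-"},
]


def account_key(ev):
    """Normalise DOMAIN\\user so it can be matched against DOMAIN_ADMINS."""
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()


def check_logon(ev):
    """Return a reason string if this logon should alert, else None."""
    if ev.get("event_id") != 4624:
        return None
    account = account_key(ev)
    if account not in DOMAIN_ADMINS:
        return None
    host = ev["host"].upper()
    if ev["LogonType"] in CREDENTIAL_EXPOSING_TYPES and host not in EXPECTED_HOSTS:
        return (f"{account} logon type {ev['LogonType']} on non-admin host {host} "
                f"from {ev['IpAddress']}")
    return None


def triage(events):
    """Return [(host, account, reason)] for every logon that should alert."""
    return [(ev["host"], account_key(ev), reason)
            for ev in events if (reason := check_logon(ev))]


def hosts_by_admin(events):
    """Dashboard-style summary: which hosts each DA account has touched (any logon type)."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("event_id") == 4624 and account_key(ev) in DOMAIN_ADMINS:
            seen[account_key(ev)].add(ev["host"].upper())
    return {acct: sorted(hosts) for acct, hosts in seen.items()}


if __name__ == "__main__":
    for host, account, reason in triage(SAMPLE_LOGONS):
        print("ALERT:", reason)
    for account, hosts in hosts_by_admin(SAMPLE_LOGONS).items():
        print(f"{account}: {', '.join(hosts)}")
```

The network (type 3) logon to FS02 is deliberately left in the summary but out of the alert list: service accounts and backup jobs generate those constantly, so in practice that rule needs a per-account allowlist rather than a host set.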
Threat Hunting: Finding Persistence Mechanisms
I wanted to write about the importance of checking for new services, as this is an avenue attackers use for persistence. While looking at newly created services…
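To make the "check newly created services" idea concrete, here is an added example in Python (not the author's Logstash or Sysmon configuration) that triages Windows System log Event ID 7045 records, the event written whenever a service is installed. The flattened field names, the sample events and the heuristics (binary in a user-writable path, an interpreter as the ImagePath, the PsExec service name, a generated-looking name) are constructed assumptions for illustration, not a complete detection.

```python
"""Triage Windows System log Event ID 7045 ("a service was installed")
records for persistence indicators.

Added example, not the post's Logstash/Sysmon configuration. The flattened
field names and the sample events are constructed to resemble what
Winlogbeat ships to Logstash; the heuristics are an assumption.
"""
import re

# Constructed sample events. A 7045 record carries ServiceName, ImagePath,
# ServiceType, StartType and AccountName; only the fields used here are kept.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "ServiceName": "Windows Update Medic Service",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k wusvcs", "StartType": "auto start"},
    {"event_id": 7045, "host": "WS01", "ServiceName": "hGzTkq",
     "ImagePath": r"C:\Users\bob\AppData\Local\Temp\hGzTkq.exe", "StartType": "auto start"},
    {"event_id": 7045, "host": "FS02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "StartType": "demand start"},
    {"event_id": 7045, "host": "WS03", "ServiceName": "Updater",
     "ImagePath": r"cmd.exe /c powershell -enc SQBFAFgA", "StartType": "auto start"},
    # A logon event mixed in, which the triage must ignore.
    {"event_id": 4624, "host": "WS01"},
]

# Directories where legitimately installed service binaries normally live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\",
                "%systemroot%\\system32\\")
# Path fragments that point at user-writable locations.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
# Interpreters / living-off-the-land binaries that should not be a service's ImagePath.
LOLBINS = ("cmd.exe", "powershell", "rundll32", "regsvr32", "mshta", "wscript", "cscript")


def reasons_for(event):
    """Return the list of reasons this 7045 record looks suspicious (empty if benign)."""
    if event.get("event_id") != 7045:
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").lower().strip('"')
    reasons = []
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("binary in a user-writable directory")
    if any(b in path for b in LOLBINS):
        reasons.append("ImagePath runs an interpreter or LOLBin")
    if name.lower() == "psexesvc" or "psexesvc" in path:
        reasons.append("PsExec service (lateral movement tooling)")
    # Crude heuristic: two or more lower->upper case flips inside a single
    # word (e.g. "hGzTkq") is typical of generated service names.
    if " " not in name and len(re.findall(r"[a-z][A-Z]", name)) >= 2:
        reasons.append("random-looking service name")
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("binary outside standard program directories")
    return reasons


def triage(events):
    """Return (host, service name, reasons) for flagged records, most reasons first."""
    flagged = [(ev["host"], ev["ServiceName"], reasons_for(ev))
               for ev in events if reasons_for(ev)]
    flagged.sort(key=lambda f: -len(f[2]))
    return flagged


if __name__ == "__main__":
    for host, name, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: new service {name!r}: " + "; ".join(reasons))
```

The "outside standard program directories" reason is intentionally low-severity on its own (plenty of legitimate agents install from vendor paths); it is there so that a service with nothing else wrong still shows up in a hunting list rather than disappearing, and the sort by reason count puts the ones worth opening first.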
Remote Connection Dashboards: VNC & RDP
Accountability is important, and sometimes we might need to investigate who made certain changes at a specific time, or ensure that our privileged accounts are not logging in to other…
Monitoring VPN Logins & Incorporating them to AD
Two articles ago I covered how to monitor Active Directory using ELK. Now you should be seeing account login information (successful logins, failed logins, lockouts, etc.). However, when looking at…
Labeling endpoint actions with Logstash – Threat Hunting
There have been plenty of instances where I have had to go through an investigation after a user clicked on a phishing email, to find out what happened afterwards. After performing…