We’re back after the weekend in Helsinki, and the office is resonating with Disobey-stories ranging from audit daemon to parties featuring Borat-swimsuits. Rumours about this event being great reached us long ago but a sincere bow to the organisers - it truly is one of the content-richest and crowd-vibrant infosec events in the Nordic region.
To get you in the mood, here's what happened before each main stage presentation. Video credits: @_kurimo_ (turn the bass up!):
Binging the CTF seemed like the central goal for a lot of folks at Disobey, the tables and cables were indeed crowded. Their passion was contagious because after spending some time as the fanbase of team Clarified Security, our CEO Renee decided it’s time to dig in. Thanks for the USB -> ethernet adapter, friends. Though we were too late and too few to put us onto the pedestal, it was fascinating to stroll around in the CTF machines using SpectX and figuring out what the organisers had had in mind. For example:
1. Get the
-----ORTVA BCRAFFU CEVINGR XRL----- ….
2. Execute
SELECT ROT13('-----ORTVA BCRAFFU CEVINGR XRL-----...')3. Use the key to configure a DataStore in SpectX.
4. Execute
Execute LIST('ssh://brutus/**************/*').....5. List all the files changed manually before 11 January (the first day of Disobey):
Exploring PowerShell Transcripts
Even if you’re not using PowerShell, your adversaries and pen-testers are. Why use custom hax0r tools when every Windows machine comes with a built-in scripting environment? Powershell lets the attacker do pretty much anything while leaving no traces on disks. It’s a mistake not to love PowerShell as an attacker and a mistake not to love PowerShell logs as a defender.
What to look for in your OpenVPN Access Server logs?
What’s the traffic load? What’s the user activity like? Where do they log on from? How much data is being sent and received? How many different IPs per user, users per IP? Any bad IPs in the mix? Here’s a tutorial on analysing and enriching OpenVPN Access Server logs with SpectX, a free tool that runs locally, skips ingestion and creates quick virtual views and queries directly on top of raw log files or databases.
Meet Free SpectX
To help security analysts analyse raw logs and any ad-hoc data in time-critical investigations, SpectX is glad to launch the free edition of its rapid log analyzer. The parser and query engine help investigators quickly parse and query unlimited volumes of raw and compressed log files without ingestion or indexing directly from their storages like on-prem servers, AWS, Azure, Hadoop and/or SQL databases.
Analyzing IIS logs: Microsoft Exchange, OWA and ActiveSync Activities
Need to audit a specific user connecting to their mailbox? Troubleshoot why users are not able to sync their mobiles via ActiveSync? Investigate errors in time intervals? The answer to these and many other questions lie in the IIS logs of the Microsoft Exchange server.
