How to Build a Miniature Network Monitor Device

LogRhythm’s Network Monitor is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center. However, there are many situations where a smaller, more tactical device is the optimal solution. To demonstrate how to easily deploy NetMon we decided to show you how to build a miniature device.

DPA-Powered Dashboards

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

PowerShell Command Line Logging

PowerShell is one of the best post-exploitation tools out there—simply because it’s already built in to every modern Windows system. And like the name states, it’s extremely powerful. PowerShell can be used to gather data, steal system information, dump credentials, pivot between systems, create backdoors and much more. The problem is that, by default, Windows only logs that PowerShell was launched. No additional details about what exactly happened are preserved. The only thing we can tell is that PowerShell called additional programs and possibly opened up a few network sessions. However, there is a way to gather additional details on PowerShell sessions and the command line in general. How to Gather PowerShell Details Often, the ideal way to tackle this ...

Kippo Honeypot: Log Replay Automation

Kippo is one of my favorite honeypots due to its sheer simplicity, portability, and ease-of-use. It comes with a really neat feature that allows you to replay what the attacker did once they gained access to the honeypot by way of the script. This is a somewhat lesser-known feature within Kippo that can be valuable as it gives the analyst insight into how the attacker interacted with the server , what commands they ran, what services were installed, potentially what Command and Control server they are operating from and much more. While you can already pull this data in to LogRhythm to gather important information using the extracted metadata, it’s another thing entirely to watch the attacker in action. ...