The books I read in 2025

Ghosts of Honolulu: A Japanese Spy, A Japanese American Spy Hunter, and the Untold Story of Pearl Harbor
Cadillac Desert: The American West and Its Disappearing Water, Revised Edition
The Unit: My Life Fighting Terrorists as One of America’s Most Secret Military Operatives
Character Limit: How Elon Musk Destroyed Twitter
Fat Leonard: How One Man Bribed, Bilked, and Seduced the U.S. Navy
China After Mao
Year of Living Constitutionally
Cobalt Red: How the Blood of the Congo Powers Our Lives
Ghost Wars
American Soldier
Careless People: A Cautionary Tale of Power, Greed, and Lost Idealism
American Buffalo: In Search of a Lost Icon
Lawrence in Arabia: War, Deceit, Imperial Folly and the Making of the Modern Middle East
The Wire
Someone Who Isn’t Me
Life After Power: Seven Presidents and Their Search for Purpose Beyond the White House
Why I Cook
Who Is Government?: The Untold Story of Public Service
World on the Brink: How America Can Beat China in the Race for the Twenty-First Century
Sellout: The Major-Label Feeding Frenzy That Swept Punk, Emo, and Hardcore (1994–2007)
Unrestricted Warfare
Shoe Dog: A Memoir by the Creator of Nike
White Rural Rage: The Threat to American Democracy
Comanches: The History of a People
The Wager: A Tale of Shipwreck, Mutiny, and Murder
None of This Rocks: A Memoir
The Guns of August
Down with the System: A Memoir
Breakneck: China’s Quest to Engineer the Future
Odyssey: The Greek Myths Reimagined
Stories of Your Life and Others
Accidental Presidents: Eight Men Who Changed America
Sailing True North: Ten Admirals and the Voyage of Character
Right Moves: The Conservative Think Tank in American Political Culture since 1945

December 31, 2025 · 2 min · Kimo B

Vibe coding a Mach-O parser

Way back in 2021, when I was working on my dissertation, I used a Python library called macholibre to parse Mach-O files. There are several other options for parsing this file type. I’m sure they’re all great, but it’s a lot to go through to find the features I want, mainly output as JSON that can be loaded easily into other applications. This seemed like a good opportunity to try vibe-coding a Swift-based Mach-O parser using ChatGPT. After some trial and error, I’ve made MachP available. Let’s look at how this went. ...
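As an added illustration of what such a parser has to do, here is a minimal 64-bit Mach-O header and load-command parser that emits JSON. It is example code written for this page, in Python rather than Swift, and is not MachP's or macholibre's code. The set of load commands it decodes (segments with section names, UUID, linked dylibs) is an assumption about what a hunter most often wants, not the post's feature list; every other command is recorded by type and size. The sample bytes are constructed inline so it runs offline, and every length field is bounds-checked so a malformed header produces an error instead of an exception or a wild read.

```python
"""Minimal 64-bit Mach-O header and load-command parser that emits JSON.

Example code for this page, not MachP (Swift) and not macholibre.  The sample
bytes below are constructed, not taken from a real binary.
"""
import json
import struct
import uuid

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O in host byte order (little-endian here)
MH_CIGAM_64 = 0xCFFAEDFE   # byte-swapped: file was written big-endian
FAT_MAGIC = 0xCAFEBABE     # universal wrapper; each slice holds a real Mach-O
LC_REQ_DYLD = 0x80000000   # high bit set: dyld must understand the command
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_LOAD_DYLIB = 0x0C
HEADER_LEN = 32            # sizeof(struct mach_header_64)
SECTION64_LEN = 80         # sizeof(struct section_64)


def _version(v: int) -> str:
    """Decode the packed X.Y.Z dylib version (16.8.8 bits)."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def _cstr(buf: bytes) -> str:
    """NUL-terminated, fixed-width name field to str."""
    return buf.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_macho(data: bytes) -> dict:
    """Parse a single-architecture 64-bit Mach-O; ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a mach_header_64")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        raise ValueError("fat binary: extract a slice first")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        e = "<"
    elif magic == MH_CIGAM_64:
        e = ">"
    else:
        raise ValueError(f"unsupported magic 0x{magic:08x} (32-bit or not Mach-O)")
    (_, cputype, cpusubtype, filetype, ncmds,
     sizeofcmds, flags, _) = struct.unpack(e + "8I", data[:HEADER_LEN])
    end = HEADER_LEN + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    cmds, off = [], HEADER_LEN
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds exceeds sizeofcmds")
        cmd, cmdsize = struct.unpack(e + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"load command at 0x{off:x} has bad cmdsize {cmdsize}")
        body = data[off:off + cmdsize]
        entry = {"cmd": f"0x{cmd:x}", "cmdsize": cmdsize}
        base = cmd & ~LC_REQ_DYLD
        if base == LC_SEGMENT_64 and cmdsize >= 72:
            (segname, vmaddr, vmsize, fileoff, filesize, maxprot,
             initprot, nsects, _sflags) = struct.unpack(e + "16sQQQQiiII", body[8:72])
            sections = []
            for i in range(nsects):           # section_64 array follows the command
                s = body[72 + i * SECTION64_LEN: 72 + (i + 1) * SECTION64_LEN]
                if len(s) < SECTION64_LEN:
                    raise ValueError("nsects exceeds segment command size")
                sections.append(_cstr(s[:16]))
            entry.update(cmd="LC_SEGMENT_64", segname=_cstr(segname), vmaddr=vmaddr,
                         vmsize=vmsize, fileoff=fileoff, filesize=filesize,
                         maxprot=maxprot, initprot=initprot, sections=sections)
        elif base == LC_UUID and cmdsize >= 24:
            entry.update(cmd="LC_UUID", uuid=str(uuid.UUID(bytes=body[8:24])))
        elif base == LC_LOAD_DYLIB and cmdsize >= 24:
            name_off, _ts, cur, compat = struct.unpack(e + "4I", body[8:24])
            if name_off >= cmdsize:           # lc_str offset is relative to the command
                raise ValueError("dylib name offset outside its command")
            entry.update(cmd="LC_LOAD_DYLIB", name=_cstr(body[name_off:]),
                         current_version=_version(cur), compat_version=_version(compat))
        cmds.append(entry)
        off += cmdsize
    return {"magic": f"0x{magic:08x}", "cputype": cputype, "cpusubtype": cpusubtype,
            "filetype": filetype, "ncmds": ncmds, "sizeofcmds": sizeofcmds,
            "flags": f"0x{flags:08x}", "load_commands": cmds}


def to_json(data: bytes) -> str:
    """JSON report; parse errors become an 'error' key instead of an exception."""
    try:
        report = parse_macho(data)
    except ValueError as exc:
        report = {"error": str(exc)}
    return json.dumps(report, indent=2)


def build_sample() -> bytes:
    """Constructed arm64 MH_EXECUTE: __TEXT with one section, a UUID and libSystem."""
    text_sect = struct.pack("<16s16sQQ8I", b"__text", b"__TEXT", 0x100003F00, 0x100,
                            0x3F00, 2, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + SECTION64_LEN, b"__TEXT",
                      0x100000000, 0x4000, 0, 0x4000, 5, 5, 1, 0) + text_sect
    uid = struct.pack("<II16s", LC_UUID, 24, bytes(range(16)))
    name = b"/usr/lib/libSystem.B.dylib\0"
    size = 24 + len(name)
    size += (-size) % 8                        # load commands are 8-byte aligned
    dylib = struct.pack("<6I", LC_LOAD_DYLIB, size, 24, 2, 0x05000000, 0x00010000)
    dylib += name.ljust(size - 24, b"\0")
    cmds = seg + uid + dylib
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0x00200085, 0)
    return hdr + cmds


if __name__ == "__main__":
    print(to_json(build_sample()))
```

Pointing `to_json` at `open(path, "rb").read()` produces the same shape of report for a real binary; a universal binary is rejected on purpose, since the fat header is a wrapper and the slices inside it are what need parsing.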

April 13, 2025 · 7 min · Kimo B

GPT Detections on Windows and Linux

Introduction This is a follow-up to A Little Less Malware, applying the same techniques to Linux and Windows data. There are some differences in this experiment. In the last one, we used Apple’s Endpoint Security Framework (ESF) to collect telemetry, which gave us process group identifiers (PGIDs) to work with. In this experiment, I’m using only the Elastic Agent and the process telemetry it provides. Unfortunately, Elastic Agent does not send the PGID for Linux, and while Windows notionally supports the concept, in practice it does not exist. First let’s look at a couple of ways to group activity without PGIDs. ...

February 17, 2025 · 5 min · Kimo B

Recap of the books I read in 2024

G-Man: J. Edgar Hoover and the Making of the American Century
Surf When You Can: Lessons in Life, Loyalty, and Leadership from a Maverick Navy Captain
Wilmington’s Lie: The Murderous Coup of 1898 and the Rise of White Supremacy
Exit Interview: The Life and Death of My Ambitious Career
Going Infinite: The Rise and Fall of a New Tycoon
Born in Blackness: Africa, Africans, and the Making of the Modern World, 1471 to the Second World War
Disillusioned: Five Families and the Unraveling of America’s Suburbs
The Secret Life of Groceries: The Dark Miracle of the American Supermarket
The Warmth of Other Suns: The Epic Story of America’s Great Migration
Ametora: How Japan Saved American Style
Enough
The Revolutionary: Samuel Adams
Good to Great: Why Some Companies Make the Leap…And Others Don’t
Number Go Up: Inside Crypto’s Wild Rise and Staggering Fall
On the Road
Paved Paradise: How Parking Explains the World
Fire on the Mountain: The True Story of the South Canyon Fire
The Kingdom, the Power, and the Glory: American Evangelicals in an Age of Extremism
Into Thin Air: A Personal Account of the Mt. Everest Disaster
Burn Book: A Tech Love Story
Dark Wire: The Incredible True Story of the Largest Sting Operation Ever
2054: A Novel
Three Pianos: A Memoir
New Cold Wars: China’s Rise, Russia’s Invasion, and America’s Struggle to Defend the West
Chip War: The Fight for the World’s Most Critical Technology
Midnight in the Garden of Good and Evil
Demon Copperhead
The CIA: An Imperial History
Mill Town
Russians Among Us: Sleeper Cells, Ghost Stories, and the Hunt for Putin’s Spies
We Fed an Island
Where Are Your Boys Tonight?: The Oral History of Emo’s Mainstream Explosion 1999-2008
Capital and Ideology
Survival of the Richest: Escape Fantasies of the Tech Billionaires

December 31, 2024 · 2 min · Kimo B

A Little Less Malware a Little More Context: Using AI to detect malicious activity

Introduction A coworker and I gave a talk at Objective by the Sea v7 on using Large Language Models (LLMs) as a behavioral detection mechanism. Another speaker, Colson, gave a great talk on why behavioral detections are so useful. LLMs are particularly adept at understanding and processing language-like structures, which include not only traditional text but also command-line arguments. In cybersecurity events, where command-line interactions often reveal attacker behaviors, LLMs can be leveraged to do behavioral detection without the analyst needing to be an expert in analyzing malicious actions or writing detections. ...

December 27, 2024 · 16 min · Kimo B

Monitoring Kubernetes with Security Onion

Introduction After adding Kubernetes to my homelab, I wanted to learn how to hack and hunt for malicious activity involving containers. I found Kubernetes Goat, which provides a great way to practice hacking. To do the hunting, we need some additional work to enable telemetry on the network, the containers, and Kubernetes itself. In this post I’ll walk through how I instrumented my MicroK8s cluster to hunt for the hacking actions you can do in Kubernetes Goat. ...

September 5, 2024 · 8 min · Kimo B

SecurityOnion GPT

Introduction I was recently catching up on some conference videos and saw a talk by Roberto Rodriguez on Empowering Security Teams with Generative AI: GPT models. This got me thinking about how to integrate GPT into hunting with Security Onion. Goals:
1. Summarize activity found in Security Onion
2. Enrich activity with MITRE ATT&CK attribution
3. Convert English questions to Kibana Query Language to hunt
In this post, I’ll tackle goals 1 and 2. I’ll do goal 3 in a separate post. These experiments will be conducted in JupyterLab. ...

February 12, 2024 · 14 min · Kimo B

Learning Kubernetes

I run a few services for the threat intelligence and hunting course that I teach, including CAPE, MISP, and Caldera. Last semester, I used a few VMs and Docker to provide these, but I wanted to learn Kubernetes. Here are some notes on migrating over.
Getting Started I started by trying Kubernetes The Hard Way but ultimately ended up using MicroK8s. The install guide was straightforward. I made 1x control plane node and 2x worker nodes. I used this blog as a starting point. I used Robert’s suggestion of nfs-subdir-external-provisioner to provide the persistent storage for my pods. ...

January 1, 2024 · 6 min · Kimo B

Recap of the books I read in 2023

Amazon Unbound: Jeff Bezos and the Invention of a Global Empire
The Devil Never Sleeps: Learning to Live in an Age of Disasters
All Blood Runs Red: The Legendary Life of Eugene Bullard―Boxer, Pilot, Soldier, Spy
The Creative Gene: How books, movies, and music inspired the creator of Death Stranding and Metal Gear Solid
The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime
Meet Me by the Fountain: An Inside History of the Mall
The Persuaders: At the Front Lines of the Fight for Hearts, Minds, and Democracy
The Ministry for the Future: A Novel
Anna Karenina
Cheap Land Colorado: Off-Gridders at America’s Edge
The End of the World Is Just the Beginning: Mapping the Collapse of Globalization
The Art of Being Indispensable at Work: Win Influence, Beat Overcommitment, and Get the Right Things Done
The Nineties: A Book
Slaughterhouse-Five
Pandemic, Inc.: Chasing the Capitalists and Thieves Who Got Rich While We Got Sick
Originals: How Non-Conformists Move the World
Winners Take All: The Elite Charade of Changing the World
Raw Dog: The Naked Truth About Hot Dogs
The Fifth Act: America’s End in Afghanistan
The Long Game: China’s Grand Strategy to Displace American Order
Not a Good Day to Die: The Untold Story of Operation Anaconda
Beautiful Swimmers: Watermen, Crabs and the Chesapeake Bay
Poverty, by America
Defeat into Victory: Battling Japan in Burma and India, 1942-1945
The Kingdom of Prep: The Inside Story of the Rise and (Near) Fall of J.Crew
Be Useful: Seven Tools for Life
Life Sentence: The Brief and Tragic Career of Baltimore’s Deadliest Gang Leader
Frederick Douglass: Prophet of Freedom
Toms River: A Story of Science and Salvation
Guns, Germs and Steel: The Fate of Human Societies
A Full Life: Reflections at Ninety
Spies and Lies: How China’s Greatest Covert Operations Fooled the World
Greenlights
Elon Musk

December 31, 2023 · 2 min · Kimo B

Putting phishing data into Security Onion

I wanted to add some phishing scenarios to my hunting homelab. I’m more concerned with being able to hunt on malicious emails than with stopping them, so DMARC, DKIM, and SPF are out of scope. If you have an offensive lens, you’ll want to look at something like this for an effective phishing setup. Let’s look at two areas: external mail, where phishing comes from, and internal mail, where phishes will be received. ...

July 20, 2023 · 5 min · Kimo B