Posts on kimobu

The books I read in 2025

Wed, 31 Dec 2025 00:00:00 +0000

Ghosts of Honolulu: A Japanese Spy, A Japanese American Spy Hunter, and the Untold Story of Pearl Harbor
Cadillac Desert: The American West and Its Disappearing Water, Revised Edition
The Unit: My Life Fighting Terrorists as One of America’s Most Secret Military Operatives
Character Limit: How Elon Musk Destroyed Twitter
Fat Leonard: How One Man Bribed, Bilked, and Seduced the U.S. Navy
China After Mao
Year of Living Constitutionally
Cobalt Red: How the Blood of the Congo Powers Our Lives
Ghost Wars
American Soldier
Careless People: A Cautionary Tale of Power, Greed, and Lost Idealism
American Buffalo: In Search of a Lost Icon
Lawrence in Arabia: War, Deceit, Imperial Folly and the Making of the Modern Middle East
The Wire
Someone Who Isn’t Me
Life After Power: Seven Presidents and Their Search for Purpose Beyond the White House
Why I Cook
Who Is Government?: The Untold Story of Public Service
World on the Brink: How America Can Beat China in the Race for the Twenty-First Century
Sellout: The Major-Label Feeding Frenzy That Swept Punk, Emo, and Hardcore (1994–2007)
Unrestricted Warfare
Shoe Dog: A Memoir by the Creator of Nike
White Rural Rage: The Threat to American Democracy
Comanches: The History of a People
The Wager: A Tale of Shipwreck, Mutiny, and Murder
None of This Rocks: A Memoir
The Guns of August
Down with the System: A Memoir
Breakneck: China’s Quest to Engineer the Future
Odyssey: The Greek Myths Reimagined
Stories of Your Life and Others
Accidental Presidents: Eight Men Who Changed America
Sailing True North: Ten Admirals and the Voyage of Character
Right Moves: The Conservative Think Tank in American Political Culture since 1945

Vibe coding a Mach-o parser

Sun, 13 Apr 2025 00:00:00 +0000

Way back in 2021 when I was working on my dissertation I used a Python library called macholibre to parse Mach-O files. There are several other options for parsing these file types. I’m sure they’re all great, but it’s a lot to go through to find some features I want. Mainly, outputting as JSON to easily load into other applications. This seemed like a good opportunity to try vibe-coding a Swift-based Mach-O parser using ChatGPT. After some trial and error, I’ve made MachP available. Let’s look at how this went.

GPT Detections on Windows and Linux

Mon, 17 Feb 2025 00:00:00 +0000

Introduction

This is a follow up to A Little Less Malware, applying the same techniques to Linux and Windows data. There are some differences with this experiment. In the last one, we used Apple’s ESF to collect telemetry, which gave us process group identifiers to work with. In this experiment, I’m using only the Elastic Agent and the process telemetry it provides. Unfortunately, Elastic Agent does not send PGID for Linux, and while Windows notionally supports the concept, in practice it does not exist. First let’s look at a couple of ways to group activity without PGIDs.

Recap of the books I read in 2024

Tue, 31 Dec 2024 00:00:00 +0000

G-Man: J. Edgar Hoover and the Making of the American Century
Surf When You Can: Lessons in Life, Loyalty, and Leadership from a Maverick Navy Captain
Wilmington’s Lie: The Murderous Coup of 1898 and the Rise of White Supremacy
Exit Interview: The Life and Death of My Ambitious Career
Going Infinite: The Rise and Fall of a New Tycoon
Born in Blackness: Africa, Africans, and the Making of the Modern World, 1471 to the Second World War
Disillusioned: Five Families and the Unraveling of America’s Suburbs
The Secret Life of Groceries: The Dark Miracle of the American Supermarket
The Warmth of Other Suns: The Epic Story of America’s Great Migration
Ametora: How Japan Saved American Style
Enough
The Revolutionary: Samuel Adams
Good to Great: Why Some Companies Make the Leap…And Others Don’t
Number Go Up: Inside Crypto’s Wild Rise and Staggering Fall
On the Road
Paved Paradise: How Parking Explains the World
Fire on the Mountain: The True Story of the South Canyon Fire
The Kingdom, the Power, and the Glory: American Evangelicals in an Age of Extremism
Into Thin Air: A Personal Account of the Mt. Everest Disaster
Burn Book: A Tech Love Story
Dark Wire: The Incredible True Story of the Largest Sting Operation Ever
2054: A Novel
Three Pianos: A Memoir
New Cold Wars: China’s Rise, Russia’s Invasion, and America’s Struggle to Defend the West
Chip War: The Fight for the World’s Most Critical Technology
Midnight in the Garden of Good and Evil
Demon Copperhead
The CIA: An Imperial History
Mill Town
Russians Among Us: Sleeper Cells, Ghost Stories, and the Hunt for Putin’s Spies
We Fed an Island
Where Are Your Boys Tonight?: The Oral History of Emo’s Mainstream Explosion 1999-2008
Capital and Ideology
Survival of the Richest: Escape Fantasies of the Tech Billionaires

A Little Less Malware a Little More Context: Using AI to detect malicious activity

Fri, 27 Dec 2024 00:00:00 +0000

Introduction

A coworker and I gave a talk at Objective by the Sea v7 on using Large Language Models (LLMs) as a behavioral detection. Another speaker, Colson, gave a great talk on why behavioral detections are so useful. LLMs are particularly adept at understanding and processing language-like structures, which include not only traditional text but also command-line arguments. In cybersecurity events, where command-line interactions often reveal attacker behaviors, LLMs can be leveraged to do behavioral detection without needing to be an expert in analyzing malicious actions or writing detections.

Monitoring Kubernetes with Security Onion

Thu, 05 Sep 2024 00:00:00 +0000

Introduction

After adding Kubernetes to my homelab, I wanted to learn how to hack and hunt for malicious activity involving containers. I found Kubernetes GOAT which provides a great way to practice hacking. To do the hunting, we need some additional work to enable telemetry on networks, containers, and Kubernetes. In this post I’ll walk through how I instrumented my Microk8s cluster to hunt for the hacking actions you can do in the GOAT.

SecurityOnion GPT

Mon, 12 Feb 2024 00:00:00 +0000

Introduction

I was recently catching up on some conference videos and saw a talk by Roberto Rodriguez on Empowering Security Teams with Generative AI: GPT models. This got me thinking about how to integrate GPT to hunting with Security Onion.

Goals:

Summarize activity found in Security Onion
Enrich activity with MITRE ATT&CK attribution
Convert English questions to Kibana Query Language to hunt

In this post, I’ll tackle goals 1 and 2. I’ll do goal 3 in a separate post. These experiments will be conducted in Jupyter lab.

Learning Kubernetes

Mon, 01 Jan 2024 00:00:00 +0000

I run a few services for the threat intelligence and hunting course that I teach, including CAPE, MISP, and Caldera. Last semester, I used a few VMs and Docker to provide these, but I wanted to learn Kubernetes. Here are some notes on migrating over.

Getting Started

I started trying Kubernetes the hard way but ultimately ended up using microk8s. The install guide was straight forward. I made 1x control plane node and 2x worker nodes. I used this blog as a starting point. I used Robert’s suggestion for nfs-subdir-external-provisioner to provide the persistent storage for my pods.

Recap of the books I read in 2023

Sun, 31 Dec 2023 00:00:00 +0000

Amazon Unbound: Jeff Bezos and the Invention of a Global Empire
The Devil Never Sleeps: Learning to Live in an Age of Disasters
All Blood Runs Red: The Legendary Life of Eugene Bullard―Boxer, Pilot, Soldier, Spy
The Creative Gene: How books, movies, and music inspired the creator of Death Stranding and Metal Gear Solid
The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime
Meet Me by the Fountain: An Inside History of the Mall
The Persuaders: At the Front Lines of the Fight for Hearts, Minds, and Democracy
The Ministry for the Future: A Novel
Anna Karenina
Cheap Land Colorado: Off-Gridders at America’s Edge
The End of the World Is Just the Beginning: Mapping the Collapse of Globalization
The Art of Being Indispensable at Work: Win Influence, Beat Overcommitment, and Get the Right Things Done
The Nineties: A Book
Slaughter House Five
Pandemic, Inc.: Chasing the Capitalists and Thieves Who Got Rich While We Got Sick
Originals: How Non-Conformists Move the World
Winners Take All: The Elite Charade of Changing the World
Raw Dog: The Naked Truth About Hot Dogs
The Fifth Act: America’s End in Afghanistan
The Long Game: China’s Grand Strategy to Displace American Order
Not a Good Day to Die: The Untold Story of Operation Anaconda
Beautiful Swimmers: Watermen, Crabs and the Chesapeake Bay
Poverty, by America
Defeat into Victory: Battling Japan in Burma and India, 1942-1945
The Kingdom of Prep: The Inside Story of the Rise and (Near) Fall of J.Crew
Be Useful: Seven Tools for Life
Life Sentence: The Brief and Tragic Career of Baltimore’s Deadliest Gang Leader
Frederick Douglass: Prophet of Freedom
Toms River: A Story of Science and Salvation
Guns, Germs and Steel: The Fate of Human Societies
A Full Life: Reflections at Ninety
Spies and Lies: How China’s Greatest Covert Operations Fooled the World
Greenlights
Elon Musk

Putting phishing data into Security Onion

Thu, 20 Jul 2023 00:00:00 +0000

I wanted to add some phishing scenarios to my hunting homelab. I’m more concerned with being able to hunt on malicious emails than on stopping them, so DMARC, DKIM, and SPF are out of scope. If you have an offensive lens, you’ll want to look at something like this for an effective phishing set up.

Let’s look at two areas: external mail where phishing comes from and internal mail where phishes will be received.

Adding macOS to my security homelab

Wed, 10 May 2023 00:00:00 +0000

This post has notes on how I added a macOS machine to my security homelab.

Install macOS to Proxmox

Follow this guide to install macOS onto a Proxmox cluster. This will result in an x86 based VM. I plan on looking into an ARM node in the future. Reference this page if you don’t want to extract OSK yourself. Additional note, this installed to local-lvm, not my GlusterFS storage.

Bind macOS to Active Directory

Since the rest of the lab is a Windows Active Directory domain, I wanted to join the macOS VM to the domain so domain users could login. Follow the guide here for high level guidance. Ventura changed the look of the Directory Utility but the overall concepts are the same. In Directory Utility, tick the option to “create mobile account at login” and add the “Users” OU to allowed administration.

Recap of the books I read in 2022

Sat, 31 Dec 2022 00:00:00 +0000

The above are Amazon affiliate links. As an Amazon Associate I earn from qualifying purchases.

Reflecting on Completing a PhD

Fri, 13 May 2022 00:00:00 +0000

In March of this year, I successfully defended my dissertation An Application of Machine Learning to Packed Mach-O Detection. After four years, I completed a PhD in Cyber Operations from Dakota State University (DSU). In this post, I want to reflect on this journey, what I learned, and thoughts on the program.

Curriculum

The DSU PhD in Cyber Operations consists of core technical classes, core research classes, electives, and the dissertation. When I started the program, it was actually a Doctor of Science (DSc) vice a Doctor of Philosophy, but the South Dakota Board of Regents approved the transition to PhD relatively soon after my acceptance.

Recap of the books I read in 2021

Fri, 31 Dec 2021 00:00:00 +0000

The above are Amazon affiliate links. As an Amazon Associate I earn from qualifying purchases.

log4j JNDI Exploitation

Fri, 10 Dec 2021 00:00:00 +0000

Situation

A remote code execution (RCE) bug was found in log4j. CVE 2021-44228 has been assigned to it. The vulnerability lies in how log4j interprets Java Naming and Directory Interface (JNDI) URLs. JNDI lets an application look up a service. An attacker can craft a string that looks like “${jndi:proto://host/a}” where proto is ldap or rmi, and log4j will connect to the host to retrieve a, which would specify how to process the log entry. However, a can instead provide Java bytecode that log4j will execute.

Security Onion on Proxmox

Wed, 26 May 2021 00:00:00 +0000

Security Onion on Proxmox

I originally set up my homelab using Ovirt, but have since switched back to Proxmox. The reason for that is that the version of qemu that Ovirt ships with does not support the “applesmc” device that is needed to run macOS guests, whereas Proxmox does. Another benefit is that Proxmox supports running containers, while Ovirt required full virtual machines, and Proxmox is overall much faster at every day tasks like starting or migrating a VM. I kept the same infrastructure as before, including using Gluster as shared storage amongst the compute nodes.

Hacking a Computer Remotely through a Phone

Sat, 01 May 2021 00:00:00 +0000

In a recent demonstration of cyber and electronic warfare capabilities, I had the opportunity to enable access into a network by exploiting a computer remotely through a cell phone. In this blog post, I’ll document some of the challenges that were encountered and how they were overcome.

Scenario

The scenario for this demonstration was: an offensive cyber operations team wants to gain access into a targeted computer network which includes a wireless access point. The targeted network is firewalled and NAT’d, and social engineering techniques such as spear phishing have been unsuccessful. In order to gain access into the network, a human source is used to approach the facility that houses the network (think a residential building) and gains close enough proximity to sense the radio frequency (RF) emissions from the facility.

Converting DoH to DNS

Wed, 06 Jan 2021 00:00:00 +0000

In a previous post I wrote about investigations that I performed on DNS over HTTPS (DoH). That research was performed as part of Cyber Security Research. During Security Tool Development, I expanded on that research by implementing a Python script which creates DNS wire format packets from a DoH packet capture. This post describes how that script was made and how it works.

Updates to gen_doh.py

In addition to the use of sslkeylog which was discussed in the previous post, I needed to update the client_protocol.py file. Line 45 of that file contains:

Recap of the books I read in 2020

Thu, 31 Dec 2020 00:00:00 +0000

The above are Amazon affiliate links. As an Amazon Associate I earn from qualifying purchases.

Installing the Cuckoo Sandbox Using KVM

Thu, 23 Jan 2020 00:00:00 +0000

The Cuckoo project provides a safe environment in which to execute malware (also called “detonating”). I will be using Cuckoo as part of a malware analysis class. There are several guides that you could follow to setup Cuckoo, but almost all of the ones that I found used VirtualBox as a hypervisor. Since I have a homelab running on KVM, I wanted to install Cuckoo to use that as well. There is no groundbreaking information in this post, but it consolidates information that I had to find from several different sources while troubleshooting.

Investigating DoH

Tue, 31 Dec 2019 00:00:00 +0000

DNS Security

As a plain-text protocol, DNS lacks Confidentiality, Integrity, and Availability (CIA) protections. An attacker who can observe DNS activity can see where the DNS request originated from, where responses came from, what the query and response were, or tamper with the response.

DNS over HTTPS (DoH) effectively mitigates many of those weaknesses. Instead of being a plain-text protocol over UDP, DoH is an exchange of DNS queries and responses over a TLS encrypted connection, using the HTTP2 protocol to transmit messages. Because of this encryption, an attacker can neither observe nor tamper with DoH queries and responses.

Recap of the books I read in 2019

Tue, 31 Dec 2019 00:00:00 +0000

The above are Amazon affiliate links. As an Amazon Associate I earn from qualifying purchases.

Recap of the books I read in 2018

Mon, 31 Dec 2018 00:00:00 +0000

The above are Amazon affiliate links. As an Amazon Associate I earn from qualifying purchases.

Recap of the books I read in 2017

Sun, 31 Dec 2017 00:00:00 +0000

The above are Amazon affiliate links. As an Amazon Associate I earn from qualifying purchases.