Velociraptor is a cool name for a dinosaur, let alone a software package. I did a course today with one of the developers, and it looks like a great FOSS solution to EDR and threat hunting.

First, download the package from the releases page. It’s a very small, self contained file.

Here’s my notes from the day.

To configure the client

rem make the install dir
mkdir "c:\Program Files\Velociraptor\"
rem make the config file
velociraptor.exe --config velo_client.yaml config client > velo_client.yaml
rem connect the client
velociraptor.exe --config velo_client.yaml client -v

To run the server

I couldn’t find an easy list when I went looking for these, so I made a list.

View Window

Keyboard

I’ve been playing around with stackstorm for a little while now, and wanted to get back into it after a bit of distraction on other things. The idea of automating a lot of my daily repetetive tasks really appeals to me, so I started work on another module today.

The end result of today’s head-desking was st2-whois, a pack that does basic whois calls and saves me from having to find the website that works just right for it, or open a shell from a box with the right access.

This article on Naked Security is a little bit calmer than some of the other coverage I’ve seen. If I was doing physical/staff security for a large organisation with a global platform I’d totally be using any intel sources I could find to help improve my results. This has to be the least creepy thing they do with thier data.

What’s unique about Facebook’s approach to BOLOs is that it doesn’t just disseminate a list of names to security staff. Facebook also mines its platform for threatening posts. Sometimes, Facebook goes so far as to use its apps to discern the whereabouts of people whom it finds threatening, to determine whether they pose a credible threat.

[Read More]

I really like this idea from a longer post about the ethics of blogging by Brett Terpstra

I sometimes wish that job résumés and Tinder profiles required an appendix of all of the comments a person has left on other’s work in the last year. You can learn a lot about a person from how they approach offering criticism when it’s not face to face.

Anonymity’s a mess, I’m thankful I seem to live on a nicer part of the internet most of the time, more through lack of exposure.

I was trying to install TheHive and ran into some issues with configuration.

When trying to log in for the first time, I was getting “Elasticsearch cluster is not available” as a little red popup on the login screen.

When checking the log /opt/thehive/logs/application.log I found the following line:

2019-01-28 21:22:34,494 [WARN] from org.elasticsearch.client.transport.TransportClientNodesService in main - node {#transport#-1}{1eyCBCV1Rs-oVwFIHuQ7cw}{127.0.0.1}{127.0.0.1:9300} not part of the cluster Cluster [Cluster], ignoring...

This means the cluster name doesn’t match between TheHive and elasticsearch - mainly it is probably not set in elasticsearch - because that’s the default on install. The following two lines need to have matching outputs:

This fascinating story of a life-long journey to explore the story of President Lyndon Johnson’s life was amazing read. I don’t have any real interest in American politics, but I do love great writers, and Robert A. Caro is definitely one of them.

He didn’t look up. After a while, I said tentatively, “Mr. Hathway.” I couldn’t get the “Alan” out. He motioned for me to sit down, and went on reading. Finally, he raised his head. “I didn’t know someone from Princeton could do digging like this,” he said. “From now on, you do investigative work.”

[Read More]

This article by Dan Abramov about Bug-O Notation is a great one.

The Big-O describes how much an algorithm slows down as the inputs grow. The Bug-O describes how much an API slows you down as your codebase grows.

Without explicitly calling it out, he describes using simple Finite State Machine concepts that allow for explicit, identifiable state positions rather than nested calls and race conditions. It’s a great way of thinking about things - if you know where you are, you can explicitly reset the UI and rebuild it with much less effort.

This post has been updated - I found some errors which don’t brick devices, but cause issues with wifi. Don’t use old versions of esptool!

This is a pretty sparse example but it got me working on my Ubuntu machine.

2. Install esptool from pip - don’t use the one from apt, as of this writing it’s v2.1, where pip has v2.6. The command is pip install esptool
3. Download the M5Flow MacOS version from http://flow.m5stack.com/- M5Burner_MacOS.zip in my example.
4. Grab the firmware directory from the zip file and move it to Documents (for example):

• cd $(mktemp -d)
• unzip ~/Downloads/M5Burner_MacOS.zip 'M5Burner_MacOS.app/Contents/Resources/firmware/M5Flow/*
• mv M5Burner_MacOS.app/Contents/Resources/firmware/M5Flow/ ~/Documents

3. This’ll give you the firmware folder with a bunch of version in it, eg M5Flow/v1.1.1-en
4. cd ~/Documents/M5Flow/v1.1.1-en
5. Plug the M5Stack in, and then run ./flash.sh
6. This’ll reboot the device a few times until it’s in bootloader/flashing mode, then upload the firmware.
7. Once it’s done, tap the power button to reboot into the new firmware.

Below is the output when it can’t identify the device and is going to do it wrong. The important part is the “unknown” in Chip is ESP32D0WDQ6 (revision (unknown 0xa)).

Trying to log into the Citrix Xenapp Storefront at work today, it looks like they’ve got a new certificate.

This is a pretty easy fix, search for the certificate name and download it, then put it in the right place.

For me, on my Debian machine, it’s /opt/Citrix/ICAClient/keystore/cacerts.

I didn’t have to do anything else, it just worked at that point - start the client again and back to work.