This site allows you to subscribe to various vendors and products to receive CVE (Common Vulnerabilities and Exposures) alerts on new releases and changes to existing ones. The emails contain just your selections, so you do not need to scroll through multiple products or vendors that are not of interest. This allows more targeted alerts for the products you use in your environment. I really like this compared to other subscription services, as looking through a list of various products/vendors that might be applicable was always a waste of time and carried the risk of missing important CVEs.
Improvements: This website is new in the last 6 months and quite basic for the time being. I would like to see an option to specify the level of alerts based on the rating (low, medium or high). Right now, the website will alert you to all new CVEs for the specified products/vendors and any changes, regardless of level. Luckily, you can go to the site and filter by rating.
Below is the script that I have been working on to install Sysmon through Group Policy so you do not have to install it on each workstation/server. I hope to make a few more modifications around updating the .xml file, or create a separate script for that. The guide for this should be coming over the next week or two and will tie into our WEF deployment guide. From there we will forward the logs from our WEF server to Splunk for easier manipulation of the data. To use the script, just replace <<DOMAIN>> with your domain/file location.
@echo off
REM Startup script: copy the Sysmon config from SYSVOL, install Sysmon64 if it is absent, then make sure the service is running.
IF NOT EXIST "C:\sysmon" (mkdir "C:\sysmon" & copy /v "\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmonconfig-export.xml" "C:\sysmon\sysmonconfig-export.xml")
REM sysmon64.exe installs itself as C:\Windows\Sysmon64.exe and registers the service as Sysmon64 (the original checked for Sysmon.exe / Sysmon, which never matches a 64-bit install).
IF NOT EXIST "C:\Windows\Sysmon64.exe" GOTO Install
GOTO StartService
:Install
"\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmon64.exe" -accepteula -i C:\sysmon\sysmonconfig-export.xml
:StartService
net start Sysmon64
EXIT /B 0
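As an added example (not the post's own script), here is a PowerShell startup-script variant that covers the config-update case mentioned above: it installs Sysmon64 from SYSVOL when missing and, when the SYSVOL config differs from the local copy, reloads it with `-c` instead of reinstalling. It assumes the same <<DOMAIN>> placeholder and file names, and that the 64-bit installer registers the service as Sysmon64.

```powershell
# Added example, not the post's script. Paths mirror the batch version; <<DOMAIN>> is a placeholder.
$share     = "\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon"
$installer = Join-Path $share "sysmon64.exe"
$sourceCfg = Join-Path $share "sysmonconfig-export.xml"
$localDir  = "C:\sysmon"
$localCfg  = Join-Path $localDir "sysmonconfig-export.xml"
$sysmonBin = "C:\Windows\Sysmon64.exe"   # Sysmon64.exe copies itself here on install

if (-not (Test-Path $localDir)) {
    New-Item -ItemType Directory -Path $localDir | Out-Null
}

# Compare hashes so a config change published to SYSVOL is picked up on the next boot.
$needsConfig = $true
if (Test-Path $localCfg) {
    $needsConfig = (Get-FileHash $sourceCfg).Hash -ne (Get-FileHash $localCfg).Hash
}
if ($needsConfig) {
    Copy-Item $sourceCfg $localCfg -Force
}

if (-not (Test-Path $sysmonBin)) {
    # Fresh install: -i installs the driver and the Sysmon64 service and starts it.
    & $installer -accepteula -i $localCfg
}
elseif ($needsConfig) {
    # Already installed: -c loads the new configuration without reinstalling.
    & $sysmonBin -accepteula -c $localCfg
}

# Make sure the service is running either way.
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    Start-Service -Name Sysmon64
}
```

Deploy it as a computer startup script in the same GPO so it runs as SYSTEM before users log on.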
The following is a list of helpful user agent strings that I have found useful for blocking bogus requests to your website. Even on an unknown site, you are going to see these block a few thousand attempts every day. The one I see most frequently is Jorgee. These are vulnerability scanners using their default user agent. They are likely looking for low-hanging fruit, but it is nice to block them anyway. Below, I have separated my Wordfence user agent blocks and use the equals sign (=) as the delimiter between the string and a description. I will be updating this post when I find more, and the new ones will be added at the end.
Here are some helpful nmap scans for SQL, SMTP, SMB, and FTP. These can give you ideas by helping you enumerate the target system. Just replace 192.0.2.0/24 with the target address or range. If a single host is targeted, the --open option can be removed.
This is a new Python script that I saw which works similarly to searchsploit. Basically, it will search through all the CVEs for your search terms. If you are on a fresh install of Kali, you will need to install pip for Python 3. This can be accomplished with:
This will be where I keep scripts and quick notes on what I find interesting on the topic of information security. I am currently working towards the OSCP and hope to have it completed this fall. Expect to see a few VulnHub write-ups, general Active Directory information, and how-to articles posted over the next few months. This is primarily a test website to try out Amazon EC2 and further expand my knowledge of their hosted infrastructure offerings.