I spent a short while googling around to find a way to install Suricata on Windows that would actually work. Turns out, it’s not that simple to install and there was no easy button. Eventually, I got something to work, albeit not pretty, but it is reproducible!

In my case, I am using Splunk Attack Range and the Server has the Splunk UF installed. If you are using Splunk, you will need the Suricata TA.

My simple little script will:
1. Download Suricata
2. Download NPcap
3. Prompt for clicking of NPcap
4. Restart Splunk UF
5. Download suricata.yaml (from GIST)
6. Start all the…

Like most defenders out there today we keep hearing and seeing CobaltStrike used by actors. I wanted to share some notes on some back of the napkin research I’ve been doing related to it in hopes that it sparks interest in others to begin investigating more.

It wasn’t until about 2 years ago I realized how powerful CobaltStrike is. If I am this late, I can’t imagine how far heavily funded adversaries are in generating their toolsets. I know some more advanced Red Teams have been using these capabilities to their fullest, but many are still using the defaults. Some…

A while back, I tweeted how to setup BOTS on DigitalOcean, but I never blogged it for easier access. Let’s get started.

For $10 (or $5) on DigitalOcean, you can setup a simple Ubuntu instance with Splunk and BOTS (Boss of the SOC) v2 dataset OR BOTSv3 dataset.

Head over to DigitalOcean —
Or use my referral link —

Create your account, or login.

Now, make your first droplet -

Droplet choices

If you want to build it and performance is not a big issue - $5 instance is perfect. If you want to ensure things perform decently — go…

I’ve been having so many conversations with @subtee about hunting and blue team that I decided it would be beneficial to showcase how I hunt through all sorts of data in a scenario where I was just “dropped in”. In this scenario, I decided to use the Splunk Boss of the SOC dataset as it contains:

  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:System
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • fgt_event
  • fgt_traffic
  • fgt_utm
  • iis
  • nessus:scan
  • stream:dhcp
  • stream:dns
  • stream:http
  • stream:icmp
  • stream:ip
  • stream:ldap
  • stream:mapi
  • stream:sip
  • stream:smb
  • stream:snmp
  • stream:tcp
  • suricata
  • winregistry

In this scenario, I am acting as a data analyst who was given a mass dataset and was told to find…

We have come a short way since the initial revolution of Sysmon posts related to hunting and App creation in different log management platforms. In that short span, many ELK and Graylog apps have cropped up. Today, to help those in need on the Splunk side, @jarrettp and I have combined our two Splunk Apps to make a single great Splunk App for Sysmon. We hope this helps you with visibility and increased threat detection using Splunk and Sysmon.

In short, this is a combination of my previous blog posts related to hunting with Sysmon and Jarrett’s great Splunk dashboarding…

Previously I mentioned I would release my simple generic Splunk App to help anyone almost instantly operationalize Sysmon data. So, here it is! It is nothing completely fancy or of superior wizardry caliber, but it will get you everything you ever wanted to begin monitoring for evil in your environment. The goal of this project is to contribute back to the InfoSec industry in relation to Threat Hunting. I believe we all need to share our hunting methodologies along with tools. …

As usual, there has been a lot of chatter about threat hunting, but never enough tactical guides or threat hunting methods from individuals. I recently gave a talk at BSidesSD titled “Detecting and Preventing the Adversary”. A majority of the talk was focused on hunting and the methodology I implement. In the past, I worked at a large MSSP where we pulled in every datasource, small and large, and more recently I have focused on a single datasource. Before threat hunting was a buzzword, very few people talked about going off the grid to identify patterns. There is no voodoo…

Michael Haag

I write, sometimes, about InfoSec related topics and I love coffee.
