this Cybersecurity Platform is FREE

Captions
Security information and event management platforms, or SIEMs (you can pronounce it however you want), are that centralized location where all of your security information and events get poured into so you can manage them. And endpoint detection and response, or EDR (maybe you can even up the ante: if it takes in some network telemetry, you can call that an extended detection and response platform, or XDR), is the security tool that detects and responds to incidents or malicious activity, hackers in the network. Now those tools, and all the others for modern-day cybersecurity defense, can get pretty expensive, but I want to tell you about one awesome utility that combines that SIEM and XDR solution, and it's totally free and open source and awesome all around. I want to tell you about Wazuh.

Wazuh is exactly that: it is the open-source security platform, and it is super duper easy to kick the tires and get it running. We're going to set it up in like less than 5 minutes, but look at all the cool things you can do with it. It is endpoint security, after all; it's running on your computer, on your devices. But you can do some threat hunting, like look for hackers, try to find malware, dig into logs and different vulnerabilities, and do some incident response if something goes wrong, or track a whole lot of those regulations like GDPR, PCI, HIPAA, all those, and even cloud security with Office 365 or AWS integrations. I could keep singing the praises of Wazuh, it is super duper cool, but you know what, let's just dive in. Let's set it up in an on-premise environment so that we can play with it. It is open source, after all, and we can roll with it completely free. All we have to do is click that big Install Wazuh button.

Now here's the gist: Wazuh started as a fork of the OSSEC project way back in, I think, 2015, like eight years ago, and it worked a lot with Elasticsearch, so there are different components that make up the sort of server and agent architecture. You have a Wazuh indexer, you have the Wazuh server itself, and
then the dashboard for you to be able to look into things and explore. That makes up the server component, but the agents, the actual computers that are under management with Wazuh, that's all worked by the agents, and the agents can run on like anything: there's support for Linux, there's support for Windows, macOS, even Solaris, I got like HP-UX in here. It's super cool. Let's try it out. We can go ahead and click the Quick Start button, and then we get dropped into the documentation. Now I know not everyone likes to read, but I am a huge proponent of showing you the documentation and getting it in front of you, because that is literally the guidebook that has all the answers; it's just a matter of taking a look. So I will be showcasing a lot of the documentation, but I think that is super important if you want to play with this.

So here is the quick start guide on spinning up Wazuh, completely free, open source. You can take a look at the licenses, but here the hardware requirements are pretty easy, not going to lie. We can just spin this up in our own virtual machine, takes whatever operating system here, but the backend, the sort of central components, the server side, should be on 64-bit Linux. We can just get this cruising on a modern Ubuntu 22.04, and I got to be honest, this is just copy-paste: you can download and install the Wazuh installation assistant with just a simple curl, and then, hey, okay, run it with sudo bash. I know some folks might get a little bit squeamish on piping curl to bash, but look, we can dig into the source code, we could examine that script if we really wanted to, and I think we can trust it and run it. Now if you don't already have an Ubuntu Linux machine kind of set up for yourself, maybe just something that you could kick the tires with and run with, we can go ahead and download the Ubuntu Desktop or Ubuntu Server versions from their website, but I do happen to have just maybe a simple little test bed that we could play with, an Ubuntu. All right, so we are in our Ubuntu box. Let's go ahead
and open up the terminal here. I'll go ahead and full-screen this, amp up the text size a little bit. Now let's get back to the Wazuh documentation and just sort of copy and paste this curl command to go ahead, download and install Wazuh. Before I do that, I know I'm going to be hopping in and out of a lot of different computers for this demo, so I am going to go ahead and change the background on this terminal to just something that we are able to recognize, maybe just, uh, white text on a black background. That way we'll know that that is our server. Now I'll go ahead and paste this all in and let's fire it up. Need to enter our password with sudo. Starting the Wazuh installation assistant; this is the modern version, current release I think is 4.5.4, and then it'll just start cruising. Not too much to this, you really just kind of let it do its thing. Hey, it'll add the repository, it'll set up the indexer, and soon enough it'll be done. It'll just spit out, hey, our username and password to be able to log in to the web interface of the Wazuh dashboard, and, well, let's go ahead and store this password just somewhere safe so we'll be able to remember it and use it here. And with that we can go ahead and access our dashboard. We'll need to know our dashboard IP address, which is just localhost from the perspective of the server, but if we actually took a look at our current IP address, we are 1 192168 11111 161, so keep that in mind when we start to install our agents. But first things first, let's just go take a look. I'll open up my web browser, Firefox, and easy peasy, let's just go to 19216 81111 161. I'll hit enter here, and this is a self-signed certificate, but that is A-okay, we know we just installed this thing, so let me go ahead and hit Advanced and just Accept the Risk and Continue. Oh, here we are, the Wazuh open source security platform. All right, the username was admin and the password we can go ahead and paste in. Let's log in. Sweet, firing on all cylinders, making sure everything is good to
go, and here we are. So this is the Wazuh dashboard. There's not a whole lot to it right now because we need to go ahead and add agents to the manager, to this server instance, but take a look at all the different things that we could dig into once we get started. You know what, hey, let's just keep cruising. Let me go ahead and add an agent here. It brings up this Deploy New Agent little wizard, and look at all the different things it supports. Check it out: if you show more, you can see all the different operating systems that you might be able to just fire up in here, openSUSE, Alpine. We're keeping it easy; let's just use another Ubuntu instance, and we'll use Ubuntu 15 and up, right, we're just using 22.04. Architecture is 686, that's fine. Our server address needs to be the IP address of our server, which we know ends in 161 here. It's optional, but we could set up an agent name, sort of like, hey, an identifier for that specific endpoint. I want to be able to add a Windows host later, so I'm just going to call this one Linux. Now if we scroll down, hey, here is the command, here's everything that we need to just get this thing hooked up to Wazuh. But of course we need a computer, we need another box to be able to put this agent on. I'm going to keep it easy; let me just go ahead and clone another Ubuntu instance. Here we go, let's go ahead and cook up that box, and okay, here we are in that new Ubuntu instance that will be our agent, or sort of our client here, and we can go ahead and just copy and paste that curl command. Here, let's click to copy that from the Wazuh dashboard setup, right-click and paste, and hit enter, enter that password for sudo, and that's it, it's done: Wazuh is installed and ready on this sort of client agent box. But we can't forget, we should get this thing started. We need to have it run as a service, and we'll be using systemctl to go ahead and reload that daemon and get it cruising. This is actually worth noting here, because I'll go ahead and paste these commands in, uh, but keep in mind
we'll use this sudo systemctl start, or restart, or status of the wazuh-agent over on our client and our agent boxes, right. Let me do that: sudo systemctl status of our wazuh-agent, and now we can see it is active and running. When we are over on our server side, let me get back to the terminal here, that should be sudo systemctl status of our wazuh-manager; you can see that if I fill out that password, that is active and running, but it is -manager over on the Linux server side. So let's get back to Firefox, and this has everything done for us. If I go ahead and go Home on Wazuh, can I see? I have one new total agent. That is awesome. Let's go and click on that, go see our total agents, and there it is, there is our Linux agent. Super cool, super duper easy. Let's add another one, 'cause it's so fast and so simple. Let's go ahead and spin up our Windows box. We'll go ahead and get a Windows machine booted up for us, let's go ahead and log in. All right, Windows is ready and ripping here for us, and deployment should be super duper easy again: fill in that server address; it shouldn't need its own set agent name, because again that is optional and the Windows hostname will be pretty unique as it is, and this is the command we can simply copy and paste in an administrator PowerShell prompt to get this thing rolling. Let's open up PowerShell, I'll right-click and Run as administrator, yes, I'm good to run with it, let's get full screen with F11 here, and now I am inside Windows PowerShell. Let's go ahead and paste in all that PowerShell to run this. Oh, there it goes, downloaded it all, and done, easy peasy. Now we just need the commands to go ahead and start the service, which is pretty simple; it's just Wazuh on Windows. We can use net start to run that, or just Start-Service in PowerShell: Start-Service Wazuh. All righty, looking good on the Windows front. Let's get back to the homepage of Wazuh and look at that, two agents. All right, so you can see getting agents hooked into this thing is like crazy
easy to do. You can push that out with like Group Policy or whatever RMM, remote monitoring and management, you want, just fire it out to all the endpoints, and the agents don't do a whole lot; they just like report back all this information. It's meant to be lightweight and keep all the processing on the server components, and the server components, like all the clusters, the indexing, the dashboards, all that brains and the heart of the operation, can really be kind of spread out and distributed if you want. We did it super easy with just some on-premise box, like a virtual machine, but you could even do it with Docker if you wanted to; Wazuh even supports like multi-tenant options.

Now let's go take a look at some of those events, right, like everything that our SIEM, security information and event management platform, is just pulling up here for us. Let's look at those security events for all of our agents, and look at this: you can see the breakdown here in these beautiful little graphs and charts (this is gorgeous, by the way), but look, it digs into the MITRE ATT&CK framework, attacks, different alert levels, or what some of the most talkative and chatty agents are. And ooh, it looks like maybe Linux, our Ubuntu agent, was going through an update, tried to install a whole bunch of different packages, so we have that visibility. And honestly we can go up to just the Events section here, and then we can see, in like basically the same sort of Elasticsearch (or it's really OpenSearch now in the back end, but just like we might be familiar with in an ELK stack), you can search through all these different events, dig into and interrogate some of the actual fields and information in there, or we could search for whatever we want. So let's say back on our, uh, Linux host, our Ubuntu agent here, right, what if we had some operations, I don't know, we were running the whoami command, maybe we were firing up different applications, we can open up the calculator, nice and cheesy, or we could start to become the
administrator, like sudo bash, to try to see, hey, can we actually make any configuration changes or system-administer this machine. Let's get back to the dashboard and let's actually go look at the agents so we could drill down into specifically whatever one we wanted, right. Let's go look at our Linux agent here, our Ubuntu. All that's sexy and interesting for you maybe as you're a student, or hey, just kind of want to get in the weeds in the operations here. Learning about GDPR and HIPAA and PCI is its own thing, but for companies and organizations that need to obey those specific regulations and standards, this is awesome. You can dig into whatever you really wanted to for either of these compliance standards: NIST is in here, here's HIPAA, GPG13. Whenever a rule is fired within Wazuh, or any events come through, oftentimes they're actually even tied to those compliance settings, so you could just dig into, I don't know, do we match this specific requirement. I was showing that More drop-down dialog box, and you could get into other policies or system modeling if you wanted to here, and one of my favorites is the Security Configuration Assessment, because look, uh, if folks are trying to spin up in an organization a hardened system, like a secure network that's boarded up all the doors and windows here, oftentimes you'll go for the CIS Benchmarks. If you aren't familiar, the CIS Benchmarks, these come from the Center for Information Security; these are a godsend for actually configuring and having like the playbook to structure and set up your environment and harden your systems. And it's really, really cool, because Wazuh will just like delta this, like find the benchmark differences that you need to go ahead and configure, and back over here on the dashboard, like look, we're just truing this up against the Ubuntu benchmark from the Center for Information Security, and hey, there's a lot of work that we can do from just this flat vanilla install. What if we actually made sure to go
through all of these hardening configuration settings: make sure /tmp is a separate partition, make sure that, hey, things can't execute out of the temporary drive, disable automounting of devices, remove some unneeded tooling so you can limit your attack surface, or you actually configure, hey, some things that make you secure. This is super cool, and I love that Wazuh will just show you that right out of the gate.

Okay, now we have Wazuh set up and we can already see a whole lot of really cool dashboards and some insights and telemetry that are coming from our agents, but let's do some demos. I want to show you some other really cool stuff, and I know here there's a little bit of a delineation on how and where you get security in your environment, right. Your workstations are usually Windows computers that our users use, and our servers are oftentimes Linux boxes that are running the services. We want security on both, but sometimes there's different things to solve for in different circumstances. So let's put together the scenario where our users might have installed or downloaded or done some stupid stuff on their workstation, and maybe they've introduced new vulnerabilities in the environment. Let me tell you, Wazuh can help track down all those different vulnerabilities across the different endpoints.

Now if we want some of that telemetry, I'm going to hop back over to our server, to the dashboard, right, in our server virtual machine, in a black terminal where we've been working here, and all the settings and configurations for Wazuh are inside of a static directory, and a lot of the text files, the things inside there, allow us to tweak and tune what Wazuh might do. Now those are inside of the /var/ossec directory. Now that is owned by root, by the way, because we set this all up as our superuser, so let me sudo bash to become the root user and we'll hop into that /var/ossec directory. Now take a look at all the stuff in here: we have some active-response folders that we'll dig into a
little bit, some of the frameworks, some of the rules that we could configure, and different modules that we might work with, but I want to show you the etc directory first. We're going to hop into all these others in just a little bit, but inside of the etc directory we have this one specific file called our ossec.conf file. Now, if I fire up that file, that ossec.conf is our configuration file for Wazuh. Now here on the server, in the dashboard, right, this is for the manager, but the exact same path location is how we could configure our agents on all the little client machines. Take a look at all the stuff you could do here: we can configure our alerts, we can choose our logging format, we can determine how it's all communicating here, how often, maybe some potential integrations like working with osquery or system inventory work. Here's what I want to show you, though: this is our vulnerability detector. Now right now it is not enabled; you can see in this XML structure here we can just toggle this to yes. I'll hit save, Ctrl+S on my keyboard, and if you wanted to look down below, hey, maybe you can take a look at where you're seeing all these other potential vulnerabilities for what versions you're supporting. But let's get back to the terminal and remember systemctl restart for those changes to take effect for our wazuh-manager. I'll hit enter on that, looking good; let's make sure that is running A-okay with the status. Yep, no issues, active and running, and let's see it in action. Now maybe this is a little bit of a poor man's trick here, but I am going to go ahead and force the restart, 'cause we saw in the configuration file it would run on the start for every agent that we want. So let me go ahead and systemctl restart wazuh-agent over on our Linux box. Over in our Windows world let's do the very same, and now on Windows I'm going to do something crazy and just install a boatload of software. Say I'm a silly user, I know this sounds kind of wild, but let me go ahead and install
literally everything from Ninite. How long will it take to click on every single checkbox on ninite.com? All right, firing it up, let's go ahead and install everything here. It's going, oh my goodness, look at my desktop, it's just getting flooded with new programs. Okay, it's still installing a whole lot of stuff, uh, and there's still more to download and install, but I think I've got the point across. You know what, if we go take a look back at our dashboard, back in Wazuh, taking a look at our agent, let's dig into our Windows 11 machine, and obviously we've added kind of more to the attack surface, right, we've installed a whole lot of applications and programs that we totally don't need; in fact, maybe some of them have different vulnerabilities. And let's see, can Wazuh track that down? Yeah, okay, say we've got, I don't know, 22 different critical vulnerabilities, almost 300 high vulnerabilities, and maybe some of that software that we installed we totally didn't need, and maybe that'll just have even more problems. We can of course click into the Events tab here and maybe get that big long listing of all of these different CVEs, different vulnerabilities that we could click into, maybe learn a little bit more about, and it might even tell us, hey, what has been fixed or what has been solved from patching that we've done, from an update like a system upgrade. That's so sweet. And actually, if we go back to our Security Events tab, you can actually dig into everything that's kind of been happening here, and even a whole lot of the installation process from all those things that we just grabbed off of Ninite: you can see Windows Installer, hey, started up something new, we installed Evernote, yep, installed Zoom, ooh, and do you see these, uh, these new Windows services created? Like, yeah, sure, we've installed this new application and the program, but these are tagged with some of the specific MITRE ATT&CK framework techniques or the sub-techniques, everything that we could drill down into. Say we're learning about four different
threat actors, or hackers, or adversaries, and what they do to hack into computers. Oh, take a look, they showcase everything from the MITRE ATT&CK framework, and you can actually dig into maybe different things for different techniques, software, the tactics, techniques and procedures here, and there's so much of the MITRE ATT&CK framework that you could just explore. But the best part is these are all tied into specific events, like we could go drill down into this and see, hey, what activity maps to what technique. This could be super duper helpful for threat hunting or detection engineering or anything that you might be doing on the security operations center, like, watch floor.

And with that, one thing that we could do, 'cause I know a lot of folks, especially in comments on past videos, will say, look, it's cool, yeah, we see some security tooling in the Windows realm, but what about Linux? I'd love to see some of these defensive capabilities in the Linux and server world. So Wazuh can do that. One of the best things about Wazuh is that it's open source and cross-platform and still runs on Linux, so let me show you something else, right. What if I were on my Ubuntu Linux machine, right, we have our Wazuh agent running, but what if I actually wanted to test some of those MITRE ATT&CK framework, like all those techniques that we were just digging into? Now I've shown you before we could actually use something like Atomic Red Team to be able to see what visibility do we have, what is it going to actually catch in our SIEM solution, in our XDR solution. In the past we've done that on Windows, but it will just as easily work on Linux. You can run these tests with an execution framework like Invoke-Atomic, and that is going to fire stuff up with PowerShell, but we can just simply run PowerShell Core on Linux. Let me keep this super easy: let me just sudo snap install powershell, and that will probably need --classic, that's fine by me. Now we've got PowerShell installed, I can fire it up with pwsh. Inside of PowerShell now I
can just simply go ahead and install some of the Invoke-Atomic stuff if we wanted to. Here's their wiki telling you how you can install and invoke Atomic Red Team. Let me scroll down to grab the execution framework and the whole atomics folder. I'll pull this back in PowerShell, we'll just slap it in, okay, installation of Invoke-AtomicRedTeam is complete, and now we can use the Invoke-AtomicTest function. Let's try it out, and this should be really cool too, because obviously all of this is going to get funneled right back into Wazuh. We can supply any atomic technique we might like, and remember all those tests are based off of the MITRE ATT&CK framework, and we could dig into whatever we wanted to here. Like, what if I search for something to look for passwords, how about that? Over on Linux that is usually in like /etc/shadow and /etc/passwd. Let's see here, here's a technique that it might pull down; we could actually dig into this if we wanted to: adversaries may dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. That technique is T1003.008. Okay, can the Atomic Red Team test fire that up? Let's see it. Yeah, it did it, okay, it's going, look at all that, I was hacking myself: we were able to read and access /etc/shadow, hey, pull down maybe the specific hash for our user, and then we could pull from /etc/passwd, do that all locally, and all of that data, all of the events, all the artifacts, everything here should be reflected back in Wazuh. And let's try some other tests. Uh, let's fire up, I don't know, we can tab-complete here, see anything that might work for Linux. We just ran, uh, 008; we could fire it up again, uh, and we could try to run, I don't know, 7. Is that going to work for Linux? Oh yeah, okay, it's going to try with mimipenguin, something like mimikatz to try to steal passwords but running on Linux. Looks like there were a whole lot of issues with that one; that didn't seem to fire, but I'm curious, will it see the attempt within Wazuh? We could try some of
the others, like 6, uh, okay, doesn't have something for Linux; could try 5, also not applicable on Linux. But let's go check Wazuh. Back over here on the server dashboard, let's go to our agents, let's take a look at Linux, and oh, okay, the MITRE ATT&CK section has a whole lot of new numbers here. Let's go see in the security event section, a lot of events, let's dig into it. Oh yeah, command not allowed, okay, looks like there were some errors when it was trying to run mimipenguin, right, didn't have that, uh, set up and installed here, but it was seemingly getting in and out of the root user, probably 'cause there were Ouya credentials when it was trying to pull /etc/shadow. Oh, that's so cool.

Now we've looked at vulnerabilities, we've looked at tradecraft, we've even kind of looked at some of the regulations and compliance that you could dig into, but I know folks are going to ask, what about malware? What can Wazuh do to help protect from malware? Now this is one of like the craziest, coolest parts, because again it's not just the SIEM, security information and event management platform, it's also that XDR, where it can respond to malicious activity. If you do dig into some of the documentation, like I showcased earlier, like look, these are all the different ways you can spin this thing up: even an OVA file that's already preconfigured, or Amazon Machine Images, Docker, Kubernetes, all that great stuff. Take a look at some more of the user manual, though, because it tells you a little bit of all the different components of the server and the agent, but the Capabilities is where it gets into even more crazy stuff it can do, like file integrity monitoring, seeing, hey, are there any changes made on the file system or even like the Windows registry, or some of this gets into like malware detection: you can hook it up with VirusTotal or YARA, Windows Defender log collection, and active response, being able to do something after a rule is fired or an event is captured. They dig into all these in the Capabilities section,
but the proof-of-concept guide has a really, really cool structure, and how you could actually build a lot of this out and test different things, like blocking a known actor, like literally setting a firewall rule to deny all RDP or SSH requests, detecting brute-force attacks, monitoring AWS infrastructure, network IDS, even SQL injection. But let's learn how we can literally detect and remove malware using the VirusTotal integration. I really want to know your thoughts on this, 'cause I tend to think like, oh, is that an AV, like are you getting sort of an antivirus in the mix alongside all these other bells and whistles? And when you hook it to VirusTotal it's not just one antivirus, it's like it's all of them. Look at this: we can use the file integrity monitoring module, which will literally be like scanning and looking at file changes inside of a directory, with a VirusTotal API key, and we can configure anything that we might like. The way we set up file integrity monitoring, though, is again in that configuration file, but over on our agent, and again we'll look at this on Linux, because I know a lot of folks were looking at, hey, what about that Linux malware, Linux defense, but remember this works just as well on Windows. So let's get back to our Linux Ubuntu host where we were running our atomic test just a moment ago inside of PowerShell, though let me get back into bash, and let's move into that /var/ossec directory. Remember, inside of the etc component is where we have our ossec.conf file, and here we are, back in the default configuration file. Now you can actually modify this, like, not just on the agent itself but through the server dashboard; you can modify the server's configuration all within the web UI alongside all of the other different agents. You don't need to SSH into them or try to control each and every one. But if we keep scrolling down, just like we did earlier for some of the integrations and we were working with the vulnerabilities here, this is the file integrity monitoring section. It's
all under this syscheck. Now it's not disabled, so we can play with it, and these are directories that it is always going to be looking for different changes in, and we can go ahead and configure one. Let's go ahead and say, like, one that we can scan in real time: we'll set that attribute to yes, and let's actually look inside of our user's Downloads directory, how about that. We'll close that out with </directories>. Let me make sure to save this file, and if we hop back to the documentation, now they do some interesting stuff, because they install some utilities like jq, something to actually handle JSON, or that JavaScript Object Notation, and they create a whole new bash script, something that will remove a threat running on the endpoint. Like, ooh, okay, we get the current directory, we check out our present working directory, we read in some of the input JSON, and then we start to interact with the API for VirusTotal. All we do is, we, hey, actually remove the file if we know that it gets a bad response or VirusTotal tells us it's malicious, and then we can set that as executable and restart the agent so that those changes are set. Let's grab jq, that utility; let's copy and paste in the sudo apt install for jq, and let's grab the script that they use to respond and remove a threat. Let's go ahead and copy this. jq is done installing, so let's go ahead and put that in the /var/ossec/active-response/bin directory. Now if you take a look, this has all of the functionality that Wazuh already gives us for, hey, doing something after an event has occurred: you can deny something at the firewall, you can remove a user, you can restart Wazuh, you can do all this cool stuff, and it's totally custom; you can make and add to these with whatever you want. So let's open up our remove-threat, let's go ahead and paste all this code in; now that should be able to remove malware as we find it thanks to VirusTotal. Next we just need to hook up the integration, but first we do need to remember to change the permissions. We'll
make that executable for our user and own it with the wazuh group, paste those in, and finally let's remember to restart our wazuh-agent. Looking good. Now we have to go back and configure the Wazuh server, because bear in mind Wazuh isn't going to do a whole lot of this proactive effort, like taking action on a malicious sample that it found, without you giving it that permission. Like, if you actually wanted to check out some of the settings here, you could go dig into the modules, see what else it can do, but we need to give it permission. This is a cool dashboard, by the way; you can see all the other things you could toggle on or play with for auditing and policy, the threat detection response, all the regulatory compliance work, but let's make sure VirusTotal is on and good for us here. And now that we've given it permission, let's get back to the documentation and see, okay, we're going to end up adding some local rules. These will end up changing the alerts capability to see new changes; they're using the /root directory as an example, but let's see if we could actually toggle it to do something in our user's Downloads. In our server terminal, remember that black background, let's move into the rules directory inside of the etc folder here, and let's modify those local_rules.xml. Looks like we'll just add a new group underneath this example here; we could paste in, hey, rules for our Linux system under the syscheck here that we were using for our file integrity monitoring. Let's check out modified files in that home user Downloads directory; we'll copy and paste that so that is where we are tracking for these rules. Save that file, and now let's tweak our own Wazuh server configuration file and actually enter our own VirusTotal API key. So let's grab this syntax, hop out of the rules directory, modify our ossec.
conf file, and this can go way down at the bottom, honestly. We'll go ahead and paste this in. Note the rule IDs here are likely set for when we get a trigger for the file integrity monitoring; in fact, we can actually see that. You know what, let me, uh, before we play with our VirusTotal API key, let me bring us back into the Wazuh dashboard and let's go take a look, let's go see if our Linux agent here, remember, that's Linux, that's the one that we just configured for the file integrity monitoring section, let's go see. The thing is, we just don't have any files in our Downloads folder, so let's get back into our Linux agent here and let me create a new tab. Say that I'm back as my user and, oh, I don't know, I went into my Downloads directory; what if I just added a hello into anything.txt that I, I don't know, potentially downloaded? Or I can fire up Firefox and just genuinely download something. Let's go ahead and refresh the page on our Wazuh server and let's see, does it see that anything.txt? Oh, I think it does: files added, you can see it right there. Let's dig into the Events section. Look at that, it added my stupid anything.txt file, "is added to the system" from the user user. Just a simple hello is only six bytes here, but now we're getting the hash for it, we could check out the integrity of that file, and we could monitor for, oh, maybe that's being modified or deleted. Let's echo "Please Subscribe" into our anything.
txt, right, and then maybe we could go ahead and remove it, how about that; now it's just not there anymore. Let's refresh Wazuh, see if it tracks it down. Yeah, look at that, in the Events section you can see it has been modified and then deleted. Okay, so we have the proof of concept for file integrity monitoring, but let's finish up our VirusTotal integration so we could actually have it remove malware. Let me jump over to VirusTotal and I'll grab my API key. Here we can see it; let's go ahead and copy that API key, jump back to our server configuration, and we'll go ahead and replace the VirusTotal API key with what it should be. So I'll go ahead and paste that here; fingers crossed I remember to redact and obscure that, but you can use the free API if you want. Honestly, the free API rate-limits requests to about four per minute; if you have a premium VirusTotal API key, uh, you are able to do a little bit more. Now we need to make sure that our server is configured, in the configuration file, to actually trigger that remove-threat script that we staged on the agent. That way we say, look, okay, we're going to put together this potential command that can be run, our remove-threat.sh, and stage some of the active response capability to just fire it up. Let's copy this, let's paste that at the very bottom of our ossec.conf file, and we also have the local rules that presumably will, hey, notify and sort of toggle okay whether or not we successfully removed the threat or not. Let's grab those; remember, those should be in our local_rules.
xml file, so let's go ahead and paste in that to create a new group here for our VirusTotal functionality. We'll save this, and I think all we have left to do is restart our server. Let's get back to the command line and let's do a systemctl restart of our wazuh-manager, and now back on our Ubuntu client, like a regular agent running here, uh, the Downloads folder is currently empty, but let's go, I don't know, bop around like a regular user. Say I were browsing the old internet, I don't know, I got some Discord token stealer running, maybe some, uh, remote access Trojan, could be anything here. Let's do a super simple example that will obviously blow up VirusTotal: the EICAR file, the malware test and sample file. Super simple example, but if we wanted to, if you still didn't believe me after this, look, uh, we could go ahead and get some real malware running. But let me go ahead and download the eicar.com file. It has been, uh, successfully downloaded; let me try to open up, oh, you see in the Downloads, it was there for half a second and then deleted. Did Wazuh do what it should have here? You know what, let me put these side by side and let's see how fast we can see it go ahead and clean up with the active response in action. Let me click the EICAR download again; here it is, and I don't know how long it's going to last. Oh, that's so cool. Let's hop back to the server and let's see those logs. Let me, uh, refresh on our file integrity monitoring page here for the agent; here are the events getting started, let's load it up here, and there it is, hey, uh, it's already being downloaded; you can see even the .part files there, and they all get deleted. What do our, uh, security events tell us here? Linux agent, let's go to that pane. Look at that: active response, remove threat, removed the threat located at our Downloads eicar.com file. Let's get some real malware in there now. Oh, you know what, here is maybe a fun example: we're hosting this, uh, little Capture the Flag competition that has a good bundle of malware accessible for us. We could grab one of the, uh,
remote access Trojans here I think we genuinely have a rat accessible let's see if I can download that it is szip as the archive so let's see I'll go Ahad and extract that into the current directory oh it removed it like like that I tried to download it multiple times now it was it keeps deleting it it's not even extracted virus total must already be tracking that I mean the password is infected right it's pretty clearly malware how about uh this batch script one let me look back at my uh virus total integration it is obviously going to be seeing Oh there's the slight uptick yep we're starting to use the API hey now bear in mind I just showcase this example on l because I know there were a whole lot of asks oh what about defense on Linux and this is one way you can do it but this works just as well on Windows like you could fire this up with the same exact virus total integration and anything that whatever antivirus might scan look now you've got it covered from a seam perspective an xdr perspective an antivirus perspective this is just too cool and there's so much more that you can do like we have just scratched the surface and honestly I'm really looking forward to I want to do a whole lot more videos with wza to Showcase all the things we could cook up cuz think about look we've covered regulations compliance we've talked about different vulnerabilities we've talked about our whole security configuration we've talked about identifying different trade craft like living off the land techniques miter attack framework and how hackers hack and malware and we can do so much more like block hosts the firewall we could actually hook up some slack Integrations or email notifications whenever something's going off but look the best part about wza is that it is open Source you can find all of the stuff on GitHub and tons of contributors putting in great work whether it's creating new Integrations or making new active response capabilities or playing with some of those oh 
file Integrity monitoring capabilities you can just crack it open like digging into the code here seeing how the whole framework thing comes together oh and by the way like literally everything that we've been doing all the stuff that we've got a chance to play with inside of the dashboard is also accessible through the API it's just running on the server port 55,000 and like seriously if you wanted to go into the tools section here API console you could literally just do all of this through code in API if you wanted to hey maybe that was a long video I don't know look wza is just blowing my mind I'm sorry I think it is crazy cool all the different things you can do with it file Integrity monitoring that active response diing a Mau with Yara and virus total and all the stuff like it genuinely makes for a seam and an R solution that is great open source and free if you want to make your life a little bit easier yes wza does offer some software as a service capability where like they'll do it all for you but if you want that control and you want to build it all you can and we just did so hey seriously I hope you go play with it I hope you kick the tires I think it's awesome all the things you could build out I think in the future we can put together some cool videos where I don't know we're looking at the latest new Mau samples or different thread actors and what they do in their ttps with the miter attack framework and then kind of I don't know building our defenses with file Integrity monitoring and active response and all the other cool stuff that wza can do completely for free all open source accessible and ready for you to play with right now I hope you go take a look seriously Link in the video description if you would like to play with wza and all the stuff that we got to experiment with in this video huge thanks wza did sponsor this video and I'm just grateful for their support but seriously I think it is such a cool thing to play and learn all the cyber 
security stuff with thanks so much for watching thanks so much for bearing with me I hope you learned something I hope you had some fun I hope I don't know you just it opened your eyes to what you can do for free with open source tooling to bring more cyber security defense and help protect your environments wza can be a part of that thanks so much for watching see you in the next video
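The active-response handler that the video stages on the agent, written out here in Python as an added example (this is not the video's remove-threat.sh and not Wazuh's own code). It assumes the Wazuh 4.x active-response protocol (wazuh-execd writes one JSON alert line to the script's stdin, the script answers with a check_keys line on stdout, execd replies continue or abort), the default /var/ossec install prefix, that the FIM rules watch /home/user/Downloads as in the video, and that the custom local rules match the strings "Successfully removed threat" and "Error removing threat" in active-responses.log. The directory allow-list is a safeguard added in this example, not something the video configures: without it, any alert that reaches the script, forged or mis-decoded, becomes "rm -f <any path>" running as root.

```python
#!/usr/bin/env python3
"""Added example, not the video's script nor Wazuh's own: a Python
"remove-threat" active-response handler for the VirusTotal alert flow.

Assumed Wazuh 4.x active-response protocol:
  1. wazuh-execd writes one JSON line to stdin ("command": "add", with
     the triggering alert under parameters.alert).
  2. The script writes a "check_keys" JSON line to stdout.
  3. execd answers with "continue" or "abort".
  4. The script acts and appends a line to logs/active-responses.log,
     which the custom local rules match on.
"""
import datetime
import json
import os
import sys
from typing import Callable, Optional

# Assumption: default Wazuh install prefix on the agent.
OSSEC_DIR = "/var/ossec"
LOG_FILE = os.path.join(OSSEC_DIR, "logs", "active-responses.log")

# Safeguard added in this example: only delete inside the directory the FIM
# rules watch (the video uses /home/user/Downloads). A forged alert must not
# be able to point this script at /etc/passwd or the agent's own files.
ALLOWED_ROOT = os.path.realpath("/home/user/Downloads")

# Assumed match strings for the custom local rules (success / failure).
MSG_OK = "Successfully removed threat"
MSG_ERR = "Error removing threat"


def file_from_alert(msg: dict) -> Optional[str]:
    """Path VirusTotal flagged, as carried in the alert execd passes in."""
    try:
        return msg["parameters"]["alert"]["data"]["virustotal"]["source"]["file"]
    except (KeyError, TypeError):
        return None


def is_under_allowed_root(path: str) -> bool:
    """True only if the resolved path is inside ALLOWED_ROOT ('..' and symlinks resolved)."""
    real = os.path.realpath(path)
    return os.path.commonpath([real, ALLOWED_ROOT]) == ALLOWED_ROOT


def check_keys_message() -> str:
    """Handshake message the script must send back to execd before acting."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "remove-threat", "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": []},
    })


def remove_threat(alert_line: str,
                  read_line: Callable[[], str],
                  write_line: Callable[[str], None],
                  remove: Callable[[str], None] = os.remove,
                  log: Callable[[str], None] = lambda s: None) -> str:
    """Run the protocol for one alert. Returns 'ignored', 'aborted',
    'refused', 'removed' or 'error' so the outcome is testable off-disk."""
    msg = json.loads(alert_line)
    if msg.get("command") != "add":
        return "ignored"  # timeout_allowed is "no", so only "add" arrives

    path = file_from_alert(msg)
    if not path:
        log(f"{alert_line.strip()} {MSG_ERR}")
        return "error"

    write_line(check_keys_message())
    reply = json.loads(read_line())
    if reply.get("command") != "continue":
        log(f"{alert_line.strip()} Remove threat active response aborted")
        return "aborted"

    if not is_under_allowed_root(path):
        log(f"{alert_line.strip()} {MSG_ERR}")
        return "refused"

    try:
        remove(path)
    except OSError:
        log(f"{alert_line.strip()} {MSG_ERR}")
        return "error"
    log(f"{alert_line.strip()} {MSG_OK}")
    return "removed"


def append_log(text: str) -> None:
    """Log line shape used by Wazuh's stock scripts: '<date> <script>: <text>'."""
    stamp = datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    with open(LOG_FILE, "a") as fh:
        fh.write(f"{stamp} {sys.argv[0]}: {text}\n")


def main() -> int:
    def write_line(s: str) -> None:
        sys.stdout.write(s + "\n")
        sys.stdout.flush()
    remove_threat(sys.stdin.readline(), sys.stdin.readline, write_line, log=append_log)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it the way the video uses remove-threat.sh, drop it in /var/ossec/active-response/bin/ on the agent, make it executable and owned by the wazuh group as the video does for the shell version, and name it in the `<executable>` element of the `<command>` block the video pastes into ossec.conf. Because the outcome strings are what the local rules match on, keep MSG_OK and MSG_ERR in sync with whatever `<match>` you put in local_rules.xml.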
Info
Channel: John Hammond
Views: 541,291
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers
Id: i68atPbB8uQ
Length: 39min 46sec (2386 seconds)
Published: Tue Oct 31 2023