Leadership

Why is security so hard?

  • It requires being thorough.
  • It required documenting things.
  • It requires conducting training and drills.
  • It adds what can be viewed as additional effort/cost to the primary goals (sell widgets/services/time)
  • It involves weird and wonderful ways of abusing functionality that is not always apparent or expected, thus to the typical consumers/user of a service, the idea that it might be abused actually seems very unlikely (to a criminal or security pro, the idea it will be abused seems far more likely based on threat intelligence etc.)
Read more “Why is security so hard?”
Leadership

Virtual Desktop Infrastructure (VDI) & Cyber Essentials

Do you have a VDI solution in use at your business? Be that something like CITRIX, VMware View or Remote Desktop Services (VDI mode or Server Based Computing SBC) mode?

Well let’s consider this with regard to cyber essentials.

In a recent update post:

The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today’s digital environment – Iasme

Read more “Virtual Desktop Infrastructure (VDI) & Cyber Essentials”
Leadership

Technology in the Wild

Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.io

Read more “Technology in the Wild”
Guides

Ransomware + Mega = Mega Cyber Pain

Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?

I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:

Read more “Ransomware + Mega = Mega Cyber Pain”
Uncategorized

Hunting for New Group Policies Where Scheduled Tasks are…

A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).

So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)

Read more “Hunting for New Group Policies Where Scheduled Tasks are used”
Uncategorized

Malicious Scheduled Tasks

A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.

So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:

“Show me all the command lines used in scheduled tasks on Windows with PowerShell”

So I knocked up this really simple proof of concept (there are other ways to write this obvs)

Read more “Malicious Scheduled Tasks”
Guides

Volume Shadow Copy

If you are having fun today with Defender ASR deleting lnk files then you will see the MS Script has a v1.1 which looks to VSS to see if it can restore shortcuts from shadow copies, so whilst here I thought I’d note down a few different ways to list the Volume Shadow Copies.

You will need admin rights for these to work:

Read more “Volume Shadow Copy”
Copyright (c) Xservus Limited