- It requires being thorough.
- It required documenting things.
- It requires conducting training and drills.
- It adds what can be viewed as additional effort/cost to the primary goals (sell widgets/services/time)
- It involves weird and wonderful ways of abusing functionality that is not always apparent or expected, thus to the typical consumers/user of a service, the idea that it might be abused actually seems very unlikely (to a criminal or security pro, the idea it will be abused seems far more likely based on threat intelligence etc.)
Do you have a VDI solution in use at your business? Be that something like CITRIX, VMware View or Remote Desktop Services (VDI mode or Server Based Computing SBC) mode?
Well let’s consider this with regard to cyber essentials.
In a recent update post:Read more “Virtual Desktop Infrastructure (VDI) & Cyber Essentials”
Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.ioRead more “Technology in the Wild”
Ok this is going to be really short post, but expect more later! Did you ever want to run CME but you were stuck on a Windows machine? Well don’t worry you can! How do we do this?
First we download CME
Extract the zip file
Make sure you have python3 installed!Read more “CrackMapExec (CME) on Windows”
Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?
I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:Read more “Ransomware + Mega = Mega Cyber Pain”
You never know what you will find when you go hunting! So here’s a quick tale of an explore I did using Advanced Hunting!
I went hunting here in Advanced Hunting:Read more “Threat hunting with some funny results!”
Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:Read more “Simulating Human Operated Discovery”
A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).
So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)Read more “Hunting for New Group Policies Where Scheduled Tasks are used”
A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)Read more “Malicious Scheduled Tasks”
If you are having fun today with Defender ASR deleting lnk files then you will see the MS Script has a v1.1 which looks to VSS to see if it can restore shortcuts from shadow copies, so whilst here I thought I’d note down a few different ways to list the Volume Shadow Copies.
You will need admin rights for these to work:Read more “Volume Shadow Copy”