I recently was talking to an organization about their security posture and mostly everything I recommended to them, they had already implemented and plus some. The audits I conducted for them seconded what they were saying. I must say, I was thoroughly impressed. There was, however, one gray area that
Year: 2017
Hidden Gems in McAfee ePO Audit Logs
There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is that it contains an audit log containing authentication information to include
Finding Reflective DLL Injections
DLL injections that originate from a malicious DLL written to a disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, are not as straightforward. Malware injected directly into a process using reflective DLL injection typically will not exist on disk. A co-worker of mine developed
Hunting Self-signed Certificates
Self-signed certificates could be indicative of malicious behavior on a system and being able to identify them is a key task in responding to an incident. Having self-signed certificates in an environment isn’t always a bad thing but not being able to identify them and their purpose is! Nonetheless, taking
Hashes of All Running Processes
A great starting point for anyone analyzing a system is the running processes. Taking the time to not only retrieve the command line execution of the process but also the parent process will enable you to find outliers. Taking it a step further, retrieving the hashes of the binary of
PowerShell Cheat Sheet
I recall when I started out in PowerShell coming from Python. Some aspects of the language I was able to pick up on rather quickly while other aspects took some take. I found myself writing down notes until I was able to remember them on my own. Reminiscing on that
Find Malicious Versions of CCleaner
In light of the recent discovery about the malicious versions of CCleaner and the millions affected, it felt like a great time to write some PowerShell scripts that enable a person to identify if the malicious versions of CCleaner are on a system and if so, provides a method to
Determining WinRM connections to a Machine
PSRemoting is an awesome feature in Microsoft Windows that serves as a ssh-like function. In Server 2012 and newer, it is enabled by default. You will, however, need to enable the feature on any client system you’d want to use it on. Some organizations feel having the service enabled throughout
Base64 with PowerShell
All too often I find myself on a Windows system and need to either encode or decode base64. Rather than using an online service, installing a program, or going to a *nix based system, I took to PowerShell. In PowerShell, we can use .NET to accomplish this. Encoding: $Text2Encode =
Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)
Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with a known good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well have no fear, Microsoft
Get Registry Hives and Keys Remotely
Talking with a buddy of mine, the conversation about retrieving Registry Hives and Keys remotely came up. He initially was looking for something he could use and eventually sided with an open-source program on the web. I, myself, tested said program as well and it for the most part did
Finding Passwords in Text Files with PowerShell
Using PowerShell, we can look in text files for strings that fit the criteria for passwords and return the potential password, file path, and line number. The criteria that is being search uses regex expressions and looks for at least four characters but no more than 15 with at least
Mass Import of McAfee Firewall Domains to block
As of late, I’ve been experimenting more and more with the McAfee HIPS Firewall with the McAfee ePO. So far, I think it is decent. It is at least stateful, so that’s a plus. The firewall has a feature to block domains and using the GUI, you can only add
Sinkhole Domains Using DNS with the help of PowerShell
Thanks to Jason Fossen, there was no need to create a PowerShell script to input domains to sink. He had already created one called Sinkhole-DNS.ps1 (located here). One of the options in the script is to read in a file with domains listed. I like to frequent www.malwaredomains.com for my