Monday, October 24, 2016

Quality not Quantity talk, commands, and links

Quality not Quantity: Continuous Monitoring's Deadliest Events

Commands:

Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}

User creation events and users added to local and global security-enabled group:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}

Full command line of all processes (requires https://support.microsoft.com/en-us/kb/3004375):
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}

Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}
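The five one-liners above each query a single log and each stops with an error when that log is absent (AppLocker and EMET are not installed everywhere) or when nothing matches ("No events were found that match the specified selection criteria"). The following function is an added example, not code from the talk or the original post: it runs the same five filters over a time window, tolerates missing logs and empty results with `-ErrorAction SilentlyContinue`, and pulls the named EventData fields (service image path, process command line, group member) out of the event XML so the output can be piped to `Export-Csv` for a baseline. It assumes an elevated PowerShell 3.0+ session and, for the 4688 command line, that command-line auditing (KB3004375) has been enabled; the function name, the category labels and the `-Hours` parameter are this example's own.

```powershell
# Added example (not part of the original post): collect the "deadliest events"
# from the talk for the last N hours in one pass. Assumes an elevated session;
# the CommandLine field of 4688 is only populated when KB3004375 auditing is on.
function Get-DeadliestEvents {
    param(
        [int]$Hours = 24   # look-back window; hypothetical parameter for this example
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Each entry mirrors one command from the talk, plus a StartTime bound.
    $queries = @(
        @{ Label = 'Service created / SCM error';    Filter = @{ LogName = 'System';   Id = 7045, 7030;       StartTime = $since } },
        @{ Label = 'User created / added to group';  Filter = @{ LogName = 'Security'; Id = 4720, 4732, 4728; StartTime = $since } },
        @{ Label = 'Process created (command line)'; Filter = @{ LogName = 'Security'; Id = 4688;             StartTime = $since } },
        @{ Label = 'AppLocker block / audit';        Filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $since } },
        @{ Label = 'EMET mitigation triggered';      Filter = @{ LogName = 'Application'; ProviderName = 'EMET'; Id = 2; StartTime = $since } }
    )

    foreach ($q in $queries) {
        # Get-WinEvent errors when the log does not exist or no event matches;
        # SilentlyContinue turns both cases into "zero results" instead of a stop.
        $events = Get-WinEvent -FilterHashtable $q.Filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Read the named EventData fields out of the XML so output is greppable.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }   # skip unnamed Data elements
            }

            # Field names differ per event ID; surface the ones an analyst wants first.
            $detail = switch ($e.Id) {
                7045                  { "$($data['ServiceName']) -> $($data['ImagePath'])" }
                4688                  { "$($data['NewProcessName']) $($data['CommandLine'])" }
                4720                  { "new user $($data['TargetUserName'])" }
                { $_ -in 4732, 4728 } { "$($data['MemberName']) added to $($data['TargetUserName'])" }
                default               { ($e.Message -split "`r?`n")[0] }   # first line of the message
            }

            [pscustomobject]@{
                Time     = $e.TimeCreated
                Category = $q.Label
                Id       = $e.Id
                Computer = $e.MachineName
                Detail   = $detail
            }
        }
    }
}

# Usage: last 48 hours, newest first. Replace Format-Table with
# Export-Csv to keep a baseline and diff against it on later runs.
Get-DeadliestEvents -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because 4688 fires for every process start, the volume is dominated by that category; the practical use is to export a known-good run and compare later runs against it, which is what turns these events into the low-count, high-value alerts the talk describes.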

References:

  1. Mandiant M-Trends 2016: https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
  2. Verizon DBIR: http://www.verizonenterprise.com/DBIR/2015/
  3. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers: https://www.youtube.com/watch?v=bDJb8WOJYdA
  4. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
  5. The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
  6. Patch-crazy Aust Govt fought off EVERY hacker since 2013: http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
  7. CIS Critical Security Controls: https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015
  8. AppLocker: https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx
  9. AppLocker CSP: https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx
  10. Windows 10 Enterprise 90-day Trial: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
  11. Microsoft EMET: https://support.microsoft.com/en-us/kb/2458544
  12. Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
  13. Windows Commands Abused by Attackers: http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html

Tuesday, August 09, 2016

Time is on your Side talk and links

Links from the talk:

Friday, April 01, 2016

Quality not Quantity talk, commands, and links

Friday, December 11, 2015

CISSP Study Guide 3E - Shipping Now

Just a note to say the CISSP Study Guide 3E is in stock and shipping from Amazon.

Electronic editions should be available in January. We are working on the 11th Hour CISSP Study Guide update now; chapters are due by April (but I hope to have it done before then).

Monday, November 23, 2015

CISSP Study Guide 3E is Complete

Lots of people have asked me for the release date of the CISSP Study Guide 3E. Amazon (now) lists December 29th, but it will be sooner.

I can confirm the book is done and is at the printers now. I ordered copies as a surprise Christmas gift for students of my MGT 414 class coming up at SANS CDI in 3 weeks, and Syngress has confirmed the books will ship by then.