Thursday, December 13, 2018

Monday, April 23, 2018

SANS Blue Team Summit

Here is a copy of my SANS Blue Team Summit talk: Threat Hunting via Windows Event Logs

Tuesday, April 03, 2018

Friday, September 22, 2017

DerbyCon 7: DeepBlueCLIv2 Talk and links

Here's a link to my DerbyCon 7 talk: Introducing DeepBlueCLI v2, Now Available in PowerShell and Python

Last year's talk:


  1. Deconstructing Petya: how it spreads and how to fight back
  2. Mandiant M-Trends 2015
  3. Command Line Kung Fu Episode #31: Remote Command Execution

Sunday, April 16, 2017

ShadowBrokers PCAPs, etc.

I spent some time enjoying Easter Sunday by analyzing the ShadowBrokers EternalBlue attacks against a Windows 7 system. It is a service-side attack against TCP port 445. On Monday I analyzed EternalRomance and DoublePulsar.

I will update this post as I test other exploits and victim operating systems.

EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.

I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.

PCAPs are here:

  • eternalromance-success-2008r2.pcap (new)
  • eternalromance-doublepulsar-meterpreter.pcap (new)
  • eternalblue-success-unpatched-win7.pcap
  • eternalblue-failed-patched-win7.pcap
  • doublepulsar-backdoor-connect-win7.pcap

VirusTotal PCAP analysis (includes both Snort and Suricata alerts):

I confirmed that MS17-010 mitigates this attack. Patch now!

Default Windows event logging shows nothing. Neither EMET nor AppLocker stopped EternalBlue.

Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):
  • EternalBlue: smb.mid == 65
  • DoublePulsar: smb.mid == 81
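The two filters above are Wireshark display filters, so they can also be applied from the command line with tshark to sweep a whole directory of captures. The script below is an added example (not part of the original post) that runs both filters over every PCAP in a directory and counts the matching frames; it assumes tshark.exe is on PATH and that the PCAPs (the file names listed above) sit in the current directory. The filters are the unconfirmed ones from the post, so a hit is something to look at, not a verdict.

```powershell
# Added example, not from the original post: apply the post's two candidate display
# filters to every PCAP in a directory with tshark and count the matching frames.
# Assumes tshark.exe (Wireshark) is on PATH. The filters are the post's unconfirmed
# ones; the post warns they may produce false positives.
param([string]$Directory = '.')

$Filters = [ordered]@{
    'EternalBlue'  = 'smb.mid == 65'
    'DoublePulsar' = 'smb.mid == 81'
}

function Test-PcapForFilter {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DisplayFilter
    )
    # -Y applies a display filter; -T fields prints one tab-separated line per matching frame
    $lines = & tshark -r $Path -Y $DisplayFilter -T fields `
        -e frame.number -e ip.src -e ip.dst -e smb.cmd 2>$null
    # Drop empty output so a capture with no matches reports 0, not 1
    $hits = @($lines | Where-Object { $_ -and $_.Trim() })
    $first = $null
    if ($hits.Count -gt 0) { $first = $hits[0] }
    [pscustomobject]@{
        Pcap    = Split-Path -Leaf $Path
        Filter  = $DisplayFilter
        Matches = $hits.Count
        First   = $first
    }
}

$results = foreach ($pcap in Get-ChildItem -Path $Directory -Filter '*.pcap') {
    foreach ($label in $Filters.Keys) {
        Test-PcapForFilter -Path $pcap.FullName -DisplayFilter $Filters[$label] |
            Add-Member -NotePropertyName Label -NotePropertyValue $label -PassThru
    }
}
$results | Format-Table Pcap, Label, Matches, First -AutoSize
```

Run it from the directory holding the PCAPs (or pass -Directory). Comparing the counts for the failed-patched capture against the successful ones is a quick way to see whether a filter fires only on compromise or on any SMB negotiation.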
I disabled SMB1 on Windows 7, which stopped EternalBlue with default settings. I need to test more since EternalBlue can allegedly use SMB2. EternalRomance appears to be SMB1-only.

SMB1 is awful, and should be disabled regardless (be sure to test).
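Since disabling SMB1 is the mitigation the post lands on (and Windows 7 has no SmbShare cmdlets), here is an added example, not code from the original post, that reports whether SMB1 is enabled on the local host and, with -Disable, turns it off. On Windows 8 / Server 2012 and later it uses Get-/Set-SmbServerConfiguration; on Windows 7 / Server 2008 R2 it uses the LanmanServer\Parameters\SMB1 registry value for the server side and the mrxsmb10 driver for the client side, both as documented in Microsoft KB2696547. It assumes an elevated prompt, and the Windows 7 changes need a reboot.

```powershell
# Added example, not from the original post: show SMB1 state and optionally disable it.
# Windows 8 / Server 2012+: SmbShare module. Windows 7 / Server 2008 R2: registry value
# and driver per Microsoft KB2696547. Run elevated; reboot Windows 7 afterwards.
param([switch]$Disable)

$ServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # No SMB1 value at all means the default, which is enabled
        $value = (Get-ItemProperty -Path $ServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $server = ($null -eq $value) -or ($value -ne 0)
    }
    # Client side: the SMB1 redirector driver; Win32_SystemDriver works back to Windows 7
    $driver = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $client = ($null -ne $driver) -and ($driver.StartMode -ne 'Disabled')
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ServerSmb1Enabled = $server
        ClientSmb1Enabled = $client
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        New-ItemProperty -Path $ServerParams -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
    }
    # Client side per KB2696547: remove mrxsmb10 from the workstation service's
    # dependencies, then stop the driver from starting at boot
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Write-Host 'Before:'; Get-Smb1State
if ($Disable) {
    Disable-Smb1
    Write-Host 'After (reboot required on Windows 7 / 2008 R2):'; Get-Smb1State
}
```

Run it without -Disable first to inventory hosts; anything that still needs SMB1 (old NAS devices, some printers, legacy scanners) will stop talking to a host once both sides are off, which is the "be sure to test" part.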

It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.

DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.

Monday, October 24, 2016

Quality not Quantity talk, commands, and links

Quality not Quantity: Continuous Monitoring's Deadliest Events


Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}

User creation events and users added to local and global security-enabled groups:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}

Full command line of all processes (requires
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}

Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}
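The five queries above each answer one question; for daily triage it helps to run them together over a time window and pull the fields that matter (service name and image path for 7045, the new account for 4720, the member and group for 4732/4728, the command line for 4688) out of the event XML rather than reading the message text. The script below is an added example, not from the talk, that does that. It assumes an elevated prompt (the Security log needs Administrator rights); logs that do not exist on the host (no AppLocker, no EMET) are simply skipped, and the field names are the EventData names Windows uses for those events.

```powershell
# Added example, not from the talk: one pass over the talk's event IDs for the last N hours,
# with the useful EventData fields pulled out of each event's XML. Run elevated. Logs that are
# absent on this host (AppLocker, EMET) produce no error, just no rows.
param([int]$Hours = 24, [int]$MaxPerQuery = 500)
$Since = (Get-Date).AddHours(-$Hours)

# The talk's queries, each limited to the window of interest
$Queries = @(
    @{ LogName = 'System';      ID = 7045, 7030;       StartTime = $Since }
    @{ LogName = 'Security';    ID = 4720, 4732, 4728; StartTime = $Since }
    @{ LogName = 'Security';    ID = 4688;             StartTime = $Since }
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; ID = 8003, 8004; StartTime = $Since }
    @{ LogName = 'Application'; ProviderName = 'EMET'; ID = 2; StartTime = $Since }
)

# EventData field names for the IDs where the XML carries the interesting detail
$Fields = @{
    7045 = 'ServiceName', 'ImagePath', 'StartType', 'AccountName'
    4720 = 'TargetUserName', 'SubjectUserName'
    4732 = 'MemberName', 'TargetUserName', 'SubjectUserName'   # TargetUserName is the group
    4728 = 'MemberName', 'TargetUserName', 'SubjectUserName'
    4688 = 'NewProcessName', 'CommandLine', 'SubjectUserName'
}

# Read named <Data Name="..."> elements from an event's XML rendering
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string[]]$Names)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d -is [System.Xml.XmlElement] -and $d.HasAttribute('Name')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
    }
    $out = [ordered]@{}
    foreach ($n in $Names) { $out[$n] = $data[$n] }
    $out
}

$Events = foreach ($q in $Queries) {
    # SilentlyContinue: a missing log or an empty window is a non-terminating error we can ignore
    Get-WinEvent -FilterHashtable $q -MaxEvents $MaxPerQuery -ErrorAction SilentlyContinue
}

$Events | Sort-Object TimeCreated | ForEach-Object {
    $row = [ordered]@{ Time = $_.TimeCreated; Log = $_.LogName; Id = $_.Id }
    if ($Fields.ContainsKey($_.Id)) {
        $f = Get-EventField -Event $_ -Names $Fields[$_.Id]
        foreach ($k in $f.Keys) { $row[$k] = $f[$k] }
    } else {
        # AppLocker and EMET events: the first line of the message says what was blocked
        $row['Message'] = ($_.Message -split "`n")[0]
    }
    [pscustomobject]$row
} | Format-List
```

Pipe the objects to Export-Csv instead of Format-List to keep a daily record; a 7045 whose ImagePath sits under a user profile or temp directory, or a 4688 CommandLine that does not match the NewProcessName, is the kind of row this view is meant to make obvious.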


  1. Mandiant M-Trends 2016
  2. Verizon DBIR
  3. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers
  4. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data
  5. The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions
  6. Patch-crazy Aust Govt fought off EVERY hacker since 2013
  7. CIS Critical Security Controls
  8. AppLocker
  9. AppLocker CSP
  10. Windows 10 Enterprise 90-day Trial
  11. Microsoft EMET
  12. Enable Windows command-line auditing
  13. Windows Commands Abused by Attackers