Here's a copy of my Atlantic Security Conference talk: Build it Once, Build it Right: Architecting for Detection

The Perimeter is Dead

Here's a copy of my SANS CDI Keynote The Perimeter is Dead.

Build it Once, Build it Right: Architecting for Detection

Here's a copy of my Tactical Detection & Data Analytics Summit & Training 2018 keynote: Build it Once, Build it Right

SANS Blue Team Summit

Here is a copy of my SANS Blue Team Summit talk Threat Hunting via Windows Event Logs

Threat Hunting via Windows Event Logs

Copy of my #SANS2018 keynote talk:

Threat Hunting via Windows Event Logs

DerbyCon 7: DeepBlueCLIv2 Talk and links

Here's a link to my DerbyCon 7 talk: Introducing DeepBlueCLI v2, Now Available in PowerShell and Python

Viedo of my talk (thank you: Adrian Crenshaw): http://www.irongeek.com/i.php?page=videos/derbycon7/t205-introducing-deepbluecli-v2-now-available-in-powershell-and-python-eric-conrad

DeepBlueCLI GitHub site: https://github.com/sans-blue-team/DeepBlueCLI

Last year's talk: http://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html



References:

1. Deconstructing Petya: how it spreads and how to fight back, https://nakedsecurity.sophos.com/2017/06/28/deconstructing-petya-how-it-spreads-and-how-to-fight-back/
2. Mandiant M-Trends 2015, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
3. Command Line Kung Fu Episode #31: Remote Command Execution, http://blog.commandlinekungfu.com/2009/05/episode-31-remote-command-execution.html
4. https://github.com/jaredhaight/PSAttack
5. https://github.com/darkoperator/Posh-VirusTotal
6. https://www.virustotal.com/en/documentation/public-api/
7. http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html
8. https://github.com/philhagen/sof-elk
9. https://nxlog.co/products/nxlog-enterprise-edition
10. https://github.com/williballenthin/python-evtx
11. https://github.com/libyal/libevtx

ShadowBrokers PCAPs, etc.

I spent some time enjoying Easter Sunday by analyzing the Shadowbrokers EternalBlue attacks vs. a Windows 7 system. It is a service-side attack vs. TCP port 445. On Monday I analyzed EternalRomance and DoublePulsar.

I will update this post as I test other exploits and victim operating systems.

EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.

I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.

PCAPs are here: https://cyber.gd/shadowbrokers

Includes:

• eternalromance-success-2008r2.pcap (new)
• eternalromance-doublepulsar-meterpreter.pcap (new)
• eternalblue-success-unpatched-win7.pcap
• eternalblue-failed-patched-win7.pcap
• doublepulsar-backdoor-connect-win7.pcap

VirusTotal PCAP analysis (Includes both Snort and Suricata alerts):

• EternalBlue successful compromise
• DoublePulsar backdoor

I confirmed that MS17-010 mitigates this attack. Patch now!

Default Windows event logging shows nothing. Neither EMET nor Applocker stopped EternalBlue.

Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):

• EternalBlue: smb.mid == 65
• DoublePulsar: smb.mid == 81

I disabled SMB1 on Windows 7, which stopped EternalBlue with default settings. I need to test more since EternalBlue can allegedly use SMB2. EternalRomance appears to be SMB1-only.

SMB1 is awful, and should be disabled regardless (be sure to test).

It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.

DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.