Detecting Malware via HTTPS Analysis

 Here is a copy of my talk: Detecting Malware via HTTPS Analysis and ja4db-search.

Building Containment Fields: How to Secure Containers

Links for my AtlSecCon talk: 

• My slides
• Docker: https://www.docker.com/
• Container Escape CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=container+escape
• CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker
• Docker Bench Security https://github.com/docker/docker-bench-security

Detecting Command and Control frameworks via Sysmon and Windows Event Logging

My talk: https://github.com/eric-conrad/c2-talk/ 

• Team Cymru - S2 Threat Research Team: Top C2 Frameworks
• My previous C2 detection talk: Leave Only Footprints: When Prevention Fails
• EVTX files from Leave Only Footprints: When Prevention Fails
• Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Impacket: https://github.com/fortra/impacket
• wmiexec,py: https://github.com/fortra/impacket/blob/master/examples/wmiexec.py
• Imphash: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing

Introducing DeepBlueCLI v3

 Here are my slides from my SANS Webcast Introducing DeepBlueCLI v3.

DeepBlueCLI is available here.

Leave Only Footprints: When Prevention Fails

Here are links and EVTX files from my SANS Blue Team Summit keynote Leave Only Footprints: When Prevention Fails.

• Here are my slides
• Here are the EVTX files
• Sysmon
• The Rise of C2 Frameworks
• Most Popular C2 Frameworks – May 2023
• Busting the Ghost in the Logs - Randy Pargman & Jean-Francois Maes
• Tracking Malware with Import Hashing
• Impacket
• Hydra
• Metasploit
• Sliver 
• Enabling logging of failed logons on Windows

Here are a few Powershell commands to parse the logs (also check out DeepBlueCLI):

• Any command referencing ADMIN$:
• Get-WinEvent @{Path="metasploit-sysmon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl
• Any command referencing both cmd.exe and wmiprvse.exe:
• Get-WinEvent @{Path="metasploit-sysmon.evtx";id=1} | Where {$_.Message -like "*cmd.exe*" –and $_.Message -like "*wmiprvse*"} | fl
• Create Remote Thread (Hashdump and process migration): 
• Get-WinEvent @{Path="metasploit-sysmon.evtx";id=8} | fl

Blind Data Exfiltration Using DNS and Burp Collaborator

Here's a  copy of my slides  for my SANS webcast Blind Data Exfiltration Using DNS and Burp Collaborator:

Blind Data Exfiltration Using DNS and Burp Collaborator

Here are the links:

• Link to the webcast (this will link to the webcast archive afterward)
• DNS-Exfiltrate Github site
• DNS Query Length... Because Size Does Matter

Information Security for the Long Haul: Building a Career That Lasts

 

Here's a list of links from my AtlSecCon 2022 talk Information Security for the Long Haul: Building a Career That Lasts. 

• Link to my talk
• Cliff Stoll makes Klein Bottles
• Cliff Stoll on Numberphile
• Stuck by Amy Reardon 
• $300 in Google Compute Credits
• Free Google Compute Training
• Free AWS Training
• Free Azure Training
• East Coast Infosec Podcast We All Have Our Masters Degree!" with Eric Conrad
• Toastmasters
• Sears-Halifax Toastmasters Club
• Schooner Toastmasters Halifax
• Creatively Speaking Toastmasters Halifax