<p>Eric Conrad: Author, SANS Faculty Fellow, and CTO of Backshore Communications. Feed updated 2024-02-24.</p>
<h2>Introducing DeepBlueCLI v3</h2>
<p><i>Eric Conrad, 2023-06-29</i></p>
<p>Here are <a href="https://www.dropbox.com/s/z758sr9stqqkpyc/DeepBlueCLI-V3.pdf?dl=0">my slides</a> from my SANS Webcast Introducing DeepBlueCLI v3.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzE2P3YB6ppzmyL4wmYi4-vVnn5JnLQ4Zk2iRagmAKZWcCUlnOMa97DdFYtXs83iRt187dIpSiUK9uCYBoGwOJBCR3-INYLij8Y-i0ZwsGvWDv36tYgoD7Xkv-lgWKByJJ3OH2-F_LWQzhRwLqQigwzcDYitEBjgwbIz0jp_g_Yq_n-IupisDQtQ/s1117/Screen%20Shot%202023-06-29%20at%2012.24.13%20PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="639" data-original-width="1117" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzE2P3YB6ppzmyL4wmYi4-vVnn5JnLQ4Zk2iRagmAKZWcCUlnOMa97DdFYtXs83iRt187dIpSiUK9uCYBoGwOJBCR3-INYLij8Y-i0ZwsGvWDv36tYgoD7Xkv-lgWKByJJ3OH2-F_LWQzhRwLqQigwzcDYitEBjgwbIz0jp_g_Yq_n-IupisDQtQ/w532-h304/Screen%20Shot%202023-06-29%20at%2012.24.13%20PM.png" width="532" /></a></div><p>DeepBlueCLI <a href="https://github.com/sans-blue-team/DeepBlueCLI">is available here</a>.</p>
<h2>Leave Only Footprints: When Prevention Fails</h2>
<p><i>Eric Conrad, 2023-06-11</i></p>
<p>Here are links and EVTX files from my SANS Blue Team Summit keynote Leave Only Footprints: When Prevention Fails.</p><ul style="text-align: left;"><li>Here are <a href="https://www.dropbox.com/s/195q5mrcm0e9py0/Leave%20Only%20Footprints.pdf?dl=0">my 
slides</a></li><li>Here are the <a href="https://www.dropbox.com/s/m1qj0b66rb9jm3j/Leave%20Only%20Footprints.zip?dl=0">EVTX files</a></li><li><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon">Sysmon</a></li><li><a href="https://www.thec2matrix.com/matrix">The Rise of C2 Frameworks</a></li><li><a href="https://twitter.com/teamcymru_S2/status/1662103798050066432">Most Popular C2 Frameworks – May 2023</a></li><li><a href="https://www.youtube.com/watch?v=bTU5xTIXoI4">Busting the Ghost in the Logs</a> - Randy Pargman & Jean-Francois Maes</li><li><a href="https://www.mandiant.com/resources/blog/tracking-malware-import-hashing">Tracking Malware with Import Hashing</a></li><li><a href="https://github.com/fortra/impacket">Impacket</a></li><li><a href="https://github.com/vanhauser-thc/thc-hydra">Hydra</a></li><li><a href="https://www.metasploit.com/">Metasploit</a></li><li><a href="https://github.com/BishopFox/sliver">Sliver</a></li><li><a href="https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq">Enabling logging of failed logons on Windows</a></li></ul>
<div>Here are a few PowerShell commands to parse the logs (also check out <a href="https://github.com/sans-blue-team/DeepBlueCLI">DeepBlueCLI</a>). Each one hands <span style="font-family: courier;"><b>Get-WinEvent</b></span> a filter hashtable as its first positional argument (so <span style="font-family: courier;"><b>-FilterHashtable</b></span> can be omitted) naming the saved EVTX file and the Sysmon event ID, then narrows on the rendered message text:</div><div><ul><li>Any process creation (Sysmon event ID 1) referencing <span style="font-family: courier;"><b>ADMIN$</b></span>:<ul><li><span style="font-family: courier;"><b>Get-WinEvent @{Path="metasploit-sysmon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl</b></span></li></ul></li><li>Any process creation referencing both <span style="font-family: courier;"><b>cmd.exe</b></span> and <span style="font-family: courier;"><b>wmiprvse.exe</b></span>:<ul><li><span style="font-family: courier;"><b>Get-WinEvent @{Path="metasploit-sysmon.evtx";id=1} | Where {$_.Message -like "*cmd.exe*" -and $_.Message -like "*wmiprvse*"} | fl</b></span></li></ul></li><li>CreateRemoteThread (Sysmon event ID 8; hashdump and process migration):<ul><li><span style="font-family: courier;"><b>Get-WinEvent @{Path="metasploit-sysmon.evtx";id=8} | fl</b></span></li></ul></li></ul></div>
<h2>Blind Data Exfiltration Using DNS and Burp Collaborator</h2>
<p><i>Eric Conrad, 2023-01-12</i></p>
<p>Here's a copy of my slides for my SANS webcast Blind Data Exfiltration Using DNS and Burp Collaborator:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.dropbox.com/s/pmhwr5wyqakvm35/Blind%20Injection.pdf?dl=0" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="" data-original-height="1274" data-original-width="2314" height="276" src="https://blogger.googleusercontent.com/img/a/AVvXsEhcihyKUwTbOmW5QXrLnTXGv3Bbu2BAUl-ysAFTT4SgGIlMZgqUc1D1Xn0S8o3i4PIpqrZILqJqbFZ_O7cp0xf_KOABexjjKwsAjqPxp75-APhxbAUMOQfehD4f9BK_JU6VVs1bC4N0xEQTnEs39_eyw-ESCf5ATQXbOtlvVMvx1aX4YrMBqzE=w502-h276" width="502" /></a></div><p><a href="https://www.dropbox.com/s/pmhwr5wyqakvm35/Blind%20Injection.pdf?dl=0">Blind Data Exfiltration Using DNS and Burp Collaborator</a></p><p>Here are the links:</p><ul style="text-align: left;"><li><a href="https://www.sans.org/webcasts/blind-data-exfiltration-using-dns-burp-collaborator/">Link to the webcast</a> (this will link to the webcast archive afterward)</li><li><a href="https://github.com/sans-blue-team/DNS-Exfiltrate">DNS-Exfiltrate Github site</a></li><li><a href="https://isc.sans.edu/diary/DNS+Query+Length...+Because+Size+Does+Matter/22326">DNS Query Length... 
Because Size Does Matter</a></li></ul>
<h2>Information Security for the Long Haul: Building a Career That Lasts</h2>
<p><i>Eric Conrad, 2022-04-07</i></p>
<p>Here's a list of links from my <a href="https://atlseccon.com/">AtlSecCon</a> 2022 talk Information Security for the Long Haul: Building a Career That Lasts.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.dropbox.com/s/jfnp9tgb5ekt0b0/AtlSecCon%20-%20Eric%20Conrad.pdf?dl=0" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="1212" data-original-width="2134" height="228" src="https://blogger.googleusercontent.com/img/a/AVvXsEjV5YNichp7eed5Em2JJDng7q2dm8fA8cEBQgpljeWb7-Q4u0SpDGX5BLDcj3BsBjO79J7tN6dKZaNeJepABWdsZzDOxUaP5zQoWK0p7Wlcp83oSUK4rXmBp5Zjf-3qTgm6EkPR4kdgAULr76_iprfSs6P-8EbtNMBcHVWXsWvEcQxhBRK3FH0=w400-h228" width="400" /></a></div><ul style="text-align: left;"><li><a href="https://www.dropbox.com/s/jfnp9tgb5ekt0b0/AtlSecCon%20-%20Eric%20Conrad.pdf?dl=0">Link to my talk</a></li><li><a href="https://www.wired.com/story/meet-the-mad-scientist-who-wrote-the-book-on-how-to-hunt-hackers/">Cliff Stoll</a> makes <a href="https://www.kleinbottle.com/">Klein Bottles</a></li><li><a href="https://en.wikipedia.org/wiki/Clifford_Stoll">Cliff Stoll</a> on <a href="https://www.youtube.com/watch?v=-k3mVnRlQLU">Numberphile</a></li><li><a href="https://believermag.com/logger/stuck/">Stuck</a> by <a href="https://twitter.com/ReardonAmy">Amy Reardon</a></li><li>$300 in <a href="https://cloud.google.com/free">Google Compute Credits</a></li><li>Free <a href="https://cloud.google.com/training">Google Compute Training</a></li><li>Free <a href="https://aws.training">AWS 
Training</a></li><li>Free <a href="https://docs.microsoft.com/en-ca/learn/">Azure Training</a></li><li><a href="https://podcasts.apple.com/us/podcast/east-coast-infosec-podcast/id1511921343">East Coast Infosec Podcast</a>: <a href="https://podcasts.apple.com/us/podcast/we-all-have-our-masters-degree-with-eric-conrad/id1511921343?i=1000474800401">"We All Have Our Masters Degree!" with Eric Conrad</a></li><li><a href="https://www.toastmasters.org/">Toastmasters</a></li><li><a href="https://searshalifaxtoastmasters.com/">Sears-Halifax Toastmasters Club</a></li><li><a href="https://schoonertoastmasters.toastmastersclubs.org/">Schooner Toastmasters Halifax</a></li><li><a href="https://easy-speak.org/portal.php?c=5158">Creatively Speaking Toastmasters Halifax</a></li></ul>
<h2>Decrypt all the Things: How Encryption is Impacting Network-Based Security Controls</h2>
<p><i>Eric Conrad, 2020-08-19</i></p>
<p>Here's a copy of my SANS @Mic webcast slides: <a href="https://www.dropbox.com/s/0hvenyn2t6uubek/Decrypt%20All%20the%20Things.pdf?dl=0" target="_blank">Decrypt all the Things: How Encryption is Impacting Network-Based Security Controls</a></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi88sf4Mo1BcgeC0bJOLo_sXvql4aJn2TGCpm7uatpAFS-aD1uwuxqLhxWb_1bi-TfsstWQXcEGkLP5yvtvZa4e07LC9is7dyq_g8F4QP9jkrrIH5_IRNxkqF_C9UDsN0bHJAL8Fw/s1480/Screen+Shot+2020-08-19+at+2.43.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="837" data-original-width="1480" height="226" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi88sf4Mo1BcgeC0bJOLo_sXvql4aJn2TGCpm7uatpAFS-aD1uwuxqLhxWb_1bi-TfsstWQXcEGkLP5yvtvZa4e07LC9is7dyq_g8F4QP9jkrrIH5_IRNxkqF_C9UDsN0bHJAL8Fw/w400-h226/Screen+Shot+2020-08-19+at+2.43.42+PM.png" width="400" /></a></div>
<h2>Threat Hunting via DNS</h2>
<p><i>Eric Conrad, 2020-06-24</i></p>
<div>
Here is my <a href="http://sans.org/u/14Ra">SANS @Mic</a> talk <a href="https://www.dropbox.com/s/s0ay5srcdoyivrb/Threat%20Hunting%20via%20DNS%20Bsides%20Halifax.pdf?dl=0">Threat Hunting via DNS</a>.</div>
<div>
<br />
Link to the <a href="https://www.youtube.com/watch?v=144uhgJE3mg&feature=emb_logo">Youtube video</a>.<br />
<br /></div>
<div>
Here are the links:</div>
<ul>
<li><span style="color: #0000ee;"><u><a href="http://www.nepeeringforum.org/troutman/troutman-DoH-DoT-QuadX-Da-Faq.pdf">DNS New World Order: QuadX! DoH! DoT! Da Fuq?</a></u></span></li>
<li><a href="https://twitter.com/paulvixie/status/1053765281917661184">Paul Vixie on DoH</a></li>
<li><a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">Firefox continues push to bring DNS over HTTPS by default for US users</a></li>
<li><a href="https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/">Firefox to enable DNS-over-HTTPS by default to US users</a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging">Firefox HTTP logging</a></li>
<li><a href="https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/">Tutorial to setup your own DNS-over-HTTPS (DoH) server</a></li>
<li><a href="https://www.aaflalo.me/2018/10/dns-over-https-with-pi-hole/">DNS-over-HTTPS with Pi-Hole</a></li>
<li><a href="https://github.com/MarkBaggett/domain_stats">https://github.com/MarkBaggett/domain_stats</a></li>
<li><a href="https://www.arin.net/resources/registry/whois/rdap/">https://www.arin.net/resources/registry/whois/rdap/</a></li>
</ul>
<h2>CISSP Cram Session</h2>
<p><i>Eric Conrad, 2020-06-08</i></p>
Here are the slides for my <a href="https://www.dropbox.com/s/p76leufxr0ipgwp/CISSP%20Cram%20Session.pdf?dl=0">CISSP Cram Session</a> webcast.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXlUYHN6XrV_Gr2KwJt-ByrHL1asFABsgxLqg50Ry6RhC2UxIRCifu7m-j2X3SOMwleT598H-mS5KO6Sa2OXqOpLFlNLVAFNlYy_ZWOXM2m7sWaWuCNkeO7L96qNWWNGZPiyKoGw/s1600/Screen+Shot+2020-06-08+at+12.28.29+PM.png" imageanchor="1"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXlUYHN6XrV_Gr2KwJt-ByrHL1asFABsgxLqg50Ry6RhC2UxIRCifu7m-j2X3SOMwleT598H-mS5KO6Sa2OXqOpLFlNLVAFNlYy_ZWOXM2m7sWaWuCNkeO7L96qNWWNGZPiyKoGw/s320/Screen+Shot+2020-06-08+at+12.28.29+PM.png" width="320" /></a><br />
<br />
The webcast is available here: <a href="http://sans.org/u/140g">http://sans.org/u/140g</a><br />
<h2>BSides Halifax</h2>
<p><i>Eric Conrad, 2020-05-22</i></p>
Here's a link to my <a href="https://bsideshalifax.ca/">BSides Halifax</a> talk <a href="https://www.dropbox.com/s/s0ay5srcdoyivrb/Threat%20Hunting%20via%20DNS%20Bsides%20Halifax.pdf?dl=0">Threat Hunting via DNS</a><br />
<h2>Threat Hunting via Sysmon</h2>
<p><i>Eric Conrad, 2020-01-13</i></p>
Here's a link to my SANS Miami 2020 keynote talk:<br />
<br />
<a href="https://www.dropbox.com/s/x5ovarsppdwe7fn/Threat%20Hunting%20via%20Sysmon%20Miami%202020.pdf?dl=0">Threat Hunting via Sysmon</a>
<h2>Maine DEFCON 207</h2>
<p><i>Eric Conrad, 2019-11-14</i></p>
Here's a copy of my DEFCON 207 talk <a href="https://www.dropbox.com/s/yx5bcy64zi32zf8/Threat%20Hunting%20via%20Windows%20Event%20Logs%20Secwest%20DEFCON%20207.pdf?dl=0">Threat Hunting via Windows Event Logs</a><br />
<br />
DeepBlueCLI GitHub site: <a href="https://github.com/sans-blue-team/DeepBlueCLI">https://github.com/sans-blue-team/DeepBlueCLI</a><br />
<h2>Threat Hunting via Windows Event Logs</h2>
<p><i>Eric Conrad, 2019-05-09</i></p>
Here's a copy of my SANS Security West keynote <a href="https://www.dropbox.com/s/4wwb3bd4z1a5y28/Threat%20Hunting%20via%20Windows%20Event%20Logs%20Secwest%202019.pdf">Threat Hunting via Windows Event Logs</a>
<h2>Build it Once, Build it Right: Architecting for Detection (Atlantic Security Conference)</h2>
<p><i>Eric Conrad, 2019-04-24</i></p>
Here's a copy of my <a href="https://atlseccon.com/">Atlantic Security Conference</a> talk: <a href="https://www.dropbox.com/s/eil0fplx7q3typs/Build%20It%20Once-AtlSecCon.pdf?dl=0">Build it Once, Build it Right: Architecting for Detection</a>
<h2>The Perimeter is Dead</h2>
<p><i>Eric Conrad, 2018-12-13</i></p>
Here's a copy of my <a href="https://www.sans.org/event/cyber-defense-initiative-2018/bonus-sessions/15685/#bonus-box">SANS CDI</a> keynote <a href="https://www.dropbox.com/s/lfsbx7juzgx7220/The%20Perimeter%20is%20Dead%20December%202018.pdf?dl=0">The Perimeter is Dead</a>.
<h2>Build it Once, Build it Right: Architecting for Detection</h2>
<p><i>Eric Conrad, 2018-12-04</i></p>
Here's a copy of my <a href="https://www.sans.org/event/tactical-detection-summit-2018">Tactical Detection & Data Analytics Summit & Training 2018</a> keynote: <a href="https://www.dropbox.com/s/hxgdn4vw2novpwy/Build%20It%20Once%20December%202018.pdf?dl=0">Build it Once, Build it Right</a><br />
<h2>SANS Blue Team Summit</h2>
<p><i>Eric Conrad, 2018-04-23</i></p>
Here is a copy of my SANS Blue Team Summit talk <a href="https://www.dropbox.com/s/fr7zrodf9wx1m9v/Threat%20Hunting%20via%20Windows%20Event%20Logs%20Blue%20Team%20Summit.pdf?dl=0">Threat Hunting via Windows Event Logs</a>
<h2>Threat Hunting via Windows Event Logs</h2>
<p><i>Eric Conrad, 2018-04-03</i></p>
Copy of my #SANS2018 keynote talk:<br />
<br />
<a href="https://www.dropbox.com/s/50623g2yahys6bz/Threat%20Hunting%20via%20Windows%20Event%20Logs.pdf?dl=0">Threat Hunting via Windows Event Logs</a>
<h2>DerbyCon 7: DeepBlueCLIv2 Talk and links</h2>
<p><i>Eric Conrad, 2017-09-22</i></p>
Here's a link to my <a href="https://www.derbycon.com/">DerbyCon 7</a> talk: <a href="https://www.derbycon.com/friday-schedule/#event-47">Introducing DeepBlueCLI v2, Now Available in PowerShell and Python</a><br />
<div>
<br />
Video of my talk (thank you: <a href="https://twitter.com/irongeek_adc">Adrian Crenshaw</a>): <a href="http://www.irongeek.com/i.php?page=videos/derbycon7/t205-introducing-deepbluecli-v2-now-available-in-powershell-and-python-eric-conrad">http://www.irongeek.com/i.php?page=videos/derbycon7/t205-introducing-deepbluecli-v2-now-available-in-powershell-and-python-eric-conrad</a><br />
<br /></div>
<div>
DeepBlueCLI GitHub site: <a href="https://github.com/sans-blue-team/DeepBlueCLI">https://github.com/sans-blue-team/DeepBlueCLI</a></div>
<br />
Last year's talk: <a href="http://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html">http://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html</a><br />
<br />
<a href="https://www.dropbox.com/s/hv8zdibr663dldr/DeepBlueCLIv2-DerbyCon.pdf?dl=0"><img alt=" DeepBlueCLIv2" border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt9QxaqOFZRVVRpwHsbhMWKdG5DtJjTUU1L-mU9t4pvvR4kwTlpyyTJ7cL4mGITZ5Ax4HWtxxMojgUoMHN9rkTOultqubunWz2Calosl2oZLmDrpgB1zMMOdVGc7fLOipgrjTEfQ/s400/Screen+Shot+2017-09-22+at+2.07.35+PM.png" width="400" /></a><br />
<br />
References:<br />
<ol>
<li>Deconstructing Petya: how it spreads and how to fight back, https://nakedsecurity.sophos.com/2017/06/28/deconstructing-petya-how-it-spreads-and-how-to-fight-back/</li>
<li>Mandiant M-Trends 2015, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf</li>
<li>Command Line Kung Fu Episode #31: Remote Command Execution, http://blog.commandlinekungfu.com/2009/05/episode-31-remote-command-execution.html</li>
<li>https://github.com/jaredhaight/PSAttack</li>
<li>https://github.com/darkoperator/Posh-VirusTotal</li>
<li>https://www.virustotal.com/en/documentation/public-api/</li>
<li>http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html</li>
<li>https://github.com/philhagen/sof-elk</li>
<li>https://nxlog.co/products/nxlog-enterprise-edition</li>
<li>https://github.com/williballenthin/python-evtx</li>
<li>https://github.com/libyal/libevtx</li>
</ol>
<h2>ShadowBrokers PCAPs, etc.</h2>
<p><i>Eric Conrad, 2017-04-16</i></p>
I spent some time enjoying Easter Sunday by analyzing the ShadowBrokers EternalBlue attacks vs. a Windows 7 system. It is a service-side attack vs. TCP port 445. On Monday I analyzed EternalRomance and DoublePulsar.<br />
<br />
I will update this post as I test other exploits and victim operating systems.<br />
<br />
<a href="https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/">EternalBlue </a>is the 2017 version of <a href="https://technet.microsoft.com/en-us/library/security/ms08-067.aspx">MS08-067</a>, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.<br />
<br />
I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.<br />
<br />
PCAPs are here: <a href="https://cyber.gd/shadowbrokers">https://cyber.gd/shadowbrokers</a><br />
<br />
Includes:<br />
<ul>
<li>eternalromance-success-2008r2.pcap (new)</li>
<li>eternalromance-doublepulsar-meterpreter.pcap (new)</li>
<li>eternalblue-success-unpatched-win7.pcap</li>
<li>eternalblue-failed-patched-win7.pcap</li>
<li>doublepulsar-backdoor-connect-win7.pcap</li>
</ul>
VirusTotal PCAP analysis (Includes both Snort and Suricata alerts):<br />
<ul>
<li><a href="https://www.virustotal.com/en/file/56c48b644c5527d709fe037ca207b35b4688d035e194aa622fad4c7ebd446e07/analysis/1492363656/">EternalBlue successful compromise</a></li>
<li><a href="https://www.virustotal.com/en/file/23d89befb363b4966b05ed69f08c582a555de22e7352a0a9273039ff11789fbf/analysis/">DoublePulsar backdoor</a></li>
</ul>
I confirmed that <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396">MS17-010</a> mitigates this attack. Patch now!<br />
<br />
Default Windows event logging shows nothing. Neither <a href="https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit">EMET</a> nor <a href="https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396">Applocker</a> stopped EternalBlue.<br />
<br />
Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):<br />
<ul>
<li>EternalBlue: smb.mid == 65</li>
<li>DoublePulsar: smb.mid == 81</li>
</ul>
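As an added example (not part of the original post), here is a PowerShell wrapper around tshark that scores those two candidate filters against the captures listed above. That is the quickest way to act on the false-positive caveat: a filter that also fires on the failed-vs-patched capture needs tightening, and one that stays silent on a success capture misses the attack. It assumes tshark (Wireshark's command-line tool) is on PATH and that the PCAPs were downloaded into the current directory; the file names and filters are the post's own.

```powershell
# Added example: score the two candidate display filters against the post's own captures.
# Assumes tshark is on PATH and the PCAPs listed in the post are in the current directory.
$candidates = [ordered]@{
    EternalBlue  = 'smb.mid == 65'
    DoublePulsar = 'smb.mid == 81'
}
$pcaps = @(
    'eternalblue-success-unpatched-win7.pcap'
    'eternalblue-failed-patched-win7.pcap'
    'doublepulsar-backdoor-connect-win7.pcap'
    'eternalromance-success-2008r2.pcap'
    'eternalromance-doublepulsar-meterpreter.pcap'
)

function Test-DisplayFilter([string]$Pcap, [string]$Name, [string]$Filter) {
    # -Y applies a display filter; -T fields prints one tab-separated line per matching frame.
    $lines = @(& tshark -r $Pcap -Y $Filter -T fields -e frame.number -e ip.src -e ip.dst -e smb.cmd 2>$null)
    $first = if ($lines.Count) { $lines[0] -replace "`t", ' ' } else { '' }
    [pscustomobject]@{
        Pcap       = $Pcap
        Candidate  = $Name
        Filter     = $Filter
        Hits       = $lines.Count
        FirstMatch = $first        # frame, src, dst, SMB command of the first hit
    }
}

$results = foreach ($p in $pcaps) {
    if (-not (Test-Path $p)) { Write-Warning "skipping missing capture $p"; continue }
    foreach ($c in $candidates.GetEnumerator()) {
        Test-DisplayFilter -Pcap $p -Name $c.Key -Filter $c.Value
    }
}
$results | Format-Table -AutoSize

# Hits on the failed-vs-patched capture are false-positive candidates; a success capture
# for the same exploit with zero hits means the filter misses the attack.
foreach ($r in $results) {
    if ($r.Hits -gt 0 -and $r.Pcap -like '*failed-patched*') {
        Write-Warning "$($r.Candidate): $($r.Hits) hit(s) in $($r.Pcap)"
    }
    if ($r.Hits -eq 0 -and $r.Pcap -like '*success*' -and $r.Pcap -like "*$($r.Candidate.ToLower())*") {
        Write-Warning "$($r.Candidate): no hits in $($r.Pcap)"
    }
}
```

One caveat worth keeping in mind when reading the results: <span style="font-family: courier;"><b>smb.mid</b></span> is the SMB1 header's multiplex ID. SMB2 frames carry <span style="font-family: courier;"><b>smb2.msg_id</b></span> instead, so neither filter can see an SMB2-borne attempt, which lines up with the SMB2 note below.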
I <a href="https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012">disabled SMB1</a> on Windows 7, which stopped EternalBlue with default settings. I need to test more since EternalBlue can allegedly use SMB2. EternalRomance appears to be SMB1-only.<br />
<br />
<a href="https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/">SMB1 is awful</a>, and should be disabled regardless (be sure to test).<br />
<br />
It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.<br />
<br />
DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.
<h2>Quality not Quantity talk, commands, and links</h2>
<p><i>Eric Conrad, 2016-10-24</i></p>
<a href="https://drive.google.com/file/d/0ByeHgv6rpa3gWi1xaWhZaWFQSjA/view?usp=sharing" style="font-size: medium; font-weight: normal;">Quality not Quantity: Continuous Monitoring's Deadliest Events</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyu_JYeTy468M8yczIspmLKinrbjSZpoHzlKPDZrNu5UT7N6FznW_BUw1A4LI9x9Y783igwtEpM4XJbehV6cZk93XPVeR4wo3ht_iPPCEhpTxBj-oghxhtm8XO-iu4CsLEz7eFFw/s1600/Screen+Shot+2016-10-24+at+6.42.14+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyu_JYeTy468M8yczIspmLKinrbjSZpoHzlKPDZrNu5UT7N6FznW_BUw1A4LI9x9Y783igwtEpM4XJbehV6cZk93XPVeR4wo3ht_iPPCEhpTxBj-oghxhtm8XO-iu4CsLEz7eFFw/s400/Screen+Shot+2016-10-24+at+6.42.14+PM.png" width="400" /></a></div>
<br />
<div>
<h2>
<b>Commands:</b></h2>
<div>
Service creation events (7045) and interactive-service errors (7030), which malicious service binaries commonly trigger:</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}</b></span></div>
<div>
<br /></div>
<div>
User creation events (4720) and users added to security-enabled local (4732) and global (4728) groups:</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}</b></span></div>
</div>
<div>
<br /></div>
<div>
Full command line of every created process (4688; the command line field is only populated once command-line auditing is enabled, see <a href="https://support.microsoft.com/en-us/kb/3004375">https://support.microsoft.com/en-us/kb/3004375</a>):</div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}</b></span></div>
</div>
<div>
<br /></div>
<div>
AppLocker events (requires AppLocker; 8003 is audit mode, "would have been blocked", and 8004 is an actual block):</div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}</b></span></div>
</div>
<div>
<div>
<br /></div>
<div>
Detect when EMET blocks malware (requires EMET):</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}</b></span></div>
</div>
<div>
<br /></div>
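As an added example, not code from either talk or from DeepBlueCLI, the script below reworks the one-liners above into a single sweep over a time window, and applies the same field-level approach to the Sysmon EVTX from the Leave Only Footprints post higher up the page (the ADMIN$, cmd.exe/wmiprvse.exe and CreateRemoteThread hunts). Instead of substring-matching the rendered Message, it converts each event's EventData into properties and filters on named fields (ServiceName, ImagePath, NewProcessName, CommandLine, Image, ParentImage, SourceImage and so on, which are the names Windows and Sysmon use). Assumptions: it runs elevated; command-line auditing (KB3004375) is enabled for 4688; the watch list of binaries is this example's own, not the JPCERT list in the references; and metasploit-sysmon.evtx, if present, is in the current directory.

```powershell
# Added example (not from either talk): sweep the "deadliest events" over a time window
# and hunt a Sysmon EVTX on structured fields. Assumptions: run elevated; command-line
# auditing (KB3004375) is on for 4688; metasploit-sysmon.evtx (from the Leave Only
# Footprints post) is in the current directory, otherwise Part 2 is skipped; the 4688
# watch list is this example's own choice.
param([int]$Hours = 24, [string]$SysmonEvtx = '.\metasploit-sysmon.evtx')

function ConvertFrom-EventData {
    # Emit one object per event: TimeCreated, Id, plus every <Data Name="..."> element
    # from EventData, so hunts can filter on a named field instead of the rendered
    # (and locale-dependent) Message text.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $props = [ordered]@{ TimeCreated = $Record.TimeCreated; Id = $Record.Id }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $props[$d.GetAttribute('Name')] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

function Invoke-Hunt([hashtable]$Filter) {
    # SilentlyContinue keeps "No events were found" (or a missing channel) from being a red error.
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ConvertFrom-EventData
}

# ---- Part 1: live sweep over the last $Hours ----
$since = (Get-Date).AddHours(-$Hours)

# 7045 new service (a binary under a user profile, temp, or an ADMIN$ drop is the classic tell);
# 7030 interactive-service error, which malicious service binaries often trigger.
Invoke-Hunt @{ LogName = 'System'; Id = 7045, 7030; StartTime = $since } |
    Select-Object TimeCreated, Id, ServiceName, ImagePath, AccountName |
    Format-Table -AutoSize -Wrap | Out-Host

# 4720 user created; 4732/4728 member added to a security-enabled local/global group.
Invoke-Hunt @{ LogName = 'Security'; Id = 4720, 4732, 4728; StartTime = $since } |
    Select-Object TimeCreated, Id, TargetUserName, MemberName, SubjectUserName |
    Format-Table -AutoSize -Wrap | Out-Host

# 4688 process creation: only surface command lines whose binary is on the watch list.
$watch = 'net.exe', 'net1.exe', 'whoami.exe', 'tasklist.exe', 'wmic.exe', 'schtasks.exe',
         'at.exe', 'reg.exe', 'sc.exe', 'psexesvc.exe', 'powershell.exe'
Invoke-Hunt @{ LogName = 'Security'; Id = 4688; StartTime = $since } |
    Where-Object { $watch -contains [IO.Path]::GetFileName([string]$_.NewProcessName).ToLower() } |
    Select-Object TimeCreated, SubjectUserName, ParentProcessName, CommandLine |
    Format-Table -AutoSize -Wrap | Out-Host

# AppLocker (8003 = audit "would have blocked", 8004 = blocked) keeps its details under
# UserData rather than EventData; for it and EMET the sweep just counts hits, and any
# non-zero count is worth opening in full.
foreach ($f in @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $since },
        @{ LogName = 'Application'; ProviderName = 'EMET'; Id = 2; StartTime = $since })) {
    $n = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue).Count
    Write-Host ('{0,-45} {1,5}' -f $f.LogName, $n)
}

# ---- Part 2: the Sysmon EVTX from Leave Only Footprints, on structured fields ----
if (Test-Path $SysmonEvtx) {
    $evtx  = (Resolve-Path $SysmonEvtx).Path
    $procs = Invoke-Hunt @{ Path = $evtx; Id = 1 }     # Sysmon 1 = process creation

    # Service binaries pushed over ADMIN$. Single quotes so nothing after "$" is expanded.
    $procs | Where-Object { $_.CommandLine -like '*ADMIN$*' -or $_.ParentCommandLine -like '*ADMIN$*' } |
        Select-Object TimeCreated, User, Image, CommandLine | Format-Table -AutoSize -Wrap | Out-Host

    # cmd.exe whose parent is wmiprvse.exe: tighter than "both strings appear somewhere in the message".
    $procs | Where-Object { $_.Image -like '*\cmd.exe' -and $_.ParentImage -like '*\wmiprvse.exe' } |
        Select-Object TimeCreated, User, ParentImage, CommandLine | Format-Table -AutoSize -Wrap | Out-Host

    # Sysmon 8 = CreateRemoteThread (hashdump, migrate): who injected into what, and how often.
    Invoke-Hunt @{ Path = $evtx; Id = 8 } |
        Group-Object SourceImage, TargetImage | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize | Out-Host
}
```

Run it as <span style="font-family: courier;"><b>.\sweep.ps1 -Hours 72</b></span> from an elevated prompt to widen the window; the EventData-to-object step is what makes the parent/child and path checks possible, since the rendered Message lumps CommandLine, ParentCommandLine and CurrentDirectory into one text blob and its labels change with the system locale.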
<h2>
References:</h2>
<ol>
<li>Mandiant M-Trends 2016: <a href="https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf">https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf</a></li>
<li>Verizon DBIR: <a href="http://www.verizonenterprise.com/DBIR/2015/">http://www.verizonenterprise.com/DBIR/2015/</a></li>
<li>USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers <a href="https://www.youtube.com/watch?v=bDJb8WOJYdA">https://www.youtube.com/watch?v=bDJb8WOJYdA</a></li>
<li>Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: <a href="http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data">http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data</a></li>
<li>The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: <a href="http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm">http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm</a></li>
<li>Patch-crazy Aust Govt fought off EVERY hacker since 2013 <a href="http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/">http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/</a></li>
<li>CIS Critical Security Controls: <a href="https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015">https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015</a></li>
<li>AppLocker: <a href="https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx">https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx</a></li>
<li>AppLocker CSP: <a href="https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx">https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx</a></li>
<li>Windows 10 Enterprise 90-day Trial: <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise">https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise</a></li>
<li>Microsoft EMET: <a href="https://support.microsoft.com/en-us/kb/2458544">https://support.microsoft.com/en-us/kb/2458544</a></li>
<li>Enable Windows command-line auditing: <a href="https://support.microsoft.com/en-us/kb/3004375">https://support.microsoft.com/en-us/kb/3004375</a> </li>
<li>Windows Commands Abused by Attackers <a href="http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html">http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html</a></li>
</ol>
<h2>DeepBlueCLI: a PowerShell Module for Hunt Teaming via Windows Event Logs</h2>
<p><i>Eric Conrad, 2016-09-23</i></p>
Here's a <a href="http://www.irongeek.com/i.php?page=videos/derbycon6/211-introducing-deepbluecli-a-powershell-module-for-hunt-teaming-via-windows-event-logs-eric-conrad">video of my 2016 DerbyCon talk DeepBlueCLI</a>. Thank you, @irongeek_adc<br />
<br />
A copy of my <a href="https://www.dropbox.com/s/2sw7gmk297b5y5y/DeepBlueCLI%20DerbyCon2016.pdf?dl=0">2016 DerbyCon talk DeepBlueCLI</a> slides:<br />
<br />
<a href="https://drive.google.com/a/backshore.net/file/d/0ByeHgv6rpa3gNU4wLVZKNjd4cTA/"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxCBHnRlSW1wmg6AikAlB-3jxiQahVe4x2F7EKQ9MAvLHaJKHTlReykraOn7zBM240oNbHPoANeNaWy0laiVe5JwXipWnyPNLm7-X6n3NKUd5tcvzmB7BvAImZ1Yqm78A39iKcWw/s320/Screen+Shot+2016-09-23+at+5.26.24+PM.png" width="320" /></a><br />
<br />
Github site: <a href="https://github.com/sans-blue-team/DeepBlueCLI">https://github.com/sans-blue-team/DeepBlueCLI</a><br />
<br />
<a href="http://www.ericconrad.com/2016/04/quality-not-quantity-talk-commands-and.html">Link to my Quality Not Quantity talk</a>, which inspired DeepBlueCLI.<br />
<h2>C2 Phone Home: Leveraging SecurityOnion to Identify Command and Control Channels</h2>
<p><i>Eric Conrad, 2016-09-07</i></p>
<a href="https://www.youtube.com/watch?v=ViR405l-ggg">Video of the talk</a><br />
<br />
Links from my <a href="https://www.eventbrite.com/e/security-onion-conference-soc-2016-tickets-26353204143">Security Onion Con 2016</a> talk:<br />
<a href="https://www.dropbox.com/s/ud8oajqkihhqxm2/C2%20Phone%20Home%2020160907.pdf?dl=0">C2 Phone Home: Leveraging SecurityOnion to Identify Command and Control Channels</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://drive.google.com/file/d/0ByeHgv6rpa3gX1g5VmdUX253ZEU/" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHtfQjzidqmc91oD6Ght2J_5ahMTnOFxrXUKJUzNvxxKzioJla-G0aDxeTjcZsCcjrtSCKYHate8EUHivtNVpYk7-MxXD_pkO4TFgeN9-ZwngbH0ASbcWXxpqo3A5D8NJj_C0RYQ/s400/Screen+Shot+2016-09-07+at+8.07.32+PM.png" width="400" /></a></div>
<br />
<br />
<br />
<a href="https://www.dropbox.com/s/17t5avk41pio9hr/c2phonehome.zip?dl=0">Link to all pcaps, Bro logs and Whitecap Snort Rules</a>
<h2>Time is on your Side talk and links</h2>
<p><i>Eric Conrad, 2016-08-09</i></p>
<div>
<br /></div>
<div>
<a href="https://drive.google.com/file/d/0ByeHgv6rpa3gLVBaYnJVdDNzRVE/">Time is on your Side: Username guessing via Timing Attacks</a></div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://drive.google.com/file/d/0ByeHgv6rpa3gLVBaYnJVdDNzRVE/"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0GPKLuFJvcd90TcckEWehWTJk6uqM40V2Ffhv69-C5EQ7neB5iHImtKQEwHy9jZlAW4UBeSD6c1ntc-9d_X0uYkxqZod-n80PVkIVPfCY_CuqOMq1N1Xgx3_nmBY6e2NaeWn5Sg/s320/Screen+Shot+2016-08-09+at+5.34.28+PM.png" width="320" /></a></div>
<div>
<br /></div>
<div>
Links from the talk:</div>
<ul>
<li>Eddy Harari's "opensshd - user enumeration" post to the Full Disclosure Mailing List: <a href="http://seclists.org/fulldisclosure/2016/Jul/51">http://seclists.org/fulldisclosure/2016/Jul/51</a></li>
<li>enumer8-ssh: <a href="https://github.com/eric-conrad/enumer8">https://github.com/eric-conrad/enumer8</a></li>
<li>First names from the 1990 US Census: <a href="http://www2.census.gov/topics/genealogy/1990surnames/">http://www2.census.gov/topics/genealogy/1990surnames/</a></li>
<li>Last names from the 2000 US Census: <a href="http://www.census.gov/topics/population/genealogy/data/2000_surnames.html">http://www.census.gov/topics/population/genealogy/data/2000_surnames.html</a></li>
<li>Account Enumeration via Timing Attacks <a href="https://littlemaninmyhead.wordpress.com/2015/07/26/account-enumeration-via-timing-attacks/">https://littlemaninmyhead.wordpress.com/2015/07/26/account-enumeration-via-timing-attacks/</a></li>
<li>Password Spraying Outlook Web Access – How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 2 <a href="http://www.blackhillsinfosec.com/?p=4694">http://www.blackhillsinfosec.com/?p=4694</a></li>
<li>Question: What Can I Learn from Password Spraying a 2FA Microsoft Web App Portal? <a href="http://www.blackhillsinfosec.com/?p=5089">http://www.blackhillsinfosec.com/?p=5089</a></li>
</ul>
Eric Conradhttp://www.blogger.com/profile/04946059331360224891noreply@blogger.com0tag:blogger.com,1999:blog-8710533.post-62737528947314347882016-04-01T21:00:00.000-06:002016-04-07T06:21:27.055-06:00Quality not Quantity talk, commands, and links<h2>
<a href="https://drive.google.com/file/d/0ByeHgv6rpa3gc0g2aFVob19jeUE/" style="font-size: medium; font-weight: normal;">Quality not Quantity: Continuous Monitoring's Deadliest Events</a></h2>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://drive.google.com/file/d/0ByeHgv6rpa3gc0g2aFVob19jeUE/view?usp=sharing"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCCn-yLLDS2WFJ5YfQ4LYqkiSaLLdyTkS5EUdZxCpBYKha_gzlXU_WRQAUG2xBc-ZrVyYyDAcxJW0i8e4h_Dh5aPtqN6P5_DoMTToJXVSCtH0JDHmjrr5jL-4vpTfOl7l5ygKYbw/s400/Screen+Shot+2016-04-03+at+12.44.00+PM.png" width="400" /></a></div>
<h2>
<b>Commands:</b></h2>
<div>
Service installation events (7045) and interactive-service errors (7030) from the System log; PsExec-style lateral movement drops a service and commonly produces both:</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}</b></span></div>
<div>
<br /></div>
<div>
User account creation (4720) and members added to security-enabled local (4732) and global (4728) groups:</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}</b></span></div>
</div>
<div>
<br /></div>
<div>
Process creation events (4688). Capturing the full command line requires <a href="https://support.microsoft.com/en-us/kb/3004375">https://support.microsoft.com/en-us/kb/3004375</a> and the "Include command line in process creation events" policy setting; Security log reads also need an elevated prompt:</div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}</b></span></div>
</div>
<div>
<br /></div>
<div>
AppLocker events (requires AppLocker): 8004 is a blocked execution, 8003 is audit-only, meaning the file ran but would have been blocked if the policy were enforced:</div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}</b></span></div>
</div>
<div>
<div>
<br /></div>
<div>
Detect EMET mitigations firing against an exploit attempt (Application log, provider EMET, event ID 2; requires EMET):</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PS> <b>Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}</b></span></div>
</div>
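<div>
Added example (editor's code, not from the talk and not part of DeepBlueCLI): the queries above wrapped as PowerShell functions that tag each event with what it means and, for 4688, flag command lines that start with a commonly abused built-in. The event IDs and log names are the ones listed above; the regexes that pull fields out of the Message text, the abused-command list (a subset of the JPCERT list in reference 13) and the sample events are my assumptions, and the sample events are constructed, not real log data.</div>

```powershell
# Added example for this post (not code from the talk or from DeepBlueCLI).
# Event IDs and log names are those listed above; the Message regexes, the
# abused-command list and the sample events below are assumptions.

# Event ID -> what it means to a defender
$DeadliestEventMap = @{
    7045 = 'Service installed (System log)'
    7030 = 'Interactive service error (System log; typical after PsExec-style service drops)'
    4720 = 'User account created'
    4732 = 'Member added to security-enabled local group'
    4728 = 'Member added to security-enabled global group'
    4688 = 'Process created'
    8003 = 'AppLocker audit: would have been blocked if enforced'
    8004 = 'AppLocker blocked execution'
}

# Built-in tools attackers lean on (assumption: subset of the JPCERT list in ref. 13)
$AbusedCommands = 'tasklist','ver','ipconfig','systeminfo','net','netstat','whoami','qprocess',
    'query','at','reg','wmic','wusa','netsh','sc','rundll32','taskkill','klist','wevtutil','psexec'

function Get-DeadliestEvents {
    # Same events the individual commands above return, from the live logs.
    # Reading Security needs elevation; a filter with no matches makes Get-WinEvent
    # emit a non-terminating "No events were found" error, which is suppressed here.
    [CmdletBinding()]
    param([int]$MaxEvents = 1000)
    $filters = @(
        @{ LogName = 'System';      Id = 7045, 7030 }
        @{ LogName = 'Security';    Id = 4720, 4732, 4728, 4688 }
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 }
        @{ LogName = 'Application'; ProviderName = 'EMET'; Id = 2 }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
}

function Get-MessageField {
    # Value of "Label:<tab>value" in an event's Message text. -After restricts the
    # search to the text following a section header, because 4720/4732/4728 repeat
    # 'Account Name:' and 'Security ID:' for both the subject and the target.
    param([string]$Message, [string]$Label, [string]$After = '')
    $text = $Message
    if ($After) {
        $i = $text.IndexOf($After)
        if ($i -lt 0) { return $null }
        $text = $text.Substring($i)
    }
    if ($text -match "(?m)^\s*$([regex]::Escape($Label)):[ \t]*(.*?)[ \t\r]*$") { return $Matches[1] }
    return $null
}

function Test-AbusedCommand {
    # True when the first token of a 4688 command line is a commonly abused built-in.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    $first = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $name  = [IO.Path]::GetFileNameWithoutExtension($first).ToLowerInvariant()
    return $AbusedCommands -contains $name
}

function Select-DeadliestEvents {
    # One summary row per event (from Get-WinEvent, a saved .evtx, or the samples
    # below). Suspicious is true for every listed event except 4688, which is only
    # flagged when the command line starts with an abused tool.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $id  = [int]$Record.Id
        $msg = [string]$Record.Message
        if ($Record.ProviderName -eq 'EMET' -and $id -eq 2) { $meaning = 'EMET mitigation fired' }
        elseif ($DeadliestEventMap.ContainsKey($id))       { $meaning = $DeadliestEventMap[$id] }
        else { return }
        $detail = switch ($id) {
            7045 { '{0} = {1}' -f (Get-MessageField $msg 'Service Name'), (Get-MessageField $msg 'Service File Name') }
            4720 { 'new account ' + (Get-MessageField $msg 'Account Name' -After 'New Account:') }
            { $_ -in 4732, 4728 } { '{0} added to {1}' -f (Get-MessageField $msg 'Security ID' -After 'Member:'), (Get-MessageField $msg 'Group Name' -After 'Group:') }
            4688 { Get-MessageField $msg 'Process Command Line' }
            default { ($msg -split "`r?`n")[0] }
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Id          = $id
            Meaning     = $meaning
            Detail      = $detail
            Suspicious  = ($id -ne 4688) -or (Test-AbusedCommand $detail)
        }
    }
}

# Constructed sample events (not real log data) with the property names Get-WinEvent uses.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2016-04-01T09:00:00'; Id = 7045; ProviderName = 'Service Control Manager'
        Message = "A service was installed in the system.`r`n`r`nService Name:  XYZabc`r`nService File Name:  %SYSTEMROOT%\XYZabc.exe" }
    [pscustomobject]@{ TimeCreated = [datetime]'2016-04-01T09:00:01'; Id = 4688; ProviderName = 'Microsoft-Windows-Security-Auditing'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:`tC:\Windows\System32\net.exe`r`n`tProcess Command Line:`tnet user backdoor Passw0rd /add" }
    [pscustomobject]@{ TimeCreated = [datetime]'2016-04-01T09:00:02'; Id = 4688; ProviderName = 'Microsoft-Windows-Security-Auditing'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:`tC:\Windows\System32\notepad.exe`r`n`tProcess Command Line:`tnotepad.exe C:\notes.txt" }
    [pscustomobject]@{ TimeCreated = [datetime]'2016-04-01T09:00:03'; Id = 4732; ProviderName = 'Microsoft-Windows-Security-Auditing'
        Message = "A member was added to a security-enabled local group.`r`n`r`nMember:`r`n`tSecurity ID:`tS-1-5-21-1-2-3-1105`r`n`r`nGroup:`r`n`tSecurity ID:`tS-1-5-32-544`r`n`tGroup Name:`tAdministrators" }
)

$SampleEvents | Select-DeadliestEvents | Format-Table -AutoSize
# Live logs:   Get-DeadliestEvents | Select-DeadliestEvents | Where-Object Suspicious | Format-Table -AutoSize
# Saved .evtx: Get-WinEvent -FilterHashtable @{Path='C:\evidence\Security.evtx'; Id=4688} | Select-DeadliestEvents
```

<div>
Run over the constructed samples, the service install, the <span style="font-family: "courier new" , "courier" , monospace;">net user /add</span> and the Administrators group change come back flagged and the notepad launch does not. The functions read only the <span style="font-family: "courier new" , "courier" , monospace;">Id</span>, <span style="font-family: "courier new" , "courier" , monospace;">Message</span>, <span style="font-family: "courier new" , "courier" , monospace;">ProviderName</span> and <span style="font-family: "courier new" , "courier" , monospace;">TimeCreated</span> properties, so the same pipeline works against live logs, against an <span style="font-family: "courier new" , "courier" , monospace;">.evtx</span> exported from a compromised host, or against the per-event message text alone.</div>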
<div>
<br /></div>
<h2>
References:</h2>
<ol>
<li>Mandiant M-Trends 2016: <a href="https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf">https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf</a></li>
<li>Verizon DBIR: <a href="http://www.verizonenterprise.com/DBIR/2015/">http://www.verizonenterprise.com/DBIR/2015/</a></li>
<li>USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers <a href="https://www.youtube.com/watch?v=bDJb8WOJYdA">https://www.youtube.com/watch?v=bDJb8WOJYdA</a></li>
<li>Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: <a href="http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data">http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data</a></li>
<li>The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: <a href="http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm">http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm</a></li>
<li>Patch-crazy Aust Govt fought off EVERY hacker since 2013 <a href="http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/">http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/</a></li>
<li>CIS Critical Security Controls: <a href="https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015">https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015</a></li>
<li>AppLocker: <a href="https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx">https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx</a></li>
<li>AppLocker CSP: <a href="https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx">https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx</a></li>
<li>Windows 10 Enterprise 90-day Trial: <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise">https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise</a></li>
<li>Microsoft EMET: <a href="https://support.microsoft.com/en-us/kb/2458544">https://support.microsoft.com/en-us/kb/2458544</a></li>
<li>Enable Windows command-line auditing: <a href="https://support.microsoft.com/en-us/kb/3004375">https://support.microsoft.com/en-us/kb/3004375</a> </li>
<li>Windows Commands Abused by Attackers <a href="http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html">http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html</a></li>
</ol>
<br />
<br />
Eric Conradhttp://www.blogger.com/profile/04946059331360224891noreply@blogger.com0tag:blogger.com,1999:blog-8710533.post-82654955550900264072015-12-11T08:58:00.000-07:002015-12-11T08:59:18.532-07:00CISSP Study Guide 3E - Shipping Now<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 12.8px;">Just a note to say the CISSP Study Guide 3E is in stock and shipping from Amazon.</span><br />
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a href="http://www.amazon.com/CISSP-Study-Guide-Third-Conrad/dp/0128024372" style="color: #1155cc;" target="_blank">http://www.amazon.com/CISSP-Study-Guide-Third-Conrad/dp/0128024372</a></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZZiNOjbGQFDvirUzMGwbdKlYhfGefW98Oy5L00GZPdpIFLpC37kX-PjRwi0i4ce5liJ_rG5VR63AcuNU6ok2JlS4XMIs3mv5awrtDwOynIVFAXzPuV8PwTpOoN9DdBLEsYi72Dw/s1600/Screen+Shot+2015-12-11+at+10.46.03+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZZiNOjbGQFDvirUzMGwbdKlYhfGefW98Oy5L00GZPdpIFLpC37kX-PjRwi0i4ce5liJ_rG5VR63AcuNU6ok2JlS4XMIs3mv5awrtDwOynIVFAXzPuV8PwTpOoN9DdBLEsYi72Dw/s400/Screen+Shot+2015-12-11+at+10.46.03+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br />
<span style="font-size: 12.8px;">Electronic editions should be available in January. We are working on the 11th Hour CISSP Study Guide update now, chapters are due by April (but I hope to have it done before then).</span></div>
Eric Conradhttp://www.blogger.com/profile/04946059331360224891noreply@blogger.com8tag:blogger.com,1999:blog-8710533.post-46614674436583998842015-11-23T09:09:00.001-07:002015-11-23T09:09:12.425-07:00CISSP Study Guide 3E is Complete<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Lots of people have asked me for the release date of the CISSP Study Guide 3E. <a href="http://www.amazon.com/CISSP-Study-Guide-Third-Conrad/dp/0128024372">Amazon</a> (now) lists December 29th, but it will be sooner.</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
I can confirm the book is done and is at the printers now. I ordered copies as a surprise Christmas gift for students of my MGT 414 class coming up at <a href="https://www.sans.org/event/cyber-defense-initiative-2015/">SANS CDI</a> in 3 weeks, and Syngress has confirmed the books will ship by then.</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a href="https://www.sans.org/event/cyber-defense-initiative-2015/course/sans-plus-s-training-program-cissp-certification-exam" style="color: #1155cc;" target="_blank">https://www.sans.org/event/cyber-defense-initiative-2015/course/sans-plus-s-training-program-cissp-certification-exam</a></div>
Eric Conradhttp://www.blogger.com/profile/04946059331360224891noreply@blogger.com4