Proactive Threat Detection. Seek and ye shall find, otherwise: compromise
|
|
- Noreen Singleton
- 7 years ago
- Views:
Transcription
1 Proactive Threat Detection Seek and ye shall find, otherwise: compromise
2 Objectives Learn (very little) about who I am Understand the attack lifecycle Understand how host-based forensic artifacts can be used to detect threats and augment network analysis Review a few case studies Interrogate me (be kind) Do all that in one hour or less.
3 Introduction (/me) 15 years as a systems administrator and network engineer 5 years at Mandiant Investigation and remediation lead Researcher focusing on native exploitation of Windows frameworks (WMI, WSH, PowerShell) Presentations delivered at MIRCon, CanSecWest, SANS DFIR USA, SANS DFIR Europe Educator (internal and external) Internal coursework includes proactive threat detection, creating and using indicators of compromise, and various investigative techniques I tweet at people sometimes (@_devonkerr_)
4 The attacker lifecycle Learn how your prey behaves
5
6 Host-based Forensic Artifacts Index Tracking on Windows
7 Note To help manage the volume of material, this section is broken up by the type of source of evidence: Filesystem Registry Event logs Process memory The general value of each artifact has been indicated during each phase of an intrusion Please be aware that these are not always true Value is represented by color saturation rich colors are good, light colors are bad
8 Filesystem Initial Compromise Establish Foothold Escalate Privileges Internal Recon Move Laterally Maintain Persistence Complete Mission Prefetch INDX files NTFS Change Journal JOB files BAT files Enterprise AV logfiles Common Staging Folders LNK files WMI CIM Repo
9 Registry Initial Compromise Establish Foothold Escalate Privileges Internal Recon Move Laterally Maintain Persistence Complete Mission AppCompatCac he Amcache MUICache Service keys Run/RunOnce keys LSA Secrets Shellbags MRU keys UserAssist
10 Event logs Initial Compromise Establish Foothold Escalate Privileges Internal Recon Move Laterally Maintain Persistence Complete Mission EID 592/4688 (Process tracking) EID 601/4697 (Service creation) EID (Service start/stop) EID 540/4624 (NTLM Logon) EID 552/4648 (KERBEROS/Explicit) EID 21/23/24/ /529/4624/4625( Terminal Services) EID 602/4698 (scheduled task creation) EID 556/7036 (ntdsutil/vssadmin) Enterprise AV (various EIDs)
11 Process Memory Initial Compromise Establish Foothold Escalate Privileges Internal Recon Move Laterally Maintain Persistence Complete Mission Import hashing/analysis Unsigned binaries/drivers Conhost/csrss strings Injected processes Network Connections DNS Cache Mutexes Process path anomalies Svchost.exe artifacts
12 How to use this information
13 Develop a plan of action Often, a compromise is detected during one of the intrusion phases. Using these tables, an investigator could prioritize which artifacts to collect. Here s a for-instance: your organization receives a notification from law enforcement. The notification tells you that on May 15, 2015 approximately 25GB of multipart WinRAR archives were stolen from a webserver in the DMZ. The naming convention resembles aa[1-87].jpg. What can we collect that helps with the data theft portion of an intrusion: Prefetch Shimcache Amcache INDX records Common staging folders NTFS change journal
14 All phases: Shimcache/amcache, process tracking Assume compromise Instead of waiting for a compromise to occur, what are the highest value artifacts we can collect and which phases will they be relevant? Initial Compromise: AV logs Establish a Foothold: Services keys, run keys Escalate Privileges: Prefetch, AV logs, LSA secrets registry key, events related to VSS Internal Recon: Prefetch, BAT files Move Laterally: JOB files, events related to logons/rdp/scheduled tasks Maintain Persistence: NTFS change journal, services keys, run keys, events related to services Complete the Mission: Prefetch, common staging folders, NTFS change journal, INDX records
15 Practical Examples I caught a fish this big
16 Scenario-driven examples All information was obtained from nonclassified environments. Note that each artifact in the presented examples was collected using an endpoint agent, however it would be relatively trivial to collect these using PowerShell, WMI, batch scripts, or other open source solutions. Using prefetch to identify credential harvesting Finding malware with Windows Services analysis Finding PlugX with import functions Similarly, each artifact can be parsed using a wide variety of open source tools the intent is to demonstrate the value of these artifacts without promoting a collection or analysis framework.
17 Example: Prefetch
18 Overview of Prefetch Helps answer what application previously ran? and when? File system artifact located in C:\Windows\Prefetch\ path and hash filename, same filename in different directories will result in different prefetch filenames Disabled on servers (default) Records the binaries loaded within ~10 seconds of execution Up to 128 on Win7, up to 1024 on Win8
19 Prefetch naming convention C:\WINDOWS\calc.exe C:\WINDOWS\Prefetch\CALC.EXE-1701A124.pf C:\WINDOWS\system32 \calc.exe C:\WINDOWS\Prefetch\CALC.EXE-77FDF17F.pf
20 Valuable Prefetch metadata The $SIA creation timestamp typically indicates the first run time The last modified timestamp typically indicates the most recent run time Other metadata includes The # of times executed The list of files accessed within 10 seconds of execution The last run time
21 Prefetch scenario: password dumping Scope: all prefetch files from Windows systems in a 10K node environment The average volume of prefetch was ~34MB per system Parsed out, this resulted in ~8600 accessed file references Searched accessedfiles lists for common archive utilities, found WinRAR to be quite rare (employees favored 7zip) Immediately identified 3 systems where WinRAR was used 1 false positive 2 valid systems, one which showed us the following:
22 Struck gold in AccessedFiles
23 Some options for Prefetch analysis Review all prefetch files for [1-3] character filenames (ex. aaa.exe ) Review all prefetch files for suspicious filenames (ex. rar.exe ) Review all prefetch files for administrative tool names (ex. ntdsutil.exe ) Review accessedfiles for suspicious filenames (ex. wceaux.dll ) Review accessedfiles for suspicious file extensions (ex..part.rar ) Review accessedfiles for suspicious directory names (ex. RECYCLE.BIN ) Frequency analysis of prefetch files and the distribution of accessedfiles filenames
24 Example: Windows Services
25 Overview of a Windows Service Windows Services are configured in the registry Can be started either automatically or manually May load a standalone binary using the ImagePath value An executable file ImagePath can execute a ServiceDLL as well
26 Windows Service metadata Windows Services are configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Let s look at a valid Windows service: RasMan, the Remote Access Service Manager ServiceName: RasMan DisplayName: Remote Access Connection Manager Description: Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is disabled, any services that explicitly depend on it will fail to start. ImagePath: ServiceDLL: %systemroot%\system32\svchost.exe k netsvcs %systemroot%\system32\rasmans.dll
27 Windows Services scenario: malware Scope: all Windows Services metadata from systems in a 47K node environment The average size of a Service registry key is a few KB, in this environment ~14KB average Parsed out, this resulted in almost 50M rows of metadata (less than 4GB uncompressed) Automatically enriched the data: hashing each ImagePath and ServiceDLL binary, verifying digital signatures, checking NSRLs, etc. Next, we checked for service executables in unusual directories or valid names but unexpected ServiceDLLs Identified 119 interesting services ~50% false positives (curse you unsigned printers!) 38 systems with non-targeted malware, 17 systems with 2 targeted backdoor variants Here s one of those examples:
28 Anatomy of an evil Service key ServiceName: DisplayName: Description: ImagePath: ServiceDLL: NCRperfmon NCR SelfServ Platform Remote Monitor n/a %systemroot%\system32\ncrperfmon.exe n/a
29 Some options for Services analysis Review all ServiceDLL and ImagePath binaries Determine if signed, if so determine if the signature can be verified Review hashes of all executables, compare to a trusted NSRL Determine if binaries are running out of unusual directories Review the Service name and description compare against Microsoft published service information Examine frequency of occurrence does the service appear on more than 15% of systems? Are there outliers with a different ServiceDLL hash, signing status, or path? Look at ImagePath binaries do you see any instance of svchost.exe outside of system32?
30 Example: Binary Analysis
31 Overview of function imports An import is a DLL loaded by an executable which contains some functionality A program s capabilities can be tied to one or more imports Note that a capability, like keylogging, can be achieved through a few different collections of imports in most cases Upon execution, Windows examines the PE data and loads the executable into memory During this process it also loads any import DLLs into memory and maps all the necessary functions those DLLs support
32 Useful binary metadata The import name: this is the name of a DLL In some cases the DLL will exist on disk, in other cases the DLL will be unpacked from a binary and loaded into memory The import size: the size of the DLL The function name: this is the name of the function stored within the imported DLL which the executable will use Combinations of functions can make very reliable indicators
33 Something known: PlugX attributes PlugX (KORPLUG) has a fairly unique combination of import and functions Filesize: 4096 bytes Imported DLL: msvcrt.dll, a valid library which provides programs with C/C++ functions Imported functions (all must be present): Malloc: Memset: Strcat: allocates memory sets the content of allocated memory appends data
34 PlugX identified in process imports Scope: PE info from every binary in an environment of about 17K Windows systems (metadata only) The average size of metadata was ~22MB per system Using information known (previous slide) We searched for all files which imported msvcrt.dll We excluded results which did not import malloc, memset, and strcat Quickly identified 9 systems where PlugX was present 0 false positives
35 Some options for binary analysis Look at function imports which map to common malicious capabilities such as reverse shell, keylogging, memory injection, and network tunneling Look at binaries with a valid MZ executable header, but which have unusual file extensions Examine how binaries are packed like UPX and Themida - or compiled using less common compilers like Py2exe/PyInstaller Examine directories for multiple files with the same root name, but different extension (ex. abc.dll, abc.hlp, abc.exe ) Look for DLLs outside of system32 and which are not listed in the KnownDLLs registry key
36 Questions?
37 Next steps: Contact information: Complete similar presentations for OSX, Linux, and network analysis Develop outline for proactive threat collection and analysis curriculum
Old Web Shells, New Tricks
Ryan Kazanciyan Principal Consultant Old Web Shells, New Tricks AppSec DC 2012 Standard Disclaimer All information is derived from MANDIANT observations in non-classified environments Some information
More informationRedline Users Guide. Version 1.12
Redline Users Guide Version 1.12 Contents Contents 1 About Redline 5 Timeline 5 Malware Risk Index (MRI) Score 5 Indicators of Compromise (IOCs) 5 Whitelists 5 Installation 6 System Requirements 6 Install
More informationAll Information is derived from Mandiant consulting in a non-classified environment.
Disclaimer: All Information is derived from Mandiant consulting in a non-classified environment. Case Studies are representative of industry trends and have been derived from multiple client engagements.
More information5 Steps to Advanced Threat Protection
5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious
More informationWho DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store
Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store Mike Middleton Justin Prosco Mandiant, A FireEye Company Mike Middleton Principal Consultant Joined
More informationFORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI
FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI DISCLAIMER: THE VIEWS AND OPINIONS EXPRESSED IN THIS PRESENTATION ARE THOSE OF THE AUTHOR S AND DOES NOT NECESSARILY REPRESENT THE
More informationRedline User Guide. Release 1.14
Redline User Guide Release 1.14 FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of their respective
More informationHunting for Indicators of Compromise
Hunting for Indicators of Compromise Lucas Zaichkowsky Mandiant Session ID: END-R31 Session Classification: Intermediate Agenda Threat brief Defensive strategy overview Hunting for Indicators of Compromise
More informationPersistence Mechanisms as Indicators of Compromise
Persistence Persistence Mechanisms as Indicators of Compromise An automated technology for identifying cyber attacks designed to survive indefinitely the reboot process on PCs White Paper Date: October
More informationTargeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge
Targeted Intrusion Remediation: Lessons From The Front Lines Jim Aldridge All information is derived from MANDIANT observations in non-classified environments. Information has beensanitized where necessary
More informationBeyond 'Check The Box': Powering Intrusion Investigations Jim Aldridge 11 March 2014
Beyond 'Check The Box': Powering Intrusion Investigations Jim Aldridge 11 March 2014 Introduction Many organizations have implemented a range of security products intended to facilitate security monitoring
More informationCourse Description. Course Audience. Course Outline. Course Page - Page 1 of 12
Course Page - Page 1 of 12 Windows 7 Enterprise Desktop Support Technician M-50331 Length: 5 days Price: $2,795.00 Course Description This five-day instructor-led course provides students with the knowledge
More informationEvolving Threat Landscape
Evolving Threat Landscape Briefing Overview Changing Threat Landscape Profile of the Attack Bit9 Solution Architecture Demonstartion Questions Growing Risks of Advanced Threats APT is on the rise 71% increase
More informationThe Value of Physical Memory for Incident Response
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
More informationAPT Detection with Whitelisting and Log Monitoring
APT Detection with Whitelisting and Log Monitoring Aaron Beuhring Kyle Salous About Us Kyle Salous is a 10-year Info Sec vet, covering a broad spectrum of subjects. He has a BS in Information Security
More informationStop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats
Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats Jody C. Patilla The Johns Hopkins University Session ID: TECH-107 Session Classification: Intermediate Objectives Get more out
More informationDetecting Malware With Memory Forensics. Hal Pomeranz SANS Institute
Detecting Malware With Memory Forensics Hal Pomeranz SANS Institute Why Memory Forensics? Everything in the OS traverses RAM Processes and threads Malware (including rootkit technologies) Network sockets,
More informationHow We're Getting Creamed
ed Attacks How We're Getting Creamed By Ed Skoudis June 9, 2011 ed Attacks - 2011 Ed Skoudis 1 $ cut -f5 -d: /etc/passwd grep -i skoudis Ed Skoudis Started infosec career at Bellcore in 1996 working for
More informationSophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC
WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationAn Introduction to Incident Detection and Response Memory Forensic Analysis
An Introduction to Incident Detection and Response Memory Forensic Analysis Alexandre Dulaunoy - TLP:WHITE a@foo.be February 6, 2015 An overview to incident response Detection Analysis Containment Investigation
More informationTLP: GREEN FBI. FBI Liaison Alert System # A-000049-MW
Liaison Alert System # A-000049-MW The following information was obtained through investigation and is provided in conjunction with the s statutory requirement to conduct victim notification as outlined
More informationHide and seek - how targeted attacks hide behind clean applications Szappanos Gábor
Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor Principal Malware Researcher 1 Honourable mentions: 2010. Stuxnet digitally signed drivers: stolen certificate June 2012.
More informationRSA Incident Response: An APT Case Study
RSA Incident Response incident response RSA Incident Response: An APT Case Study RSA Security 8 April 2015 RSA Incident Response Case Study Table of Contents 1. Executive Summary... 5 2. Security Analytics
More informationDetection of Data Hiding in Computer Forensics. About Your Presenter
Detection of Data Hiding in Computer Forensics NEbraskaCERT Conference August 22nd, 2008 James E. Martin CISSP, JD About Your Presenter 2008-Present: Security Engineer, West Corporation 2004-2008: Senior
More informationAlert (TA14-212A) Backoff Point-of-Sale Malware
Alert (TA14-212A) Backoff Point-of-Sale Malware Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity
More informationManage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright 2007-2015 Palo Alto Networks
Manage Traps in a VDI Environment Traps Administrator s Guide Version 3.3 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationWindows 7, Enterprise Desktop Support Technician
Course 50331D: Windows 7, Enterprise Desktop Support Technician Page 1 of 11 Windows 7, Enterprise Desktop Support Technician Course 50331D: 4 days; Instructor-Led Introduction This four-day instructor-ledcourse
More informationWindows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led
Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led
More informationWithout a Trace: Forensic Secrets for Windows Servers. BlackHat Windows 2004. Presented by Mark Burnett and James C. Foster
Without a Trace: Forensic Secrets for Windows Servers BlackHat Windows 2004 Presented by Mark Burnett and James C. Foster Agenda Introduction Server Time Settings File Changes Tool Demo: Logz Recreating
More informationIBM Security. How BigFix Helps Investigate a Threat in Forensic Activities IBM
IBM Security How BigFix Helps Investigate a Threat in Forensic Activities IBM Document Author, Contributors, and Reviewers AUTHOR: Cristina Bonanni CONTRIBUTORS: Bernardo Pastorelli, Bradford Fisher, Rosario
More informationPost-Access Cyber Defense
Post-Access Cyber Defense Dr. Vipin Swarup Chief Scientist, Cyber Security The MITRE Corporation November 2015 Approved for Public Release; Distribution Unlimited. 15-3647. 2 Cyber Security Technical Center
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More information"Charting the Course... ... to Your Success!" MOC 50331 D Windows 7 Enterprise Desktop Support Technician Course Summary
Description Course Summary This course provides students with the knowledge and skills needed to isolate, document and resolve problems on a Windows 7 desktop or laptop computer. It will also help test
More informationRSA Security Anatomy of an Attack Lessons learned
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
More informationLEVERAGING PROACTIVE DEFENSE TO DEFEAT MODERN ADVERSARIES. Jared Greenhill RSA Incident Response. September 17 th, 2015
LEVERAGING PROACTIVE DEFENSE TO DEFEAT MODERN ADVERSARIES Jared Greenhill RSA Incident Response September 17 th, 2015 Current State of Detection Many organization's depend on alerts and feel this provides
More informationWhitepaper. Advanced Threat Hunting with Carbon Black
Advanced Threat Hunting with Carbon Black TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage Comprehensive Threat
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
More informationData Hiding Techniques
Data Hiding Techniques You can run, but you can t hide for ever 2014/2015 Dr. Ali Hadi ali@ashemery.com # whoami University professor @PSUT by day, DFIR researcher by night! PhD research was in Network
More informationLumension Endpoint Management and Security Suite. L.E.M.S.S. AntiVirus v8.2. Migration Guide & Frequently Asked Questions
Lumension Endpoint Management and Security Suite L.E.M.S.S. AntiVirus v8.2 Migration Guide & Frequently Asked Questions [FOR INTERNAL USE ONLY - DO NOT DISTRIBUTE] Copyright 2015, Lumension Introduction
More informationSharePoint Server 2016. Quick Start Guide for Single Server Farms
1 SharePoint Server 2016 Quick Start Guide for Single Server Farms 2016 Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views expressed in this document, including
More informationTZWorks Windows Event Log Viewer (evtx_view) Users Guide
TZWorks Windows Event Log Viewer (evtx_view) Users Guide Abstract evtx_view is a standalone, GUI tool used to extract and parse Event Logs and display their internals. The tool allows one to export all
More informationAdvanced Endpoint Protection Overview
Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking
More informationQuick Start - NetApp File Archiver
Page 1 of 19 Quick Start - NetApp File Archiver TABLE OF CONTENTS OVERVIEW Introduction Key Features Terminology SYSTEM REQUIREMENTS DEPLOYMENT Installation Method 1: Interactive Install Method 2: Install
More informationHost/Platform Security. Module 11
Host/Platform Security Module 11 Why is Host/Platform Security Necessary? Firewalls are not enough All access paths to host may not be firewall protected Permitted traffic may be malicious Outbound traffic
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More information2016 EMEA EDITION M-TRENDS MANDIANT CONSULTING SPECIAL REPORT / JUNE 2016 AUTHORS. Bill Hau Matt Penrose Tom Hall Matias Bevilacqua
MANDIANT CONSULTING M-TRENDS AUTHORS Bill Hau Matt Penrose Tom Hall Matias Bevilacqua 2016 EMEA EDITION SPECIAL REPORT / JUNE 2016 SPECIAL REPORT / M-TRENDS EMEA EDITION 2016 1 INTRODUCTION S ince 2010,
More informationWindows PowerShell Cookbook
Windows PowerShell Cookbook Lee Holmes O'REILLY' Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo Table of Contents Foreword Preface xvii xxi Part I. Tour A Guided Tour of Windows PowerShell
More informationGlobalSCAPE DMZ Gateway, v1. User Guide
GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical
More informationAgency Pre Migration Tasks
Agency Pre Migration Tasks This document is to be provided to the agency and will be reviewed during the Migration Technical Kickoff meeting between the ICS Technical Team and the agency. Network: Required
More informationModule 3: Resolve Software Failure This module explains how to fix problems with applications that have problems after being installed.
CÔNG TY CỔ PHẦN TRƯỜNG CNTT TÂN ĐỨC TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC LEARN MORE WITH LESS! 50331 - Windows 7, Enterprise Desktop Support Technician Duration: 5 days About this Course This five-day
More informationQuick Start - Generic NAS File Archiver
Page 1 of 19 Quick Start - Generic NAS File Archiver TABLE OF CONTENTS OVERVIEW Introduction Key Features Terminology SYSTEM REQUIREMENTS DEPLOYMENT Installation Method 1: Interactive Install Method 2:
More informationManage the Endpoints. Palo Alto Networks. Advanced Endpoint Protection Administrator s Guide Version 3.1. Copyright 2007-2015 Palo Alto Networks
Manage the Endpoints Palo Alto Networks Advanced Endpoint Protection Administrator s Guide Version 3.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara,
More informationEVTXtract. Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, 2013. Mandiant Corporation. All rights reserved.
EVTXtract Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, 2013 What do we have here today? A technical presentation on a novel forensic technique for recovering past
More informationBackoff: New Point of Sale Malware. 31 July 2014. National Cybersecurity and Communications Integration Center
Backoff: New Point of Sale Malware 31 July 2014 National Cybersecurity and Communications Integration Center Contents: Executive Summary... 3 Analytic Overview... 3 Capabilities... 3 Variants... 4 Command
More informationThis report is a detailed analysis of the dropper and the payload of the HIMAN malware.
PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware
More informationWindows Attack - Gain Enterprise Admin Privileges in 5 Minutes
Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes Compass Security AG, Daniel Stirnimann Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel +41 55-214 41 60 Fax +41
More informationForensic Analysis of System Restore Points in Microsoft Windows XP
Forensic Analysis of System Restore Points in Microsoft Windows XP Kris Harms MANDIANT Corporation 675 N Washington Street Suite 210 Alexandria, VA 22314 Forensic Analysis of System Restore Points in Microsoft
More informationNetwork Architecture & Active Directory Considerations for the PI System. Bryan Owen - OSIsoft Joel Langill - SCADAhacker
Network Architecture & Active Directory Considerations for the PI System By: Bryan Owen - OSIsoft Joel Langill - SCADAhacker Agenda Moore s Law Network Architecture Domain Services in a DMZ 2 HD Moore
More informationFeedback Ferret. Security Incident Response Plan
Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret
More informationPowerShell for Penetration Testers
Training: PowerShell for Penetration Testers Dates of the training: March 14-15,2016 in Heidelberg, Germany Book Now using the code: TR16HMTRAINING and save an additional 10% of the current valid rate!
More informationOperation Liberpy : Keyloggers and information theft in Latin America
Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation
More informationMcAfee Avert Labs Finding W32/Conficker.worm
McAfee Avert Labs Finding W32/Conficker.worm By Kevin Gudgion, Avert Labs Services Contents Overview... 2 Symptoms... 2 Characteristics... 2 Fighting W32/Conficker.worm... 5 Finding W32/Conficker.worm...
More informationProtecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!
We protect your most sensitive information from insider threats. Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes! VARONIS SYSTEMS About Me Dietrich
More informationArcserve Backup for Windows
Arcserve Backup for Windows Agent for Microsoft SharePoint Server Guide r16 Pre-release Document, only for reference This Documentation, which includes embedded help systems and electronically distributed
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More information05 June 2015 A-000061-MW TLP: GREEN
05 June 2015 Alert Number A-000061-MW Please contact the FBI with any questions related to this FLASH Report at either your local Cyber Task Force or FBI CYWATCH. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937
More informationWorkflow Templates Library
Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security
More informationA Study on the Live Forensic Techniques for Anomaly Detection in User Terminals
A Study on the Live Forensic Techniques for Anomaly Detection in User Terminals Ae Chan Kim 1, Won Hyung Park 2 and Dong Hoon Lee 3 1 Dept. of Financial Security, Graduate School of Information Security,
More informationUser Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1
The (UMT): Is a stand-alone Windows command-line application that performs migration in the granularity of a Unified ICM instance. It migrates only Unified ICM AD user accounts (config/setup and supervisors)
More informationPerforming Advanced Incident Response Interactive Exercise
Performing Advanced Incident Response Interactive Exercise Post-Conference Summary Merlin Namuth Robert Huber SCENARIO 1 - PHISHING EMAILS... 3... 3 Mitigations... 3 SCENARIO 2 - IDS ALERT FOR PSEXEC...
More informationStreamlined Malware Incident Response with EnCase
Streamlined Malware Incident Response www.encase.com/ceic C:\>whoami Joseph R. Salazar Information Technology since 1995 Information Security since 1997 Major (retired, USAR) with 22 years as a Counterintelligence
More informationModule 11. Configuring and Managing Distributed File System. Contents:
Configuring and Managing Distributed File System 11-1 Module 11 Configuring and Managing Distributed File System Contents: Lesson 1: DFS Overview 11-3 Lesson 2: Configuring DFS Namespaces 11-15 Lesson
More informationMaking the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION
Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION MOST OF THE IMPORTANT DATA LOSS VECTORS DEPEND ON COPYING files in order to compromise
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationVISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation
VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook
More informationApplication Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions
Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions 1 Agenda What is Application Whitelisting (AWL) Protection provided by Application
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
More informationTitle: Setting Up A Site to Site VPN Between Microsoft Azure and the Corporate Network
Dean Suzuki Blog Title: Setting Up A Site to Site VPN Between Microsoft Azure and the Corporate Network Created: 6/17/2014 Description: In this blog post, I record the process that I went through to: Setup
More informationAdvice from the Trenches: Preparing for the Challenges and Pressures of a Security Incident Investigation
Advice from the Trenches: Preparing for the Challenges and Pressures of a Security Incident Investigation Marshall Heilman Managing Director Craig A. Hoffman Partner Who we are Marshall Heilman Craig Hoffman
More informationTrend Micro OfficeScan 11.0. Best Practice Guide for Malware
Trend Micro OfficeScan 11.0 Best Practice Guide for Malware Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned
More informationAnatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow
Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned
More information50331D Windows 7, Enterprise Desktop Support Technician (Windows 10 Curriculum)
This course can be purchased by authorized Microsoft Learning Centers at the Courseware Marketplace web-site. Microsoft Certified Trainers (MCTs) can get a free copy at the same website. About the Course
More informationRunbook Activity Reference for System Center 2012 R2 Orchestrator
Runbook Activity Reference for System Center 2012 R2 Orchestrator Microsoft Corporation Published: November 1, 2013 Applies To System Center 2012 - Orchestrator Orchestrator in System Center 2012 SP1 System
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationAventail Connect Client with Smart Tunneling
Aventail Connect Client with Smart Tunneling User s Guide Windows v8.7.0 1996-2006 Aventail Corporation. All rights reserved. Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Mobile,
More informationVisa Data Security Alert Malicious Software and Internet Protocol Addresses
Risk Management Data Security April 1, 2009 Visa Data Security Alert Malicious Software and Internet Protocol Addresses The protection of account information is a responsibility shared by all participants
More informationCA DLP. Stored Data Integration Guide. Release 14.0. 3rd Edition
CA DLP Stored Data Integration Guide Release 14.0 3rd Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationAPPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced
More informationObjectives. At the end of this chapter students should be able to:
NTFS PERMISSIONS AND SECURITY SETTING.1 Introduction to NTFS Permissions.1.1 File Permissions and Folder Permission.2 Assigning NTFS Permissions and Special Permission.2.1 Planning NTFS Permissions.2.2
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,
More informationNASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES
NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES Introduction Les Chafin; Infrastructure Engineering Manager» HPES NASA ACES Responsible for:»
More informationIncident Response and Computer Forensics
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
More informationMissing the Obvious: Network Security Monitoring for ICS
Missing the Obvious: Network Security Monitoring for ICS If ICS are so vulnerable, why haven t we seen more attacks? We aren t looking! Two Key Reasons Intent Visibility Intent Why are targeted attacks
More informationVisa Data Security Bulletin (AP)
Visa Data Security Bulletin (AP) Targeted Hospitality Sector Vulnerabilities December 1, 2009 To promote the security and integrity of the payment system, Visa is committed to helping clients and payment
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationConfiguring WMI Performance Monitors
Configuring WMI Performance Monitors With WMI, WhatsUp Gold Premium Edition monitors and sends alerts based on performance counters that are reported from Microsoft Windows devices. The data collected
More information