Basics of Tracking WMI Activity

WMI (Windows Management Instrumentation) has been part of the Windows operating system since Windows 2000. The technology has been of great value to system administrators by providing ways to pull all types of information, configure components and take action based on the state of several components of the OS. Due to this flexibility it has been abused by attackers, who saw its potential since its early inclusion in the OS.

As security practitioners, it is one of the technologies on Microsoft Windows that is of great importance to master. Until recently there was little to no logging of the actions one could take using WMI. Blue Teams were left leveraging third-party tools or coding their own solutions to cover gaps; this allowed for many years the abuse of WMI by Red Teams simulating the very actions that attackers of all kinds have used in their day-to-day operations. We will take a look at how Microsoft improved the logging of WMI actions.


How Much Your Org Reaction to a Tweet Says?

Recently Tavis Ormandy, a well-known vulnerability researcher from Google, made a tweet about a vulnerability he and researcher Natalie Silvanovich from Google Project Zero found on the Windows OS that could be wormable.

The reaction from many organizations has ranged from one extreme all the way to the other: some are panicking, while others simply take it as a nice-to-know heads-up. So what is the difference between these different organizations? I would say a lot.


Posh-Sysmon Module for Creating Sysmon Configuration Files

Sysmon configuration can be complex, in addition to being hard to maintain by hand. For this purpose I created a module called Posh-Sysmon some time ago to aid in the creation and maintenance of configuration files. The module was initially written after the release of version 2.0 and has been maintained and expanded as new versions have been released, all the way to the current one at the time of this blog post being written, version 6.0.

The module is written for PowerShell v3.0 and above and can be installed from the PowerShell Gallery if running version 5.0 or 5.1 using the cmdlet 


My Take on Application Whitelisting

One of the recent thoughts that I have noticed in the last year in discussions with friends in the industry is that whitelisting is of no use due to:

* "It is hard to do"
* "Bypasses exist so why do it"
* "It does not scale"


Those are the 3 most common ones I have heard in my discussions over drinks, chat rooms and lobbycon sessions with friends. I would like to try to address why for me they are not valid and share my thought process as to why.


Writing a Active Directory Audit Module - Getting a DirectoryEntry

In the previous blog post, when we look at the object returned, it has all of the information properly parsed and shown, so I do not have to run around parsing fields and converting them. But for me a critical piece of information is not shown, and that is the SID of the forest domain. If you have played with analysis of some logs and with Mimikatz attacks, you know the SID is of great importance. For this we will use the System.DirectoryServices namespace, specifically the DirectoryEntry class that represents a path in AD.
