This workshop was given by Jared Atkinson on September 11th 2015 at 44CON London. The purpose of this workshop was to introduce participants to NTFS Internals and PowerForensics, an open source PowerShell digital forensics platform.
Talk for YOW! by Brendan Gregg. "Systems performance studies the performance of computing systems, including all physical components and the full software stack to help you find performance wins for your application and kernel. However, most of us are not performance or kernel engineers, and have limited time to study this topic. This talk summarizes the topic for everyone, touring six important areas: observability tools, methodologies, benchmarking, profiling, tracing, and tuning. Included are recipes for Linux performance analysis and tuning (using vmstat, mpstat, iostat, etc), overviews of complex areas including profiling (perf_events) and tracing (ftrace, bcc/BPF, and bpftrace/BPF), advice about what is and isn't important to learn, and case studies to see how it is applied. This talk is aimed at everyone: developers, operations, sysadmins, etc, and in any environment running Linux, bare metal or the cloud."
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
PowerUp - Automating Windows Privilege Escalation - Will Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Note: When you view the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (the screenshots are clear).
Boosting I/O Performance with KVM io_uring - ShapeBlue
Storage performance is becoming much more important. KVM io_uring attempts to bring the I/O performance of a virtual machine to almost the same level as bare metal. Apache CloudStack has supported io_uring since version 4.16. Wido will show the difference in performance that io_uring brings to the table.
Wido den Hollander is the CTO of CLouDinfra, an infrastructure company offering total Webhosting solutions. CLDIN provides datacenter, IP and virtualization services for the companies within TWS. Wido den Hollander is a PMC member of the Apache CloudStack Project and a Ceph expert. He started with CloudStack 9 years ago. What attracted his attention is the simplicity of CloudStack and the fact that it is an open-source solution. During the years Wido became a contributor, a PMC member and he was a VP of the project for a year. He is one of our most active members, who puts a lot of efforts to keep the project active and transform it into a turnkey solution for cloud builders.
-----------------------------------------
The CloudStack European User Group 2022 took place on 7th April. The day saw a virtual get-together for the European CloudStack community, hosting 265 attendees from 25 countries. The event hosted 10 sessions from leading CloudStack experts, users and skilful engineers from the open-source world, which included technical talks, user stories, new features and integrations presentations, and more.
------------------------------------------
About CloudStack: https://cloudstack.apache.org/
Linux Performance Analysis: New Tools and Old Secrets - Brendan Gregg
Talk for USENIX/LISA2014 by Brendan Gregg, Netflix. At Netflix performance is crucial, and we use many high to low level tools to analyze our stack in different ways. In this talk, I will introduce new system observability tools we are using at Netflix, which I've ported from my DTraceToolkit, and are intended for our Linux 3.2 cloud instances. These show that Linux can do more than you may think, by using creative hacks and workarounds with existing kernel features (ftrace, perf_events). While these are solving issues on current versions of Linux, I'll also briefly summarize the future in this space: eBPF, ktap, SystemTap, sysdig, etc.
A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a windows domain readers can use the described techniques to escalate to domain administrators.
Talk by Brendan Gregg for YOW! 2021. "The pursuit of faster performance in computing is the driving reason for many new technologies and updates. This talk discusses performance improvements now underway that you will likely be adopting soon, for processors (including 3D stacking and cloud vendor CPUs), memory (including DDR5 and high-bandwidth memory [HBM]), disks (including 3D Xpoint as a 3D NAND accelerator), networking (including QUIC and eXpress Data Path [XDP]), runtimes, hypervisors, and more. The future of performance is increasingly cloud-based, with hardware hypervisors and custom processors, meaningful observability of everything down to cycle stalls (even as cloud guests), and high-speed syscall-avoiding applications that use eBPF, FPGAs, and io_uring. The talk also discusses where future performance improvements might be expected, with predictions for new technologies."
Note: When you view the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (the screenshots are clear).
The Unintended Risks of Trusting Active Directory - Will Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
This presentation covers all aspects of PostgreSQL administration, including installation, security, file structure, configuration, reporting, backup, daily maintenance, monitoring activity, disk space computations, and disaster recovery. It shows how to control host connectivity, configure the server, find the query being run by each session, and find the disk space used by each database.
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6 - David Pasek
We are observing different network throughputs on Intel X710 NICs and QLogic FastLinQ QL41xxx NICs. ESXi supports NIC hardware offloading and queueing on 10Gb, 25Gb, 40Gb and 100Gb NIC adapters. Multiple hardware queues per NIC interface (vmnic) and multiple software threads in the ESXi VMkernel are depicted and documented in this paper, and may or may not be the root cause of the observed problem. The key objective of this document is to clearly document and collect NIC information on two specific network adapters and compare them to find the difference, or at least a root-cause hypothesis for further troubleshooting.
In the past few years, subdomain takeover has been one of the most reported bugs. This amazing but tricky vulnerability might get you exciting rewards in bug bounty programs. So let's look into it and figure out different ways of finding this bug.
Note: When you view the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (the screenshots are clear).
Talk by Brendan Gregg for USENIX LISA 2019: Linux Systems Performance. Abstract: "Systems performance is an effective discipline for performance analysis and tuning, and can help you find performance wins for your applications and the kernel. However, most of us are not performance or kernel engineers, and have limited time to study this topic. This talk summarizes the topic for everyone, touring six important areas of Linux systems performance: observability tools, methodologies, benchmarking, profiling, tracing, and tuning. Included are recipes for Linux performance analysis and tuning (using vmstat, mpstat, iostat, etc), overviews of complex areas including profiling (perf_events) and tracing (Ftrace, bcc/BPF, and bpftrace/BPF), and much advice about what is and isn't important to learn. This talk is aimed at everyone: developers, operations, sysadmins, etc, and in any environment running Linux, bare metal or the cloud."
Session Description:
In this session, Ravi described some use cases for harmonizing Ceph storage with Apache CloudStack in a CloudStack infrastructure setup. This includes using Ceph as primary and secondary storage for CloudStack, synchronizing VM snapshots and making them accessible across remote zones, fortifying storage for disaster recovery, and maintaining client VM data backups.
Speaker Bio:
Ravichandran has 15+ years of technical expertise in Linux and cloud solutions at Assistanz Networks Private Limited. Ravi is currently leading business development for Apache CloudStack consulting, storage solutions and the Stackbill CMP product.
---------------------------------------------
On Friday 18th August, the Apache CloudStack India User Group 2023 took place in Bangalore, seeing CloudStack enthusiasts, experts, and industry leaders from across the country discuss the open-source project. The meetup served as a vibrant platform to delve into the depths of Apache CloudStack, share insights, and forge new connections.
Kernel Recipes 2015: Anatomy of an atomic KMS driver - Anne Nicolas
The DRM and KMS APIs have won in the Linux graphics ecosystem. Long gone are the days when KMS meant only a handful of desktop graphics drivers. As a side effect, new problems have been uncovered, and API extensions are being designed to address advanced use cases. Atomic updates are the latest significant such extension.
While the userspace API extension is simple, a lot of work went under the hood and the in-kernel KMS helpers went through major changes that are not trivial to implement in drivers. This talk will present KMS atomic updates and explain how to update KMS drivers to take advantage of the new API, using the Renesas rcar-du-drm driver as an example.
Laurent Pinchart, Ideas on Board
Writing a Character Driver (loadable module) in Linux - RajKumar Rampelli
It covers the step-by-step approach to writing a simple loadable character device driver in Linux, what device files in Linux are in detail, and how a user application interacts with a character driver through a device file.
Most of this session will focus on kernel module programming. We will briefly talk about the interaction of the different layers of the operating system from userspace to kernel space. Starting from simple Hello World kernel modules, we will learn the development of more sophisticated modules related to device drivers and interrupt handlers. We will also briefly touch upon shell scripts and how they can be used to extract system-level information. Since this will be a hands-on session, attendees are expected to try the examples on their machines. A basic understanding of operating systems and C programming is expected for the tutorial.
MacOS forensics and anti-forensics (DC Lviv 2019) presentation - OlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UK - HARDWARIO
Pavel Hübner (from HARDWARIO) will provide a crash course in the Zephyr RTOS. Zephyr is an innovative operating system targeting 32-bit microcontrollers and is suitable for connected IoT products. Such devices are often low-power and provide a multi-year battery lifespan. The ambitious 60-minute live session will be held on CHESTER, a configurable IoT gateway platform based on the Nordic Semiconductor nRF52840 / nRF9160 SoCs. Throughout the course, Pavel will go from the key Zephyr fundamentals to connecting a fully-fledged IoT application over the NB-IoT network.
Have you heard about Purple Teaming, but you were unsure of exactly what it is? Maybe you've heard it explained as "the red and blue teams working together to improve the organization's security posture." While that may be a good high level description of Purple Teaming as a concept, it lacks a clear direction of how this outcome is achieved. As they say, "The Devil is in the details." At SpecterOps, we believe that a Purple Team exercise is one that leverages an adversarial mindset to evaluate the overall efficacy of security controls, whether they are detective or preventative.
Join us for an hour-long webinar where we will dive into the major questions regarding Purple Team including:
- Why small changes in adversary tradecraft have a profound effect on detectability.
- How to map variations between tools that implement the same technique.
- How to construct a representative sample set of test cases.
In this presentation, Jared Atkinson and Jonathan Johnson discuss the problem that many security professionals are facing today. How exactly do I know if my detection will actually detect the thing I want to detect? We discuss the importance of testing telemetry coverage and using abstraction to build a representative sample set of Atomic tests to validate detection coverage.
Scripts used in presentation can be found below:
Process Access: https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02
Process Read: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1
A Process is No One - Jared Atkinson and Robby Winchester
Does your organization want to start Threat Hunting, but you're not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you're not able to analyze it properly. This talk begins with the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding "analysis paralysis." We will then walk through a detailed case study of detecting access token impersonation/manipulation from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common access token manipulations in use and detail the defensive detection implications for each of these cases. This comprehensive case study will better arm both attackers and defenders with how to better utilize their toolset to detect or avoid detection of token theft and manipulation.
Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk focuses on the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a case study of Golden Ticket detection from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common Golden Ticket indicators and will release a new PowerShell script for extracting Kerberos ticket information without any dependencies on external binaries.
Automated Collection and Enrichment (ACE) - Jared Atkinson
Black Hat Arsenal presentation introducing the Automated Collection and Enrichment (ACE) platform, a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich that data.
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics) - Jared Atkinson
Slides for Jared Atkinson's talk at BSidesDC titled "**** it, Do It Live (PowerShell Digital Forensics)". The presentation was given on 17 October 2015.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 - Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial for or limiting your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already got working for real.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with Parameters - Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
44CON London 2015: NTFS Analysis with PowerForensics
1. NTFS Analysis with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division
2. @jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive
detection and response to advanced threats in Fortune
100 commercial environments
□Adjunct Lecturer at Utica College
□Developer of PowerForensics, Uproot IDS, and
WMIEventing
□Researcher of forensic artifact file formats
○ Makes really cool posters :-)
□History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more
4. What is PowerShell
○Task-based command-line shell and
scripting language
○Built on the .NET Framework
□Cmdlets for performing common system
administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface
○ Independent software vendors and enterprise
developers can build custom tools and utilities to
administer their software.
□Full access to the Windows API
6. Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied
together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage
7. Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does
not materially alter the source evidence, except to the minimum
extent necessary to obtain the evidence. The manner used to
obtain the evidence must be documented, and should be
justified to the extent applicable.” - Richard Bejtlich and Harlan
Carvey
16. Unblock-File
○ PowerShell v3 gives us Unblock-File
Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
○ Can also “Unblock” via the file’s properties dialog
□ Best to Unblock the zip before extraction
○ Unblocking will remove the Zone.Identifier Alternate Data Stream
20. Invoke-DD
○ One Cmdlet to rule them all
□ Underlying API is basis for all of PowerForensics
○ Allows raw access to Physical Drive or Logical Volume
□ Uses Platform Invoke to call CreateFile Windows API
□ Opens a file handle to \\.\PHYSICALDRIVEX or Logical Volume
□ Reads from file handle via FileStream object
□ Warning: Must read in Sector increments (BlockSize must be a multiple of 512)
$InFile = '\\.\PHYSICALDRIVE0'
Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1
23. Master Boot Record
○1st Sector of the Disk
□Also referred to as the Boot Sector
○Boot Code
□Locate Partition Table
□Find 1st “Bootable” partition
□Determine partition Logical Cluster Number
□Pass execution to first sector of partition (Volume
Boot Record)
○Partition Table
□Space for 4 partitions by default
□“Extended Partitions” allow for additional partitions
above 4
25. Get-MBR
○ Cmdlet to parse the MBR and return MasterBootRecord objects
○ Use WMI to list available Devices:
$Devices = Get-WmiObject -Class Win32_DiskDrive
○ Run Get-MBR against one of the returned drives:
Get-MBR -Path $Devices[0].DeviceID
26. Boot Kits
○Attackers can alter MBR Boot Code
□ Code runs in Ring 0 (before the OS Loads)
○Set-MasterBootRecord
□Proof of concept written by Matt Graeber
(@mattifestation)
□Allows a user with administrator privilege to
overwrite the Master Boot Record with arbitrary
code
○Get-MBR takes known Boot Code into
account and detects any changes
(tampering)
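As an added example (not PowerForensics code and not Matt Graeber's proof of concept), the PowerShell below parses a 512-byte MBR the way slide 23 lays it out and compares the boot code with a known-good hash, which is the idea behind the tampering check described for Get-MBR. Read-RawSector is a hypothetical stand-in for Invoke-DD's FileStream read from slide 20, with the same sector-alignment rule; the demo does not call it but works on a constructed sector, and the "known-good" hash is recorded from that constructed sector rather than from any real boot code.

```powershell
function Read-RawSector {
    # Hypothetical stand-in for Invoke-DD: open \\.\PHYSICALDRIVEn or \\.\C: through a
    # FileStream and read whole sectors. Needs administrator rights on a real device;
    # the demo below does not call it.
    param(
        [Parameter(Mandatory)][string]$InFile,
        [long]$Offset = 0,
        [int]$BlockSize = 512,
        [int]$Count = 1
    )
    if ($BlockSize % 512 -ne 0) { throw 'BlockSize must be a multiple of 512 (sector-aligned reads only)' }
    $stream = New-Object System.IO.FileStream($InFile, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] ($BlockSize * $Count)
        [void]$stream.Seek($Offset, [System.IO.SeekOrigin]::Begin)
        [void]$stream.Read($buffer, 0, $buffer.Length)
        return $buffer
    } finally { $stream.Dispose() }
}

function ConvertFrom-MasterBootRecord {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string]$KnownGoodBootCodeHash      # SHA-256 of the 440 boot-code bytes, recorded from a trusted image
    )
    if ($Bytes.Length -lt 512) { throw 'An MBR is one 512-byte sector' }
    # Bytes 510-511 hold the 0x55 0xAA signature (0xAA55 when read little-endian)
    $signature = [BitConverter]::ToUInt16($Bytes, 510)
    if ($signature -ne 0xAA55) { throw ('Invalid MBR signature 0x{0:X4}' -f $signature) }

    # Boot code is bytes 0-439; hash it so it can be compared with the known-good value
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $bootCodeHash = ([BitConverter]::ToString($sha256.ComputeHash($Bytes, 0, 440))) -replace '-', ''
    $tampered = $null
    if ($KnownGoodBootCodeHash) { $tampered = ($bootCodeHash -ne $KnownGoodBootCodeHash.ToUpperInvariant()) }

    # Partition table: four 16-byte entries starting at byte 446
    $partitions = foreach ($i in 0..3) {
        $base = 446 + ($i * 16)
        $type = $Bytes[$base + 4]
        if ($type -eq 0) { continue }                                  # unused slot
        [pscustomobject]@{
            Index       = $i
            Bootable    = ($Bytes[$base] -eq 0x80)                       # 0x80 = active/bootable flag
            TypeId      = ('0x{0:X2}' -f $type)                          # 0x07 = NTFS, 0x05/0x0F = extended
            StartSector = [BitConverter]::ToUInt32($Bytes, $base + 8)   # LBA of the first sector (the VBR)
            SectorCount = [BitConverter]::ToUInt32($Bytes, $base + 12)
        }
    }
    [pscustomobject]@{
        DiskSignature    = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 440))
        BootCodeSHA256   = $bootCodeHash
        BootCodeTampered = $tampered
        Partitions       = @($partitions)
    }
}

# Constructed sector (not from a real disk): filler boot code, one bootable NTFS partition
$sector = New-Object byte[] 512
for ($i = 0; $i -lt 440; $i++) { $sector[$i] = [byte]($i % 251) }
[BitConverter]::GetBytes([uint32]0x1234ABCD).CopyTo($sector, 440)     # disk signature
$sector[446] = 0x80; $sector[450] = 0x07                               # bootable, type NTFS
[BitConverter]::GetBytes([uint32]2048).CopyTo($sector, 454)           # starts at LBA 2048
[BitConverter]::GetBytes([uint32]204800).CopyTo($sector, 458)         # 100 MiB of sectors
$sector[510] = 0x55; $sector[511] = 0xAA

$baseline = (ConvertFrom-MasterBootRecord -Bytes $sector).BootCodeSHA256   # recorded once, from a trusted image
$sector[100] = 0xCC                                                        # one changed boot-code byte
ConvertFrom-MasterBootRecord -Bytes $sector -KnownGoodBootCodeHash $baseline | Format-List
```

Hashing the whole 440-byte boot-code region is the simplest form of the check; a real baseline has to be taken per boot-loader version, because Windows setup and some disk utilities legitimately rewrite that region. On a live system the bytes would come from Invoke-DD (or Read-RawSector above) at offset 0 of the physical drive.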
31. GUID Partition Table
○ Replacement Boot Sector format for MBR
□ UEFI compliant devices must support GPT
○ Alternative to Legacy Master Boot Record
□ Maintains a Protective MBR, in the disk’s 1st Sector, for compatibility
□ Allows for increased partition sizes (2 TiB -> 8 ZiB)
□ Supports many primary partitions (MBR supports 4)
□ Creates Primary and Backup partition table for redundancy
33. Get-GPT
○ Cmdlet to parse the GPT and return GuidPartitionTable objects
○ Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○ Run Get-GPT against one of the returned drives:
Get-GPT -Path \\.\PHYSICALDRIVE1
○ Warning: Get-GPT will error if device is MBR formatted
○ If Get-MBR is run against a GPT formatted device, then Get-MBR will return the information about the Protective MBR
34. Get-BootSector
○ Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○ Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○ Run Get-BootSector against one of the returned drives:
Get-BootSector -Path \\.\PHYSICALDRIVE0
Get-BootSector -Path \\.\PHYSICALDRIVE1
38. Volume Boot Record
$Boot (7)
○ 1st Sector of partition
□ Location of partition is pointed to by the Partition table (MBR or GPT)
○ Loads the BOOTMGR Loader
○ Defines partition attributes
□ Bytes per Sector
□ Sectors per Cluster
□ Total Sectors
□ Location of MFT
□ Size of MFT Record
□ Size of INDX Structure
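As an added example (not PowerForensics code), this PowerShell pulls the attributes listed on slide 38 out of an NTFS boot sector. The field offsets are those of the NTFS $Boot layout; the sector itself is constructed in memory, so the values are illustrative rather than from a real volume. The point worth seeing is the "size of MFT record" and "size of INDX structure" fields, which are signed bytes: a positive value counts clusters, while a negative value n means 2^(-n) bytes, which is why the usual 0xF6 yields 1024-byte file records regardless of cluster size.

```powershell
function ConvertFrom-NtfsVolumeBootRecord {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 512) { throw 'A VBR is one 512-byte sector' }
    $oem = [System.Text.Encoding]::ASCII.GetString($Bytes, 3, 8)
    if ($oem -ne 'NTFS    ') { throw "Not an NTFS boot sector (OEM ID '$oem')" }
    if ([BitConverter]::ToUInt16($Bytes, 510) -ne 0xAA55) { throw 'Missing 0x55AA boot signature' }

    $bytesPerSector    = [BitConverter]::ToUInt16($Bytes, 0x0B)
    $sectorsPerCluster = [int]$Bytes[0x0D]
    $bytesPerCluster   = $bytesPerSector * $sectorsPerCluster
    $totalSectors      = [BitConverter]::ToUInt64($Bytes, 0x28)
    $mftLcn            = [BitConverter]::ToUInt64($Bytes, 0x30)   # logical cluster number of $MFT
    $mftMirrLcn        = [BitConverter]::ToUInt64($Bytes, 0x38)

    # Signed-byte size fields: positive = clusters per record, negative n = 2^(-n) bytes
    function ConvertTo-StructureSize([int]$Raw, [int]$ClusterSize) {
        $signed = if ($Raw -gt 127) { $Raw - 256 } else { $Raw }
        if ($signed -gt 0) { $signed * $ClusterSize } else { [int][math]::Pow(2, -$signed) }
    }
    $mftRecordSize   = ConvertTo-StructureSize $Bytes[0x40] $bytesPerCluster
    $indexRecordSize = ConvertTo-StructureSize $Bytes[0x44] $bytesPerCluster

    [pscustomobject]@{
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        BytesPerCluster   = $bytesPerCluster
        TotalSectors      = $totalSectors
        VolumeSizeGiB     = [math]::Round(([double]$totalSectors * $bytesPerSector) / 1GB, 2)
        MftCluster        = $mftLcn
        MftByteOffset     = [long]$mftLcn * $bytesPerCluster     # where Invoke-DD would read $MFT record 0
        MftMirrorCluster  = $mftMirrLcn
        MftRecordSize     = $mftRecordSize
        IndexRecordSize   = $indexRecordSize
        VolumeSerial      = ('{0:X16}' -f [BitConverter]::ToUInt64($Bytes, 0x48))
    }
}

# Constructed boot sector (not read from a real volume): 512-byte sectors, 8 sectors per cluster
$vbr = New-Object byte[] 512
$vbr[0] = 0xEB; $vbr[1] = 0x52; $vbr[2] = 0x90                              # jump to boot code
[System.Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($vbr, 3)
[BitConverter]::GetBytes([uint16]512).CopyTo($vbr, 0x0B)
$vbr[0x0D] = 8
[BitConverter]::GetBytes([uint64]20971519).CopyTo($vbr, 0x28)              # about 10 GiB of sectors
[BitConverter]::GetBytes([uint64]786432).CopyTo($vbr, 0x30)                # $MFT at LCN 786432
[BitConverter]::GetBytes([uint64]2).CopyTo($vbr, 0x38)                     # $MFTMirr at LCN 2
$vbr[0x40] = 0xF6                                                          # -10: 1024-byte file records
$vbr[0x44] = 0x01                                                          # 1 cluster: 4096-byte INDX buffers
[BitConverter]::GetBytes([uint64]0x1A2B3C4D5E6F7081).CopyTo($vbr, 0x48)   # constructed serial
$vbr[510] = 0x55; $vbr[511] = 0xAA

ConvertFrom-NtfsVolumeBootRecord -Bytes $vbr | Format-List
```

MftByteOffset is the number that makes the VBR useful with low-level cmdlets: it is the absolute offset within the volume at which Invoke-DD would read the first MFT record, and MftRecordSize is the BlockSize to read it with.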
40. Get-VolumeBootRecord
○ Cmdlet to parse the VBR and return VolumeBootRecord objects
○ Execute Cmdlet with “VolumeName” parameter
$VBR = Get-VolumeBootRecord -VolumeName \\.\C:
○ Often useful to pair with low level cmdlets like Invoke-DD
41. Master File Table
$MFT (0)
○NTFS file table
□First file present on NTFS partition
□Contains at least one entry for every file, on an
NTFS Volume, including itself
□As files are added the MFT grows
□When files are deleted, the MFT marks the file’s
record as unallocated so a new file can take its
place
○Each record contains file metadata
□MACB Timestamps
□File name details (name, path, hard links)
□Location of Data
43. Get-FileRecord
○ Cmdlet to parse the MFT and return FileRecord objects
○ Three different ways to use:
1) Get all MFT Records
$mft = Get-FileRecord -VolumeName \\.\C:
2) Get a FileRecord by path
Get-FileRecord -Path C:\Windows\notepad.exe
3) Get a FileRecord by Record Number/Index value
Get-FileRecord -VolumeName \\.\C: -Index 0
44. Temporal Funneling
○ Large amounts of data may not be relevant to our case
□ Temporal Funneling/Pivoting allows analysts to reduce noise & focus on artifacts associated with the investigation
$mft = Get-FileRecord
$start = New-Object DateTime(2015,08,21,13,05,00)
$end = New-Object DateTime(2015,08,21,14,05,00)
$mft | ? {($_.BornTime -gt $start) -and ($_.BornTime -lt $end)}
53. Get-ContentRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
□ Finds the file’s MFT Record and the main $DATA Stream
□ Outputs the contents of the file to Standard Out
○ Different Encoding Options
□ ASCII
□ Unicode
□ Bytes
Get-ContentRaw -Path C:\Windows\system32\config\SAM
54. Copy-FileRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
□ Finds the file’s MFT Record and the main $DATA Stream
□ Creates a copy of the specified file without accessing the file itself
$Path = 'C:\Windows\system32\config\SAM'
$Destination = 'C:\temp\SAM'
Copy-FileRaw -Path $Path -Destination $Destination
55. Alternate Data
Streams
○NTFS allows files to store data in multiple
“$DATA” attributes
□These additional $DATA attributes are commonly
referred to as Alternate Data Streams (ADS)
○Attackers have found ways to hide and even
execute malware from ADS
□Windows legitimately uses ADS to identify files
downloaded from the internet (Zone.Identifier)
○PowerShell added ADS compatibility to many
cmdlets, but did not add the ability to
recursively list all files with ADS
56. Get-AlternateDataStream
○ Cmdlet to easily find and list Alternate Data Streams on NTFS
○ Use cases:
1) List all Alternate Data Streams
$ads = Get-AlternateDataStream
2) List files downloaded via Internet Explorer
$ads | Where-Object {$_.StreamName -eq 'Zone.Identifier'}
3) List Alternate Data Streams for a specific file
Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
4) List Alternate Data Streams not created by Internet Explorer
$ads | Where-Object {$_.StreamName -ne 'Zone.Identifier'}
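As an added example (not PowerForensics code), the PowerShell below does with built-in cmdlets what slides 55 and 56 describe: the recursive ADS listing that PowerShell's own -Stream support lacks, a split between the Zone.Identifier marker Windows writes on downloads and any other named stream, and a decoder for the Zone.Identifier text. The sample files, their stream names and the URL are constructed in a scratch directory under $env:TEMP and deleted afterwards; it needs an NTFS volume and PowerShell 3 or later.

```powershell
function Find-AlternateDataStream {
    # Recursive version of what Get-Item -Stream does for one file: every stream except
    # the main unnamed ':$DATA' stream, with Zone.Identifier called out as expected
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                FileName   = $_.FileName
                StreamName = $_.Stream
                Length     = $_.Length
                Expected   = ($_.Stream -eq 'Zone.Identifier')   # the marker Windows adds to downloads
            }
        }
}

function Read-ZoneIdentifier {
    # The Zone.Identifier stream is a small INI-style block: [ZoneTransfer], ZoneId=3, HostUrl=...
    param([Parameter(Mandatory)][string]$Path)
    $fields = @{}
    Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop | ForEach-Object {
        if ($_ -match '^(\w+)=(.*)$') { $fields[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = [int]$fields['ZoneId']     # 3 = Internet, 4 = Restricted Sites
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

# Constructed sample files in a scratch directory (removed at the end)
$root = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
$downloaded = Join-Path $root 'setup.exe'
Set-Content -LiteralPath $downloaded -Value 'placeholder, not a real executable'
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/setup.exe"
$stashed = Join-Path $root 'readme.txt'
Set-Content -LiteralPath $stashed -Value 'ordinary text in the main stream'
Set-Content -LiteralPath $stashed -Stream 'extra' -Value 'content that Get-Content and Explorer never show'

Find-AlternateDataStream -Path $root | Format-Table -AutoSize
Read-ZoneIdentifier -Path $downloaded | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Unlike Get-AlternateDataStream, this goes through the file system API rather than the raw MFT, so it will not see streams on files the running system hides from the caller and it updates last-access times; it is the quick check, and the raw cmdlet is the forensically sound one.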
60. Get-ChildItemRaw
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes to output a directory’s contents
□ Lists system and hidden files
□ Output object has a RecordNumber property
Get-ChildItemRaw
Get-ChildItemRaw -Path C:\Windows
62. Get-FileRecordIndex
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes and return a file’s MFT Record Number
□ Starts with the root directory’s MFT entry (index 5) and works through the tree until the requested file’s index can be found
□ Can be teamed with Get-FileRecord
$rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
Get-FileRecord -VolumeName \\.\C: -Index $rnumber
64. $UsnJrnl
○ NTFS Change Journaling
□ Keeps track of changes to files or directories in a volume
□ Changes are documented with the filename, timestamp of change, and description of change
□ Can be leveraged by backup utilities (e.g. Volume Shadow Service)
○ Two named data streams:
□ $MAX: UsnJrnl metadata (first entry number, maximum size of journal, etc.)
□ $J: Contains the actual Journal entries
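As an added example (not PowerForensics code), the PowerShell below shows what one $J entry actually holds, which is what the "filename, timestamp, description" bullet above becomes on disk: a USN_RECORD_V2 with a 60-byte fixed header, a FILETIME, a Reason bit mask and a UTF-16 file name. New-ConstructedUsnRecord builds synthetic records for the demo (the file names, reference numbers and times are made up), and the final query is the Prefetch pivot suggested on slide 75 run against them. The Reason table lists only the USN_REASON_* values used here.

```powershell
# USN_REASON_* flags from the Windows SDK, as bit -> name pairs (subset)
$UsnReasons = @(
    @{ Bit = 0x00000001; Name = 'DATA_OVERWRITE' },
    @{ Bit = 0x00000002; Name = 'DATA_EXTEND' },
    @{ Bit = 0x00000004; Name = 'DATA_TRUNCATION' },
    @{ Bit = 0x00000100; Name = 'FILE_CREATE' },
    @{ Bit = 0x00000200; Name = 'FILE_DELETE' },
    @{ Bit = 0x00000800; Name = 'SECURITY_CHANGE' },
    @{ Bit = 0x00001000; Name = 'RENAME_OLD_NAME' },
    @{ Bit = 0x00002000; Name = 'RENAME_NEW_NAME' },
    @{ Bit = 0x00008000; Name = 'BASIC_INFO_CHANGE' },
    @{ Bit = 0x80000000; Name = 'CLOSE' }
)

function ConvertFrom-UsnRecordV2 {
    # Parse one USN_RECORD_V2: 60-byte fixed header followed by the UTF-16 file name
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$Offset = 0)
    $frn        = [BitConverter]::ToUInt64($Bytes, $Offset + 8)    # 48-bit MFT record + 16-bit sequence
    $parent     = [BitConverter]::ToUInt64($Bytes, $Offset + 16)
    $reason     = [BitConverter]::ToUInt32($Bytes, $Offset + 40)
    $nameLength = [BitConverter]::ToUInt16($Bytes, $Offset + 56)
    $nameOffset = [BitConverter]::ToUInt16($Bytes, $Offset + 58)
    $reasonNames = foreach ($r in $UsnReasons) {
        if (([uint64]$reason -band [uint64]$r.Bit) -ne 0) { $r.Name }
    }
    [pscustomobject]@{
        RecordLength   = [BitConverter]::ToUInt32($Bytes, $Offset)
        Usn            = [BitConverter]::ToInt64($Bytes, $Offset + 24)
        TimeStamp      = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $Offset + 32))
        MftRecord      = $frn -band [uint64]0xFFFFFFFFFFFF
        SequenceNumber = $frn -shr 48
        ParentRecord   = $parent -band [uint64]0xFFFFFFFFFFFF
        Reason         = ($reasonNames -join '|')
        FileName       = [System.Text.Encoding]::Unicode.GetString($Bytes, $Offset + $nameOffset, $nameLength)
    }
}

function Get-UsnRecordFromBytes {
    # Walk consecutive records as read from the $J stream; $J is sparse and zero-filled
    # where nothing was written, so a length below the header size ends the walk
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $pos = 0
    while (($pos + 60) -le $Bytes.Length) {
        $len = [BitConverter]::ToUInt32($Bytes, $pos)
        if ($len -lt 60) { break }
        ConvertFrom-UsnRecordV2 -Bytes $Bytes -Offset $pos
        $pos += $len
    }
}

function New-ConstructedUsnRecord {
    # Builds a synthetic V2 record for the demo; real ones live in \\.\C:\$Extend\$UsnJrnl:$J
    param([string]$FileName, [uint64]$FileRef, [uint64]$ParentRef, [datetime]$When, [uint32]$Reason)
    $name   = [System.Text.Encoding]::Unicode.GetBytes($FileName)
    $length = 60 + $name.Length
    $padded = ($length + 7) -band (-bnot 7)                                  # records are 8-byte aligned
    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write([uint32]$padded); $w.Write([uint16]2); $w.Write([uint16]0)       # RecordLength, Major, Minor
    $w.Write([uint64]$FileRef); $w.Write([uint64]$ParentRef); $w.Write([int64]0)   # FRN, ParentFRN, Usn
    $w.Write([int64]$When.ToFileTimeUtc()); $w.Write([uint32]$Reason)
    $w.Write([uint32]0); $w.Write([uint32]0); $w.Write([uint32]0x20)         # SourceInfo, SecurityId, ARCHIVE
    $w.Write([uint16]$name.Length); $w.Write([uint16]60); $w.Write($name)
    if ($padded -gt $length) { $w.Write((New-Object byte[] ($padded - $length))) }
    $w.Flush()
    return $ms.ToArray()
}

# Constructed journal: a Prefetch file created, an unrelated write, then the same .pf deleted
$when = New-Object DateTime -ArgumentList 2015, 9, 11, 10, 15, 0, ([DateTimeKind]::Utc)
$frn  = ([uint64]4 -shl 48) -bor [uint64]91234                             # sequence 4, MFT record 91234
$create = New-ConstructedUsnRecord -FileName 'CMD.EXE-01C678D0.pf' -FileRef $frn -ParentRef 2345 -When $when -Reason (0x100 -bor 0x80000000)
$other  = New-ConstructedUsnRecord -FileName 'report.docx' -FileRef 77 -ParentRef 99 -When $when -Reason 0x2
$delete = New-ConstructedUsnRecord -FileName 'CMD.EXE-01C678D0.pf' -FileRef $frn -ParentRef 2345 -When $when.AddMinutes(5) -Reason (0x200 -bor 0x80000000)
$journal = [byte[]]($create + $other + $delete)

Get-UsnRecordFromBytes -Bytes $journal |
    Where-Object { $_.FileName -like '*.pf' } |
    Format-Table TimeStamp, MftRecord, SequenceNumber, Reason, FileName -AutoSize
```

The record only carries the file name and the parent's reference number, not a path; resolving the path means walking ParentRecord through the MFT, which is what makes pairing the journal with Get-FileRecord worthwhile. The FILE_DELETE entry outliving the file is also why the journal is the place to look for a Prefetch file that is no longer on disk.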
75. Get-Prefetch
○ Cmdlet to parse the Windows Prefetch binary file format
○ Use Cases:
□ Get all Prefetch objects from files in the “Windows\Prefetch” directory
Get-Prefetch -VolumeName \\.\C:
□ Get the Prefetch object from the file specified by the Path parameter
Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
□ Another option is looking for .pf file operations in the UsnJrnl
Get-UsnJrnl | ? {$_.FileName -like "*.pf"}
77. Get-ScheduledJobRaw
○ Cmdlet to parse the Scheduled (At) Job binary file format
○ Use Cases:
□ Get all ScheduledJob objects from files in the “Windows\Tasks” directory
Get-ScheduledJobRaw -VolumeName \\.\C:
□ Get the ScheduledJob object from the file specified by the Path parameter
Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job
78. Moving Forward
○More artifacts!!
□Registry support
□ESE database support
○Organic Remoting (more robust)
○Support for alternate file systems
□Windows: FAT12, FAT16, FAT32, exFAT
□Linux: Ext2, Ext3, Ext4
□Mac: HFS+
○Online documentation (Open API)
○WMI Provider with Events
○Community Involvement!!!
81. $Volume (3)
○ File containing metadata about its partition/volume
○ Made up of two special attributes $VOLUME_NAME and $VOLUME_INFORMATION
□ Two cmdlets: Get-VolumeName and Get-VolumeInformation
Get-VolumeName -VolumeName \\.\C:
Get-VolumeInformation -VolumeName \\.\C:
84. $AttrDef (4)
○ System file that contains details about all file attributes available to the volume
Get-AttrDef -VolumeName \\.\C:
86. $Bitmap (6)
$BadClus (8)
○NTFS has two files to tell the File System
what Clusters can be used
○File contents are bit fields where each bit
represents a specific cluster
□$Bitmap: Each bit represents whether the
associated cluster is allocated by the file system
□$BadClus: Each bit represents whether the
associated cluster is corrupted or not
87. Get-Bitmap / Get-BadClus
○ Cmdlets to parse the bit fields contained within their respective files ($BITMAP and $BADCLUS)
○ Use cases:
□ Parse the $BITMAP file to determine if the specified cluster is allocated
Get-Bitmap -VolumeName \\.\C: -Cluster 1000
□ Parse the $BADCLUS file to report on any clusters that have been marked as corrupt by the file system
Get-BadClus -VolumeName \\.\C:
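As an added example (not PowerForensics code), the PowerShell below does the $Bitmap lookup that slides 86 and 87 describe, and then goes one step further than the single-cluster check by coalescing free clusters into runs, which is the view needed when asking where deleted content may still survive. The bit layout is that of $Bitmap: one bit per cluster, least significant bit first within each byte. The 4-byte bitmap is constructed; on a real volume the bytes would be the contents of C:\$Bitmap and the cluster count would come from the VBR.

```powershell
function Test-ClusterAllocated {
    # Bit (Cluster mod 8) of byte (Cluster div 8), least significant bit first
    param([Parameter(Mandatory)][byte[]]$Bitmap, [Parameter(Mandatory)][long]$Cluster)
    $byteIndex = [int]($Cluster -shr 3)
    if ($Cluster -lt 0 -or $byteIndex -ge $Bitmap.Length) {
        throw "Cluster $Cluster lies outside the bitmap ($($Bitmap.Length * 8) clusters)"
    }
    $mask = 1 -shl [int]($Cluster -band 7)
    return (($Bitmap[$byteIndex] -band $mask) -ne 0)
}

function Get-UnallocatedClusterRun {
    # Coalesce free clusters into runs: the regions where deleted file content can still be found
    param([Parameter(Mandatory)][byte[]]$Bitmap, [long]$TotalClusters = ($Bitmap.Length * 8))
    $runStart = -1
    for ($c = 0; $c -lt $TotalClusters; $c++) {
        $allocated = Test-ClusterAllocated -Bitmap $Bitmap -Cluster $c
        if (-not $allocated -and $runStart -lt 0) { $runStart = $c }
        elseif ($allocated -and $runStart -ge 0) {
            [pscustomobject]@{ StartCluster = $runStart; Length = $c - $runStart }
            $runStart = -1
        }
    }
    if ($runStart -ge 0) {
        [pscustomobject]@{ StartCluster = $runStart; Length = $TotalClusters - $runStart }
    }
}

# Constructed 4-byte bitmap covering 32 clusters (not read from a volume):
#   0xFF: clusters 0-7 allocated      0x0F: 8-11 allocated, 12-15 free
#   0x00: 16-23 free                  0x81: 24 and 31 allocated, 25-30 free
$bitmap = [byte[]](0xFF, 0x0F, 0x00, 0x81)

Test-ClusterAllocated -Bitmap $bitmap -Cluster 12
Test-ClusterAllocated -Bitmap $bitmap -Cluster 31
Get-UnallocatedClusterRun -Bitmap $bitmap | Format-Table -AutoSize
```

The last byte of a real $Bitmap usually covers more clusters than the volume has, so pass the VBR's cluster count as TotalClusters rather than trusting the bitmap length; the trailing padding bits are otherwise reported as a free run that does not exist on disk.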