The document discusses defending against attacks that use legitimate operating system tools and binaries ("living off the land") through defense-in-depth strategies. It recommends: 1) application whitelisting policies for high-risk binaries, 2) blocking child processes for those binaries, and 3) restrictive firewall policies. It also provides an overview of exploit protection techniques and tips for maintaining system visibility and inventory records.
Slides from session at Derbycon 8.0. Description: You have probably heard the term LOLBin, LOLScript or LOLLib by now. Want to get more insights on that? Then this is the talk you want to attend.This talk will cover the Living Off The Land Binaries and Scripts (LOLBAS) project, what the project is, how it became and how you can help this evolve into the future. The talk will also go over some of my favorite LOLBins that has came to light due to this project (at least that's what I like to think) and show you some cool stuff! I mean, everybody loves to see binaries misbehave.
PowerShell, the must have tool for administrators, and the long overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration can be utilised by an attack to become a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM whilst learning how to defend against these attacks.
Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers.
In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Slides from session at Derbycon 8.0. Description: You have probably heard the term LOLBin, LOLScript or LOLLib by now. Want to get more insights on that? Then this is the talk you want to attend.This talk will cover the Living Off The Land Binaries and Scripts (LOLBAS) project, what the project is, how it became and how you can help this evolve into the future. The talk will also go over some of my favorite LOLBins that has came to light due to this project (at least that's what I like to think) and show you some cool stuff! I mean, everybody loves to see binaries misbehave.
PowerShell, the must have tool for administrators, and the long overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration can be utilised by an attack to become a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM whilst learning how to defend against these attacks.
Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers.
In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Many organizations and managed security providers are starting to move from SIEM, Security Information and Event Management, to EDR, Endpoint Detection and Response. The problem is this may not be the best decision for your organization. These technologies are similar but fundamentally different. This presentation also shares innovating ways to use your SIEM to catch the bad guys as well as learn some simple tricks for easing the burden of SIEM management.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Many organizations and managed security providers are starting to move from SIEM, Security Information and Event Management, to EDR, Endpoint Detection and Response. The problem is this may not be the best decision for your organization. These technologies are similar but fundamentally different. This presentation also shares innovating ways to use your SIEM to catch the bad guys as well as learn some simple tricks for easing the burden of SIEM management.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
Now a days Cyber Crime is detected as Most Powerful Criminal Activities. If you have no awareness about Cyber Crime and Cyber Security then you might be victim of Any Cyber Crime.
As the industry’s first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet, protecting all your users within minutes.
Cisco Advanced Malware Protection offers global threat intelligence, advanced sandboxing and real-time malware blocking to prevent breaches while it continuously analyzes file activity across your network, so that you can quickly detect, contain and remove advanced malware.
Presentation of Cisco Security Architecture and Solutions such as Cisco Advanced Malware Protection (AMP) and Cisco Umbrella during Simplex-Cisco Technology Session that took place at the Londa Hotel in Limassol on 14 March 2018.
Can You Steal From Me Now? Mobile and BYOD Security RisksMichael Davis
Presentation I gave at BriForum 2012 where I discuss Mobile Security Risks, BYOD and mobile privacy issues. Lastly, I wrap up with a discussion of Document Rights Management and mobile.
The Mobile Security Risks as adapted and updated from the Veracode Top 10 Mobile Security issues (With permission from Chris Wysopal)
Agile Chennai 2022 - Shyam Sundar | Everything there is to know about Cyber s...AgileNetwork
Agile Chennai 2022
Everything there is to know about Cyber security is from movies and web series
Shyam Sundar Ramaswami
Sr. Staff Cyber Security Architect, GE Healthcare
September 2012 Security Vulnerability SessionKaseya
September is a nasty month for IT security threats…are you protected?
September 2012 has been an extremely busy month for active security threats world-wide. Oracle is dealing with a Java exploit that could allow a user’s PC to be infected with malware. Microsoft is trying to roll out a patch to address a critical IE zero-day bug. Are you aware? Are you ready?
Join Kaseya’s Security Analyst, Jason Dettbarn, in a 60 minute webinar on these – and other – top threats affecting enterprises right now. Learn more about the prevalent Java exploit that is still not fully addressed by Oracle, as well as the Internet Explorer Zero Day Bug posted September 17, which is still being actively attacked. Receive the latest information on these threats and learn how to leverage Kaseya to quickly address the above exploits in minutes. We also will describe how to leverage core Kaseya capabilities to guard against the famous Stuxnet threat that has affected large governments and millions of machines world-wide.
As threats are increasingly more sophisticated and targeted, traditional anti-virus detection is struggling to keep up. The traditional approach focuses on using fingerprint signatures of known malware to identify malware in the enterprise. This method of fingerprinting for detection is not only easily evaded, but it provides limited value to detecting targeted attacks against companies and emerging threats.
To combat this problem, Invincea developed a novel method for detecting and analyzing previously unknown malware and 0-day exploits. The advanced detection approach runs in conjunction with Invincea’s secure virtual container, which is used to isolate the operating system and user data from exploits against vulnerable applications. By running high-risk apps like web browsers in a secure container, no prior knowledge, including signatures and IOCs of threats is required in order to prevent their damage to the system and loss of data.
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst as well as helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation will provide a primer on all facets of mobile forensics.
Update from my previous presentation on dealing with SanDisk SecureAccess encrypted containers; including a bypass of the SecureAccess V2 software to see the contents of the encrypted containers.
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
This presentation follows on from some research I conducted earlier this year in relation to the encryption software utilised by SanDisk USB thumb drives. The presentation details how to best process this data forensically. The presentation also explains how to flash USB thumb drives as part of this process to mimic SanDisk devices.
This report details various security vulnerabilities facing organisations that are connected to the Internet. It focuses primarily on Denial of Service (DoS) attacks, providing an understanding of how these types of attacks are carried out and outlines the current technological resources available to provide countermeasures to DoS attacks. The recommendations provided at the end of the report allow organisations to gain the ability to minimise the harmful impact that DoS attacks can inflict upon their business.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
2. 1. LOLBINS / LOLBAS
2. LOLBINS in recent Campaigns
3. Ingress
4. External Threat Vectors
5. Defence-in-depth
i. Application Whitelisting (AppLocker)
ii. Exploit Guard
iii. Host-based Firewall
OVERVIEW
3. BIOGRAPHY
Working in the Cyber Security field for 10+ years, conducting investigations, incident response, etc.
Currently global head of Digital Forensics & Incident Response (DFIR) for Standard Chartered Bank
Malware, hacking, DDoS, etc.
Worked in Australian policing agency conducting digital forensic investigations
Fraud, Drugs, Homicide, etc.
Worked in Australia’s largest financial regulator (ASIC), leading the national forensic investigation team
Fraud, insider trading, crypto currencies, darkweb/darknet OSINT, etc.
Master IT Security, Queensland University of Technology
Bachelor Justice Studies (Criminology) with Honours, Queensland University of Technology
President of High Technology Crime Investigation Association (Australian Chapter)
4. LOLBINS / LOLBAS - Living Off the Land BINaries And Scripts
A LOLBin/Lib/Script must:
Be a Microsoft-signed file, either native to the OS or downloaded from
Microsoft.
Have extra "unexpected" functionality. It is not interesting to document
intended use cases.
Exceptions are application whitelisting bypasses
Have functionality that would be useful to an APT or red team
High-Risk Binary:
Microsoft-signed file, either native to the OS or downloaded from
Microsoft.
(Ab)used as part of an attack path.
17. Application Whitelisting (AppLocker)
AppLocker Recommendations:
1. Build policies per-LOLBIN binary (Publisher-based)
2. Restrict high-risk binaries to users/groups who require functionality
If binaries are not signed:
1. Request the software publisher sign their files (it’s 2020 after all!)
19. Exploit Guard
Code Integrity Guard
Ensures that all binaries loaded into a process are digitally signed by Microsoft.
Arbitrary Code Guard
Helps protect against a malicious attacker loading the code of their choice into memory
through a memory safety vulnerability and being able to execute that code.
Block Low Integrity Images
Prevents the application from loading files which are untrusted, typically because they have
been downloaded from the internet from a sandboxed browser.
Do Not Allow Child Processes
Blocks binaries from launching child processes.
Disable Win32k system calls
This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a
GUI thread – this will kill any GUI application, so be careful with this option.
20. Exploit Guard
Pros:
Can be configured in audit-only mode for additional visibility, without the
blocking capability
Cons:
when not configured in System settings, needs to be configured per-binary
name (which is ineffective, as binaries can be renamed)
Suggestion:
Look at high-risk binaries and develop additional hardening polices (either
blocking or audit-only)
Ingest relevant logs
Create use-cases for notable events
24. Host-based Firewall
Firewall Recommendations:
1. Deny all outbound traffic, without a specific rule
2. Deny all inbound traffic, without a specific rule
3. Build rules per-binary (IP, port, protocol)
4. Onboard logs when firewall rules are created/deleted
25. Helpful Tips
1. Remove unnecessary components of your operating
environments
2. Configure security controls granularly
per-business/user requirements
3. Ensure visibility into endpoints and network
4. Maintain accurate inventory records (HW, SW, etc.)