Monthly DFIR Training in collaboration with DFIR Austin. This month's training covered the process of getting remote access during incident response investigations, delving into rapid agent deployment options such as GPOs and RMM tools as well as agentless triage channels such as WMI, PowerShell Remoting, SSH, etc.
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
Learn the five stages of grief that organizations seem to pass through as they come to terms with security risks and how far we’ve come regarding Industrial Control Systems.
Matt Oh, Microsoft
We are seeing new techniques used every day by malware, but it is very hard to find any impressive techniques used in the wild. Recently there was a huge buzz about the Detrahere malware, which used internally known issues with certificate signing for Windows 10 kernel drivers. Even though the certificate check bypass technique itself is very interesting, I found the tactics used by the malware even more impressive. The malware is mainly focused on ad-hijacking functionality through Netfilter driver installation, but it also has rootkit capability through file system driver hooking. This feels like the old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds them. The unpacking process can be a very challenging job too, as it uses a kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run the unpacked code. Our PatchGuard doesn't seem to trigger on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present the various techniques used by this malware, focusing on kernel-level obfuscation and anti-analysis tactics. This will give us new insights into what new Windows rootkit malware might look like in the future and how detecting it with security systems and detonation systems can be a challenge.
Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS 6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are using ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59 million exposed hosts and counting. Remediating system compromise is only the first stage, so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
Saruhan Karademir, Microsoft
David Weston, Microsoft
Windows Defender Application Guard (WDAG) brings next-generation isolation into the browser space. It merges the best of Hyper-V virtualization and Microsoft Edge sandboxing technologies to bring hardware-enforced isolation of untrusted websites from the user's data and operating system. In this talk, we will walk through the WDAG security promise and architecture. We will explain how it was built from the ground up with security as the number one priority, showcasing the architectural decisions that added layers of defense. Finally, we explore how Microsoft's internal security teams engaged from the very beginning of this feature's development, helping shape WDAG's design, finding and fixing critical vulnerabilities, and building additional defense-in-depth layers before the product reached a single customer.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
Dragos Adversary Hunter Jimmy Wylie presents "TRISIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia--the first deliberate targeting of SIS that could have resulted in potential loss of life. This presentation also examines post-TRISIS developments, as Dragos has observed that XENOTIME, the adversary group responsible for TRISIS, has expanded its targeting to North America and other safety systems.
Visit www.dragos.com to learn more.
The Dark Side of PowerShell by George Dobrea
EC-Council
PowerShell is now a 'mandatory-to-use' tool for IT professionals in order to automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language precisely because PowerShell is already installed on your Windows machines and trusted by admins and most antivirus tools! The session presents the steps that should get you started with (ethical) hacking and pen testing with PowerShell, and some new techniques like JEA (Just Enough Administration) that a defender can use in order to limit the effectiveness of PowerShell attacks.
Best Practices for Configuring Your OSSIM Installation
AlienVault
Because every network environment is different, OSSIM offers flexible configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options available will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification of the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks.
Learn more here: https://www.dragos.com/blog/trisis/
Kymberlee Price and Sam Vaughan, Microsoft
Many developers today are turning to well-established third-party open source components and libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single OSS component may have multiple additional OSS subcomponents, and an application or service may have dozens of different third-party libraries implemented. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products - exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly. This presentation will dive deep into vulnerability data and explore the source and spread of OSS vulnerabilities through products, as well as actions developers, the security research community, and enterprise customers can take to address this problem.
Securing your Windows Network with the Microsoft Security Baselines
Frank Lesniak
IT professionals everywhere strive to secure their network, but it can be a daunting task. Luckily, Microsoft provides some boilerplate templates to get you started.
In this session, Frank begins by providing an overview of the Microsoft Security Baselines, explaining what they are and how they relate to the Center for Internet Security (CIS) Benchmarks, why Security Baselines are important (especially in PCI- or HIPAA-regulated environments), what to expect to change when implementing a baseline, and when it is appropriate to implement a Microsoft Security Baseline, and provides you with project success criteria.
Then it's time for the details: Frank explains how to inventory your systems, how to download the Microsoft Security Baselines, how to apply your first Baseline to Active Directory, and how to manage the implementation---including recommendations on how to make changes (or "overrides") to the Security Baselines both from a process standpoint and a technical standpoint (using Group Policy Management).
An inconvenient truth: Evading the Ransomware Protection in Windows 10 @ Hack...
Soya Aoyama
The WannaCry cyber-attack all over the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the function "Ransomware protection" in the "Windows 10 Fall Creators Update". How does this function work? Is it really effective? In this talk, I will explain the operating principles of "Controlled folder access" in "Ransomware protection" through a demonstration video. Then I show the requirements for avoiding this function, and describe how this function can be avoided very easily. And I will ask you whether we may have to reconsider the definition of vulnerability.
McAfee MOVE (Management for Optimized Virtual Environments) provides security management for virtual environments. Solutions for endpoint security are also presented.
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
During this technical one-hour session, Santiago Gonzalez, an OSSEC core team member (system integration, rules & SIEM) and AlienVault Director of Professional Services, will demonstrate how to integrate OSSEC with other third-party applications for greater security visibility and response.
To learn more, check out the video: https://www.alienvault.com/resource-center/webcasts/advanced-ossec-training-integration-strategies-for-open-source-security
This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company, https://sensenet-library.com, the attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report and deciding on the future of the company's toolset, where you will be able to answer the question of whether you should continue investing in a tool or buy a new one.
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
Real Time Operating Systems (RTOS) form the backbone for embedded systems and control units used in vehicle control technology (such as automobiles, trucks, buses, locomotives, UAVs, etc).
In this session, we will get hands-on red teaming a popular RTOS that's at the heart of vehicle control systems worldwide. To counter this activity, we will then provide a demo of memory extraction and data analysis following Mandiant's Digital Forensics and Incident Response Framework for Embedded OT Systems.
https://www.mandiant.com/resources/blog/mandiant-dfir-framework-ot
rpdebug tool
https://github.com/mandiant/rpdebug_qnx
Lateral Movement: How attackers quietly traverse your Network
EC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility.
Video here: http://2014.video.sector.ca/video/110388398
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting various role-based remote operations architectures & Red Team assessments for organizations in 4 continents, with a fresh research hijacking full tokens from network logon-type sessions - we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams, of what SUCKS and what ROCKS on the Windows ‘Living off the land’ remote admin operations, Protocols, and APIs. We'll talk about the Pros and Cons of jump server architectures, as well as role-based shells, limiting PowerShell in creative ways. We'll also introduce fresh research to achieve Full Token hijack from network logon-type sessions, without any hash and/or TGT!
Building your macOS Baseline Requirements MacadUK 2018
Henry Stamerjohann
Slides from the 2018 MacAD.UK conference
Synopsis: https://www.macad.uk/speaker/henry-stamerjohann/
When tasked with (re)building a security baseline for macOS clients, where do you start?
There are obviously decisions to be made about what's feasible in your organization (beyond whether admin privileges should be the default). You need to weigh system stability and security against end-user productivity. Luckily for the macOS platform, a rich ecosystem of tools exists to fill in the gaps and general guidance is available. The crucial part of making mindful and informed decisions is to first aggregate data from your IT environment. You can then decide what configurations to deploy and run recurring compliance checks based on an appropriate strategy. This session will cover fundamentals, highlight advanced considerations, and outline practical examples to apply when you're establishing a (new) baseline for macOS clients.
Quarkus Hidden and Forbidden Extensions
Max Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Multiply Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders.
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading. Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
2. Austin DFIR - Gerritz (Infocyte)
Validating integrity via live forensic analysis of a set of hosts
Getting Remote Access
Situation:
• Network is compromised but you have no tools, sensors, or access to endpoints/servers
Possible Solutions:
• Deploy and Execute Temporary Collector
• Agentless Collection
– SSH
– Powershell Remoting
– WMI
• Deploy/Install an Agent
– GPO Startup Script
– Use existing RMM Tool (InTune, SCCM, Kaseya, Atera, etc.)
SSH
Description:
Remote Secure Shell for Linux platforms.
Use SCP via SSH to transfer files.
Availability:
- Installed by default on most Linux distros

Mechanism   Ports    OS      Availability
SSH         TCP 22   Linux   Ubiquitous

Authentication:
- Password
- Public Key
- Key + Sudo Password

Capability:
- File Transfer (using SCP): YES
- Execution: YES
# sudo syntax (-t allocates a tty so sudo can prompt for the password) #
ssh -t user@hostname 'sudo command1 arg1 arg2'
# su syntax (quote the whole su command so the remote shell hands it to -c intact) #
ssh -t user@hostname 'su -c "/path/to/command1 arg1 arg2"'
# RHEL/CentOS specific #
ssh -t user@nas01 'su --session-command="/path/to/command1 arg1 arg2"'
Powershell Remoting
Description:
Modern Remote Shell for Windows.
Availability:
- Installed by default on Windows 7+ (PS 2.0)
- Powershell Remoting needs to be enabled via GPO on a domain or Enable-PSRemoting locally
- Powershell Core (Pwsh 6.0+) is cross platform and also has built-in capability for access via SSH on all platforms
Mechanism             Ports                                 OS                      Availability
Psh via WinRM         TCP 5985 (HTTP) or TCP 5986 (HTTPS)   Windows                 Common on TCP 5985
Pwsh (Core) via SSH   TCP 22                                Windows, Linux, MacOS   Zero (new in 2019)

Capability:
- File Transfer (PS 5.1+ ONLY): YES
- Execution: YES
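An added example (not from the Infocyte slides) of the agentless triage flow this slide describes: open a WinRM session, push a collector with Copy-Item -ToSession (the "PS 5.1+ ONLY" transfer capability), run it, and pull the log back over the same session. The host name, collector path, directories and credential are assumptions for illustration.

```powershell
# Added example, not part of the original deck. Assumes Windows PowerShell 5.1+
# on both ends (Copy-Item -ToSession/-FromSession) and WinRM already enabled.
function Invoke-RemoteTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $CollectorPath,      # local .exe or .ps1 to push
        [pscredential] $Credential = (Get-Credential),
        [string] $RemoteDir   = 'C:\Windows\Temp\IR',        # assumed staging dir on target
        [string] $LocalOutDir = '.\triage-output',
        [switch] $UseSSL                                      # TCP 5986 instead of 5985
    )
    $sessionArgs = @{ ComputerName = $ComputerName; Credential = $Credential; ErrorAction = 'Stop' }
    if ($UseSSL) { $sessionArgs.UseSSL = $true }
    $session = New-PSSession @sessionArgs
    try {
        # Stage a directory on the target, then copy the collector through the session
        Invoke-Command -Session $session -ScriptBlock {
            param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList $RemoteDir
        Copy-Item -Path $CollectorPath -Destination $RemoteDir -ToSession $session -Force
        $remoteFile = Join-Path $RemoteDir (Split-Path $CollectorPath -Leaf)

        # Run it remotely; all output streams go to a log on the target so nothing is
        # lost if the session drops. The returned object carries the exit code.
        $result = Invoke-Command -Session $session -ScriptBlock {
            param($exe, $dir)
            $log = Join-Path $dir 'collector.log'
            & $exe *> $log
            [pscustomobject]@{
                Host     = $env:COMPUTERNAME
                ExitCode = $LASTEXITCODE
                Log      = $log
                Finished = (Get-Date).ToUniversalTime()
            }
        } -ArgumentList $remoteFile, $RemoteDir

        # Pull the log back over the same WinRM session (no SMB share required)
        New-Item -ItemType Directory -Path $LocalOutDir -Force | Out-Null
        $localLog = Join-Path $LocalOutDir "$($result.Host)-collector.log"
        Copy-Item -Path $result.Log -Destination $localLog -FromSession $session
        $result
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage (assumed values):
# Invoke-RemoteTriage -ComputerName 10.0.0.5 -CollectorPath .\collector.exe -Verbose
```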
Windows Management Instrumentation (WMI)
Description:
A set of management interfaces and methods for administering Windows systems.
Use `wmic process call create` to execute a binary.
Transfer is not available so you’ll need to use SMB or a common file share.
Availability:
- Installed by default on Windows XP+
- Non-domain joined systems are denied by default
Mechanism     Ports                                      OS        Availability
WMI via RPC   TCP 135 + Dynamic Port (TCP 59152-65535)   Windows   Ubiquitous

Capability:
- File Transfer: NO
- Execution (process call create): YES
# cmd syntax #
wmic /node:10.0.0.5 /user:administrator /password:Pass1 process call create "cmd"
# powershell syntax #
Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList "cmd"
Remote Scheduled Tasks (Schtasks)
Description:
Interacts with the task scheduler on remote systems.
Use Run Once to execute a binary/command.
Transfer is not available so you’ll need to use SMB or a common file share.
Availability:
- Installed by default on Windows XP+
- Non-domain joined systems are denied by default
Mechanism          Ports                                      OS        Availability
Schtasks via RPC   TCP 135 + Dynamic Port (TCP 59152-65535)   Windows   Ubiquitous

Capability:
- File Transfer: NO
- Execution: YES
# cmd syntax (create a run-once task, trigger it, then remove it; /F on delete skips the confirmation prompt) #
schtasks /Create /S 10.0.0.5 /RU "SYSTEM" /U administrator /P Pass1 /SC ONCE /TN MYTASKNAME /ST 00:00 /F /TR "c:\temp\MyProgram.exe"
schtasks /Run /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME
schtasks /Delete /S 10.0.0.5 /U administrator /P Pass1 /TN MYTASKNAME /F
Remote Service Manager (e.g. PSExec)
Description:
Interacts with the Service Control Manager on remote systems.
Use PSExec to execute a binary/command.
Transfer is not available so you’ll need to use SMB or a common file share.
Availability:
- Installed by default on Windows XP+
- Non-domain joined systems are denied by default
Mechanism     Ports                                      OS        Availability
SCM via RPC   TCP 135 + Dynamic Port (TCP 59152-65535)   Windows   Ubiquitous

Capability:
- File Transfer: YES
- Execution: YES
# cmd syntax (-c copies the local program to the remote host before executing it) #
psexec \\10.0.0.5 -u administrator -p Pass1 -c "c:\temp\MyProgram.exe"
GPO Startup Script
Description:
Configures systems in domain to run a script on startup.
Can be used to launch a script or powershell command.
Script is hosted on Domain Controller
NOTE: GPO Logon Scripts CANNOT be used to install agents (unprivileged)
Time: 24 hours to a month depending on domain propagation delays
Availability:
- Ubiquitous in Windows Domains
Mechanism   Ports/Protocol   OS        Availability
GPO         LDAP             Windows   Ubiquitous in Windows Domains

Capability:
- File Transfer: NO
- Execution: YES
# GPO Editor #
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
GPO Startup Script Setup Instructions
Step 1: Configure Script Delay to 120 seconds:
Computer Configuration -> Administrative Templates -> System -> Group Policy
“Configure Logon Script Delay”
Step 2: Setup Command & Parameters
Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
“Scripts”
● Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
● Script Parameters: -NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1
%~dp0 when launched on the client is automatically converted to the UNC path to the script directory on SYSVOL:
\\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup
Reverse Download Commands
• Many remote management mechanisms and tools do not support or make it easy to transfer files (scripts or executables)
Best Solution:
• Execute Reverse Download Command
• Any remote execution mechanism can utilize this
# Powershell Reverse Download & Execute #
(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1") | iex
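The one-liner above pipes whatever the server returns straight into iex. As an added example (not from the Infocyte slides), the same reverse download with the bytes hashed and compared against a value recorded from a reviewed copy before anything executes; the URL is the slide's, the expected SHA-256 is a placeholder you must supply.

```powershell
# Added example, not part of the original deck. The expected hash is whatever
# Get-FileHash reports for the copy of the script you reviewed beforehand.
function Invoke-VerifiedDownloadExecute {
    [CmdletBinding()]
    param(
        [string] $Url = 'https://raw.githubusercontent.com/Infocyte/PowershellTools/master/AgentDeployment/install_huntagent.ps1',
        [Parameter(Mandatory)] [string] $ExpectedSha256    # e.g. (Get-FileHash .\install_huntagent.ps1).Hash
    )
    # Older Windows builds default to TLS 1.0; GitHub requires TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Download raw bytes so the hash matches Get-FileHash on the same file on disk
    $bytes  = (New-Object Net.WebClient).DownloadData($Url)
    $sha256 = [Security.Cryptography.SHA256]::Create()
    $actual = -join ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })

    if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
        throw "SHA-256 mismatch for $Url`n  expected: $ExpectedSha256`n  got:      $actual`nNot executing."
    }
    Write-Verbose "SHA-256 verified ($actual), $($bytes.Length) bytes"

    # Decode, drop a UTF-8 BOM if the file carries one, then run it (the slide's '| iex')
    $script = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $script
}

# Usage (placeholder hash; replace with the value from your reviewed copy):
# Invoke-VerifiedDownloadExecute -ExpectedSha256 '<sha256-of-reviewed-install_huntagent.ps1>' -Verbose
```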
Remote Monitoring & Management (RMM) Tools
Description:
Usually a pre-deployed agent used to manage endpoint configurations.
Most can install packages or execute remote commands.
Sometimes transfer is not available.
Availability:
- Each company might use a different one.
- No standardization.
Examples:
- SCCM, InTune, Kaseya, Tanium, Atera
Protocol   Ports    OS       Availability
RMM Tool   Varies   Varies   Custom (If Installed)

Capability:
- File Transfer: SOME
- Execution: YES
DevOps Server Configuration Tools
Description:
Either a pre-deployed agent or interface to SSH/WinRM.
Used to configure servers in cloud environments.
Can be configured to install packages or execute remote commands.
Biggest difference with RMM tools is these require development and/or scripting experience.
Availability:
- Each company might use a different one.
- Configured in a Ruby DSL (Puppet/Chef) or Python and YAML (Ansible/Saltstack)
Tool                  Protocol/Ports          OS               Availability
Puppet / Chef         Agent-based             Cross Platform   Common in IaaS (Cloud)
Ansible / Saltstack   Agentless (SSH/WinRM)   Cross Platform   Common in IaaS (Cloud)

Capability:
- File Transfer: YES
- Execution: YES
Testing / Troubleshooting RPC
Error: 0x800706BA RPC Server Unavailable
• Possible Issues: The Windows Firewall is blocking the connection.
• DCOM or WMI Service is not running
Error: 0x80070005 – Access is denied by DCOM
• Possible Issues: The user does not have remote access to the computer through DCOM. (Run DCOMCNFG)
WMI Diagnostic Tool (local):
https://www.microsoft.com/en-us/download/details.aspx?id=7684
WBEMTEST (remote):
https://docs.microsoft.com/en-us/configmgr/develop/core/understand/introduction-to-wbemtest
- Microsoft Support
Testing / Troubleshooting RPC
• RPC-based mechanisms are very complex due to multiple subsystem involvement:
– Windows Firewall -> DCOM -> WMI -> Account Privileges
– Each subsystem can deny access (“Access Denied” isn’t always what you think it is) or fail
Possible Solutions:
• Check Account Permissions and Status
• Check Firewall Rule enabled to allow RPC, DCOM, and/or WMI
• Check Services are Running and set to Automatic
• Check DCOM & WMI Permissions
• If all Fails: WMI Class Rebuild?
Services:
● DCOM Server Process Launcher
● Remote Procedure Call (RPC)
● RPC Endpoint Mapper
● Windows Management Instrumentation
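An added example (not from the Infocyte slides) that walks the Firewall -> DCOM -> WMI -> account chain from the analyst host in the order the two troubleshooting slides give, and maps the two HRESULTs listed earlier (0x800706BA, 0x80070005) to the likely cause each slide names. The target and credential are assumptions; Windows PowerShell 5.1 is assumed because Get-Service -ComputerName is not available in PowerShell 7.

```powershell
# Added example, not part of the original deck.
function Test-RpcAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [pscredential] $Credential
    )
    # Hints taken from the "Testing / Troubleshooting RPC" slides
    $hints = @{
        '0x800706BA' = 'RPC server unavailable: firewall blocking, or DCOM/WMI service not running'
        '0x80070005' = 'Access denied by DCOM: check account rights and DCOMCNFG remote access'
    }
    $r = [ordered]@{ Host = $ComputerName }

    # 1. Firewall: the RPC Endpoint Mapper must answer on TCP 135 before anything else works
    $r.Tcp135 = (Test-NetConnection -ComputerName $ComputerName -Port 135 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded

    # 2. Services the slide lists. SCM is reached over RPC too, so this can fail the same way.
    try {
        $svc = Get-Service -ComputerName $ComputerName `
                   -Name DcomLaunch, RpcSs, RpcEptMapper, Winmgmt -ErrorAction Stop
        $stopped = @($svc | Where-Object { $_.Status -ne 'Running' } | Select-Object -ExpandProperty Name)
        $r.ServicesNotRunning = if ($stopped) { $stopped -join ',' } else { 'none' }
    } catch {
        $r.ServicesNotRunning = "unknown ($($_.Exception.Message))"
    }

    # 3. DCOM + WMI + account: one trivial WMI query exercises all three at once
    $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs.Credential = $Credential }
    try {
        $os = Get-WmiObject @wmiArgs
        $r.Wmi = 'OK'
        $r.OS  = $os.Caption
    } catch {
        # HResult is a negative Int32; X8 prints it as the familiar 0x8007xxxx form
        $hr = '0x{0:X8}' -f $_.Exception.HResult
        $r.Wmi  = $hr
        $r.Hint = if ($hints.ContainsKey($hr)) { $hints[$hr] } else { $_.Exception.Message }
    }
    [pscustomobject]$r
}

# Usage (assumed target):
# Test-RpcAccess -ComputerName 10.0.0.5 -Credential (Get-Credential) | Format-List
```

If TCP 135 fails the rest is moot and the fix is on the firewall; if the SCM query works but WMI returns 0x80070005, the account reaches the host and the denial is coming from DCOM or WMI permissions, which is the "Access Denied isn't always what you think" case.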
Open Source Network Test Script
Test-ICNetworkTest
https://github.com/Infocyte/PowershellTools/tree/master/NetworkDiagnostics
• Powershell tool used to determine which remote access methods are available and if credentials are configured correctly.
• Run this as a pre-checkup to verify if remote access will be possible (i.e. firewalls and accounts are configured correctly)
• Drops output to a log file as well
# Powershell Commands #
Install-Module -Name InfocyteNetworkAccess
Test-ICNetworkAccess -Target 10.0.0.1 -Credential (Get-Credential)