This document discusses the use of PowerShell and Windows Management Instrumentation (WMI) by attackers. It provides background on these tools and their capabilities. It then gives examples of how attackers may use PowerShell and WMI for activities like downloading files, achieving persistence, and pivoting within a network. The document concludes by discussing defenses like logging and monitoring these tools to detect malicious use.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the defacto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...Puppet
Adding Windows servers to a Puppet instance can feel like a daunting task, even more so when you already have a large number of Linux servers in Puppet already. Learn how Walmart integrated their Windows servers into Puppet Enterprise. We’ll discuss not only why we chose Puppet over other tools, but why and how we still use tools like DSC, SCCM and GPOs. We’ll also go over the successes and pitfalls we had along the way in using Puppet on Windows, onboarding other teams, and evangelizing our team’s vision to others.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the defacto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...Puppet
Adding Windows servers to a Puppet instance can feel like a daunting task, even more so when you already have a large number of Linux servers in Puppet already. Learn how Walmart integrated their Windows servers into Puppet Enterprise. We’ll discuss not only why we chose Puppet over other tools, but why and how we still use tools like DSC, SCCM and GPOs. We’ll also go over the successes and pitfalls we had along the way in using Puppet on Windows, onboarding other teams, and evangelizing our team’s vision to others.
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.
P.S. The concepts are still work in progress, and the slide deck is a bit rough around the edges, but I hope it can spark some ideas and help you out. If you have feedback I would also greatly appreciate hearing from you, e.g. on Twitter (@FrodeHommedal).
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
"Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.
This talk highlights challenges to red teams posed by Microsoft's new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon."
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
With advanced cyber-actors evolving quickly and becoming more stealthy, it has become imperative to question the status quo of our existing cyber-operations. This session will outline how a case study and incident response led to changes in focus and philosophy and how that changed the structure of Defensive Cyber Operations.
(Source: RSA Conference USA 2017)
In this presentation I have explained about difference between regular malware attack and fileless attack. Also added ways to capture it using EventTracker.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Attendees will learn the best web application security practices used by major US government entities. The presentation will cover network configuration, caching, replication, common web application vulnerabilities, and how making these changes will result in better web site performance and user satisfaction. The five most common types of web application attacks will be explained, along with simple ways to prevent them.
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go.
Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Talk at TYPO3 Conference 2016 in Bologna/Italy. Basic insights into hacking websites with SqlMap and BeEF XSS and considerations to prevent that. Screencasts of SQLi and XSS at https://www.youtube.com/watch?v=VIGVlmaKqxY & https://www.youtube.com/watch?v=WBDWWv5zdUQ
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
Today’s cutting-edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share the processes that Amazon’s engineers use to practice DevOps and discuss how you can bring these processes to your company by using a new set of AWS tools (AWS CodePipeline and AWS CodeDeploy). These services were inspired by Amazon's own internal developer tools and DevOps culture.
Burrowing Through The Network - Contextualizing The Vulkan LeaksJoe Slowik
In late March 2023, a consortium of journalists and investigators released analysis of “the Vulkan files”. Consisting of a trove of documents associated with a Russian contracting company working with intelligence and military authorities, the papers revealed a variety of ambitious, concerning programs such as “Scan-V” and “Amezit.” Both program, in the sense that they offer capabilities to acquire, maintain, and task infrastructure for cyber and information operations at scale, are deeply concerning, indicating a significant advancement in Russian-linked network warfare and related actions.
However, placing these items in context reveals a murkier, far more troubling picture. After reviewing the capabilities of Amezit and Scan-V, we can see glimpses of other, historical programs in the advertised efficacy of these projects. Notably, we will consider other items that have leaked out over the years offering similar capabilities, albeit in different circumstances. Examples include Russia’s own SORM framework for domestic operations, China’s Great Firewall and (more significantly) Great Cannon programs, and items that emerged nearly a decade ago in the Snowden leaks such as the US’s alleged “Quantum” program.
By analyzing these additional projects, we will observe a decade’s long trend in the systematization and increasing scale of cyber programs, especially with respect to automated exploitation and infrastructure management frameworks. Thus, Vulkan and related items, as significant as they are, represent a culmination of operational evolution and a prime example of the proliferation of capabilities following public disclosure. With programs such as Scan-V exposed, we should anticipate other entities seeking to mirror such capabilities, progressing beyond simple botnets and other distributed systems to effective management of dispersed capabilities for signals intelligence and cyber operations purposes.
Cyber consequences, operational dependencies, and full scope securityJoe Slowik
Cyber impacts are typically viewed in isolation - yet paired with secondary effects or specific process targeting, they can result in outsized physical or reputational impacts. This talk will examine such attacks, their execution, and how Purple Teaming can incorporate these events in testing.
Cyber events are typically viewed in isolation as information-centric events, perhaps with some secondary effects in terms of victim organization finances or reputation. Yet this perspective ignores both the increasing physical consequences of cyber manipulation, greater inter-organization dependencies leading to expanded attack surface, and the potential for targeting operational or procedural “weak points” to propagate impacts to more secure or sensitive areas. Essentially, just as the idea of network isolation or “airgaps” no longer makes sense for defense, the idea of network defense as being limited only to the defended organization’s “border” no longer applies either.
This talk will examine how critical operational dependencies, perceptions, and third-party relationships can be used to achieve not just initial network access, but potentially network or even physical disruption. Examples to illustrate this concept will include sequenced cyber impacts combined with information operations to create panic or reduce confidence in critical infrastructure; targeting up- or down-stream dependencies as a mechanism to bypass security to achieve outsized impacts; and leveraging proper timing to increase the impact of a cyber intrusion or disruption event.
The above will cover attack scenarios and their impacts, but the talk will conclude with how organizations must expand scope for security testing, evaluation, and auditing to include such scenarios. Essentially, red (and purple) teaming no longer stops at the network border, but instead must include dependencies and external influencing factors to adequately map out true security risk. By designing intrusion scenarios to simulate such conditions, implementing wide-ranging table-top exercises, and incorporating third-parties (from suppliers to vendors to service providers) in testing activity, organizations can prepare for sequenced, dependency-focused attacks increasingly used by advanced adversaries. Failure to recognize and adapt to these trends will leave organizations unaware of and ill prepared for an increasingly expanded attack surface based on modern network and operational inter-dependencies.
Full-Spectrum Information Operations for Critical Infrastructure AttacksJoe Slowik
Presentation from 2019 CYBERWARCON covering layered/sequenced use of different disciplines of information operations (including cyber attacks) for critical infrastructure disruption.
Attribution within threat intelligence operations generally focuses on trying to find a 'who' - pick a US three-letter agency or other intelligence service - rather than the 'how' - what totality of activities makes up a specific activity group responsible for one (or more) campaigns. This talk will explore and outline the differences between these approaches, and how the former might be useful when discussing things in the press or looking at events from a law enforcement perspective, but the latter is far more useful (and significantly less controversial) for actual network defenders. Specifically, by limiting ourselves to defining a collection of behaviors or TTPs surrounding a specific event or campaign, threat intelligence can then develop playbooks, response procedures, and evaluation of expected follow-on actions related to the documented activity group. Most importantly, activity groups - as collections of behaviors - are distinct from 'actors'. Thus, you may have multiple activity groups, associated with a set of targets and TTPs, that all happen to belong to the same hostile foreign intelligence service. But from an IR or SOC perspective, the 'geopolitical' aspect is irrelevant.
To illustrate the above and how this matters, I would provide a couple of examples - including one where aggressive attribution for the sake of press or other motives muddies the waters from a defense perspective. Specifically, I'll look into the Dragonfly2.0 report released earlier in 2017 and follow-on reporting related to it (most notably US-CERT's report) to show how multiple activity groups can be conflated and produce a confusing and unhelpful threat landscape understanding for network defenders.
Following this discussion, attendees will have a more robust understanding of threat intelligence operations, the different types of attribution based upon threat intelligence work, and why an activity group-focused approach is more useful to security operations than alternatives. Attendees will be equipped to more robustly examine and, where necessary, challenge threat intelligence reporting, and learn what details are most useful in applying threat intelligence data to security operations.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
4. • Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
• Los Alamos National Lab: IR Lead
• US Navy: Information Warfare Officer
• University of Chicago: Philosophy Drop-Out
5. • Scripting and interactive language
• Introduced in 2006, integral to Win7+
since 2009
• Full access to COM & WMI for system
administration
6. • WMI = Windows Management
Instrumentation
• Interactive and scriptable framework
for local and remote administration
• Frequently accessed via PowerShell
12. • WMI enables significant access to
review and modify system data
• Access via PowerShell allows for
scripting and automated possibilities
13.
14. • PowerShell’s ubiquity adds a significant
capability to potential attacker
• Enhances ability to ‘live off the land’
• Expands initial infection vectors
15. Command Use
-EncodedCommand Accepts Base64-encoded input for
execution within PowerShell
(New-Object
System.New.Webclient).DownloadFile()
Download a file from a remote location;
can be piped to Start-Process to execute
-ExecutionPolicy Bypass Circumvent system limits on script
execution
-WindowStyle Hidden Hide the command window from the user
-Invoke-Expression Execute arbitrary code or commands
18. • WMI is also ubiquitous, potent ‘dual-use’
• Can enable:
• Complex exploitation, persistence of
infected host
• New vectors to pivot within network
19. • PsExec-like remote execution
• Malicious file/script storage
• Persistence when combined with file or
registry activity
32. • Sysinternals Sysmon – latest version
includes WMI visibility
• But logging/alerting will need to be
tuned
• DIY via WMI Subscription creation
• Otherwise – commercial products
34. • What PowerShell/WMI scripts are used
in ‘normal’ network administration?
• What commands never have legitimate
use?
• What – if any – items require
whitelisting?
35.
36. wmic /node:REMOTESYSTEM process call create “EVIL_COMMAND”
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE “%VMware%”
$BADTHING=New-ObjectManagement.ManagementClass($REMOTESYSTEM,
[String]::Empty,$null)
$BADTHING[‘__CLASS’]=’Evil_Malware’
$BADTHING.Properties.Add(‘SomethingEvil’,[Management.CimType]
::String,$False)
$BADTHING.Properties[‘SomethingEvil’].Value =$PAYLOAD
$EvilClass.Put()
37.
38. • Create Event Consumer: performs action when
triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to
consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-
research/2016/08/wmi_vs_wmi_monitor.html