Email is the primary way that malware infiltrates systems. By default, Windows allows dangerous file types like scripts to execute when double-clicked, enabling malware. However, several simple changes can significantly reduce this risk. First, block common file types from email attachments and change their associations to open in Notepad instead of executing. Second, block macros in Office and tweak registry settings. Third, monitor for encrypted emails and evaluate any attachments. Together these low-effort changes can prevent the majority of malware delivered by email.
Deep look into APT and how to detect and defend v1.0 - Michael Gough
This document summarizes a presentation about detecting a Chinese advanced persistent threat called WINNTI. The presentation discusses the evolution of WINNTI attacks from 2012 to 2014, describing new techniques used in 2014 including hiding payloads in the Windows registry and altering system management binaries. It provides tips for detecting WINNTI, such as enabling detailed process auditing, monitoring for suspicious commands, and using tools like Sysmon and Log-MD to facilitate malware discovery and investigation.
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manual analysis
The document discusses using Windows event logs to detect advanced attacks and malware. It provides the following key points:
1. Six main Windows event IDs (4688, 4624, 5140, 5156, 7045, 4663) can be monitored and alerted on to detect a variety of malware and hacker activity.
2. Real examples are shown of how logs caught commodity malware, PowerShell logging bypasses, and the multi-stage WinNTI attack in action.
3. Tips are provided on enabling command line logging, using lookup lists to reduce noise, and sample Splunk queries to analyze key events like new processes started and logon activity.
4. Attendees
This document discusses defending against ransomware and provides recommendations. It begins by establishing the problem of ransomware growth and costs. It then recommends (1) blocking common file types at email gateways and Outlook, (2) blocking macros in Office documents, (3) changing file associations of script types to open in Notepad instead of executing, (4) using Group Policy to prevent changes from Windows updates, and (5) disabling dangerous Word features like DDE links. Implementing these free solutions can help block the majority of ransomware attacks.
Secure Yourself, Practice what we preach - BSides Austin 2015 - Michael Gough
This document discusses various methods for securing personal devices and systems. It provides tips for using password managers, multi-factor authentication, browser security settings, encrypted backups, and restricting administrative privileges to help protect against malware and identity theft. The document also addresses security best practices for social media, wireless networks, and monitoring children's cell phone usage.
A look at the types of malicious artifacts from advanced and commodity attacks, which unique artifacts to look for, how logging caught them in a Windows environment, and how LOG-MD can help.
MalwareArchaeology.com
LOG-MD.com
Logging for Hackers - What you need to know to catch them - Michael Gough
This document discusses how to detect malware using existing Windows logs. It begins with an introduction to the presenter and his tools for malware analysis and log management. Several examples of malware artifacts and their associated log entries are described. The document emphasizes that command line logging is critical for detection. It also introduces the free, open-source Log-MD tool which analyzes log settings and harvests security events to help identify infected systems.
You need a PROcess to catch running processes and their modules v2.0 - Michael Gough
This document discusses fileless or memory-based malware that exists only in memory and provides recommendations for detecting and responding to it. It recommends:
1. Developing a process to monitor running processes and modules for signs of injection or unauthorized code. Tools like Log-MD-Premium can help detect these memory-only infections.
2. Enabling detailed process logging, especially of command lines, to provide visibility. Detections and hunting can then focus on suspicious process activity.
3. Extracting and analyzing files from memory dumps or live systems to identify malware artifacts and indicators through static file evaluation and string analysis.
Windows IR made easier and faster: Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
Sandbox vs manual malware analysis v1.1 - Michael Gough
The document discusses the differences between sandbox analysis and manual analysis of malware. Sandbox analysis uses virtual machines and cloud-based solutions to analyze malware, but may miss artifacts since malware can detect virtual environments. The author argues that manual analysis on bare-metal systems provides more complete artifacts and indicators. Manual analysis allows evaluating malware as it was intended by detonating it directly on hardware.
The document discusses how to detect malware through effective logging. It recommends enabling command line logging for events like cmd.exe, powershell, and other processes to see details of malware behavior. The speaker advocates building a "malware matrix" of indicators and monitoring important log events. Effective logging of files, registry, network connections and other activities on internet-facing systems can help detect malware, as demonstrated by the speaker's analysis of real world advanced persistent threats. Logs are crucial for both incident response and prevention when properly configured.
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
This PowerShell command uses many odd characters and variable names to obfuscate its intent, which is typically seen with malware. It likely downloads additional payloads or malware to the system. Logging and monitoring PowerShell activity can help detect this type of obfuscated command.
Logs, Logs, Logs - What you need to know to catch a thief - Michael Gough
This will help you get started with Windows logging: what to enable, configure, gather and harvest to start catching hackers in their tracks.
The Windows Logging Cheat Sheet and the SEXY Six Event IDs you MUST monitor and alert on.
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED? - Michael Gough
This document discusses the presenter's testing of various EDR and EPP solutions using three malware samples. Key findings include:
1) Many solutions failed to detect infections, even those detected by the presenter's IPS. Detection was weakest for "fileless" Kovter and morphing Dridex malware.
2) Solutions provided inadequate details to fully remediate infections. The presenter's own LOG-MD tool outperformed EDR solutions in revealing infection artifacts.
3) Based on the results, the presenter recommends that EDR tools integrate capabilities to remotely run third-party tools like LOG-MD for more thorough investigations. Simpler consoles are also needed to distribute workload across security
The top 10 Windows log event IDs used v1.0 - Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging, and the Top 10 events (and more) you must have enabled, configured and alerting.
LOG-MD
MalwareArchaeology.com
This document summarizes the OSI and TCP/IP models, explaining their layers, functions and protocol data units. It also describes the different types of addressing at layers 2, 3 and 4, including MAC addresses, network addresses and process identifiers.
Malware development techniques, how antivirus and sandboxes work - Juan Salas Santillana
This document presents techniques for developing malware and evading detection by antivirus and sandboxes. It explains the use of Windows APIs such as I/O and the registry to implement exploits like MS10-092 and MS10-046, which allow privilege escalation and remote code propagation. It also covers topics such as identifying virtualized environments, polymorphism, traffic encryption and disabling antivirus. Finally, it describes the basic operation of antivirus engines and sandboxes.
Windows logging workshop - BSides Austin 2014 - Michael Gough
This document provides an overview of a workshop on Windows logging. The workshop aims to teach attendees how to use Windows logging to detect attacks like the Target data breach. It discusses enabling and configuring Windows logging, collecting logs using commands, and analyzing logs with Splunk. The presentation covers malware behavior, Windows logging components, enabling auditing of important events in security and system logs, and installing the Splunk Universal Forwarder to send logs to Splunk Storm for analysis.
SAP & Stratesys Success Story - Penguin Random House Grupo Editorial - JUL2014 - Stratesys
Success story based on the project delivered by Stratesys for our client Penguin Random House Grupo Editorial, consisting of the implementation of a technologically cutting-edge Customer Portal (SAP UI5 and SAP Gateway 2.0), which constitutes a new direct sales channel and provides transparency by publishing business data and making it available in real time.
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St... - Ryan G. Murphy
According to Carbon Black data, attackers are holding data for ransom at an alarming rate and are continuing to deploy attacks across every industry. In conjunction with the rise of ransomware and the continued ubiquity of mass malware, attackers are increasingly utilizing non-malware attacks in an attempt to remain undetected and persistent on organizations’ enterprises.
Presentation from the 7 April 2015 meeting of Résowest, whose aim was to raise everyone's awareness of the topic of data backup.
Presented by Baptiste Leclercq of Provectio
How to protect yourself against CTB Locker (ransomware) threats? - ATN Groupe
CTB-Locker: antivirus is no longer enough!
CTB-Locker is ransomware that encrypts your data using a strong encryption scheme. You must then pay a ransom (up to 1600 euros) to unlock your files. By taking part in our 30-minute webinar or by downloading our white paper, find out right now what the countermeasures are.
http://goo.gl/fA1Nyc
Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today. In recent years, personal use of computers and the internet has exploded and, along with this massive growth, cybercriminals have emerged to feed off this burgeoning market, targeting innocent users with a wide range of malware. The vast majority of these threats are aimed at directly or indirectly making money from the victims. Today, ransomware has emerged as one of the most troublesome malware categories of our time.
There are two basic types of ransomware in circulation. The most common type today is crypto ransomware, which aims to encrypt personal data and files. The other, known as locker ransomware, is designed to lock the computer, preventing victims from using it. In this research, we will take a look at how the ransomware types work, not just from a technological point of view but also from a psychological viewpoint. We will also look at how these threats evolved, what factors are at play to make ransomware the major problem that it is today, and where ransomware is likely to surface next.
What Is Next-Generation Endpoint Security and Why Do You Need It? - Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
Defending against Ransomware and what you can do about it - JoAnna Cheshire
This document discusses defending against ransomware and provides recommendations. It begins by establishing the problem of ransomware growth and costs. It then recommends (1) blocking common file types at email gateways and Outlook, (2) blocking macros in Office documents, (3) changing file associations to open dangerous file types in Notepad instead of executing them, (4) using Group Policy to prevent Windows updates from resetting changes, and (5) disabling Word DDE links to prevent automatic downloads. User awareness training and evaluating captured files are also recommended. Resources for implementing these defenses are provided.
When your security tools fail you, and what you can do about it. This discusses actual tool failures and their background, what failed, and what you can do to detect and/or mitigate the issue(s) another way.
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
All These Sophisticated Attacks, Can We Really Detect Them - PDF - Michael Gough
Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology
This document discusses keyloggers, malware detection, and forensic investigation of infected systems. It defines keyloggers as hardware or software that captures keystrokes and malware as malicious software like viruses and Trojans. It provides tips for detecting keyloggers and malware through artifacts in the system, registry, prefetch files, and suspicious files and entries. It outlines methods for determining the infection source and timeline, and identifying captured data, attacker information, and next steps for investigators.
Robert Vidal is an information security professional who specializes in WordPress security. He outlines several recommendations for securing a WordPress site, including changing default usernames and passwords, removing WordPress version information, keeping software updated, using strong security plugins, limiting comments and user input, regularly backing up the site, and scanning for vulnerabilities, malware and unauthorized changes. Vidal emphasizes that there is no single solution and site owners must take an active, ongoing approach to security through multiple methods like plugins, backups and monitoring.
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig... - Eric Kolb
A presentation by Eric Kolb for a non-technical audience to increase laypersons' awareness of who cyber security professionals are and what they do. The latter half of the presentation provides a wealth of information on what non-security pros can do at home to protect their computers and accounts from events and actors outside their control.
The document discusses two cyber threats that existed in Morocco:
1. A password info stealer malware that was responsible for 90% of attacks. Intelligence tracking detected around 180GB of leaked data related to Moroccan domains and personal information, and over 320 spammers were identified from the data with connections to Morocco.
2. An ATM dispense malware that was gathered from Moroccan internet service providers. Technical details about the ATM malware were presented, but not summarized.
The document ends by stating that preparations are being made for the "next war", but does not clarify the purpose of the two threats.
DEF CON 23 - BRENT - white hacking web apps wp - Felipe Prado
This document provides an overview of executing a web application penetration test. It discusses the discovery phase using OSINT tools to identify the target's online presence. It then covers gathering evidence, utilizing automated scanning tools to find vulnerabilities, and thorough manual testing techniques like exploring parameters, authentication, and the host server. The goal is to break into web applications like a professional penetration tester and provide a detailed report of findings.
Drupal, WordPress, and Joomla are very popular Content Management Systems (CMS) that have been widely adopted by government agencies, major businesses, social networks, and more — underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester’s perspective of CMS’ and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists- all of which are open-source and can be downloaded and implemented following the presentation.
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection - Neel Pathak
The document provides an overview of how anti-virus software works and techniques used to bypass antivirus detection. It discusses how antiviruses use signature-based, heuristic-based, behavioral, and sandboxing techniques to detect malware. It also explains common techniques used to evade detection like packers, splitters, code obfuscation, and injection. The document concludes that while antivirus has improved, virus creators continually develop new methods to bypass protections and that additional security measures are still needed.
Evaluating Web App, Mobile App, and API Security - Matt Cohen - Inman News
This document discusses evaluating web app, mobile app, and API security standards and tools. It provides an overview of the Open Web Application Security Project (OWASP) which publishes free, open-source security standards like the Application Security Verification Standard (ASVS). The document also discusses different types of software security testing like static analysis, dynamic analysis, code review, and penetration testing. It provides a demonstration of using the OWASP Zed Attack Proxy (ZAP) tool to conduct dynamic analysis and penetration testing of a web application.
Top 10 Web Security Vulnerabilities (OWASP Top 10) - Brian Huff
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Effective approaches to web application security - Zane Lackey
The document discusses effective approaches to web application security. It emphasizes techniques that are simple yet effective, such as making things safe by default through early encoding of dangerous HTML characters. It also stresses focusing security efforts by automatically detecting changes to sensitive code and functionality through hashing and alerts, in order to quickly review any newly introduced risks from continuous deployment.
Digital Marketing Trends in 2024 | Guide for Staying Ahead - Wask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers - akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Introduction of Cybersecurity with OSS at Code Europe 2024 - Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Main news related to the CCS TSI 2023 (2023/1695) - Jakub Marek
An English 🇬🇧 translation of the presentation for the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Skybuffer SAM4U tool for SAP license adoption - Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Webinar: Designing a schema for a Data WarehouseFederico Razzoli
Are you new to data warehouses (DWH)? Do you need to check whether your data warehouse follows the best practices for a good design? In both cases, this webinar is for you.
A data warehouse is a central relational database that contains all measurements about a business or an organisation. This data comes from a variety of heterogeneous data sources, which includes databases of any type that back the applications used by the company, data files exported by some applications, or APIs provided by internal or external services.
But designing a data warehouse correctly is a hard task, which requires gathering information about the business processes that need to be analysed in the first place. These processes must be translated into so-called star schemas, which means, denormalised databases where each table represents a dimension or facts.
We will discuss these topics:
- How to gather information about a business;
- Understanding dictionaries and how to identify business entities;
- Dimensions and facts;
- Setting a table granularity;
- Types of facts;
- Types of dimensions;
- Snowflakes and how to avoid them;
- Expanding existing dimensions and facts.
1. Ransomware and commodity malware: What can I really do to prevent it? And how do I look to see if my system has anything odd or malicious?
Michael Gough – Founder
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of
  – “Windows Logging Cheat Sheet”
  – “Windows File Auditing Cheat Sheet”
  – “Windows Registry Auditing Cheat Sheet”
  – “Windows PowerShell Logging Cheat Sheet”
  – “Windows Splunk Logging Cheat Sheet”
  – “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
  – With @Boettcherpwned – Brakeing Down Security Podcast
• @HackerHurricane, also my Blog
4. Ransomware
• It sucks
• You probably know someone who has had it, or YOU have
• It dominated the 2016 malware landscape
• 500% increase over the last 2 years
• Estimated $1 BILLION in ransoms paid
• Targets consumers
• Targets business
• Even targets TVs !!!
6. Ransomware
• Anti-Virus is failing us because it is too easy to bypass
• Ransomware heavily uses scripts
• AV doesn’t handle scripts well
• Even Next Gen Endpoint solutions have had issues due to script usage
• So what can we do to prevent Ransomware?
7. Ransomware
Let’s look at the flavors of Ransomware delivery:
1. Infected attachments
2. Links to infected websites
14. Ransomware
• Attachments in SPAM/Phishing emails
  – Office docs (.doc, .xls, .ppt)
  – PDFs that contain links
  – .js, .jse, .hta, .wsf, .wsh, .ps1
  – Zip files with the above attachments inside
  – Password protected attachments
    • Password is in the body (obvious indicator of BAD)
15. Ransomware
• URLs in SPAM/Phishing emails
  – JavaScript auto-downloads and executes malware
    • .js, .jse, .hta, .wsf, .wsh
  – Downloads an Office doc (.doc, .xls)
  – Downloads a PDF
  – Downloads a zip file with the above inside
  – Downloads a password protected attachment
    • Password is in the body (obvious indicator of BAD)
16. Ransomware
• Drive-by downloads
  – JavaScript auto-downloads and executes malware
    • All scripts: .js, .jse, .hta, .wsf, .wsh
    • Can download and call a binary .EXE
18. Ransomware
• Believe it or not, you already have what you need to stop ransomware dead cold – for Windows
• And it’s FREE !!!!
• So how can we take the RANSOM out of Ransomware?
19. Prevention
• Don’t enable Macros or Content EVER!!!! in any Office document
• Actually, let’s assume you do enable content, because we can still stop ransomware
• We will go after what the payload actually is and does, and how Windows handles it
• The file extension that is executed when the content is enabled is the key
23. Windows Based Script Host
• Get rid of it – re-associate its file types (.js, .jse, .wsf, .wsh, .hta) so they open in Notepad instead of running; ransomware uses WSH to run the encryption payload
• Consider .vbe, .vbs, .ps1 and .ps1xml too, but these are used in corporate environments, so check before you change them
• Changing the association only affects double-clicking the file, not invoking the interpreter directly (cscript bad_file.vbs)
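As an added example (not the author's code), here is a PowerShell script that re-points the script file types named on this slide and the next at Notepad, so a double-clicked .js or .vbs attachment is displayed rather than run. It assumes the stock ProgID mappings under HKEY_CLASSES_ROOT (.js to JSFile, .vbs to VBSFile, .hta to htafile, and so on) are still in place and must be run from an elevated PowerShell.

```powershell
# Added example, not from the original deck. Re-associate Windows Script Host
# file types so that double-clicking opens them in Notepad instead of
# wscript.exe / mshta.exe. Run from an elevated PowerShell (HKCR is machine-wide).
# Assumption: the stock ProgIDs (.js -> JSFile, .vbs -> VBSFile, .hta -> htafile,
# and so on) are still present, as on a default Windows install.

$extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'
$notepadCmd = '"%SystemRoot%\system32\notepad.exe" "%1"'

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

foreach ($ext in $extensions) {
    # The default value of HKCR\.js names the ProgID whose Shell\Open\Command
    # is what Explorer runs on double-click.
    $progId = (Get-ItemProperty -Path "HKCR:\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { Write-Warning "$ext has no ProgID in HKCR, skipping"; continue }

    $cmdKey = "HKCR:\$progId\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { Write-Warning "$cmdKey not found, skipping"; continue }

    $before = (Get-ItemProperty -Path $cmdKey).'(default)'
    # REG_EXPAND_SZ so %SystemRoot% is expanded when Explorer launches the handler.
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepadCmd -Type ExpandString
    '{0,-5} {1,-8} was: {2}' -f $ext, $progId, $before
}

# Read-back check: every listed type should now resolve to notepad.exe.
foreach ($ext in $extensions) {
    $progId = (Get-ItemProperty -Path "HKCR:\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        $now = (Get-ItemProperty -Path "HKCR:\$progId\Shell\Open\Command").'(default)'
        if ($now -notmatch 'notepad\.exe') { Write-Warning "$ext ($progId) still runs: $now" }
    }
}
```

Confirm the result with `cmd /c ftype JSFile` and by double-clicking a harmless test .js. A per-user "Open with" choice under HKCU can override HKCR for that user, and anything that calls wscript.exe, cscript.exe or mshta.exe explicitly still runs the script, which is exactly the limit the slide states.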
24. Corporate email
• Drop these file types at the email gateway and you will block 90% or more of what users see that gives them ransomware
• .js, .jse, .hta, .wsf, .wsh, .vbe, .vbs
• There is no reason these should be emailed to you; if they must be, zip them with a password, and do NOT include the password in the body of the message.
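The gateway side of this slide, as an added example that is not part of the deck: two Exchange mail flow rules created from the Exchange PowerShell module. It assumes the gateway is Exchange Online or Exchange Server (other gateways expose an equivalent extension block list) and that the session is already connected with Connect-ExchangeOnline or an on-premises Exchange shell. The rule names and reject text are ours. The first rule rejects the script extensions listed above; the second tags password-protected attachments, the unscannable case the next slide calls out, for review instead of rejecting them.

```powershell
# Added example, not from the original deck. Assumes an Exchange mail flow rule
# (transport rule) gateway and an already-connected Exchange PowerShell session.
# Rule names and reject text are our own, not the author's.

$scriptExtensions = 'js', 'jse', 'hta', 'wsf', 'wsh', 'vbe', 'vbs'   # no leading dots

# Rule 1: reject inbound mail from outside the org carrying any script file type.
# Start in Audit mode (matches are logged, no action taken) to size the impact,
# then switch to Enforce.
New-TransportRule -Name 'Block script attachments (ransomware droppers)' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $scriptExtensions `
    -RejectMessageReasonText 'Script attachments (.js, .jse, .hta, .wsf, .wsh, .vbe, .vbs) are not accepted. Send a password-protected zip and share the password out of band.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# Rule 2: password-protected attachments cannot be scanned and the password is
# usually in the body. Tag them so the recipient and the SOC can see them.
New-TransportRule -Name 'Flag password-protected attachments' `
    -FromScope NotInOrganization `
    -AttachmentIsPasswordProtected $true `
    -PrependSubject '[UNSCANNED PASSWORD-PROTECTED ATTACHMENT] ' `
    -SetHeaderName 'X-Attachment-Encrypted' -SetHeaderValue 'true' `
    -Mode Enforce

# Promote rule 1 once the audit period shows only expected hits.
Set-TransportRule -Identity 'Block script attachments (ransomware droppers)' -Mode Enforce

# Review what each rule is doing.
Get-TransportRule | Where-Object { $_.Name -like '*attachment*' } |
    Format-Table Name, State, Mode, Priority -AutoSize
```

Whether the extension match reaches inside a .zip depends on the product and version, so before moving rule 1 to Enforce send yourself three test messages (a bare .js, a .zip containing a .js, and a password-protected .zip) and check the message trace for each.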
25. Gaps
• We are starting to see more encrypted documents, but they have the password in the body, so obviously NOT secure
• If a user opens the fake email and opens the file inside, then scripting can be used properly
  – cscript some_bad.vbs
• Most will be Office documents, and the Macro and/or Content must be enabled
• Office 2013 and 2016 can FINALLY break this
27. Group Policy for the WIN
• For corporate users
28. Or tweak the registry
Office 2016
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security
  HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security
  HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security
  – In each key listed above, create this value:
    DWORD: blockcontentexecutionfrominternet Value = 1
Office 2013
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\word\security
  HKCU\SOFTWARE\Policies\Microsoft\office\15.0\excel\security
  HKCU\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security
  – In each key listed above, create this value:
    DWORD: blockcontentexecutionfrominternet Value = 1
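The same tweak as a script, added here as an example and not the author's code: it creates the six keys from this slide, sets blockcontentexecutionfrominternet to 1 in each, and reads every value back so a missing key shows up as a warning instead of silently leaving one application unprotected. It writes to HKCU, so run it as the user whose Office profile is being locked down.

```powershell
# Added example, not from the original deck. Sets the "Block macros from running
# in Office files from the Internet" policy (blockcontentexecutionfrominternet = 1)
# for Word, Excel and PowerPoint in Office 2016 (16.0) and Office 2013 (15.0),
# then verifies every key. Runs under the target user's account (HKCU).

$versions  = '16.0', '15.0'                 # Office 2016, Office 2013
$apps      = 'word', 'excel', 'powerpoint'
$valueName = 'blockcontentexecutionfrominternet'

function Get-OfficeSecurityKey([string]$Version, [string]$App) {
    "HKCU:\SOFTWARE\Policies\Microsoft\office\$Version\$App\security"
}

foreach ($ver in $versions) {
    foreach ($app in $apps) {
        $key = Get-OfficeSecurityKey $ver $app
        # The Policies branch usually does not exist until a policy is applied.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Verify: every key must now report the value as 1; anything else is a gap.
$missing = foreach ($ver in $versions) {
    foreach ($app in $apps) {
        $key = Get-OfficeSecurityKey $ver $app
        $v = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($v -ne 1) { "$key\$valueName = $v" }
    }
}
if ($missing) { $missing | ForEach-Object { Write-Warning "not set: $_" } }
else { "$valueName = 1 on all $($versions.Count * $apps.Count) keys" }
```

Two caveats the read-back cannot catch: the value only blocks files that carry the Internet-zone mark of the web (a document copied off a USB stick is not affected), and an Office build that predates the policy simply ignores an unknown value, so check the Office update level as well as the registry. On domain-joined machines the Group Policy from the previous slide is the maintained way to set this; a GPO will overwrite a manual HKCU value.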
29. #WINNING
• After adding these tweaks you will see this when you try to enable a macro and/or content
• You can unblock if truly needed and trusted
30. Ransomware Prevented
• If you do these simple things, which are all FREE, you will curb ransomware infections by 90-95% or more
• This does not address malicious binaries (.EXE or .DLL files)
• Whitelisting with Software Restriction Policies or AppLocker will be needed for this
32. Software Restriction Policies
• Block all executions from “C:\Users\*”
• Block all USB executions from “E:\*”
33. Software Restriction Policies
• If you set SRP to block as I do, then when you try to launch or install something, or an update runs, from a blocked path, it will fail
• This generates Event ID 866 in the Application log
• Copy the path that failed and create an exception
• Be careful not to over-trust generic paths
• Use a * to genericize an entry: C:\Users\*
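Triage of those block events as an added example, not the author's code: a PowerShell script that pulls the Software Restriction Policies events from the Application log and lists each blocked path with how often and when it was hit, so exceptions are written from evidence rather than from a single user complaint. It assumes Get-WinEvent is available (Windows 7 / Server 2008 R2 or later) and an elevated session so the whole log is readable.

```powershell
# Added example, not from the original deck. Lists Software Restriction Policies
# block events from the Application log so each blocked path can be reviewed
# before an exception is written. Event IDs from the SRP provider:
#   865 = blocked by the default security level
#   866 = blocked by a path rule (the C:\Users\* rule from the previous slide)
#   867 = blocked by a certificate rule
#   868 = blocked by a zone or hash rule
# Run elevated so the whole log is readable.

$Days = 7

$filter = @{
    LogName      = 'Application'
    ProviderName = '*SoftwareRestrictionPolicies*'
    Id           = 865, 866, 867, 868
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { "No SRP block events in the last $Days day(s)."; return }

$blocked = foreach ($e in $events) {
    # Message form: "Access to C:\...\x.exe has been restricted by your Administrator
    # by location with policy rule {GUID} placed on path C:\Users\*."
    if ($e.Message -match 'Access to (?<path>.+?) has been restricted') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Path    = $Matches.path
            Folder  = Split-Path -Path $Matches.path -Parent
        }
    }
}

# One line per distinct blocked file: how often, and when first and last seen.
$blocked | Group-Object Path | Sort-Object Count -Descending | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        Count = $_.Count
        Path  = $_.Name
        First = $times[0]
        Last  = $times[-1]
    }
} | Format-Table -AutoSize
```

Write the exception for the exact file that failed (or, better, a hash or publisher rule for it) rather than widening C:\Users\* with a wildcard on a whole subfolder: a user-writable directory under the profile is exactly what the rule exists to block, and a legitimate updater that runs from %LOCALAPPDATA% shares that folder with every dropper.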
34. AppLocker
• ONLY works in Windows Enterprise versions
• Screw you Microsoft ;-(
• Has an Audit-only mode, so it can detect what would be blocked and let you tweak the policy before enforcing
• Does DLLs
• Does Scripts
35. How to inspect a system and improve logging
36. Log-MD
• The Log and Malicious Discovery tool
• Audits your system and produces a report
• Also shows failed items on the console
• Helps you configure proper audit logging
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Helps you enable what is valuable
• Compares to many industry standards
  – CIS, USGCB and AU standards, and the “Windows Logging Cheat Sheet”
37. Free Edition
• Collect 1-7 days of logs
• Over 20 reports
• Full filesystem Hash Baseline
• Full filesystem compare to Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
38. • Over 25 reports
• Interesting Artifacts report
• WhoIS resolution of IPs
• SRUM (netflow from/to a binary)
• AutoRuns report with whitelist and MD
• More Whitelisting
• Master-Digest to exclude hashes and files
39. Resources
• Websites
  – MalwareArchaeology.com
  – Log-MD.com – the tool
• The “Windows Logging Cheat Sheet”
  – MalwareArchaeology.com
• Malware Analysis Report links too
  – To start your Malware Management program
40. Questions?
• You can find us at:
• @HackerHurricane
• @Boettcherpwned
• Log-MD.com
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net