7MS #401: Tales of Internal Pentest Pwnage - Part 15

ManageEngine Desktop Central Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate. Pros Agent or agentless management of systems MDM (didn't play with it but it certainly looks feature-rich) Application white/blacklisting Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login banner, enforcing screen locks, setting IE homepage and search engine, etc. Patch management is full-featured - it's easy to setup a simple "scan systems, download and deploy missing patches." Or just a "scan to identify missing patches" kind of thing. It's easy to run a variety of reports to find out which systems are most vulnerable, which patches are missing across the enterprise, etc. Software deployment engine - there's a big package library where you can easily search and deploy things like Dropbox, Adobe Reader, etc. It also includes a self-service portal where users can simply select certain packages and have them installed automagically! Inventory - ability to have detailed hardware/software level details on each machine. Ability to block software by path and/or hash. You can also give people a warning saying "We're gonna nuke dropbox in 2 days if you keep it on here!" Agent-based install gives you ability to chat with users, remote control systems, send announcements, drop to a command line at a target machine, etc. Reports - you can create a report for just about anything under the sun like AD group changes, user logon reports, users that are disabled/expired, and on and on... Email alerts - I think you can trigger an email alert for just about ANYTHING that happens in the environment. ...more on today's episode!

14 Syys 201713min

This is it! The worldwide Internet debut of an original infosec-themed song called CryptoLocker'd, and as the name implies, it's about a CryptoLocker incident. Here's the quick back story: A few years ago a worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on. I found the user's handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it. Today's episode has the audio, and I welcome you to follow along with the lyrics below (head to 7ms.us to see the full lyrics as they are included in a GitHub gist)

6 Syys 201712min

This episode continues our series on comparing popular patching solutions, such as: Ninite ManageEngine Ivanti PDQ Ninite This week I focused on Ninite, and here's the TLDR version: Pros Does one thing (third party patching) and does it really well Extremely affordable User interface is clean, simple and really easy to use/learn Cons No "agentless" option - it's an agent or nothin' I'm not sure if Ninite has the brand name recognition and reputation to be accepted/respected by large companies I need to do more homework on how they pull down their packages...are they ripping apart packages and repackaging them at all? That could be a big avenue for side-loading icky stuff.

30 Elo 201711min

I'm back from Vegas! My talk went really well and I'm excited to tell you about it in today's episode. First, some conference/trip highlights: During the ILTACON conference I attended a great talk by Don McMillan about how to infuse humor into your work environment. Really enlightening, and you know those things you hear about how humor lowers blood pressure, increases satisfaction and just overall makes you a more pleasant person to be around? Turns out it's true! On the day before my presentation I got my first experience touring around the Vegas strip, and the people watching did not disappoint. I also saw the Muhammad Ali and Van Gogh exhibits, which were awesome. When it came to the actual talk, everything went really well. The audio/visual stuff all worked perfect, and I felt the content delivery went over well too. People asked a lot of questions and even hung out afterwards to discuss security topics further. There were two big surprises I wasn't expecting, though: A podcast listener was at the conference, and shared with me that after listening to lots of 7MS episodes, he always figured I looked like Jared from Subway. :-( There were super talented artists from a company called Filament did a comic-book style retelling of my talk live as I was doing it. I love crazy-talented people like this, so I was totally geeking out. I reposted the renderings (with their permission) at my personal portfolio site if you wanna check 'em out.

23 Elo 201715min

I ran out of time in episode #272 to tell you about why preparing to be a speaker for ILTACON was way more stressful that preparing for Secure360 a few months ago. The main points of difference/stress were: ILTA wanted to see PowerPoint deck progress weekly, whereas with Secure360 it was pretty much "Your talk is accepted - see you at the conference!" ILTA is going to show a "speaker slide" with bio a few minutes before the sessions starts. That way the session is focused on content (and probably avoids people who like to talk about themselves too much :-) ILTA requested my PowerPoint and handouts a few weeks before the session so they could put on their Web site for attendees to see. Although that put some pressure on me to get content done early, I think it's great because presumably some people at the talk will have screened the content and therefore be more tuned in.

17 Elo 20179min

This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week. In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include: Turning up Windows auditing and PowerShell logging Installing Sysmon Installing Security Onion Don't put too much faith in endpoint protection Keep an eye on Active Directory Install RITA Deploy a Canary Use strong passwords Install LAPS Scan and patch all your things

17 Elo 201711min

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series! Solutions we'll poke around with include: Ninite ManageEngine PDQ Deploy PS: None of these solutions are sponsoring 7MS. They're just popular patching solutions we're trying out to learn more about 'em and give you the pros/cons we discover! In today's episode I dive a bit into... Ninite Pros Cheap Does one thing, and does it well Been around for a long time Cloud-based - doesn't rely on LAN-side server Cons Only cloud-based...no LAN-side option Requires an agent Agent's only purpose is patching - no extra bells/whistles like remote control or inventorying capability

10 Elo 201710min

I spent a bunch of time with Security Onion the last couple week's and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment. After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentionally) Invoke-Mimikatz. The dashboard allows you to see transcripts of file downloads like this, as well as a tool called Network Miner to extract a copy of the downloaded file for further analysis. One thing the SO didn't pick up on was the DNS-based C2 tunnel I setup on a test victim client. However, it turns out RITA works great for exactly this type of analysis - it reported the huge number of DNS requests from my victim client to the C2 server. Very helpful info for an incident response situation!

3 Elo 201712min