(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

I just spent a fair bit of time preparing to take the GIAC Security Expert exam as part of the requirement to recertify every four years. I first took the exam in 2012, and I will tell you, for me, one third of the curriculum is a use-it-or-lose-it scenario. The GSE exam covers GSEC, GCIH, and GCIA. As my daily duties have migrated over the years from analyst to leadership, I had to relearn my packet analysis fu. Thank goodness for the Packetrix VM and the SANS 503 exercises workbook: offsets, flags, and fragments, oh my! All went well, mission accomplished, I'm renewed through October 2020 and still GSE #52, but spending weeks with my nose in the 18 course books reminded me of some of the great tools described therein. As a result, this is the first of a series on some of those tools, their value, and use case scenarios.

I'll begin with snapshot.ps1. It's actually part of the download package for SEC505: Securing Windows and PowerShell Automation, but is discussed as part of the GCIH curriculum. In essence, snapshot.ps1 is one script that encapsulates the activities specific to the SANS Intrusion Discovery Cheat Sheet for Windows.

The script comes courtesy of Jason Fossen, the SEC505 author, and can be found in the Day 5-IPSec folder of the course download package. The script dumps a vast amount of configuration data for the sake of auditing and forensics analysis and allows you to compare snapshot files created at different times to extract differences.

To use snapshot.ps1, place the script in a directory where it is safe to create a subdirectory: the script creates a directory named for the computer, then writes a variety of files containing system configuration data into it. Run snapshot.ps1 with administrative privileges.

The script runs on Windows 7, Server 2008, and newer Windows operating systems (I ran it on Windows 10 Redstone 2) and requires PowerShell 3.0 or later. You also need to have autorunsc.exe and sha256deep.exe in your PATH if you want to dump which programs are configured to start automatically when the system boots and you log in, and to compute SHA256 file hashes. That said, if you must make the script run faster, and I mean A LOT FASTER, leave file hashing disabled at the end of snapshot.ps1 for a 90% reduction in run time. However, Jason points out that hashing is one of the most useful aspects of the script for identifying adversarial activity.

He also points out that, as in toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics, after importing PowerForensics you could add something like Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge "12/30/2015" -and $_.Date -le "01/04/2016" } | WriteOut -FileName Timeline, which would give you a file system timeline between 12/30/2015 and 01/04/2016 (WriteOut is the output helper defined in snapshot.ps1).

But wait, there's more! Want to get autoruns without needing autorunsc.exe? Download @p0w3rsh3ll's AutoRuns module, run Import-Module AutoRuns.psm1, then Get-Command -Module AutoRuns to be sure the module is on board, and finally comment out autorunsc.exe -accepteula -a -c | Out-File -FilePath AutoRuns.csv and add Get-PSAutorun | WriteOut -FileName AutoRuns in its place.
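To make the snapshot-then-diff workflow concrete, here is a small script in the same spirit. It is an added example, not snapshot.ps1 or any of Jason Fossen's code: it captures a few of the same kinds of data (services, processes, listening ports, scheduled tasks, Run/RunOnce keys, SHA-256 hashes via the built-in Get-FileHash instead of sha256deep.exe) into a per-computer folder and then compares two captures row by row. It assumes Windows PowerShell 5.1 or later run as Administrator on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection and Get-ScheduledTask); the file names, the -SkipHashing switch and the choice of what to capture are this example's own.

```powershell
# Added example, not snapshot.ps1 itself: capture a few of the same kinds of
# configuration data into a per-computer folder, then diff two captures.
# Assumptions: Windows PowerShell 5.1+, run as Administrator, on Windows 8 /
# Server 2012 or newer (Get-NetTCPConnection, Get-ScheduledTask available).
# File names and the selection of what to capture are this example's own.

function New-SystemSnapshot {
    param(
        [string]$Root = (Join-Path $PWD $env:COMPUTERNAME),  # one subfolder per computer
        [switch]$SkipHashing                                 # hashing dominates run time
    )
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Services: state, start mode and the binary actually launched.
    Get-CimInstance Win32_Service |
        Select-Object Name, State, StartMode, PathName | Sort-Object Name |
        Export-Csv -NoTypeInformation -Path (Join-Path $dir 'Services.csv')

    # Processes by name and image path (PIDs left out so the diff stays stable).
    Get-CimInstance Win32_Process |
        Select-Object Name, ExecutablePath | Sort-Object Name, ExecutablePath -Unique |
        Export-Csv -NoTypeInformation -Path (Join-Path $dir 'Processes.csv')

    # Listening TCP ports and the owning process ID.
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort, LocalAddress |
        Export-Csv -NoTypeInformation -Path (Join-Path $dir 'Listening-Ports.csv')

    # Scheduled tasks, a common persistence point.
    Get-ScheduledTask |
        Select-Object TaskPath, TaskName, State | Sort-Object TaskPath, TaskName |
        Export-Csv -NoTypeInformation -Path (Join-Path $dir 'Scheduled-Tasks.csv')

    # Run/RunOnce values for the machine and the current user, with no dependency
    # on autorunsc.exe (which covers far more locations than these four keys).
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
        $key = $_
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath/PSDrive metadata
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = "$($_.Value)" } }
    } | Sort-Object Key, Name |
        Export-Csv -NoTypeInformation -Path (Join-Path $dir 'Autoruns-RunKeys.csv')

    # SHA-256 of executables under System32 using the built-in Get-FileHash rather
    # than sha256deep.exe. This is the slow part; -SkipHashing leaves it out.
    if (-not $SkipHashing) {
        Get-ChildItem -Path "$env:SystemRoot\System32" -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Select-Object Path, Hash | Sort-Object Path |
            Export-Csv -NoTypeInformation -Path (Join-Path $dir 'Hashes-System32.csv')
    }
    return $dir
}

function Compare-SystemSnapshot {
    param([string]$Before, [string]$After)
    foreach ($csv in Get-ChildItem -Path $After -Filter *.csv) {
        $old = Join-Path $Before $csv.Name
        if (-not (Test-Path $old)) { Write-Warning "No baseline for $($csv.Name)"; continue }

        # Flatten each row to one string so a change in any column counts as a difference.
        $lhs = @(Import-Csv $old          | ForEach-Object { $_.PSObject.Properties.Value -join '|' })
        $rhs = @(Import-Csv $csv.FullName | ForEach-Object { $_.PSObject.Properties.Value -join '|' })
        $lhsSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$lhs)
        $rhsSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$rhs)

        foreach ($row in $rhs) { if (-not $lhsSet.Contains($row)) {
            [pscustomobject]@{ File = $csv.Name; Change = 'ADDED';   Row = $row } } }
        foreach ($row in $lhs) { if (-not $rhsSet.Contains($row)) {
            [pscustomobject]@{ File = $csv.Name; Change = 'REMOVED'; Row = $row } } }
    }
}

# Usage: take a baseline, then after the interval of interest take another and diff.
#   $before = New-SystemSnapshot -SkipHashing
#   $after  = New-SystemSnapshot -SkipHashing
#   Compare-SystemSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Every capture is sorted before it is written so that two snapshots of an unchanged system produce identical CSVs and the diff is empty; anything reported as ADDED (a new service binary path, a new listening port, a new Run value, a System32 file whose hash changed) is exactly the kind of delta the cheat sheet asks you to look for. Hashing is opt-out for the same reason the diary gives: it is the slowest step and also the most valuable one.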

Get-ChildItem -Path c:\ -Hidden -Recurse -ErrorAction SilentlyContinue | Select-Object FullName,Length,Mode,CreationTime,LastAccessTime,LastWriteTime | Export-Csv -Path FileSystem-Hidden-Files.csv. The resulting CSV is like a journey down evil memory lane, where all the nuggets I

@holisticinfosec

 

Win32k.sys has some problems. Again.

Recently, Google’s Threat Analysis Group discovered a set of zero-day vulnerabilities in Adobe Flash and the Microsoft Windows kernel that were already being actively used by malware attacks against the Chrome browser. Google alerted both Adobe and Microsoft of the discovery on October 21, and Adobe issued a critical fix to patch its vulnerability last Friday. But Microsoft has yet to patch a critical bug in the Windows kernel that allows these attacks to work—which prompted Google to publicly announce the vulnerabilities today.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Neel Mehta and Billy Leonard of Google’s Threat Analysis Group. “This vulnerability is particularly serious because we know it is being actively exploited.”

The bug being exploited could allow an attacker to escape Windows’ security sandbox. The sandbox, which normally runs only user-level code, lets programs execute without administrator access while restricting, through a set of policies, what they can reach on the local system.


 
Symantec IT Management Suite CVE-2016-6589 Denial of Service Vulnerability
 

(Image credit: Mustafa Al-Bassam)

Shadow Brokers—the name used by a person or group that created seismic waves in August when it published some of the National Security Agency's most elite hacking tools—is back with a new leak that the group says reveals hundreds of organizations targeted by the NSA over more than a decade.

"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses."

Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.


 
NVIDIA GPU Display Driver CVE-2016-8806 Local Privilege Escalation Vulnerability
 
NVIDIA GPU Driver CVE-2016-8812 Local Stack Buffer Overflow Vulnerability
 
NVIDIA GPU Display Driver CVE-2016-7390 Local Privilege Escalation Vulnerability
 
NVIDIA GPU Display Driver CVE-2016-7391 Local Privilege Escalation Vulnerability
 
OpenJPEG CVE-2016-9113 Null Pointer Dereference Denial of Service Vulnerability
 
NVIDIA GPU Display Driver CVE-2016-7384 Local Privilege Escalation Vulnerability
 
OpenJPEG 'openjp2/pi.c' Divide-By-Zero Denial of Service Vulnerability
 
OpenJPEG 'convert.c' CVE-2016-9115 Remote Heap Based Buffer Overflow Vulnerability
 
Multiple Huawei Products CVE-2016-6670 Insecure Random Number Generation Vulnerability
 
OpenJPEG 'convert.c' CVE-2016-9116 Null Pointer Dereference Denial of Service Vulnerability
 
OpenJPEG 'convert.c' Null Pointer Dereference Denial of Service Vulnerability
 
OpenJPEG 'convert.c' Remote Heap Based Buffer Overflow Vulnerability
 
Novell NetIQ Identity Manager CVE-2016-1592 HTML Injection Vulnerability
 
Novell NetIQ Identity Manager CVE-2016-1598 Cross Site Scripting Vulnerability
 
Microfocus Rumba FTP CVE-2016-5764 Stack Buffer Overflow Vulnerability
 
October 2016 - Crowd - Critical Security Advisory
 
[SECURITY] [DSA 3691-2] ghostscript regression update
 
Internet Storm Center Infocon Status