My Take on Application Whitelisting

One of the recurring thoughts I have noticed in the last year in discussions with friends in the industry is that whitelisting is of no use due to:

* "It is hard to do"
* "Bypasses exist so why do it"
* "It does not scale"

Those are the 3 most common ones I have heard in my discussions over drinks, in chat rooms and in lobbycon sessions with friends. I would like to address why, for me, they are not valid and share the thought process behind that.


Being Thankful for 2016

The year 2016 has passed and I find myself reflecting on the good parts of it. There tends to be too much focus on the bad in social media and news media so it is easy to forget the good parts and to treasure those.

Family

The highlights of this year where my family is involved:

  • My wife and I are expecting our third child. I love my children with such passion. Nothing compares to being a parent.

  • My kids, nothing in this world is more rewarding than being a parent.

  • My wife. I don't have a clue how she tolerates my dark humor and my quirks. I could not have asked for a better partner.
  • I still have my parents with me.
  • Thanks to opportunities that arose this year I was able to earn extra money that went to my parents to help them out. They have given so much to me, so it is a no-brainer for me to do the same for them.

Professionally

The highlights of my profession are:

  • I got to present at Derbycon and BSidesPR. I do not do the con circuit of presenting several times a year repeating content. Thankfully I have been able to keep my ego in check. I present at these 2 cons every year I can because to me they are family, and I consider myself fortunate to submit and get accepted.
  • I delivered a training class at Derbycon. I got to deliver my PowerShell for Security Professionals class, this class is practically re-written every year and this year I had a fabulous set of students. Every year it gets better and better.
  • I got to train Marine Corps Cyber Command personnel twice, in addition to personnel of other branches. I consider it an honor and a privilege to have been asked to train them. The NCOs, Officers and Civilian personnel trained exemplified what professionalism is. Each class was tailored to their specific needs and requests. It was the highlight of my training experience in 2016.
  • I still enjoy the respect of many of my peers.
  • I was able to update and write tools that people in my industry find useful.
  • I was able to share knowledge in blog posts and people found the information useful.
  • I still have a job that provides for my family, allows me the flexibility of spending time with them and lets me provide a better standard of living for them.
  • I get to manage in my day job a group of professionals that inspire me and challenge me to be better every day.
  • I was awarded again the Microsoft MVP award for Cloud and Management.

2017

For 2017 I'm again working on:

  • Hoping to spend time with my family and welcome the new addition.
  • Writing tools to learn and share.
  • Thinking of what presentation I can do at Derbycon that will be of value to the community so as to submit to the CFP.
  • Re-Writing labs, updating slides, consolidating and re-organizing training material for the 3 different classes I teach.
  • Planning on submitting again to Derbycon training with an updated version of my PowerShell class.

Update to the Metasploit Framework Install Guide

It had been a while since I last updated the Ubuntu/Debian install guide. I recently had to install a new version of my Linux dev VM, so what better time to go through the steps and update the guide. I hope you find the guide useful as always.

Changes:

  • Updated the link for the Armitage download.
  • Changed the nmap install to use Git instead of SVN.
  • We now pull the Ruby version from the project itself so it is always the latest.
  • We now install the latest Oracle Java version.
  • Removed the warning about a bug with RVM that has been fixed in the project.

Creating Real Looking User Accounts in AD Lab

As I write my own tools for IR Hunting and Post-Exploitation I like to have a large, realistic set of AD accounts, including accounts with accented and non-English characters, to make sure my tools will work in large environments and to simulate multiple geographical locations, since most customers are not US based. When creating realistic user accounts I have found no better source than http://www.fakenamegenerator.com; it allows me to order a CSV with a large number of realistic-looking users and their details.


Meterpreter New Windows PowerShell Extension

I still remember 5 years ago when I decided to do my first PowerShell class at Derbycon and some of my buddies told me I was nuts for teaching what they called a "Toy Language". I have used Windows PowerShell almost daily for work since 2007; I started with my previous job setting up and securing Exchange 2007 servers, and once PowerCLI from VMware came out it became my go-to environment for automating and hardening ESX and ESXi environments. Once we figured out how to run encoded commands it became a must for post-exploitation, since it gave me access to ADSI, COM, the Win32 API, the .NET API and all sorts of third-party .NET libraries I could get my hands on. Some kind of PowerShell ability has been present in most major commercial products one way or another, and now Metasploit is taking it a step further thanks to the great work of OJ Reeves, also known as @TheColonial, by adding a Meterpreter extension for an unmanaged Windows PowerShell Runspace. This extension is based on the work of Lee Christensen and his UnmanagedPowerShell project.
