TOPIC: Information Technology

Living off the Land - WST

Many malicious users try to fly under the radar by using built-in system commands, or "living off the land" as it is often called. Built-in system commands typically don't look out of the norm and allow the malicious user to perform tasks such as domain enumeration, loading malicious code using a scheduled task, starting remote processes, and more.
Figure 1: User enumeration using system commands.

By default, these commands are not logged on Windows hosts; however, logging can be enabled. Once enabled, you can go a step further and forward these logs to your central logging or SIEM (Security Information and Event Management) solution for additional parsing and alerting.

Figure 2: Event Viewer showing command-line usage.

To enable this, edit the following GPO or registry settings. For additional information, see the following Microsoft article: https://devblogs.microsoft.com/commandline/how-to-determine-what-just-ran-on-windows-console/

1. Enable the Audit Process Creation audit policy so that 4688 events are generated, by editing the following GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking

2. Enable "Include command line in process creation events" by editing the following GPO: Computer Configuration\Administrative Templates\System\Audit Process Creation. Or enable it on the local system by setting the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled to "1".

Authored by - Brian Hitchcock CISSP, OSCP, PCNSE, ACCP
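The following PowerShell is an added example, not code from the article or its author. It applies the local-host version of the two settings above (the audit subcategory via auditpol, the registry value quoted in the article), verifies the registry value stuck, and then reads recent 4688 events from the Security log and surfaces command lines that match a short watch-list of built-in enumeration commands. The watch-list patterns are my own constructed examples to tune for your environment; the registry path and value name are the ones the article gives.

```powershell
# Added example: enable command-line logging for 4688 events on the local host,
# verify the setting, then surface 4688 events whose command line looks like
# built-in enumeration. Run from an elevated PowerShell prompt.

# 1. Audit Process Creation (success and failure) -> Security event 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Include the full command line in each 4688 event (registry path from the article).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Read the value back so a deployment script fails loudly if it did not apply.
$enabled = (Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled').ProcessCreationIncludeCmdLine_Enabled
if ($enabled -ne 1) { throw 'ProcessCreationIncludeCmdLine_Enabled is not set to 1' }

# 4. Constructed watch-list (assumption: common built-in enumeration commands,
#    not a complete list; extend it to match what you want alerted on).
$watchList = @(
    'net\s+user\s+.*/domain',
    'net\s+group\s+.*/domain',
    'nltest(\.exe)?\s+/dclist',
    'whoami(\.exe)?\s+/all'
)

# 5. Pull recent 4688 events and take the CommandLine field from the event XML,
#    so the code relies on field names rather than positional Properties indices.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $cmd = $data['CommandLine']
    if (-not $cmd) { continue }   # event was written before the setting took effect

    foreach ($pattern in $watchList) {
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = $data['SubjectUserName']
                Parent  = $data['ParentProcessName']
                Command = $cmd
            }
            break
        }
    }
}
```

On a domain-joined host the GPO settings named in the article take precedence over a local auditpol change, so use the GPO paths for fleet deployment and keep this script for lab hosts or for verifying that the policy landed. The same CommandLine extraction works unchanged on events collected through Windows Event Forwarding, which is the usual path into a SIEM.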

Risk Assessment for Security Control

CIO at a credit union ($428M, USA)
Instead of purchasing a Network Access Control server we have decided to do MAC Address Filtering instead. When it was discussed with our NCUA auditor, it was indicated that this would be acceptable providing we did a risk assessment for this control option. Does anyone have a sample of a risk assessment for something like this?

Take my Credentials Please

Server Message Block (SMB) is the network sharing protocol commonly used in organizations to allow systems within the same network to share files. SMB requires port 139 or 445 to be open to communicate with other systems. One way an attacker can take advantage of this protocol is if an organization's outbound SMB traffic is not blocked at the firewall. An attacker can send an email containing a link to a resource, such as an image, on a remote server. If a user clicks the link, the Windows workstation will try to authenticate to the remote share and send the user's encrypted credentials to the remote server. After this happens, an attacker can attempt to crack the encryption using readily available tools on the internet and collect the credentials. At this point it's simply a matter of time before a persistent attacker finds a place on your network to use these credentials for further attacks. SMB security best practice is to block all versions of SMB at the network boundary by blocking TCP ports 139 and 445, plus the related UDP ports (137 and 138), on boundary devices. Link to CISA best practices:
https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
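The boundary block the article recommends lives on the perimeter firewall, but the same ports can also be blocked per host as defense in depth, and either control should be verified from an endpoint. The PowerShell below is an added example, not code from the article or from CISA: it creates outbound Windows Firewall rules for TCP 139/445 and UDP 137/138 scoped to non-intranet destinations, then probes a placeholder host on port 445 to confirm egress fails. Assumptions: the `Internet` keyword for `-RemoteAddress` is used to scope the rules; `$probeHost` is a placeholder you replace with a host you control outside your network.

```powershell
# Added example: host-level outbound SMB block plus an egress check.
# Run from an elevated PowerShell prompt.

$ruleTag = 'Block outbound SMB to Internet'

# Create each rule only if it does not already exist (keeps the script idempotent).
function Add-OutboundBlockRule {
    param([string]$Name, [string]$Protocol, [int[]]$Ports)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
            -Protocol $Protocol -RemotePort $Ports -RemoteAddress Internet `
            -Profile Any -ErrorAction Stop | Out-Null
    }
}

# TCP 139 and 445: SMB over NetBIOS session service and direct-hosted SMB.
Add-OutboundBlockRule -Name "$ruleTag (TCP)" -Protocol TCP -Ports 139, 445

# UDP 137 and 138: NetBIOS name and datagram services (the related UDP ports).
Add-OutboundBlockRule -Name "$ruleTag (UDP)" -Protocol UDP -Ports 137, 138

# Show the rules so a reviewer can see they are enabled and outbound/block.
Get-NetFirewallRule -DisplayName "$ruleTag*" |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# Egress check: with either the host rule or the boundary firewall in place,
# TcpTestSucceeded should be False (the probe times out rather than connecting).
$probeHost = 'smb-egress-test.example.invalid'   # placeholder, replace before use
$result = Test-NetConnection -ComputerName $probeHost -Port 445 -WarningAction SilentlyContinue
if ($result.TcpTestSucceeded) {
    Write-Warning "Outbound SMB to $probeHost on 445 succeeded: egress is NOT blocked"
} else {
    Write-Output "Outbound SMB to $probeHost on 445 is blocked (expected)"
}
```

Because Windows Firewall block rules win over allow rules, scoping the remote address matters: a rule with `-RemoteAddress Any` would also break file sharing and domain logon traffic to internal servers. The host rules are a backstop, not a replacement for the boundary block, since a roaming laptop on a hotel network is exactly the case where the perimeter firewall is not in the path.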