A necessary component to any IR: Containment

This blog is updated at https://ciberesponce.com. Incident Response and Containment: Anyone who does Incident Response (IR), or any Digital Forensics and Incident Response (DFIR) process, knows that collecting Indicators of Compromise (IOCs) is only half the story. Eventually, you’ll need to recover the environment, which inherently means you had best have confidence in the IOCs and have…


Setting up Kali Linux in Docker on Windows 10

A few times now, I have found myself wondering why I need a full-blown VM. I need to be able to quickly get my tools up and running on any hardware I find myself on. Most of the time that is a freshly installed Windows 10 on my Surface Book—I…


WMI Queries: ReturnValue vs uValue (and some Remote Registry)

Interestingly, when querying a registry setting in Windows via WMI through PowerShell, it isn’t as straightforward as previously thought. When developing the Audit Policy settings tool, which uses WMI through PowerShell explicitly to avoid dependencies on Windows Remote Management (WinRM) or even the Remote Registry service, we hit…


ATA Auditing (AuditPol, Advanced Audit Settings Enforcement, Lightweight Gateway Service discovery)

NOTE: This blog and code were updated to include a new targeting feature so that only one domain or child domain can be targeted for assessment. This will still discover all DCs in the forest; however, only the DCs in the targeted domain will be assessed. Advanced Threat Analytics (ATA) v1.8 added…



Installing Operational Management Suite (OMS) on top of Advanced Threat Analytics (ATA) is dead simple. It is even simpler if your ATA Center is installed in Azure, as deploying the OMS agent on Azure VMs is one click. OMS continues to gain momentum as it provides a…


Setting up Damn Vulnerable Web App (DVWA) on Ubuntu in Azure

Getting familiar with attacks is step one of knowing what you’re up against. One way to do that is to get a vulnerable application to practice against and sharpen your skills. Nothing beats Damn Vulnerable Web App (DVWA). Here are the steps to get Damn Vulnerable Web App up…


SmartCard and Pass-the-Hash

On a pretty consistent basis, SmartCard and Multi-factor Authentication (MFA) technologies are brought up when discussing Pass-the-Hash/Pass-the-Ticket with customers. Many customers believe they do not need to worry about such attacks because they have non-repudiation. However, the problem SmartCard was designed to solve predates Pass-the-Hash/Ticket (or Overpass-the-Hash) being a real thing! At that time, preventing…


Ubuntu RDP in Azure

Many times, I get asked how to RDP into a Linux machine created in Azure. So, instead of having the same conversation over and over, I’ll blog about it and point folks here. Going one step further, I figured now was a good time to also test out OpenSSH-Win32. In…


cpassword – MS14-025

Microsoft announced MS14-025 on 13 May 2014. However, it continues to be an issue for many IT organizations, even when patched. I repeat: by simply installing the KB you have not fully remediated the vulnerability (elevation of privilege!) unless you ran the provided PowerShell code to ensure you don’t have any existing cpassword Group Policies…


ATA Playbook Released

The Advanced Threat Analytics Playbook is released. It includes a breakdown of how to test (and therefore learn!) ATA and the real-world research tools that are available on the public Internet. The goal here was simple: debunk some myths around pass-the-hash (i.e. SmartCards); show how these research tools work (and just how easy it is…