BDIR Podcast Episode-005


Join our #Slack Channel! Email us at or or DM us on Twitter @brakesec

Libsyn Feed

JOIN US FOR EPISODE-005, where we will discuss WMI and OUR GUEST WILL BE:

  • Chris Truncer - FortyNorthSec
  • Twitter - @ChrisTruncer and @FortyNorthSec
  • Blog -
  • Github -


NEWS-WORTHY - Sysinternals release Sysmon 8.0 and AutoRuns 13.90

Mark and crew over at Microsoft have released updates to two popular tools, Sysmon and AutoRuns.  Sysmon 8 adds a RuleTag field, so now you can label your rules and see the rule name in the log data.  Autoruns fixed data involving WMI, the topic of the day.

Reminder - Do NOT upload files to VirusTotal until you are certain you are not going to disclose anything to the criminals, as they will know that you know about their Fu.  Also, anything you upload can be downloaded by anyone with a VT private key, and if you upload documents with confidential data, you may create a disclosure for yourself.


Sadly, none of interest this month ;-(


  1. BDIR - WMI vs. WMI: Monitoring for Malicious Activity

  2. Abusing WMI Providers for Persistence

Guests - Chris Truncer

  1. Device Guard Bypass Mitigation Rules


  1. BDIR - WMILM - Phillip Tsukerman

  2. LOG-MD-Pro of course, new WMI persistence feature

Guests - Chris Truncer

  1. WMImplant -
  2. WMIOps (older)


WMI - Exploitation and Detection


Will Schroeder - @ harmj0y

Article on settings needed to enable remote WMI


Matt Graeber BlackHat 2015 - Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor

Chris Truncer - WMImplant

Other WMI and Exploit Kits for Testing detection:

ASR rules for blocking WMI and PsExec process creation



  1. What is WMI

  2. Why do PenTesters and Red Teamers like it?

  3. What are the components of WMI that IR and defenders need to know about

  4. What should defenders, hunters, IR and Forensic people look for?

  5. How to add WMI to your investigations

    1. WMIC cmd line

    2. CIMOM Registry key

  6. Scan the WMI database

  7. Can you block this type of attack? Block the following from being accessible:

    1. Admin$

    2. wmic /node:"<hostname or IP>" os get Caption

    3. Change key

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - set to “0”

    4. Delete key

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken

    5. Disable Remote RPC from the Firewall maybe

    6. Disable DCOM

  8. Testing lab configuration - See Will’s article below

    1. Add the keys just mentioned

    2. Check Windows firewall for Remote RPC

    3. Test that you can get to Admin$

    4. wmic /node:"<hostname or IP>" os get Caption

      • If it works, you will get the OS of the remote machine and be able to map the ADMIN$ share

    5. What our testing showed

      • Impersonation level - “impersonation” + “identification”

  9. How to test yourself

    • Win Logging Cheat Sheet
    • Humio
    • The tools discussed
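An added example (not from the show notes or Will's article) that reads back the remote-WMI settings the outline above says to check, so you can see how exposed a host is before and after the registry, DCOM and firewall changes. It is read-only, runs elevated on the host being audited, and assumes Windows 8/2012 or later for the NetSecurity and SmbShare modules.

```powershell
# Added example: audit the remote-WMI exposure settings from the episode outline.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RemoteWmiExposure {
    # LocalAccountTokenFilterPolicy = 1 turns off UAC remote restrictions, so any
    # local admin gets a full token over WMI/SMB (the lab setting). 0 or absent = filtered.
    $latfp = Get-RegValue $sysPol 'LocalAccountTokenFilterPolicy'
    $latfpState = if ($latfp -eq 1) { '1 - remote UAC filtering OFF' }
                  elseif ($null -eq $latfp) { 'absent - filtering ON (default)' }
                  else { "$latfp - filtering ON" }

    # FilterAdministratorToken = 1 gives the built-in Administrator a filtered token too;
    # the notes say to delete the value, so just report whether it is there.
    $fat = Get-RegValue $sysPol 'FilterAdministratorToken'
    $fatState = if ($null -eq $fat) { 'absent' } else { "$fat" }

    # DCOM switch: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM is "Y" or "N"
    $dcom = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM'
    $dcomState = if ($dcom) { $dcom } else { 'absent (DCOM on)' }

    # Enabled inbound firewall rules in the built-in WMI group (the Remote RPC path)
    $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object -ExpandProperty DisplayName
    $ruleState = if ($wmiRules) { $wmiRules -join '; ' } else { 'none enabled' }

    # ADMIN$ share present (the share the notes say to test)
    $admin = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $adminState = if ($admin) { 'present' } else { 'absent' }

    [PSCustomObject]@{
        Host                          = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = $latfpState
        FilterAdministratorToken      = $fatState
        EnableDCOM                    = $dcomState
        InboundWmiFirewallRules       = $ruleState
        AdminShare                    = $adminState
    }
}

Get-RemoteWmiExposure | Format-List
```

Run it once on the lab box after "Add the keys just mentioned" and once on a production build; the two reports show exactly which of the listed settings make the wmic /node test succeed.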


BDIR Podcast Episode-004


Our guests are Pieter Heyn and Kresten Krab from Humio, who will discuss with us Cloud-based Log Management and/or On-Prem Log Management.


  • Pieter Heyn - Sales Manager EMEA of HUMIO
  • Kresten Krab - CTO of HUMIO



NEWS-WORTHY - FBI asks everyone to reboot their routers

Last week, security researchers at Cisco's cyberintelligence unit Talos warned of the attack: malicious software, dubbed VPNFilter, had infected an estimated 500,000 consumer routers in 54 countries and was targeting routers from Linksys, MikroTik, Netgear and TP-Link, and possibly others. 

The FBI on Friday sent out a notice recommending that anyone with a small office or home office router reboot (turn on and off) their devices to stop the malware.


Sadly, none of interest this month ;-(


  1. BDIR - The whole list of Windows Logging Cheat Sheets

  2. BDIR - Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference.docx

Guests - HUMIO

  1. Humio of course -


  1. BDIR - Audit your logs to see how your audit logging compares to industry standards - LOG-MD

  2. BDIR - Add additional details to your logs - The Sysmon Service

Guests - Humio

  1. Humio of course -


Cloud based Log Management and/or On-Prem Log Management



  • So why do I think this topic is important to IT, InfoSec, IR, Network, and Forensic people?
    • Why security and log management are important aka SIEM
    • Story about an SMB needing help on a malware infection across multiple locations
  • MG Top 10 list of tools - Log Management is crucial to Detection and Response
  • Intro by Michael and Brian on how they found Humio 
    • Humio was responsive to our suggestions
    • Other vendors were not, just said yeah, we just wanted your business
  • Cloud log management vs. on-prem
  • MG - I have looked at 10 or more logging solutions and the lack of ease of use is a big one
  • A good log management solution has to have some basic features a lot of solutions lacked or were very buggy
    • Easy to use console
    • Built-in alerting, not as an option
    • Exclusion ability, not this or this or this
    • Save reports and queries
    • Dashboards for those that want them


  • Background of Humio
    • Live data vs query
    • No indexes used
  • Free vs Pro vs. trial vs. On-Prem solutions
    • How much data can I send in the 30-day trial for the SMB type use case?
  • Do you see yourself as a SIEM vendor or wanting to move there?
  • How does GDPR or any compliance regulation affect Cloud shared hosting?
    • And really is this just solved by going with an On-Prem solution?
    • What basic changes did you have to make being a Euro company in this space?
  • There are a lot of Logging solutions, what gap were you intending to fill; what problem were you trying to solve?
  • New features in the last release you want to mention
  • What are the major differences or advantages that your customers like about Humio?


Our goal for the listeners

  • Try it on your home systems
  • Learn how to do basic logging
  • How to audit a Windows system
  • How to set the audit logging
  • Install the WinLogBeat agent
  • Start with the Winlogbeat config from Malware Archaeology
  • Use Humio
  • Populate it with the queries from the "Windows Humio Logging Cheat Sheet"


BDIR Podcast Episode-003


Join us for Episode-003, our guest will be:

         Lesley Carhart - Principal Threat Hunter at Dragos Inc.

News-Worthy - City of Atlanta ransomware FOLLOW-Up

Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack



Atlanta government was compromised in April 2017 – well before last week’s ransomware attack

Compromised Connected Fish Tank - Comes from a global threat report (2017) from Darktrace - a summary of their case studies for the year

Malware of the Month

Sigma Ransomware - Notable artifact

  • No text in the body of the message, just an image of text
  • Defeats sandbox evaluation solutions that scan the message text for the password to use on the attached Office documents


1.  BDIR - ISO 27035 - Information security incident management

2.  BDIR - NIST 800-61

Guest - Lesley Carhart






  1. BDIR - Blue Team Handbook: Incident Response Edition: A :  by Don Murdoch GSE
  2. BDIR - Blue Team Field Manual (by Alan J White and Ben Clark)

Guest - Lesley Carhart

1.  Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools a fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.

Other tools Lesley recommends you learn:

Books Lesley recommends everyone read for IR

  • Blue Team Field Manual (BTFM) - by Alan White and Ben Clark
  • Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (7th Edition) - by Pavel Yosifovich, Mark E. Russinovich, David A. Solomon, and Alex Ionescu
  • Windows Forensic Analysis DVD Toolkit (2nd Edition) - by Harlan Carvey
  • Digital Forensics with Open Source Tools: Using Open Source Platform Tools for Performing Computer Forensics on Target Systems: Windows, Mac, Linux, Unix, etc. (1st Edition, Kindle Edition) - by Cory Altheide and Harlan Carvey
  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (1st Edition) - by Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters
  • Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software (Feb 1, 2012) - by Michael Sikorski and Andrew Honig

Topic of the Day

The Incident Response Process - Program, Plan, Policy, Process, Playbooks, and Roles

The Program

  • ISO 27035 - Information security incident management
  • NIST 800-61 - Computer Security Incident Handling Guide (August 2012)




  • Prep, Detect/Analysis, Contain/Eradicate/Recovery, Post Incident Activity - NIST

Playbooks: (or “What to do in the event of...”)

  1. Ransomware

  2. Malware infection

  3. Website defacement

  4. Unauthorized Domain Admin Access

  5. Multiple Simultaneous Logins

  6. Media call / report of an incident from external entity

  7. DoS

  8. Phishing

  9. Credential Stealing phishing

  10. Lost or stolen equipment

  11. When to use Forensics

  12. How to do forensics

IESO - Cyber Security Forum - Playbooks

CERT SOCIETE GENERALE - IRM (Incident Response Methodologies)

(From a list found on Peerlyst)

  1. Phishing

  2. Virus or Worm

  3. Ensure that the host has an updated virus definition file

  4. Traffic Flows

  5. Denial of service (Network Crafted)

  6. Denial of service (spam)

  7. Host Compromise (Trojan)

  8. Network Compromise (Cracking)

  9. Host Compromise (physical Access)

  10. Domain Hijacking

  11. DNS Cache Poisoning

  12. Suspicious User Activity

  13. User Account Compromised

  14. Unauthorized Access (Employee)

  15. Corporate espionage

  16. Internet Hoaxes

  17. IP Telephony denial of service or Outage

  18. Unauthorized remote access protocol

  19. Suspicious website access

  20. Unexpected administrative account / permissions added.


  • What is each person responsible for?

All the people add up to  and are a part of your CIRT (NOT CERT)

  • Incident Responder / IR Manager

  • Incident Handler

    • Project Manager

    • Communication lead

    • Documentation lead

  • Security Operations Analysts / Triage Analysts

  • Forensic Analysts:

  • Malware Reversers

  • Security Engineering

  • Threat Intelligence

  • Leadership

  • HR

  • PR / Corporate Communications

  • Legal Counsel

  • IT (Domain Admin, Help Desk, Server Admins, Client / Patch Admins)

  • Audit

  • GRC / Disaster Recovery / Risk Management

  • Developers / AppSec / Product Engineering

War Room

  • What is it and when to use it and why

Tabletop Exercises

  • What should you do here

IR Firm Retainer & Fees can be used for?

  • What can you use them for?

Breach Notification

  • Who is involved

  • What to prepare

  • Whom to involve


Carnegie Mellon - SEI - CSIH


  • SANS


BDIR Podcast Episode-002


Join us for Episode-002, our guest will be:

         David Longenecker - InfoSec Practitioner

  • Twitter: @dnlongen
  • Blog:
  • GitHub -

News-Worthy - City of Atlanta hit with ransomware, services taken offline

  1. Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack

    1. “Mayor (Keisha Lance Bottoms) told reporters that cybersecurity is now a top priority for the city.”

    2. “Wi-Fi at Hartsfield-Jackson Atlanta International Airport has been shut down as a precaution”

  2. Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand

    1. “SecureWorks and the city's incident response team are working with law enforcement, including the FBI, Homeland Security and the Secret Service, as well as independent forensics experts and educational partners like Georgia Tech, to determine exactly what happened.”

    2. “I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it,” the mayor said regarding digital infrastructure




Malware of the Month

Dridex - Artifacts

  1. This came in an email with a URL that auto-downloaded and installed the malware, but it could be a drive-by as well.
  2. Since Dridex uses genuine signed Microsoft binaries copied to a different directory (not System32), sideloading is easy: the malicious DLL just has to be named after one of the DLLs the binary actually needs and sit in the same folder, whereas the legitimate DLL usually is, and should be, located in System32.
  3. This method has been making the rounds of con talks, as many tools miss or exclude known-good Microsoft-signed binaries as “Good”.  A popular tool we all use, Microsoft’s Sysinternals Process Explorer, has an option we have all used to hide Microsoft-signed files to make it easier to spot an obviously bad process.  Dridex exploits this typical analyst behavior to hide among the known good.
    1. It is important to note that we designed LOG-MD to see these cases, since WHERE the file is located can be a BIG clue, even if it is a real and signed MS binary.
  4. Morphs on reboot - The DLL changes its hash on each reboot, the .EXE changes as well, and the DLL name changes to whatever works for that .exe.  So chasing hashes is a waste of time; what you have hash-wise is not what the rest of us will have.
  5. Uses a valid trusted MS-signed binary to launch the bad DLL, which is named for a legitimate DLL that the launcher needs (GamePanel.exe, UxTheme.dll, CameraSettingsUIHost.exe, DUI70.dll, etc.)
  6. Autoruns are a .lnk file in the user’s Startup folder and a Scheduled Task pointing to another version
  7. Files are found in:
    • %windir%\System32\5_Char_random_name
    • %AppData%\5_Char_random_name
  8. Uses svchost.exe to phone home and communicate
  9. Opens a hole for Explorer in the Windows Firewall
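An added example, not from the show notes or LOG-MD, that hunts for the pattern described above: a genuine Microsoft binary running from somewhere other than System32 (a random subfolder of System32 counts as "somewhere other", which is why the check is an exact directory match and not a prefix match) with a DLL carrying a System32 name loaded from the EXE's own folder. Read-only; run elevated so process paths and module lists are visible.

```powershell
# Added example: find relocated system binaries and the DLLs sideloaded beside them.
$sys32  = Join-Path $env:windir 'System32'
$sysWow = Join-Path $env:windir 'SysWOW64'
$winSxS = Join-Path $env:windir 'WinSxS'

function Test-IsSystemDir([string]$Dir) {
    # Exact match only: System32\abcde\ (the 5-char random folder) is NOT a system dir
    ($Dir -ieq $sys32) -or ($Dir -ieq $sysWow) -or
    $Dir.StartsWith($winSxS, [StringComparison]::OrdinalIgnoreCase)
}

function Find-RelocatedSystemBinaries {
    foreach ($p in Get-Process) {
        $exe = $p.Path
        if (-not $exe) { continue }                      # no access (System, protected processes)
        $exeDir = [IO.Path]::GetDirectoryName($exe)
        if (Test-IsSystemDir $exeDir) { continue }
        $name = [IO.Path]::GetFileName($exe)
        # Only interesting if a binary of the same name lives in the real System32
        if (-not (Test-Path (Join-Path $sys32 $name))) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }

        $sideloaded = @()
        try {
            foreach ($m in $p.Modules) {
                if (-not $m.FileName) { continue }
                $mDir  = [IO.Path]::GetDirectoryName($m.FileName)
                $mName = [IO.Path]::GetFileName($m.FileName)
                # DLL loaded from the EXE's folder although System32 has one of that name
                if (($mDir -ieq $exeDir) -and (Test-Path (Join-Path $sys32 $mName))) {
                    $sideloaded += $mName
                }
            }
        } catch { }                                      # module list denied: still report the EXE

        [PSCustomObject]@{
            PID            = $p.Id
            Image          = $exe
            Signer         = $signer
            SigStatus      = $sig.Status
            SideloadedDlls = $sideloaded -join ', '
        }
    }
}

Find-RelocatedSystemBinaries | Format-Table -AutoSize
```

Expect a few legitimate hits from Program Files; a valid Microsoft signature plus a sideloaded DLL plus a random-looking folder name is the combination the artifacts above describe.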




  3. Guest - David Longenecker

    1. - Adversarial Tactics, Techniques & Common Knowledge. A repository of things for which to ask yourself, "would I detect this? Would it set off any alarms?"

    2. - dozens of tools and exploitation techniques, with detailed artifacts generated by those actions. Again, a great resource for asking "how would I detect this?"


  1. LOG-MD

  2. Guest - David Longenecker

    1. - Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools a fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.

Topic of the Day

Windows Logging, Who, What, Where, When, Why

  1. Why is logging important?

    1. Incident took place...what happened?  I don’t know!

    2. Research / hunting.

    3. Alerts

  2. Windows Default logging

    1. Some of the improvements since XP

    2. Default is painfully bad, so at minimum set the following

      1. 4688

      2. 5156

      3. PowerShell

      4. CMD Line Logging

    3. Make checks for

  3. Where does one start to improve logging

    1. Industry Standards

    2. Cheat Sheet(s)

  4. Gaps in the industry standards

    1. Why are they inadequate

  5. Log configurations/properties

    1. Log Sizes

    2. FIFO

  6. Centralized / forwarded vs. Local logging

    1. Why some things shouldn’t be forwarded

    2. Log “nice-to-haves” locally (it won’t kill the box - Microsoft article)

  7. What tools can you use to collect local logs?

    1. Wevtutil

    2. PowerShell

    3. LOG-MD

  8. Filtering logs on the endpoint

  9. 3rd party logging utilities

    1. Sysmon

    2. WLS

  10. Advanced Logging

    • NEW - The Windows Advanced Logging Cheat Sheet

  11. Log Attacks

    • Clear the logs
    • Stop the logging service
    • Change size to 1k
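An added example (not from the show notes or the cheat sheets) that covers two of the points above in one script: it reads back the "at minimum set the following" items from the Windows Default logging section (4688 with command line, 5156, PowerShell script block logging) and then looks for the three log attacks just listed. Read-only; run elevated. The 24-hour window and the 256 MB size floor are assumptions; take real values from the cheat sheets.

```powershell
# Added example: minimum audit settings plus the three log attacks from the notes.
$since    = (Get-Date).AddHours(-24)
$minBytes = 256MB   # assumed floor; "change size to 1k" lands far below it

function Get-AuditSetting([string]$Subcategory) {
    # auditpol /r emits CSV; drop blank lines before parsing
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}
function Get-RegDword([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-MinimumLoggingState {
    [PSCustomObject]@{
        'Process Creation (4688)'        = Get-AuditSetting 'Process Creation'
        'Filtering Platform Conn (5156)' = Get-AuditSetting 'Filtering Platform Connection'
        'Cmd line in 4688 (want 1)'      = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
        'PS ScriptBlock log (want 1)'    = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    }
}

function Get-LogClearEvents {
    # 1102 = Security log cleared (in Security); 104 = any other log cleared (in System)
    $a = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
    $b = Get-WinEvent -FilterHashtable @{LogName='System'; Id=104; StartTime=$since} -ErrorAction SilentlyContinue
    @($a) + @($b) | Where-Object { $_ } |
        Select-Object TimeCreated, Id, LogName, @{n='Detail'; e={ ($_.Message -split "`r?`n")[0] }}
}

function Get-EventLogServiceChanges {
    # 7036 from the Service Control Manager records state changes of the "Windows Event Log"
    # service; a stop or restart that does not line up with a boot is the signal
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Windows Event Log service*' } |
        Select-Object TimeCreated, @{n='Detail'; e={ ($_.Message -split "`r?`n")[0] }}
}

function Get-UndersizedLogs {
    # A log shrunk below the floor; LogMode Circular is the FIFO overwrite behaviour
    Get-WinEvent -ListLog Security, System, Application, 'Microsoft-Windows-PowerShell/Operational', 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue |
        Where-Object { $_.MaximumSizeInBytes -lt $minBytes } |
        Select-Object LogName, MaximumSizeInBytes, IsEnabled, LogMode
}

"== Minimum logging settings (want Success or Success and Failure, and 1) =="
Get-MinimumLoggingState | Format-List
"== Log cleared events since $since =="
Get-LogClearEvents | Format-Table -AutoSize
"== Event Log service state changes since $since =="
Get-EventLogServiceChanges | Format-Table -AutoSize
"== Logs below $($minBytes / 1MB) MB =="
Get-UndersizedLogs | Format-Table -AutoSize
```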



BDIR Podcast Episode-001


Join us for Episode-001, our guest will be:

  • Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry

Topic of the day will be:

"Credential Stealing emails what can YOU do"

Show Notes:

  • Introductions
  • Introduce our Guest
    • Martin Brough
      • Twitter - @HackerNinja
      • Blog -


  1. The Register: Perv raided college girls' online accounts for nude snaps – by cracking their security questions.  Personal info obtained to pull off 1,400 password resets. Now he's behind bars.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

2. The Hacker News: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

The article states that “As CrossRAT is written in Java, it requires Java to be installed”.  Not entirely true: the dropper can check for Java and, if none is present, download a JRE and run it locally, or install “jportable launcher”.

Also, it is interesting that the article calls it undetectable in the title, but then tells you how to detect it by looking for a runkey.

3. Windows 10 Creator update breaks purposefully set security tweaks

(Image: Win 10 fail Tweet.jpg)

4. TrickBot

  • Artifacts

    • Delivered by a Word Doc with Macros

      • Uses cscript and PowerShell to grab the dropper

      • PS gets the dropper and also launches one of the batch files to load it

    • Stores files in %appdata%, i.e. AppData\Roaming\localservice

    • Some oddly named binary

    • Client_ID file

    • Group_tag file

    • A directory named Modules

    • You can see a couple of batch files in %temp% and the binary before it is copied

    • Persistence is a Task called “services update”

    • Named Pipes connection for PowerShell

    • The IP it uses was a US-based hosting service



  • MalPedia - reports and info on malware families, their actors, and YARA signatures


Topic of the DAY

Credential Stealing emails what can YOU do….

What to look for if you DON’T have a lab or also in your lab

  • Screenshots – An authentication page is a good indicator of a credential-stealing site

  • Domain age – How old is the website in days or years?  Is it new?  DGA (Domain Generation Algorithm)

  • Blacklists – Is the domain on any blacklists?  If so, why is the SMTP gateway not catching it?

  • Category – Has the site been categorized (Blog/Malware/etc.)?

  • Reputation – Is this a Bad, Neutral or Good site?

  • Country – Where is this URL hosted?

  • Alexa Rating – How well known is it?

Evaluating it in a Lab

  • LOG-MD Babbeeeee

Steps to take when you get a Phishing email

1.  Of course... you get an alert of some kind or are notified

2.  Get a copy of the email - You can’t evaluate it if you don’t have an actual copy; your help desk’s copy might not have the context correct

3.  Evaluate the URL

  • In a lab, click all the way through, login too (fake creds)
  • Or with one of the URL eval sites

4.  Block the URL - Ya need a Web Proxy of course

  • Or the IP in the firewall

5.  Monitor the IPs in log management from your firewall logs

  • Who else went there
  • You will have a HUGE gap for offsite/roaming people

6.  Consider Fast and Mass disabling of accounts

7.  Recall the message from your mail servers

  • Keep people from opening it

8.  Monitor any Internet facing non-2-Factor email logins

  • Unless you reset all your users that received the phish

9.  Monitor any Internet facing non-2-Factor VPN logins

  • Unless you reset all your users that received the phish

10.  Monitor any Internet facing non-2-Factor Cloud Storage logins

11.  Monitor any Internet facing non-2-Factor Virtual Desktop logins

12.  Monitor for password resets to make sure you got everybody

13.  Contact the sender to say you have been owned

  • Assuming you know it actually came from them.. SMTP logs

14.  Create a Report

  • What happened, how did it come in
  • What improvements can be made to avoid it
  • Improvements to monitoring or hunting

15.  Update your Email Investigation process

  • You will improve each time
  • Someone will need to do this when YOU are not at work or sleeping
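An added example, not from the show notes, that works step 5 above ("who else went there") against Windows Firewall pfirewall.log records. The log lines and the phishing-site IP 203.0.113.10 are constructed for this example; a perimeter firewall needs its own field mapping in the parser.

```powershell
# Added example: which internal hosts reached the phishing IP, and did any get through?
$phishIps  = @('203.0.113.10')
$sampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-03-01 09:12:03 ALLOW TCP 10.0.5.21 203.0.113.10 50211 443 0 - 0 0 0 - - - SEND
2018-03-01 09:12:09 ALLOW TCP 10.0.5.21 198.51.100.7 50212 443 0 - 0 0 0 - - - SEND
2018-03-01 09:40:51 ALLOW TCP 10.0.7.88 203.0.113.10 49873 443 0 - 0 0 0 - - - SEND
2018-03-01 10:02:17 DROP TCP 10.0.9.14 203.0.113.10 51002 80 0 - 0 0 0 - - - SEND
2018-03-01 10:02:20 ALLOW TCP 10.0.7.88 203.0.113.10 49890 443 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-PfirewallLine {
    # Turn one pfirewall.log record into an object; header/comment lines return nothing
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if (-not $Line -or $Line.StartsWith('#')) { return }
        $f = $Line -split '\s+'
        [PSCustomObject]@{
            Time = [datetime]"$($f[0]) $($f[1])"; Action = $f[2]; Proto = $f[3]
            Src  = $f[4]; Dst = $f[5]; DstPort = $f[7]; Path = $f[-1]
        }
    }
}

function Get-HostsThatReached {
    param([string[]]$Lines, [string[]]$DestIps)
    $Lines | ConvertFrom-PfirewallLine |
        Where-Object { $DestIps -contains $_.Dst } |
        Group-Object Src | ForEach-Object {
            $g = @($_.Group | Sort-Object Time)
            [PSCustomObject]@{
                Source     = $_.Name
                Hits       = $_.Count
                FirstSeen  = $g[0].Time
                LastSeen   = $g[-1].Time
                AllowedAny = ($g.Action -contains 'ALLOW')   # a DROP-only host never got through
                Ports      = ($g.DstPort | Sort-Object -Unique) -join ','
            }
        }
}

Get-HostsThatReached -Lines ($sampleLog -split "`r?`n") -DestIps $phishIps | Format-Table -AutoSize
# Real data: -Lines (Get-Content "$env:windir\System32\LogFiles\Firewall\pfirewall.log")
```

With the constructed lines, 10.0.7.88 shows two allowed hits and 10.0.9.14 shows one dropped attempt, which is the difference between "reset the user" and "check why the proxy block was not in place yet".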

BDIR Podcast Episode-000


Join us for our inaugural podcast, our guests will be:

  • Dave Cowen - Forensic Lunch Podcast and G-C Partners
  • Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering

Brian and I will kick off this new podcast, and the topic of the day will be:

"What is this new podcast all about, what will it cover? 

Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"

Show Notes:

  • Introductions
  • Introduce our Guests
    • Tyler Hudak
    • Dave Cowen




Tyler’s Pick

Dave’s Pick


Topic of the DAY

What is this new podcast all about?  Incident Response, Detection and Response, Active Defense, Threat Hunting, Malware Discovery, Basic Malware Analysis

(Images: Incident Response.JPG, DFIR width.JPG)
  1. Define IR

    1. The process by which you respond to an incident (legal sense)?

    2. Do we agree on the diagram above?

      1. Define Discovery

      2. Define Analysis

      3. Define Forensics

    3. Does IR include preparation for an attack?

  2. What is Active Defense?

    1. Your definition will vary

  3. Threat Hunting - where do Hunters fit into all of this?

    1. JPCERT paper

BDIR Podcast Sponsor:


This Podcast Sponsored by:



Brian and I are embarking on an expansion of the Brakeing Down Security Podcast, adding the Brakeing Down Incident Response Podcast (BD-IR Podcast).

This will be a once-a-month podcast with a few extra casts here and there.  The focus will be in the area of Detection and Incident Response, Malware Discovery, Basic Malware Analysis, Threat Hunting, and improvements to your overall security posture.


Join us !