Security Incident Response: Faster and Safer with PowerShell

Presentation transcript:

Security Incident Response: Faster and Safer with PowerShell
J. Greg Mackinnon, Windows Technical Lead, Windows Services, Information Technology Services, Yale University

Security Incident!
How do you probe compromised systems securely? Remoting protocols such as WMI and WinRM, when used with Kerberos authentication, avoid the credential-harvesting hazards of logging on to a compromised host interactively or with a delegated (CredSSP) credential: the target only ever receives a Kerberos service ticket, never a reusable password or hash.
How can we discover the extent of the compromise? Traditional forensic techniques involve cloning the machines. Slow!!!
WinRM is faster than WMI, and easier to pass through firewalls (a single TCP port, 5985 or 5986, rather than DCOM's dynamic port range).

For the win...
The code is in GitHub Enterprise and shared with the ISO.
They can pull it down onto their own "walled garden" systems.
They can modify the code (add scanning modules, or update regex strings in existing modules).

An early use case...
We won't get into the code here, but a link to a fork project called "Spool-FTLDrive" can be found in the footnotes.
DevOps tools like "Ansible" enable rapid data collection over WinRM... but Ansible gets mixed results on the Windows platform.
PowerShell remoting can be fast, too; it's a "simple matter of programming". It supports multi-threading in the form of "Jobs".

Start-FTLDrive
Inspired by Ansible: Faster-than-Light! (Props to "Battlestar" for the PowerShell-friendly name.)
Rides on WinRM, PowerShell remoting, and PS Jobs.
Modules are just PowerShell: no C#, YAML, or T-SQL required.
Most modules are written to run against PowerShell 2.0 or later, so legacy Server 2003 hosts can be scanned from modern systems.
Features:
Queue management function
Modular action scripts
Dead-host detection
Discovery running against 800 hosts can complete in about 15 minutes (previous single-threaded processing took in excess of 8 hours).
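The pieces the two slides above describe (Kerberos-only WinRM access, a PowerShell-2.0-compatible scan module, a job queue, and dead-host detection) fit together in a few dozen lines. The following is an added example written for this page, not code from Start-FTLDrive or Spool-FTLDrive. It assumes the controller runs PowerShell 3.0 or later, that targets are reachable over WinRM and addressed by DNS name (Kerberos does not work against bare IP addresses), and that the operator already holds a domain Kerberos ticket. The function name Invoke-QueuedScan and the $TriageModule scriptblock are illustrative names, not names from the project.

```powershell
# Added example (not Start-FTLDrive's own code). Assumes a PowerShell 3.0+
# controller with a Kerberos ticket, and WinRM-enabled targets named by DNS.

# A "module": a self-contained scriptblock executed on the remote host.
# Kept PowerShell 2.0-compatible (Get-WmiObject, New-Object PSObject) so it
# can run on legacy hosts. This one lists processes whose image lives under
# a user-writable path, a common first-pass triage indicator. The regex is
# the kind of string an analyst would tune per incident.
$TriageModule = {
    $hits = @()
    foreach ($p in Get-WmiObject -Class Win32_Process) {
        if ($p.ExecutablePath -and
            $p.ExecutablePath -match '\\(AppData|Temp|Users\\Public)\\') {
            $hits += New-Object PSObject -Property @{
                Host        = $env:COMPUTERNAME
                Pid         = $p.ProcessId
                Path        = $p.ExecutablePath
                CommandLine = $p.CommandLine
            }
        }
    }
    $hits
}

function Invoke-QueuedScan {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][scriptblock]$Module,
        [int]$MaxJobs = 32,      # concurrent PS Jobs (one WinRM session each)
        [int]$TimeoutSec = 120   # per-host budget before the host is declared dead
    )

    $queue = New-Object System.Collections.Queue
    foreach ($c in $ComputerName) { $queue.Enqueue($c) }
    $running = @{}     # job id -> @{ Host; Started }
    $results = @(); $dead = @(); $failed = @()

    while ($queue.Count -gt 0 -or $running.Count -gt 0) {
        # Fill free slots. Dead-host detection up front: a cheap, authenticated
        # WSMan probe so unreachable hosts never occupy a job slot.
        while ($queue.Count -gt 0 -and $running.Count -lt $MaxJobs) {
            $target = $queue.Dequeue()
            if (-not (Test-WSMan -ComputerName $target -Authentication Kerberos `
                                 -ErrorAction SilentlyContinue)) {
                $dead += $target
                continue
            }
            $job = Start-Job -ScriptBlock {
                param($Target, $ModuleText)
                # Kerberos only: no NTLM fallback and no delegation, so the
                # (possibly compromised) target gets a service ticket it cannot
                # reuse elsewhere, never our password or hash. A scriptblock does
                # not survive job serialization, hence the ToString/Create round trip.
                Invoke-Command -ComputerName $Target -Authentication Kerberos `
                    -ScriptBlock ([scriptblock]::Create($ModuleText)) -ErrorAction Stop
            } -ArgumentList $target, $Module.ToString()
            $running[$job.Id] = @{ Host = $target; Started = Get-Date }
        }

        # Reap finished jobs; stop any that exceeded the per-host timeout
        # (a host that accepts the connection and then hangs is also "dead").
        foreach ($id in @($running.Keys)) {
            $job = Get-Job -Id $id
            $age = ((Get-Date) - $running[$id].Started).TotalSeconds
            if ($job.State -eq 'Running' -and $age -lt $TimeoutSec) { continue }
            if ($job.State -eq 'Running') {
                Stop-Job -Job $job
                $dead += $running[$id].Host
            } elseif ($job.State -eq 'Completed') {
                $results += Receive-Job -Job $job
            } else {
                # Failed (access denied, WinRM refused, ...): keep the reason
                # for the analyst instead of silently folding it into "dead".
                $reason = $job.ChildJobs[0].JobStateInfo.Reason
                $failed += New-Object PSObject -Property @{
                    Host  = $running[$id].Host
                    Error = $(if ($reason) { $reason.Message } else { $job.State })
                }
            }
            Remove-Job -Job $job -Force
            $running.Remove($id)
        }
        Start-Sleep -Milliseconds 500
    }

    [pscustomobject]@{ Results = $results; Dead = $dead; Failed = $failed }
}

# Usage (hosts.txt is a hypothetical one-name-per-line target list):
# $scan = Invoke-QueuedScan -ComputerName (Get-Content .\hosts.txt) -Module $TriageModule
# $scan.Results | Export-Csv .\triage.csv -NoTypeInformation
# $scan.Dead; $scan.Failed | Format-Table -AutoSize
```

Invoke-Command's own -AsJob and -ThrottleLimit parameters give fan-out for free; the hand-rolled queue above is there because it lets you probe liveness before spending a slot, enforce a per-host timeout, and keep "unreachable" separate from "refused", which is the distinction that matters when you are sizing a compromise. Running under Kerberos without delegation also means a module cannot make a second hop (for example to a file share) on your behalf, which is the intended trade: the remote host only ever holds a ticket scoped to itself.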

Where Can I Get It? How Can I Help? https://github.com/jgregmac/Start-FTLDrive