With the recent issues involving COVID-19, and the recent closure announcements of college campuses, organizations are beginning to review their capacity to support a larger than normal remote workforce. In the event of an office closing, is your organization prepared to support the influx of users attempting to gain access to the corporate network remotely? Can your organization ...
Netscaler Still in the Wild
It has been two months since Citrix released details about CVE-2019-19781, a vulnerability found in their NetScaler product. In that time, we here at RSM have been working with several of our clients to help mitigate this vulnerability and remediate the effects of any successful compromises on their systems. Unfortunately, it appears that many more networks are affected by this ...
Manually upload EVTX log files to ELK with Winlogbeat and PowerShell
While the Elastic Stack (ELK) is typically used for live log monitoring, Winlogbeat can be modified to manually send cold logs, or old, inactive Windows Event Logs (EVTX), to ELK for analysis. This functionality allows an analyst to take EVTX files from images or data collected from potentially relevant systems and utilize the functionality of ELK for their ...
Ransomware attacks continue to get worse
Where did we start? From time to time, I still reminisce about my first ransomware investigation. The attack affected a family business in Florida during the summer of 2015. Business was humming along until one fateful morning when an employee arrived for their day of work, only to find that files stored on their servers were encrypted. I will never forget how devastated the ...
Crimson Forge
Today RSM US has released a new research project dubbed Crimson Forge. The project originated from the desire to add evasion capabilities to existing, native payloads. The intention is to target x86 and AMD64 shellcode and automatically rewrite it to evade signature-based detections. The issue with many existing implementations is that they rely on "encoding" the payload and ...
Solarwinds
How a Default SolarWinds Guest Account Can Facilitate Compromise – and How to Fix It. The Problem: SolarWinds is a leading provider of network monitoring and configuration management software. However, there’s a default feature on the SolarWinds Orion Network Performance Monitor tool that could be putting your organization at big risk. The issue is a default guest account ...
No More Mimikatz
Mitigating Windows Credential Flaws. There’s a vulnerability in Windows systems that is leveraged time and time again while compromising a network. Though the technique is well known to attackers, it is rarely mitigated effectively. Bad combination. But it’s convenient… Windows systems will cache user credentials in system memory. In cleartext. This is a default feature in ...
Stanford Password Policy
A creative solution for stronger passwords. Rules, Rules, Rules: Most of us are familiar with basic password rules: Don’t use ‘password’. Duh. Don’t use your username as your password. Got it. Don’t repeat the same password for multiple accounts. Don’t choose an easily guessable password combination, even if it looks complex, e.g. ‘Winter2016’. Ok… I know ...
SMB Relay
SMB Relay Attack. The SMB relay attack has been around for years, and publicly available tools make the attack easier to carry out. The attack can result in a full network compromise with relatively little effort or expertise on the part of the attacker, making this a very common technique. What’s worse, we’ve noticed many organizations are vulnerable to this attack and might ...
Google Dorks
Google Dork: Finding the Information You Don’t Know Exists. Reconnaissance: Reconnaissance. It’s a technique not unknown to most teenagers, and if we’re honest, we’ve all done it ourselves too – Googling the person you just met at the bar, Facebook stalking the new person at work, we all know the drill. This is the age of social media and data breaches, so we all know there’s a ...