Search the Community

A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine. More info: trustedsignal -- blog: Kansa PowerShell Magazine » Kansa: A PowerShell-based incident response framework What does it do? It uses Powershell Remoting to run user contributed, ahem, user contri- buted modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline. How do you use it? Here's a very simple command line example you can run on your own local host. After downloading the project and unzipping it, you'll likely need to "unblock" the ps1 files. The easiest way to do this if you're using Powershell v3 or later is to cd to the directory where Kansa resides and do: ls -r *.ps1 | Unblock-File If you're not running PS v3 or later, Sysinternal's Streams utility can be used to remove the alternate data streams that Powershell uses to determine if files came from the Internet. Once you've removed those ADSes, you'll be able to run the scripts without issue. I've not run into any issues running the downloaded scripts via Windows Remote Management / Powershell Remoting through Kansa, so you shouldn't have to do anything if you want to run the scripts via remoting. Open an elevated Powershell Prompt (Right-click Run As Administrator) At the command prompt, enter: .\kansa.ps1 -Target localhost -ModulePath .\Modules -Verbose The script should start collecting data or you may see an error about not having Windows Remote Management enabled. If so, do a little searching online, it's easy to turn on. Turn it on and try again. When it finishes running, you'll have a new Output_timestamp subdirectory, with subdirectories for data collected by each module. You can cd into those subdirectories and checkout the data. There are some analysis scripts in the Analysis directory, but many of those won't make sense on a collection of data from a single host. Kansa was written for collection and analysis of data from dozens, hundreds, thousands, tens of thousands of systems. Running Modules Standalone Kansa modules can be run as standalone utilities outside of the Kansa framework. Why might you want to do this? Consider netstat -naob, the output of the command line utility is ugly and doesn't easily lend itself to analysis. Running Modules\Net\Get-Netstat.ps1 as a standalone script will call netstat -naob, but it will return Powershell objects in an easy to read, easy to analyze format. You can easily convert its output to CSV, TSV or XML using normal Powershell cmdlets. Here's an example: .\Get-Netstat.ps1 | ConvertTo-CSV -Delimiter "`t" -NoTypeInformation | % { $_ -replace "`"" } | Set-Content netstat.tsv the result of the above will be a file called netstat.tsv containing unquoted, tab separate values for netstat -naob's ouput. Caveats: Powershell relies on the Windows API. Your adversary may use subterfuge.* Collectors can be written to bypass the Windows API as well. Get-RekallPslist.ps1 for example. Link: https://github.com/davehull/Kansa

Oracle has issued a patch to fix several bugs in its Hyperion Product Management financial consolidation and reporting application that could be remotely exploited by hackers. Oracle's Proactive Support team announced the fixes, confirming that they address a number of flaws in the Hyperion Planning 11.1.2.2.x part of the application. The company does not offer firm details about the patch to non-registered customers, and had not responded to V3's request for further details at the time of publishing. However, TK Keanini, chief technology officer at Lancope, told V3 that the user base and nature of data handled within Hyperion means customers should be concerned by the flaw. "If you are running this software, it contains up-to-date business intelligence that you must keep secure. So if you are running this software it is incredibly important to keep it up to date and patched," he said. ? "Ask yourself this: if the information in your Hyperion system was compromised and posted to the internet for all to see, would you be OK with that? ? "The problem most companies face is that they sometimes don't know what is running on their network and this is problem number one that must be solved." Keanini explained that companies should patch the remote access vulnerabilities as soon as possible, but added that he has yet to see any evidence of the flaws being actively exploited by hackers. "This is not just one vulnerability but several. The CVEs that have remote access are the most important to fix first," he said. ? "I have not [seen the flaws being exploited] but when data is published to the internet, it is not like attackers take the time to show their timeline and the provenance of the data. ? "This is always interesting data but also a dangerous indicator because it is a lagging indicator at best." The Hyperion patch is one of many critical fixes issued by Oracle this year. The firm released a critical update in January addressing 167 vulnerabilities across hundreds of its products, including Java. Source

AntiBruteRDP is a simple tool to block bruteforce attempts on your Windows Servers running RDP. Most people will say that, why have it running in the first place? Well, there are times that you will need to have Remote Desktop service available. Tested on Windows Server 2003, Windows Server 2008, and Windows 8, it works flawlessly to block the bruteforce attempts. Please take note that auditing of failed logons are enabled on windows servers by default. If you are running client version eg. Windows 7 or Windows 8, you need to change the Audit Policy for logon attempts using Group Policy Editor (gpedit.msc). For more information, you can refer to technet here Audit logon events: Security Configuration Editor; Security Services It works by monitoring failed attempts by remote addresses and block the attempts. You can configure the settings using the AntiBruteRDP Front End. Download Zippyshare.com