The PowerShell Conference Europe 2019 took place last week in Hannover, and I had the pleasure to attend and speak for the second year in a row. I want to thank @TobiasPSP @Alexandair @sqldbawithbeard and the @PSConfEU crew for putting up this #PowerShell feast. From a RaspberryPi to the Clouds, from PowerShell internals to a dancing Lego robot, if you have anything to do with windows, PowerShell, or a computer, there was some content made for you… Continue reading “Back from PowerShell Conference Europe…”
Continue readingWindows Insight: Virtual Secure Mode
The Windows Insight repository currently hosts four articles on VSM (Virtual Secure Mode):
- Virtual Secure Mode: Architecture Overview (Aleksandar Milenkoski): In this work, we discuss the architecture of a virtualized Windows environment.
- Virtual Secure Mode: Communication Interfaces (Aleksandar Milenkoski): In this work, we discuss the communication interfaces that VSM implements: Isolated User Mode (IUM) system calls, normal-mode services, secure services, and hypercalls.
- Virtual Secure Mode: Protections of Communication Interfaces (Aleksandar Milenkoski): This work discusses implemented mechanisms for securing the above VSM communication interfaces. This includes restrictions on issuing hypercalls, data marshalling and sanitization, and secure data sharing.
- Virtual Secure Mode: Initialization (Dominik Phillips, Aleksandar Milenkoski): This work describes the process for VSM initialization activities performed by the Windows loader and the Windows kernel when Windows 10 is booted.
– Aleksandar Milenkoski
Continue readingEmotet im Active Directory: Es kann jeden treffen – aber Jeder kann es dem Angreifer schwer machen!
Heise berichtet aktuell öffentlich über die Emotet-Infektion im eigenen Haus, bei dessen Aufklärung ERNW unterstützte. Damit liefert Heise Informationen zum Verlauf aktueller Angriffe, aber insbesondere auch wertvolle Einsichten zu Vorbeugung, Erkennung, Analyse und Gegenmaßnahmen aus eigener Erfahrung, wie sie nur selten der Öffentlichkeit preisgegeben werden.
Ein Team aus Incident-Response Spezialisten der ERNW Research unterstützte Heise bei der Analyse und Rekonstruktion des Vorfalls und analysierte die Schadsoftware, um deren Ausbreitungswege nachzuvollziehen und IoCs (Indicators of Compromise) zu extrahieren. Hierdurch konnten effektive Gegenmaßnahmen entwickelt und gemeinsam mit Heise erfolgreich umgesetzt werden.
Im Zuge dessen unterstützten Active-Directory-Spezialisten der ERNW Heise bei der Konzeption und dem Wiederaufbau eines neuen Active Directory. Im heisec-Webinar am 3. Juli berichtet Heise über den Incident und die wichtigsten Erkenntnisse daraus. Dabei sein werden zwei unserer Active Directory-Security-Spezialisten. Sie werden Konzepte und Verfahren für ein sicheres, resilientes und trotzdem betreibbares Active Directory vorstellen und den Teilnehmern mit Tipps für Containment nach einer Infektion und in gemeinsamer Diskussion zur Verfügung stehen.
Bei Interesse an diesem Thema beachten Sie auch die vielen Vorträge internationaler Active Directory-Security-Spezialisten des Active Directory Security Tracks auf der diesjährigen Troopers (so wie unsere eigenen Beiträge dazu, wie etwa hier und hier) und unsere Workshops zu Active Directory-Sicherheit und Inicdent Response.
Wir wünschen allen Lesern ein schönes verlängertes und hoffentlich Incident-freies Pfingstwochenende!
Friedwart Kuhn & Andreas Dewald.
Continue readingWindows Insight: The TPM
The Windows Insight repository currently hosts three articles on the TPM (Trusted Platform Module):
- The TPM: Communication Interfaces (Aleksandar Milenkoski): In this work, we discuss how the different components of the Windows 10 operating system deployed in user-land and in kernel-land, use the TPM. We focus on the communication interfaces between Windows 10 and the TPM. In addition, we discuss the construction of TPM usage profiles, that is, information on system entities communicating with the TPM as well as on communication patterns and frequencies;
- The TPM: Integrity Measurement (Aleksandar Milenkoski): In this work, we discuss the integrity measurement mechanism of Windows 10 and the role that the TPM plays
as part of it. This mechanism, among other things, implements the production of measurement data. This involves calculation of hashes of relevant executable files or of code sequences at every system startup. It also involves the storage of these hashes and relevant related data in log files for later analysis;
Continue reading “Windows Insight: The TPM”
Continue readingThe Week in Review #RIPE78
This week Chris and I participated in the RIPE 78 meeting in Reykjavík. Being part of the group was fun as always and we had quite some interesting conversations with peers from (not only) the IPv6 community.
Big thanks to the RIPE NCC team for the smooth organization and for taking care of us!
In this post I’ll provide some notes on talks I found particularly interesting, plus links to our own contributions.
Continue reading “The Week in Review #RIPE78”
Continue readingWindows Insight: A New ERNW Repository
We are glad to announce the Windows Insight repository. The content of this repository aims to assist efforts on analysing inner working principles, functionalities, and properties of the Microsoft Windows operating system. This repository stores relevant documentation as well as executable files needed for conducting analysis studies.
Some of the content of this repository has been created in the course of a project named ‘Studie zu Systemaufbau, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10 (SiSyPHuS Win10)’ (ger.) – ‘Study of system design, logging, hardening, and security functions in Windows 10’ (eng.). This project has been contracted by the German Federal Office for Information Security (ger., Bundesamt für Sicherheit in der Informationstechnik – BSI). The work planned as part of the project is conducted by ERNW GmbH, starting in May 2017.
Continue reading “Windows Insight: A New ERNW Repository”
Continue readingIPv6 Security for Enterprise Organisations @ #RIPE78
Chris and I will give a tutorial on the above topic at next week’s RIPE Meeting in Reykjavík. In this post (actually this will probably become a small series of posts) I’ll try to summarize some thoughts on IPv6 security in enterprise environments in 2019.
Continue reading “IPv6 Security for Enterprise Organisations @ #RIPE78”
Continue readingHeise Security Tour: Offensive PowerShell
Dominik Phillips and I are taking part in a tour organized by Heise Security – the Heise Security Tour. We give a talk titled “PowerShell: Attack under the radar”. In this talk, we provide an overview of the architecture of PowerShell and show how attackers may use PowerShell for malicious purposes. We demonstrate PowerShell post-exploitation activities implemented as part of publicly available frameworks, such as Empire. We also discuss a security concept for defending against such activities.
You can find the slides of our talk here (in German).
– Aleksandar Milenkoski
Continue reading#TR19 Next Generation Internet (NGI) Summaries
This blogpost contains summaries of talks from this year’s TROOPERS19 Active Directory Security Track.
Microsoft IT (Secure) Journey to IPv6-Only
Veronika McKillop, Network Architect, Cloud and Connectivity Engineering (CCE)
The speaker, Veronika McKillop, working at Microsofts network infrastructure services, has given a talk about the process of switching a company network from IPv4 to IPv6-only. Continue reading “#TR19 Next Generation Internet (NGI) Summaries”
Continue readingSecurity Advisory for Cisco Nexus 9000 Series Fabric Switches in ACI mode
Yesterday, Cisco released a number of security advisories. Three of the advisories originated from research performed by us for the Cisco Nexus 9000 Series Fabric Switches / Cisco Application Centric Infrastructure (ACI). Continue reading “Security Advisory for Cisco Nexus 9000 Series Fabric Switches in ACI mode”
Continue reading