Author: Josh Bryant


  • After 6 years of silence, plus a month of downtime… Now with 100% more containers and an all-new look! Where have I been? Busy with work mostly. After I last posted in 2019, I got very busy launching a proactive lateral movement risk assessment tool called “Impact” at Tanium. Then the pandemic hit, which put…

  • Back in April of 2016, Zaid Arafeh, Clare Kearney, and I recorded a 7-part series for the Microsoft Virtual Academy titled “Defending Active Directory against Cyberattacks”. Unfortunately, Microsoft retired the Virtual Academy and most of the recordings are no longer available. Some of the content is now part of this edX course on Managing…

  • Microsoft Exchange Servers are a high-value target for many adversaries, which makes the investigation of them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on…

  • In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty-handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent…

  • Public and private enterprises face the same threats, and yet often have different approaches to defense. What if you could take some of the best tactics from each and blend them together? What if I told you this is already happening in small pockets around the US? Enhance your defenses by studying the strengths and…

  • The results are in: you’ve been breached. It’s officially the worst day of your career. How will you handle what comes next? Are you prepared to navigate the long road to recovery? Where do you even begin? Come, hitch a ride with me; I’ll show you the way. Lessons learned from dozens of compromise recoveries…

  • Three years ago I wrote a document titled “Removing Exchange’s ability to impact Tier 0 and Tier 1” that was distributed internally at Microsoft as well as to dozens of Microsoft customers as part of Cybersecurity services delivered through Microsoft Consulting Services (MCS). I had always intended to get this document published publicly, but for…

  • Microsoft Exchange Servers are a high-value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using…

  • I’ll be presenting a brand new session titled “Hunting Webshells on Microsoft Exchange Server” at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th! My session abstract: “Microsoft Exchange Servers are a high-value target, making investigation of them during Incident Response vital, but where do you start?…

  • Ever since last month’s announcement that Microsoft SQL Server will be coming to Linux, quiet rumors have been floating around that some of Microsoft’s other Enterprise Products, such as Exchange Server, may follow suit. With this week’s announcement at the Build conference about the popular Linux shell “BASH” coming to Windows, I decided it was time to see…