Category: Conference Talks


Back in April of 2016, Zaid Arafeh, Clare Kearney, and I recorded a 7-part series for the Microsoft Virtual Academy titled “Defending Active Directory against Cyberattacks”. Unfortunately Microsoft retired the Virtual Academy and most of the recordings are no longer available. Some of the content is now part of this edX course on Managing Identity.

I recently had someone reach out to me on Twitter and ask if I still had a copy of the slides from this series. After some searching, I was able to locate them. Slides for all 7 sessions are now available below:

Hunting Webshells: Tracking TwoFace

September 9, 2019 | Conference Talks

Microsoft Exchange Servers are a high-value target for many adversaries, which makes the investigation of them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server. The presentation will feature real-world examples carried out by an adversary group using web-based backdoors to breach and maintain access to networks of targeted organizations in the Middle East.

This talk has evolved over the last few years. I originally came up with the idea for this talk in 2016 after some friends and colleagues of mine from Microsoft’s Global Incident Response team (now called Detection and Response Team) reached out to me for help analyzing a webshell they’d found at a customer. By this point I had analyzed a few different webshells targeting Exchange Servers, and thus the original version of this talk, titled “Hunting Webshells on Microsoft Exchange Server” was born and delivered at the 2017 SANS Threat Hunting Summit. At the time I had no idea what to call this webshell.

Shortly after SANS released the recording of that talk, Palo Alto’s Unit 42 released a blog post by Robert Falcone, who called this webshell “TwoFace”. Robert and I started talking and decided to combine our research and co-present the next version of this talk. It was accepted by and delivered at the 2018 SANS Threat Hunting Summit. Video and slides from that version can be found below.

In 2019, we decided to update this talk again. We ended up delivering it at DerbyCon 9: Finish Line. Video and slides from this version can be found below as well.

If you would like this talk presented at your event or conference, please contact me on Twitter or LinkedIn.

In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent of the kill or capture in the physical world. Proper execution of this phase is necessary for a successful hunt, and it’s as easy as remembering your ABCs. You’ve stalked and located your prey, evil has been found, are you prepared to take it out?

I gave this talk at the GoSec 2019 conference in Montreal, the 2019 Texas Cyber Summit in San Antonio, and the 2019 Forensik conference in Montreal. Slides are available below. I’d like to give a shout out to Michael Melone, who I believe originally came up with the “ABCs”, Jared Poeppleman for writing the krbtgt reset script, as well as Andrew Robbins and his team for creating the Bloodhound tool, all of which are referenced in these slides.

If you are interested in having this talk delivered at your event or conference, please contact me through Twitter or LinkedIn.

Public and private enterprises face the same threats, and yet often have different approaches to defense. What if you could take some of the best tactics from each and blend them together? What if I told you this is already happening in small pockets around the US? Enhance your defenses by studying the strengths and weaknesses of each sector and blending tactics from both.

This talk was originally presented at the 2019 SANS Enterprise Defense Summit. Slides are available below.

If you are interested in having this talk delivered at your event or conference, please contact me through Twitter or LinkedIn.

The results are in, you’ve been breached. It’s officially the worst day of your career. How will you handle what comes next? Are you prepared to navigate the long road to recovery? Where do you even begin? Come, hitch a ride with me, I’ll show you the way. Lessons learned from dozens of compromise recoveries across a variety of industries from around the world. Advice on evicting your adversary, answering to Executives, and recovering from the trauma of a cyberattack, to help you better prepare for the inevitable breach. Turn your worst day around, just don’t forget your towel!

This talk was given at the 2017 SANS Data Breach Summit, and the 2018 Camp IT Enterprise Risk / Security Management conference to audiences of Executives and Legal Counsel. Recently a few people expressed interest in seeing the slide deck from this talk, so I’m making it available here.

If you are interested in having this talk delivered at your event or conference, please contact me through Twitter or LinkedIn.

Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server, through real world examples. It’s easier than you might think, and these techniques can help up your DFIR game in environments containing Exchange Servers!

This talk was originally presented at the 2017 SANS Threat Hunting and Incident Response Summit. A recording of this talk and the slide deck from it are available below. If you would like an updated version of this talk presented at your event or conference, please contact me on Twitter or LinkedIn.
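The abstracts on this page promise a way to hunt webshells on Exchange using only the logging every server already has, but the page carries no code for it. The following is an added example of mine, not code or slides from the talk: it parses IIS W3C extended log lines (the format IIS writes by default for the OWA and ECP virtual directories), diffs every requested .aspx page against a known-good baseline, and flags unauthenticated POSTs to .aspx pages, then summarises each hit by client IP, user agent and status code for triage. The log lines, the baseline set and the stem `/owa/auth/discover.aspx` are all constructed for this illustration and are not real indicators.

```python
"""Hunt for webshell activity in Exchange IIS (W3C extended) logs.

Added illustration, not code from the talk.  Assumptions are marked.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample log (not real data).  Two OWA users log on normally;
# a third source posts repeatedly, unauthenticated, to an .aspx page that
# a stock install does not contain.  The stem /owa/auth/discover.aspx is
# a made-up name, not a known indicator.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-09-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2019-09-01 08:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 302
2019-09-01 08:00:03 10.0.0.5 GET /owa/ - 443 CORP\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2019-09-01 08:00:04 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0) 302
2019-09-01 08:00:05 10.0.0.5 GET /ecp/default.aspx - 443 CORP\bob 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0) 200
2019-09-01 08:01:10 10.0.0.5 POST /owa/auth/discover.aspx - 443 - 198.51.100.7 python-requests/2.22.0 200
2019-09-01 08:01:12 10.0.0.5 POST /owa/auth/discover.aspx - 443 - 198.51.100.7 python-requests/2.22.0 200
"""

# Assumption: a baseline of the .aspx pages a clean server of the same
# Exchange build serves.  In practice build it by enumerating the .aspx
# files under the OWA/ECP virtual directories of a known-good server (or
# from that server's own IIS logs); this short hand-written set is a stand-in.
BASELINE_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request line.

    Directive lines start with '#'.  '#Fields:' names the columns for the
    lines that follow (IIS re-emits it when the field set changes), so it
    is tracked rather than assumed.  Values never contain spaces: IIS
    writes '+' for them and '-' for empty fields.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line: skip, don't misalign
        records.append(dict(zip(fields, values)))
    return records


def hunt_webshells(records, baseline=BASELINE_ASPX) -> Dict[str, dict]:
    """Return a per-stem summary of suspicious .aspx requests.

    Two heuristics (assumptions about how a shell shows up in the log):
      1. an .aspx stem the baseline does not contain;
      2. a POST to an .aspx page with no authenticated user (cs-username
         '-'); the OWA logon form itself posts to auth.owa, not an .aspx.
    Each flagged stem collects hit count, client IPs, user agents and
    status codes so the analyst can triage quickly.
    """
    findings: Dict[str, dict] = {}
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx"):
            continue
        reasons = set()
        if stem not in baseline:
            reasons.add("not in baseline")
        if r.get("cs-method") == "POST" and r.get("cs-username", "-") == "-":
            reasons.add("unauthenticated POST")
        if not reasons:
            continue
        f = findings.setdefault(stem, {
            "reasons": set(), "hits": 0, "clients": set(),
            "agents": set(), "statuses": Counter(),
        })
        f["reasons"] |= reasons
        f["hits"] += 1
        f["clients"].add(r.get("c-ip"))
        f["agents"].add(r.get("cs(User-Agent)"))
        f["statuses"][r.get("sc-status")] += 1
    return findings


def report(findings: Dict[str, dict]) -> List[str]:
    """Render findings as one line per stem, most-hit first."""
    lines = []
    for stem, f in sorted(findings.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(
            f"{stem}: {f['hits']} hits from {sorted(f['clients'])}, "
            f"agents={sorted(f['agents'])}, status={dict(f['statuses'])}, "
            f"why={sorted(f['reasons'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(hunt_webshells(parse_w3c(SAMPLE_LOG))):
        print(line)
```

Two caveats for anyone running something like this for real. The baseline has to come from a clean server of the same build, otherwise every legitimate page that your hand-written list forgot becomes a false positive; and a log-only check says nothing about a shell appended to an existing, baseline-listed page or about a malicious IIS module, which is why the flagged stems (and, for the other cases, file hashes and timestamps under the virtual directories) still need to be examined on disk.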

I’ll be presenting a brand new session titled “Hunting Webshells on Microsoft Exchange Server” at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th!

My session abstract:
“Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server, through real world examples. It’s easier than you might think, and these techniques can help up your DFIR game in environments containing Exchange Servers!”

Full agenda: https://www.sans.org/event-downloads/45247/agenda.pdf

More details: https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

If you can’t make the summit, a recording should be available afterwards. I’ll post a link to the recording and a detailed blog on this subject when available.

Here are some times/places you can find me during the Microsoft Ignite conference next week.


Sunday May 3rd

3-4 PM – #BeerIT – I’m hoping to make this pre-conference party, but the time conflicts with a meeting I have. Hopefully I’ll be able to make it for at least part of it.

6-9 PM – Exchange and Sharepoint Pre-Release Program Pre-Event – This one is invite only, if you have an invite, I’ll see you there!


Monday May 4th

6-8 PM Welcome Reception/Ask the Experts in the Expo Hall – I’ll be hanging out in the Office 365/Exchange area wearing one of the “EXPERT” Orange shirts.

After Hours – TBD


Tuesday May 5th

Attending as many sessions as I can get into. Taking it easy after hours to make sure I’m ready to deliver my session on Wednesday.


Wednesday May 6th

10:45 AM – 12 PM – Delivering “Shut the Front Door! Securing your Messaging Environment.” in room N426 (Subject to change, the room has a capacity of 548, and over 800 have enrolled!)

Attending any sessions I can for the rest of the afternoon.

After Hours TBD, but now that my session is out of the way, it’ll be time to let loose!


Thursday May 7th

1:15PM – 4 PM – Manning the Exchange booth in the Expo Hall.

6:30 PM – 10:30 PM – Ignite Celebration!


Friday May 8th

Squeezing into a few last sessions, then heading home!


If you haven't already heard, I'll be delivering a session at the Microsoft Ignite conference at McCormick Place in Chicago, Illinois, May 4-8. My session is called "Shut the Front Door! Securing your Messaging Environment". (Session code BRK3109)

UPDATED!  TIME CHANGE! (Updated again, for some reason the strikethrough text isn't working, removed some text to avoid confusion)

The date and time of my session have been officially announced, it will be Wednesday May 6th from 10:45 AM to 12:00 PM. You can find more details here. Also be sure to check out my promo video on YouTube.

As of today (Updated 4/9) there are already over 400 enrolled to attend my session, space is limited, so if you haven't already enrolled in my session, be sure to do so soon!  The conference itself is sold out!

Stay tuned for a behind the scenes look at what goes into creating a session for this conference! I hope to see you there!