Disable “Run” Command via GPO
Want an easy way to harden your workstations? Disable the Run box for standard users. It’s a classic, straightforward restriction that stops curious users and particular basic social…
I already have nginx configured to drop connections from non-US IP addresses using the libnginx-mod-geoip module. Taking this a step further, I decided to block all non-US IP…
SSL/TLS protocol settings may be specified in the primary Nginx configuration file (usually located at /etc/nginx/nginx.conf), or in your site configuration files. Look for a line beginning with ssl_protocols. For…
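As an added example (not code from the post), the weak and corrected forms of the ssl_protocols directive side by side, with a small Python audit that finds the directive wherever it appears and rewrites it. The server block, the deprecated-protocol list and the recommended replacement are assumptions for illustration; TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+, so on older builds keep TLSv1.2 alone.

```python
import re
from typing import List, Set

# Constructed sample (not from the post): a server block that still offers SSLv3 and TLS 1.0/1.1.
WEAK_CONF = """\
server {
    listen 443 ssl;
    server_name example.internal;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Protocol names nginx accepts in ssl_protocols that should no longer be offered.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# The corrected directive. TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+;
# on older builds drop it and keep TLSv1.2 alone.
RECOMMENDED = "ssl_protocols TLSv1.2 TLSv1.3;"

# Matches an uncommented ssl_protocols directive at the start of a line, capturing its indentation.
_DIRECTIVE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;]+);", re.MULTILINE)


def find_ssl_protocols(conf: str) -> List[List[str]]:
    """Protocol lists of every ssl_protocols directive in the text, in file order."""
    return [m.group(2).split() for m in _DIRECTIVE.finditer(conf)]


def weak_protocols(conf: str) -> Set[str]:
    """Deprecated protocol versions the config still enables."""
    found: Set[str] = set()
    for protos in find_ssl_protocols(conf):
        found.update(p for p in protos if p in DEPRECATED)
    return found


def harden(conf: str) -> str:
    """Rewrite each ssl_protocols directive to RECOMMENDED, preserving indentation."""
    return _DIRECTIVE.sub(lambda m: m.group(1) + RECOMMENDED, conf)


if __name__ == "__main__":
    print("weak:", sorted(weak_protocols(WEAK_CONF)))
    print(harden(WEAK_CONF))
```

Because a server-level ssl_protocols overrides one set in the http block, audit the merged configuration (`nginx -T` prints it with all includes expanded) rather than nginx.conf alone, and run `nginx -t` before reloading.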
A quick method to scan your network and enumerate the SSL/TLS ciphers in use on systems is with nmap. nmap --script ssl-enum-ciphers -p 443 192.168.0.1/24 This will scan…
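The scan above produces one ssl-enum-ciphers block per host, which is tedious to read across a /24. As an added example (not code from the post), a Python parser for that output that pulls out the protocol versions and the per-cipher grades nmap assigns, then lists hosts that still offer a legacy protocol or a cipher graded below the threshold. The sample output is constructed in the script's layout, not a real scan; the legacy-protocol set and the grade threshold are policy assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout the ssl-enum-ciphers NSE script prints (not real scan output).
SAMPLE = """\
Nmap scan report for 192.168.0.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C

Nmap scan report for 192.168.0.11
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PROTO_RE = re.compile(r"^\|[_ ]\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[_ ]\s+((?:SSL|TLS)_\S+)\s+\(.*?\)\s+-\s+([A-F])\s*$")
LEAST_RE = re.compile(r"^\|[_ ]\s+least strength:\s+([A-F])")

# Protocol versions that should be switched off (assumed policy; adjust to your baseline).
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_enum_ciphers(text: str) -> Dict[str, dict]:
    """host -> {"protocols": {version: [(cipher, grade)]}, "least": overall grade}."""
    hosts: Dict[str, dict] = {}
    host = proto = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            hosts[host] = {"protocols": {}, "least": None}
            proto = None
            continue
        if host is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            hosts[host]["protocols"][proto] = []
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            hosts[host]["protocols"][proto].append((m.group(1), m.group(2)))
            continue
        m = LEAST_RE.match(line)
        if m:
            hosts[host]["least"] = m.group(1)
    return hosts


def findings(hosts: Dict[str, dict], min_grade: str = "A") -> List[Tuple[str, str]]:
    """(host, issue) for each legacy protocol and each cipher graded worse than min_grade."""
    out = []
    for host, info in hosts.items():
        for proto, ciphers in info["protocols"].items():
            if proto in LEGACY:
                out.append((host, f"legacy protocol enabled: {proto}"))
            for name, grade in ciphers:
                if grade > min_grade:  # grades are single letters, so string order works
                    out.append((host, f"{proto} offers {name} graded {grade}"))
    return out


if __name__ == "__main__":
    for host, issue in findings(parse_enum_ciphers(SAMPLE)):
        print(host, issue)
```

Save the scan with `-oN scan.txt` and feed the file to parse_enum_ciphers. The parser keys results by host only; if you scan more than one TLS port per host (8443, 993, 465 with STARTTLS), extend it to track the port line as well.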
A new variant of Dharma seems to have hit a server; here are some of the details I've been gathering.
I have triaged a handful of Windows servers this week that started out being ticketed as high CPU / performance issues. Upon investigation, I have found XMR cryptocurrency…
I recently revisited a project from some time ago that I had found, and modified the code to support PHP 7, which dropped support for the mysql extension in favor of mysqli.
Break-fix call on a CrySiS Ransomware infection. It's actually not CrySiS, but a fork of it, which is not decryptable at this time. CrySiS shut down its operation…
I had some time at lunch to kill, so I decided to see how malware techniques were improving in the land of WordPress and free premium theme download…
I found the database dump of the CryptoLocker release from May 30, 2015 by the ransomware's author. I decided to put it into a database and make a…
A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around…
Move over CryptoLocker, there's a newer and meaner kid on the block. CTB-Locker, or Curve-Tor-Bitcoin Locker, makes use of Tor (Tor is free software and an open…
A vulnerability has been discovered in the Disqus plugin for WordPress allowing for Remote Code Execution. The Disqus plugin is used on nearly 2 million WordPress blogs. Who is…
Identification of CryptoLocker. Location of CryptoLocker binaries: %AppData%\<random>.exe and %LocalAppData%\<random>.exe. If the malware has executed, one or more of the following registry entries will be present: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker", HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run…
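The two indicators above (a random-named .exe sitting directly in %AppData% or %LocalAppData%, and a Run value named CryptoLocker) are easy to check mechanically. As an added example (not code from the post), a Python triage script that applies them: it flags a Run value named CryptoLocker, any Run value that launches an executable from a profile root, and any .exe found directly in those roots. The Run values, file list and profile paths are constructed sample data; on a Windows host collect_live() reads the real HKCU Run key and directory listings instead. Treating any profile-root .exe as suspicious is an assumption: legitimate installers almost never drop an executable there, but confirm each hit before acting on it.

```python
import ntpath
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed sample of what a triage script would collect from a suspect host (not real data).
APPDATA = r"C:\Users\alice\AppData\Roaming"
LOCALAPPDATA = r"C:\Users\alice\AppData\Local"
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "CryptoLocker": r"C:\Users\alice\AppData\Roaming\Kvwqxjhg.exe",
}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Kvwqxjhg.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
]

Hit = Tuple[str, str, str]  # (indicator, name, path)


def _exe_path(command: str) -> str:
    """Strip arguments from a Run-key command line (quoted path, or first whitespace token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def is_profile_root_exe(path: str, roots: Iterable[str]) -> bool:
    """True for an .exe directly in %AppData% or %LocalAppData%, not in a subfolder.
    The random file name carries no signal; the location is the indicator (assumption)."""
    roots_lower = {r.lower().rstrip("\\") for r in roots}
    return path.lower().endswith(".exe") and ntpath.dirname(path).lower() in roots_lower


def check_run_values(run_values: Dict[str, str], roots: Iterable[str]) -> List[Hit]:
    """Flag a Run value named CryptoLocker, or any Run value launching a profile-root .exe."""
    hits: List[Hit] = []
    for name, command in run_values.items():
        exe = _exe_path(command)
        if name.lower() == "cryptolocker":
            hits.append(("run-value-name", name, exe))
        elif is_profile_root_exe(exe, roots):
            hits.append(("run-value-profile-root-exe", name, exe))
    return hits


def check_files(files: Iterable[str], roots: Iterable[str]) -> List[Hit]:
    """Flag executables dropped directly in the profile roots."""
    return [("profile-root-exe", ntpath.basename(p), p) for p in files if is_profile_root_exe(p, roots)]


def collect_live() -> Tuple[Dict[str, str], List[str]]:
    """Windows only: read HKCU\\...\\CurrentVersion\\Run and list the current user's profile roots."""
    import winreg  # present only on Windows builds of Python
    values: Dict[str, str] = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    i = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:  # EnumValue raises once the index runs past the last value
            break
        values[name] = str(data)
        i += 1
    roots = (os.environ["APPDATA"], os.environ["LOCALAPPDATA"])
    files = [os.path.join(r, f) for r in roots for f in os.listdir(r)]
    return values, files


if __name__ == "__main__":
    if sys.platform == "win32":
        run_values, files = collect_live()
        roots = (os.environ["APPDATA"], os.environ["LOCALAPPDATA"])
    else:
        run_values, files, roots = SAMPLE_RUN_VALUES, SAMPLE_FILES, (APPDATA, LOCALAPPDATA)
    for hit in check_run_values(run_values, roots) + check_files(files, roots):
        print(*hit)
```

collect_live() only sees the user running the script; to sweep every profile on a machine, iterate the subkeys of HKEY_USERS (or load each NTUSER.DAT offline) and list each profile's AppData directories.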
Yesterday, I collected over 1,200 .GOV TLD domains and ran checks against them. Of those, 58 were affected by the OpenSSL bug, aka "Heartbleed". This morning, upon checking…