Monday, January 1, 2018

Set Up Automatic Restore Points within Windows 10

To set up automatic restore points within Windows 10, search the Start menu for "system restore" and open "Create a restore point", which opens the System Protection tab of System Properties. Select the system drive, click the Configure button and verify that "Turn on system protection" is selected (it is frequently disabled by default on Windows 10) and that the Max Usage slider reserves enough disk space to keep more than one restore point.


With Windows 10 Pro (or any edition that ships the Local Group Policy Editor), launch gpedit.msc and access the following path:

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan

Enable the "Create a system restore point" option. With it enabled, Windows Defender Antivirus creates a restore point (at most once a day) before it cleans or removes detected malware, so a remediation that breaks the machine can be rolled back.


http://www.itprotoday.com/windows-10/how-set-automatic-restore-points-windows-10
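The same setup as a script, added here as an example rather than taken from the post or the linked article: it enables System Protection on the system drive, removes the 24-hour creation throttle, writes the registry value that the Group Policy setting above maps to, creates a restore point and registers a daily task that keeps doing so. Run it from an elevated Windows PowerShell 5.1 prompt (Enable-ComputerRestore and Checkpoint-Computer are not available in PowerShell 7). The task name and description strings are arbitrary, and DisableRestorePoint under the Windows Defender policy key is the value the ADMX maps the policy to as far as I know; confirm it by setting the policy in gpedit.msc and inspecting the key.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): automatic restore points on Windows 10.

$systemDrive = $env:SystemDrive + '\'   # normally 'C:\'

# 1. Turn on System Protection for the system drive (what the Configure dialog does).
Enable-ComputerRestore -Drive $systemDrive

# 2. Windows 8 and later silently skip a restore point requested less than 24 hours
#    after the previous one. Setting SystemRestorePointCreationFrequency to 0 removes
#    the throttle so scripted or scheduled checkpoints are never dropped.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
New-ItemProperty -Path $srKey -Name 'SystemRestorePointCreationFrequency' `
    -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Registry value behind the "Create a system restore point" policy
#    (Windows Defender Antivirus -> Scan). 0 = enabled, 1 = disabled.
#    Assumption: this is the key/value the ADMX writes; verify on your build.
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
if (-not (Test-Path $defKey)) { New-Item -Path $defKey -Force | Out-Null }
New-ItemProperty -Path $defKey -Name 'DisableRestorePoint' `
    -PropertyType DWord -Value 0 -Force | Out-Null

# 4. Create a restore point right now and list what exists.
Checkpoint-Computer -Description 'Baseline before patching' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 5. A daily scheduled task (runs as SYSTEM at 03:00) so the points keep coming.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -Command "Checkpoint-Computer -Description ''Daily'' -RestorePointType MODIFY_SETTINGS"'
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'DailyRestorePoint' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
```

Restore points live in the Volume Shadow Copy store and are not a backup: ransomware routinely deletes them (vssadmin delete shadows /all), and Windows trims the store without warning once Max Usage is exceeded. Treat them as a fast rollback for bad patches, drivers and malware clean-ups, and keep real backups elsewhere.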

ASLR Registry setting with Windows

Windows 8 and later changed how system-wide mandatory ASLR is implemented: images that were not linked with /DYNAMICBASE are still relocated, but they only receive entropy when system-wide bottom-up ASLR is enabled as well. Without bottom-up ASLR, each such image is relocated to the same address on every boot, which is the gap described in the two references below.

To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or later machine, import the following registry value. Note that importing it replaces the entire MitigationOptions value, so any other system-wide mitigation settings already stored there are reset to their defaults:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/

http://www.kb.cert.org/vuls/id/817544
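As an added example that is not part of the post or of the two linked advisories, the following PowerShell reads the MitigationOptions value and decodes the two ASLR settings the .reg file above flips, warns about exactly the half-configured state the CERT note describes, and then enables both settings with the ProcessMitigations cmdlets that ship with Windows 10 version 1709 and later. Those cmdlets change only the relevant bits of the value, whereas the .reg import rewrites all sixteen bytes. The function name is mine.

```powershell
# Added example: inspect and set system-wide mandatory and bottom-up ASLR.
# Run elevated; the Set-ProcessMitigation step writes to HKLM.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$name = 'MitigationOptions'

function Get-SystemAslrState {
    # MitigationOptions is a little-endian REG_BINARY bitmask. Each mitigation
    # occupies two bits: 01 = always on, 10 = always off, 00 = system default.
    #   bits  8-9  -> byte 1, low two bits: ForceRelocateImages (mandatory ASLR)
    #   bits 16-17 -> byte 2, low two bits: BottomUp (bottom-up ASLR)
    # The .reg above therefore writes 00,01,01,...: both "always on".
    $bytes = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $bytes) { $bytes = New-Object byte[] 16 }   # value absent: everything default
    $decode = {
        param([int]$b)
        switch ($b -band 0x3) { 1 { 'AlwaysOn' } 2 { 'AlwaysOff' } default { 'Default' } }
    }
    [pscustomobject]@{
        ForceRelocateImages = & $decode $bytes[1]
        BottomUp            = & $decode $bytes[2]
    }
}

$state = Get-SystemAslrState
$state

if ($state.ForceRelocateImages -eq 'AlwaysOn' -and $state.BottomUp -ne 'AlwaysOn') {
    # The misconfiguration from CERT VU#817544: non-/DYNAMICBASE images are
    # relocated, but to the same address on every boot.
    Write-Warning 'Mandatory ASLR is on without bottom-up ASLR: relocated images get no entropy.'
}

# Enable both. Equivalent to the .reg import for these two settings, but leaves
# the other mitigation bits alone. Windows 10 1709+ (ProcessMitigations module).
# New processes pick the setting up; reboot to cover already-running services.
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp
Get-ProcessMitigation -System | Select-Object -ExpandProperty ASLR
Get-SystemAslrState
```

Mandatory ASLR rebases every image that was not linked with /DYNAMICBASE, and software that assumes a fixed load address can misbehave, so test against the applications you actually run and carve out per-process exceptions with Set-ProcessMitigation -Name app.exe -Disable ForceRelocateImages before pushing the system-wide setting to a fleet.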

osquery

osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

https://osquery.io/
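An added example, not from the osquery project or its documentation: it runs one such SQL query through osqueryi from PowerShell (kept in the same language as the rest of this page) and turns the JSON result into objects. The query joins listening_ports, processes and hash to answer a question a defender actually asks: which processes are listening on non-loopback ports, and what is the SHA-256 of each one's binary. It assumes osqueryi.exe is on PATH (the Windows installer places it under C:\Program Files\osquery) and that the shell has enough privilege to read every process.

```powershell
# Added example: an osquery join, executed through osqueryi and handled in PowerShell.
$query = @'
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address, h.sha256
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN hash AS h ON h.path = p.path   -- hash needs a path constraint; the join supplies it
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1');
'@

# osqueryi --json prints the result set as a JSON array; every column comes back as a string.
$rows = & osqueryi --json $query | ConvertFrom-Json

# protocol is the IP protocol number: 6 = TCP, 17 = UDP.
$rows |
    Sort-Object { [int]$_.port } |
    Select-Object pid, name, port, protocol, address, sha256 |
    Format-Table -AutoSize

# Quick triage: a listener whose binary lives outside Windows or Program Files
# (and the SHA-256 above, for a reputation lookup) deserves a second look.
$rows |
    Where-Object { $_.path -and $_.path -notmatch '^C:\\(Windows|Program Files)' } |
    Select-Object pid, name, path, port
```

The same statement can be scheduled in osqueryd's configuration and shipped as differential log lines, which is how osquery is normally used for detection rather than one-off queries.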

Rescatux

Rescatux is a Debian-based GNU/Linux live distribution that includes a graphical wizard for rescuing broken GNU/Linux installations. The available rescue options include restoring the GRUB bootloader after a Windows installation, Linux and Windows password resets, and Linux file system checks.

https://www.supergrubdisk.org/rescatux/

Detection Lab

Detection Lab is a collection of Packer and Vagrant scripts that quickly bring a small Windows Active Directory lab online (a domain controller, a Windows endpoint and log collection hosts), complete with a collection of endpoint security tooling and logging best practices already applied, so detection logic can be tested against realistic telemetry.

https://isc.sans.edu/forums/diary/Detection+Lab+Visibility+Introspection+for+Defenders/23135/

https://github.com/clong/DetectionLab

Datally for Android

Datally is an Android application from Google. It is a mobile data manager that shows how much mobile data each app uses and lets you block background data use to stay within your plan.

https://play.google.com/store/apps/details?id=com.google.android.apps.freighter&hl=en

Secure Score with Office 365

Office 365 Secure Score is a tool that rates an Office 365 tenant's configuration against Microsoft's recommended security settings and lists the actions (with their point value) that would raise the score.

https://www.petri.com/improve-office-365-security-using-secure-score

https://blogs.technet.microsoft.com/office365security/using-the-office-365-secure-score-api/

Handoff option within iOS

Handoff is a feature that moves tasks and data seamlessly from one device to another between iOS devices and Macs signed in to the same iCloud account. Handoff lets you start writing an email on your iPhone and pass it to your Mac for completion and sending. To disable the feature on iOS, access Settings -> General -> Handoff; on a Mac the equivalent switch is System Preferences -> General -> "Allow Handoff between this Mac and your iCloud devices".

Friday, December 1, 2017

OpenVAS configuration

OpenVAS (http://openvas.org/) is an open-source vulnerability scanner. The instructions below cover configuring the application within Kali Linux.

The following commands are run (as root, or prefixed with sudo) once Kali Linux is installed and updated:

apt-get install openvas
openvas-setup
openvas-start

Then browse to https://127.0.0.1:9392 for the Greenbone Security Assistant web interface.


openvas-setup prints a randomly generated password for the admin user at the end of its run; record it. Start the required services with openvas-start if they are not already running, log in via the web interface as admin and set a new password value under Administration -> Users.

In the web interface, use the Feed Status option under the Extras tab to verify that the NVT, SCAP and CERT feeds are current. Scanning with stale feeds silently misses recently published vulnerabilities.

To update the NVT feed from a terminal session, use the command greenbone-nvt-sync. The commands to update the other databases are greenbone-scapdata-sync and greenbone-certdata-sync. Run them while no scan is in progress; depending on the version, the manager may need a restart (openvas-stop, then openvas-start) before the new NVTs appear in the interface.


View local root certificates within Windows using PowerShell

The local root certificate entries can be viewed within Windows using PowerShell, either through the Cert: drive or through the .NET X509Store class. CurrentUser\AuthRoot holds the third-party roots delivered by the automatic root update; LocalMachine\Root holds the machine-wide trusted roots. Any certificate in these stores can anchor a chain the system will trust, so an unexpected entry is worth investigating.

# Third-party roots for the current user, via the Cert: provider
ls Cert:\CurrentUser\AuthRoot

# Machine-wide trusted roots, via the .NET X509Store class (open read-only, close when done)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadOnly")
$store.Certificates | Select-Object Thumbprint, FriendlyName, NotAfter
$store.Close()


A script is available at https://isc.sans.edu/forums/diary/Keep+An+Eye+on+your+Root+Certificates/23030/ to compare hashes to a previous dump.
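Building on the two listings above, the following script is an added example (mine, not the SANS diary script linked above): it snapshots the Root and AuthRoot stores of both LocalMachine and CurrentUser, writes a baseline on the first run, prints additions and removals on later runs, and flags any root that carries a private key. The baseline path is an assumption; keep the file somewhere a standard user cannot overwrite.

```powershell
# Added example: baseline-and-diff of the Windows trusted root stores.
$baseline = Join-Path $env:ProgramData 'root-cert-baseline.csv'   # assumed location

function Get-RootCertSnapshot {
    # Root = trusted roots; AuthRoot = third-party roots from the automatic root update.
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        foreach ($store in 'Root', 'AuthRoot') {
            Get-ChildItem -Path "Cert:\$loc\$store" | ForEach-Object {
                [pscustomobject]@{
                    Store         = "$loc\$store"
                    Thumbprint    = $_.Thumbprint
                    Subject       = $_.Subject
                    NotAfter      = $_.NotAfter
                    # A root whose private key is on this box can mint certificates
                    # for any site (interception proxies, Superfish-style adware).
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
        }
    }
}

$current = Get-RootCertSnapshot

if (-not (Test-Path $baseline)) {
    $current | Export-Csv -Path $baseline -NoTypeInformation
    Write-Host "Baseline written to $baseline ($($current.Count) certificates)."
    return
}

$previous = Import-Csv -Path $baseline

# Store + thumbprint identifies a certificate; SideIndicator => means "only in current".
$diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current `
    -Property Store, Thumbprint -PassThru

foreach ($d in $diff) {
    $kind = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    '{0} {1,-22} {2} {3}' -f $kind, $d.Store, $d.Thumbprint, $d.Subject
}

$current | Where-Object HasPrivateKey | ForEach-Object {
    Write-Warning "Root with private key: $($_.Store) $($_.Thumbprint) $($_.Subject)"
}

# Once the differences are reviewed, accept the current state as the new baseline:
# $current | Export-Csv -Path $baseline -NoTypeInformation
```

AuthRoot is populated lazily by the automatic root update as roots are first encountered, so additions there are often legitimate; compare a suspicious thumbprint with the current Microsoft trusted root list (certutil -generateSSTFromWU roots.sst) before raising an alarm. A new entry in Root, and especially in CurrentUser\Root, which any user can write to without administrator rights (Windows only shows a confirmation dialog), deserves a look at what installed it.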