Friday, 29 July 2011

Sorting Windows events by UserID

Sorting Windows events by UserID is a critical piece of auditing. In the code and examples below, I concentrate on:

$Logs="System","Application","Microsoft-Windows-GroupPolicy/Operational"

purposefully leaving out the Security log. We can create a simple function that allows us to check all event logs on any machine sorted by file size:

function CheckEventLogsBySize{get-winevent -listlog * | Sort -desc FileSize |ft -auto LogName,@{Label="FileLogSize(MB)";...
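The post's topic is grouping by user, so here is an added example (not code from the original post) that counts events per UserId across the three logs named above, leaving the Security log out, and resolves each SID to an account name. It assumes a Windows host with Get-WinEvent; the -MaxEvents cap and the parameter names are illustrative choices.

```powershell
# Added example: per-user event counts across several logs, Security excluded.
# Assumes Get-WinEvent is available (Windows 7 / 2008 R2 or later).
$Logs = "System", "Application", "Microsoft-Windows-GroupPolicy/Operational"

function Get-EventCountByUser {
    param(
        [string[]]$LogName      = $Logs,
        [int]$MaxEvents         = 5000,              # illustrative cap per log
        [string]$ComputerName   = $env:COMPUTERNAME
    )
    # UserId on an EventLogRecord is a SecurityIdentifier, or $null when the
    # provider did not stamp the event with a user. Resolve each distinct SID
    # once so we do not call into LSA for every record.
    $sidCache = @{}

    $records = foreach ($log in $LogName) {
        try {
            Get-WinEvent -ComputerName $ComputerName `
                         -FilterHashtable @{ LogName = $log } `
                         -MaxEvents $MaxEvents -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when a log is empty or unreadable; report and move on.
            Write-Warning "Could not read '$log' on ${ComputerName}: $($_.Exception.Message)"
        }
    }

    $records |
        Group-Object { if ($_.UserId) { $_.UserId.Value } else { "<none>" } } |
        ForEach-Object {
            $sid = $_.Name
            if (-not $sidCache.ContainsKey($sid)) {
                $sidCache[$sid] = if ($sid -eq "<none>") { "<none>" } else {
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier $sid).
                            Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $sid    # orphaned or foreign SID: keep it raw rather than failing
                    }
                }
            }
            [pscustomobject]@{
                Account = $sidCache[$sid]
                SID     = $sid
                Events  = $_.Count
                Logs    = ($_.Group | Select-Object -ExpandProperty LogName -Unique) -join ','
            }
        } |
        Sort-Object -Property Events -Descending
}

# Usage: top accounts by event volume on the local machine.
Get-EventCountByUser | Format-Table -AutoSize
```

Events with no UserId (most System-log records from kernel-mode providers) land in a single "<none>" bucket, which is worth keeping visible: a log where almost everything is unattributed tells you that user-level auditing for that source is not enabled, not that nobody did anything.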

Thursday, 28 July 2011

Review of Metasploit: The Penetration Tester's Guide Posted

Amazon.com just posted my four star review of Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni. From the review: Metasploit: The Penetration Tester's Guide (MTPTG), is a great book about the Metasploit Framework. I first tried MSF in April 2004 (noted in one of my blog posts) and have since used it to test detection mechanisms, as well as simulate activity by certain threat groups. I've read...

Review of Hacking: The Art of Exploitation, 2nd Ed Posted

Amazon.com just posted my five star review of Hacking: The Art of Exploitation, 2nd Ed by Jon Erickson. From the review: This is the last in a recent collection of reviews on "hacking" books. Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader...

Review of Gray Hat Hacking, 3rd Ed Posted

Amazon.com just posted my three star review of Gray Hat Hacking, 3rd Ed by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams. From the review: Critical reviews are my least favorite aspect of my Amazon experience, but I believe readers expect me to be honest with them. Gray Hat Hacking, 3rd Ed (GHH3E) has a lot of potential, but it needs a reboot and a ruthless editor. I read and reviewed the original edition...

Review of Ninja Hacking Posted

Amazon.com just posted my four star review of Ninja Hacking by Thomas Wilhelm and Jason Andress. From the review: Ninja Hacking is not a typical digital security book. When I saw the title I expected the use of "Ninja" to be a reference to a style of digital attack. While this is true to a certain extent, Ninja Hacking is about actual Ninja concepts applied to the digital world. The book is an introduction to Ninja history and techniques, applied...

Review of Managed Code Rootkits Posted

Amazon.com just posted my five star review of Managed Code Rootkits by Erez Metula. From the review: Managed Code Rootkits (MCR) is one of the best books I've read in 2011. MCR is a one-man tour-de-force through the world of malicious software that leverages managed code for its runtime. Prior to reading the book I was only vaguely aware of the concept and implementation. After reading MCR, I am wondering when we might see more of this technique...

Review of Buffer Overflow Attacks Posted

Amazon.com just posted my two star review of Buffer Overflow Attacks, by James C. Foster, et al. From the review: I read "Buffer Overflow Attacks" as part of a collection of books on writing exploit code (reviewed separately). I have to give credit to the author team for writing one of the first books on this subject; Syngress published BOA in 2005, when the subject received less published coverage. However, better books are available now if you...

Risk Modeling, not "Threat Modeling"

Thanks to the great new book Metasploit (review pending), I learned of the Penetration Testing Execution Standard. According to the site, "It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations)." I think this project has a lot of promise given the people involved. I wanted to provide one comment through my blog, since...

Wednesday, 27 July 2011

Noah Shachtman’s Pirates of the ISPs

Two posts in one day? I'm on fire! It's easy to blog when something interesting happens, and I can talk about it. I wanted to mention the publication of Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs by Noah Shachtman, acting in his capacity as a Nonresident Fellow for Foreign Policy in the 21st Century Defense Initiative at The Brookings Institution. I read and commented on an earlier draft, and I think you will...

SQL Injection Challenge and Time-Based Security

Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challenge. As stated on the challenge site, the goal is "To successful execute SQLi against the scanning vendor demo websites and to try and evade the OWASP ModSecurity CRS." The contestants need to identify a SQL injection vector within one of four demo websites, then enumerate certain information from the target....

Tuesday, 26 July 2011

The Difference Between RAW and JPG - A Visual Guide

RAW Image Edited in Darktable

Ever since I have been getting more into photography I have always been looking for what I need to do to improve my skills. I am not aspiring to become a professional photographer, but I believe that I can make simple changes to the way I take pictures that will improve the overall quality of my photos. One of the improvements I made a while ago was shooting everything in the camera's RAW format. I have noticed that...

Make your own low (or zero) calorie soda pop

I have always been a huge fan of making home made root beer. It is super fun and easy, but more importantly, it is super delicious. The concept for making root beer is this: Buy root beer concentrate and mix it with sugar and water then add dry ice to give it the carbonation. Easy. So one day while I was making root beer, I decided to try an experiment. I started putting dry ice in other drinks and found that it was amazing! Want to make zero calorie...

More Ideas for Tutorials

Well; I have been slacking off. I have been doing a lot fewer tutorials because I have less time, but mostly because I have run out of ideas for tutorials. This is where I need your help! I have created a page for anyone to suggest a tutorial. I am open to any ideas. If you have some open source software you want me to try out to do a review or tutorial, let me know. Any idea would be great! If you have a specific picture or idea you want me to try out you can send me an email with the picture attachment (my Gmail name is mckayc). Suggest a tutorial...

Saturday, 16 July 2011

Best Video Screen Casting/capturing Software for Linux

Recently I have been doing more screen casts for my blog. Unfortunately, in Linux there are not a whole lot of programs available. I will discuss a few of the more popular programs with their pros and cons. Read article...

Friday, 15 July 2011

Lightroom vs Darktable - RAW photo editing

Recently I have been trying to do a lot more photography shooting in RAW. Because of this, I have been doing a lot less editing in the Gimp and a lot more editing in Darktable. Recently I did a short review/tutorial on Darktable. I have had a few people ask me to compare or show some of the differences with Lightroom and Darktable. This will be a quick overview on some of the differences and similarities between the two programs. Read article...

Thursday, 14 July 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part E)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, ultimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider...

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part III

Microsoft has exposed substantial providers since XP. With Windows 7, Microsoft has increased the number of providers substantially over previous versions of Windows and added 'netsh trace' functionality to enable tracing, conversion, and batching of these kernel level counters. In the commands below, I have mixed cmd shell, powershell, and cygwin cmds to parse ETL files. In general, parsing etl files with 'get-winevent' and powershell takes a while......

Tuesday, 05 July 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part D)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, ultimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then...

Bejtlich Teaching in Abu Dhabi in December

I'm pleased to announce that on December 12-13 at Black Hat Abu Dhabi I will teach a special two-day edition of TCP/IP Weapons School 3.0. This class is designed for junior and intermediate security analysts. The "sweet spot" for the potential student is someone working in a security operations center (SOC) or computer incident response team (CIRT), or someone trying to establish one of those organizations. The class is very hands-on, and focuses...

Saturday, 02 July 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

To list Opcodes, Event IDs, and Event Descriptions from any group of providers' (e.g. Securit*) events, you can use:

$ProviderNames=get-winevent -listprovider microsoft-windows-Securit* | % {$_.Name}
$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description -auto -wrap}

To create a list of EventIDs from the Security Log for which we want more information, we could download "Windows 7 and Windows Server 2008 R2 Security Event Descriptions" or we could select...

Friday, 01 July 2011

Google+ vs Facebook - Who will win?

Google+ is Google's latest attempt to take some of the social network from Facebook. Now that I have Google+ I thought it would be interesting to do a short little comparison. It is fairly obvious that Google is trying their hand at social networking and hoping to dive into Facebook's market. It will be interesting to see if that can actually happen. As an evaluation, I decided to list the features that people use on Facebook and compare them to Google+...

Get-Winevent Part III: Querying the Event Log for Logons (Part B)

This is a long post that I've edited from an answer I gave on Stack Overflow. Although the post is about how to audit logon information in the Security log of Windows 7, it is also about discovering methods to extract critical information from the 'Message' field of a "Logon Type" (ID=4624).

Get-WinEvent -max 100 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"

Logon Type: ...
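The findstr approach above works, but the Message text is rendered from localized templates and its layout can change between Windows versions. As an added example (not code from the original post or the Stack Overflow answer), the block below pulls Logon Type and the other 4624 fields out of the event's XML instead, where each value is a named EventData element. The sample XML is constructed for illustration and trimmed to the fields used; on a live host you would pipe Get-WinEvent output into Get-LogonFields instead.

```powershell
# Added example: read 4624 fields from event XML rather than grepping Message.
# The logon-type table follows the standard Windows Security-audit numbering.
$LogonTypeNames = @{
    2  = 'Interactive';  3 = 'Network';          4 = 'Batch';   5 = 'Service'
    7  = 'Unlock';       8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonFields {
    param(
        # Accepts an EventLogRecord from Get-WinEvent or a raw event XML string.
        [Parameter(ValueFromPipeline = $true)] $Event
    )
    process {
        $text = if ($Event -is [string]) { $Event } else { $Event.ToXml() }
        $xml  = [xml]$text

        # Each <Data Name="..."> child becomes a key in $data; this is the same
        # information the Message text is rendered from, without the formatting.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            TimeCreated   = $xml.Event.System.TimeCreated.SystemTime
            EventId       = [int]$xml.Event.System.EventID
            LogonType     = $type
            LogonTypeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Unknown' }
            User          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source        = $data['IpAddress']
            Process       = $data['ProcessName']
        }
    }
}

# Constructed sample 4624 event (not captured from a real host), trimmed to the
# fields this example reads.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2011-07-01T12:00:00.000Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
  </EventData>
</Event>
'@

# Offline demonstration on the constructed sample: reports LogonType 10 / RemoteInteractive.
$sample | Get-LogonFields | Format-List

# On a live host (Security log, run elevated), the same function applies to real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 100 |
#     Get-LogonFields | Where-Object { $_.LogonType -eq 10 } | Format-Table -AutoSize
```

The pipeline filter at the end is how you would isolate RDP logons (type 10) without ever touching the Message field; the same $data hashtable also carries LogonProcessName and AuthenticationPackageName if you want to separate NTLM from Kerberos.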