I want to wish everyone a Merry Christmas! I love this time of year and hope that everyone is finding joy and happiness!
On my personal blog, I just wrote about the true meaning of Christmas from a different perspective (in China). You can read it here if you would like.
Saturday, 24 December 2011
Sunday, 18 December 2011
One-liners for retrieving Windows TCP/IP and IP Address information
One-liners for retrieving Windows IP Address information from PowerShell v3.0:
- gwmi -class Win32_NetworkAdapterConfiguration | ? {$_.IPAddress -ne $null}
- gwmi -class Win32_NetworkAdapterConfiguration | ? {$_.IPAddress -ne $null} | fl *
- gwmi -class Win32_NetworkAdapterConfiguration | ? {$_.IPAddress -ne $null} | Select -ea 0 IP,DHCP,DNS,WINS
- gwmi -class Win32_NetworkAdapter | ? {$_.NetEnabled} | Select Caption,Name,Speed,TimeOfLastReset,Net*
- gwmi -class Win32_NetworkAdapterConfiguration | ? {$_.IPAddress -ne $null} | % {write "$($_.Caption) $($_.IPAddress) $($_.SettingID)"}
- gwmi -class Win32_PerfRawData_Tcpip_NetworkInterface | ? {$_.BytesReceivedPersec -ne 0} | % {write "$($_.Name) $($_.BytesReceivedPersec) $($_.BytesSentPersec)"}
and a function to retrieve the 'PropertySets' of IP information for a list of computers, provided that you can make remote PowerShell connectivity work:
function Global:Show-IPinfo {
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$true)]
[array]$HostList=@("localhost"),
[array]$PropertySets=@("IP","DHCP","DNS")
)
process {
  foreach ($Computer in $HostList) {
    # Keep only the adapters that actually have an IP address bound
    $HostIP=gwmi -ComputerName $Computer -Class Win32_NetworkAdapterConfiguration | ? {$_.IPAddress -ne $null}
    foreach ($Set in $PropertySets) {
      # $HostIP.$Set resolves the named PropertySet (IP, DHCP, DNS or WINS) that PowerShell defines for this WMI class
      foreach ($i in ($HostIP.$Set).ReferencedPropertyNames) {write "$($i) : $($HostIP.$i)"}
    }
  }
}
}
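The one-liners above answer "what is this host's IP configuration right now?". The defender's follow-up question is "has it changed?": a new DNS server, a toggled DHCP setting or an extra default gateway on a server is the kind of change worth an explanation. The following is an added example and not code from the original post; it assumes PowerShell v3.0 (for ConvertTo-Json/ConvertFrom-Json and [pscustomobject]), uses the same Win32_NetworkAdapterConfiguration class as the one-liners, and the function names and the baseline file name ipconfig-baseline.json are my own choices.

```powershell
# Added example: snapshot the IP-enabled adapters of a host and diff them against a saved baseline.
function Get-IPConfigSnapshot {
    [CmdletBinding()]
    Param([string]$ComputerName = "localhost")
    Get-WmiObject -ComputerName $ComputerName -Class Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPAddress -ne $null } |
        ForEach-Object {
            # Multi-valued WMI properties are flattened to comma-joined strings so they compare as plain text.
            # DNS server order matters, so that list is kept in its original order; the others are sorted.
            [pscustomobject]@{
                SettingID   = $_.SettingID                      # adapter GUID, stable across reboots
                Description = $_.Description
                MACAddress  = $_.MACAddress
                IPAddress   = (@($_.IPAddress) | Sort-Object) -join ","
                IPSubnet    = (@($_.IPSubnet) | Sort-Object) -join ","
                Gateway     = (@($_.DefaultIPGateway) | Sort-Object) -join ","
                DHCPEnabled = [bool]$_.DHCPEnabled
                DHCPServer  = [string]$_.DHCPServer
                DNSServers  = (@($_.DNSServerSearchOrder) -join ",")
                DNSSuffixes = (@($_.DNSDomainSuffixSearchOrder) -join ",")
                WINSPrimary = [string]$_.WINSPrimaryServer
            }
        }
}

function Compare-IPConfigSnapshot {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)][string]$BaselinePath,
        [string]$ComputerName = "localhost"
    )
    # Index the baseline by adapter GUID so each current adapter can be matched to its old record
    $baseline = @{}
    Get-Content -Raw $BaselinePath | ConvertFrom-Json | ForEach-Object { $baseline[$_.SettingID] = $_ }
    foreach ($current in Get-IPConfigSnapshot -ComputerName $ComputerName) {
        $old = $baseline[$current.SettingID]
        if (-not $old) {
            [pscustomobject]@{ Adapter = $current.Description; Property = "(new adapter)"; Baseline = $null; Current = $current.IPAddress }
            continue
        }
        foreach ($prop in "IPAddress","IPSubnet","Gateway","DHCPEnabled","DHCPServer","DNSServers","DNSSuffixes","WINSPrimary") {
            # String comparison on both sides keeps booleans and nulls from round-tripping differently through JSON
            if ("$($old.$prop)" -ne "$($current.$prop)") {
                [pscustomobject]@{ Adapter = $current.Description; Property = $prop; Baseline = $old.$prop; Current = $current.$prop }
            }
        }
    }
}

# First run on a known-good host: record the baseline (file name is my own choice)
Get-IPConfigSnapshot | ConvertTo-Json | Set-Content ipconfig-baseline.json
# Later runs: every object returned is a change that should have a ticket behind it
Compare-IPConfigSnapshot -BaselinePath ipconfig-baseline.json | Format-Table -AutoSize
```

The comparison is keyed on SettingID rather than on adapter name or index because those can shift when drivers are updated; an adapter that appears with a GUID the baseline has never seen is reported on its own line rather than silently skipped.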
Thursday, 15 December 2011
One of the many reasons I love Google
This is a picture of my bathroom here in China. Nothing special really (other than the fact that I moved into a really nasty apartment with a nasty bathroom). Nothing special I thought.
This is why Google is so cool.
I recently upgraded Picasa to the newest version. I decided to go through and use Picasa to organize some of my contacts with faces. It was when I was doing this that Picasa brought up this photo for me to tag. My initial response was that Picasa was crazy, but after looking at the smaller thumbnail, I realized it totally does look like a face.
I love you Google.
Saturday, 10 December 2011
FileVersionInfo Part II
# Powershell v3.0 code
# Recurses the current directory and gathers the FileVersionInfo of every file matching $filename
# Returns the number of Debug, Patched, PreRelease, Private and Special builds
# Optionally creates one csv per category in the current directory
# Takes up to three arguments:
# [mandatory]$filename (e.g. *.dll), $exportflag (e.g. 0 to output csv; default is off), $filetime (prefix for the csv names; default is now)
function Global:Get-fileinfo {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[object]$filename,
[bool]$exportflag=1,
$filetime=[DateTime]::Now.ToFileTime()
)
$Files=ls -Filter $filename -Recurse -File
## $Files=ls -ea 0 -Filter $filename -Recurse #remove '-File' to create 2.0 code. Add '-ea 0' as desired.
# Read the version resource of each file; a file without one still returns an object whose Is* flags are all False
$FileInfo=$Files | % {[System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)}
$Global:DebugBuild=$FileInfo | ? {$_.IsDebug}
$Global:PatchedBuild=$FileInfo | ? {$_.IsPatched}
$Global:PrereleaseBuild=$FileInfo | ? {$_.IsPreRelease}
$Global:PrivateBuild=$FileInfo | ? {$_.IsPrivateBuild}
$Global:SpecialBuild=$FileInfo | ? {$_.IsSpecialBuild}
# Store the filtered objects themselves (not variable names), so exporting needs no Invoke-Expression
[hashtable]$Global:Report=@{
"DebugBuild" = $DebugBuild;
"PatchedBuild" = $PatchedBuild;
"PrereleaseBuild" = $PrereleaseBuild;
"PrivateBuild" = $PrivateBuild;
"SpecialBuild" = $SpecialBuild }
if ($exportflag -eq 0)
{
foreach ($entry in $Report.GetEnumerator()) {
# Skip empty categories; Export-Csv has nothing to write for them
if ($entry.Value) {$entry.Value | Export-Csv -ea 0 -NoTypeInformation -Path "$filetime-$($entry.Key).csv"}
}
}
write "Total files: $(($Files).count)"
write "Marked Debug: $(($DebugBuild).count)"
write "Marked Patched: $(($PatchedBuild).count)"
write "Marked Prerelease: $(($PrereleaseBuild).count)"
write "Marked Private: $(($PrivateBuild).count)"
write "Marked Special: $(($SpecialBuild).count)"
}
FileVersionInfo Part I
Retrieving FileVersionInfo in PowerShell involves calling [System.Diagnostics.FileVersionInfo]::GetVersionInfo(). The FileInfo objects returned by 'ls' (Get-ChildItem) have a ScriptProperty named "VersionInfo" that wraps this call:
PS C:\ps1> $a=ls -recurse | % {$_.VersionInfo}
TypeName : System.IO.FileInfo
Name : VersionInfo
MemberType : ScriptProperty
Definition : System.Object VersionInfo {get=[System.Diagnostics.FileVersionInfo]::GetVersionInfo($this.FullName);}
System.Diagnostics.FileVersionInfo contains five boolean properties for Debug, Patched, PreRelease, Private and Special builds:
PS C:\ps1> $a | gm
TypeName: System.Diagnostics.FileVersionInfo
Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Comments Property System.String Comments {get;}
CompanyName Property System.String CompanyName {get;}
FileBuildPart Property System.Int32 FileBuildPart {get;}
FileDescription Property System.String FileDescription {get;}
FileMajorPart Property System.Int32 FileMajorPart {get;}
FileMinorPart Property System.Int32 FileMinorPart {get;}
FileName Property System.String FileName {get;}
FilePrivatePart Property System.Int32 FilePrivatePart {get;}
FileVersion Property System.String FileVersion {get;}
InternalName Property System.String InternalName {get;}
IsDebug Property System.Boolean IsDebug {get;}
IsPatched Property System.Boolean IsPatched {get;}
IsPreRelease Property System.Boolean IsPreRelease {get;}
IsPrivateBuild Property System.Boolean IsPrivateBuild {get;}
IsSpecialBuild Property System.Boolean IsSpecialBuild {get;}
Language Property System.String Language {get;}
LegalCopyright Property System.String LegalCopyright {get;}
LegalTrademarks Property System.String LegalTrademarks {get;}
OriginalFilename Property System.String OriginalFilename {get;}
PrivateBuild Property System.String PrivateBuild {get;}
ProductBuildPart Property System.Int32 ProductBuildPart {get;}
ProductMajorPart Property System.Int32 ProductMajorPart {get;}
ProductMinorPart Property System.Int32 ProductMinorPart {get;}
ProductName Property System.String ProductName {get;}
ProductPrivatePart Property System.Int32 ProductPrivatePart {get;}
ProductVersion Property System.String ProductVersion {get;}
SpecialBuild Property System.String SpecialBuild {get;}
We can select these booleans easily enough:
PS C:\ps1> $a | Select Filename,Is* | fl *| more
{ls -recurse | % {$_.VersionInfo} | Select Filename,Is* | fl *| more}
FileName : C:\ps1\CTPv3\app.config
IsDebug : False
IsPatched : False
IsPrivateBuild : False
IsPreRelease : False
IsSpecialBuild : False
FileName : C:\ps1\CTPv3\AssemblyInfo.cs
IsDebug : False
IsPatched : False
IsPrivateBuild : False
IsPreRelease : False
IsSpecialBuild : False
...
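Part I shows where the five Is* booleans come from and Part II counts them across a directory tree. What a responder usually wants next is the same pass with a couple more checks from the same FileVersionInfo object: files that carry no version resource at all, and files whose OriginalFilename does not match the name on disk. The following is an added example, not code from either post; it assumes PowerShell v3.0+ (for -File and [pscustomobject]) and uses only the FileVersionInfo properties listed in the Get-Member output above. The function name is my own.

```powershell
# Added example: triage a directory tree by each PE file's version resource.
function Get-VersionInfoTriage {
    [CmdletBinding()]
    Param(
        [string]$Path = ".",
        [string[]]$Include = @("*.dll","*.exe","*.sys")
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue | ForEach-Object {
        # VersionInfo is the ScriptProperty that calls [System.Diagnostics.FileVersionInfo]::GetVersionInfo($this.FullName)
        $vi = $_.VersionInfo
        $flags = @()
        if ($vi.IsDebug)        { $flags += "Debug" }
        if ($vi.IsPatched)      { $flags += "Patched" }
        if ($vi.IsPreRelease)   { $flags += "PreRelease" }
        if ($vi.IsPrivateBuild) { $flags += "Private" }
        if ($vi.IsSpecialBuild) { $flags += "Special" }
        # A file with no version resource returns an object whose string properties are all empty
        if (-not $vi.CompanyName -and -not $vi.ProductName -and -not $vi.FileVersion) { $flags += "NoVersionResource" }
        # Name on disk differs from the name compiled into the resource; often benign, but worth a second look
        if ($vi.OriginalFilename -and $vi.OriginalFilename -ne $_.Name) { $flags += "RenamedFromOriginal" }
        [pscustomobject]@{
            FullName         = $_.FullName
            CompanyName      = $vi.CompanyName
            FileVersion      = $vi.FileVersion
            OriginalFilename = $vi.OriginalFilename
            Flags            = ($flags -join ",")
        }
    }
}

# Count how many files carry each flag combination, then list the ones most worth looking at
$triage = Get-VersionInfoTriage -Path "$env:windir\System32"
$triage | Where-Object { $_.Flags } | Group-Object Flags | Sort-Object Count -Descending | Select-Object Count, Name
$triage | Where-Object { $_.Flags -match "NoVersionResource|RenamedFromOriginal" } | Format-Table -AutoSize
```

The version resource is attacker-controlled data, so none of these flags proves anything on its own; a missing resource or a renamed OriginalFilename is a reason to pull the file's hash and signature next, while the Debug and Private flags mostly surface build hygiene problems on your own software, which is what Part II was counting.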
Tuesday, 06 December 2011
Mandiant Webinar Wednesday; Help Us Break a Record!

Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.
If you have questions about the Webinar, or during it, you can always send them via Twitter to @mandiant using the hashtag m_soh.
Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

David Spark asked for my "security tip for 2012," which I listed as:
Improve your incident detection and response program by answering two critical questions:
1. How many systems have been compromised in any given time period; and
2. How much time elapsed between incident identification and containment for each system?
Use the answers to improve and guide your overall security program.
Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic. I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.
Monday, 05 December 2011
Become a Hunter

It’s natural for members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.
Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider the “self-defending network” concept to be marketing at best and counter-productive at worst. If technology and engineering aren’t the answer to security’s woes, then what is?
Download and read my article starting on page 19 for the answer! July-August 2011 issue (.pdf)