Two urgent (severity 5) vulnerabilities have been found on one of my servers. The Qualys scan report gives lots of details about those vulnerabilities, such as solutions, patches, links, etc. Applied Patch Unfortunately, even though I have downloaded the right patches and applied them to this server, it is still showing those vulnerabilities. Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011) Microsoft Internet Explorer Cumulative Security Update (MS15-124) You can find out details about them at the end…
Posts published in “Threat Hunting”
It was interesting during one of our vulnerability scans: there were lots of machines listening on port 12345, and it had lots of connections on it. Also, the PID is 4, which is the System process. The same thing was also found on HTTP port 80. Here are the netstat command outputs. Symptoms C:\Windows\system32>netstat -tabno | find ":80" TCP 0.0.0.0:80 0.0.0.0:0 LISTENING …
Recently, during a vulnerability scan, the RC4 cipher was found in use on the SSL/TLS connection at port 3389. The solution in the Qualys report is not clear about how to fix it. This post records some search results found online on how to fix this SSL/TLS RC4 cipher vulnerability.
SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL
Category: General remote services
CVE ID: CVE-2013-2566, CVE-2015-2808
Vendor Reference: -
Bugtraq ID: 91787, 58796, 73684
Service Modified: 05/10/2019
User Modified: -
PCI Vuln: Yes
This topic has haunted my mind for quite a while. As an information security guy, we get tons of reports about endpoint activities. One of them is the website IPs or URLs they were accessing. A typical abnormal network behaviour for an infected or compromised endpoint is a huge amount of access to malicious IPs or bad-reputation websites.
For many investigations, I can generate an IP list, but quickly finding out the IP reputation is a challenge for me.
That is why I am writing this post today. I am still checking those websites and scripts; hopefully I can get a good understanding and then come up with my own script to do this job.
More and more websites are using a CDN (Content Delivery Network) to help deliver their content to end users. It is faster, safer and more reliable. At the same time, a CDN such as Cloudflare hides your real IP behind its public IPs. Is there a way to bypass the CDN and find out those websites' real IP addresses?
Here are some scripts and methods for doing remote troubleshooting or running commands on remote machines. I found them very useful, especially in an enterprise environment, if you have a domain admin account.
Prerequisites to run remote commands:
- Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe, or from https://www.microsoft.com/en-ca/download/details.aspx?id=42642
- Copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive, or download it from https://docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
- Open PowerShell as an administrator, navigate into the directory on your C drive, and run the command
- Install Microsoft Visual C++ 2017 redistributable from \\shareserver\it\$Install\Scripting prerequisite\VC_redist.x64.exe, or download it from https://www.microsoft.com/en-us/download/details.aspx?id=52685
- Set-ExecutionPolicy Unrestricted -Force
- As an administrator, run the command winrm quickconfig
The Microsoft Sysinternals tool Sysmon is a service and device driver that, once installed on a system, logs indicators that can greatly help track malicious activity, in addition to helping with general troubleshooting.
Sysinternals from Web Browser:
Basic Sysmon Usage commands:
sysmon -i -accepteula [options]
- Extracts binaries into %systemroot%
- Registers event log manifest
- Enables default configuration