Posts

Showing posts from 2018

Windows PowerShell Remoting: Host Based Investigation and Containment Techniques

In this blog post I will detail how to perform various incident response techniques using native Windows PowerShell functionality. Each method I explain will be able to be executed remotely to allow for efficient investigation and containment of an individual host. For PowerShell response en masse, I recommend familiarising yourself with the Kansa framework. If you follow my github, you may also notice that many of the techniques listed below are built into my remote PowerShell triage tool, B2Response, which allows you to perform these actions with ease. Please give it a go and provide feedback! The techniques which I will cover include: 1) issuing a remote command/shell, 2) retrieving/downloading files, 3) checking for running processes, 4) querying registry keys, 5) PCAP collection, 6) blocking a domain, 7) blocking an IP, and 8) quarantining a host. Prerequisites: all of the techniques listed below utilise PowerShell to remotely manage computers within your IT environment. In order

Free Incident Response Management and Documentation Workbook

Oh no! I've got a potential incident unfolding now and I'm struggling to keep track of everything. What do you use for incident documentation? A friend posed this question to me a few days ago and my first thought was "I use TheHive". This response would have been about as useful as a wet fish to my friend, as at that point in time the last thing he had time to do was learn, deploy and configure a new incident management platform. He needed something now. He needed something without a learning curve and something which would free him up to spend valuable time actually investigating a potential incident. To help him out, I turned to the global backbone of information management... Microsoft Excel. Prior to deploying TheHive, I built and improved upon an Excel incident management and documentation workbook for a number of years. It doesn't have machine learning, AI or even security automation, so it probably isn't much good. Disregarding these shortfalls,

Implementing Security Compliance as Code in Terraform

Infrastructure as Code (IaC) tools like Terraform have enabled efficient, accountable and rapid infrastructure development and deployment in the cloud. Without the overhead of delivering, installing and maintaining hardware, the speed at which teams can build and release IT solutions brings measurable value to their organisation. Working in the security industry, we need to keep up with this rapid deployment methodology and insert ourselves into the development pipeline to ensure architects and developers are releasing infrastructure that meets our best practices. This blog post details one way that we as security practitioners can automate compliance with technical security policy as code in Terraform. This method utilises a PowerShell script I wrote called TFCheck. If you would like to learn more about Terraform, please check out their website. How does it work? TFcheck writes the output of the Terraform show command to config.out for parsing. When TFcheck parses co