Blocking SMB at the firewall

Interesting thread here, particularly if there's any remote PowerShell being used:

> If you are a firewall admin, stop right now, apply these 2 rules. Block 137, 139, 445 inbound and outbound on your firewalls. While you are at it, on all your workstations block inbound on the same ports, also add in 5985 and 5986. It will piss off admins but will stop worms!
>
> — EvilMog (@Evil_Mog) March 10, 2020 [https://twitter.com/Evil_Mog/status/1237511446570790912?ref_src=twsrc%5Etfw]

…


Microsoft Attack Surface Analyzer

> If you're auditing security configurations on Windows, take a look at the open source Attack Surface Analyzer from @msftsecurity [https://twitter.com/msftsecurity?ref_src=twsrc%5Etfw] pic.twitter.com/UgjhgHQZsb [https://t.co/UgjhgHQZsb]
>
> — Jake Williams (@MalwareJake) February 25, 2020 [https://twitter.com/MalwareJake/status/1232434371623186432?ref_src=twsrc%5Etfw]

Attack Surface Analyzer (updated) announcement here: Announcing the all new Attack Surface Analyzer 2.0…


Prevent changing Windows' color scheme via GPO

Here's the GPO policy for that: Group Policy Search [https://gpsearch.azurewebsites.net/#105] (the GPS is a group policy search tool for Microsoft Active Directory Group Policy Settings, by Stephanus A. Schulte & Jean-Pierre Regente, Microsoft.com)…


Defending Against PowerShell Attacks: Building the ultimate attacker honeypot

From @Lee_Holmes:

> We've updated this post to give additional context and guidance for folks being asked to disable PowerShell. Check it out and let us know what you think! https://t.co/0LqsBgjLTv
>
> — Lee Holmes (@Lee_Holmes) February 20, 2020 [https://twitter.com/Lee_Holmes/status/1230597293709000704?ref_src=twsrc%5Etfw]

MS link here: Defending Against PowerShell Attacks [https://devblogs.microsoft.com/powershell/defending-against-powershell-attacks/]…


Low Level Malware Protection

Good list, but the whole thread is even more interesting:

> Low Level Malware Protection
>
> 1. Use web proxies 🌉 (proxy awareness in all malware stages is rare)
> 2. Block executable downloads 🚦 (from unclassified domains; stage 2+ is often executable content)
> 3. Restrict workstation to workstation communication 🚧 (contains an outbreak)
>
> — Florian Roth (@cyb3rops) February 14, 2020 [https://twitter.com/cyb3rops/status/1228306241815969792?ref_src=twsrc%5Etfw]

…
