Showing posts from June, 2017

NotPetya: Good Practices Final Exam

June 27, 2017, 9:45am Petya has struck and InfoSec Twitter is in full crisis mode. Petya appears to be very sophisticated and I have heard many exploits given for it's methods of spreading and I'm going to touch on each one. I am not here to prove that each one of these things is true about Petya but just going over how each one of these things can be prevented in the future.

Update, June 27, 2017, 10:10am: It is now being called NotPetya by Kapersky who decided it is unrelated. Either way this stuff still applies.  CVE-2017-0199 I have heard that it is using CVE-2017-0199, which I wrote about here, as an initial entry to networks via email. This has been mentioned once or twice. It bypasses macros in Microsoft Office, but there are patches available and my notes show how to break code execution if you're really paranoid.
Update: Loki, a different ransomware, might be using CVE-2017-0199 and not Petya. Even still...
Update, June 27, 2017, 10:30am: Petya/NotPetya is definitel…

Windows Management Interface (WMI) Filtering for Group Policy Objects

During my recent work with a local law firm overhauling their network and designing a new Active Directory (AD) domain structure I have learned some tricks. One is WMI Filtering for applying an entire Group Policy Object (GPO).
Windows Management Interface (WMI) Filtering is a feature in the Group Policy Management Console (GPMC) on Windows Server operating systems that let you create conditional logic as to whether or not a GPO applies to a specific computer within it's assigned Operational Unit (OU). Here's an example filter taken from the Security Baseline for Windows 10 (Draft):
Internet Explorer 11.mof instance of MSFT_SomFilter { Author = "Administrator@JST4KXS.local"; ChangeDate = "20131215210840.077000-000"; CreationDate = "20131031204931.789000-000"; Description = "Applies Internet Explorer 11 Settings"; Domain = "JST4KXS.local"; ID = "{F78EB5A2-B8C0-49FC-BB29-86DD2D3E0B15}"; Name = "Internet Explorer 11"; Ru…