Threat Advisory: Eternalrocks

Total Page:16

File Type:pdf, Size:1020Kb

Threat Advisory: Eternalrocks McAfee Labs Threat Advisory EternalRocks June 6, 2017 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent A malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to n mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. d To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html. Summary EternalRocks is a network worm which uses the SMB exploits ETERNAL BLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY along with related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH to spread. McAfee products detect this threat under the following detection names: • Trojan-EtrnlRock • Trojan.EternalRocks • Trojan-Bluedoom • HackTool-Shadowbrokers • RDN/Generic.grp • RDN/Generic.dx • RDN/Trojan-EtrnlRock • RDN/Generic Downloader.x Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections: • Infection and Propagation Vectors • Mitigation • Characteristics and Symptoms • Restart Mechanism • Remediation • McAfee Foundstone Services Infection and Propagation Vectors Even though this has not been confirmed, the malware’s initial vector is expected to be spam email. The malware spreads by exploiting shares and uses the EternalBlue (MS17-010 Echo Response - SMB vulnerability) vulnerability. The authors have used publicly available exploit code and embedded it as a part of their dropper. On execution, the malware connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it. During replication, we observed that it generates a random set of IP addresses for the purposes of propagation. These IPs are not restricted to internal IPs. Affected systems: Microsoft Windows XP, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2012 and R2, Windows 10, and Windows Server 2016. Characteristics and Symptoms This section describes various components of the malware: Dropper Component: 994bd0b23cce98b86e58218b9032ffab The dropper component is an .exe file compiled using Microsoft Visual Basic 6 having size 332 KB. After execution, it creates the following folders and files: • C:\Program Files\Microsoft Updates : Base install directory of the malware • C:\Program Files\Microsoft Updates\SharpZLib.zip : Zip file containing library files for unzipping archives. • C:\Program Files\Microsoft Updates\SharpZLib\ : Folder into which the SharpZLib zip archive is unzipped. • C:\Program Files\Microsoft Updates\svchost.exe : Second stage component described in a subsequent section in this Threat Advisory. • C:\Program Files\Microsoft Updates\installed.fgh: Text file containing the current installed version of the malware. • C:\Program Files\Microsoft Updates\ICSharpCode.SharpZipLib.dll : SharpZLib library file. • C:\Program Files\Microsoft Updates\TaskScheduler.zip : File and libraries required to set up a Schedule Task on the system programmatically. • C:\Program Files\Microsoft Updates\TaskScheduler\ : Folder into which TaskScheduler.zip is unzipped. • C:\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll : TaskScheduler related library file. • C:\Program Files\Microsoft Updates\temp\tor.zip : Zip file containing the Tor module to communicate with the malware’s Command & Control (C&C) server. • C:\Program Files\Microsoft Updates\Tor\ : Contains the unzipped contents of Tor.zip • C:\Program Files\Microsoft Updates\torunzip.exe : Binary used for unzipping the contents of tor.zip into the Tor folder. • C:\Program Files\Microsoft Updates\required.glo : Data file containing the installation info for the malware. This acts as a log file keeping track of the activities the malware has completed. • C:\Program Files\Microsoft Updates\taskhost.exe : Another second stage malware component that downloads and executes various exploits. This file is embedded in the svchost.exe file. The dropper creates the following mutex: Global\20b70e57-1c2e-4de9-99e5-69f369006912 (created by dropper process/binary) The dropper component then checks for the Dot Net version, and if it is not installed it can download it from the following locations: • http://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe • http://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe It then downloads TaskScheduler and SharpZLib packages from the following URLs: • https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg • https://api.nuget.org/packages/sharpziplib.0.86.0.nupkg It extracts these into the following locations, respectively: • C:\Program Files\Microsoft Updates\SharpZLib • C:\Program Files\Microsoft Updates\TaskScheduler The dropper then extracts the malicious svchost.exe file from its binary (resources) to the following location: • C:\Program Files\Microsoft Updates\svchost.exe The dropper then executes the dropped svchost.exe file [MD5: 5c9f450f2488140c21b6a0bd37db6a40]. Second stage Component: 5c9f450f2488140c21b6a0bd37db6a40 The second stage component downloads the Windows Tor package from: • hxxps://archive.torproject.org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip and uses torunzip.exe to unzip the archive into the Tor folder located in the install directory: • C:\Program Files\Microsoft Updates\Tor\ The second stage component drops torrc, which is a tor configuration file to the following path: • C:\Program Files\Microsoft Updates\Tor\torrc The second stage component executes tor.exe to install the tor hidden service: • C:\Program Files\Microsoft Updates\Tor\tor.exe" --defaults-torrc "C:\Program Files\Microsoft Updates\Tor\torrc The tor.exe binary drops following files: • C:\Program Files\Microsoft Updates\Tor\cached-certs • C:\Program Files\Microsoft Updates\Tor\cached-microdesc-consensus • C:\Program Files\Microsoft Updates\Tor\cached-microdescs.new • C:\Program Files\Microsoft Updates\Tor\hidden_service\hostname • C:\Program Files\Microsoft Updates\Tor\hidden_service\private_key • C:\Program Files\Microsoft Updates\Tor\state Tor generates an onion address (example: 32sxljhplsaxdzxb.onion) as a hidden service based on the configuration present in the torrc file, and the address is written to a file named hostname. The second stage component executes various networking commands such as: a) netstat.exe –a : To generate the list of open TCP (listening) and UDP ports to be used for configuring firewall rules. b) To allow the various components of the malware to communicate freely over the network, the malware then sets up various firewall rules: • firewall add allowedprogram <Install_dir>\svchost.exe “Microsoft Update Service” ENABLE • firewall add allowedprogram <Install_dir>\taskhost.exe “Microsoft Update Service” ENABLE • firewall add allowedprogram <Install_dir>\Tor\tor.exe “Microsoft Update Service” ENABLE c) The malware also adds exceptions to the firewall for each open and listening port on the target machine to allow incoming connections via netsh.exe commands: • firewall add portopening TCP <port_number> “Open TCP Port <port_number>” • advfirewall firewall add rule name=”Open TCP Port <port_number>” dir=in action=allow protocol=TCP localport=<port_number> • firewall add portopening UDP <port_number> “Open UDP Port <port_number>” • advfirewall firewall add rule name=”Open UDP Port <port_number>” dir=in action=allow protocol=UDP localport=<port_number> d) It also disables file and printer sharing devices by setting up another firewall rule: • netsh.exe firewall set service fileandprint disable e) The malware also attempts to CLOSE the default SMB port on the target machine: "Malware SMB Block” rule to block SMB port 445: netsh.exe advfirewall firewall add rule name="Malware SMB Block" dir=in localport=445 protocol=TCP action=block f) When the various firewall rules have been configured, the malware starts up the firewall on the target system: • netsh.exe" firewall set opmode ENABLE Updater Component: The second stage component (svchost.exe) may also contain an updater component in some cases. The updater checks to make sure that the target machine is running the latest version of the third stage component (taskhost.exe). If not, the second stage component contacts the CnC server to download the latest version of taskhost.exe. Infected systems will see communications to the CnC URLs such as: • hxxp :// ubgdgno5eswkhmpy[dot]onion/updates/info?id=<Hostname>&v1.<version_number>&download=next • hxxp :// ubgdgno5eswkhmpy[dot]onion/updates/download?id=<Hostname> The following mutex is created by the second stage dropper component (svchost.exe): {8F6F0AC4-B9A1-45fd-A8CF-72FDEFF} Third stage Component: C52F20A854EFB013A0A1248FD84AAA95 The third stage component is named taskhost.exe. This is the module responsible for the worm’s propagation. This is a .Net binary embedded inside the resources of the second stage component (svchost.exe). This binary (third stage) may also be downloaded from the CnC as part of the update process by the second stage component into the install directory: C:\Program Files\Microsoft Updates\ The third stage binary is responsible for downloading shadowbrokers.zip exploit pack and unpacking the contained “payloads/”, “configs/” and “bins/” directories. This archive
Recommended publications
  • View the Slides (Smith)
    Network Shells Michael Smith Image: https://commons.wikimedia.org/wiki/File:Network-connections.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png Management at a distance (netsh) Netsh: Configure DHCP servers with netsh -r RemoteMachine -u domain\username [RemoteMachine] netsh>interface [RemoteMachine] netsh interface>ipv6 [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (netsh) Netsh: Configure DHCP servers with netsh Location-r RemoteMachine -u domain\username Hierarchical [RemoteMachine] netsh>interfacecontext Simpler [RemoteMachine] netsh interface>ipv6 commands [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (WSMan) WSMan (in Powershell): Manage Windows remotely with Set-Location -Path WSMan:\SERVER01 Get-ChildItem -Path . Set-Item Client\TrustedHosts *.domain2.com -Concatenate Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/about/about_wsman_provider
    [Show full text]
  • Netsh Commands William John Holden 2014­04­11 (Version 2) Interface Configuration Configure an Ipv4 Address with Subnet Mask and Default Gateway
    Netsh Commands William John Holden 2014­04­11 (version 2) Interface Configuration Configure an IPv4 address with subnet mask and default gateway. Omitted netmask implies classful addressing. netsh int ipv4 set address "Local Area Connection" static 192.168.1.3 255.255.255.0 192.168.1.1 Remove an IPv4 address and default gateway from an interface. netsh int ipv4 del address "Local Area Connection" 192.168.1.3 192.168.1.1 You can add more than one IP address to an interface. Additional addresses don't show up in ipconfig without /all. netsh int ipv4 add address "Local Area Connection" 192.168.1.4 Add a global unicast IP with prefix. Prefix is optional and defaults to /64. netsh int ipv6 set address "Local Area Connection" 2001:beef::1/64 Add a link­local IP to an interface. See the similarity to above? netsh int ipv6 add address "Local Area Connection" fe80::6 Delete the IP. Remove a link­local IP the same way. netsh int ipv6 del address "Local Area Connection" 2001:beef::1 Set an IPv6 default route. netsh int ipv6 add route ::/0 "Local Area Connection" fe80::3 Delete the default route. netsh int ipv6 delete route ::/0 "Local Area Connection" fe80::3 Reset Configuration Reset interface configuration completely (requires restart): netsh int ipv6 reset all netsh int ipv4 reset all shutdown ­r ­t 0 Verification (“show commands”) netsh has several commands that are very similar to ipconfig, route print (netstat ­r), netstat ­a, and getmac. Poke around netsh int ipv4 show ? and you’ll find lots of interesting stuff.
    [Show full text]
  • How to Cheat at Windows System Administration Using Command Line Scripts
    www.dbebooks.com - Free Books & magazines 405_Script_FM.qxd 9/5/06 11:37 AM Page i How to Cheat at Windows System Administration Using Command Line Scripts Pawan K. Bhardwaj 405_Script_FM.qxd 9/5/06 11:37 AM Page ii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc.“Syngress:The Definition of a Serious Security Library”™,“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
    [Show full text]
  • How Will You Troubleshoot the Issue? What Are the Steps to Followed? A
    1. A user in a corporate network contacts service desk saying he/she has lost network connectivity: How will you troubleshoot the issue? What are the steps to followed? A. First I will check the network cable is plugged in or not. Then check the network connections and the ip address is assigned or not. Then check connecting to website or not. IP conflict. 2. A User calls in and complains that her computer and network is running very slow. How would go about troubleshooting it? A. 3. How would you create an email account for a user already in AD? A. Open Microsoft Outlook if you are using office 2000, and click on "Tools" tab. Go to "Email Accounts". There you can find two option like Email and Directory. Click on "Add a new Account" and click next. If you are using Exchange Server then click over there, this depends on that particular Organization. According to the their setup you have to choose. And if you are using POP3 server then next popup will come along with your name, email address POP3 and SMTP IP address, Password etc. and after that click on Next and finish it..... 4. A PC did not receive an update from SMS. What steps would we take to resolve this? A. If SMS not updated in client system. 1. Need to check system getting IPaddress or not. 2. Need to check system in domain or not 3.Ensure that windows firewall should be off. 5. How do you set the IP address by using the command prompt A.
    [Show full text]
  • Command-Line IP Utilities This Document Lists Windows Command-Line Utilities That You Can Use to Obtain TCP/IP Configuration Information and Test IP Connectivity
    Guide to TCP/IP: IPv6 and IPv4, 5th Edition, ISBN 978-13059-4695-8 Command-Line IP Utilities This document lists Windows command-line utilities that you can use to obtain TCP/IP configuration information and test IP connectivity. Command parameters and uses are listed for the following utilities in Tables 1 through 9: ■ Arp ■ Ipconfig ■ Netsh ■ Netstat ■ Pathping ■ Ping ■ Route ■ Tracert ARP The Arp utility reads and manipulates local ARP tables (data link address-to-IP address tables). Syntax arp -s inet_addr eth_addr [if_addr] arp -d inet_addr [if_addr] arp -a [inet_address] [-N if_addr] [-v] Table 1 ARP command parameters and uses Parameter Description -a or -g Displays current entries in the ARP cache. If inet_addr is specified, the IP and data link address of the specified computer appear. If more than one network interface uses ARP, entries for each ARP table appear. inet_addr Specifies an Internet address. -N if_addr Displays the ARP entries for the network interface specified by if_addr. -v Displays the ARP entries in verbose mode. -d Deletes the host specified by inet_addr. -s Adds the host and associates the Internet address inet_addr with the data link address eth_addr. The physical address is given as six hexadecimal bytes separated by hyphens. The entry is permanent. eth_addr Specifies physical address. if_addr If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used. Pyles, Carrell, and Tittel 1 Guide to TCP/IP: IPv6 and IPv4, 5th Edition, ISBN 978-13059-4695-8 IPCONFIG The Ipconfig utility displays and modifies IP address configuration information.
    [Show full text]
  • 10 Windows Server 2008 Netsh Commands You Should Know Page 1 of 7
    10 Windows Server 2008 Netsh commands you should know Page 1 of 7 Are you monitoring your network 24/7? Automated server and network monitoring. Monitors all aspects of your Windows and Linux servers, workstations and devices. Download a free 30-day trial! - www.gfi.com/nsm/ 10 Windows Server 2008 Netsh commands you should know Taking a look at ten Netsh commands that every Windows administrator should know. z Published: Aug 26, 2008 z Updated: Aug 26, 2008 z Section: Articles & Tutorials :: Windows Server 2008 z Author: David Davis z Rating: 4.1/5 - 8 Votes Introduction I have written a number of different Netsh articles and other authors have published their own Netsh articles. This just shows how important and innovative Netsh really is. In this article, I will cover 10 Netsh commands that every Windows admin should know. In my opinion. Netsh is so powerful and flexible; I cannot choose the “most important” Netsh commands as the importance of a command will vary from admin to admin. What I can do is to choose the 10 commands that I feel will either show you valuable information or will help you out when you are in trouble. Keep in mind that these commands can be scripted (as they are all command line tools) so whatever you can do with just an individual command on a single machine, you could write a script to perform that command on all machines in your network. What is Netsh? Microsoft Windows Netsh is a command line scripting utility. With Netsh, you can view or change the network configuration of your local computer or a remote computer.
    [Show full text]
  • Facing the Challenge(S) of Windows Logs Collection to Leverage Valuable Iocs
    Facing the challenge(s) of Windows logs collection to leverage valuable IOCs . Michel de Crevoisier Security Analyst, Radar Cyber Security 15.10.2019, Berne © RadarServices // Classification: Public The five challenges © RadarServices // Classification: Public #1 High diversity of log sources Server Microsoft 3rd party Built-in roles software software Advanced Threat ADFS Application Analytics (ATA) Ivanti software Certification authority Exchange PowerShell Kaspersky DHCP server Skype Security DNS server SQL Server Veeam Backup System IIS web server SYSMON […] […] NPS Radius Defender © RadarServices // Classification: Public 3 #2 Different log extensions EVTX ETL TXT (standard Windows logs (analytical logs, like DNS (IIS, NPS, DHCP, in XML format) Server or PowerShell) PowerShell Transcript, former DNS logs) © RadarServices // Classification: Public 4 #3 Multiple architectural approaches Access method / Protocol (MS-EVEN6, RPC, WMI,…) Push vs Pull Agent vs Agentless Intermediate collector VS Direct sending to receiver Central file store vs Shared folder Managed agent VS Unmanaged agent © RadarServices // Classification: Public 5 #4 Disabled and restrictive event logs • Protected users (if configured, on DCs only) Valuable event • LSA (Local Security Authority) logs disabled • IIS web server • DNS client Event logs with • SMB server restrictive • SMB client access • IIS web server © RadarServices // Classification: Public 6 6 #5 Operational constraints Security Data exchange Performance Configuration Environment • Avoid usage of • Data
    [Show full text]
  • To Contact Your Nearest Click&Decide Partner, Click Here
    Click&DECiDE NSI & BAI | KBA Knowledge Base Article: Article 216 How to use fixed ports for WMI through firewalls for NSI WMI Centralized Server v10 Date: November 5th, 2010 Problem: The WMI Centralized Server in NSI needs to connect to the Microsoft WMI agent of a machine to get WMI information. By default, the first call is done in DCOM through the TCP port 315; then DCOM allocate dynamic ports to continue the communication. When this flow has to cross firewall, dynamic port is not acceptable, fixed ports must be used. So, remote server that will spied by the NSI WMI Centralized Server should be configured as below. 1. Solution for Remote Windows 2003 Servers DCOM Settings Start Component services management from Administration tools: Contact us: E-mail: [email protected] Tel: +33 (0)4 67 84 48 00 Headquarters: Click&DECiDE 130, rue du Baptistou - 34980 St Gély du Fesc, France. www.clickndecide.com To contact your nearest Click&DECiDE partner, click here. Business Application Intelligence | FAQ Right click my computer, then click properties and select default protocol as below: Then, click on properties and create a range of ports for intranet network: 5001 to 5010 per example. 2 Contact us: E-mail: [email protected] Tel: +33 (0)4 67 84 48 00 Headquarters: Click&DECiDE 130, rue du Baptistou - 34980 St Gély du Fesc, France. www.clickndecide.com To contact your nearest Click&DECiDE partner, click here. Business Application Intelligence | FAQ FIREWALL Settings Open TCP ports you just have set in DCOM Settings plus TCP 135 for initial DCOM communication.
    [Show full text]
  • Monitoring Malicious Powershell Usage Through Log Analysis
    Monitoring malicious PowerShell usage through log analysis Jesper Magnusson Computer Science and Engineering, master's level 2019 Luleå University of Technology Department of Computer Science, Electrical and Space Engineering (This page is intentionally left almost blank) Abstract Security has become a hot topic around the world but focuses more on the perime- ter than inside networks which opens up vulnerabilities. Directed cyber-attacks towards the energy sector which leverages this fact has increased and can have dis- astrous effect, even on national level. To counter this, a solution to monitor the usage of the most powerful and popular built-in tool among attackers - PowerShell - was implemented. A test-bed was set up reflecting a corporate network with two separate active directory domains, one for office clients and one for critical infrastructure. It was shown that attackers only needed to overtake the office active directory domain in order for gain easy access to the critical active directory domain. To simulate attacks of this type, a collection of malicious scripts was gathered from which a number of possible scenarios for taking over the office active directory domain via PowerShell was created. Windows has several options for logging executions of PowerShell commands on machines. The one used and deemed most beneficiary was "Module logging" with the addition of a filtered result of process creation logs. To monitor the logs created on the office client from PowerShell executions, a system based on the "ELK stack" was set up. This system gathered, processed, stored and visualized logs along with the result of their analysis. The system analyzed logs with the aid of a custom software called "ESPSA" which based on different parameters and contexts assigned every execution with a risk value indicating the level of maliciousness.
    [Show full text]
  • Windows Server 2008 Essentials Installation, Deployment and Management
    Windows Server 2008 Essentials Installation, Deployment and Management Windows Server 2008 Essentials Windows Server 2008 Essentials – First Edition © 2009 Techotopia.com. This eBook is provided for personal use only. Unauthorized use, reproduction and/or distribution strictly prohibited. All rights reserved. 2 © 2009 Techotopia.com Windows Server 2008 Essentials Table of Contents Chapter 1. About Windows Server 2008 Essentials ................................................................. 11 Chapter 2. Windows Server 2008 Editions and System Requirements .................................... 12 2.1 Windows Server 2008 Standard Edition ........................................................................ 12 2.2 Windows Server 2008 Enterprise Edition ...................................................................... 12 2.3 Windows Server 2008 Datacenter Edition ..................................................................... 12 2.4 Windows Web Server 2008 ............................................................................................ 13 2.5 Windows Server 2008 Features Matrix .......................................................................... 13 2.6 Windows Server 2008 Hardware Requirements............................................................ 15 Chapter 3. Performing a Clean Windows Server 2008 Installation .......................................... 17 3.1 Obtaining Windows Server 2008 ................................................................................... 17 3.2 Starting the Installation
    [Show full text]
  • Secrmmcentral Administrator Guide
    Security Removable Media Manager secRMMCentral for AD domain environments Version 9.9.24.0 (March 2020) Protect your valuable data secRMMCentral Administrator Guide © 2011 Squadra Technologies, LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Squadra Technologies, LLC. If you have any questions regarding your potential use of this material, contact: Squadra Technologies, LLC 7575 West Washington Ave Suite 127-252 Las Vegas, NV 89128 USA www.squadratechnologies.com email: [email protected] Refer to our Web site for regional and international office information. TRADEMARKS Squadra Technologies, secRMM are trademarks and registered trademarks of Squadra Technologies, LLC. Other trademarks and registered trademarks used in this guide are property of their respective owners. Disclaimer The information in this document is provided in connection with Squadra Technologies products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Squadra Technologies products. EXCEPT AS SET FORTH IN Squadra Technologies's TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, Squadra Technologies ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
    [Show full text]
  • Nsa-Windows-Event
    National Security Agency/Central Security Service Information Assurance Directorate Spotting the Adversary with Windows Event Log Monitoring February 28, 2013 A product of the Network Components and Applications Division TSA-13-1004-SG Contents 1 Introduction .......................................................................................................................................... 1 2 Deployment........................................................................................................................................... 1 2.1 Ensuring Integrity of Event Logs ................................................................................................................... 2 2.2 Environment Requirements ......................................................................................................................... 3 2.3 Log Aggregation on Windows Server 2008 R2 ............................................................................................. 4 2.4 Configuring Source Computer Policies ....................................................................................................... 11 2.5 Disabling Windows Remote Shell ............................................................................................................... 16 2.6 Firewall Modification ................................................................................................................................. 16 2.7 Restricting WinRM Access .........................................................................................................................
    [Show full text]