├── CFP101
│   ├── CFP 101.pdf
│   └── readme.md
├── CTIAThreatIntelStoryTelling​
│   ├── ISSessions_CTI.pdf
│   └── readme.md
├── DetectingTheNotPowershellGang
│   ├── NotPowershell_Mangatas_BTV.pdf
│   └── readme.md
├── DetectionOrientedModellingFramework
│   ├── IDSECCONF2023_DetectionOrientedModellingFramework.pdf
│   └── readme.md
├── HowToUnATTACKYourATTACKProgram
│   ├── HTUYAP_EUATTACK.pdf
│   └── readme.md
├── HuntingImmaturityModel
│   ├── HIM-Draft-Short.pptx
│   ├── LOGO.png
│   ├── him 2 - filled with level name.png
│   ├── him-stages.png
│   └── readme.md
├── JobSeekerOfInfoSec
│   ├── JSOIS-HOPE-FINAL.pdf
│   ├── JSOIS_ISSessions.pdf
│   └── readme.md
├── KnockingOnCloudsDoor
│   ├── AzulaDemo.m4v
│   ├── Knocking on Clouds Door - Mangatas - SANS.pdf
│   └── readme.md
├── OldMicrosoftHadAFarm-LOLBAS
│   ├── ISS-LOLBAS-DEMO.flv
│   ├── ISS-LOLBAS-FINAL.pdf
│   ├── Scripts
│   │   └── recon.ps1
│   └── readme.md
├── README.md
├── TheWorldOfInfoSec
│   ├── TWOIS-Mangatas.pdf
│   └── readme.md
└── UnveilingTheNotPowerShellCult
    ├── UnveilingTheNotPowerShellCult-task_kmanager.pdf
    ├── readme.md
    └── reference.md

--------------------------------------------------------------------------------
/CFP101/CFP 101.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/CFP101/CFP 101.pdf

--------------------------------------------------------------------------------
/CFP101/readme.md:
--------------------------------------------------------------------------------
This folder is for the CFP 101 presentation I made for the CDEF.ID July Meet Up

# TO-DO

--------------------------------------------------------------------------------
/CTIAThreatIntelStoryTelling​/ISSessions_CTI.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/CTIAThreatIntelStoryTelling​/ISSessions_CTI.pdf

--------------------------------------------------------------------------------
/CTIAThreatIntelStoryTelling​/readme.md:
--------------------------------------------------------------------------------
To Do:
Upload deck

--------------------------------------------------------------------------------
/DetectingTheNotPowershellGang/NotPowershell_Mangatas_BTV.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/DetectingTheNotPowershellGang/NotPowershell_Mangatas_BTV.pdf

--------------------------------------------------------------------------------
/DetectingTheNotPowershellGang/readme.md:
--------------------------------------------------------------------------------
Conference - Blue Team Village, DEF CON 28

Year - 2020

To-Do

--------------------------------------------------------------------------------
/DetectionOrientedModellingFramework/IDSECCONF2023_DetectionOrientedModellingFramework.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/DetectionOrientedModellingFramework/IDSECCONF2023_DetectionOrientedModellingFramework.pdf

--------------------------------------------------------------------------------
/DetectionOrientedModellingFramework/readme.md:
--------------------------------------------------------------------------------
# TO DO

--------------------------------------------------------------------------------
/HowToUnATTACKYourATTACKProgram/HTUYAP_EUATTACK.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/HowToUnATTACKYourATTACKProgram/HTUYAP_EUATTACK.pdf

--------------------------------------------------------------------------------
/HowToUnATTACKYourATTACKProgram/readme.md:
--------------------------------------------------------------------------------
To Do:

Upload Slides

--------------------------------------------------------------------------------
/HuntingImmaturityModel/HIM-Draft-Short.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/HuntingImmaturityModel/HIM-Draft-Short.pptx

--------------------------------------------------------------------------------
/HuntingImmaturityModel/LOGO.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/HuntingImmaturityModel/LOGO.png

--------------------------------------------------------------------------------
/HuntingImmaturityModel/him 2 - filled with level name.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/HuntingImmaturityModel/him 2 - filled with level name.png

--------------------------------------------------------------------------------
/HuntingImmaturityModel/him-stages.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/HuntingImmaturityModel/him-stages.png

--------------------------------------------------------------------------------
/HuntingImmaturityModel/readme.md:
--------------------------------------------------------------------------------
This folder was created for the presentation at the SANS Threat Hunting and Incident Response Summit 2020

# TO DO

Upload Presentation Deck

--------------------------------------------------------------------------------
/JobSeekerOfInfoSec/JSOIS-HOPE-FINAL.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/JobSeekerOfInfoSec/JSOIS-HOPE-FINAL.pdf

--------------------------------------------------------------------------------
/JobSeekerOfInfoSec/JSOIS_ISSessions.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/JobSeekerOfInfoSec/JSOIS_ISSessions.pdf

--------------------------------------------------------------------------------
/JobSeekerOfInfoSec/readme.md:
--------------------------------------------------------------------------------
To Do:

Upload the slides

--------------------------------------------------------------------------------
/KnockingOnCloudsDoor/AzulaDemo.m4v:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/KnockingOnCloudsDoor/AzulaDemo.m4v

--------------------------------------------------------------------------------
/KnockingOnCloudsDoor/Knocking on Clouds Door - Mangatas - SANS.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/KnockingOnCloudsDoor/Knocking on Clouds Door - Mangatas - SANS.pdf

--------------------------------------------------------------------------------
/KnockingOnCloudsDoor/readme.md:
--------------------------------------------------------------------------------
# TO-DO

- Upload Slide

--------------------------------------------------------------------------------
/OldMicrosoftHadAFarm-LOLBAS/ISS-LOLBAS-DEMO.flv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/OldMicrosoftHadAFarm-LOLBAS/ISS-LOLBAS-DEMO.flv

--------------------------------------------------------------------------------
/OldMicrosoftHadAFarm-LOLBAS/ISS-LOLBAS-FINAL.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/OldMicrosoftHadAFarm-LOLBAS/ISS-LOLBAS-FINAL.pdf

--------------------------------------------------------------------------------
/OldMicrosoftHadAFarm-LOLBAS/Scripts/recon.ps1:
--------------------------------------------------------------------------------
# Basic OS
systeminfo
wmic qfe
# Environment variables
Get-ChildItem Env: | ft Key,Value
# Connected drives
net use
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
# Current Username
whoami
# Current user privileges
whoami /priv
# Users on system
net users
dir /b /ad "C:\Users\"
Get-LocalUser | ft Name,Enabled,LastLogon
# $username is expected to be set by the caller before this line runs
Get-ChildItem C:\Users\$username -Force | select Name
# Logged in users
qwinsta
# Local groups
net localgroup
Get-LocalGroup | ft Name
# Local Administrators
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
# Registry for User Autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
# Scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
# Startup programs
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
# NICs
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
# Routes
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
# ARP Cache
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
# Active Connections
netstat -ano
# Hosts File
get-content C:\WINDOWS\System32\drivers\etc\hosts
# Network Interface configuration
netsh dump
# Get cached credentials
cmdkey /list

--------------------------------------------------------------------------------
/OldMicrosoftHadAFarm-LOLBAS/readme.md:
--------------------------------------------------------------------------------
This folder was created for the presentation at Sheridan ISSessions 2019

# TO DO

- Upload Presentation Deck
- Upload Scripts
- Create Reference Markdown

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Security Presentation
Resources from the security presentations I gave

--------------------------------------------------------------------------------
/TheWorldOfInfoSec/TWOIS-Mangatas.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/TheWorldOfInfoSec/TWOIS-Mangatas.pdf

--------------------------------------------------------------------------------
/TheWorldOfInfoSec/readme.md:
--------------------------------------------------------------------------------
# TODO

- Upload PDF file

--------------------------------------------------------------------------------
/UnveilingTheNotPowerShellCult/UnveilingTheNotPowerShellCult-task_kmanager.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tas-kmanager/SecurityPresentation/9fb7a8132075e1d629fb8bfd072c98362d244226/UnveilingTheNotPowerShellCult/UnveilingTheNotPowerShellCult-task_kmanager.pdf

--------------------------------------------------------------------------------
/UnveilingTheNotPowerShellCult/readme.md:
--------------------------------------------------------------------------------
This folder was created for the presentation at Hackfest 2019

# TO DO

* ~~Upload Presentation Deck~~
* ~~Create Reference Markdown~~

--------------------------------------------------------------------------------
/UnveilingTheNotPowerShellCult/reference.md:
--------------------------------------------------------------------------------
# Reference Document
From the Unveiling the Not-PowerShell Cult presentation

## Not-PowerShell Tools

### InvisiShell

* Github: InvisiShell - https://github.com/OmerYa/Invisi-Shell
* DerbyCon 2018: InvisiShell Presentation - http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-15-goodbye-obfuscation-hello-invisi-shell-hiding-your-powershell-script-in-plain-sight-omer-yair

### PowerShDLL

* Github: PowerShDLL - https://github.com/p3nt4/PowerShdll

### PowerLessShell

* Github: PowerLessShell - https://github.com/Mr-Un1k0d3r/PowerLessShell

### NoPowerShell

* Github: NoPowerShell - https://github.com/bitsadmin/nopowershell
* Medium: NoPowerShell Cobalt Strike Detection (Olaf Hartong) - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
* F-Secure: Detecting Malicious .NET Part 1 - https://blog.f-secure.com/detecting-malicious-use-of-net-part-1/
* F-Secure: Detecting Malicious .NET Part 2 - https://blog.f-secure.com/detecting-malicious-use-of-net-part-2/

### PowerLine

* Github: PowerLine - https://github.com/fullmetalcache/PowerLine

### SharpPick

* Github: SharpPick - https://github.com/TheKevinWang/SharpPick

## Logging Tools

### Windows Logs

* Microsoft: Windows Event Log - https://docs.microsoft.com/en-us/windows/win32/wes/windows-event-log
* Microsoft: Using Windows Event Log - https://docs.microsoft.com/en-us/windows/win32/wes/using-windows-event-log

### Sysinternals Sysmon

* Microsoft: Download Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
* Binary Defense: Sysmon and ETW - https://www.binarydefense.com/using-sysmon-and-etw-for-so-much-more/

### Event Tracing for Windows (ETW)

* Microsoft: Adding ETW to Message Analyzer - https://docs.microsoft.com/en-us/message-analyzer/adding-a-system-etw-provider
* Palantir: Tampering with ETW - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
* Microsoft: Intrusion Detection with ETW Part 1 - https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-1/
* Microsoft: Intrusion Detection with ETW Part 2 - https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-2/
* Microsoft: ETW in CLR - https://docs.microsoft.com/en-us/dotnet/framework/performance/etw-events-in-the-common-language-runtime
* DerbyCon 2017: Detecting Attacks with ETW - http://www.irongeek.com/i.php?page=videos/derbycon7/s25-tracing-adversaries-detecting-attacks-with-etw-matt-hastings-dave-hull

## PowerShell Related Information

### General Usage

* DarkOperator: PowerShell Basics - https://www.darkoperator.com/powershellbasics

### Blue Team Usage

* Crowdstrike: Investigating PowerShell - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
* Microsoft: PowerShell Loves the Blue Team - https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
* Rapid7: Defending against PowerShell Attacks - https://blog.rapid7.com/2018/09/27/the-powershell-boogeyman-how-to-defend-against-malicious-powershell-attacks/
* NSFocusGlobal: Attack and Defense Around PowerShell - https://nsfocusglobal.com/Attack-and-Defense-Around-PowerShell-Event-Logging
* HoldMyBeerSecurity: Detecting Empire - https://holdmybeersecurity.com/2019/02/27/sysinternals-for-windows-incident-response/

### Red Team Usage

* IRedTeam: PowerShell without PowerShell - https://ired.team/offensive-security/code-execution/powershell-without-powershell
* Github: Empire - https://github.com/EmpireProject/Empire
* Github: PowerCat - https://github.com/besimorhino/powercat
* Github: PowerSploit - https://github.com/PowerShellMafia/PowerSploit
* Github: Sherlock - https://github.com/rasta-mouse/Sherlock
* Github: Watson - https://github.com/rasta-mouse/Watson
* Github: Nishang - https://github.com/samratashok/nishang
* Github: PowerThief - https://github.com/nettitude/Invoke-PowerThIEf

### APTs and Malware

* FireEye: APT29 - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
* TrendMicro: Cobalt Group - https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
* CarbonBlack: Emotet - https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/

## Mitre Att&ck

* Mitre: T1086 PowerShell - https://attack.mitre.org/techniques/T1086/

--------------------------------------------------------------------------------