Cyber Security Blog of Chris Dale

  • Detecting if Volume Shadow Copies have been explicitly disabled through the registry

    Ransomware is very fond of disabling Volume Shadow Copies when infecting targets. Here is a script to remotely detect whether Volume Shadow Copies have been disabled. First, we use PsExec from Microsoft Sysinternals and a local reg query command. This is useful if you only have a list of IP addresses, not hostnames of the…

  • Mapping attack surface for Ransomware / Cryptolocker

    With all the ransomware hitting everyone, everywhere, I decided to share my scripts on how I map the attack surface for internal threats, and by extension ransomware / cryptolocker. It is not fully automated yet, but hopefully sharing this will give people the right ideas, and perhaps some might even automate it. For now, this only…

  • Using PowerShell to fetch file hashes with multiple algorithms

    You might need to check file hashes across multiple directories and across multiple algorithms, e.g. verifying all files' hash sums against both MD5 and SHA1. This is an example of how to accomplish such a task using PowerShell. The command you run is: gci -Recurse | select FullName |…
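    The post does this in PowerShell; as an added example that is not the post's own script, here is the same idea in POSIX sh using the GNU coreutils *sum tools (md5sum, sha1sum, sha256sum), producing one manifest for several algorithms and verifying a tree against it later. Directory names, file contents and the algorithm list are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the post's PowerShell: hash every file under a tree with
# several algorithms using the GNU coreutils *sum tools, then verify a tree
# against the stored manifest. Requires md5sum/sha1sum-style tools on PATH.
set -eu

# hash_tree DIR ALG...
# Prints one sorted line per (algorithm, file): "<alg>  <hex digest>  <path>".
# Usage: hash_tree /evidence md5 sha1 > manifest.txt
hash_tree() {
    dir=$1; shift
    for alg in "$@"; do
        # -print0 / -0 keeps file names with spaces intact; each *sum tool
        # emits "<digest>  <path>", which we prefix with the algorithm name.
        find "$dir" -type f -print0 | xargs -0 "${alg}sum" | sed "s/^/$alg  /"
    done | sort
}

# verify_tree DIR MANIFEST
# Recomputes the manifest with the same algorithms and diffs it against the
# stored one: exit 0 if every digest still matches; otherwise the changed,
# added or removed lines are printed and the exit status is non-zero.
verify_tree() {
    dir=$1; manifest=$2
    # Algorithms are read back from the manifest's first column.
    algs=$(cut -d' ' -f1 "$manifest" | sort -u | tr '\n' ' ')
    # shellcheck disable=SC2086  # word splitting of $algs is intended
    hash_tree "$dir" $algs | diff "$manifest" -
}
```

    Generate the manifest once, store it somewhere the target cannot modify, and rerun verify_tree after an incident; a file that has been encrypted or replaced shows up as a differing digest line for every algorithm in the manifest.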

  • Remotely lock a computer, and prevent the user from logging back in

    Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on it. For example, if someone is using a terminal to hack something, you need to secure the running terminals to capture the commands that have been run. It is quite simple to accomplish this, as…

  • SANS Holiday Hack Challenge 2016 write up

    Brilliant CTF by the Counter Hack team as usual. Tons of good fun, awesome challenges and a great story to go with it. What's not to like? Here's a quick write-up of the answers I produced for the 2016 challenge. 1) What is the secret message in Santa's tweets? I wrote a simple JavaScript snippet to extract…

  • Finding files and grepping for information

    Sometimes you have to find interesting files, then grep through those specific files dynamically. With Linux this is as easy as: find . -name "<pattern>" -exec grep -i -H "<string>" {} \; This will simply recursively look for the files you want to find, e.g. *.txt, and for each file found, grep that file for whatever…
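    As an added example (not code from the original post), the one-liner above wrapped in a function, next to a -print0/xargs -0 variant that survives spaces in file names and runs grep once per batch rather than once per file. The sample directory tree it is run against is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: "find the files, then grep inside
# each" as reusable shell functions, plus a constructed sample tree.
set -eu

# find_grep PATTERN STRING [DIR]
# Same shape as the post's one-liner: find files whose name matches PATTERN,
# grep each one case-insensitively, print matches prefixed with the file name.
find_grep() {
    pattern=$1; needle=$2; dir=${3:-.}
    find "$dir" -type f -name "$pattern" -exec grep -i -H -- "$needle" {} \;
}

# find_grep_fast PATTERN STRING [DIR]
# Same result, but NUL-separated so spaces/newlines in names are safe, and grep
# is started once per batch of files. "|| true" keeps "no matches" (grep exit 1)
# from aborting a script that runs under set -e.
find_grep_fast() {
    pattern=$1; needle=$2; dir=${3:-.}
    find "$dir" -type f -name "$pattern" -print0 | xargs -0 grep -i -H -- "$needle" || true
}

# make_sample: builds a throwaway tree (constructed content, for demonstration
# only) and prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sub dir"
    printf 'db_password=Hunter2\n' > "$d/config.txt"
    printf 'nothing here\n' > "$d/notes.txt"
    printf 'PASSWORD: letmein\n' > "$d/sub dir/old notes.txt"
    printf 'password=ignored\n' > "$d/secrets.log"   # not *.txt, must not match
    echo "$d"
}

# count_matches PATTERN STRING DIR: number of matching lines, for checking results.
count_matches() {
    find_grep_fast "$1" "$2" "$3" | wc -l | tr -d ' '
}
```

    Both functions pass the search string after "--", so a needle beginning with a dash (say, "-----BEGIN RSA") is not misread by grep as an option.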

  • Slow DNS enumeration

    Fierce is an excellent tool for doing DNS reconnaissance, i.e. querying the DNS server to reveal potential domain names. I've seen some setups where the enumeration has gone horribly slow. If your DNS enumeration tool is going slow, fire up tcpdump and inspect the DNS traffic: tcpdump -i <interface> -nn port 53 Normally…

  • Hassles and concerns upgrading from Windows 10 Home to Pro

    Windows 10 Pro supports some features that are nice to have, especially if you like to take advantage of more of your OS than the Home edition allows for. Windows Store changes my local account to an online account: the Windows Store application requires you to sign in with your MSDN account. Once you've…

  • Phish claiming your domain is about to be registered on Asian TLDs

    If you get an email from someone claiming that your domain is about to be registered on Chinese and other Asian top-level domains, don't worry. This is very likely a scare tactic to get you to buy their domain at a high price. Ignore it, and move on. Here's an example: Dear CEO, (If you…

  • Cipher and Password Bruteforcing with OpenSSL

    Ever had to crack something, but you don't know the cipher? Sometimes the encrypted text gives you clues about which encryption algorithm has been used, but not always. For those cases, the script I discuss in this post might be useful. Brute-forcing the cipher type might be the only way to…
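    The post's own script is not on this page; as an added example, here is a minimal cipher-plus-password brute forcer for blobs produced by "openssl enc". It tries every (cipher, password) pair from a short candidate list and a wordlist, and decides on a hit by looking for a known plaintext marker rather than trusting the exit status. The cipher list, the wordlist, the marker and the challenge file are all constructed assumptions; PBKDF2 key derivation is assumed, so drop "-pbkdf2" to target files made with the legacy default.

```sh
#!/bin/sh
# Added example, not the post's script: brute-force the symmetric cipher and
# passphrase of an "openssl enc" blob. Requires the openssl CLI (1.1.1+ for -pbkdf2).
set -eu

# Candidate ciphers are an assumption; extend from `openssl enc -ciphers`.
CIPHERS="aes-128-cbc aes-192-cbc aes-256-cbc des-ede3-cbc camellia-128-cbc"

# crack_openssl ENCRYPTED_FILE MARKER WORDLIST
# Prints "<cipher> <password>" for the first pair whose plaintext contains MARKER.
crack_openssl() {
    blob=$1; marker=$2; wordlist=$3
    for cipher in $CIPHERS; do
        while IFS= read -r pw; do
            # A wrong key usually fails the padding check ("bad decrypt"), but about
            # 1 in 256 wrong keys pads correctly and yields garbage, so match on the
            # marker, not on the exit status. -a lets grep search binary output.
            if openssl enc -d "-$cipher" -pbkdf2 -pass "pass:$pw" -in "$blob" 2>/dev/null \
                 | grep -a -q -- "$marker"; then
                echo "$cipher $pw"
                return 0
            fi
        done < "$wordlist"
    done
    echo "no (cipher, password) pair matched" >&2
    return 1
}

# make_challenge: constructed target (assumed values, for demonstration only).
# Encrypts a known plaintext, writes a small wordlist, prints the work directory.
make_challenge() {
    d=$(mktemp -d)
    printf 'FLAG{example} this is the secret text\n' > "$d/plain.txt"
    openssl enc -aes-256-cbc -pbkdf2 -pass pass:winter2016 \
        -in "$d/plain.txt" -out "$d/secret.enc"
    printf '%s\n' password letmein winter2016 hunter2 > "$d/words.txt"
    echo "$d"
}
```

    The cost is one openssl process per (cipher, password) pair, so this is only practical for short wordlists; for a real job, narrow the cipher list first (the 16-byte "Salted__" header and the ciphertext length modulo the block size already rule candidates out) and hand the surviving candidates to a proper cracker.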
