Skip to main content


Showing posts from May, 2008

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

Senior SANS Instructor
GSE #15
Internet Storm Center Handler
Penetration Testing and Incident Response Consultant
Technical Advisor to DoD for The SANS Institute
Founding President of the Greater Augusta ISSA
Cofounder of BSidesAugusta Security Conference

FREQ SERVER - Tool and technique for detecting Malware Command and Control domains
DOMAIN_STATES - Tool for detecting "Baby Domains" used for phishing and Malware distribution
SRUM_DUMP - Forensics tool for extracting System Resource Utilization Monitoring artifacts
LIAM_NEESON - Proof of Concept Linux Hash Protection
HONEY_HASHES - Certainly Honey Tokens have been around since 2003 but I created a cool technique for creating fake SATs in memory that was turned into Dell Secure Works DCEPT framework.
VSSOWN - Tool & Technique for Using Microsoft Volume Shadow Copies for hiding malware and extracting artifacts
SDB Hacking - Using Application Compatibility in unexpected ways.
SET-KBLED - Utility for Managing Clevo and Sager Laptop LED Backlit Keyboards - Scapy based fragement reassembly engine - A password cracker for the EAP protocol

and more. Most of these tools are available on my github page. Follow me on twitter @markbaggett


Here are some screen captures of the Meterpreter threads running inside the Symantec SEP 11 HIPS process and inside the McAfee TOPS HIPS process.   I guess DLL injection into the HIPS process isn't a malicious enough behavior.

Both HIPS seems to do a good job of blocking network based exploits, but its still game over if a client runs malicious code or the attacker knows a valid login and password for the box.  MAYBE all is not lost.  The verdict is still out on whether or not the HIPS config can be adjusted to block this type of backdoor.  


Over the weekend the Greater Augusta ISSA (Information Systems Security Association) had a Interactive Capture the flag event.   McAfee, ASU and Elliot Davis sponsored the event providing an IPS to monitor the event, facilities and computers for attendees to use.    McAfee also hosted a flag protected by McAfee HIPS and Intrushield which no one was able to get.   But McAfee still awarded the $100 dollar prize to the individual who did capture 7 of the 9 total flags.   Over the 4 hour period I walked attendees through tactics used by our enemies to break into the systems we are paid to protect.   The event was well attended and I think it was well received.   As promised, I am placing links to some of the tools used during the event on this blog.   We may do the event again some time so I am not including the PowerPoint with the "solutions".   The presentation material will be provided to individual attendees via email and by request only.  If you attended and want a copy of …

Update: Blocking Unauthorized Devices from accessing OWA

With the help of several coworkers we are blocking the troublesome User-Agents.   Here is a way to do it:
ISAPI Rewrite is a Mod Rewrite implementation for IIS.   There is a lite and a full version available here:

So with the configuration below you can block the unauthorized blackberries.   I will edit the original post to include the solution.  For full details see the April 2008 post on the subject on this blog.
RewriteEngine  on
#Block Blackberry and other smartphones
RewriteCond %{HTTP:User-Agent}  (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*) [NC]  
RewriteRule .? -  [F,L]

Here is another approach for handling the blackberry devices which blocks it by IP address.

Googledork - Spidynamics customers

Here is a fun googledork.  It finds web pages which have been scanned with Spidynamics Webinspect with the default values.   Its an interesting customer list.  WorldBank, American Idol,  RSA Security Conference,  Oracle, NSA, etc.