Just Another IT Security Blog

This is a post I've been thinking about writing for some time now as I was sitting at work one day. Why not use a tool we already have to do some IR on a suspect system? We have Nessus and we use it to scan systems all over the network so I know I can log into the system remotely. This would save me time and speed up my preliminary investigations. I mean Nessus already has plenty of plugins that will report on useful IR information just people have probably never thought to use it that way. So here are the plugins I've come up with to try and do some preliminary IR with Nessus. Here is a list of the information that I need: - Running Processes 70329 Microsoft Windows Process Information - Active Connections 34220 Netstat Portscanner (WMI) 58651 Netstat Active Connections 64582 Netstat Connection Information - AutoRuns (Checking for persistence) 70615 Microsoft Windows AutoRuns Boot Execute 70621 Microsoft Windows AutoRuns Logon 70625 Microsoft Windows AutoRun Sch...

A few of weeks ago I took SANS 560 Network Penetration Testing and Ethical Hacking course. It was an awesome course and I had a lot of fun completing the exercises and practical. I gave myself a week to study for the exam and scheduled the GIAC GPEN exam for the following Monday.  I studied a couple of hours each night trying to finish at least one of the 5 books a night. When the day came I felt ready. The exam is open book so I took all my materials in the event I couldn't remember something and had to look it up. I scored an 87% and was extremely happy having passed the exam. There were a few questions I had to look up but not many so I feel comfortably that I know the material. For anyone looking to taking the GIAC GPEN I have a few recommendations. Take the course, whether that is live, online or by some other means that SANS offers as I feel it is well worth it. Prior to the exam give yourself a few hours each night to study at least one section at a time and re-read the pa...