Oct 12

Reliably Detecting Pass the Hash Through Event Log Analysis

At BDS we have the unique ability to pull large subsets of data in order to identify abnormal patterns in environments. With Binary Defense Vision, the endpoint is one of the easiest ways for us to identify compromises within an organization and we continue to add better detection capabilities every day. One of the many features we have within Vision is the ability to detect Pass the Hash (PtH) through multiple methods. I recently presented one of the methods we use for Pass the Hash detection at this year’s GrrCon. The point of this detection is not to focus on a tool, but rather the behavior of a specific indicator within a network and patterns that are abnormal.

Jan 21

New Tool Release: GoatRider - OTX, Artillery, and Alexa lookups

During incident response practices, you may need to quickly look up some abnormal activity. While using feeds such as Artillery and OTX is far from a bulletproof method, these feeds can quickly help identify known C2 or malicious IPs or hostnames. The purpose of GoatRider is to make it simple to look through multiple sources quickly and determine if there's anything abnormal in a hostname or IP address list.

Dec 14

Tool Update: Auto-OSSEC + MSI Builder

Defend. Protect. Secure.

Oct 05

Tool Release: Auto-OSSEC - automated OSSEC deployment

We often get customers that prefer to use OSSEC as an endpoint detection and FIM agent. Regardless of what SIEM is in place, a lot of them have OSSEC integration. AlienVault in particular also has the ability to fully integrate and control OSSEC agents. Regardless of whether you are using OSSEC with a SIEM, standalone, or another method, the biggest pain for mass deployment in an organization is the ability to automatically provision agents. The way OSSEC works is by first installing OSSEC as a server, then deploying the agents. The agents require a key from the server in order to pair with the server and transmit logs.

May 12

Mick Douglas joins the BDS Family!

Binary Defense Systems (BDS) is happy to announce that Mick Douglas (@bettersafetynet) is joining the team. Mick is coming in as the Practice Lead for the Incident Response (DFIR) team. Mick currently teaches the SANS SEC504 and SEC550 courses and brings additional capabilities to the BDS team. Mick is going to be closely helping with DFIR as well as improving detection of attackers within BDS customers and product lines. Additionally, Mick will be responsible for special projects and general defensive ninja stuff.

Feb 10

Anthem Phishing Schemes - Beware

BDS has been actively monitoring multiple phishing campaigns utilizing the Anthem breach as a pretext for attack. The primary motivation of the fraudsters is to obtain social security numbers and credit card information from the victims who enter their information on the website. When investigating the website, no malicious software, exploits, or downloaders were identified, only the pages built to collect personal information.

Feb 10

Artillery 1.4 Released - New major features

Binary Defense Systems (BDS) is proud to announce the release of Artillery version 1.4. This version adds several new features. The first is the ability to hook into multiple threat intelligence feeds and incorporate that into the normal banlist threat intelligence feeds from Artillery. The inspiration came from Deep Impact (@DeepImpactIO) and a blog post written here: http://www.deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds. With Artillery, there are new configuration options available that allow you to specify multiple source feeds outside of Artillery's threat intelligence feeds. In order to enable these feeds, edit the Artillery config and change the option to ON (which is default now):

Feb 09

Active Phishing Campaign with PowerShell Injection

Sending phishing emails with attachments is nothing new; however, there has been a significant decline in attacks that rely on attachment exploitation due to heavy SMTP content filtering. Most of the attacks have focused on malicious links and websites. A common phishing campaign uses delayed or returned packages from USPS/FedEx/UPS in order to entice victims to click a link (a very old campaign). We've seen some pretty horrible attempts in the past, for example sending zip files with exes and PDF downloaders.

Nov 11

Artillery version 1.3 released - new features and bug fixes.

Artillery version 1.3 is now released. This version incorporates a number of new features and bug fixes. Most specifically, when it comes to timestamps for events, all events now include timestamp data when logging to remote syslog, local syslog, and file formats. This also includes when starting, stopping, or restarting Artillery. An example of this can be found below:

Nov 10

Project Artillery - Now a Binary Defense Project!

Artillery was a tool I created a number of years ago to provide early warning indicators and open source threat intelligence feeds. It's gotten a lot of momentum over time and lots of folks contributing to it. Today I am shifting Project Artillery to a much better home, our sister company Binary Defense Systems (BDS) https://www.binarydefense.com. What this means is that Artillery will get a significant amount of attention, development, and enhancements from a full staff of developers versus just me focusing on it when I had time. Artillery will still and always be 100% open source and a project for the community. Artillery is only going to get better, with a much larger focus on continuing to be an amazing tool that just gets better with time.
