This browser doesn't support Spotify Web Player. Switch browsers or download Spotify for your desktop.

2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware

By Brian Boettcher, Amanda Berlin, and Bryan Brake

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection. What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, scr, bin, are set back to defaults, allow your users to be victims again, even after you've assured them they are safe to update? After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information, how and what get reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure. Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated.   Direct Download: RSS: Youtube Channel: #iTunes Store Link:  #Google Play Store:     Join our #Slack Channel! Sign up at #iHeartRadio App: #SoundCloud: Comments, Questions, Feedback: Support Brakeing Down Security Podcast on #Patreon: #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : #Stitcher Network: #TuneIn Radio App:   --SHOW NOTES--   Gough says ‘something is bad about CIS’   CIS benchmarks need revamping -- BrBr /var, /var/log in separate partitions? Password to access grub? Disable root login to serial pty? Many cloud instances and VMs don’t have serial ports (not in a traditional sense)   What’s the use case for using them? What problem will they solve? Misconfiguration? Proper logging? NTP sources?   So many, dilution possible SCAP OVAL STIG (complex as well) CIS   Infosec: how do we get IT past the “that’s good enough”, as many customers and compliance frameworks want to see ‘hardening’ done. What is a good baseline? Write your own?   How do we tell them that it’s not going to stop ‘bad guys’ ( or anyone really)? It’s not ‘security’, and it’s technically not even ‘best practices’ anymore (not all of it, anyway) On windows, they are needlessly complicated and cause more problems Roles have to be created “backup admin” Can cause unintended issues   Category            Sub Category                                      7/2008  8.1     2012    Win-7   Win-8.1 WLCS    ThisPC  Notes   Detailed Tracking   Process Termination                       NA      NA      NA      NA      NA      S/F     S Object Access       File Share                                           NA      NA      NA      NA      NA      S/F     S/F     Object Access       File System                                         NA      NA      NA      F       NA         S       S/F     Object Access       Filtering Platform Connection           NA      NA      NA      NA      NA      S       S       Object Access       Filtering Platform Packet Drop          NA      NA      NA      NA      NA      NA      NA   Log Sizes: ------------- Security - 1 GB Application – 256MB System – 256MB PowerShell/Operational – 512MB – 1 GB v5 Windows PowerShell – 256MB TaskScheduler – 256MB   Log Process Command Line                                             (5)     (5)     (5)     (5)     (5)     Yes     Yes ------------------------------------------------------------------------------------------------------------------------- PowerShell Logging v5                                                    (5)     (5)     (5)     (5)     (5)     Yes     Yes ------------------------------------------------------------------------------------------------------------------------- TaskScheduler Log                                                          (5)     (5)     (5)     (5)     (5)     (1)     Yes -----------------------------------------------------------------------------------------------------------------   (5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item

Listen to 2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware now.

Listen to 2017-029-CIS benchmarks, Windows Update reverts changes used to detect malware in full in the Spotify app