What can I say, I'm a shameless self promoter: http://www.irongeek.com/i.php?page=videos/incident-response-u3-switchbla de
Of course for this to match to John's rules, you have to remove the Sysinternals tools, which are free but TECHNICALLY have no redistribution license so I guess they don't really conform. The scripting for the evidence collection process can all be launched from the command line though (and 90% of it involves no 3rd party tools, just good old DOS fu). From: [email protected] [mailto:[email protected]] On Behalf Of John Strand Sent: Tuesday, July 28, 2009 7:55 AM To: PaulDotCom Security Weekly Mailing List Subject: [Pauldotcom] Blue Team Tactics Please! PSW land! Share your Blue Team tactics! What tools, scripts, and techniques do you use as part of Incident Response and Blue Team Activities? I have sat in on one to many Red/Blue/CTF games where the Red team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Able, Ettercap, Dsniff, Hydra, 0phcrack, Nmap, BT4 and various torture techniques (including IronGeek's rubber hoses) and the the Blue team gets.... "An un-patched Windows 2000 box and a slew of un-patched software!!!!!'' Please see the following video for reference: http://www.youtube.com/watch?v=Y77n--Af1qo <http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo08JlKrp3-nMNIX 4OhAU3zxQ2Vsgth5GCXZuWrWbPNEVhsdTdHqSuxmqVsxlK5LE2xfBJrfgHdvBPrwVBMSyCMY eussud79JCVIQJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76Qjq9JwsqekPhOyqejh OrZav_q7AuljWD> Yea.. Thats right.... As of today the Blue Team is what you get assigned to when you are caught stuffing peas up your nose. This stops today!!! There are a few rules. Tricks and scripts must be able to run at the command line of your operating system of choice and all tools must be freeware or open source. Thats it!!! Look, the Blue Team can rock!!! So please share your tricks. I am going to collect and add to them so we have a solid list and this will serve as the playbook for the Blues going forward. Be expecting this on the PDC site soon. strandjs
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
