How I Work


I recently saw this project shared by Adam Bertram, and decided that some of you may be interested in how I work on a day to day.

https://github.com/adbertram/HowIWorkIT/blob/master/README.md

If you’re not interested, well then why the hell are you here?  You can see others that have participated here: https://github.com/adbertram/HowIWorkIT/blob/master/ThisIsHowIWork.md

 

Where are you located?

First of all, my name is Josh Rickard and I’m located in Columbia, Missouri.  It sounds lame, but really it’s a great little town.  The population of Columbia is around 100,000 (without students).  With that being said, we have about 5 colleges/universities, so our population increases quite a bit when students are in town.

What is/are your current gig(s):

I currently work at home for PhishMe; if you’re not familiar, then check us out: http://phishme.com/.  My position at PhishMe is currently “Manager, Reporter Solutions Engineering”.  I’m a new manager, but we do anything and everything to do with the PhishMe Reporter products (an email client plugin/add-in to report suspicious messages).  When I say everything, I mean everything from customer engagement, support, troubleshooting, development, etc.

What’s one word to describe your work?

Creativity

What apps, software, or tools can’t you live without?

Without a doubt, PowerShell.  Besides that, the biggest in each category are:

  • Apps
    • Jira
    • Confluence
    • Slack (and appear.in)
  • Software
  • Tools
    • Doane Notebook and a great pen
      • I know, I may be the only one but I still carry a pen and piece of paper daily.

What does your workspace look like? (Take a picture if you can)

So, since I work at home, my workspace can get fairly messy, but I try to keep it as clean as possible (even though my wife says I don’t :))


What’s a typical workweek look like?

Since PhishMe is based on the east coast, and I live in the Midwest, I typically work in eastern time.  I’m a new manager, so my typical workweek consists of lots of project work that ranges from documentation, to building new tools (using PowerShell mostly), automating processes, moving development forward, and making sure that all our customers’ needs have been met.

What do you like the best about your role?

The best thing about my position is the ability to experiment and come up with new solutions for problems affecting our customers as well as new products.  Besides that, I love my team.  I have 8 guys underneath me and working with them has made me excited for the next work week.  We have a highly gelled team, which, as you may know, is extremely rare.

What’s something about you that no one knows about?

Some of you may know this, some of you probably not, but I went to school late in life; I’ve only been in IT for 5 1/2 years.  So you can say I’m still learning the IT way.🙂

What do you listen to while you work?

I LOVE MUSIC!!!!  Like, seriously LOVE IT! But when I work, I don’t listen to anything.  I can’t.  I’m a traditionalist and I love listening to the lyrics of music, but while I’m working I get too distracted if I try to listen to music.

What do you wish you could change about your work?

Now that I’m manager of my team, I find that I can’t focus on scripting/coding as much as I used to be able to.  I’ve really only been manager for about 3 months, so most of my time right now is focused on process improvement and making sure all our projects are moving forward.

Is there anything else you’d like to add that might be interesting to readers?

I decided to list out my career progression and some projects that I’ve worked on:

  • Helpdesk at a small college (9 months)
    • Managed Accounts
    • Ran TONS of network cable
    • Implemented wireless across small college campus (College capstone project)
  • System Support Analyst – Entry (14 months)
    • Worked at a larger University/Medical
    • Re-organized AD, GPOs, etc. for over 3,000 users/PCs
    • Learned and implemented MDT for all 3,000 users/pcs
    • GCWN (SANS Certified Windows Security Administrator)
  • System Support Analyst – Specialist (5 Months)
    • Implemented MDT for another division within the University
    • Guided a lot of initiatives that are still used today
  • Security Analyst – Specialist (24 months)
    • Hired as part of the Incident Response and Digital Forensics team for the University
    • Managed cases/investigations/etc.
    • Implemented QualysGuard Vulnerability Management for over 5,000 servers
    • Implemented/Designed Kaspersky Endpoint Security administrative console for entire campus
    • Developed automation & defense tools for protection of University assets.
  • Solutions Engineer – PhishMe (9 Months)
    • Solutions Engineer responsible for advancing development and products
    • Responsible for (ongoing) new products and solutions
    • Automate EVERYTHING!
  • Manager, Reporter Solutions Engineering
    • Responsible for global support, engagement, development and automation tools to support our global customers with more than 5.5 Million endpoints installed globally.
    • 8 employees
    • Product development, enhancements, and bug hunting.

Besides all of this, I am responsible for tons of projects which can be found on my GitHub: https://github.com/MSAdministrator

PowerShell Phishing Response Toolkit (PPRT)

Yesterday I gave a talk at ShowMeCon in St. Louis regarding PPRT.  I also gave this talk at CircleCityCon, but had some technical issues.🙂  I wanted to write this quick post to share out my PowerPoint Slides from this presentation.  If you have any questions about PPRT, please reach out via this blog or create an issue on my GitHub page: https://github.com/MSAdministrator/PPRT—PowerShell-Phishing-Response-Toolkit

Enjoy!

Slides: PowerShell Phishing Response Toolkit

PowerShell & Qualys: Get Asset Group Info – Part 2

Today I decided to write another post regarding PowerShell and Qualys Vulnerability Management API.  This post will focus on gathering information about your enrolled Asset Groups.   You can find the complete script on GitHub: https://github.com/MSAdministrator/POSH-Guard/blob/master/Get-QualysAssetGroupInformation

We start off by opening up PowerShell ISE and using our handy “Snippet” shortcut:

Ctrl + J

We select the “Cmdlet (Advanced function) – complete” option in the “Snippet” context menu.  Once we have our advanced function template, we then proceed by entering a name for our Qualys Asset Group function.

Since we will be gathering some additional information about our Asset Groups, I am going to name my function:


function Get-QualysAssetGroupInformation

Next, we will start by filling out our comment-based “Help” info.  At this point, a lot of people skip this step; I HIGHLY recommend that you do not.  It will help you, and anyone else viewing your code, understand what your intention was when writing this function.

Next, we look at the body of the advanced function template.  The first thing you will see is the default set of arguments on [CmdletBinding()].  With my function, I’m going to trim these down a bit: SupportsShouldProcess and ConfirmImpact only make sense for a function that changes something and calls $PSCmdlet.ShouldProcess(), and a read-only Get- function does neither.  Your function should look something like this when complete:

function Get-QualysAssetGroupInformation
{
    # SupportsShouldProcess/ConfirmImpact removed: this Get- function changes nothing
    # and never calls $PSCmdlet.ShouldProcess(), so -WhatIf/-Confirm would be misleading.
    [CmdletBinding(HelpUri = 'https://raw.githubusercontent.com/MSAdministrator/POSH-Guard/master/Get-QualysAssetGroupInformation')]
    Param
    (
        # Qualys API username and password, e.g. from Get-Credential.
        # Not bound from the pipeline on purpose: pipeline-bound parameters are
        # not populated yet when the Begin block (which uses $credential) runs.
        [parameter(Mandatory=$true,
                   HelpMessage="Please provide a credential object")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $credential
    )

    Begin
    {
    }
    Process
    {
    }
    End
    {
    }
}

After we have the base of this function set up and ready to go, we start by adding some code to the Begin block.  Remember, the Begin block runs exactly once per call to the function, before any pipeline input is processed, so a parameter that is bound from the pipeline is not populated there yet; pass -credential by name if you use it in Begin.

    $results = @()
    $assetGroupInfo = @()
    [xml]$assetGroupInfo = Invoke-RestMethod -Uri "https://qualysapi.qualys.com/msp/asset_group_list.php" -Credential $credential

Here I am initialising $results (and $assetGroupInfo) as empty arrays.  Invoke-RestMethod already parses an XML response body into an XmlDocument; the [xml] cast on $assetGroupInfo makes that explicit and fails fast if Qualys returns something that is not well-formed XML (an HTML error page, for instance) instead of letting the Process block loop over garbage.

If we want to make sure that any errors are caught, we should wrap the Invoke-RestMethod call in a Try/Catch block.  The Catch should surface the error rather than only logging it at debug level; otherwise a failed call quietly produces an empty report.  Your code should look like this:

    Begin
    {
        $results = @()
        $assetGroupInfo = @()

        Try
        {
            [xml]$assetGroupInfo = Invoke-RestMethod -Uri "https://qualysapi.qualys.com/msp/asset_group_list.php" -Credential $credential
        }
        Catch
        {
            # Rethrow with context: a Write-Debug here would hide the failure and the
            # Process block would silently produce an empty report.
            throw "Error using Invoke-RestMethod against the Qualys API: $_"
        }
    }

Now we move to the Process block.  This is where we parse the response into objects: for every Asset Group we want its title, its assigned IP addresses (and ranges), and the login ID and role of each user assigned to it.  To do this we loop over every ASSET_GROUP element returned by the query above (each one is an Asset Group), and inside it over every ASSIGNED_USER, producing one record per user/group pair.

Once we have that data, we create a custom PSObject for each user/group pair to hold it.  Your code should look like this:

Process
{
    foreach ($item in $assetGroupInfo.SelectNodes("/ASSET_GROUP_LIST/ASSET_GROUP"))
    {
        # SelectNodes returns a node list even when there is a single user, so this
        # also works for groups with exactly one ASSIGNED_USER (dotted access would
        # hand back a scalar there and break indexing).
        foreach ($user in $item.SelectNodes("ASSIGNED_USERS/ASSIGNED_USER"))
        {
            # InnerText reads both plain and CDATA-wrapped values, which is how
            # Qualys returns TITLE and LOGIN.
            $props = @{
                userlogin       = $user.SelectSingleNode("LOGIN").InnerText
                userrole        = $user.SelectSingleNode("ROLE").InnerText
                assetgrouptitle = $item.SelectSingleNode("TITLE").InnerText
                ip              = @($item.SelectNodes("SCANIPS/IP") | ForEach-Object { $_.InnerText })
            }

            $results += New-Object PSObject -Property $props
        }
    }
}
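To see the Process block’s parsing logic run without a Qualys account, here is an added example (my code, not code from the original post or the POSH-Guard repository) that applies the same ASSET_GROUP-to-assigned-user flattening to a constructed asset_group_list.php-style response.  The XML is made up for the example and only uses the element names the post relies on (TITLE, SCANIPS/IP, ASSIGNED_USERS/ASSIGNED_USER with LOGIN and ROLE); it deliberately includes a group with a single assigned user and a group with none, the two cases a naive indexing loop gets wrong.  The function name and sample data are my own.

```powershell
# Added example (not from the original post): the same ASSET_GROUP -> user
# flattening as the Process block, run against a constructed Qualys-style
# asset_group_list.php response so it can be exercised offline.
function ConvertFrom-QualysAssetGroupList
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [xml]$AssetGroupList
    )

    # SelectNodes always returns a node list, so a one-element result behaves
    # the same as a many-element result (unlike dotted property access).
    foreach ($group in $AssetGroupList.SelectNodes('/ASSET_GROUP_LIST/ASSET_GROUP'))
    {
        # InnerText works for both plain text and CDATA-wrapped values,
        # which is how Qualys returns TITLE and LOGIN.
        $title = $group.SelectSingleNode('TITLE').InnerText
        $ips   = @($group.SelectNodes('SCANIPS/IP') | ForEach-Object { $_.InnerText })

        $users = $group.SelectNodes('ASSIGNED_USERS/ASSIGNED_USER')
        if ($users.Count -eq 0)
        {
            # Still emit the group so unassigned groups show up in the report.
            [PSCustomObject]@{
                assetgrouptitle = $title
                ip              = $ips
                userlogin       = $null
                userrole        = $null
            }
            continue
        }

        foreach ($user in $users)
        {
            [PSCustomObject]@{
                assetgrouptitle = $title
                ip              = $ips
                userlogin       = $user.SelectSingleNode('LOGIN').InnerText
                userrole        = $user.SelectSingleNode('ROLE').InnerText
            }
        }
    }
}

# Constructed sample response (not real Qualys data); element names follow the post.
[xml]$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<ASSET_GROUP_LIST>
  <ASSET_GROUP>
    <ID>1001</ID>
    <TITLE><![CDATA[DMZ Web Servers]]></TITLE>
    <SCANIPS>
      <IP>192.0.2.10</IP>
      <IP>192.0.2.20-192.0.2.25</IP>
    </SCANIPS>
    <ASSIGNED_USERS>
      <ASSIGNED_USER>
        <LOGIN><![CDATA[acme_jr]]></LOGIN>
        <ROLE>Manager</ROLE>
      </ASSIGNED_USER>
      <ASSIGNED_USER>
        <LOGIN><![CDATA[acme_sc]]></LOGIN>
        <ROLE>Scanner</ROLE>
      </ASSIGNED_USER>
    </ASSIGNED_USERS>
  </ASSET_GROUP>
  <ASSET_GROUP>
    <ID>1002</ID>
    <TITLE><![CDATA[Lab]]></TITLE>
    <SCANIPS>
      <IP>198.51.100.0-198.51.100.255</IP>
    </SCANIPS>
    <ASSIGNED_USERS>
      <ASSIGNED_USER>
        <LOGIN><![CDATA[acme_lab]]></LOGIN>
        <ROLE>Reader</ROLE>
      </ASSIGNED_USER>
    </ASSIGNED_USERS>
  </ASSET_GROUP>
  <ASSET_GROUP>
    <ID>1003</ID>
    <TITLE><![CDATA[Orphaned Group]]></TITLE>
    <SCANIPS/>
  </ASSET_GROUP>
</ASSET_GROUP_LIST>
'@

ConvertFrom-QualysAssetGroupList -AssetGroupList $sample | Format-Table -AutoSize
```

The second group has exactly one ASSIGNED_USER and the third has none; both come out as rows, which is what you want from an access review (an asset group nobody is assigned to is worth a look on its own).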

Now, we can either simply put the following line in our End block:

return $results

But, I actually like it to be saved into an XML file. This means that I can use this data with other functions without having to call Qualys again. To be quite frank, as you may know, Qualys is not the fastest website/service out there. Don’t get me wrong, the scanning engines are fast, but their database(s) – not so much.

There is one catch with Export-Clixml: it will not create a missing folder, so create the QualysData folder on your Desktop first (New-Item -ItemType Directory -Force does it) or the export fails.  The file can be read back later with Import-Clixml without touching Qualys again.  To export the results to XML as well as return them, add the export just before returning $results:

Export-Clixml -Path "$env:USERPROFILE\Desktop\QualysData\assetgroupinfo.xml" -InputObject $results
$results

That’s it.  We now have a function that returns details about our Asset Groups within Qualys.  Next time, I will focus on creating a function that gathers our enrolled IP addresses and splits the ranges into a single list of individual addresses.

Hint: Qualys loves IP ranges (192.168.0.1-192.168.0.123) and its API calls return them the same way.🙂
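Since the post ends on the IP-range hint, here is an added example (my code, not from the original post or the author’s repository) that does the splitting the next part promises: it expands Qualys-style “start-end” strings, mixed with single addresses, into one IPv4 address per output string.  The function name, the $MaxAddresses guard and the sample range strings are my own choices.

```powershell
# Added example (not from the original post): expand the "start-end" IPv4 range
# strings that Qualys returns in SCANIPS/IP into individual addresses.
function Expand-QualysIPRange
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$IPRange,

        # Guard against a typo such as 10.0.0.0-10.255.255.255 expanding into
        # millions of strings; raise it deliberately when you really need to.
        [int]$MaxAddresses = 65536
    )

    begin
    {
        # IPv4 dotted quad -> 32-bit unsigned integer (big-endian octet order).
        function ConvertTo-UInt32 ([string]$Address)
        {
            $bytes = ([System.Net.IPAddress]::Parse($Address.Trim())).GetAddressBytes()
            if ($bytes.Length -ne 4) { throw "Only IPv4 is supported: $Address" }
            [array]::Reverse($bytes)        # BitConverter expects little-endian
            return [BitConverter]::ToUInt32($bytes, 0)
        }

        # 32-bit unsigned integer -> dotted quad.
        function ConvertFrom-UInt32 ([uint32]$Value)
        {
            $bytes = [BitConverter]::GetBytes($Value)
            [array]::Reverse($bytes)
            return ($bytes -join '.')
        }
    }

    process
    {
        foreach ($entry in $IPRange)
        {
            $parts = $entry -split '-', 2
            if ($parts.Count -eq 1)
            {
                # A lone address: normalise it through the same parser as the ranges.
                ConvertFrom-UInt32 (ConvertTo-UInt32 $parts[0])
                continue
            }

            [uint32]$start = ConvertTo-UInt32 $parts[0]
            [uint32]$end   = ConvertTo-UInt32 $parts[1]
            if ($end -lt $start) { throw "Range end precedes start: $entry" }
            if (([uint64]$end - [uint64]$start + 1) -gt $MaxAddresses)
            {
                throw "Range $entry expands to more than $MaxAddresses addresses"
            }

            # uint64 counter so a range ending at 255.255.255.255 cannot overflow.
            for ([uint64]$i = $start; $i -le $end; $i++)
            {
                ConvertFrom-UInt32 ([uint32]$i)
            }
        }
    }
}

# Constructed sample in the shape of the post's $item.SCANIPS.IP values.
$sampleScanIps = @('192.0.2.10', '192.0.2.20-192.0.2.25', '198.51.100.254-198.51.100.255')
$expanded = $sampleScanIps | Expand-QualysIPRange
$expanded          # one string per individual address
```

Converting through an unsigned integer rather than splitting octets keeps a range like 192.0.2.250-192.0.3.5 correct across the octet boundary, and the reversed-start check plus the size cap stop a mistyped range from either producing nothing or exhausting memory.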

PowerShell & Qualys: Authentication – Part 1

I always mean to post more on my blog, but as life gets in the way and work keeps me busy, I always seem to push it to the back-burner. This time, I am hoping to make it stick as a regular routine.

To kick off my new-found motivation to blog more, I am starting a series of posts surrounding PowerShell and Qualys Vulnerability Management API.

To start this off, first I’m going to share some of my basic steps for authenticating to the Qualys VM API v1. This is really basic, but I see a lot of posts around that seem to try to create some “advanced” way of authenticating to the Qualys API. You don’t need to do anything fancy.

As with all scripts/modules/etc., I suggest that you get into the habit of using PowerShell ISE and its many great keyboard shortcuts to help you get on the right path.

First, open PowerShell ISE and enter the following keyboard shortcut:


Ctrl + J

Once the “Show Snippets” context menu shows up, select “Advanced Function (Complete)”. I always recommend that you start with a ‘Complete’ Advanced Function. This makes your script look much better, and it’s all around a good idea.

Once you have the Snippet loaded, I would begin by coming up with a name; following Microsoft’s approved Verb-Noun naming convention:

Approved Verbs – https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx
Get-Verb Documentation: https://technet.microsoft.com/en-us/library/hh852690.aspx

Next, start adding a “Credential” object parameter to your code. The Qualys API uses HTTP “Basic” authentication, so using Invoke-RestMethod in combination with a “Credential” object is extremely easy. Keep in mind that Basic only base64-encodes the username and password; the https:// in the URI is the only thing protecting them in transit.

To capture your credentials into a Credential Object used by Invoke-RestMethod, you simply need the following before you run your function or within your function:


$cred = Get-Credential

Enter your Qualys API username and password.

*NOTE: Do not try to save this credential object to disk or to a file. It’s NOT hard to enter your username and password every time you connect to Qualys API.

Next, you should have the following code in your function:


# $netbios holds the NetBIOS name of the host to look up
[xml]$hostinfo = Invoke-RestMethod -Uri "https://qualysapi.qualys.com/msp/get_host_info.php?host_netbios=$netbios&general_info=1" -Credential $credential

I recommend that your $credential object should be passed into your function as a parameter. This will help when you move into more advanced interaction and multiple calls to Qualys VM API.

Now that $hostinfo holds the response cast to [xml], you can parse the data very easily with dotted property access or XPath (SelectNodes/SelectSingleNode).

In my next post I will share with you how to do this to gather some very important data for any Qualys Vulnerability Management Administrator.

If you have any questions, then please leave a comment.


function Test-QualysAuthentication
{
    <#
    .SYNOPSIS
        This function tests your Qualys VM API credentials.
    .PARAMETER Credential
        Specifies a set of credentials used to query the QualysGuard API.
    .PARAMETER Netbios
        NetBIOS name of the host to look up. The request URI below references
        $netbios, so it is taken as a parameter here.
    .EXAMPLE
        C:\PS> $cred = Get-Credential
        C:\PS> Test-QualysAuthentication -credential $cred -netbios HOST01
    #>
    [CmdletBinding()]
    param (
        [parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a credential object")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $credential,

        [parameter(Mandatory=$true)]
        [string]$netbios
    )

    # Basic auth over HTTPS; Invoke-RestMethod parses the XML body for us, the cast
    # just makes that explicit and fails fast on a non-XML response.
    [xml]$hostinfo = Invoke-RestMethod -Uri "https://qualysapi.qualys.com/msp/get_host_info.php?host_netbios=$netbios&general_info=1" -Credential $credential

    return $hostinfo
}
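As an added example (my code, not the author’s Test-QualysAuthentication and not from the POSH-Guard repository), here is what -Credential does on the wire for Basic authentication, written out by hand, together with a check that turns a rejected username/password into $false rather than a terminating error.  In Windows PowerShell, Invoke-RestMethod -Credential only sends the Basic header after the server answers 401 with a WWW-Authenticate challenge; building the header yourself sends it on the first request, at the cost of briefly holding the plaintext password in memory.  The function names and the demonstration credential are my own; the endpoint is the asset_group_list.php call from the Part 2 post above, chosen because it needs no extra query parameters.

```powershell
# Added example (not from the original post): hand-built Basic auth header and a
# credential probe that distinguishes "bad login" (401) from every other failure.
function New-BasicAuthHeader
{
    param ([Parameter(Mandatory = $true)][pscredential]$Credential)

    # HTTP Basic is base64("user:password"), nothing more: the encoding gives no
    # secrecy, so the request must only ever travel over HTTPS.
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($pair)
    return @{ Authorization = 'Basic ' + [Convert]::ToBase64String($bytes) }
}

function Test-QualysCredential
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)][pscredential]$Credential,

        # asset_group_list.php needs no extra query parameters, which makes it a
        # convenient "does this login work" probe.
        [string]$Uri = 'https://qualysapi.qualys.com/msp/asset_group_list.php'
    )

    if (-not $Uri.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase))
    {
        throw "Refusing to send Basic credentials over a non-HTTPS URI: $Uri"
    }

    try
    {
        $null = Invoke-RestMethod -Uri $Uri -Headers (New-BasicAuthHeader -Credential $Credential)
        return $true
    }
    catch
    {
        # Windows PowerShell surfaces a WebException, PowerShell 7 an
        # HttpResponseException; both expose the response and its status code.
        $response = $_.Exception.Response
        if ($response -and [int]$response.StatusCode -eq 401)
        {
            Write-Verbose 'Qualys rejected the username/password (HTTP 401)'
            return $false
        }
        throw   # DNS, TLS, proxy or 5xx problems are real errors, not "bad credentials"
    }
}

# Constructed credential for demonstration only; not a real account.
$demoPassword = ConvertTo-SecureString 'not-a-real-password' -AsPlainText -Force
$demo = New-Object System.Management.Automation.PSCredential ('acme_jr', $demoPassword)
(New-BasicAuthHeader -Credential $demo).Authorization   # the header -Credential would send
# Test-QualysCredential -Credential (Get-Credential) -Verbose   # live check against Qualys
```

The https:// check is the important line: because Basic carries the password in a reversible encoding, a URI typo that drops the “s” would hand the Qualys login to anyone on the path, and nothing in Invoke-RestMethod stops that for you.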

PhishReporter: PowerShell Module

If you work in the Info Sec world you know that phishing is a pain in the neck, especially when you’ve been targeted by a large phishing campaign.  I’ve been through these massive phishing attacks, and it is not fun!

One such attack, about a year ago, was especially difficult because the attackers were using very unique tactics and spoofing lots of internal e-mail communications.

Our procedure was to go and find the company that was hosting these phishing URLs and e-mail them to tell them to shut the site down immediately.  Hosting companies like weebly.com, jimdo.com, webs.com, etc. were pretty good at shutting these sites down as soon as they were put online, but this process would take about 5 to 10 minutes and sucked!

Since this last attack, I decided to automate this process.  This new script/tool is a PowerShell Module called PhishReporter.

The PowerShell module can be downloaded on GitHub: https://github.com/MSAdministrator/PhishReporter

This PowerShell Module is designed to send notifications to hosting companies that host phishing URLs by utilizing the major WHOIS/RDAP Abuse Point of Contact (POC) information.

  1. The function takes in a .msg file and extracts the links (the phishing URLs) from the phishing email.
  2. Each phishing URL’s hostname is then resolved to its IP address.
  3. Once the IP address of the hosting site is identified, we check which WHOIS/RDAP registry to search.
  4. Each major WHOIS/RDAP registry is represented: ARIN, APNIC, AFRINIC, LACNIC, & RIPE.
  5. We call the specific WHOIS/RDAP API to determine the Abuse POC.
  6. Once we have the POC, we send them an email telling them to shut the website down. This email contains the original email as an attachment, the original phishing link, and an e-mail body telling them to remove the website.
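For step 5, here is an added example (my code, not code from the PhishReporter module) of pulling the abuse point of contact out of an RDAP IP response.  RDAP (RFC 9083) returns JSON in which contacts are “entities” carrying a “roles” list and a jCard in “vcardArray”; the abuse entity is often nested under the registrant rather than sitting at the top level, so the walk has to be recursive.  The JSON below is constructed to look like a registry response and is not real registry data (203.0.113.0/24 and example.net are documentation values); the function name is my own.  Picking which registry (ARIN, APNIC, AFRINIC, LACNIC or RIPE) to query, steps 3 and 4, is left out here.

```powershell
# Added example (not from the PhishReporter module): extract abuse contacts
# from an RDAP IP response (RFC 9083 JSON) that has already been parsed with
# ConvertFrom-Json.
function Get-RdapAbuseContact
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        $RdapObject          # result of ConvertFrom-Json on an RDAP IP response
    )

    # Depth-first walk of the entity tree, yielding every entity tagged "abuse".
    function Find-AbuseEntity ($Node)
    {
        foreach ($entity in @($Node.entities))
        {
            if ($null -eq $entity) { continue }
            if (@($entity.roles) -contains 'abuse') { $entity }
            Find-AbuseEntity $entity
        }
    }

    foreach ($entity in Find-AbuseEntity $RdapObject)
    {
        # vcardArray = ["vcard", [ [name, params, type, value], ... ]]
        $props  = $entity.vcardArray[1]
        $emails = @($props | Where-Object { $_[0] -eq 'email' } | ForEach-Object { $_[3] })
        $fn     = $props | Where-Object { $_[0] -eq 'fn' } | ForEach-Object { $_[3] } | Select-Object -First 1

        [PSCustomObject]@{
            Handle = $entity.handle
            Name   = $fn
            Email  = $emails
        }
    }
}

# Constructed RDAP-style response for 203.0.113.0/24 (documentation range), not real data.
$sampleRdap = @'
{
  "objectClassName": "ip network",
  "handle": "NET-203-0-113-0-1",
  "startAddress": "203.0.113.0",
  "endAddress": "203.0.113.255",
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "EXAMPLE-HOSTING",
      "roles": ["registrant"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "Example Hosting LLC"]
      ]],
      "entities": [
        {
          "objectClassName": "entity",
          "handle": "ABUSE-EXAMPLE",
          "roles": ["abuse"],
          "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example Hosting Abuse Desk"],
            ["email", {}, "text", "abuse@example.net"]
          ]]
        }
      ]
    },
    {
      "objectClassName": "entity",
      "handle": "TECH-EXAMPLE",
      "roles": ["technical"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["email", {}, "text", "noc@example.net"]
      ]]
    }
  ]
}
'@

Get-RdapAbuseContact -RdapObject ($sampleRdap | ConvertFrom-Json)
```

Only the nested ABUSE-EXAMPLE entity is returned; the top-level technical contact is deliberately ignored, because mailing the NOC instead of the abuse desk is the usual reason takedown requests go unanswered.  Treat the returned address as untrusted input if it feeds an automated mailer: it came from a third party’s registry record.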

This Module came out of necessity. I was sick of trying to contact these individual sites, so I began automating our response to these events.

The next steps for this project are to fully integrate into Outlook and automate this even further by enabling a simple text search or based on a selected ‘folder’ event. Please share with the Security community and contribute/improve as you deem fit. I only ask that you share your edits back with this project.