DOWST.DEV

has been many months in the making. Actually, if I'll be perfectly honest... it's truly been a lifetime in the making.

Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

build on. It's not about doing wonderful things, it's about basics.

undesired effects, including remote code execution. We will also see that widely used solutions, like PowerShell Remoting and PowerShell Direct (Hyper-V), rely on such deserialization and could make you vulnerable to this kind of attack.

(2022-09-13) A quick post - I just published a new script for retrieving activity log events for an Azure subscription as the current options for searching and retrieving events didn't satisfy me.

that's considered the crown jewels. This is due to Active Directory still being the bread and butter for most organizations in regard to authentication and authorization. When it comes to security, automation is your best friend and keeping a close eye on privileged group membership should be on top of your list. This post will walk you through, how you can make sure no unwelcome objects make their way into privileged groups in on-premises AD, by leveraging Microsoft Sentinel and its option to run playbooks automated. This breaks down to Microsoft Sentinel generating an alert, which triggers the associated Playbook, which triggers a Logic app, which triggers a Runbook in an Automation Account, which ultimately runs a PowerShell script on an on-premises server.

Task Scheduler to run my Powershell scripts.

leverages the SSLabs API to test websites from the command line. Clem walks through why he is using the various settings that he added to his script. This is an excellent example of how API's can be leveraged to automate a task and query for certain suspect security settings.

kind of strange of relying on a third party closed service to generate and send passwords to clients. You're not 100% in control and often it misses some form of functionality like a password generator or somesuch.

deploy the Secure Defaults centrally, so I figured I would try to help with this.

course just one part of the new beta Secure Score module. The next one is actually the more fun part; applying the correct security settings to a tenant.

may be used by legitimate programs as well as malware to achieve persistence

Allows managing and monitoring the security posture of your resources.

conduct basic enumeration for the windows system. The machine is part of tryhackme room: hacking with powershell

and introduced port scanning and pattern matching. This video is part of TryHackMe OSCP Pathway - room: Hacking with Powershell.

security-related functions and serves as a secure root of trust for a computing system. It is a microcontroller that is integrated into a computer's motherboard or added as a discrete component.

what's changed and started browsing and comparing the various settings via the admin portal. Then I realized how that's not very optimal, and began looking for alternatives. I eventually got myself into trying something new, and went on to compare the Security Baselines Profiles using Powershell and the Microsoft Graph. The result of that journey is this post.

the reduction of the attack surface, which hardens applications such as Office, browsers, and Adobe Reader. The feature is not active by default and can be configured via group policies or PowerShell.

the protocols that facilitates this exchange is the Server Message Block (SMB), used predominantly in Windows environments. While SMB offers convenient file and printer sharing capabilities, it's essential to delve into one of its potential security pitfalls - unencrypted SMB [...]

keep these steps up to date but the module is still under development so the steps required to get set up could change at any time.

worry about the deep distracted deep reading needed in a slew of other CVE and parse relevant details to only their versions.

lists of passwords and then uploaded the code to Reddit. I received a lot of great critique on the code and even got some bugs pointed out. I decided to make it a challenge for myself and see if I could use the input from the good Reddit people and make the code better.

collection sensitive authentication information from individuals or systems. The goal of credential harvesting is to obtain usernames, passwords, or other authentication tokens that allow access to protected resources. This post will cover a variety of different credential harvesting techniques, how to leverage those techniques using SpecterInsight, and how to view the data in Kibana.

Administrators group on their Intune devices, and... That's where Custom Compliance policies come in 🙂 In this blog post, I will show you how to automatically check the Administrators group and mark the device as non-compliant if needed.

practical example:

Temporary Access Password and TAP is actually pretty cool, especially for MSPs deploying loads of devices. The TAP is a generated password th at has a maximum amount of uses...

prompting the user for logon credentials at boot time. Windows retrieves login account information from the registry, specifically three registry values: DefaultPassword,DefaultUserName,sDefaultDomainName. Anyone who has physical access to the computer can access the computer's contents, programs, and files, as well

access tools that are installed on a computer, and list the possible access URLs; that way he could easily document which access methods are open and audit them once in a while to see if he...

lot more questions about documenting Secure Score with the Secure Application model.

Server 2008. Like other Microsoft products, it also suffers from certain glitches, but many people around the globe rely on BitLocker Drive Encryption (BDE) to protect their data at rest.

by effectively creating a copy of them - that's what happens when you create a rule from a template.

Sign-in allows you to sign in using your M365 credentials and multifactor authentication token, or using a Azure AD Temporary Access Pass. Web-Sign in is pretty cool as users get presented with a modern authentication pop-up dialog when signing in, the same one they are used to seeing when logging into the Office suite applications.

boredom. Four months have passed, and I decided to share it with the world, as it may be helpful to some of you. Today I would like to introduce you to PSPGP - PowerShell module that provides PGP functionality in PowerShell.

information such as passwords with PowerShell. It is specifically for the encryption in transit and encryption at rest scenarios, where, for example, you may be sending data to a backend service and securely storing it in that service.

takes any text and encrypts it automatically, no password needed. Instead of a password, it uses either your user account and machine, or just your machine as a secret.

you can safely encrypt text on a machine. Now let's take a look at the decrypting part.

actors to exploit. As a result, it is crucial for organizations to start Enhancing PowerShell Telemetry to detect and respond to potential threats if they have not already done so. By utilizing PowerShell telemetry tools and log sources, organizations can enhance their

you are all set by then. Make sure to go through all your accounts, especially those old ones that you rarely ever touch, and see if you still need it or what is the best way

of 4 blog posts is meant to supplement the talk and provide additional technical details. In this article, part 3 of the series, I describe a chain of 3 vulnerabilities that led to remote code exec

Hammond. Recorded in person in Utah, we delve into John's unique insights on PowerShell and its role in cybersecurity. John shares his experiences with PowerShell attacks, discussing how it's used in various malware and the importance of implementing security features like constrained language mode and script block logging. He highlights practical tips for making PowerShell environments more secure and emphasizes the need for continuous learning and experimenting within safe environments. We also explore how to transition into security-focused roles, with John providing valuable advice for those looking to combine their PowerShell skills with a career in cybersecurity.

collaboration in Office 365. While allowing collaboration with external users can enhance productivity, it also introduces security risks.

specific recommendations which may not be relevant to you. By navigating to the ASC's default initiative in the Azure Policy blade, you can disable a recommendation:

could have a very bad day. Recently, we uncovered one artifact that we would like to break down and showcase. We will get "into the wee ds" here and really deep-dive on the technical details, so put on your ear protection and let's walk down range...

coding aspects.

so it will be a matter of calling one PowerShell function

execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as shown below. But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query.

one of the most common occurrences happens to be that users somehow don't get their tokens setup completely, and need to retrieve these again.

out, the 1E PowerShell module exists called the PSTachyonToolkit that lets you leverage the power of Tachyon PowerShell!

actor who has targeted at least 69 entities.

created to simplify the hardening of Windows. Now, HardeningKitty supports guidelines from Microsoft, CIS Benchmarks, DoD STIG and BSI SiSyPHuS Win10. And of course my own hardening list.

tutorial is for you. In this tutorial, you're going to learn, step-by-step, how to configure VS code to connect over SSH via key exchange for both a user with sudo rights (homelab in this guide) and the built in root user.

interesting to provide to all users, who are already familiar with it, a method to export all keys, certs and secrets stored in it once via Powershell.

backdoor on a box we're investigating . The box does not have any extra installed software such as sysinternals its just a basic windows image . This has lead me to wondering if there is a good way to detect process injection such as DLL hijacking or PE injection with native commands . Links to any resources or scripts is greatly appreciated .

gsudo and take control of your system!

your organizations, you're in luck. Managing NTFS permissions using a GUI is time-consuming especially when working with many users or groups. Luckily, we have PowerShell to make it all better. How? The Microsoft.PowerShell.Security module.

discuss why organizations should care about malicious PowerShell activity, how attackers use PowerShell to steal credentials (e.g., Mimikatz), and how to prevent and detect malicious PowerShell activity.

discuss why organizations should care about malicious PowerShell activity, how attackers use PowerShell to steal credentials (e.g., Mimikatz), and how to prevent and detect malicious PowerShell activity.

permissions that hackers like to exploit. This article explains how to use PowerShell to detect apps with high-priority permissions and report them to administrators for review.

the MS Defender Powershell module and wrote a helper function to scan on-demand a file using mpcmd.exe.

to organizational networks. Singular purpose devices made available through the Internet of Things (IoT) offering has increased network complexity even further with the ease of adding said devices to the network and sometimes without the knowledge of a system administrator. Hence the following received question: "How do I ensure all the appropriate ports are closed with all these devices being added to my network?"

Anti-Virus runtime solution installed is working as expected.

offers you more features and options than every other desktop operating system. Microsoft also provides users a free antivirus tool known as Microsoft Defender Antivirus.

additional files the malware has introduced to the system.

PowerShell-based incident response framework called Kansa. Kansa uses PowerShell Remoting to run user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline. This framework can be run across a single host, or even tens of thousands of hosts.

throughout.

Backdoors. This was part of TryHackMe Investigating Windows 2.0 lab.

novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason.

vulnerability as it freezes some models of hard drives on older computers. [...]

changes associated with CVE-2023-24932 - Microsoft Support TLDR: GitHub: garytown/ConfigMgr/Baselines/CVE-2023-24932 Disclaimer: Before continuing, I've created all of this in a very short time with VERY LITTLE testing, so please, as with anything you're pulling from the internet, inspect and test before using

in KeePass, perhaps to run a script, 2) inject a password stored in KeePass into that PowerShell.exe process as a variable, such as for a secure string or a PSCredential object, but 3) you cannot expose the password as a command-line argument or other plaintext channel when launching PowerShell.exe because it could be logged or captured. This article will show you how to do it.

session with customers that highlighted a problem.  If any of us change the local admin password of the servers or redeploys the environment with a password of their own.  We no longer can access it without contacting the group and request the new password....

wherever they may be

started popping up. Errors that didn't really point to a security problem.

attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.

options available to manage, protect and monitor endpoints. I was not surprised a few months ago when I needed to implement a monitoring check for Nagios that there was a dedicated PowerShell module that did exactly what I needed.

actors to perform typosquatting attacks, spoof popular packages and potentially lay the ground for massive supply chain attacks.

and Teams, providing comprehensive data governance, compliance, and protection capabilities across these platforms. One of the standout components of this suite is the Audit Search Graph API, which is currently in public preview. It allows developers and administrators retrieve detailed audit logs programmatically, providing deep insights into user activities across Microsoft services. In this blog, I will explore the full potential of the Microsoft Purview Audit Search Graph API and demonstrate how to use the API through both PowerShell and HTTP methods.

shows how it's now detected. IEX now appears to have a new Fully Qualified Error ID.

this script we're trying to get all the files that could suffer from the Log4J issue in CVE-2021-44228.

pain points in our current stack is the monitoring of anti-virus, we often felt like there is not enough transparency and data returned via our RMM system. Either the system does not return the current state of alerts or forces us to use separate portals.

Access Management tool that will be living in your Azure environment, mostly designed for MSPs. If you want to see how AzPam looks or contribute, check out the Github page about it here. I should be pretty close to releasing an alpha version soon!

should always assume breach. The attack will come and it can strike from any direction - the Internet, on-prem, BYOD, etc. The first thing an organisation experiences after the fact is often confusion, fear, and panic. Not the best mix of feelings to have while trying to sort things out! Most organisations don't have a clear plan of what to do next.

alongside JEA to setup secure functions for non privileged users or services like SQL jobs or scheduled tasks, which has to use alternate credentials.

advice, instead of just how to work around it. Definitely worth a read.

PowerShell campaign that employs several advanced techniques to infiltrate networks, maintain persistence, and enable covert communications.

someone can get access to your systems. We talked about how he started his journey into ethical hacking, and the support he got when he submitted for hak5.

recommending system administrators to use PowerShell to prevent and detect malicious activity on Windows machines.

Director for a Managed Services Provider (MSP). From exploring the pitfalls of NTLM and discussing alternatives to learning the ins and outs of Jupyter and .NET interactive notebooks, we cover it all. We also compare major cloud providers and uncover untapped security features in Office 365 that you could be leveraging right now. Join us for an insightful conversation packed with valuable information and actionable advice for IT professionals navigating the ever-changing landscape of the industry.

different places that this damn protocol needs to be killed depending on the OS. It's still a work in progress (needs testing and error handling) but in case it's useful feel free to use it

manipulating them into executing a malicious PowerShell script.

created the module because I wanted to be able to:

GUID (AAGUID) during registration. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model. Passkey providers on desktop and mobile devices are also expected to provide an AAGUID during registration.

always feels like a weak link in the security chain. I love running code as multiple accounts (my team probably has 75+ AD accounts we own), but hate everything else we have to do with those accounts.

and generates nicely viewable reports in HTML format by highlighting the spots that require attention. The script manipulates user data using facts collected with benchmark values.

tenant. The flexibility of Conditional Access means it can fit most organizational and security requirements easily. However, as with most things in technology, with flexibility there often comes complexity.

erase all the secrets, keys, and certificates in it.

product, and more.

automation? Isn't PowerShell just another command shell? No! Attend this talk by SANS Faculty Fellow Jason Fossen to see what PowerShell really is, how it's being used (and abused) today, and future trends.

an exciting announcement of PowerShelldle, a community tip, and a deep dive into my own PowerShell journey in response to a viewer question. The main segment is a fascinating conversation with Spencer Alessi, where we delve into the world of PowerShell and pentesting. Spencer generously shares the tools he would use as a sysadmin pentesting his own environment, including PowerSploit, PingCastle, Bloodhound, LockSmith, and ADeleg. He provides invaluable tips for PowerShell enthusiasts looking to transition into security and pentesting, shedding light on the current and emerging trends in the security landscape. Spencer also gives us insights into the role that PowerShell plays in his role as a pentester. Get ready for a riveting episode filled with tips, tools, and trends in the world of PowerShell and security.

when authenticating to an SFTP server.

security! Whether you're a red or blue teamer, you'll gain a deep understanding of PowerShell's security capabilities and how to use them.

PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

our esteemed guest, Fred Weinmann. We explore the strengths and weaknesses of VS Code and the ISE, as well as discuss crucial topics like script block logging, Windows Event Forwarding, and the importance of code signing. Fred also gives us a sneak peek of his PSConfEU topics, highlighting JEA and parameter binding while providing valuable insights on the dos and don'ts of PS Remoting. Security aficionados won't want to miss our discussion on the biggest threats to PowerShell security and PowerShell profiles. Lastly, we catch up with Fred on his latest projects and developments in the PowerShell world. Don't miss this opportunity to learn and laugh with us!

line and terminal in Linux. They now seem to understand the strengths and advantages of the command line, and as a response, introduced the Windows PowerShell.

behavior is the same for the PowerShell attack. The following post focuses on PowerShell obfuscation and how to monitor with Microsoft Sentinel.

simply search copy and paste secret. The problem with navigating a GUI every day is that it's time consuming, and there's room for improvement, especially if you enjoy delving into some PowerShell and/or always have a terminal open.

to develop a password generator which outputs an account name and the corresponding password and stores it in the clipboard.

your IT Org has N different resource groups where you want to activate every day. It would be time consuming to activate them one by one. Instead, you can build a custom app using PowerShell or UI so that you can activate to all of these resource groups in one shot.

changes associated with CVE-2023-24932 - Microsoft Support Related: Words of Warning Once you've applied the mitigations outlined in the KB, the device is difficult to work with when it comes to boot media / reimaging.

Basic commands Scipts (Ping-Play, Enumeration, Silent Installer) and more

PowerShell. I already wrote a couple of posts about it. First Look into the beta module 1-Introduction 2-Installation and first steps 3-Use secrets in scripts Recently i tested a Macbooc Air M1 and wanted to use the secrets i had on my main Windows machine. The approac was to simply generate a CSV-file from the secrets and import it on the Mac. As a reminder, lets summarize what Secrets Managemt Architecture is about. Secrets are stored in Vaults Secrets may occur in the form

Constrained Mode? Microsoft explains this as follows: The ConstrainedLanguage mode permits all cmdlets and [...]

mind. Authored by a seven year Office 365 MVP, this book will provide you with practical advice on how to use PowerShell to manage the Security and Compliance Center.

effort it takes to manage and configure Windows. But much like the blue shell in Mario Kart, it can also wreak havoc when it's used as an attack mechanism. It has access to things like file systems, registries, certificate stores, and a whole host of other sensitive data.

Logging ETW providers

viewing the metadata of Kubernetes secrets.

for a while without enforced consistency of your Role Based Access Control, you might want to explore your existing RBAC assignments at scale or query the permissions for a specific user.

the way.

heard about the recommendation to disable the legacy protocol NetBIOS in Windows. If this is news to you, there's some interesting reading for you in this article: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Sub-technique T1557.001 - Enterprise | MITRE ATT&CK NOTE: Before disabling anything, make sure you do your due diligence and monitor your environment for NetBIOS traffic, so you don't accidently break stuff!

PowerShell Gallery. Release 1.1.6 of the SailPoint IdentityNow PowerShell Module is the result of updates by Sean McGovern, Yannick Beot, David Minnelli and myself.

commands, script blocks, etc., that you have used. This can be very helpful if your computer or servers are hacked at your office. Or, if you just want to check things 😉 In this blog post, I will show you how to retrieve all those events locally and remotely and save those in an Excel sheet.

Enough Administration scenarios.

target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics.

PowerShell Gallery. Release 1.1.4 of the SailPoint IdentityNow PowerShell Module is the result of considerable effort by myself and Sean McGovern. Release 1.1.4's numerous updates comprise changes to cmdlets to account for changes to IdentityNow API authentication, four new cmdlets, cmdlet updates for API changes, bug-fixes and documentation updates..

spiffy new icon!

and SOAR (Security, Orchestration, Automation, and Response) product. Security is a constantly changing landscape, and Sabrina gives some tips on a successful test/deployment of Microsoft Sentinel to that you can get robots (AI) to help you think!

interconnected, safeguarding sensitive information such as API keys has never been more important. These keys grant access to valuable resources and services, making them targets for malicious actors if not adequately protected. Azure Key Vault offers a robust and secure solution for managing and storing API keys and other secrets. This article explores how you can leverage PowerShell Secrets Management with Azure Key Vault to ensure the security of your API keys.

up. We cover a lot of ground on security and PowerShell

and the cloud with David das Neves. From his beginnings as a developer to starting his own company, Shift Avenue, David shares the importance of addressing security misconfigurations, integrating security policies in the cloud, and the true meaning of DevOps. Additionally, we discuss tackling tech debt, embracing digital transformation, and David's commitment to sharing knowledge and fostering community growth. Join us for an inspiring chat packed with valuable insights.

security and harden PowerShell itself.

Graph API by PowerShell. But before doing this, I thought you should first need to know something about app registration in Azure Active Directory in this context. App registrations are really powerful, as you can raise any request if

then retrieve them from PowerShell.

running: Set-TlsConfiguration -EnableSecure -DisableInsecure Fortunately it IS that simple with the new PowerShell module TlsConfig

allows for passwords and secrets to be shared among users via Azure AD authentication and policies with the relatively inexpensive Azure Key Vault resource. While communications are always encrypted and stored securely when working with the Azure Key Vault, further security can be utilized to independantly encrypting the passwords before they are transmitted to Azure.

can exploit operating systems like Windows. Luckily, Windows logs OS security events to help you track down this behavior.

advance of Patch Tuesday; Sophos customers are protected

the interaction with the OS is done through the graphical interface although the underlying text-based interface still exists and is important to reach certain nooks and crannies that are not exposed graphically.

SharePoint Online site and Teams channel. At the time, I used a stored credential to authenticate and access SharePoint and Teams. Azure Key Vault offers another way to store secrets (bits of information) securely. This article explores how to store secrets in Azure Key Vault and retrieve and use the secrets in a runbook script and interactive PowerShell.

and tooltip for labels so that they appear in the language chosen by a user. Most people don't both because it's painfully slow to insert the translated strings for multiple languages. However, when you apply a mixture of PowerShell and the Microsoft Translator service, the task becomes so much easier.

PowerShell.

script. We dissect how each function of it works.

load and execute PowerShell commands within AutoIt scripts to evade detection. [...]

which will generate an output hash value in 256 bit. SHA-256 is designed by the National Security Agency (NSA). SHA-256 is one of the cryptographic hash functions. SHA-256 is also named one-way function where the generated hash value cannot be reversed theoretically. This makes SHA-256 very useful for password validation, challenge hash authentication, anti-tamper, digital signatures, X.509, SSL/TLS certificates etc.

years to reduce the attack surface on the Windows environment against viruses and spyware, and ransomware.

allows you to export security event logs to SQL Server Express, which Windows cleans from the system after a certain number of days. The tool enables you to create an offline Event Viewer for a specific computer.

focuses on enumerating different parts of a Windows machine to identify security weaknesses and point to components that need further hardening.

verify if the file, URL, domain name, or IP Address is trusted or not. Of course, it's not a silver bullet, but it brings tremendous value, and I often verify files I download before executing. Since I release a lot of new or updated PowerShell modules on a weekly/monthly basis, I thought it would be great to send newly released versions straight to Virus Total so I can have them checked before anyone executes them. I also hope to prevent false positives from some antivirus vendors that may tag my modules as malware because they haven't seen the DLL or PowerShell module in this form before. I've seen it happen to DBATools, so why not try and push my modules before users even use them?

need to secure that sensitive information! One way to do that is with the PowerShell SecretManagement module. Offering a convenient way for a user to store and retrieve secrets using PowerShell, the SecretManagement module also has the ability to interface with different back-end systems such as Azure KeyStore or KeePass too using an extension vault!