Locking up Your BitLocker

Hello, today I want to talk about securing your BitLocker-enabled devices against a common attack vector: Direct Memory Access (DMA) and side-channel attacks. BitLocker quick overview: first, a little primer on how BitLocker works is in order. The Trusted Platform Module (TPM) is a hardware security device that stores a master key, or Storage Root Key (SRK), and…

Duck and cover or how AtomBombing is really unnecessarily alarmism

The so-called AtomBombing code injection technique discovered by Tal Liberman seems to be getting a lot of attention recently. Websites like thehackernews describe the issue as: “no existing anti-malware tools can detect” and “…What’s worse? The company said all versions of Windows operating system, including Microsoft’s newest Windows 10, were affected. And what’s even worse? There…

Sysinternals Sysmon unleashed

Introduction. Warning: This post recommends Sysmon monitoring policy implementations that are not official Microsoft recommendations. Readers are encouraged to review and test all policy recommendations prior to their implementation in a production environment. Sysmon from Sysinternals is a very powerful host-level tracing tool, which can assist you in detecting advanced threats on your network. In…

Process Monitor for Dynamic Malware Analysis

Sysinternals Process Monitor is a powerful tool for investigating and troubleshooting application issues, as well as malware forensics and analysis tasks. Process Monitor lets you ‘peek under the hood’: display file, registry, network and image-loading activity in real time; all of the output can be exported to an external file for later viewing. The…

Get VirusTotal Report using PowerShell

VirusTotal is a free virus, malware and URL online scanning service. Files are checked with more than 50 antivirus solutions. Using this script you can query the VirusTotal service from PowerShell by file name or by hash, and get a detailed report about the file. Written by Moti Bani – mobani@microsoft.com – (http://blogs.technet.com/b/motiba/) with script portions copied…

How to reset the password in Windows on Azure ARM based VM?

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. For classic machines you can easily reset the password using the portal or PowerShell; however, these options are not yet available for virtual machines created by Resource Manager. You can still reset the password by using…

Five rules for a successful boot trace

Many words have been spoken about Slow Boot and Slow Login analysis, but today I want to focus on some rules that will help you capture a good boot trace. Reduce the human factor: because the trace runs all the way until the user has logged in, we need to log in as quickly as possible….

List of SVCHOST related hotfixes for Windows 7, Windows 8, Windows Server 2012 and Windows Server 2012 R2

Notes: You should always check http://support.microsoft.com for the latest version of the different files. Carefully review the list and decide which might be applicable to your unique environment. Hotfixes must be tested on a representative non-production environment prior to being deployed to production; this will help to gauge the impact of such changes. Symptom Description…

Page File – The definitive guide

Hello! Today I will share with you my best practices for configuring the paging file in Windows Server 2008 and 2012. The paging file seems to be a very popular subject, as we get questions about it all the time. Many customers configure the paging file incorrectly, based on outdated rules of thumb that no longer apply…

Hello World

Hello everyone. I’m Moti Bani, and I’ve been working in the IT industry for over 15 years, the last 6 at Microsoft as a Senior Premier Field Engineer. Currently I’m a Windows Server and Windows Client Premier Field Engineer (PFE). As the name implies, this blog is focused on Windows performance, security, troubleshooting and related issues.