Quickpost: Encrypting Azure Virtual Machine using BitLocker

Here are the steps required to encrypt the disk of an Azure Virtual Machine. This is a very high-level overview of the process, and I do recommend reading the full guide: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption#run-the-azure-disk-encryption-prerequisites-powershell-command Open the Azure portal and navigate to the virtual machine (Windows 2008 R2 and above) you want to encrypt and then…


Chasing Adversaries with Autoruns – evading techniques and countermeasures

Abstract: Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence points. There are similar programs, but as the author of Autoruns says: “(Autoruns) has the most comprehensive knowledge of auto-starting locations”, therefore the focus here is on Autoruns. In the last weeks, a couple of security researchers (Kyle…


Securing remote connections

Consider the following scenario: a standard user was tricked into running malicious code and their device was compromised. Typically, standard users do not have high privileges, so the next thing for the attackers is getting their hands on privileged accounts. How? They can delete an important file required by Office or by slowing down…


Locking up Your BitLocker

Hello, today I want to talk about securing your BitLocker-enabled devices against a common attack vector: Direct Memory Access/side-channel attacks. BitLocker quick overview: First, a little primer on how BitLocker works is in order. The Trusted Platform Module (TPM) is a hardware security device that stores a master key, or Storage Root Key (SRK), and…


Duck and cover or how AtomBombing is really unnecessarily alarmism

The so-called AtomBombing code injection technique discovered by Tal Liberman seems to have been getting a lot of attention recently. Websites like The Hacker News describe the issue as: “no existing anti-malware tools can detect” and “…What’s worse? The company said all versions of the Windows operating system, including Microsoft’s newest Windows 10, were affected. And what’s even worse? There…


Sysinternals Sysmon unleashed

Introduction: Warning: This post recommends Sysmon monitoring policy implementations that are not official Microsoft recommendations. Readers are encouraged to review and test all policy recommendations prior to their implementation in a production environment. Sysmon from Sysinternals is a very powerful host-level tracing tool, which can assist you in detecting advanced threats on your network. In…


Process Monitor for Dynamic Malware Analysis

Sysinternals Process Monitor is a powerful tool for investigating and troubleshooting application issues, as well as for malware forensics and analysis tasks. Process Monitor lets you ‘peek under the hood’: it displays file, registry, network and image-loading activity in real time, and all of the output can be exported to an external file for later viewing. The…


Get VirusTotal Report using PowerShell

VirusTotal is a free online scanning service for viruses, malware and URLs. File checking is done with more than 50 antivirus solutions. Using this script you can query the VirusTotal service from PowerShell by file name or by hash, and get a detailed report about the file. Written by Moti Bani – mobani@microsoft.com – (http://blogs.technet.com/b/motiba/) with script portions copied…


How to reset the password in Windows on Azure ARM based VM?

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. For classic machines you can easily reset the password using the portal or PowerShell; however, these options are not yet available for virtual machines created by Resource Manager. You can still reset the password by using…


Five rules for a successful boot trace

Many words have been spoken about Slow Boot and Slow Login analysis, but today I want to focus on some rules that will help you capture a good boot trace. Reduce the human factor: Because the trace is taken all the way until the user has logged in, we need to log in as quickly as possible…