PowerShell: Malware detection and tracking of new autoruns

Old Project realized. A month ago I reinstalled one of my PCs and thought of a project I started but never finished many years ago. It was when I found out about autorunsc.exe, one of the many awesome tools from the Sysinternals suite and its creator Mark Russinovich, that I thought of an idea…


Port Mirroring for Advanced Threat Analytics

The main data source used by ATA is deep packet inspection of the network traffic to and from your domain controllers. For ATA to see the network traffic, port mirroring needs to be configured. Port mirroring copies the traffic on one port, known as the source port, to another port, known as the destination port…


SCOM tuning: the video

Thanks to Jonas Lenntun from Approved Consulting AB http://www.approved.se/ in Sweden, you can now watch the recorded version of my presentation at the SCOM Days in Göteborg. It's a 45-minute presentation about the best practices in tuning your Operations Manager environment and your management packs. Enjoy! https://youtu.be/GgLkscRz6oo And there's more coming soon – Watch…

Prevent Lateral Movement With Local Accounts

What is Lateral Movement? Lateral movement is an activity used when an attacker is scavenging a network for credentials, typically used in a Pass-the-Hash scenario. From Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.pdf: "In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another…


Access denied on C:, even though you have given the user Full Control

Overview. One of my customers was in the process of migrating away from Windows XP. As a part of this work, the customer was verifying application compatibility. During the testing of applications, they discovered that 2 applications that are business critical for the customer were having issues with file creation. These issues are counted as…


Get location of Hyper-V Virtual Machines with Powershell

Sometimes you may want to re-install your system or replace a disk where you have installed Hyper-V. In that situation you had better keep track of your VMs' files. Here's a one-liner to list the location of the VM files: get-vm * | sort-object | ft -auto Name,path,configurationlocation,snapshotfilelocation,@{L="Disks";E={$_.harddrives.path}}


Effective Rights – What can users do?

I guess I'm not the only one who has been sitting and wondering .. Hmm.. What permissions do these users actually have in Active Directory? I can see a lot of groups in the access control list, but how do I relate that to a certain user? Ok, we have the Effective Rights tab under…


Take Control Over AD Permissions and the AD ACL Scanner Tool

What is the state of your delegation? Do you have a documented and recent report of the permissions in your Active Directory? Have you granted permissions on the relevant OUs in the past and left them like that ever since? Maybe it's time to take a look again to see what's actually delegated in Active Directory?…

How to get DRM protected E-Books to be able to be read on a Windows 8 RT device

During the evening yesterday my daughter wanted to read some E-books on her new Windows RT slate. She wanted to borrow an E-book from our local library in Sweden. I was expecting this to be an easy task and gladly tried to find a download link for Windows RT on the library homepage. I found…


Do You Allow Blank Passwords In Your Domain?

Do you, or did you back in the day, use your own code or a third-party tool to create user accounts that did not update the userAccountControl attribute after the account was created? Well, then there's a chance you have accounts in your domain that are allowed blank passwords, or even worse, have…