Detecting Emotet using Windows Event Logs
Emotet is a trojan malware that steals sensitive information. Many companies are concerned that their users will get infected by this malware and might leak sensitive information.
A customer I’m currently helping with their Security Operations Center (SOC) asked me how they can detect Emotet in their environment.
Here’s what I came up with – maybe it helps you detect Emotet or similar malware in your environment, too! (more…)
EventList – the Baseline Event Analyzer
When it comes to securing Windows systems, it doesn’t matter whether you harden a Domain Controller, a server or a client – one thing they all have in common:
Microsoft provides baselines that specify which security settings should be applied to each system.
Among other things, these baselines include audit recommendations.
I often work with customers who just started building their Security Operations Center (SOC). Many customers are confused by the variety of Windows Events: which events should be monitored? Which events will be generated when a specific baseline is applied?
Writing down each event and its monitoring recommendations by hand would be a huge effort. That’s why I automated it and created EventList – I hope it helps you, too! (more…)
Securing your infrastructure with Just Enough Administration
I gave a talk about Just Enough Administration (JEA) at PSConfEU 2018 in Hannover, and I also want to share my thoughts with you in this blog post.
My PSConfEU presentation and demo code can be found on GitHub. The recording of the session will be released soon on the official PSConfEU YouTube channel (I will update this link once the recording of my session is released). (more…)
Stop using LAN Manager and NTLMv1!
When performing security checks in customer environments, I often find that LAN Manager or NTLMv1 is still allowed. Most customers don’t know that this setting leaves the environment highly vulnerable to attacks targeting their authentication methods.
In this article you will read why you should not use LAN Manager and NTLMv1 anymore. (more…)
myDeckWishlist – Magic the Gathering
Magic the Gathering, played with real cards, can be a very expensive hobby: if you want to buy cards for a new deck, you often have to wait some months to get all the cards you need.
If you already own other cards that fit your deck, you may also want to play them instead until you can afford the more expensive cards. (more…)
Hakin9 – How to become a hacker
For all of you who ever wondered how to become a hacker: Hakin9 interviewed a few people, including me, about how to become a hacker. (more…)
Video Tutorial: XSS – Cross Site Scripting
Cross Site Scripting is the consequence of a vulnerability in websites or client software. It allows an attacker to inject their own malicious code.
It is used either to trick the user into believing that the injected code is part of the website, or to run scripts that are not distributed by the website itself.
Do you know the difference between a DOM-based, a non-persistent and a persistent attack? (more…)
Thank you: Over 100 YouTube Subscribers!
To get your individual YouTube channel name, your channel needs to have at least 100 followers.
Man, I was longing for my own channel name…
Finally this weekend I reached this goal: I got my 100th subscriber!
You can now find my YouTube channel here:
Thanks to all of you who helped me get my new channel URL, and see you in the next video!
Exchange: Hide Disabled Users from the Global Address List (GAL)
When a user leaves the company, the Exchange mailbox is often deleted and the user account is disabled.
This way, the former employee cannot access corporate data, but he still appears in the Global Address List (GAL) for internal staff. He can still be selected in the address book and is also still visible in the team calendar.
The reason is that the account still exists in Active Directory and its attribute msExchHideFromAddressLists has no value. If this attribute is set to TRUE, the user disappears from the Global Address List and from certain calendar groups.
To ease the work with disabled users, you can use the following PowerShell cmdlets. (more…)