Detecting Emotet using Windows Event Logs


Emotet is a Trojan that steals sensitive information. Many companies are concerned that their users will get infected by this malware and leak sensitive information.

A customer I’m currently helping with their Security Operations Center (SOC) asked me how they can detect Emotet in their environment.

Here’s what I came up with – maybe it helps you detect Emotet or similar malware in your environment, too!

EventList – the Baseline Event Analyzer

When it comes to securing Windows systems, it doesn’t matter whether you harden a Domain Controller, a server or a client – they all have one thing in common: Microsoft provides baselines that specify which security settings should be applied to each system.

Among other things, these baselines include audit recommendations.

I often work with customers who just started building their Security Operations Center (SOC). Many customers are confused by the variety of Windows Events: which events should be monitored? Which events will be generated when a specific baseline is applied?

Writing down each event and its monitoring recommendation by hand would be a huge effort. That’s why I automated it and created EventList – I hope it helps you, too!

Securing your infrastructure with Just Enough Administration

I gave a talk about Just Enough Administration (JEA) at PSConfEU 2018 in Hannover, and I also want to share my thoughts with you in this blog post.

My PSConfEU presentation and demo code can be found on GitHub. The recording of the session will be released soon on the official PSConfEU YouTube channel (I will update this link once the recording of my session is released).

Stop using Lan Manager and NTLMv1!

When performing security checks in customer environments, I often find that LAN Manager or NTLMv1 is still allowed. Most customers don’t know that this setting leaves the environment highly vulnerable to attacks targeting their authentication methods.

In this article you will read why you should no longer use LAN Manager and NTLMv1.

Simplified Administration with WMI Filters

When you link Group Policies, you can assign them to specific organizational units (OUs) or sites.

But some Group Policies should only be applied to a specific operating system. Client versions sometimes differ, and different settings have to be configured for them.

How can you solve this challenge without creating an OU for every system type?

In this article, you will learn how to simplify administration with WMI filters.

Exchange: Hide Disabled Users from the Global Address List (GAL)

When a user leaves the company, the Exchange mailbox is often deleted and the user account is disabled.

In this way, the former employee cannot access corporate data, but he still appears in the Global Address List (GAL) for internal staff. He can still be selected in the address book and is also still visible in the team calendar.

The reason is that the account still exists in Active Directory and its msExchHideFromAddressLists attribute contains no value. If this attribute is set to TRUE, the user disappears from the Global Address List and from certain calendar groups.

To make working with disabled users easier, you can use the following PowerShell cmdlets.

Exchange: Hide Disabled Users from the Global Address List (GAL)

When a user leaves the company, the Exchange mailbox is often deleted and the user account is disabled.

As a result, the former user can no longer access company data, but he is still shown to internal staff in the Global Address List (GAL). He can still be selected in the address book and is visible in the team calendar.

This is because the account still exists and the msExchHideFromAddressLists attribute contains no value.
If the attribute is set to TRUE, the user is shown neither in the Global Address List nor in calendar groups.

The PowerShell cmdlets described here make working with disabled users easier.

Registry Hacking against Sysprep Errors

NOTE: This article is meant for system administrators only. DO NOT CHANGE YOUR REGISTRY if you administer your PRIVATE PC!

If you create images and run Sysprep, it can sometimes happen that the following error message is displayed after the computer restarts:

The computer restarted unexpectedly or encountered an unexpected error. Windows installation can not proceed. To install windows click "OK" to restart the computer, and then restart the installation.

From then on, the error message appears every time you restart the system and prevents Windows from starting properly. But you have already prepared the system for image creation, so you don’t want to reinstall it.

In this article I will show you how to save your image without reinstalling the system.