#customact | Explore Tumblr Posts and Blogs

ibarrau · 3 years

Text

Intro scripting C# en Power Bi con Tabular Editor

Algo que había esquivado por mucho tiempo es la posibilidad de escribir scripts contra Power Bi. Tal vez porque pensaba que NO ameritaba tanto para los medianos modelos con los que trabajo diariamente y probablemente ustedes estan pensando lo mismo.

Por un motivo u otro tuve que aplicarlo en un gran modelo que debía cambiar 160 medidas agregando en todas ellas una condición. La experiencia fue muy interesante hasta llevarme a replantear el usarlo aun en pequeños modelos.

Éste artículo mostrará algunas lineas de código en C# que nos ayudarán y definiciones de que podemos hacer.

Tabular Editor

Tabular Editor es una herramienta que le permite manipular y administrar fácilmente medidas, columnas calculadas, carpetas de visualización, perspectivas y traducciones en los modelos de Analysis Services Tabular y Power BI XMLA (desde el nivel de compatibilidad 1200 en adelante). Esto quiere decir que podemos hacer mucho más que lo que mostraremos en este post con la herramienta.

Scripts en C#

La herramienta nos brinda la posibilidad de ejecutar código C# que podemos utilizar de distintos modos para ayudarnos en la eficiencia de operaciones de DAX, como por ejemplo: Crear muchas medidas con un mismo patrón, modificar más de una medida al mismo tiempo, etc.

El script que hacemos puede correr de distintos modos según lo deseamos. Entonces lo primero que necesitamos entender son dos sentencias:

Model: representa el modelo actual conectado. Corre nuestro script contra todo el modelo.

Selected: refleja la operación para la selección actual que tengamos sobre los componentes de la UI en tabular editor. Necesitamos seleccionar por lo menos un elemento de la lista de la izquierda para que funcione (podemos seleccionar varios con Ctrl)

En redundancia, podemos armar scripts que ejecuten contra todo el modelo o simplemente seleccionar medidas o columnas que nos ayuden a ejecutar cierto código.

Ahora veamos unas funciones comunes de interés:

Output() la función para retornar lo deseado, es ideal para debugging

CustomAction() corre otro script que fue grabado previamente como acción personalizada

FormatDax llama a DAXFormatter.com para formatear el código de respuesta

ConvertDax() convierte separadores/decimales entre UK/US

ExportProperties() exporta propiedades de objetos a una tab separada

ImportProperties() importa propiedades de objetos a una tab separada

Éstos métodos nos ayudarán a modo informativo o para complementar nuestro código. Lo último que necesitamos saber antes de comenzar a escribir nuestro código es que lo que vamos a correr esta muy relacionado con linq. Para aquellos familiarizados con este modo de querear una BD dentro de C# puede resultarles más sencillo.

Manos a la obra

Iniciaremos nuestro camino de práctica haciendo una query que nos traiga un resultado, no vamos a hacer cambios o creación la primera vez, siempre es bueno ir familiarizándose.

Veamos como hacer una consulta para saber que medidas tiene un nombre semejante al texto parametrizado (color) > Model.AllMeasures.Where(m => m.Name.Contains("Color")).Output();

Veamos que vamos a ejecutar sobre Todo el modelo apuntando a Todas las Medidas donde el nombre tenga la palabra Color. Al final agregamos Output() para conocer esas medidas que podrían ser aquellas a editar o simple análisis.

La respuesta incluye una descripción de propiedades de la medida para conocer más detalladamente su información. Esto también nos enseña que podríamos buscar otra cosa además del nombre de la medida como por ejemplo si la Expresión de DAX contiene una palabra

Consultar las medidas cuya expresión tenga la palabra calculate: > Model.AllMeasures.Where(m => m.Expression.Contains("CALCULATE")).Output();

De ese modo pudimos encontrar todas las medidas que tienen ciertos patrones lo cual sería muy importante si necesitamos cambiar masivamente contra todo el modelo una determinada línea.

También podemos hacer otras operaciones sencillas como:

Renombrar la selección > Selected.Measures.Rename("Amount", "Value");

Prestemos atención a esta operación que inició de otro modo. No vamos a correrlo contra todo el modelo sino la selección. Entonces definimos Selected.Measures.[Operación]. De ese modo cambiamos el texto de una medida por otro. Muy util si tenemos muchas bajo un patron como YTD que necesitamos representar como YearToDate. Veamos como la foto tiene seleccionada la medida al ejecutar.

De este modo vamos viendo como escribir sobre nuestro modelo. Ahora si nos gusta esto podríamos inclusive crear medidas aquí directamente sin usar el motor de Power Bi Desktop de la siguiente manera:

Crear una medida con sus detalles más importantes > var nuevita = Model.Tables["InternetSales"].AddMeasure("TabMedida", "SUM(InternetSales[Unit Cost])"); > nuevita.FormatString ="$#0.0"; > nuevita.Description = "Nuevita creada por tabular editor";

En esta oportunidad vemos que Model no solo ejecuta contra la totalidad sino que también podemos enfocarlo sobre una tabla en particular como ejemplo “InternetSales”. Esta sería la mejor práctica en un desarrollo de Power Bi donde anotamos no solo el código DAX sino su formato y descripción correspondiente.

Ahora vamos a saltar a algo más complejo y muy atractivo. Sabiendo que podemos consultar el modelo para obtener un determinado conjunto de medidas, nos vamos a aprovechar de eso para ejecutar una transformación solo en esa lista que se determinó con código para ser más eficiente y no estar ejecutando contra todas las medidas del modelo.

Change text where text like (adding comment) foreach ( var medida in Model.AllMeasures.Where(m => m.Expression.Contains("SWITCH(_Units")) ) { medida.Expression = medida.Expression.Replace("SWITCH(_Units","--Changing units \nSWITCH(_Units"); }

Esta función nos ayudaría a hacer un reemplazo masivo en la Expresión DAX de las medidas cambiando el texto “SWITCH(_Units” por “--Changing units \nSWITCH(_Units". De ese modo agregaríamos un comentario en todas las expresiones que tengan un switch de la variable __units dentro de su expresión DAX. Todo esto con ayuda de un for que recorra cada medida devuelta por nuestra consulta a la cual le asignamos una Expression que sea su Expression.Replace. Esto nos muestra que también podemos ejecutar contra un único item especifico además del modelo y lo seleccionado pero de un modo un poco más completo. Así mismo vemos una de las funciones más potentes e importantes que es Replace.

No todo se trata de modificar y reemplazar sino también de crear. La creación de medidas nuevas puede ser muy atractivo cuando comenzamos un modelo nuevo y sobre todo si estamos en la industria de Retail. Podemos usar código para crear muchas medidas SUM ( Tabla[Columna] ) seleccionando las columnas que nos gustaría que tengan medidas simples como esa. Una vez que todas esas tienen medida podríamos hacerlo mismo para generar medidas como Año Anterior (LY) o YTD. Vamos a ver esta ultima opción en el ejemplo porque es más completa pero podríamos hacerlo con la selección de columnas para los SUM sencillos.

Crear medidas de Time Intelligence para LY y YTD. Aprovechamos para formatear el nuevo código DAX. Obviamente necesitamos tabla fecha. var dateColumn = "'TablaFecha'[Fecha]" foreach (var m in Selected.Measures) { //YTD m.Table.AddMeasure( m.Name + " YTD", "TOTALYTD(" + m.DaxObjectName + ", " + dateColumn + ")" ); //LY m.Table.AddMeasure( m.Name + " LY", FormatDax( "CALCULATE(" + m.DaxObjectName + "," + "SAMEPERIODLASTYEAR(" + dateColumn + "))" ) ); }

En este caso vamos a recorrer las medidas seleccionadas para agregar dos medidas a cada una de ellas. Fijense que volvemos a usar AddMeasure como vimos antes pero de este modo se crearía en más de una oportunidad. Nos aprovechamos de DaxObjectName y Name para parametrizar el nombre de la medida y el objeto interno de la expresión que daría vida a las nuevas medidas bien ejecutadas para cada uno. Notese que la segunda medida incorpora FormatDax para que nuestra medida salga formateada como DAXFormatter lo haría. Si bien nosotros podríamos agregar \n para saltos de línea o \t para tabulaciones, es más simple llamar al formateador.

Al terminar nuestro trabajo y todas las ejecuciones debemos dar en el siguiente botón para que nuestros scripts se hagan reales en nuestro modelo de Power Bi Desktop, AAS, etc.

De esto modo concluimos nuestro paseo con algunas potentes opciones por las cuales deberíamos introducirnos en Tabular Editor. Espero que esto nos ayude a entender mejor esto de escribir código C# para scripting contra un modelo de Power Bi.

#powerbi #power bi #power bi desktop #tabular editor #power bi dax #dax #power bi training #power bi tips #power bi tutorial #power bi argentina #power bi cordoba #power bi jujuy

0 notes

fictionwriterkl · 4 years

Link

0 notes

crescentcampbell · 4 years

Text

If you’re looking to make some extra money and enjoy reading, the app that I write for is having a contest where you can get money for reading. https://www.dreame.com/act/customactivity/20200826_Read&Share?theme=20200826_Read%26Share

#reading

0 notes

terabitweb · 5 years

Text

Original Post from Trend Micro Author: Trend Micro

by Llallum Victoria (Threats Analyst)

Windows Installer uses Microsoft Software Installation (MSI) package files to install programs. Every package file has a relational-type database that contains instructions and data required to install or remove programs.

We recently discovered malicious MSI files that download and execute other files and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that are either capable of initiating a system shutdown or targeting financial systems located in certain locations.

Analyzing malicious MSI files

We discovered JScript/VBScript codes within several samples of malicious *.msi files. However, the parts of the script were distributed (and truncated, it seems) to other parts of the file and did not directly execute wscript.exe to run them. (Installer msiexec.exe itself, however, has its interpreter.)

Figure 1. MSI file containing JavaScript that appears to be truncated

We used the tool Orca MSI Editor, which allows a user to look at how and where files may be delivered, to view the tables and find the script in question in the CustomAction table. The CustomAction table permits integration of custom code and data into installations. The source of the executed code can be a stream from within a particular database, an installed file, or an existing executable. The table lists various information such as action, type, source, target, and extended type to provide further details.

Figure 2. From Orca MSI Editor: CustomAction that contains JavaScript

The malicious JS code (detected by Trend Micro as Trojan.JS.MSAIHA.A) accesses the URL hxxps[:]//s3-eu-west-1[.]amazonaws[.]com/{random characters}/image2[.]png to download files. The downloaded file or .txt file will be stored in either of the following folders:

%User Startup%

%User Profile%Saved Games

%User Profile%Contacts

%User Profile%Links

%User Profile%Music

For downloaded files (.exe, .msi, or dump files from zip), the malware uses the filename jesus or dump. For created .txt files, the filename varies between desktop.txt, desktop, and desktop.ini. The malware can also initiate a system shutdown.

At the time of our analysis, one of the samples related to Trojan.PS1.MSAIHA.A had a URL that was still up. We learned that it won’t continue its malicious routine if it finds the file %Application Data%/{yyyyMM}.ini, and will drop the file as an infection marker instead. It also downloads an encrypted .zip file then decrypts it by using XOR with hardcoded 0x29.

Figure 3. Contents of the .zip file saved in the Microsoft folder

Figure 4. The trojan executing context_snapshot.exe

The .zip file contains normal files like iLua.inf, msvcr120.dll, and msvcp120.dll; files digitally signed by Avira; AutoIt-related files; and an encrypted dynamic-link library (DLL). The trojan executes the freeware automation language AutoIt to decrypt the encrypted DLL and execute context_snapshot.exe in order to inject its DLL, all while pretending to be a legitimate process.

The AutoIt script here (seen in Figure 3 as v8_context_snapshot.src and detected as Trojan.AutoIt.AUTINJECT.AA) is password-protected, so we ran a modified myAut2Exe, a tool for password-guessing and producing pathnames and other information.

Figure 5. Log output of v8_context_snapshot.src

Figure 6. Avira executable is injected with an encrypted DLL

After decrypting the file, it appears that the trojan used the AutoIt script, which we found available online, for injection and modified it for self-use. Additionally, it appended a DLL that it consequently loaded to its memory. This use of DLL is for the purpose of executing the digitally signed Avira file (context_snapshot.exe). The Avira executable is then injected with the encrypted DLL (Jlib.dll) in its process and passes itself as a legitimate process.

We shared our analysis with Avira, which responded with the following: “Our top priority is to protect our users, therefore we’ve immediately added detections for all files together with the accessed URLs. To be able to execute malicious code in the context of a legitimate process and bypass security solutions, the malware is using one of our Avira executables out of the context of an Avira regular installation to inject malicious code into it. This can be done only because the Avira protection is not enabled on the user machine. When Avira is installed, there is a software protection process in place which does not allow any third-party processes or components to modify or inject one of our own processes. In the past, there were no reports of malware infection/injection bypassing by any third-party processes. This issue is currently under investigation, thus we will be able to provide more information in the following days.”

Other samples related to Trojan.PS1.MSAIHA.A were also seen capable of restarting target machines and using Dropbox links to download the aforementioned .zip file. Some even check for the following folder names (whereby if the paths exist, the malware continues with its routine):

%AppDataLocal%Aplicativo Itau (related to a bank in Brazil)

%Program Files%AppBrad (related to banking and financial service companies in Brazil)

%ProgramFiles%DieboldWarsaw (related to the financial and retail technology company)

Figure 7. A supposed Adobe Acrobat Reader DC pop-up window

Another notable aspect of the malicious MSI files we analyzed is that they also pretended to be legitimate. The files were disguised as Adobe Acrobat Reader DC (as seen in Figure 7) and redirect the user to the site www[.]adobe[.]com/br/, which is in Portuguese.

Figure 8. The MSI files redirect users to this site

Figure 9. Spam containing a .zip file that downloads from a malicious URL

We also found a related spam email during our analysis. The email contains text written in Portuguese and is written concisely, indicating an attachment and asking the recipient to treat it urgently. It contains a .zip file labeled “Fatur432952-532-674.zip”, which downloads from one of the malicious URLs we detected to be part of this campaign. The “image2.png” in the said URL is, in fact, an archive when downloaded.

Figure 10. Script that downloads the archive

The archived file contains dump.msi (detected as Trojan.JS.MSAIHA.A), dump.exe (detected as TrojanSpy.Win32.CASBANEIRO.XLB), and ssleay64.dll (detected as TrojanSpy.Win32.CASBANEIRO.XLB).

Figure 11. Malicious routine of the MSI in spammed email

The malicious payload targets Brazil and Portugal by checking country codes in hxxps[:]//www[.]localizaip[.]com[.]br/api/iplocation[.]php. Specific events could be related to banking and financial information, or even keystrokes.

Figure 12. Flowchart of executed dump.exe’s routine

Here are some of the decrypted strings in the callback function of the created windows:

AMARELO_PASS_6 AMARELO_PASS_8 AMARELO_PASS_CERT AMARELO_QR AMARELO_CERT_SIMPLES AMARELO_PASS_SIMPLES AMARELO_PASS_QR SICREDI_ASS SICREDO_TOKEN_FISICO SICREDO_TOKEN_MOB SICREDO_PASS_QR SANTA_ASSI_ELECTRO SANTA_TOKEN SANTA_N_SERIE SANTA_PASS_QR SANTA_POS_TABELA CEF_ASS_NUMERO CEF_ASS_NUMER0_LETRAS CEF_PASS_QR NORD_POS_CARTAO NORD_PASS_QR BANESTER_CERTIFICADO BANESTES_COD_ACCESSO

BANESTES_PASS_QR BANRI_SENHA BANRI_SENHA_TECLADO SAFRA_TOKEN_MOB SAFRA_TOKEN_DISPLAY SAFRA_SENHA_TECLADO SAFRA_PASS_QR DESCO_POS_TABELA DESCO_CERT DESCO_TOKEN_6 DESCO_TOKEN_8 DESCO_PASS_QR DESCO_CEL_VISOR DESCO_PISCA BRB_CODIGO BRB_SENHA_TECLADO BRB_PASS_QR ITA_DATA ITA_SENH6 ITA_TOKAPP ITA_TOKCELL ITA_QR

Abusing custom actions in MSI

Outside of standard, built-in actions used to execute installations, there are cases where a developer may need to write a custom action. Microsoft enumerates the following scenarios where custom actions could be necessary:

An executable installed on the user’s machine or being installed with an application has to be launched during the installation process.

Special functions defined in a DLL has to be called during the installation process.

Functions written in the programming languages Microsoft Visual Basic Scripting Edition or Microsoft JScript literal script text have to be used during the installation process.

Some actions have to be deferred until the execution of the installation script.

Time and progress information have to be added to a ProgressBar control and a TimeRemaining Text control.

Consequent to these situations, abuse of the first and second scenarios is also not unlikely with sophisticated malware.

Figure 13. From Orca MSI Editor: CustomAction contains VBScript

After checking another sample containing VBScript (see Figure 13), we could infer that the malware creator used the Advanced Installer application to build the samples, because the sample needs a third-party library such as powershellscriptlauncher.dll to run the PowerShell script for viewing logs and processes.

Figure 14. Advanced Installer with other custom actions

We were able to add to or modify custom actions of the samples, such as executing JS, VBS, and PowerShell scripts, and even loading libraries, with Advanced Installer. This could be favorable to malicious actors looking to abuse the functions so that they can easily modify normal MSI packages and insert malicious scripts.

Figure 15. Custom actions indicating existing and newly created PowerShell scripts

Figure 16. Adding a new custom action to run a PowerShell script

Currently, the malware downloads archives that contain multicomponent (DLL side-loading) malware.

Mitigation and solutions

We have noted that abusing MSI packages for malicious intent is typically done to install potentially unwanted applications (PUAs) and not necessarily to drop malware. Malware installation utilizing MSI packages and custom actions is another mechanism to look out for, as malicious actors may use it to skirt around security software that only detects traditional installation methods.

The malware creators in this case might be testing different malware arrival methods and focusing on targets located in Brazil and Portugal, based on the language in the spam email, site redirection, and folder paths that we encountered during our analysis. As a first line of defense, we recommend that users avoid installing unknown files and clicking on URLs that may redirect to sites that download malicious files. Users can also practice good security hygiene by updating systems with the latest security patches or by employing solutions that can defend against possible exploits.

Trend MicroXGen security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

The list of indicators of compromise (IoCs) related to this threat can be found in this appendix.

With additional analyses by Henry Alarcon Jr., John Rey Cañon, and Jay Nebre

The post Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts appeared first on .

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Trend Micro Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts Original Post from Trend Micro Author: Trend Micro by Llallum Victoria (Threats Analyst) Windows Installer uses Microsoft Software Installation (MSI) package files to install programs.

#Trend Micro

0 notes

adamgdooley · 7 years

Text

Packaging Suite 5.0 – A combination of proven and new functionality

Raynet, provider of services and products for application lifecycle management in Europe, has released an advanced and comprehensive software packaging and virtualisation solution: Packaging Suite 5.0

Packaging Suite 5.0 delivers high performance, connectivity, and versatility for the highly demanding tasks. The components of Packaging Suite, including RayFlow Client, RayEval, RayPack, RayQC, and RayQC Advanced, are claimed to provide better performance than most of the currently available solutions on the market.

This makes it possible to easily perform even the most complex tasks, such as the processing of complex packaging projects. Packaging Suite 5.0 is so dynamic that it adapts to the most diverse requirements. Through the individual product components, Packaging Suite covers all aspects of enterprise packaging: application readiness, software evaluation, packaging and virtualisation as well as quality assurance and workflow management. The seamless integration of all components ensures a much more productive and efficient processing of all package-related processes.

In addition to the stunning new design of the user interface, Packaging Suite 5.0 comes with new features, making it the most advanced and comprehensive solution and taking software packaging to the next level.

The new RayFlow Deployment Wizard now allows users to integrate software packages directly in the deployment solutions RayManageSofti (RMSi) or System Center Configuration Manager (SCCM). The pre-configuration via the user interface enables the deployment at the push of a button, saves time and reduces the error rate.

The Package Store is now integrated in RayFlow and RayPack and gives users direct access to previously analyzed, standardized, preconfigured and quality-assured software packages, which can be adjusted in the Packaging Suite per needs and requirements.

RayPack now also offers the possibility to create non-Windows-projects and therefore also professionally covers macOS packaging.

The extended support for App-V 4.6 to 5.0, including 5.0 SP2, 5.1 and App-V for Windows 10, enables to refer to specific App-V versions in order to use the latest features of App-V technology. Further separate rule sets in RayQC Advanced for different App-V versions complete the range of test possibilities.

Raynet’s packaging solution RayPack uses Universal Windows Platform (UWP) bridge to support conversion and repackaging of applications for the Windows 10 APPX / UWP format. Older desktop applications are delivered in an APPX container and can be distributed via the Windows Store. New features and security features of the Windows 10 UWP platform are used. The new rule set for UWP Apps enables RayQC Advanced to test whether software packages can be converted to the UWP Bridge Desktop App format. In addition, users can now perform comprehensive collision and compatibility checks with various Windows 10 editions including Anniversary and Creators updates.

PowerShell CustomActions makes it possible to script complex installations in a modern language. Of course, RayPack now also provides full integration with Windows Installer Session Properties. With RayPack the creation of a PowerShell App Deployment Toolkit wrapper for generated projects is easily realized.

With a new plug-in system, users can expand RayPack. RayPack already provides some sample plugins with the installation, such as: adaptation of the complexity index, integration of an established community website for package developers and many more.

To significantly increase user comfort, Raynet also provides the PackBench with a multilingual user interface available in English, German and Polish.

Go to Source

The post Packaging Suite 5.0 – A combination of proven and new functionality appeared first on Statii News.

from Statii News http://news.statii.co.uk/packaging-suite-5-0-a-combination-of-proven-and-new-functionality/ from Statii News https://statiicouk.tumblr.com/post/163714093777

0 notes