It’s never too late to start learning PowerShell

It’s 2018 now and you might think who doesn’t know PowerShell yet. Although I’ve seen the number of people using PowerShell increasing over the past years, there’s still plenty of people out there that have the learning curve for PowerShell ahead of them. A few years ago, when the use of PowerShell got traction amongst many IT professionals the web was full of learning resources by means of blog posts, podcasts and online trainings. It Read More …

How to get started with Azure log Analytics

If you’re interested in getting your hands dirty with Azure Log Analytics, here’s a few resources and tips on how to get started. The Video’s If you’re looking for some imagination of what Azure Log Analytics is all about and what you can do with it, here’s a couple of videos I recommend watching. Azure Log Analytics (13 minutes) https://channel9.msdn.com/Shows/Azure-Friday/Azure-Log-Analytics?ocid=player What’s changed in Azure Log Analytics? (5 minutes) https://channel9.msdn.com/Blogs/Azure/Whats-changed-in-Azure-Log-Analytics The improved Azure Log Analytics: A Read More …

Data Collection Tier in Azure Security Center

Within the Azure Security Center, Security Policy node, you can select a workspace and there define the data collection configuration for security events. All Events Common Minimal None More details about the Azure Data Collection and the data collection tier can be found here. The page also has a list of all the Event IDs that are being collected within each tier. To better understand the exact meaning of each Event ID, I’ve created the Read More …

OMS Security and Audit Baseline Assessment

The Microsoft Operations and Management Suite, Security and Audit Solution includes a Baseline Assessment component. The Baseline configuration definition includes a set of Registry, audit policy and security policy settings rules that are recommended to configure to achieve a secure operating environment. Within the Console we get an overview of “Rules” that have failed, because the servers don’t have the recommended configuration applied. While looking at this, I wondered where I can find the complete Read More …

Collecting NetTcpConnection and Process information with PowerShell

if you need information on active TCP connections, you probably start with the netstat command When using the -b or -o parameter netstat will also list the executable involved in creating the process respectively the owing Process ID. The output then looks as following. In PowerShell we can use Get-NetTCPConnection to retrieve TCP connection information. When suspecting that something malicious is running on a device, I look at the TCP connections and want to know Read More …

Automating CIS-CAT Pro with PowerShell

CIS-CAT stands for Center for internet Security Configuration Assessment Tool. The CIS-CAT tool is used to perform configuration and vulnerability assessments. The Pro version is only available to CIS members, however if you want to try out the software, you can download the CIS-CAT Lite version from here: https://www.cisecurity.org/introducing-cis-cat-lite/ Note that the Lite version does not include the command line interface, so you won’t be able to use the automation described in this blog post. Read More …

PowerShell Core logging configuration

After having browsed through the PowerShell code a bit, found some references as to how to configure PowerShell Core logging options through GPO or via a configuration file. There are no GPO Templates available for PowerShell Core, but the same settings as are written for Windows PowerShell also apply for Core, they just live within another registry key. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PowerShellCore So when you apply the folllowing registry settings , you can enable ScriptBlock logging and Transcripting Read More …

Enabling PowerShell logging for PowerShell Core 6 (Workaround)

By default, PowerShell Core does not log events to the Windows Event logs. From a security perspective this isn’t ideal, but that’s something I’ll take a closer look at later. To enable PowerShell logging you have to run RegisterManifest.ps1 which is located in the “C:\Program Files\PowerShell\6.0.0” folder. But unfortunately running that command would not work for me. Now this is the beauty of PowerShell being open sourced, the code as well as the comments from Read More …

Retrieving Windows Defender ATP query API data with PowerShell

I am currently working on some automation around Windows Defender, so started to look at the Windows Defender Advanced Threat Protection query API. Note that this API is still in preview. I wrote two functions for this. Connect-WindowsATP is used to get an access token. Note that you will need to first register the API in Azure Directory so that you get an Application ID that you have to include at the top of the Read More …