Collecting NetTcpConnection and Process information with PowerShell

If you need information on active TCP connections, you probably start with the netstat command. With the -b parameter netstat also lists the executable involved in creating each connection, and with -o the owning process ID. The output then looks as follows. In PowerShell we can use Get-NetTCPConnection to retrieve TCP connection information. When I suspect that something malicious is running on a device, I look at the TCP connections and want to know Read More …
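As an added example (not the code from the post itself), the following joins Get-NetTCPConnection to Get-Process so each connection carries the owning process name and executable path, the same information netstat -b/-o gives. It assumes the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated session, without which the path of processes owned by other users comes back empty.

```powershell
# Added example, not the original post's code: list TCP connections with the
# owning process, the PowerShell equivalent of "netstat -bo".
function Get-TcpConnectionWithProcess {
    [CmdletBinding()]
    param(
        # Only return connections in this state; Established is what you triage first.
        [string]$State = 'Established'
    )
    # Build a PID -> process lookup once instead of calling Get-Process per connection.
    $procs = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $procs[[int]$_.Id] = $_ }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            PID           = $_.OwningProcess
            # A PID with no matching process usually means it exited between the two calls.
            ProcessName   = if ($p) { $p.ProcessName } else { '<exited>' }
            # Path is $null for protected or other-user processes unless you run elevated.
            Path          = if ($p) { $p.Path } else { $null }
        }
    }
}

# Triage view: processes talking to addresses outside loopback and RFC 1918 ranges.
Get-TcpConnectionWithProcess |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|0\.0\.0\.0$|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
    Sort-Object ProcessName, RemoteAddress |
    Format-Table -AutoSize
```

Anything with an empty Path in the output deserves a second look: either you are not elevated, or the process is protected, or it has already gone away, and the last two are exactly the cases worth explaining during an investigation.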

Automating CIS-CAT Pro with PowerShell

CIS-CAT stands for Center for Internet Security Configuration Assessment Tool. The CIS-CAT tool is used to perform configuration and vulnerability assessments. The Pro version is only available to CIS members; however, if you want to try out the software, you can download the CIS-CAT Lite version from here: https://www.cisecurity.org/introducing-cis-cat-lite/ Note that the Lite version does not include the command line interface, so you won’t be able to use the automation described in this blog post. Read More …

PowerShell Core logging configuration

After browsing through the PowerShell code a bit, I found some references as to how to configure PowerShell Core logging options through GPO or via a configuration file. There are no GPO templates available for PowerShell Core, but the same settings as are written for Windows PowerShell also apply to Core; they just live under another registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PowerShellCore So when you apply the following registry settings, you can enable ScriptBlock logging and transcription Read More …
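As an added example (not the registry export from the post), the following script writes those policy values under the PowerShellCore key. The value names are the ones Windows PowerShell uses for the same policies and that about_Logging_Windows documents for PowerShell Core; the transcript output directory is an assumption, and the script must run from an elevated prompt.

```powershell
# Added example, not the post's own settings file: enable ScriptBlock logging and
# transcription for PowerShell Core through the policy registry key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'

$settings = @(
    @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1; Type = 'DWord' }
    # Start/stop events for every script block are very noisy; leave them off unless you need them.
    @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockInvocationLogging'; Value = 0; Type = 'DWord' }
    @{ Key = "$base\Transcription"; Name = 'EnableTranscripting'; Value = 1; Type = 'DWord' }
    # The invocation header records user, host and start time at the top of each transcript.
    @{ Key = "$base\Transcription"; Name = 'EnableInvocationHeader'; Value = 1; Type = 'DWord' }
    # Assumed path; in production point this at a write-only share an attacker cannot prune.
    @{ Key = "$base\Transcription"; Name = 'OutputDirectory'; Value = 'C:\PSTranscripts'; Type = 'String' }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
}

# Verify what was written; the settings apply to sessions started after this point.
Get-ItemProperty "$base\ScriptBlockLogging", "$base\Transcription" |
    Select-Object PSChildName, EnableScriptBlockLogging, EnableTranscripting, EnableInvocationHeader, OutputDirectory
```

Open a new pwsh session afterwards and run any script: a transcript appears under the output directory, and once the event manifest is registered (the subject of the next post), script block contents show up as event ID 4104 in the PowerShellCore/Operational log.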

Enabling PowerShell logging for PowerShell Core 6 (Workaround)

By default, PowerShell Core does not log events to the Windows event logs. From a security perspective this isn’t ideal, but that’s something I’ll take a closer look at later. To enable PowerShell logging you have to run RegisterManifest.ps1, which is located in the “C:\Program Files\PowerShell\6.0.0” folder. Unfortunately, running that command would not work for me. Now this is the beauty of PowerShell being open sourced: the code as well as the comments from Read More …

Retrieving Windows Defender ATP query API data with PowerShell

I am currently working on some automation around Windows Defender, so I started to look at the Windows Defender Advanced Threat Protection query API. Note that this API is still in preview. I wrote two functions for this. Connect-WindowsATP is used to get an access token. Note that you will first need to register an application in Azure Active Directory so that you get an Application ID, which you have to include at the top of the Read More …
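As an added example (not the two functions from the post), the following shows the two steps the post describes: obtain a token for the registered application with the OAuth2 client-credentials grant, then POST an advanced hunting query. The function names, the tenant and app identifiers, and the table/column names in the sample query are assumptions; the token and query endpoints are the ones documented for the Defender ATP advanced hunting API, which may differ from the preview endpoint the post used, so check the current documentation before relying on them.

```powershell
# Added example, not the post's Connect-WindowsATP: client-credentials token
# acquisition and an advanced hunting query against the Defender ATP API.
function Connect-WdatpApi {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][securestring]$ClientSecret
    )
    # Assumed endpoints: verify against current Microsoft documentation.
    $resource = 'https://api.securitycenter.windows.com'
    $tokenUri = "https://login.windows.net/$TenantId/oauth2/token"
    # Unwrap the secret only for the request body; do not keep the plain text around.
    $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $plain
        resource      = $resource
    }
    $resp = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function Invoke-WdatpQuery {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Query
    )
    $uri = 'https://api.securitycenter.windows.com/api/advancedqueries/run'
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $payload = @{ Query = $Query } | ConvertTo-Json
    $result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $payload -ContentType 'application/json'
    # The response carries a Schema array and a Results array; the rows are what you want.
    return $result.Results
}

# Usage with assumed identifiers; the query hunts for encoded PowerShell command lines.
# $secret = Read-Host -AsSecureString 'Client secret'
# $token  = Connect-WdatpApi -TenantId 'contoso.onmicrosoft.com' -AppId '00000000-0000-0000-0000-000000000000' -ClientSecret $secret
# Invoke-WdatpQuery -AccessToken $token -Query @'
# DeviceProcessEvents
# | where FileName =~ "powershell.exe" and ProcessCommandLine has "-enc"
# | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
# | take 20
# '@ | Format-Table -AutoSize
```

Treat the client secret like a domain credential: the application permission behind it reads telemetry for every device in the tenant, so store it in a credential vault rather than at the top of the script.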

Exploring the Blockchain – Part1

A few days ago I decided that I wanted to learn more about the blockchain. So I started reading various documentation, browsed through GitHub, watched videos online and finally took the online training at the Microsoft Virtual Academy, “Microsoft Blockchain as a Service”. I guess this is only the beginning, as there is so much more to explore in this field. But today I want to share with you the first steps I took trying Read More …

Exploring Microsoft Security Update information with PowerShell

Nowadays regular deployment of security updates is a must, whether at home or within the enterprise. If you are responsible for keeping systems up to date, you deploy the latest updates as soon as possible. But it is equally important to understand the vulnerabilities being addressed by these updates. The Microsoft Security Update Guide allows you to find detailed information about security updates. Go to https://portal.msrc.microsoft.com/en-us/ and select “Go to the Security Update Guide”. Next Read More …

PowerShell script Update-PoshModule

With today's rapid development and release cycles it’s good practice to regularly check whether you have the latest available module versions installed. Using native PowerShell cmdlets you would first list the modules installed locally and then search for the latest version of each module online. When you have several modules installed, this becomes a laborious task. So I wrote a cmdlet that does all this work for me, and for you if you like. The Update-PoshModule cmdlet can Read More …
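As an added example (not the Update-PoshModule cmdlet from the post), the following implements the two-step check the paragraph describes with native PowerShellGet cmdlets: it collects the newest installed version of each module, queries the gallery once for all of them, and reports (and optionally installs) newer versions. The function name is an assumption; the cmdlets are standard PowerShellGet.

```powershell
# Added example, not the post's Update-PoshModule: report modules for which the
# gallery has a newer version than the one installed locally.
function Get-OutdatedPoshModule {
    [CmdletBinding()]
    param(
        [string]$Repository = 'PSGallery',
        # Pass -Update to actually install the newer version instead of only reporting it.
        [switch]$Update
    )
    # Prerelease suffixes such as "-beta1" would break the [version] cast; strip them.
    function ToVersion([string]$v) { [version]($v -replace '-.*$', '') }

    # Get-InstalledModule returns one row per installed version; keep the newest per name.
    $installed = Get-InstalledModule |
        Group-Object Name |
        ForEach-Object { $_.Group | Sort-Object { ToVersion $_.Version } -Descending | Select-Object -First 1 }

    # One gallery query for all names beats one Find-Module call per module.
    $online = @{}
    Find-Module -Name $installed.Name -Repository $Repository -ErrorAction SilentlyContinue |
        ForEach-Object { $online[$_.Name] = $_ }

    foreach ($m in $installed) {
        $latest = $online[$m.Name]
        if (-not $latest) { continue }    # not published in this repository
        if ((ToVersion $latest.Version) -gt (ToVersion $m.Version)) {
            [pscustomobject]@{
                Name      = $m.Name
                Installed = $m.Version
                Available = $latest.Version
                Author    = $latest.Author
            }
            if ($Update) {
                # Update-Module only handles modules originally installed with Install-Module.
                Update-Module -Name $m.Name -RequiredVersion $latest.Version -Force
            }
        }
    }
}

Get-OutdatedPoshModule | Format-Table -AutoSize
```

Run it without -Update first and look at the Author column: a module whose author changed between your installed version and the gallery's newest one is a supply-chain signal worth checking before you update.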

PowerShell Script Get-BatteryChargeStatus

Update 01.08.2017: I have updated the script to ensure that the Windows.Devices.Power.Battery class is properly loaded, as this wasn’t the case in a 64-bit PowerShell session. A little script I wrote to retrieve the battery charge status. The script makes use of the BatteryReport class, which aggregates the information should the device have more than one battery, as the Surface Book does.


How to check if Control Flow Guard is enabled

Control Flow Guard (CFG) helps mitigate exploits that hijack the flow of execution between code locations in memory, by validating the target of indirect calls before they are taken. CFG is a mitigation that requires no configuration within the operating system; instead it is built into software when it is compiled. So how do you check whether an application has Control Flow Guard enabled? For my own testing purposes I created two executables, one called ConsoleApplication1.exe that Read More …
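As an added example (not the method from the post), the following reads the PE optional header of an executable and tests the IMAGE_DLLCHARACTERISTICS_GUARD_CF bit (0x4000), which the linker sets for images built with /guard:cf and which dumpbin /headers reports as "Control Flow Guard" under DLL characteristics. The function name is an assumption; the header offsets are those of the PE format, where DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.

```powershell
# Added example, not the post's own check: decide from the PE header whether an
# image was linked with Control Flow Guard, plus the neighbouring mitigation bits.
function Test-ControlFlowGuard {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $full  = (Resolve-Path $Path).ProviderPath
        $bytes = [System.IO.File]::ReadAllBytes($full)

        # DOS header: 'MZ' at offset 0, e_lfanew (file offset of the PE header) at 0x3C.
        if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
            throw "$full is not a PE file (no MZ header)"
        }
        $pe = [BitConverter]::ToUInt32($bytes, 0x3C)
        # Need the signature, the 20-byte COFF header and at least 72 bytes of optional header.
        if (($pe + 4 + 20 + 72) -gt $bytes.Length -or
            [BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {   # 'PE\0\0'
            throw "$full has no valid PE signature"
        }

        # Optional header follows the 4-byte signature and the 20-byte COFF header.
        $opt      = $pe + 4 + 20
        $magic    = [BitConverter]::ToUInt16($bytes, $opt)       # 0x10b = PE32, 0x20b = PE32+
        $dllChars = [BitConverter]::ToUInt16($bytes, $opt + 70)  # DllCharacteristics

        [pscustomobject]@{
            Path          = $full
            Arch          = if ($magic -eq 0x20b) { 'x64' } elseif ($magic -eq 0x10b) { 'x86' } else { 'unknown' }
            CFG           = [bool]($dllChars -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
            DEP           = [bool]($dllChars -band 0x0100)   # NX_COMPAT
            ASLR          = [bool]($dllChars -band 0x0040)   # DYNAMIC_BASE
            HighEntropyVA = [bool]($dllChars -band 0x0020)   # HIGH_ENTROPY_VA (64-bit ASLR)
        }
    }
}

# Compare the test binary from the post with a system image that ships with CFG.
'.\ConsoleApplication1.exe', "$env:SystemRoot\System32\notepad.exe" |
    Where-Object { Test-Path $_ } |
    Test-ControlFlowGuard | Format-Table -AutoSize
```

The bit tells you the image was built with CFG; whether it is enforced at run time also depends on the OS (Windows 8.1 Update 3 or Windows 10 and later) and on the image's load configuration directory being present. For a running process, Process Explorer's "Control Flow Guard" column shows the effective state.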