Data Collection Tier in Azure Security Center

Within the Azure Security Center, Security Policy node, you can select a workspace and there define the data collection configuration for security events. All Events Common Minimal None More details about the Azure Data Collection and the data collection tier can be found here. The page also has a list of all the Event IDs that are being collected within each tier. To better understand the exact meaning of each Event ID, I’ve created the Read More …

Collecting NetTcpConnection and Process information with PowerShell

if you need information on active TCP connections, you probably start with the netstat command When using the -b or -o parameter netstat will also list the executable involved in creating the process respectively the owing Process ID. The output then looks as following. In PowerShell we can use Get-NetTCPConnection to retrieve TCP connection information. When suspecting that something malicious is running on a device, I look at the TCP connections and want to know Read More …

Exploring Microsoft Security Update information with PowerShell

Nowadays regular deployment of security updates is a must, whether at home or within the enterprise. If you are responsible to keep systems up to date you deploy the latest updates as soon as possible.  But it is equally important to understand the vulnerabilities being addressed by these updates. The Microsoft Security Update Guide allows you to find detailed information about security updates. Go to https://portal.msrc.microsoft.com/en-us/ and select “Go to the security update Guide” Next Read More …

How to check if Control Flow Guard is enabled

How to check if Control Flow Guard is enabled Control Flow Guard helps mitigate exploits that are based on flow between code locations in memory. Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. So how to check if an Application is Control Flow Guard is enabled? For my own testing purposes I created two executables one called ConsoleApplication1.exe that Read More …

PowerShell Script – Get-IscMSSecBulletinInfo

Hey there, the Internet Storm Center recently extended their Rest API with some features for Microsoft Patch Data. So where there is a REST API, there’s an opportunity for a PowerShell Script.  The Get-IscMSSecBulletinInfo can be found here: https://github.com/alexverboon/posh/blob/master/Security/Get-IscMSSecBulletinInfo.ps1 Cheers /Alex

MBSA 2.3 Preview Release Available

Based on a statement made by Microsoft in the August 2012 security bulletin, I wrote a short blog post back in November 2012 that there would be no MBSA version available for Windows 8. But it looks like plans have changed as Microsoft has now released a preview version of MBSA 2.3 that does provide support for Windows 8, Windows 8.1 as well as the new server editions. MBSA 2.3 release adds support for Windows Read More …

How to create a SCCM 2012 SP1 Configuration Baseline with Security Compliance Manager (SCM) 3.0

Most enterprises take advantage of Group Policies to manage security configuration settings across their server and desktop infrastructure. Usually once tested and implemented it’s assumed they get applied correctly. But can we be 100% sure that our clients and servers do actually receive these settings? With the help of the Microsoft Security Compliance Manager 3.0 and SCCM 2012 SP1 we can configure a security baseline to monitor security group policy settings compliance. To do so Read More …

No MBSA for Windows 8 planned

Many companies and individuals use the Microsoft Baseline Security Analyzer (MBSA) to assess the security state of their Windows Clients. But according to a statement from Microsoft in their August 2012 Security Bulletin, there are currently no plans to release an updated version for Windows 8. Q: Will the current version of MBSA support Windows 8? A: No, the current version of MBSA will not support Windows 8 and Microsoft currently has no plans to Read More …

Adobe introduces new Update Mechanism for Adobe Flash Player

A few days ago Adobe released a security update for Adobe Flash player and with that update Adobe also introduced a new mechanism for Flash Player updates. When deploying Adobe Flash player within a controlled corporate environment you most likely want to prevent the player from automatically updating itself or show notifications about a new version being available. When installing Adobe Flash Player 11.2 you will find the following: A new Scheduled Task called Adobe Read More …

How To test if your Antivirus program is working

I was doing some Antivirus stuff this afternoon now let me share with you how to test if your Antivirus program is working, e.g. alerts you in the event of a virus. Of course you can go to certain places on the internet where it won’t take long until you get a real virus, but that’s probably not what you want to do, so here’s a brief description how to use the “Test-Virus”. Go to Read More …