From Event to Object

So I needed to gather some information on the usage of a file server, so we enabled auditing, but those logs aren't that fun to work with. Using Event Viewer isn't really an option with thousands of log entries to process. So I went to PowerShell, which has Get-WinEvent, which returns [System.Diagnostics.Eventing.Reader.EventRecord] objects. But those still aren't that fun: they are event log records, so I can't just do a Where-Object search on them, as the message is one block of text. BUT I can convert them into XML, which lets me query the XML with Where-Object. That is still limiting, though, as I had to do the conversions myself, and depending on the PowerShell version you do it in different ways. So I wrote a cmdlet that does it for me, so I don't have to in the future.

It reads the events you throw at it and creates a translation map from the XML to a PowerShell object.

So I created ConvertFrom-VirotEvent, a small sample below.

Sample ConvertFrom-VirotEvent
Let's see all the times somebody used runas, elevated themselves using UAC, or used RDP... well, any time Windows presented a login box for an already logged-on user, or another process did the same, such as the Task Scheduler.

Or we can just group on SourceUserName.

Every function has a beginning, a middle and an end.

Okay, so I used a bit of artistic freedom there; the truth is that the main parts of a function are:

  • Parameters
  • Begin
  • Process
  • End

Parameters

This is kinda self-explanatory. This is where we declare all the parameters that the function will use. For today this is not really an important part, so for simplicity I have created one input parameter called... (drumroll)... Input.

Begin

This script block contains things that aren't really dependent on any parameters that you supply. It is a good spot to verify that you have the required modules or write access, or to connect to a database.

Process

This is the big script block that has all the magic. All your core logic goes in here, and it runs once for every object that comes down the pipeline.

End

When you are done there might be things to clean up or close. Close any database connection that you opened in Begin.

So what's up with all this text and no PowerShell? Okay, here we go.
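The post's own code is behind the link, so here is an added example, written for this page and not the post's ConvertFrom-VirotEvent, that puts the two halves together: the Begin/Process/End layout just described, and the EventRecord-to-XML-to-object translation the first post is about. It assumes the raw EventData field names from the Security log (SubjectUserName, TargetUserName) rather than the post's translated names, and it uses event 4648 ("a logon was attempted using explicit credentials"), which is what runas, UAC elevation with another account, RDP and scheduled tasks produce. The parameter is named EventRecord because $Input is an automatic variable in PowerShell.

```powershell
function ConvertFrom-EventRecordXml {
    <#
        Converts EventRecord objects (the output of Get-WinEvent) into flat
        PSCustomObjects: one property per <Data Name="..."> element in the
        EventData section, plus a few system fields. Example code for this
        page, not the post's cmdlet.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$EventRecord
    )

    begin {
        # Begin: nothing here depends on the incoming records.
        $eventNamespace = 'http://schemas.microsoft.com/win/2004/08/events/event'
        $converted = 0
    }

    process {
        # Process: runs once for every record that comes down the pipeline.
        [xml]$xml = $EventRecord.ToXml()
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('e', $eventNamespace)

        # Start with the system-level fields everybody filters on.
        $props = [ordered]@{
            TimeCreated = $EventRecord.TimeCreated
            Id          = $EventRecord.Id
            Computer    = $EventRecord.MachineName
            RecordId    = $EventRecord.RecordId
        }

        # Each <Data Name="X">value</Data> becomes a property named X.
        # Unnamed Data elements (older, non-manifest events) get Data0, Data1, ...
        $unnamed = 0
        foreach ($node in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $name = $node.GetAttribute('Name')
            if ([string]::IsNullOrEmpty($name)) { $name = "Data$unnamed"; $unnamed++ }
            $props[$name] = $node.InnerText
        }

        $converted++
        [pscustomobject]$props
    }

    end {
        # End: nothing to close here, just report what was done.
        Write-Verbose "Converted $converted event record(s)."
    }
}

# Usage: with the EventData fields exposed as properties, Where-Object and
# Group-Object work on them directly instead of on the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } -MaxEvents 500 |
    ConvertFrom-EventRecordXml |
    Where-Object { $_.TargetUserName -ne $_.SubjectUserName } |
    Group-Object SubjectUserName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Building the namespace manager from the document's own NameTable inside Process keeps SelectNodes happy with the events-schema namespace; the only thing Begin needs to know is the namespace URI, which is the same for every record.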

How it works with code
[Read more…]

Convenience rollup KB3125574 with bonus powershell [W7 & W2K8R2]

So Microsoft has released a convenience rollup that contains loads of updates.

There are a few issues, especially one connected to vNICs, so they also released a small VBScript to help remove the offending parts from the registry.
But I hate VBScript and love PowerShell, so I rewrote it. It went from 30 lines to 8. I know I could squeeze it into 2 without losing too much readability, but I like it like that.

You can find information about the update at KB3125574. The download is available through the Microsoft Update Catalog (requires IE).

Finding password cheaters

So in my last blog post I talked about the possibility of faking a password change by setting the last time the password was changed.

So let's find out if somebody has been tampering. To do this we check the last time somebody updated the pwdLastSet attribute and compare it to the last time somebody updated the ntPwdHistory attribute. If you change a password, AD updates both. I also added an allowance of 10 in case you needed to check or uncheck the "User must change password at next logon" checkbox. AD stores loads of data that most people never see or have to see; one such piece of data is the last time an attribute was updated.
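The check described above, as an added example (not the script behind the link): it reads the replication metadata for pwdLastSet and ntPwdHistory with Get-ADReplicationAttributeMetadata and flags accounts where pwdLastSet moved forward on its own. The post says "an allowance for 10" without a unit; this example assumes seconds and makes it a parameter. It assumes the ActiveDirectory module and a domain controller running 2012 or later.

```powershell
# Assumed: ActiveDirectory module (RSAT) and a 2012+ DC, which is what
# Get-ADReplicationAttributeMetadata needs.
Import-Module ActiveDirectory

function Find-FakedPasswordChange {
    [CmdletBinding()]
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Absorbs a toggle of "User must change password at next logon", which
        # rewrites pwdLastSet without touching ntPwdHistory. Treating the
        # post's "10" as seconds is this example's assumption.
        [int]$ToleranceSeconds = 10
    )

    # Only accounts that currently have a password set: pwdLastSet = 0 means
    # "must change at next logon" and has no timestamp worth comparing.
    Get-ADUser -Filter 'pwdLastSet -gt 0' -SearchBase $SearchBase -Server $Server |
        ForEach-Object {
            $user = $_
            # Replication metadata records when each attribute last changed,
            # regardless of what value was written into it.
            $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                        -Server $Server -Properties pwdLastSet, ntPwdHistory
            $pwdChanged  = ($meta | Where-Object AttributeName -eq 'pwdLastSet').LastOriginatingChangeTime
            $histChanged = ($meta | Where-Object AttributeName -eq 'ntPwdHistory').LastOriginatingChangeTime

            # A real password change updates both. pwdLastSet moving forward on its
            # own, by more than the tolerance, is the fingerprint of pwdLastSet = -1.
            $gap = if ($pwdChanged -and $histChanged) { ($pwdChanged - $histChanged).TotalSeconds } else { $null }

            [pscustomobject]@{
                SamAccountName      = $user.SamAccountName
                PwdLastSetChanged   = $pwdChanged
                NtPwdHistoryChanged = $histChanged
                GapSeconds          = if ($null -ne $gap) { [math]::Round($gap) } else { $null }
                Suspicious          = ($null -ne $gap) -and ($gap -gt $ToleranceSeconds)
            }
        }
}

# Usage: list only the accounts whose password-change timestamp was moved
# without a matching change to the password history.
Find-FakedPasswordChange | Where-Object Suspicious | Format-Table -AutoSize
```

Query the PDC emulator (the default here) or another single DC for every account: the metadata is per-replica, and comparing timestamps taken from two different DCs would add replication latency to the gap.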

Script to check for faked password changes

The script

[Read more…]

User password age and why you can't trust it blindly

There are many ways to check when a user last set their password; my two favorites are PowerShell and the built-in net command that is present in all current Windows versions.

There are other things that matter when we are discussing passwords, and a few we need to keep in mind. The most basic are:

  • Checkbox – Password never expires
  • Checkbox – User must change password at next logon
  • Value – Maximum password age
  • Value – When was the password last set

So how is all this stored?
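As an added example (not the post's own code), here is where the four items in the list above actually live in the user object and how to decode them: pwdLastSet as a raw FILETIME, the "never expires" bit in userAccountControl, pwdLastSet = 0 for "must change at next logon", and the domain's maximum password age. It assumes the ActiveDirectory module; the account name jdoe is a constructed placeholder.

```powershell
Import-Module ActiveDirectory   # assumed available (RSAT)

function Get-PasswordAgeDetail {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )

    begin {
        # Domain-wide maximum password age; a zero TimeSpan means "never".
        # Fine-grained password policies can override this per user.
        $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    process {
        $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, userAccountControl, 'msDS-UserPasswordExpiryTimeComputed'

        # pwdLastSet is a FILETIME (100 ns ticks since 1601). 0 means the user
        # must change the password at next logon; an admin writing -1 sets it
        # to "now", which is exactly why the value cannot be trusted on its own.
        $raw = [int64]$user.pwdLastSet
        $lastSet = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }

        # "Password never expires" is bit 0x10000 (DONT_EXPIRE_PASSWORD) in userAccountControl.
        $neverExpires = ($user.userAccountControl -band 0x10000) -ne 0

        # Expiry computed by the DC (honours fine-grained policies). Int64.MaxValue
        # means "never"; only values inside the FILETIME range are dates.
        $computedRaw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
        $computedExpiry = if ($computedRaw -gt 0 -and $computedRaw -lt [int64]::MaxValue) {
            [DateTime]::FromFileTime($computedRaw)
        } else { $null }

        $status = if ($raw -eq 0) { 'Must change at next logon' }
                  elseif ($neverExpires) { 'Never expires (account flag)' }
                  elseif ($maxAge -eq [TimeSpan]::Zero) { 'Never expires (domain policy)' }
                  elseif (($lastSet + $maxAge) -lt (Get-Date)) { 'Expired' }
                  else { 'Valid' }

        [pscustomobject]@{
            SamAccountName        = $user.SamAccountName
            PwdLastSetRaw         = $raw
            PasswordLastSet       = $lastSet
            PasswordAgeDays       = if ($lastSet) { [math]::Round(((Get-Date) - $lastSet).TotalDays, 1) } else { $null }
            PasswordNeverExpires  = $neverExpires
            MustChangeAtNextLogon = ($raw -eq 0)
            MaxPasswordAge        = $maxAge
            ExpiresComputed       = $computedExpiry
            Status                = $status
        }
    }
}

# Usage: the PowerShell view next to the net command's view of the same account.
'jdoe' | Get-PasswordAgeDetail | Format-List
net user jdoe /domain | Select-String 'Password'
```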

[Read more…]

Active Directory Schema versions

The Active Directory schema is a living platform that receives changes with every new Windows version. You can check what each schema version does by looking at the .ldf files in the "Support\ADPrep" folder on the installation media.

These changes are applied during adprep, before you promote a new Windows Server to a domain controller.

Schema version    Introduced with
13                Windows 2000
30                Windows 2003
31                Windows 2003 R2
44                Windows 2008
47                Windows 2008 R2
56                Windows 2012
69                Windows 2012 R2
87                Windows 2016 (Technical Preview)

Reverting the AdminSDHolders changes

So everyone knows what the AdminSDHolder does. Okay, let's do a short version of that too.

So what is the AdminSDHolder, then?

Well, Windows has a few "protected" groups and users. If you are a member of one of these protected groups, Windows will do a few things every 60 minutes by default:

  • Set the AdminCount property of a user to 1
  • Disable inheritance on the user object
  • Set the rights on the user objects to a reduced set

This is an extremely simplified version. For more information please read the TechNet article on AdminSDHolder.

Users and groups that are managed by the AdminSDHolder by default:

Name                          Type
Administrator                 User
Account Operators             Group
Administrators                Group
Backup Operators              Group
Cert Publishers               Group
Domain Admins                 Group
Domain Controllers            Group
Enterprise Admins             Group
Krbtgt                        User
Print Operators               Group
Read-only Domain Controllers  Group
Replicator                    User
Schema Admins                 Group
Server Operators              Group
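The reverting itself is behind the link, so here is an added example of the usual two-step version (not the post's code): find users that still carry the AdminSDHolder marks but are no longer in any protected group, then undo the three changes listed above. It assumes the ActiveDirectory module and its AD: drive. Only revert accounts that really left the protected groups; for anyone still a member, SDProp will simply stamp them again on its next 60-minute run.

```powershell
Import-Module ActiveDirectory   # assumed available; also provides the AD: drive used below

function Get-OrphanedAdminCountUser {
    <#
        Finds users that SDProp once protected (adminCount = 1, inheritance
        disabled) but that are no longer members of any protected group.
        SDProp never undoes its own work, so these stay locked down until
        somebody reverts them by hand.
    #>
    # Groups SDProp currently protects carry adminCount = 1 themselves.
    $protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested
    # membership on the server side, so one query per group is enough.
    $stillProtected = @{}
    foreach ($group in $protectedGroups) {
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
            ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
    }

    # Administrator and krbtgt are protected directly, not via group membership.
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { -not $stillProtected.ContainsKey($_.DistinguishedName) -and
                       $_.SamAccountName -notin 'Administrator', 'krbtgt' }
}

function Restore-AdminCountUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) {
            # Undo what SDProp did: adminCount, inheritance, and the reduced ACL.
            # Re-enabling inheritance brings the OU's permissions back; the
            # explicit ACEs SDProp stamped on are kept ($true) so you can review
            # and remove them separately rather than blindly.
            Set-ADUser -Identity $User -Clear adminCount
            $acl = Get-Acl -Path "AD:\$($User.DistinguishedName)"
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$($User.DistinguishedName)" -AclObject $acl
        }
    }
}

# Usage: review first, then revert (drop -WhatIf to apply).
Get-OrphanedAdminCountUser | Select-Object SamAccountName, DistinguishedName
Get-OrphanedAdminCountUser | Restore-AdminCountUser -WhatIf
```

The set of protected groups is not fixed: the dsHeuristics attribute can exclude Account Operators, Server Operators, Print Operators and Backup Operators, which is why the example asks the directory which groups carry adminCount instead of hard-coding the table above.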
[Read more…]

Who is 2.16.4.xxx

So I got a question from a customer. Their firewall team detected that clients tried to connect to 2.16.4.xxx (I replaced the last octet with x's to protect the innocent).
So who is 2.16.4.xxx? Let's start with a simple reverse DNS query.

So now we know that we are talking about Akamai. Well, that doesn't really help, since it is one of the biggest CDNs in the world.

  1. So I asked the firewall team for information on what was sent, and they couldn't help me.
  2. So we needed to figure out which name was pointing to the IP, and I didn't have access to the clients to check either. If I had had access to a client I could have run "ipconfig /displaydns", which would have given me the same kind of information as I got from the cache.
  3. But wait, I do have access to the DNS servers. Let's check the DNS cache.

Exploring the Windows DNS Server cache

Let's dump the entire cache to a file so we can work with it.

Now we have a good file to look through. Let's start by looking for the A record pointing to 2.16.4.xxx. I found another Akamai name, so I needed to see what CNAME was pointing to that name, and so it went a couple of times... but in the end we found it. Below are the interesting parts of the dump I did.

So in the end the client tried to reach crl.microsoft.com. This is a standard example of why locking down your firewalls by IP can be a time-consuming endeavour.
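The manual hunt through the dump (A record, then CNAME, then the CNAME pointing at that) is a reverse walk of the CNAME chain, which is easy to script. The example below is added for this page and is not the post's own work: it exports the cache with dnscmd (the ..Cache zone is the server cache), parses "owner TTL type data" lines, and walks backwards from an address to every name that ultimately resolves to it. The dump lines are a constructed stand-in for the post's redacted output; the intermediate names are made up, and 2.16.4.123 stands in for the redacted 2.16.4.xxx.

```powershell
# On the DNS server itself: export the cache zone to a file (dnscmd writes it
# under %SystemRoot%\System32\dns). Commented out so the example runs offline.
#   dnscmd /ZoneExport ..Cache cachedump.dns

# Constructed sample in the same "owner TTL type data" shape as a zone export.
# Names other than crl.microsoft.com are invented; .example is a reserved TLD.
$sampleDump = @'
crl.microsoft.com.              3600 CNAME crl-hop1.akadns.example.
crl-hop1.akadns.example.         300 CNAME a123.dscg.akamai.example.
a123.dscg.akamai.example.         20 A     2.16.4.123
a123.dscg.akamai.example.         20 A     2.16.4.124
unrelated.example.                60 A     198.51.100.7
'@ -split "`r?`n"

function Find-NamesForAddress {
    param(
        [Parameter(Mandatory)][string[]]$DumpLines,
        [Parameter(Mandatory)][string]$IPAddress
    )

    # Reverse indexes: address -> owners of A records, CNAME target -> aliases.
    $ownersOfAddress = @{}
    $aliasesOfTarget = @{}
    $pattern = '^(?<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?<type>A|CNAME)\s+(?<data>\S+)\s*$'
    foreach ($line in $DumpLines) {
        if ($line -notmatch $pattern) { continue }      # skips SOA/NS/AAAA/blank lines
        $owner = $Matches.owner.TrimEnd('.').ToLowerInvariant()
        $data  = $Matches.data.TrimEnd('.').ToLowerInvariant()
        $index = if ($Matches.type -ieq 'A') { $ownersOfAddress } else { $aliasesOfTarget }
        if (-not $index.ContainsKey($data)) { $index[$data] = @() }
        $index[$data] += $owner
    }

    # Breadth-first walk backwards from every A-record owner, keeping the path
    # so the output shows how each name reached the address.
    $results = New-Object System.Collections.Generic.List[string]
    $queue   = New-Object System.Collections.Generic.Queue[object]
    if ($ownersOfAddress.ContainsKey($IPAddress)) {
        foreach ($owner in $ownersOfAddress[$IPAddress]) { $queue.Enqueue(@($owner)) }
    }

    $seen = @{}
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()                       # names from the A owner outwards
        $name = $path[-1]
        if ($seen.ContainsKey($name)) { continue }     # guard against CNAME loops
        $seen[$name] = $true
        if ($aliasesOfTarget.ContainsKey($name)) {
            foreach ($alias in $aliasesOfTarget[$name]) { $queue.Enqueue($path + $alias) }
        } else {
            # Nothing aliases this name, so it is one a client actually asked for.
            [array]::Reverse($path)
            $results.Add(($path -join ' -> ') + " -> $IPAddress")
        }
    }
    return $results
}

# Usage with the constructed dump; with a real export, pass
# (Get-Content "$env:SystemRoot\System32\dns\cachedump.dns") instead.
Find-NamesForAddress -DumpLines $sampleDump -IPAddress '2.16.4.123'
# crl.microsoft.com -> crl-hop1.akadns.example -> a123.dscg.akamai.example -> 2.16.4.123
```

A real zone export also contains $ORIGIN lines and names written relative to the origin; the parser above is deliberately limited to the absolute "owner TTL type data" lines, which is what the cache dump mostly consists of, and ignores everything else.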

Nothing lasts forever

For the last 3 years I have been employed by Knowledge Factory Consulting AB, based here in Stockholm, Sweden. But nothing lasts forever; last year KF was purchased by Advania AB. Working in a small company means that you know everyone, but working at a large company gives you entirely different possibilities. This is change; one of my first consulting companies had an internal motto, "the only constant is change". You cannot expect things not to change.

Two months ago I turned in my letter of resignation to my boss. At the end of business today I will no longer be affiliated with Knowledge Factory or Advania. I will really miss all the people that made up the company, what it was and what it is. There is no way I can say this without missing everyone, from some of the best technical guys in the business to the management and sales team, and Lotta for making sure we got paid. I know I will run into some of you again, I'm not sure where yet though. My best guesses are Microsoft Ignite, at customers, or perhaps over an after-work beer.

I will continue to deliver what I do best. For inquiries please contact Toriv AB; just call me or mail [email protected]

During the coming weekend I will try to re-brand everything related to the company on my blog, LinkedIn, Twitter, etc.

Remember who you are in a PowerShell window

So sometimes you run the same command so many times that you want it to run every time you start a PowerShell window.

There are several profiles that can be loaded depending on how PowerShell is started, and there are also global profiles for all users of a computer.

Variable
$PROFILE.AllUsersAllHosts
$PROFILE.AllUsersCurrentHost
$PROFILE.CurrentUserAllHosts
$PROFILE.CurrentUserCurrentHost

AllHosts profiles run for all types of PowerShell host, both the regular console and ISE sessions. CurrentHost runs just for that specific host, so you can have different settings for ISE and console sessions.

The basic structure for the profiles is:

  • Locations:
    • Current user: "$([environment]::getfolderpath("mydocuments"))\WindowsPowerShell"
    • All users: “$($env:systemroot)\System32\WindowsPowerShell\v1.0\”
  • Filenames:
    • All types: profile.ps1
    • Console: PowerShell_profile.ps1
    • ISE:  PowerShellISE_profile.ps1

Since I usually have more than one PowerShell running at a time with alternative credentials, I had a hard time remembering which window was which. Of course I could have just run "whoami", but that is also more work than needed. So I decided that placing the username in the title was the way to go. This is also a good place to put other functions that you have written and call all the time.
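One way to do what the post describes, as an added example rather than the post's own profile: a function that reads the identity the process actually runs under (so a runas window shows the runas account) and writes it into the window title. It goes one step beyond the post by also marking elevated windows, which is the other thing that is easy to lose track of with several consoles open. The profile path shown is one of the four listed above.

```powershell
# Put this in the profile that matches how you start PowerShell, for example
#   notepad $PROFILE.CurrentUserAllHosts
# so it applies to both the console and ISE for your account only.

function Set-IdentityWindowTitle {
    # WindowsIdentity reflects the token the process runs under, so a window
    # started with runas /user:OTHERDOMAIN\admin shows that account, not the
    # one you are logged on to the desktop with.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $title = $identity.Name                          # DOMAIN\user
    if ($elevated) { $title += ' (elevated)' }       # added on top of the post's idea
    $title += " - $($Host.Name)"                     # ConsoleHost or Windows PowerShell ISE Host
    $Host.UI.RawUI.WindowTitle = $title
}

Set-IdentityWindowTitle
```

Other functions you call all the time can sit in the same file; anything defined there is available in every session the profile loads into.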

[Read more…]