Detecting Windows Lateral Movement

I came across a great article on detecting Windows lateral movement and wanted to share it with everyone: CERT-EU Security Whitepaper 17-002 “Detecting Lateral Movements in Windows Infrastructure” https://cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf

Install Chrome using PowerShell

To install Google Chrome using PowerShell (headless install), run the following command from an Administrative PowerShell prompt:
$LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')"... » read more
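The one-liner above fetches an executable over plain HTTP and runs it as administrator without checking what it downloaded, which is exactly the pattern a network-position attacker can abuse. The following is an added example (not code from the original post) of the same headless install with the checks a practitioner would want: download over TLS, refuse to execute unless the Authenticode signature is valid and belongs to the expected publisher, and wait on the installer process instead of polling by name. It assumes the HTTPS form of the post's URL is served (dl.google.com does support TLS) and that 'Google LLC' is the publisher CN reported by Get-AuthenticodeSignature; adjust both for your environment.

```powershell
# Added example, not from the original post: hardened headless Chrome install.
# Assumptions: $Url is the HTTPS form of the original post's URL; $ExpectedSigner is the
# publisher CN that Get-AuthenticodeSignature reports for the installer. Adjust as needed.
#Requires -RunAsAdministrator

$Url            = 'https://dl.google.com/chrome/install/375.126/chrome_installer.exe'  # assumed HTTPS form of the original URL
$ExpectedSigner = 'Google LLC'                                                          # assumed publisher CN
$Installer      = Join-Path $env:TEMP 'chrome_installer.exe'

# Older Windows PowerShell hosts negotiate weak TLS versions by default; pin TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Invoke-WebRequest -Uri $Url -OutFile $Installer -UseBasicParsing

# Check the signature before anything is executed. An unsigned or tampered binary is deleted, not run.
$Sig = Get-AuthenticodeSignature -FilePath $Installer
if ($Sig.Status -ne 'Valid') {
    Remove-Item $Installer -Force
    throw "Refusing to run installer: signature status is '$($Sig.Status)'."
}
if ($Sig.SignerCertificate.Subject -notmatch "CN=$([regex]::Escape($ExpectedSigner))") {
    Remove-Item $Installer -Force
    throw "Refusing to run installer: unexpected signer '$($Sig.SignerCertificate.Subject)'."
}

# Run silently and block until the installer process exits; -PassThru exposes its exit code.
$Proc = Start-Process -FilePath $Installer -ArgumentList '/silent', '/install' -Wait -PassThru
if ($Proc.ExitCode -ne 0) {
    throw "Installer exited with code $($Proc.ExitCode)."
}

Remove-Item $Installer -Force
Write-Output 'Chrome installed and installer removed.'
```

Start-Process -Wait returns when chrome_installer.exe itself exits, which is what the original's Get-Process polling loop was approximating; if you need to wait for child setup processes as well, wait on those explicitly rather than matching on a process name that any binary could choose.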

Windows Batch Programming Notes and Examples

Recently I’ve been writing a lot of Windows batch files that need to be compatible with both Windows 7 and Windows 10. I’ve decided to document some of what I have learned below.
Check if the .bat file was run with elevated privileges
WHOAMI /Groups | FIND "12288" >NUL
IF ERRORLEVEL 1 ( ECHO This batch... » read more
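The batch check above works because an elevated token carries the High Mandatory Level label, whose SID is S-1-16-12288, so FIND "12288" matches that line of whoami /groups output. Matching on a bare substring is loose, though: it would also match any other SID or group name that happens to contain "12288". The following is an added PowerShell example (not from the original post) that performs the same test on the CSV output of whoami /groups with an exact match on the SID column, accepts the System label (S-1-16-16384) as well, and cross-checks against the Administrators role on the current token. It avoids PowerShell 3+ syntax so it runs on a stock Windows 7 host too.

```powershell
# Added example, not from the original post: elevation check equivalent to
#   WHOAMI /Groups | FIND "12288" >NUL
# but matching the SID field exactly instead of a substring anywhere in the output.
function Test-IsElevated {
    # whoami /groups /fo csv emits the columns "Group Name","Type","SID","Attributes".
    $Groups = whoami /groups /fo csv | ConvertFrom-Csv

    # Integrity labels: S-1-16-12288 = High Mandatory Level, S-1-16-16384 = System Mandatory Level.
    $ElevatedLabels = 'S-1-16-12288', 'S-1-16-16384'
    $Label = $Groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $IsHighOrSystem = ($Label -ne $null) -and ($ElevatedLabels -contains $Label.SID)

    # Independent check: the Administrators group is enabled only on an elevated token
    # (UAC marks it deny-only in the filtered token), so IsInRole reflects elevation.
    $Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
    $IsAdmin   = $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        IntegritySid   = if ($Label) { $Label.SID } else { '(none)' }
        IntegrityLabel = if ($Label) { $Label.'Group Name' } else { '(none)' }
        IsHighOrSystem = $IsHighOrSystem
        IsAdminRole    = $IsAdmin
    }
}

$Result = Test-IsElevated
if (-not $Result.IsHighOrSystem) {
    Write-Error "This script must be run from an elevated prompt (current label: $($Result.IntegrityLabel))."
    exit 1
}
Write-Output "Running elevated (label: $($Result.IntegrityLabel), admin role: $($Result.IsAdminRole))."
```

Checking both the integrity label and the Administrators role is deliberate: a process can be High integrity without being a member of Administrators in unusual configurations, and a script that is about to modify HKLM or Program Files should confirm it actually holds the rights it needs rather than just a label.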

Disabling Internet Explorer Security Mode from PowerShell

Internet Explorer Enhanced Security Configuration (ESC) can be frustrating to disable. Here is a fast way to disable it. ESC is a server hardening control that restricts what IE will load on Windows Server, so only turn it off where browsing from the server is genuinely required. First open an Administrative PowerShell window. Next run the following:
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer

Analyzing Windows Registry Keys on OSX

I’ll be reviewing how to analyze a .reg file for unique values on OSX.
Prerequisite
dos2unix will be required: brew install dos2unix
Instructions
In this example we will assume you have dumped all of HKEY_CURRENT_USER\Software\ into a file named software-all.reg.
Converting the .reg file to UTF-8
The .reg file must be converted to a... » read more

Capturing https traffic on a headless server

Recently I needed to view the full HTTP GET and POST methods for a Python application hosted on a headless server. I ended up using a tool called mitmproxy. This post will cover getting mitmproxy set up on a Linux server and viewing the HTTP GET/POST requests on your local machine via a web interface.... » read more