Detecting Windows Lateral Movement

I came across a great article on detecting windows lateral movement and wanted to share it with everyone: CERT-EU Security Whitepaper 17-002 “Detecting Lateral Movements in Windows Infrastructure”

Install Chrome using PowerShell

To install Google Chrome using Powershell (headless install) run the following command from and Administrative PowerShell Prompt: $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')"... » read more

Windows Batch Programming Notes and Examples

Recently I’ve been writing a lot of windows batch files that need to be compatible with both Windows 7 and Windows 10. I’ve decided to document some of what I have learned below. Check if .bat file was ran with elevated privileges WHOAMI /Groups | FIND "12288" >NUL IF ERRORLEVEL 1 ( ECHO This batch... » read more

Disabling Internet Explorer Security Mode from PowerShell

Internet Explorer Enhanced Security mode can be frustrating to disable. Here is a fast way to disable it. First open an Administrative PowerShell Window. Next run the following: $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 Stop-Process -Name Explorer

Analyzing Windows Registry Keys on OSX

I’ll be reviewing how to analyze a .reg file for unique values on OSX Prerequisite dos2unix will be required brew install dos2unix Instructions In this example we will assume you have dumped all of HKEY_CURRENT_USER\Software\ in to a file named software-all.reg Converting the .reg file to UTF-8 The .reg file must be converted to a... » read more

Extracting Password Hashes from Active Directory

Extracting hashes from Active Directory To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database; ntds.dit For more information on the Data Store Architecture please refer to this Microsoft Technet article Prerequisites You must be logged on to a domain controller. Extracting the Database To extract the... » read more

iis disable debug

In IIS to disable debug do the following. Modify the Web.config File Open the Web.config file in a text editor such as Notepad.exe. Web.config file is typically located in the application directory. Modify the compilation element and set debug=”false” <compilation debug="false" /> Save the Web.config file. The ASP.NET application automatically restarts. Modify the Machine.config file... » read more