    • Cerber virus/ransomware making the rounds...

      We had a user today receive an email with "See enclosed report" in the message body, and a random name as the email subject. Attached was a .dot file which presumably was macro-enabled. One of our users (I have been pushing for removing admin rights and setting application whitelisting for months, but hey, I'm the new guy, so...) clicked into the .dot and got herself infected. Trend Micro caught the residual breadcrumbs but only after being infected.

      The next thing it did was it found another machine on the network which had a USB-drive attached and shared and began to encrypt THOSE files as well.

      We didn't get a chance to thoroughly analyze what was going on, but it definitely dropped a .VBS in the user's appdata folder and executed that. The interesting thing about the file was that all the variables, objects, functions, etc. were named with a random set of alphanumeric characters, so it LOOKED encrypted, but it wasn't. Presumably to circumnavigate pattern-based detection.

      In any case, this rolled right on through our Barracuda Spam Filter - they didn't have the definitions for the infection yet until an hour after we had cleaned up the mess.

      The mail content:

      Please find latest report attached.
      
      Sharon Blackwell 
      
      Attached file: 263_2567rh.dot
      

      Obviously, the names and filenames are different per each email, but this was the format of the incoming infection this AM.

      Just a heads-up for everyone - keep an eye out.

      Also, guess what I got approved to do starting tomorrow? Application whitelisting and removing admin rights...FINALLY.

      posted in IT Discussion virus ransomware spam
      Rob Dunn
    • RE: Dashrender

      Sooooo jealous.

      Nice!

      posted in Water Closet
      Rob Dunn
    • RE: Deepin OS Looks Different to use

      Looks cool - I'll have to try this out. For all the flashiness of the site (I'm guessing non-English speakers), you'd think there would be a little more attention given to the grammar...some of the wording on the main page is...off.

      posted in IT Discussion
      Rob Dunn
    • RE: how to install RSAT in windows 2008 r2

      @RoopanKumar said:

      @scottalanmiller one of my seniors said that only if it is installed can we open a share drive on the network, even if it is in a different subnet or IP class or IP segment

      This really makes no sense. RSAT is a set of administration tools, it doesn't facilitate connectivity to any other resources a normal workstation wouldn't have access to.

      posted in IT Discussion
      Rob Dunn
    • RE: New User does not create Home folder

      Yep, those are containers. When you head into your Group Policy Management Console, you'll notice things like 'Computers' and 'Users' aren't listed there as places to which you can link your GPOs.

      posted in IT Discussion
      Rob Dunn
    • RE: ISESteriods

      It does work really well, especially for form building. It's a trial thing, so it'll expire after a period of time. Probably worth it if you're doing a lot of PowerShell work, tho'.

      posted in IT Discussion
      Rob Dunn
    • RE: ThanksAJ in Car Accident

      @scottalanmiller said:

      @IRJ said:

      That makes sense, but I was thinking traction.

      Traction is what kills people 🙂 Front wheel drive using traction to cause the car to spin and all wheel drive losing traction from the wheels pulling against each other...

      This is why tire places will often put the new tires on the rear of front wheel drive cars. It helps to prevent the rear from overtaking the front of the car.

      posted in News
      Rob Dunn
    • RE: ThanksAJ in Car Accident

      He's been posting on FB, no mention of accident, so he must be OK.

      posted in News
      Rob Dunn
    • RE: ThanksAJ in Car Accident

      Yikes! Go big or go home.

      Hope all is well...

      posted in News
      Rob Dunn
    • RE: What do you do to audit logon/logoff

      Nice! I just came off of working on an Event Log audit script that takes in some parameters and returns results from all my domain controllers. I'll share it here when done - so far that I've seen, it returns results fairly quickly (querying multiple DCs at once). Using Get-WinEvent with an XML or hash filter is super fast!

      posted in IT Discussion
      Rob Dunn
    • RE: What do you do to audit logon/logoff

      @JaredBusch
      Got it!

      Thanks man 🙂

      posted in IT Discussion
      Rob Dunn
    • RE: What do you do to audit logon/logoff

      You can go into your filter's properties, look at the XML, then save it and use it in a PowerShell script (this is really basic - and I've not tested it):

      # SystemTime in the event log is stored in UTC, so build the cutoff in UTC
      # and use the round-trip ('o') format, which is a valid XML dateTime.
      $DateAfter = (Get-Date).AddDays(-1).ToUniversalTime().ToString('o')  # 1 day ago
      
      # Same XPath Event Viewer generates for a custom view; &gt; is the XML escape for >
      $QueryList = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[(EventID='4624') and TimeCreated[@SystemTime&gt;='$DateAfter']]]</Select></Query></QueryList>"
      
      # Reading the Security log requires an elevated session
      Get-WinEvent -FilterXml $QueryList
      
      posted in IT Discussion
      Rob Dunn
    • RE: What do you do to audit logon/logoff

      4624 for logons, but logging off can be problematic, since a computer can become disconnected from the network or turned off abruptly. With that said, the logoff event is 4647.

      I would enable logon auditing at the workstation level as well. You should be able to track a user pretty well if you need to.

      Here's a great reference card that you can keep handy to help you track logon/logoff auditing: https://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx

      posted in IT Discussion
      Rob Dunn
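      The approach from the three logon/logoff auditing replies above, as an added example that is not from the original posts: a hash filter pulls 4624 and 4647 from several machines at once, the two are paired by logon id, and sessions with no 4647 (abrupt disconnect or power-off) are reported as still open. The hostnames, the one-day window and the interactive LogonType list are assumptions.

```powershell
# Added example (not from the thread). Requires an elevated session and remote
# event log access on the target hosts; hostnames below are placeholders.
function Get-LogonSessions {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 1,
        [string]$User = '*'
    )
    # Hash filter is evaluated server-side: 4624 = logon, 4647 = user-initiated logoff
    $filter = @{ LogName = 'Security'; Id = 4624, 4647; StartTime = (Get-Date).AddDays(-$Days) }
    $events = foreach ($host in $ComputerName) {
        Get-WinEvent -ComputerName $host -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    $open = @{}   # key = "machine|LogonId", so ids from different hosts never collide
    $closed = foreach ($e in ($events | Sort-Object TimeCreated)) {
        # Pull the EventData fields (TargetUserName, TargetLogonId, LogonType) out of the XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $key = "$($e.MachineName)|$($data.TargetLogonId)"
        switch ($e.Id) {
            4624 {
                # Assumed: keep console (2), RDP (10) and cached (11) logons only
                if ($data.LogonType -in '2','10','11' -and $data.TargetUserName -like $User) {
                    $open[$key] = [pscustomobject]@{
                        Computer = $e.MachineName; User = $data.TargetUserName
                        LogonType = $data.LogonType; LogonTime = $e.TimeCreated }
                }
            }
            4647 {
                if ($open.ContainsKey($key)) {
                    $s = $open[$key]; $open.Remove($key)
                    [pscustomobject]@{
                        Computer = $s.Computer; User = $s.User; LogonType = $s.LogonType
                        LogonTime = $s.LogonTime; LogoffTime = $e.TimeCreated
                        Duration = $e.TimeCreated - $s.LogonTime }
                }
            }
        }
    }
    # Anything still in $open never produced a 4647: report it with no logoff time
    $still = foreach ($s in $open.Values) {
        [pscustomobject]@{
            Computer = $s.Computer; User = $s.User; LogonType = $s.LogonType
            LogonTime = $s.LogonTime; LogoffTime = $null; Duration = $null }
    }
    @($closed) + @($still) | Sort-Object LogonTime
}

Get-LogonSessions -ComputerName 'WKS01','WKS02' -Days 1 | Format-Table -AutoSize
```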
    • RE: Ticket System

      That OSTicket looks pretty good. Anyone tried that?

      posted in IT Discussion
      Rob Dunn
    • RE: Snipe-IT Asset Management Screenshots

      My co-worker fired this up the other day...while it has some potential, it's very limited.

      I noticed that if you want to import your assets, make sure you have your columns (CSV import) in the right order. With that said, even that doesn't guarantee that you will get an accurate import. I had weird values showing up under the deployment status (this was the best import out of the few that I tried).

      The imported file never really lets you know when it completes, which is kind of annoying.

      There is no bulk delete if you need to clean up your inventory because of a botched import. So, you need to clean them individually. one. by one. So, I would suggest that you try to perform a bulk import of one or two devices.

      Also, I would get a 500 error on invalid logons - not sure if that was how my co-worker had it set up, or if that was a bug.

      Honestly, Spiceworks could probably do most of what this Snipe IT is trying to achieve (especially if you are importing and managing manual assets). With that said, I'd wager that Snipe IT would be more stable 🙂 and responsive; I do like how SW allows you to create custom attributes to help manage each device, which really is the feature that I would need the most.

      Needs more work, but it looks nice.

      posted in IT Discussion
      Rob Dunn
    • RE: Active Directory on a Linux box with Samba - - group policy central store?

      I think what I should have implied was - to Windows should it not matter, or...?

      If RSAT is pulling data from a Samba share, shouldn't Windows ignore case?

      EDIT: After reading this I suppose this might depend on the share settings itself on the Samba side?

      posted in IT Discussion
      Rob Dunn
    • RE: Active Directory on a Linux box with Samba - - group policy central store?

      I did, but remember, since this is a Samba share, case-sensitivity doesn't (or shouldn't) apply. I'll change it tonight though to be sure.

      posted in IT Discussion
      Rob Dunn
    • RE: Active Directory on a Linux box with Samba - - group policy central store?

      @Lakshmana

      Thanks Lakshmana! I know where to put the files, it's just that RSAT doesn't realize that they're there or something else is going on. The big variable here is that I'm running all of this against Linux and not a proper Windows DC.

      posted in IT Discussion
      Rob Dunn
    • Active Directory on a Linux box with Samba - - group policy central store?

      I've been messing around with the home lab and have successfully created an Active Directory domain controller on Linux Ubuntu Server. Has anyone configured a Group Policy Central Store and had it successfully work with RSAT on a Windows client? I've created the PolicyDefinitions folder on my DC sysvol\Policies folder, but when I open up a policy and begin editing it, I get this, one after another...one for each admx file in the PolicyDefinitions folder:

      'An appropriate resource file could not be found for file \domain.blah\SysVol\domain.blah\Policies\PolicyDefinitions\blah.admx (error = 2): The system cannot find the file specified.'

      Seems like it should be a simple thing - create the language-specific folder ('en-US') and drop the adml files in, but for some reason, something ain't happy...

      Anyone have any experience with this?

      posted in IT Discussion active directory group policy linux samba
      Rob Dunn
    • RE: CloneZilla moving to a smaller disk

      In the past, I've created same-sized VHDs in Windows, cloned to them (albeit not with Clonezilla) and then shrunk the VHD afterwards. It's not the fastest procedure in the world, but it works.

      posted in IT Discussion
      Rob Dunn