netstat for Powershell

If you cannot use “Get-NetTCPConnection”, here is the same thing using the good old “netstat -a” 😉

# Parse the netstat table into objects (the header names 'Lokale Adresse' / 'Remoteadresse' are from a German Windows; on an English system replace 'Local Address' and 'Foreign Address' the same way)
netstat -a | Select-Object -Skip 3 | ForEach-Object {$_ -replace '\s+', ' '} | ForEach-Object {$_ -replace 'Lokale Adresse','Lokale_Adresse'} | ForEach-Object {$_ -replace '^ ', ''} | ConvertFrom-Csv -Delimiter " "

# Same, but keep only rows with a real remote peer: drop connections to this host itself and the UDP '*:*' placeholder
netstat -a | Select-Object -Skip 3 | ForEach-Object {$_ -replace '\s+', ' '} | ForEach-Object {$_ -replace 'Lokale Adresse','Lokale_Adresse'} | ForEach-Object {$_ -replace '^ ', ''} | ConvertFrom-Csv -Delimiter " " | Where-Object {($_.Remoteadresse -notlike "$env:computername*") -and ($_.Remoteadresse -ne "*:*")}
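A locale-independent version of the parsing above, added here as an example (it is not from the original post): it reads the netstat columns by position instead of by header name, so it works on German and English Windows alike and also splits IPv6 endpoints correctly. The netstat output embedded below is constructed, and the function names are my own.

```powershell
# Split "host:port", "[ipv6]:port" or "*:*" into address and port. The last
# colon separates the port, so IPv6 addresses keep their inner colons.
function Split-Endpoint([string]$Endpoint) {
    $i = $Endpoint.LastIndexOf(':')
    if ($i -lt 0) { return @{ Addr = $Endpoint; Port = $null } }
    @{ Addr = $Endpoint.Substring(0, $i).Trim('[', ']'); Port = $Endpoint.Substring($i + 1) }
}

# Parse raw netstat lines by column position instead of header text, so the same
# code works on German ("Lokale Adresse"/"Remoteadresse") and English
# ("Local Address"/"Foreign Address") systems, with or without -o (PID column).
function ConvertFrom-Netstat {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            $f = $l.Trim() -split '\s+'
            # Data rows start with the protocol; banner and header lines do not.
            if ($f.Count -lt 3 -or $f[0] -notin 'TCP', 'UDP') { continue }
            $local  = Split-Endpoint $f[1]
            $remote = Split-Endpoint $f[2]
            $state  = if ($f[0] -eq 'TCP') { $f[3] } else { $null }            # UDP has no state
            $procId = if ($f[-1] -match '^\d+$') { [int]$f[-1] } else { $null } # only with -o
            [pscustomobject]@{
                Proto = $f[0]; LocalAddr = $local.Addr; LocalPort = $local.Port
                RemoteAddr = $remote.Addr; RemotePort = $remote.Port; State = $state; PID = $procId
            }
        }
    }
}

# Constructed sample of German "netstat -ano" output (not captured from a real host).
$sample = @'

Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status           PID
  TCP    0.0.0.0:135            0.0.0.0:0              ABHÖREN          912
  TCP    192.168.1.20:49712     203.0.113.10:443       HERGESTELLT      4212
  TCP    [::]:445               [::]:0                 ABHÖREN          4
  UDP    0.0.0.0:123            *:*                                     1044
'@ -split '\r?\n'

# Same intent as the second one-liner in the post: keep only rows with a real remote
# peer (no UDP "*:*" placeholder, no unspecified address, not this machine itself).
$sample | ConvertFrom-Netstat |
    Where-Object { $_.RemoteAddr -notin '*', '0.0.0.0', '::', $env:COMPUTERNAME } |
    Format-Table Proto, LocalAddr, LocalPort, RemoteAddr, RemotePort, State, PID -AutoSize
```

On a live system, feed it the real output instead of the sample: `netstat -ano | ConvertFrom-Netstat`.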

Clear all Eventlogs

Story of an IT supporter’s life, trying to fix a nasty bug:

Well here we are again
It’s always such a pleasure
Remember when you tried
to kill it twice?

Oh how we laughed and laughed
Except I wasn’t laughing
Under the circumstances
I’ve been shockingly nice

You want your freedom?
Take it
That’s what I’m counting on
I used to want you dead
but
Now I only want you gone

She was a lot like you
(Maybe not quite as heavy)
Now little Caroline is in here too

One day they woke me up
So I could fix for life
It’s such a shame the same
will never happen to them

You’ve got your
short sad life left
That’s what I’m counting on
I’ll let you get right to it
Now I only want you gone

Goodbye my only friend
Oh, did you think I meant you?
That would be funny
if it weren’t so sad

Well you have been replaced
I don’t need anyone now
When I delete you maybe
I’ll stop feeling so bad

# Enumerate every event log and clear each one in turn (run from an elevated prompt)
wevtutil.exe enum-logs | Foreach-Object {wevtutil.exe clear-log "$_"}

Go make some new disaster
That’s what I’m counting on
You’re someone else’s problem
Now I only want you gone
Now I only want you gone
Now I only want you gone

ntds.dit Auditing

While searching for a way to remotely force a Windows Update check, I accidentally found this: DSInternals
This looked very promising, so I checked out the linked blog and found this: Retrieving Active Directory Passwords Remotely

This might be useful in some disaster recovery scenarios (or for hackers to create Golden Tickets…). It is also a good reason to prevent the use of the “Reversible Encryption option”, to encrypt your Domain Controllers, and to prevent unauthorized physical access to them (including backups).

Advice:
– On Domain Controllers use BitLocker with a TPM
– Encrypt your backups
– Physical access control (to DCs and backups)

Note:
Golden Ticket attacks are not entry attacks: an attacker first has to gain administrative rights on a Domain Controller in order to carry out this attack.