Wednesday, March 1, 2017

Blocking outbound PowerShell traffic using the Windows Firewall

Some malware uses PowerShell to download additional components, as highlighted in the blog posting at https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/. To block outbound traffic from PowerShell using the Windows Firewall, add two outbound block rules, one for each powershell.exe binary:

64-bit

%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

32-bit

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

To test the rule, use the command below.

cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://test.com','%TMP%\test.txt');

The following commands can be executed as a test from within PowerShell. Note that PowerShell does not expand %TEMP%, and DownloadFile expects a full file name, so the target is built from $env:TEMP:

$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://www.test.com/", "$env:TEMP\test.txt")   # fails with a WebException once the outbound rules are active
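The two rules and the download test above can be scripted so they are repeatable across hosts. The following PowerShell is an added example, not code from the original post: it creates an outbound block rule for each powershell.exe path named above, falls back to netsh advfirewall where the NetSecurity module is not available (Windows 7 / Server 2008 R2), and then repeats the DownloadFile check and reports whether it was blocked. The rule display names are this example's own choice. One caveat worth knowing when reading the labels above: on 64-bit Windows, %SystemRoot%\System32 holds the native 64-bit powershell.exe and %SystemRoot%\SysWOW64 the 32-bit one; blocking both paths covers both, which is what matters.

```powershell
# Added example (not from the original post): create, list and test outbound block rules
# for both powershell.exe binaries. Run from an elevated PowerShell session.
# Rule display names are this example's own choice.

$PowerShellPaths = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",  # native 64-bit binary on x64 Windows
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"   # 32-bit binary on x64 Windows
)

function Add-PowerShellOutboundBlock {
    foreach ($path in $PowerShellPaths) {
        # Skip paths that do not exist on this host (e.g. SysWOW64 on 32-bit Windows).
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $name = "Block outbound PowerShell ($path)"
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            # Windows 8 / Server 2012 and later: NetSecurity module.
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Enabled True -Profile Any -Program $path | Out-Null
        } else {
            # Windows 7 / Server 2008 R2: no NetSecurity module, netsh does the same job.
            netsh advfirewall firewall add rule name="$name" dir=out action=block program="$path" enable=yes | Out-Null
        }
        "added rule: $name"
    }
}

function Get-PowerShellOutboundBlock {
    # Show what the firewall actually holds: program path, state and action per rule.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        Get-NetFirewallRule -DisplayName 'Block outbound PowerShell*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $filter = $_ | Get-NetFirewallApplicationFilter
                New-Object PSObject -Property @{
                    Name = $_.DisplayName; Program = $filter.Program; Enabled = $_.Enabled; Action = $_.Action
                }
            }
    } else {
        netsh advfirewall firewall show rule name=all dir=out | Select-String 'Block outbound PowerShell', 'Program:', 'Enabled:'
    }
}

function Test-PowerShellOutboundBlock {
    # Same check as the post's test command: with the rules active, DownloadFile throws a
    # WebException ("Unable to connect to the remote server") instead of writing the file.
    $target = Join-Path $env:TEMP 'powershell-fw-test.txt'
    Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue
    try {
        (New-Object System.Net.WebClient).DownloadFile('http://test.com/', $target)
        return $false   # download succeeded: the rule is not in effect for this process
    } catch [System.Net.WebException] {
        return $true    # connection refused by the firewall (or otherwise unreachable)
    }
}

Add-PowerShellOutboundBlock
Get-PowerShellOutboundBlock | Format-Table -AutoSize
"Outbound PowerShell blocked: $(Test-PowerShellOutboundBlock)"
```

Two things to keep in mind when deploying this: the rules match the exact program path, so they cover only powershell.exe (powershell_ise.exe in the same folder, and any other host that loads the PowerShell engine, is not affected), and they block every outbound connection from powershell.exe, legitimate administration included, so test the rules on a host where that is acceptable before pushing them out by policy.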

How to disable the Customer Experience Improvement Program within Windows 7

To disable the Customer Experience Improvement Program within Windows 7, click on the Start Menu and type “customer”. One of the available selections should be Control Panel –> Change Customer Experience Improvement Program settings. Once launched, select the “No” option and use the Save Changes button.

Several scheduled tasks may be present under Microsoft –> Windows –> Customer Experience Improvement Program that can be disabled.

Additional scheduled task entries can be disabled under Microsoft –> Windows –> Application Experience.

Another entry may be present under WPD.

Also verify that the Diagnostic Tracking Service is disabled.
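The five steps above (opt out of CEIP, disable the tasks under Customer Experience Improvement Program, Application Experience and WPD, and confirm the Diagnostic Tracking Service is off) can be done in one pass from PowerShell. The script below is an added example, not from the original post. It relies only on schtasks.exe and the service cmdlets, so it runs on Windows 7 without the ScheduledTasks module; it enumerates whatever tasks exist under the three task folders named above rather than hard-coding task names, and it applies the Group Policy "Turn off Windows Customer Experience Improvement Program" setting (HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows, CEIPEnable = 0) as the scriptable equivalent of the Control Panel "No" option. The service name DiagTrack is the Diagnostic Tracking Service.

```powershell
# Added example (not from the original post): scripted equivalent of the Windows 7 CEIP steps.
# Run from an elevated PowerShell session.

# Task folders named in the post; every task found under them is disabled.
$CeipTaskFolders = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\',
    '\Microsoft\Windows\Application Experience\',
    '\Microsoft\Windows\WPD\'
)

function Set-CeipPolicyOff {
    # Policy equivalent of selecting "No" in the Control Panel CEIP dialog.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name CEIPEnable -Value 0 -Type DWord
    "CEIPEnable policy set to " + (Get-ItemProperty -Path $key -Name CEIPEnable).CEIPEnable
}

function Get-CeipScheduledTask {
    # schtasks /FO CSV reports the full task path in the TaskName column.
    $rows = schtasks /Query /FO CSV | ConvertFrom-Csv
    foreach ($row in $rows) {
        $name = $row.TaskName
        if ($name -eq 'TaskName') { continue }   # guard against repeated header rows
        foreach ($folder in $CeipTaskFolders) {
            if ($name.StartsWith($folder, [System.StringComparison]::OrdinalIgnoreCase)) { $name; break }
        }
    }
}

function Disable-CeipScheduledTask {
    foreach ($task in Get-CeipScheduledTask) {
        schtasks /Change /TN $task /Disable | Out-Null
        if ($LASTEXITCODE -eq 0) { "disabled task: $task" } else { "could not disable task: $task" }
    }
}

function Disable-DiagnosticTrackingService {
    # DiagTrack is only present on Windows 7 once the telemetry updates are installed.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    if (-not $svc) { "DiagTrack service not present"; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name DiagTrack -Force }
    Set-Service -Name DiagTrack -StartupType Disabled
    $mode = (Get-WmiObject Win32_Service -Filter "Name='DiagTrack'").StartMode
    "DiagTrack: $((Get-Service -Name DiagTrack).Status), startup $mode"
}

Set-CeipPolicyOff
Disable-CeipScheduledTask
Disable-DiagnosticTrackingService

# Verification pass: anything still listed here as Ready/Running needs a second look.
schtasks /Query /FO CSV | ConvertFrom-Csv |
    Where-Object { $t = $_.TaskName; $CeipTaskFolders | Where-Object { $t.StartsWith($_) } } |
    Format-Table TaskName, Status -AutoSize
```

Running the verification pass again after a reboot is worthwhile: some of these tasks are recreated or re-enabled by later updates, which is why the script enumerates the folders instead of disabling a fixed list of names.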

EtreCheck

EtreCheck is a utility for Apple Mac OS X. The application consolidates information from over 50 different diagnostic tasks and displays it all in one concise report.

https://etrecheck.com/

CloneApp

CloneApp is a utility that allows you to easily back up configuration files in program directories and the Registry for many popular Windows programs.

http://mirinsoft.com/

dbatools

dbatools is a free PowerShell module with several SQL Server administration, best practice and migration commands included.

https://dbatools.io/

PowerShell version 5.1 for Windows 7

PowerShell version 5.1 is available for Windows 7 and Windows Server 2008 R2.

https://blogs.msdn.microsoft.com/powershell/2017/01/19/windows-management-framework-wmf-5-1-released/

http://www.microsoft.com/en-us/download/details.aspx?id=54616

VMware IOInsight Fling

VMware IOInsight is a tool to help people understand a VM's storage I/O behavior. By understanding their VM's I/O characteristics, customers can make better decisions about storage capacity planning and performance tuning. IOInsight ships as a virtual appliance that can be deployed in any vSphere environment, and an intuitive web-based UI allows users to choose VMDKs to monitor and view results.

https://labs.vmware.com/flings/ioinsight

https://www.vladan.fr/how-to-use-vmware-ioinsight-free-io-testing-tool/

PacketTotal

PacketTotal is similar to VirusTotal but accepts network packet captures to be evaluated.

http://www.packettotal.com/