Comments on red|blue: PowerShell: A Traceless Threat and How to Protect Yourself
(comment feed retrieved 2023-07-25)

Anonymous, 2016-05-24 10:15 (-04:00):
Correction - They are REG-DWORD for Win7

HackerHurricane (https://www.blogger.com/profile/08339030192273576202), 2016-01-22 16:53 (-05:00):
You funny Canadians and your GUIs... ;-D~

Anonymous (https://www.blogger.com/profile/11624004577263582254), 2016-01-22 14:45 (-05:00):
LOL I blasphemed, I should have known better than to mention RegShot to the Log-MD creator hahaha.

HackerHurricane (https://www.blogger.com/profile/08339030192273576202), 2016-01-22 14:21 (-05:00):
Using PS 4 everywhere to mimic Win 8.1 and 10 defaults.

RegShot ???? Have you heard of Log-MD? Our tool not only does the Log-Dumps of important security related items that is now available - FREE, but in the upcoming version we do File Hash Diffs and Registry Diffs, even large reg keys and other fun stuff... ;-) But you will have to wait and beg us for a copy...

;-)

I will do some testing... seems the ones who have done this all have used GPO.

Thanks for the plugs!

MG

David Wells (https://www.blogger.com/profile/03535045229479020690), 2016-01-22 13:43 (-05:00):
Does your Windows 7/2008R2 have PowerShell 3.0 installed? The module logging is on PowerShell 3.0+.

I'll update my document to reflect this.

Anonymous (https://www.blogger.com/profile/11624004577263582254), 2016-01-22 12:44 (-05:00):
@HackerHurricane if possible run RegShot on a DC and push this GPO policy, do a before and after, and then RegShot will diff and compare the results for you. It should show the exact changes made, which you can use to manually set these audit values.

David Wells (https://www.blogger.com/profile/03535045229479020690), 2016-01-22 12:19 (-05:00):
P.S. I loved your talk "Deep Look Into a Chinese Advanced Attack" at DerbyCon and I'm a huge fan of your cheat sheets.
For everyone else:
https://n0where.net/deep-look-into-a-chinese-advanced-attack/
http://hackerhurricane.blogspot.com/

David Wells (https://www.blogger.com/profile/03535045229479020690), 2016-01-22 12:02 (-05:00):
Windows 2008 R2 and Windows 7 were used for the lab tests. I'm not sure about modifying the registry directly, but if you figure it out I would be happy to add it to the article.

HackerHurricane (https://www.blogger.com/profile/08339030192273576202), 2016-01-22 11:56 (-05:00):
Q: What version of Windows are you using for this? The Reg hacks do not seem to enable the extra logging in PS 4 on Win 7. All the articles use/set via GPO, but that is not always possible, say in a Lab...

So do you have a Reg Tweak other than:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging - EnableModuleLogging - Reg_SZ=1

and

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging - EnableScriptBlockLogging - Reg_SZ=1

Which BTW work fine on Win 8.1 and 10.

Trying to get this working on Win 7 just using Reg Hacks.

Good Stuff!

@HackerHurricane
MalwareArchaeology com

David Wells (https://www.blogger.com/profile/03535045229479020690), 2016-01-21 13:10 (-05:00):
Oh good idea. Hopefully I'll have the time to do that soon.

Anonymous (https://www.blogger.com/profile/04504094691388208575), 2016-01-21 11:32 (-05:00):
As a follow-on blog, you should consider comparing/contrasting Windows 10 PowerShell event logging. In a nutshell, it has more verbose default configurations.