T O P

Audit Error – Office365

Recently, I was trying to perform an audit search on an Office365 organization and found auditing wasn’t enabled. When I tried to do it straight from the audit screen, I encountered this error:

Sorry! We couldn’t update your organization settings. Please try again.

I went straight to PowerShell and ran Get-AdminAuditLogConfig | FL Unified* and it was not enabled.

To resolve this, I ran Enable-OrganizationCustomization 

And then I ran the Powershell command Set-AdminAuditLogConfig – UnifiedAuditLogIngestionEnabled $true

And that did it!

Using ProcessExplorer Integration with VirusTotal

1. Download Process Explorer from its homepage here: Process Explorer

2. Extract the ZIP file contents to a folder of your choosing. If you don’t have a 3rd party Zip program (I recommend 7-Zip!) you can use Windows’ built-in one: right click the Zip file and select “Extract all…”

3. Double-click the file procexp.exe

4. Enable “Check VirusTotal.com”

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-enable-vt.png

The new column VirusTotal will be added automatically, and initially show “Hash submitted…”. After a few seconds it will show the results

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-vt-standard.png

5. Processes that are running as System and not as a standard user won’t show a VirusTotal result until Process Explorer is restarted with elevated permissions

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-admin-launch.png

You may see a UAC prompt here… click Yes. After a few seconds, we will see the VirusTotal result for every process:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-admin.png

A VirusTotal result of 0/55 means that 55 anti-virus products have checked the file and that non of them have detected anything awry!

Click the result/link to open the detailed report in a web browser. There you’ll find when the scan was done and other useful information like what anti-virus products detected anything and what type of possible infection/malware.

Example of a VirusTotal detection:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)

   Note If only one AV detected something chances are that it’s a “false positive” (wrongly detected) and that the file is clean. Click the VirusTotal link to get more details about it. 6. If you have processes that show “Unknown” in the VirusTotal column, it means that specific file and version has never been uploaded to VirusTotal. To automatically upload these files to VirusTotal select this option:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-submit-unknown.png

7. To submit a file to VirusTotal manually, any file (not only “Unknown” ones), which means to upload and re-scan the file, double click a process, go to the Image tab and click the button below named “Submit”

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-submit-one.png

You can then exit the Properties window and wait until you see a result in the VirusTotal column for that process. It’ll take a few minutes.
8. You can also do a VirusTotal check for all the DLL files a process uses. Select a process and press Ctrl+L to toggle the lower pane. It will submit the file hashes to VirusTotal and show the result after a few seconds:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-lower-pane.png

If you find more than one suspicious process and want to terminate them, it’s recommended by Mark Russinovich, the father of Process Explorer, to first suspend (via right click menu) them. As the vast majority of malware infections include multiple processes that can easily restart each other when a single one is killed, suspending first is a much safer way.

Reset Your Password in Windows 10 Bash / Ubuntu

If you forget your root password for Bash on Windows, you can do the following to reset your password:

First, run: lxrun /setdefaultuser root . This will open a new Bash window as root.

From there, run: passwd your_username and then enter your new root password

Then change the default user for Bash back to your user: lxrun /setdefaultuser your_username

 

That’s it! Enjoy Bash on Windows 10.

Rebooting Computers with Symantec PGP Encryption Installed

In the same vain as my previous post on rebooting Macs with FileVault, computers with Symantec PGP Encryption also require users to enter a password before Windows boots which can be quite annoying. However, there is a workaround!

First, via command prompt navigate to C:\Program Files\PGP Corporation\PGP Desktop OR C:\Program Files (x86)\PGP Corporation\PGP Desktop depending on if you are 64-bit or 32-bit.

For a one-time password bypass, run this:

pgpwde –add-bypass –admin-passphrase [phrase]

Or for several reboots, run this:

 pgpwde –add-bypass –disk [number] –count [number] –admin-passphrase [phrase]

Where phrase is the password / passphrase and the number is the number of reboots. Disk is for if multiple disks are encrypted. Enjoy your reboots now!

 

Securely Transmitting Passwords

I’ve been doing a lot of research recently on secure methods of password sharing. Being in IT, I have to share many passwords each day and also have passwords shared with me by clients.

My favorite so far is ZeroBin. It is no-frills, open source (so anyone can vet it), and fairly simple. It requires no database and doesn’t store any information in a database. It is as simple as downloading the components, throwing it on a web server and going to the index page. That’s it. I did it on my server here and have been using it personally with no issues.

You can set messages / data to delete after a certain amount of time, like 5 or 10 minutes, or longer… 10 – 30 days.

How is this secure?

  • The text or data is encrypted & compressed inside the browser, then sent to the server already encrypted
  • The server has the encrypted data and that is all
  • The text is encrypted inside the browser. The encrypted data is sent to the server, while the encryption key does not get sent. Therefore even if a server was compromised, nothing could be done with the data
  • The encryption key is part of the URL and that is what unlocks the data

Diagram below

zerobin