Managing Images and Deployments Using the Windows


Module 5: Managing images and deployments using the Windows ADK

Lab A: Preparing the imaging and Windows PE environment
(VMs: 20695D-LON-DC1, 20695D-LON-CFG, 20695D-LON-REF1)

Exercise 1: Configuring a custom Windows PE environment

Task 1: Set up the Windows PE build environment
1. On LON-CFG, open the Start menu, expand Windows Kits, right-click Deployment and Imaging Tools Environment, click More, and then click Run as administrator.
2. In the Administrator: Deployment and Imaging Tools Environment window, create the directory structure by typing the following command, and then pressing Enter:
   Copype amd64 E:\Winpe64
3. Minimize the Deployment and Imaging Tools Environment window.
4. Click File Explorer on the taskbar.
5. In the navigation pane, expand Allfiles (E:), expand WinPE64, expand Media, and then click Sources.
   Note: Note the size of the Boot.wim file. It will be 239,002 kilobytes (KB).
6. Close File Explorer.

Task 2: Mount the base Windows PE image
Note: To avoid syntax errors, copy and paste the commands into the Windows PowerShell command prompt from the E:\Labfiles\Mod05\Mod05_DISM_Powershell.txt file.
1. Click Start, and then click the Windows PowerShell tile.
   Note: The version of DISM installed with the Windows ADK for Windows 10 is not the same as the version in the default Windows PowerShell console. You must load the DISM module that matches the installed version of the Windows ADK.
2. In the Administrator: Windows PowerShell window, type the following cmdlet, and then press Enter:
   Import-Module "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM"
3. In the Administrator: Windows PowerShell window, mount the Boot.wim image by typing the following command, and then pressing Enter:
   Mount-WindowsImage -ImagePath E:\Winpe64\Media\Sources\Boot.wim -Index 1 -Path E:\Winpe64\Mount

Task 3: Add drivers and optional components to the Windows PE image
1. To add the Microsoft Hyper-V drivers to the Windows PE image, type the following command, and then press Enter:
   Add-WindowsDriver -Path E:\winpe64\mount -Driver E:\Software\Drivers\HyperVx64 -Recurse -ForceUnsigned
   Note: The third-party drivers you injected into the image will be listed. Confirm that the last one on the list has a Published Name of oem9.inf.
2. To add support for the Windows PowerShell command-line interface to the Windows PE image, type the following commands, and then press Enter after each:
   CD "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs"
   Add-WindowsPackage -Path E:\winpe64\mount -PackagePath .\WinPE-NetFX.cab
   Add-WindowsPackage -Path E:\winpe64\mount -PackagePath .\WinPE-Scripting.cab
   Add-WindowsPackage -Path E:\winpe64\mount -PackagePath .\WinPE-WMI.cab
   Add-WindowsPackage -Path E:\winpe64\mount -PackagePath .\WinPE-PowerShell.cab
   Add-WindowsPackage -Path E:\winpe64\mount -PackagePath .\WinPE-DismCmdlets.cab
   Note: Each Add-WindowsPackage cmdlet might take several minutes.
   Note: To avoid syntax errors, copy and paste the commands from the E:\Labfiles\Mod05\Mod05_DISM_Powershell.txt file into the Windows PowerShell command prompt.

Task 4: Save changes and dismount the image
1. Commit the changes to the Windows PE image by typing the following command, and then pressing Enter:
   Dismount-WindowsImage -Path E:\winpe64\mount -Save
2. Use File Explorer to view the contents of the E:\Winpe64\media\Sources folder. Note the new size of the Boot.wim file.
3. Close File Explorer and Windows PowerShell.

Task 5: Create Windows PE media
1. To create an International Organization for Standardization (ISO) image of the Boot.wim that you can use to create boot media, restore the Deployment and Imaging Tools Environment window, and then run the following commands, pressing Enter after each command:
   MD E:\BootISO
   MakeWinPEMedia /iso E:\Winpe64 E:\BootISO\WinPEx64.iso
2. Use File Explorer to open the E:\BootISO folder, and then ensure that the WinPEx64.iso file was created.

Results: After completing this exercise, you should have customized the Windows Preinstallation Environment (Windows PE) image and created an .iso file of the image.

Task 6: Prepare for the next lab
• Leave the virtual machines running for the next lab. Do not revert.

Lab B: Building a reference image by using Windows SIM and Sysprep

Exercise 1: Building a custom answer file by using Windows SIM

Task 1: Create a new answer file on a virtual floppy disk by using Windows SIM
1. In the 20695D-LON-CFG virtual machine connection window, click Media, point to Diskette Drive, and then click Insert Disk.
2. Navigate to D:\Program Files\Microsoft Learning\20695\Drives, select the reference.vfd file, and then click Open.
3. On LON-CFG, on the taskbar, click File Explorer, and then click This PC. Right-click Floppy Disk Drive (A:), and then click Format.
4. In the Format Floppy Disk Drive (A:) window, click Start.
5. In the Format Floppy Disk Drive (A:) warning window, click OK.
6. In the Format Floppy Disk Drive (A:) Format Complete window, click OK.
7. In the Format Floppy Disk Drive (A:) window, click Close.
8. Close File Explorer.
9. Open the Start screen, and then click Windows Kits. Locate and click Windows System Image Manager in the list.
10. In Windows System Image Manager, click File, and then click Select Windows Image.
11. In the Select a Windows Image dialog box, browse to the E:\sources folder, select install.wim, and then click Open.
12. In the Windows System Image Manager message box, click Yes. The catalog creation will take a few minutes.
13. In the Answer File pane, right-click Create or open an answer file, and then click Open Answer File.
14. In the Open dialog box, browse to the E:\Labfiles\Mod05 folder, select Autounattend_x64_BIOS_sample.xml, and then click Open.
15. In the Windows System Image Manager pop-up window, click Yes to associate the answer file with the image.
16. In Windows System Image Manager, click File, and then click Save Answer File As.
17. In the Save As dialog box, click This PC, double-click Floppy Disk Drive (A:), in the File name field, type Autounattend, and then click Save.

Task 2: Add and configure components and component settings
1. In the Answer File pane, expand 1 windowsPE, expand amd64_Microsoft-Windows-Setup_neutral, select UserData, and then in the FullName field, type your name. In the Organization field, type Adatum.
2. Expand UserData, right-click ProductKey, click Delete, and then click Yes.
3. In the Windows Image pane, expand Components, right-click amd64_Microsoft-Windows-UnattendedJoin_10.0.17134.1_neutral, and then click Add Setting to Pass 4 specialize.
4. In the Answer File pane, under 4 specialize, select amd64_Microsoft-Windows-Shell-Setup_neutral. In the ComputerName field, type Reference.
5. Expand amd64_Microsoft-Windows-Shell-Setup_neutral, right-click OEMInformation, click Delete, and then click Yes.
   Note: In the list of component names, note that after amd64_Microsoft-Windows, the rest of the component name is listed alphabetically.
6. Under 4 specialize, expand amd64_Microsoft-Windows-UnattendedJoin_neutral, select Identification, and then in the JoinWorkgroup field, type imaging.
7. In the Windows Image pane, under Components, right-click amd64_Microsoft-Windows-International-Core_10.0.17134.1_neutral, and then click Add Setting to Pass 7 oobeSystem.
8. In the Windows Image pane, under Components, expand amd64_Microsoft-Windows-Shell-Setup_10.0.17134.1_neutral, right-click OOBE, and then click Add Setting to Pass 7 oobeSystem.
9. In the Windows Image pane, under amd64_Microsoft-Windows-Shell-Setup_10.0.17134.1_neutral, expand UserAccounts, right-click AdministratorPassword, and then click Add Setting to Pass 7 oobeSystem.
10. In the Windows Image pane, under amd64_Microsoft-Windows-Shell-Setup_10.0.17134.1_neutral, under UserAccounts, expand LocalAccounts, right-click LocalAccount, and then click Add Setting to Pass 7 oobeSystem.
11. In the Answer File pane, under 7 oobeSystem, select amd64_Microsoft-Windows-International-Core_neutral. In the InputLocale, UILanguage and UserLocale fields, type en-us.
12. In the Answer File pane, under 7 oobeSystem, select amd64_Microsoft-Windows-Shell-Setup_neutral.
13. In the TimeZone field, type Pacific Standard Time.
14. Select OOBE, and then in the HideEULAPage line, click the drop-down list and select true.
15. In the NetworkLocation line, click the drop-down list, and then select Work.
16. Expand UserAccounts, select AdministratorPassword, right-click the Value label, and then select Write Empty String.
17. Expand LocalAccounts, and then select LocalAccount. In the DisplayName field, type your full name. In the Group field, type Administrators, and then in the Name field, type your first name.
18. Expand LocalAccount[Name="yourname"], select Password, and then in the Value field, type Pa55w.rd.
19. In the Windows Image pane (directly beneath Components), expand Packages, expand Foundation, right-click amd64_Microsoft-Windows-Foundation-Package_10.0.17134.1, and then click Add to Answer File.
20. In the Answer File pane, expand Packages, expand Foundation, and then select amd64_Microsoft-Windows-Foundation-Package_10.0.17134.1.
21. In the Microsoft-Windows-Foundation-Package Properties pane, expand Microsoft-Hyper-V-All, right-click Microsoft-Hyper-V-Tools-All, and then click Enable Parent Features. If the Windows System Image Manager dialog box opens, click Yes.
22. Expand Microsoft-Hyper-V-Tools-All, and then enable Microsoft-Hyper-V-Management-Clients and Microsoft-Hyper-V-Management-PowerShell.

Task 3: Validate and save the answer file
1. In Windows System Image Manager, click Tools, and then click Validate Answer File.
   Note: You will see warnings that say "The setting has not been modified. It will not be saved to the answer file." You will also see a warning that the setting NetworkLocation has been deprecated. You can ignore these warnings.
2. In Windows System Image Manager, click File, and then click Save Answer File.
3. In Windows System Image Manager, click File, and then click Close Answer File.
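Lab A's PowerShell part (Tasks 2 to 4) as one script that also performs the checks the lab asks you to make by eye, written here as an added example; it is not the course's Mod05_DISM_Powershell.txt. It assumes the lab's paths and a default ADK for Windows 10 install; Copype and MakeWinPEMedia still run in the Deployment and Imaging Tools Environment as in Tasks 1 and 5.

```powershell
# Added example for this page (not the course's Mod05_DISM_Powershell.txt):
# Lab A Tasks 2-4 as one script, with a check after each step and a rollback
# if anything fails. Paths are the lab's; the ADK is assumed at its default location.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$AdkRoot   = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit'
$DismMod   = Join-Path $AdkRoot 'Deployment Tools\amd64\DISM'
$OcsDir    = Join-Path $AdkRoot 'Windows Preinstallation Environment\amd64\WinPE_OCs'
$BootWim   = 'E:\Winpe64\Media\Sources\Boot.wim'
$MountDir  = 'E:\Winpe64\Mount'
$DriverDir = 'E:\Software\Drivers\HyperVx64'
# Order matters: WinPE-PowerShell needs NetFX, Scripting and WMI first, and
# WinPE-DismCmdlets needs WinPE-PowerShell.
$Packages  = 'WinPE-NetFX.cab', 'WinPE-Scripting.cab', 'WinPE-WMI.cab',
             'WinPE-PowerShell.cab', 'WinPE-DismCmdlets.cab'

# Task 2: load the ADK's DISM module, not the inbox one, and prove which copy is
# active. Mixing the two versions is the error source the lab's note warns about.
Import-Module $DismMod -Force
if (-not (Get-Module Dism | Where-Object { $_.ModuleBase -like "$AdkRoot*" })) {
    throw 'The DISM module in this session is not the ADK copy.'
}

$sizeBefore = (Get-Item $BootWim).Length   # the lab expects about 239,002 KB here

# A mount left behind by an earlier failed run makes Mount-WindowsImage fail;
# discard it rather than guessing at its state.
if (Get-WindowsImage -Mounted | Where-Object { $_.Path -eq $MountDir }) {
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $MountDir | Out-Null

$committed = $false
try {
    # Task 3 step 1. -ForceUnsigned waives driver-signature checking, so the
    # driver folder must be one you trust; here it is the lab's own.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse -ForceUnsigned | Out-Null
    # Get-WindowsDriver lists only third-party drivers; Driver is the published name.
    $oem  = Get-WindowsDriver -Path $MountDir
    $last = $oem | Sort-Object { [int]($_.Driver -replace '\D', '') } | Select-Object -Last 1
    '{0} third-party driver(s) in image; last published name: {1}' -f $oem.Count, $last.Driver
    if ($last.Driver -ne 'oem9.inf') { Write-Warning 'The lab expects the last driver to be oem9.inf' }

    # Task 3 step 2: add the optional components in the lab's order.
    foreach ($cab in $Packages) {
        $cabPath = Join-Path $OcsDir $cab
        if (-not (Test-Path $cabPath)) { throw "Optional component not found: $cabPath" }
        Write-Host "Adding $cab (this can take several minutes)..."
        Add-WindowsPackage -Path $MountDir -PackagePath $cabPath | Out-Null
    }
    # Verify every package before committing; package identities start with the cab name.
    $present = (Get-WindowsPackage -Path $MountDir).PackageName
    foreach ($cab in $Packages) {
        $id = [IO.Path]::GetFileNameWithoutExtension($cab)
        if (-not ($present -like "$id*")) { throw "Package $id is not in the mounted image" }
    }

    # Task 4: commit. Boot.wim on disk changes only at this point.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    $committed = $true
}
finally {
    # A failure above leaves the image mounted and Boot.wim untouched; discard the
    # mount so the next run starts from the original image.
    if (-not $committed) {
        Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
    }
}

$sizeAfter = (Get-Item $BootWim).Length
'Boot.wim: {0:N0} KB before, {1:N0} KB after' -f ($sizeBefore / 1KB), ($sizeAfter / 1KB)
# Record the hash of the committed image with the build; it lets you confirm
# later that the Boot.wim inside the Task 5 ISO is the one you built.
'SHA256: ' + (Get-FileHash -Path $BootWim -Algorithm SHA256).Hash
```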
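An audit pass over the answer file Lab B produces, added here as an example and not part of the course: it reads an Autounattend.xml, lists the settings Task 2 configures, repeats the NetworkLocation deprecation warning from Task 3, and flags any password the file carries. The XML is a constructed stand-in shaped like the lab's file, and $AnswerFile, Get-Text and Get-UnattendFindings are names chosen for this example.

```powershell
# Added example (not part of the course): audit an answer file of the kind Lab B
# builds before the floppy leaves your hands. The XML below is a constructed
# stand-in with the lab's settings; set $AnswerFile to audit a real file instead.
$Sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserData><FullName>Student</FullName><Organization>Adatum</Organization></UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>Reference</ComputerName>
    </component>
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification><JoinWorkgroup>imaging</JoinWorkgroup></Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <InputLocale>en-us</InputLocale><UILanguage>en-us</UILanguage><UserLocale>en-us</UserLocale>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <TimeZone>Pacific Standard Time</TimeZone>
      <OOBE><HideEULAPage>true</HideEULAPage><NetworkLocation>Work</NetworkLocation></OOBE>
      <UserAccounts>
        <AdministratorPassword><Value></Value><PlainText>true</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password><Value>Pa55w.rd</Value><PlainText>true</PlainText></Password>
            <DisplayName>Student Name</DisplayName><Group>Administrators</Group><Name>Student</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

# Walks child elements by name (no XPath), so the default namespace needs no prefix.
function Get-Text($Node, [string[]]$Path) {
    foreach ($name in $Path) {
        if ($null -eq $Node) { return $null }
        $Node = $Node[$name]
    }
    if ($null -ne $Node) { $Node.InnerText }
}

function Get-UnattendFindings([xml]$Unattend) {
    $out = New-Object 'System.Collections.Generic.List[string]'
    foreach ($s in $Unattend.DocumentElement.GetElementsByTagName('settings')) {
        foreach ($c in $s.GetElementsByTagName('component')) {
            $key = '{0}/{1}' -f $s.GetAttribute('pass'), $c.GetAttribute('name')
            # Values Task 2 types by hand: list them so a reviewer can check them at a glance.
            foreach ($p in 'ComputerName', 'TimeZone', 'InputLocale', 'UILanguage', 'UserLocale') {
                $v = Get-Text $c $p
                if ($v) { $out.Add("INFO $key $p = $v") }
            }
            $v = Get-Text $c 'Identification', 'JoinWorkgroup'
            if ($v) { $out.Add("INFO $key JoinWorkgroup = $v") }
            if (Get-Text $c 'UserData', 'ProductKey', 'Key') { $out.Add("WARN $key ProductKey present; Task 2 step 2 deletes it") }
            if (Get-Text $c 'OOBE', 'NetworkLocation') { $out.Add("WARN $key OOBE/NetworkLocation is deprecated (Windows SIM validation warns too)") }
            # Credentials. PlainText=false only means Windows SIM base64-encoded the value,
            # which is reversible, so any non-empty Value counts as an exposed password.
            if (Get-Text $c 'UserAccounts', 'AdministratorPassword', 'Value') {
                $out.Add("CRED $key AdministratorPassword is set (PlainText=$(Get-Text $c 'UserAccounts', 'AdministratorPassword', 'PlainText'))")
            }
            $accounts = $c['UserAccounts']
            if ($accounts) {
                foreach ($a in $accounts.GetElementsByTagName('LocalAccount')) {
                    if (Get-Text $a 'Password', 'Value') {
                        $out.Add(('CRED {0} LocalAccount {1} (group {2}) has a password (PlainText={3})' -f
                            $key, (Get-Text $a 'Name'), (Get-Text $a 'Group'), (Get-Text $a 'Password', 'PlainText')))
                    }
                }
            }
        }
    }
    return $out
}

$AnswerFile = $null   # e.g. 'A:\Autounattend.xml' for the lab floppy; $null audits the sample
$doc = if ($AnswerFile) { [xml](Get-Content -Raw $AnswerFile) } else { [xml]$Sample }
$findings = Get-UnattendFindings $doc
$findings
if ($findings | Where-Object { $_ -like 'CRED *' }) {
    Write-Warning 'This answer file carries credentials: handle the floppy as a secret and remove the file once the reference build is done.'
}
```

Against the sample, the Administrator entry produces no CRED line (its Value is the empty string Task 2 step 16 writes), while the LocalAccount entry with Pa55w.rd does.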