Security baseline for Windows 10 v1703 now out!

September 4, 2017 Ulv BjørnssonLeave a comment

Microsoft just published the security baseline for Windows 10 “Creators Update” v1703!

Now you might ask, why should I use a security baseline? First off – it’s for OS hardening, and it saves you a lot of manual work by having ready made settings setup and gives you the importable GPOs, as well as a multitude of custom ADMX files with them visually laid out for you in a spreadsheet.

This allows you to tweak your settings to what best suits your environment.

It’s an incredibly helpful tool for image building, particularly for those of us in verticals that require constant vigilance.

Now if you are new to OS hardening and security baselines, you really should check out Microsoft’s Security Compliance Toolkit!

You can get the Security baseline for Windows 10 “Creators Update (v1703) from here.

WannaCrypt – What is it?

May 16, 2017May 18, 2017 Ulv Bjørnsson2 Comments

What is WannaCrypt?

A large Ransomware campaign that spread across the world.
The attack used a vulnerability that was patched in March 2017 Security Update (MS17-010, SMBv1)
How can I mitigate WannaCrypt?

Timeline

August 2016
The Shadow Brokers attempt to auction NSA tools

Claims they hacked Equation Group, author of Stuxnet and Flame
Auction lists attack-ready code with 0-day exploits and trojans.

September 2016
Microsoft encourages users to stop using SMB1

March 2017
Microsoft releases Security Update to address the MS17-010 for SMB1 vulnerability

April 2017
The Shadow Brokers release the toolbox

Includes SMB (Eternal Blue) and the Trojan Code (Double Pulsar)
Microsoft releases an advisory that no new vulnerabilities are found in Shadow Brokers release

May 2017
WannaCrypt is released by unknown attacker
Which utilizes [ETERNALBLUE] with [DOUBLE PULSAR] and a ransomware payload that demands 300-600 USD in Bitcoins from its infected hosts.

What does WannaCrypt do?

Infects

It attacks through [ETERNALBLUE] if MS17-010 is not installed.
Installs the Trojan if the attack is successful [DOUBLEPULSAR]

Encrypts

Encrypts 179 file types
Shows a message that demands for payment of 300$-600$ in bitcoins to a listed wallet.

Spreads

It scans the local LAN and wider internet for port 445
Attempts to infect over SMBv1 [ETERNALBLUE] if port is open.

Payments

We find references to three different wallets these are:

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 73 transactions, total of 17460 USD
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 98 transactions, total of 26570 USD
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 82 transactions, total of 23450 USD

Which gives the attackers wallet a total of 67480 USD (14:00 GMT 16.05.17)

Curious of how to mitigate it, or want to read how to disable the SMBv1 vulnerability or patch it? Check out my previous article on mitigation.

As always, if you have suggestions on topics you want to read more about, or feedback. Leave a comment or tweet me at UlvBjornsson

Creating a Windows Master Control Panel shortcut .{ED7BA470-8E54-465E-825C-99712043E01C}

May 12, 2017May 12, 2017 Ulv BjørnssonLeave a comment

The Windows Master Control Panel, also known as Windows God Mode, or the All Tasks folder is a shortcut to access a variety of control settings found in any operating system later then Windows Vista.

It is one of those stories that hits the blogosphere and spins; however the background for the registry key “ED7BA470-8E54-465E-825C-99712043E01C” was actually just an “All Tasks“-page created by Windows developers to make it easier to find what was needed.

So if you use the search box in the “Control Panel“-window, see illustration below. It will leverage the key “ED7BA470-8E54-465E-825C-99712043E01C“.

The key that it looks up you can find it under:
HKEY_CLASSES_ROOT\CLSID\{ED7BA470-8E54-465E-825C-99712043E01C}

So now let’s create and give you a shortcut to the blogosphere’s godmode, or the Windows developers “All Task”-folder.

musings of a consultant

Tag: Operating System