event logs

Winsage
March 25, 2025
Access provides advice on IT challenges, career transitions, and workplace dynamics. A mid-sized company faced a ransomware scare after a user opened a malicious attachment, but recovered its data without paying the ransom. To harden a Windows environment on a limited budget, the following steps are recommended:
1. Evaluate data storage: centralize it on servers rather than individual workstations, which both improves security and simplifies backups.
2. Implement least-privilege access, limiting each user to only the resources they need, so a compromised account can do less damage during an attack.
3. Use Microsoft's AppLocker to control which applications can run on Windows desktops, blocking unauthorized software.
4. Set up a ransomware kill switch: a custom PowerShell script that monitors for suspicious activity and triggers defensive actions if ransomware is detected.
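One way to build the kill switch in step 4, as an added example rather than the script from the article: plant decoy files in a canary directory, watch them with a FileSystemWatcher, and when anything rewrites, renames or deletes one, isolate the host. The canary path, decoy names, event ID 9001 and the containment actions (stopping the Server service so the machine stops serving SMB shares, then disabling network adapters) are all assumptions of this example. It needs Windows PowerShell 5.1 run as administrator, because Write-EventLog and New-EventLog are not available in PowerShell 7.

```powershell
# Added example: canary-file ransomware kill switch. Not the article's script.
# Assumed: canary path, decoy names, event ID 9001, and the containment actions.
param(
    [string]$CanaryDir = 'C:\_canary',   # assumed; pick a path an encryptor enumerates early
    [switch]$DryRun                       # write the trigger event but take no containment action
)
$ErrorActionPreference = 'Stop'

# 1. Plant decoy files with random content so they look worth encrypting.
New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
$rng = New-Object System.Random
foreach ($name in 'Q1_payroll.xlsx', 'passwords_backup.docx', 'contracts.pdf') {
    $path = Join-Path $CanaryDir $name
    if (-not (Test-Path $path)) {
        $bytes = New-Object byte[] 4096
        $rng.NextBytes($bytes)
        [System.IO.File]::WriteAllBytes($path, $bytes)
    }
}
# Hidden keeps users from opening the decoys by accident; encryptors ignore the attribute.
(Get-Item $CanaryDir).Attributes = 'Directory, Hidden'

# 2. Register an event source once so the trigger is easy to find in the Application log later.
if (-not [System.Diagnostics.EventLog]::SourceExists('RansomwareCanary')) {
    New-EventLog -LogName Application -Source 'RansomwareCanary'
}

# 3. The action that runs for every tamper event: record it, then cut the host off.
$action = {
    $msg = "Canary tamper: $($EventArgs.ChangeType) $($EventArgs.FullPath) at $(Get-Date -Format o)"
    Write-EventLog -LogName Application -Source 'RansomwareCanary' -EntryType Error -EventId 9001 -Message $msg
    if ($Event.MessageData) { return }                   # DryRun: log only
    Stop-Service -Name LanmanServer -Force                # stop serving SMB shares
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

# 4. Watch the decoys. FileName catches rename-then-rewrite encryptors; LastWrite/Size catch in-place ones.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $CanaryDir
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Canary$evt" `
        -MessageData ([bool]$DryRun) -Action $action | Out-Null
}

Write-Host "Watching $CanaryDir (DryRun=$([bool]$DryRun)); Ctrl+C to stop."
while ($true) { Wait-Event -Timeout 5 | Out-Null }   # keeps the session alive so the actions can fire
```

Run it first with -DryRun and touch a decoy to confirm event 9001 appears in the Application log before enabling containment. Two caveats a practitioner should keep in mind: the trigger fires after encryption has already started, so this limits the blast radius (in particular the spread to file shares) rather than preventing the infection, which is what AppLocker in step 3 is for; and an attacker running with administrative rights can simply kill the watcher, so run it as a scheduled task under SYSTEM at startup and treat it as one layer, not the defence.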
Tech Optimizer
March 20, 2025
Microsoft Incident Response has identified a new remote access trojan (RAT), StilachiRAT, that steals sensitive information from infected computers, including passwords, cryptocurrency wallet details, operating system configuration, and device identifiers. It targets digital wallets from platforms such as Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet; harvests saved credentials from Google Chrome; monitors clipboard contents; gathers system information; detects whether a camera is present; and tracks active Remote Desktop Protocol (RDP) sessions, impersonating logged-on users to monitor them. It persists through the Windows service control manager, has a self-reinstatement mechanism that reinstalls it if it is removed, and uses anti-forensics techniques to evade detection. First observed in November 2024, it has not yet seen widespread distribution. Microsoft advises downloading software only from official websites, running robust security software and a reputable antivirus, staying alert to phishing, avoiding unexpected links, and considering a VPN and a password manager.
Winsage
March 10, 2025
Cisco Talos has reported a series of attacks exploiting a critical PHP vulnerability (CVE-2024-4577) against Windows systems, primarily at organizations in Japan, since January 2025. The vulnerability allows remote execution of arbitrary PHP code on servers running Apache with PHP-CGI. The attackers use a Python script, "PHP-CGI_CVE-2024-4577_RCE.py", to send crafted POST requests and confirm successful exploitation by checking the response for a specific MD5 hash. After gaining access they deploy a PowerShell injector script that connects to their command and control (C2) server, then use Cobalt Strike plugins for post-exploitation, including modifying registry keys for persistence and clearing Windows event logs to evade detection. They move laterally with reconnaissance tools, abuse Group Policy Objects to run malicious scripts, and finally dump credentials with Mimikatz. A pre-configured installer script hosted on their C2 server suggests further attacks are planned.
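The log clearing and persistence steps in that chain leave records of their own, and they are worth hunting for on any Windows host behind a PHP-CGI server. The following is an added example, not part of the Talos report: a PowerShell hunt built on Get-WinEvent. The event IDs and channels are the documented Windows ones (1102: Security log cleared; 104: another log cleared, recorded in System; 7045: new service installed), and the autostart keys are the standard Run/RunOnce locations. The lookback window and the shape of the output are this example's own choices. Run it as an administrator so the Security log is readable.

```powershell
# Added example (not from the Talos report): hunt for log clearing, new services and
# Run-key persistence. Documented Windows event IDs; lookback and output are my choices.
param([int]$Days = 14)

function Get-EventDataMap {
    # Read event fields by name rather than by position. Most providers put them in
    # <EventData><Data Name="...">; 1102 and 104 use <UserData><LogFileCleared><Field>.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $n = $d.GetAttribute('Name')
        if ($n) { $map[$n] = $d.'#text' }
    }
    foreach ($node in $xml.Event.UserData.ChildNodes) {
        foreach ($field in $node.ChildNodes) { $map[$field.LocalName] = $field.InnerText }
    }
    return $map
}

function Find-LogClearing {
    param([datetime]$Since)
    # 1102 lives in Security; 104 lives in System and names the channel that was wiped.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;  StartTime = $Since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises an error when nothing matches; suppress it and yield nothing.
        foreach ($e in (Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
            $d = Get-EventDataMap $e
            $channel = if ($e.Id -eq 1102) { 'Security' } else { $d['Channel'] }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Cleared = $channel
                Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Host    = $e.MachineName
            }
        }
    }
}

function Find-NewServices {
    param([datetime]$Since)
    # Service installs are how Cobalt Strike style tooling often persists or moves laterally.
    $f = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
        $d = Get-EventDataMap $e
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Service   = $d['ServiceName']
            ImagePath = $d['ImagePath']
            Account   = $d['AccountName']
        }
    }
}

function Get-RunKeyEntries {
    # Autostart values are the most common home for the registry persistence described above.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }  # provider noise
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

$since = (Get-Date).AddDays(-$Days)
"== Event logs cleared in the last $Days days =="
Find-LogClearing -Since $since | Format-Table -AutoSize
"== Services installed in the last $Days days =="
Find-NewServices -Since $since | Format-Table -AutoSize
"== Run / RunOnce autostart entries =="
Get-RunKeyEntries | Format-Table -AutoSize
```

A cleared Security log is itself the finding: a 1102 with an interactive account as Actor outside a change window should be escalated, and because the attacker can clear the local log, the real defence is forwarding these events to a collector (Windows Event Forwarding or a SIEM) before they can be wiped.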
Winsage
February 10, 2025
Windows 11 is known for its stability and a safe upgrade process that allows rolling back to the previous version if problems occur. It ships with troubleshooting tools: Event Viewer, which consolidates system event logs and helps identify the cause of failures; Task Manager, which shows running applications and performance metrics; Resource Monitor, which gives real-time data on CPU, memory, disk and network usage; Command Prompt, for running diagnostic commands; and PowerShell, for advanced scripting and automation. Together these tools help users diagnose and resolve Windows issues effectively.
Tech Optimizer
December 16, 2024
Open-source tools are enhancing productivity and streamlining processes for developers and organizations. Notable projects include:
- **Olshansk/postgres_for_everything**: Extends PostgreSQL's reach with resources for JSON/JSONB types, TimescaleDB for time-series data, full-text search, pgRouting for graph data, and advanced SQL analytics.
- **Biggest Shell Programs in the World**: Analyzes large shell scripts and systems, including the Linux Kernel Build System, Android Build System, and Debian Packaging Tools.
- **Pulumi**: An infrastructure-as-code platform for managing cloud infrastructure in languages like Python, JavaScript, and Go, with multi-cloud support and Kubernetes integration.
- **yorukot/superfile**: A terminal file manager written in Go, offering a modern TUI for file handling and cross-platform compatibility.
- **soci-snapshotter**: An AWS Labs project for optimizing container image management through lazy loading and snapshotting.
- **Spark UI**: Enhances management and monitoring of Apache Spark applications with live metrics, interactive visualizations, and integration with event logs.
- **LFI.dev**: A framework for developing real-time collaborative web applications with offline functionality and synchronization.
- **WrenAI**: A tool for creating intelligent chatbots and virtual assistants with prebuilt NLU and NLG capabilities.
- **Astro 5.0**: A framework for building content-focused websites with server-side rendering, static site generation, and improved Markdown handling.
- **Outerbase Studio**: An open-source database management tool with a browser-accessible UI and compatibility with various relational databases.
- **Undici**: A high-performance HTTP client for Node.js, featuring advanced connection pooling, a promise-based interface, and support for streaming requests.
Winsage
December 16, 2024
The Windows NT architecture still underpins a large share of global IT infrastructure, with millions of installations across Windows Server, Windows 10, and Windows 11, and it can be combined with modern PowerShell techniques to build current solutions. A secure, distributed file service can be built on Windows' Distributed File System (DFS), with encryption configured through PowerShell scripts, giving organizations a fault-tolerant file-sharing mechanism. PowerShell can also drive a real-time health monitoring dashboard that aggregates event log entries, performance counters, and custom triggers, so administrators can spot failures quickly. Patch management can be automated by driving Windows Server Update Services (WSUS) from PowerShell to detect missing updates, apply patches, and audit systems for compliance. And PowerShell can strengthen identity and access management (IAM) by automating permission monitoring and compliance checks, giving continuous auditing of user access rights against corporate policy.
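The health dashboard described above, and the Event Viewer and PowerShell tools mentioned in the Windows 11 entry, both come down to the same two cmdlets: Get-WinEvent for the logs and Get-Counter for the performance counters. The following added example (not code from the article) is the one-shot snapshot a dashboard would poll: it summarises Critical and Error events per provider over a window, samples three counters, applies thresholds, and returns a single object that a collector can trend. The thresholds, the counter set, the error-count limit and the output shape are this example's own choices.

```powershell
# Added example (not from the article): one host health snapshot for a PowerShell dashboard.
# Assumed: thresholds, the three counters sampled, and the output object's fields.
function Get-HostHealthSnapshot {
    param(
        [int]$Hours = 24,
        [double]$CpuWarnPercent = 85,
        [int]$FreeMemWarnMB = 512,
        [double]$DiskFreeWarnPercent = 10,
        [int]$ErrorEventWarn = 50
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Critical (level 1) and Error (level 2) events from System and Application, summarised per provider.
    $errors = Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $topSources = $errors | Group-Object ProviderName | Sort-Object Count -Descending |
        Select-Object -First 5 @{ n = 'Provider'; e = { $_.Name } }, Count

    # One sample of the counters a dashboard would trend. Path matching is case-insensitive.
    $paths = '\Processor(_Total)\% Processor Time', '\Memory\Available MBytes', '\LogicalDisk(C:)\% Free Space'
    $samples = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 1).CounterSamples
    $cpu  = [math]::Round(($samples | Where-Object Path -like '*% processor time').CookedValue, 1)
    $mem  = [math]::Round(($samples | Where-Object Path -like '*available mbytes').CookedValue)
    $disk = [math]::Round(($samples | Where-Object Path -like '*% free space').CookedValue, 1)

    # Threshold checks; every breach becomes a human-readable alert line.
    $alerts = @()
    if ($cpu  -ge $CpuWarnPercent)        { $alerts += "CPU at ${cpu}% (warn >= $CpuWarnPercent)" }
    if ($mem  -lt $FreeMemWarnMB)         { $alerts += "Only $mem MB free memory (warn < $FreeMemWarnMB)" }
    if ($disk -lt $DiskFreeWarnPercent)   { $alerts += "C: ${disk}% free (warn < $DiskFreeWarnPercent)" }
    if ($errors.Count -ge $ErrorEventWarn) { $alerts += "$($errors.Count) error/critical events in last $Hours h" }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Sampled          = Get-Date
        CpuPercent       = $cpu
        FreeMemoryMB     = $mem
        DiskCFreePercent = $disk
        ErrorEvents      = $errors.Count
        TopErrorSources  = $topSources
        Alerts           = $alerts
        Healthy          = ($alerts.Count -eq 0)
    }
}

# Usage: take one snapshot now. A dashboard would loop this on a timer and push each
# object to a collector (ConvertTo-Json makes it easy to post to an HTTP endpoint).
$snap = Get-HostHealthSnapshot -Hours 24
$snap | Format-List
```

Returning an object rather than printing text is the point of the design: the same function feeds a console view, a JSON export, or a remote collector via Invoke-Command without changes, and the Healthy flag gives an alerting rule a single value to key on.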
Winsage
October 25, 2024
Microsoft has released Windows Server build 26311 for the Windows Server Insider Program, branding it as Windows Server 2025. The change log for build 26311 is similar to build 26304 and includes the Windows Defender Application Control for Business (WDAC), which enhances security by enforcing a list of authorized software. The Windows Server 2025 Security Baseline Preview allows users to apply over 350 preconfigured security settings categorized by server roles: Domain Controller, Member Server, and Workgroup Member. Known issues include incorrect labeling for the flight, problems with WinPE PowerShell scripts, intermittent upgrade failures from Windows Server 2019 or 2022, issues with archiving event logs, and installation recommendations related to Secure Launch/DRTM. Downloads are available in various formats, but may not be accessible in certain regions due to Microsoft's sales suspension in Russia. The preview is set to expire on September 15, 2025.
Winsage
October 17, 2024
Users are experiencing system crashes and Blue Screens of Death (BSOD) linked to the Windows 11 24H2 update, particularly on systems with Western Digital SN770 and SN580 SSDs. Reports of increased crashes began over a week ago, after the update was installed. Users have identified a common error message: "The driver detected a controller error on \Device\RaidPort1." A community member has proposed a temporary workaround involving registry changes, but neither Western Digital nor Microsoft has responded officially. Both companies are aware of the issue and are expected to release patches and firmware updates.
Winsage
October 12, 2024
Microsoft has released build 26304 of Windows Server for the Windows Server Insider Program, transitioning to the Windows Server 2025 branding. The key feature introduced is Windows Defender Application Control for Business (WDAC), which enforces a strict list of approved software and includes a predefined default policy for implementation via PowerShell cmdlets. The Windows Server 2025 Security Baseline Preview is also available, featuring over 350 preconfigured settings based on Microsoft’s best practices, categorized by server roles such as Domain Controller, Member Server, and Workgroup Member. Users are advised to preview the security baseline only on test systems due to potential irreversible configurations. The new build will be automatically delivered to Server Flighting participants, and the updated Feedback Hub app is available for Server Desktop users. Known issues include mislabeling in flight references, PowerShell script malfunctions in WinPE, intermittent upgrade failures from previous Windows Server versions, potential crashes when archiving event logs, and restrictions for those with Secure Launch/DRTM code path enabled. Downloads are available in limited regions, with previews for Windows Server Long-Term Servicing Channel and Datacenter Azure Edition in various formats. The preview keys are valid only for preview builds, and the preview is set to expire on September 15, 2025.