PowerShell script Archives

AppWizard

February 20, 2025

Russian Groups Target Signal Messenger in Spy Campaign

Multiple Russian threat groups are targeting the Signal Messenger application, focusing on individuals likely to engage in sensitive military and governmental communications during the conflict in Ukraine. Researchers from Google's Threat Intelligence Group have identified these attacks as primarily aimed at individuals of interest to Russian intelligence services. The two main cyber-espionage groups involved are UNC5792 (tracked by Ukraine's CERT as UAC-0195) and UNC4221 (UAC-0185). Their goal is to deceive victims into linking their Signal accounts to devices controlled by the attackers, granting access to incoming messages. UNC5792 uses invitations that resemble legitimate Signal group invites with malicious QR codes, while UNC4221 employs a phishing kit that mimics Ukraine's Kropyva app and includes harmful QR codes on fake sites. Other Russian and Belarusian groups, including Sandworm (APT44) and Turla, are also targeting Signal Messenger in various ways, such as stealing messages from databases or local storage. Additionally, Belarus-linked group UNC1151 uses the Robocopy tool to duplicate Signal messages for future theft. The increased activity against Signal reflects a broader interest in secure messaging apps used by individuals in espionage and intelligence roles. These apps' strong security features make them attractive to at-risk individuals and communities but also high-value targets for adversaries. Russian groups are also targeting Telegram and WhatsApp, with a recent report detailing attacks by the Russian group Star Blizzard on WhatsApp accounts of government officials and diplomats.

Winsage

February 17, 2025

Winhance transforms Windows 11 (and Windows 10) into the bloat-free, faster operating system you always wanted

User sentiment towards Windows 11 has led to the development of third-party tools to enhance the experience. Talon can debloat Windows 11 with just two clicks, removing unnecessary pre-installed applications like Microsoft Edge, OneDrive, Copilot, and Clipchamp. Winhance is another tool that debloats and optimizes Windows 11, also compatible with Windows 10 (22H2). Winhance features include: - Software & Apps: - Install Software - Permanently Remove Windows Apps (e.g., Microsoft Edge, OneDrive, Copilot) - Optimize: - Set UAC Notification Level - Disable/Enable Windows Security Suite - Privacy Settings - Gaming Optimizations - Windows Updates - Power Settings - Scheduled Tasks - Windows Services - Customize: - Toggle Windows Dark or Light Mode - Taskbar Customization - Start Menu Settings - Explorer Options - Notification Preferences - Sound Settings - Accessibility Options - Search Configuration To use Winhance, users must open PowerShell as Administrator, confirm privileges, enable script execution, and run a specific command to download and execute the application from GitHub. Winhance has received significant updates since its release in February, with version 2 introducing UI/UX improvements, critical fixes, and bug resolutions, including issues with Windows Search and OneDrive folder cleanup. A demonstration video is available for viewing.

Tech Optimizer

February 15, 2025

Simplify database authentication management with the Amazon Aurora PostgreSQL pg_ad_mapping extension

Authentication is essential for security in enterprise environments, protecting sensitive data and resources from unauthorized access. Kerberos authentication is utilized for Amazon Aurora PostgreSQL-Compatible Edition with AWS Directory Service for Microsoft Active Directory, particularly through the pg_ad_mapping extension, which enhances access control management. Aurora PostgreSQL supports multiple authentication methods, including password authentication, AWS Identity and Access Management (IAM) database authentication, and Kerberos authentication. By default, password authentication is enabled, while IAM and Kerberos can be used independently. Users are assigned specific roles based on the authentication method: rds_iam for IAM, rds_ad for Kerberos, and no specific roles for password authentication. Kerberos authentication integrates with Microsoft Active Directory, allowing centralized authentication and single sign-on (SSO) capabilities. With versions 14.10 and 15.5, Aurora PostgreSQL introduced the pg_ad_mapping extension, which allows administrators to manage access through Active Directory (AD) security groups instead of provisioning individual users. This extension checks AD group memberships upon user login and assigns corresponding database roles, prioritizing roles based on assigned weights. The pg_ad_mapping extension includes functions such as pgadmap_set_mapping to add mappings between AD security groups and database roles, pgadmap_read_mapping to list existing mappings, and pgadmap_reset_mapping to delete or reset mappings. To deploy the solution, a CloudFormation stack is used to create necessary resources, including an AWS Managed Microsoft AD server, an Aurora PostgreSQL database cluster, and a Windows EC2 instance. Users can be added to AD groups, and roles can be mapped to facilitate access management. Security best practices for Aurora PostgreSQL include using IAM policies for resource management, implementing security groups for database access control, utilizing encryption for data protection, and employing Transport Layer Security (TLS) for secure connections. For auditing, the pg_stat_gssapi view can be used to identify authenticated users, and enabling the log_connections parameter will log session establishments, including AD user identities.

Winsage

February 7, 2025

Microsoft says Windows 11 KB5044284/KB5046617 still can’t install new updates via USB/CD

In December, Microsoft acknowledged a known issue affecting users installing security updates on Windows 11 version 24H2, particularly those using CDs or USB drives. Users faced difficulties with the October 2024 (KB5044284) and November 2024 (KB5046617) Patch Tuesdays, including those using the Media Creation Tool. Installations via Windows Update or the Update Catalog were unaffected. Microsoft suggested a workaround: avoid installing the October and November patches. The issue has since been marked as "resolved," with the workaround now stated as the official resolution: do not install Windows 11, version 24H2 with the October or November updates. Instead, use media that includes the December 2024 security update or later. If a device cannot receive further updates due to this issue, it can be fixed by reinstalling Windows 11, version 24H2 with the appropriate media. Microsoft also introduced a new PowerShell script for updated Windows 11, 10, and Server boot media.

Winsage

February 6, 2025

Microsoft script updates bootable media for BlackLotus bootkit fixes

Microsoft has released a PowerShell script to help users and administrators update bootable media, integrating the "Windows UEFI CA 2023" certificate. This update is in response to the BlackLotus UEFI bootkit, which can bypass Secure Boot and disable Windows security features. Microsoft has issued prior updates in March 2023 and plans additional measures for July 2024, addressing a Secure Boot bypass vulnerability (CVE-2023-24932). The fix will be rolled out in phases before full enforcement anticipated by 2026. The update will include the "Windows UEFI CA 2023" certificate in the UEFI Secure Boot Signature Database and revoke the "Windows Production CA 2011" certificate for older boot managers. Administrators are advised to update bootable media to use the new certificate to avoid booting issues. The PowerShell script is compatible with various media formats and requires the Windows ADK for functionality. Microsoft recommends thorough testing before the enforcement phase, which will begin by the end of 2026, with a six-month notice prior to implementation.

Winsage

February 5, 2025

Microsoft addresses Windows vulnerability with PowerShell script

Microsoft has introduced a PowerShell script, KB5053484, to address the 2023 BlackLotus Secure Boot vulnerability (CVE-2023-24932) in Windows operating systems. This update targets Windows-bootable media and aligns with the new Secure Boot Certificate Authority (CA) released in February 2024, replacing the outdated CA from 2011. The BlackLotus vulnerability allows attackers to bypass Secure Boot in Windows 10 and 11, potentially injecting harmful code at the UEFI level. The update is available immediately to enhance security against this threat.

Winsage

February 5, 2025

KB5053484: Microsoft shares new PowerShell script for updated Windows 11/10 boot media

In February 2024, Microsoft announced the rollout of new 2023 Secure Boot Certificate Authority (CA) keys to replace the 2011 certificates that were introduced with Windows 8. This initiative began with Patch Tuesday updates, specifically KB5034765 for Windows 11 and KB5034763 for Windows 10, as the 2011 certificates are set to expire in 2026. Microsoft released a PowerShell script, Make2023BootableMedia.ps1, to update Windows bootable media for compatibility with the new Windows UEFI CA 2023 certificate, addressing the Black Lotus Secure Boot vulnerability (CVE-2023-24932). The script can update various types of bootable media, including ISO files, USB drives, and local or network drive paths. Users must have the latest Windows Assessment and Deployment Kit (Windows ADK) for the script to function properly, and it should be executed from an elevated PowerShell prompt with the appropriate media source provided. Comprehensive details are available in the KB5053484 support article on Microsoft's website.

Tech Optimizer

December 19, 2024

LNK Files And SSH Commands: A New Cyber Attack Trend In 2024

Cyber attackers are increasingly using malicious LNK files, which disguise themselves as harmless shortcuts, as an infection vector in 2024. Security experts, particularly Cyble Research and Intelligence Labs (CRIL), have noted a significant rise in this tactic. Attackers leverage LNK files to gain access to systems, triggering malicious actions that can deploy advanced malware. This method reflects a shift in attack vectors aimed at bypassing traditional security measures. One primary technique in these attacks is the exploitation of Living-off-the-Land Binaries (LOLBins), which are trusted system binaries manipulated to execute harmful commands without external malware. Attackers have refined their methods to evade detection by endpoint detection and response (EDR) solutions. Recent campaigns have incorporated SSH commands within malicious LNK files, allowing attackers to establish persistent connections and download malicious files from remote servers. This use of SSH is concerning as it is not typically associated with Windows systems, making it harder for conventional security measures to detect. Threat actors have also used SSH commands to execute malicious PowerShell or CMD commands indirectly through LNK files. For example, a malicious LNK file was found to trigger a PowerShell script that downloaded a malicious payload. Advanced Persistent Threat (APT) groups, known for their long-term cyber espionage, are increasingly utilizing these techniques, with groups like Transparent Tribe deploying stealer malware using similar methods. The combination of LNK files and SSH commands presents a significant threat to organizations, necessitating enhanced monitoring and detection systems to identify abnormal activities. Security teams must evolve EDR solutions to recognize malicious SSH and SCP activity, especially in environments where SSH is not commonly used. Additionally, organizations should restrict the use of legitimate SSH utilities and disable unnecessary features to minimize the attack surface.

Winsage

December 16, 2024

“Reinventing the Wheel: New Computing Concepts Using Windows NT Architecture and PowerShell”

The Windows NT architecture continues to support a significant portion of global IT infrastructure, with millions of installations across Windows Server, Windows 10, and Windows 11. It can be leveraged alongside modern PowerShell techniques to create next-generation computing solutions. A secure and distributed file system can be implemented using Windows NT's Distributed File System (DFS) with encryption capabilities through PowerShell scripts. This allows organizations to create a secure, fault-tolerant file-sharing mechanism. PowerShell scripts can also be used to establish a real-time health monitoring dashboard that aggregates data from event logs, system performance counters, and custom triggers, enabling system administrators to swiftly identify failures and monitor system health. Automating patch management can be achieved through PowerShell by utilizing Windows Update Services (WSUS) to streamline the detection of missing updates, apply patches, and audit systems for compliance. PowerShell can enhance identity and access management (IAM) processes by automating compliance and monitoring permissions, ensuring continuous auditing of user access rights and adherence to corporate policies.

Winsage

November 17, 2024

Windows 10 KB5048239 causes 0x80070643 error but Microsoft already has an official fix

Microsoft released its November 2024 updates, including dynamic updates for Windows 11 and a rare set for Windows 10. The Recovery update KB5048239 has been causing installation failures with the error "0x80070643." Users have reported similar issues with previous updates KB5034440 and KB5034441. The installation failures are attributed to insufficient space in the Windows Recovery partition, which requires a minimum of 250 MB for successful installation. Microsoft has provided guidance for users to resize their recovery partition to ensure eligibility for the update.