scheduled tasks

Winsage
May 7, 2025
The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.
Winsage
May 6, 2025
Sophia Script is a PowerShell module available on GitHub that simplifies adjusting Windows settings from the command line, offering over 150 regularly updated functions. It covers tasks such as telemetry settings, scheduled tasks, and uninstalling OneDrive, and many functions can be enabled to run in a single pass. Setup involves opening the main PS1 file in an editor such as Notepad++, changing to the script's directory, and executing the launch command given on GitHub, where comprehensive instructions are available. Users choose what runs by commenting out (prefixing with #) or uncommenting the function calls for the tweaks they want, and changes can be applied across all user accounts. Sophia Script is particularly useful for configuring new PCs or fresh installations, as it removes unnecessary bloatware and streamlines the system. It can uninstall Microsoft apps, including the Windows Copilot app, and after running it had created five scheduled tasks of its own, saving time compared to making the same changes by hand. The creator, Farag2, is also developing a GUI version, SophiApp 2.0.
Winsage
April 14, 2025
Microsoft has warned IT administrators about a significant issue affecting Windows Server 2025 domain controllers, which may fail to manage network traffic correctly after a restart. After a reboot the domain controllers load the standard (non-domain) firewall profile instead of the required domain firewall profile, which can make them unreachable on the domain network, break applications and services, and leave ports open that should be restricted. The issue affects only Windows Server 2025 systems with the Active Directory Domain Services role; client systems and earlier server versions are unaffected. As a temporary workaround, Microsoft recommends restarting the network adapters after each reboot with the PowerShell command Restart-NetAdapter *, and suggests automating this with a scheduled task that runs at startup. Administrators are also advised to monitor domain controllers for disruptions and to minimise unnecessary restarts. Microsoft is working on a permanent fix, expected in a future update.
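The workaround described above as a registered startup task, followed by a check that the domain profile is actually active, written as an added example for this page (it is not Microsoft's own script). The task name and folder are this example's choice, and the 30-second boot delay is an assumption about how long the NIC and Network Location Awareness need after startup; run it in an elevated PowerShell on the affected domain controller.

```powershell
# Added example: automate Microsoft's interim workaround (Restart-NetAdapter * after
# every reboot) for Windows Server 2025 domain controllers, then verify the result.
# Task name/folder and the boot delay are this example's assumptions.

$taskName = 'DC-NetAdapter-Restart'
$taskPath = '\Workarounds\'

# Restart-NetAdapter * is the exact command Microsoft recommends; -Confirm:$false keeps
# it non-interactive. The outer single quotes keep $false literal for the child shell.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Restart-NetAdapter * -Confirm:$false"'

# Fire at boot, with a short ISO 8601 delay so the adapter bounce happens after NLA is up
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT30S'   # assumption: 30 s is enough on this host

# Run as SYSTEM with highest privileges; keep it from being skipped or killed early
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force `
    -Description 'Interim workaround: re-apply the domain firewall profile after reboot'

# Verification: on a healthy DC every connected adapter reports DomainAuthenticated,
# which is the category that selects the domain firewall profile.
function Test-DomainFirewallProfile {
    $profiles = Get-NetConnectionProfile
    $bad = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
    [pscustomobject]@{
        Adapters         = (@($profiles | Select-Object -ExpandProperty InterfaceAlias) -join ', ')
        AllDomainProfile = ($bad.Count -eq 0)
        NonDomain        = (@($bad | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join ', ')
    }
}

Test-DomainFirewallProfile
```

If AllDomainProfile comes back false after the task has run, the bounce happened too early for NLA; raise the delay rather than removing it. Remove the task once Microsoft ships the permanent fix, otherwise every reboot will keep dropping the adapters for no reason.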
Winsage
March 17, 2025
Obscure#Bat is a malware campaign targeting Windows users that uses heavily obfuscated batch scripts to deploy a user-mode rootkit able to hide its activity from standard security tooling. It stores further obfuscated scripts in the Windows Registry and conceals files, registry entries, and running processes by hooking Windows APIs. The malware injects itself into legitimate Windows processes, which makes it harder to spot with conventional process-based checks, and it can delete evidence of its own activity. Attackers use social-engineering lures, such as fake CAPTCHA tests and trojanized copies of legitimate software tools, to get victims to execute the malicious batch file. The rootkit hides any file, process, or registry key whose name begins with the "$nya-" prefix and has been identified as r77, an open-source ring-3 (user-mode) rootkit. Because it makes no kernel modifications and persists through registry entries and scheduled tasks, it is not caught by defences that only look for kernel tampering. Windows users are advised to be wary of such lures and to inspect batch files in a text editor before running them.
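Two of the entries above, the five scheduled tasks Sophia Script leaves behind and the scheduled-task persistence used by r77, call for the same check: an inventory of scheduled tasks that does not trust a single view. The script below is an added example for this page, not code from Sophia Script, Securonix or the r77 project. It collects task names from the Task Scheduler service, from the definition files under System32\Tasks and from the TaskCache registry, then reports every non-Microsoft task with what it runs and as whom, and anything the file system or registry knows about that the API does not return. The "$nya-" prefix is the one the write-up names; everything else about r77's behaviour is left to the report. One caveat a practitioner needs: r77 injects into user-mode processes, so a hooked PowerShell would see three consistent, filtered views. For a suspected infection, run the same comparison from a process the rootkit does not inject into, or from WinPE against the offline volume with the two paths adjusted.

```powershell
# Added example: cross-view scheduled-task inventory. Run elevated.
$tasksDir   = Join-Path $env:SystemRoot 'System32\Tasks'
$tasksKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$hidePrefix = '$nya-'   # r77's hide prefix as described in the write-up

function Get-TaskInventory {
    # View 1: the Task Scheduler service, i.e. what Get-ScheduledTask and schtasks report
    $api = @{}
    foreach ($t in Get-ScheduledTask) { $api["$($t.TaskPath)$($t.TaskName)"] = $t }

    # View 2: task definition files on disk; the path relative to the Tasks folder is the task name
    $fs = @{}
    foreach ($f in Get-ChildItem -LiteralPath $tasksDir -Recurse -File -Force -ErrorAction SilentlyContinue) {
        $fs[$f.FullName.Substring($tasksDir.Length)] = $f.LastWriteTime
    }

    # View 3: the registry TaskCache; each Tasks\{GUID} key carries the task's full path
    $reg = @{}
    foreach ($k in Get-ChildItem -LiteralPath $tasksKey -ErrorAction SilentlyContinue) {
        $p = $k.GetValue('Path')
        if ($p) { $reg[$p] = $k.PSChildName }
    }
    [pscustomobject]@{ Api = $api; FileSystem = $fs; Registry = $reg }
}

function Find-SuspiciousTasks {
    $inv = Get-TaskInventory
    $all = @{}
    foreach ($n in @($inv.Api.Keys) + @($inv.FileSystem.Keys) + @($inv.Registry.Keys)) { $all[$n] = $true }

    foreach ($name in ($all.Keys | Sort-Object)) {
        $inApi = $inv.Api.ContainsKey($name)
        $inFs  = $inv.FileSystem.ContainsKey($name)
        $inReg = $inv.Registry.ContainsKey($name)
        $t     = $inv.Api[$name]

        $reasons = @()
        if (-not $inApi)                                  { $reasons += 'on disk/registry but not returned by the Task Scheduler API' }
        if ($name.Split('\')[-1].StartsWith($hidePrefix)) { $reasons += "name carries the r77 hide prefix $hidePrefix" }
        if ($name -notlike '\Microsoft\*')                { $reasons += 'non-Microsoft task path' }
        if ($reasons.Count -eq 0) { continue }

        # Command and principal come from the API view; '?' when the API does not know the task
        $runsAs = '?'; $command = '?'
        if ($t) {
            $runsAs  = "$($t.Principal.UserId) [$($t.Principal.RunLevel)]"
            $command = (@($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; ')
        }
        [pscustomobject]@{
            Task = $name; InApi = $inApi; OnDisk = $inFs; InRegistry = $inReg
            RunsAs = $runsAs; Command = $command; Reason = ($reasons -join '; ')
        }
    }
}

Find-SuspiciousTasks | Format-Table -AutoSize -Wrap
```

On a freshly configured machine the output is the review list for what a tuning script such as Sophia Script created: read the Command column and confirm each entry runs a script you can account for, under the principal you expect. A task that appears in the OnDisk or InRegistry columns but not in InApi is the signature of a hidden task and deserves an offline look before anything else.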
Winsage
March 10, 2025
Cisco Talos has reported a series of attacks exploiting a critical PHP vulnerability (CVE-2024-4577) against Windows systems, primarily at organizations in Japan, since January 2025. The flaw allows attackers to execute arbitrary PHP code on Windows servers running Apache with PHP in CGI mode. The attackers use a Python script, "PHP-CGICVE-2024-4577RCE.py", to send crafted POST requests and confirm exploitation by checking for a specific MD5 hash in the response. After gaining access, they deploy a PowerShell injector script to connect to their command-and-control (C2) server and use Cobalt Strike plugins for post-exploitation, including modifying registry keys for persistence and clearing event logs to evade detection. They perform lateral movement with reconnaissance tools, abuse Group Policy Objects to execute malicious scripts, and ultimately extract credentials with Mimikatz. A pre-configured installer script on their C2 server suggests further attacks are planned.
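The summary above does not say how the crafted requests look, which is what a defender needs in order to find them in web-server logs. CVE-2024-4577 is an argument-injection bug: on Windows, php-cgi maps a soft hyphen (0xAD) to an ordinary hyphen, so a query string that percent-encodes the soft hyphen as %AD is parsed as php-cgi command-line options, for example %ADd+allow_url_include%3D1 becomes -d allow_url_include=1, and a second -d auto_prepend_file=php://input makes PHP execute the POST body. The script below is an added example for this page, not part of the Talos report or the exploit it names: it scans Apache access-log lines for that pattern and grades each hit. The log lines are constructed for the example, with RFC 5737 documentation addresses.

```powershell
# Added example: flag CVE-2024-4577 exploitation attempts in Apache access logs.
# Sample lines are constructed; replace with Get-Content over a real log.

$sampleLog = @'
203.0.113.10 - - [12/Jan/2025:03:14:07 +0900] "POST /index.php?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2025:03:14:09 +0900] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:03:15:22 +0900] "POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3D0+%ADd+cgi.redirect_status_env%3D0 HTTP/1.1" 200 40 "-" "python-requests/2.31"
192.0.2.5 - - [12/Jan/2025:03:16:01 +0900] "GET /search.php?q=soft%ADhyphen HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'@

# INI directives and the stream wrapper an attacker chains to turn the POST body into
# executed PHP, or to reach php-cgi.exe directly; matched as regexes against the query
$dangerousDirectives = 'allow_url_include', 'auto_prepend_file', 'cgi\.force_redirect', 'cgi\.redirect_status_env', 'php://input'

function Find-Cve20244577Attempts {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            # Common/Combined Log Format: client identd user [time] "METHOD target PROTO" ...
            if ($line -notmatch '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*"') { continue }
            $ip = $Matches['ip']; $time = $Matches['time']; $method = $Matches['method']; $target = $Matches['target']
            $query = if ($target.Contains('?')) { $target.Split('?', 2)[1] } else { '' }

            # %AD followed by a letter is the soft-hyphen-to-dash trick; the hex digits may be any case
            $options = @([regex]::Matches($query, '%AD(?<opt>[a-z])', 'IgnoreCase') | ForEach-Object { '-' + $_.Groups['opt'].Value })
            $hits    = @($dangerousDirectives | Where-Object { $query -match $_ })
            if ($options.Count -eq 0 -and $hits.Count -eq 0) { continue }

            # Both signals together is the exploit; a lone %AD may be a Latin-1 soft hyphen in real data
            $confidence = if ($options.Count -gt 0 -and $hits.Count -gt 0) { 'high' }
                          elseif ($options.Count -gt 0) { 'medium' } else { 'low' }
            [pscustomobject]@{
                Time       = $time
                SourceIP   = $ip
                Method     = $method
                Options    = ($options -join ' ')
                Directives = ($hits -join ', ')
                Confidence = $confidence
                Target     = $target
            }
        }
    }
}

# Usage on the constructed sample; for a real log: Get-Content .\access.log | Find-Cve20244577Attempts
Find-Cve20244577Attempts -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

On the sample, the two POSTs from 203.0.113.10 come out as high confidence (injected -d options plus the directives they set), the search request is medium (a lone %AD with no directive, which needs a human look), and the ordinary page request produces nothing. Matching on the raw request line matters here: decoding the URL first would turn %AD into the very character the check keys on and lose the distinction from a legitimately encoded hyphen.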
Winsage
February 13, 2025
The Russian state-sponsored hacking group Sandworm, affiliated with the GRU, has been using pirated Microsoft Key Management Service (KMS) activation tools to infiltrate Ukrainian Windows systems since late 2023. They distribute a malicious ZIP file named "KMSAuto++x64_v1.8.4.zip" on torrent platforms, which, when executed, deploys the BACKORDER loader and disables Windows Defender. The BACKORDER loader then downloads the Dark Crystal Remote Access Trojan (DcRAT) from attacker-controlled domains, enabling data theft, including keystrokes and browser credentials. The campaign exploits Ukraine's high prevalence of unlicensed software, estimated at 70% in the public sector, which widens the pool of potential victims. Researchers have linked this activity to Sandworm through shared infrastructure and tactics, highlighting its role in Russia's hybrid warfare strategy against Ukraine. Cybersecurity experts recommend avoiding pirated software and implementing robust security measures to mitigate these threats.
Winsage
February 11, 2025
Windows is a popular operating system known for its versatility, but it ships with few advanced troubleshooting and system-monitoring tools. Sysinternals is a suite of utilities developed by Microsoft for power users and IT professionals, offering deeper visibility into and control over a system. Key tools in the Sysinternals suite include:
- Process Explorer (procexp.exe): Provides a detailed overview of running processes, including resource usage and file access, and allows users to identify locked files and potential malware.
- Process Monitor (procmon.exe): Records file system, registry, and process activity in real time, with filtering options to diagnose performance issues and application errors.
- Autoruns (autoruns.exe): Displays all startup programs and processes, allowing users to disable or delete unnecessary entries to improve performance and security.
- TCPView (tcpview.exe): Shows active TCP and UDP connections, detailing which processes own them, enabling users to manage network activity.
- SDelete (sdelete.exe): A command-line tool for secure file deletion that overwrites data to prevent recovery, useful for safeguarding sensitive information.
- ZoomIt (zoomit.exe): Enhances presentations by allowing users to zoom in on screen areas and annotate, beneficial for educators and IT professionals.
- RamMap (rammap.exe): Analyzes physical memory allocation, helping identify memory leaks and inefficient usage.
- PendMoves (pendmoves.exe): Lists files scheduled for moving or deletion at the next reboot, aiding in troubleshooting file modification issues.
- BgInfo (bginfo.exe): Generates a desktop background displaying vital system information, customizable to the user's needs.
The integration of these tools into Windows would enhance its diagnostic and troubleshooting capabilities, benefiting both everyday and power users.
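Of the tools listed, Autoruns is the one a security engineer reaches for first, and the list does not show how to use it at scale. The script below is an added example for this page, not part of the Sysinternals suite or its documentation: it drives the console version of Autoruns (autorunsc.exe, shipped in the same suite) to enumerate every autostart location, including scheduled tasks, services and drivers, with Authenticode verification and file hashes, then keeps only the entries worth a second look. It assumes autorunsc.exe is on PATH (pass -Autorunsc with a full path otherwise), and the "trusted directories" list is this example's own heuristic, not anything Autoruns computes.

```powershell
# Added example: triage Autoruns output for unsigned, missing or oddly placed images.
# Run elevated so autorunsc can read every location. Assumes autorunsc.exe on PATH.

function Get-SuspiciousAutoruns {
    param([string]$Autorunsc = 'autorunsc.exe')

    # -a *      all entry categories          -c  CSV output
    # -s        verify Authenticode signatures -h  file hashes (MD5/SHA-1/SHA-256/IMP)
    # -t        timestamps normalised to UTC   -nobanner/-accepteula for unattended use
    $entries = & $Autorunsc -accepteula -nobanner -a '*' -c -s -h -t | ConvertFrom-Csv

    # Heuristic (this example's assumption): images under these roots are less interesting
    $trustedRoots = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

    foreach ($e in $entries) {
        $image = $e.'Image Path'
        if (-not $image) { continue }                      # entries with no image to check

        $reasons = @()
        # With -s the Signer column starts with "(Verified)" only for a valid Authenticode chain
        if ($e.Signer -notlike '(Verified)*') { $reasons += "signer: $($e.Signer)" }
        if ($image -like 'File not found*') {
            $reasons += 'image missing on disk'             # orphaned entry, or hijack target
        } elseif (-not @($trustedRoots | Where-Object { $image -like $_ }).Count) {
            $reasons += 'image outside Windows/Program Files'
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Location = $e.'Entry Location'                 # e.g. Task Scheduler, HKLM\...\Run
            Entry    = $e.Entry
            Enabled  = $e.Enabled
            Image    = $image
            Launch   = $e.'Launch String'
            SHA256   = $e.'SHA-256'
            Reason   = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousAutoruns | Sort-Object Location, Entry | Format-Table -AutoSize -Wrap
```

Run it once on a known-good build and keep the output; diffing a later run against that baseline on the SHA256 and Launch columns is a quicker way to spot a new persistence entry than reading the whole list each time. An unsigned entry is a lead, not a verdict: plenty of legitimate vendors still ship unsigned helpers, which is why the hash is in the output for a lookup.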