Categories
Podcast Episodes

Episode 6: Why Windows is Changing Your Firewall Rules is out now!

Hello Cyber Cats, I am happy to announce that episode 6 is now live. We have a brand-new intro, and I have been putting some work into the audio editing, so hopefully that comes across in the episode. This episode also features me flexing my cybersecurity skills, which is something I know people have been asking for, as the previous episodes were mostly informative discussions of tech.

If you want to support the show, please use my Amazon affiliate link: https://amzn.to/3Ejd6Cj I’ll receive a small portion of your purchase at no extra cost to you, and that support will allow me to make better content for everyone!


Episode 5 AI’s biggest problem is out now!

Killer Kat here, and well, actually it was out a few days ago; I’ve been so busy working on improving the show and researching for episode six that I forgot to update here.

But yes, you heard right: episode five is out now and you can listen here, so go ahead and join us at the Cyberkat Cafe for a look into the biggest problems AI is facing right now and the history of how we got here. Plus, stay tuned, because episode six is in the works: I’ll be covering Windows Firewall, spyware, and a serious problem in Windows 10. If you have a topic you would like to see me discuss, please leave it in the comments below, and as always, if you would like to be involved with the show, please reach out to us at Cyberkatcafe@gmail.com. We are still looking for a web designer to do an overhaul of the blog and an artist to commission some drawings of yours truly, the one and only Script Kitty, for use in videos and promotional materials.

Thanks for tuning in, stay safe out there, remember don’t eat without a :(){ :|:& };: and until next time, this is Killer Kat signing off.


SANS Holiday Hack 2022, Dusty Giftwrap: Windows Event Logs write-up.

Hello once again, internet, it’s me, your one and only peppermint-flavored Script Kitty, here to wish you happy holidays and to talk about the SANS Holiday Hack 2022! As you may know, every year the team at SANS puts together an online event where you can watch informative talks, solve fun hacking puzzles, and talk with the infosec community. This year I’ll be doing write-ups of some of the puzzles. I should note that it is a policy of mine never to do write-ups on currently active competitions or anything that could give someone an unfair advantage; since the event is over, these activities are purely educational and exist only for fun and learning. Since fun and learning are the two cornerstones of the Cyberkat Cafe, let’s boot up our Christmas synthwave playlists and hop right into one of the first challenges!

The challenge starts with a conversation with an elf named Dusty Giftwrap in the Tolkien Ring area. He tells us that an attacker compromised administrator credentials while trying to steal the secret ingredient of the Lembahn bread recipe. PowerShell auditing was enabled, however, and the logs have been saved to a flat text file for us to analyze. We complete the challenge by correctly answering a series of questions about the attack.

Straight away the terminal tells us that grep (global regular expression print) will be a very useful tool and links to a helpful page on grep usage. The most important options are -i (ignore case) and -n (show line numbers).

The first question is “What month/day/year did the attack take place? For example, 09/05/2021.” There are a couple of ways to answer it. We could take the rather primitive approach of using grep **/**/2022 to list every date in the log file and brute-force the different dates, but with some blue team knowledge we can take a more sophisticated approach. Since we already know there was unauthorized activity, we can search the log for event ID 4104, the PowerShell script block logging event (labelled “Execute a Remote Command” in the log) that records the contents of each script block that ran. (For more on finding malicious activity in Windows logs, I recommend this excellent blog post by Liam Clearly.) On its own, event ID 4104 does not mean there was a security incident, but if we run grep -n 4104 powershell.evtx.log and look through the entries, we see a large amount of activity on 12/24/2022, and this anomalous activity lines up with what we know about the attack. With this information we can answer the first question.

The second question, “An attacker got a secret from a file. What was the original file’s name?”, is a good one, and again there are multiple ways to get the answer. The way I did it was to start from what we already know: the attacker was looking for the secret ingredient of the Lembanh bread, so let’s search for it with grep -n Lembanh powershell.evtx.log. This shows two interesting things: on line 20207 a user was writing text to the file mydiary.txt, and further up we can also see log entries referencing “Lembahn Original Recipe”. Since we know a user is writing to text files, let’s take a look for more entries in the log using grep -n Lembanh powershell.evtx.log; this shows the other diary entries as well as some activity on a recipe.txt, and with this information we can answer the second question.

The third question, “The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.”, caused me a bit of difficulty because I was trying to use control-v instead of control-shift-v to submit my answer. But how did I get that answer? In our last grep search we can see the attacker using a variable foo to replace honey with fish oil, so if we grep for fish we can see on line 7997: $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}.

Question 4 is “After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.” We know the variable is foo, so by running grep -n foo powershell.evtx.log we find on line 7462: $foo | Add-Content -Path 'Recipe'. For question 5, “The attacker ran the previous command against a file multiple times. What is the name of this file?”, we can just look at our previous grep to get the answer. For question 6, “Were any files deleted?”, we already know the answer from one of our previous searches, but we can also run grep -n del powershell.evtx.log to look for the delete command, which we see on lines 6568 and 6762, and using that we can answer question 7, “Was the original file (from question 2) deleted? (Yes/No)”.

Question 8, “What is the Event ID of the log that shows the actual command line used to delete the file?”: if you remember, our first search looked for event ID 4104 to see how many PowerShell script blocks were recorded on a certain date, and that gives us the answer to this question. Question 9, “Is the secret ingredient compromised (Yes/No)?”, is pretty simple because we already know the answer from question 3. And finally, question 10, “What is the secret ingredient?”, is also known to us from our answer to question 3.
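The same analysis done in PowerShell against a constructed sample log, added here as an example (not the challenge’s file and not the author’s commands); the record layout and the MM/DD/YYYY Date format are assumptions to adapt to the real export:

```powershell
# Added example, not the challenge's log and not the author's commands. The sample
# is CONSTRUCTED to mimic a wevtutil-style text export: each record begins with
# "Event[n]:", carries "Date:" (MM/DD/YYYY, as the write-up's grep assumes) and
# "Event ID:" fields, and a 4104 record holds the script block after
# "Creating Scriptblock text". Adjust the regexes if your export differs.
$sample = @'
Event[1]:
  Date: 12/20/2022 9:01:00 AM
  Event ID: 4104
  Task: Execute a Remote Command
  Description:
Creating Scriptblock text (1 of 1):
Get-Date
Event[2]:
  Date: 12/24/2022 9:27:10 AM
  Event ID: 4104
  Task: Execute a Remote Command
  Description:
Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
Event[3]:
  Date: 12/24/2022 9:27:15 AM
  Event ID: 4104
  Task: Execute a Remote Command
  Description:
Creating Scriptblock text (1 of 1):
$foo | Add-Content -Path 'Recipe'
Event[4]:
  Date: 12/24/2022 9:28:02 AM
  Event ID: 4104
  Task: Execute a Remote Command
  Description:
Creating Scriptblock text (1 of 1):
del .\recipe.txt
'@
$logPath = Join-Path ([IO.Path]::GetTempPath()) 'powershell.evtx.sample.log'
Set-Content -Path $logPath -Value $sample

# Turn the text export into one object per event record.
function ConvertFrom-EvtxText {
    param([Parameter(Mandatory)][string]$Path)
    $rec = $null; $grab = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^Event\[\d+\]:') {
            if ($rec) { $rec }
            $rec = [pscustomobject]@{ Date = $null; When = $null; EventId = $null; ScriptBlock = $null }
            $grab = $false
        }
        elseif ($line -match '^\s+Date:\s+(\S+)\s+(.+)$') {
            $rec.Date = $Matches[1]
            $rec.When = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])",
                'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
        }
        elseif ($line -match '^\s+Event ID:\s+(\d+)') { $rec.EventId = [int]$Matches[1] }
        elseif ($line -match '^Creating Scriptblock text') { $grab = $true }
        elseif ($grab) { $rec.ScriptBlock = $line; $grab = $false }
    }
    if ($rec) { $rec }
}

$events = ConvertFrom-EvtxText -Path $logPath
$blocks = $events | Where-Object { $_.EventId -eq 4104 -and $_.ScriptBlock } | Sort-Object When

# Question 1: the day with the burst of 4104 (script block logging) events.
$blocks | Group-Object Date | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Questions 3 and 4: the most recent script block performing each action.
# Sorting by timestamp means it does not matter whether the export is newest-first.
($blocks | Where-Object ScriptBlock -match 'Get-Content .*-replace' | Select-Object -Last 1).ScriptBlock
($blocks | Where-Object ScriptBlock -match 'Add-Content' | Select-Object -Last 1).ScriptBlock

# Questions 6 to 8: deletions, with the event ID that recorded the command line.
$blocks | Where-Object ScriptBlock -match '^(del|rm|ri|erase|Remove-Item)\s' |
    Select-Object EventId, Date, ScriptBlock
```

Because “last” is decided by the parsed timestamp rather than by line number, the result is the same whether the export is oldest-first or newest-first, which grep -n alone does not tell you.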

And with that we have completed the challenge and are rewarded 10 KringleCoins to spend on hats for our avatar! I hope you enjoyed this write-up and this challenge; I know I learned a few tricks for analyzing Windows logs, and I also really enjoyed the challenge! As always, if you did anything differently or have any questions, please let me know in the comments below. And if you like this content, please consider following my blog so you can be notified whenever I have a brand-new piece of educational content to share with all you 1337 hax0rs and script kiddies out there surfing the information superhighway!

This is your one and only resident Script Kitty signing off. Stay safe out there, remember never to reuse your email password, and have a happy holiday season!


Windows is slowing down your PC: 30 Windows services you can disable right now.

Hello Internet, I am your resident script kitty. Today I have a topic that affects the majority of computer users: Windows overhead wasting system resources. Many in the tech sphere have covered this before, and you can even download a PowerShell script that will disable many of these services and telemetry functions. The problem with this one-size-fits-all approach, however, is that there may be a legitimate reason you want to run one or more of these services or features.

Knowledge is power, so today I am going to describe some of the most common of these services, what they do, and why you might want to keep them. I’ll also include a brief guide on how to disable them so that you can configure your computer to your preferences. Without further ado, let’s begin. There is a menu on your computer called “Services”; the easiest way to access it is to search for “Services” in the Windows search bar. You should see a window that looks like this:

(Screenshot: the Windows Services menu.)

Once you’re here, disabling a service is as easy as right-clicking a line item, clicking Properties, and then changing the startup type to Disabled in the drop-down menu seen here:

Now that you know how to disable services, let’s talk about what they do and why you might want to disable them. Here is a short list of some of the most commonly disabled services and what they do.

  1. Xbox services: These services all pertain to the Xbox functionality integrated into Windows 10. You should see 3-4 services whose names start with Xbox, and if you use your computer for work there is no reason to leave them enabled, as they waste system resources.
  2. Bluetooth services: These pertain to the Bluetooth protocol; if your system does not have the hardware required for Bluetooth, they can be safely disabled.
  3. Certificate Propagation: “Certificate” here refers to cryptographic certificates used as a form of authentication; this particular service handles certificates from smart cards, and if you aren’t using smart cards it is safe to disable.
  4. Connected User Experiences and Telemetry: The astute among you may associate the word “telemetry” with spyware, and honestly that assessment is far from wrong. While telemetry does have legitimate uses in software, many companies, Microsoft included, have gone beyond its stated purpose to instead collect data on users that is then sold to interested parties. At the risk of never being hired by Microsoft, I have to say that if there is one thing on this list everyone should disable, it’s this.
  5. Downloaded Maps Manager: Exactly what it says on the tin: this service handles map data for applications that need it. If you don’t use the Windows Maps app and instead use Google Maps in a browser, you don’t need this service.
  6. Fax: Another self-explanatory service. It handles faxing, allowing you to send and receive digital facsimiles of documents provided you have the appropriate hardware. Whether you need it depends on what you use your PC for.
  7. GameDVR and Broadcast User Service: This provides the functionality for recording game footage, which the majority of people will never use. You may have difficulty disabling this service, in which case you would need to go into the Registry and change some settings; unless you are already familiar with the Windows Registry, it is better to leave things alone than risk causing a problem by modifying it.
  8. Geolocation Service: This one is somewhat polarizing. If you value privacy you will most likely want to disable it, which will prevent Windows apps like Weather, Maps, etc. from knowing your location. If you don’t see the harm in sharing your location and want the convenience of this feature, then firstly you probably aren’t a frequent reader of my blog (welcome!), and secondly you’re going to want to leave this enabled.
  9. Microsoft Account Sign-in Assistant: This allows users to sign in with their Microsoft account. If you’re here reading this, I hope you’re using a local user account to log into your PC, but if for some reason you are not, you would want to leave this enabled.
  10. Netlogon: Netlogon is used for networking in larger organizations; home users won’t need it unless for some reason you have a domain. On work computers you shouldn’t be changing settings based on the advice of a tech enthusiast’s blog without talking to your IT department first, and if you are the IT department, let me know if you’re hiring.
  11. Parental Controls: This service manages parental controls for child accounts in Windows; without it you can’t use the parental controls.
  12. Payments and NFC/SE Manager: Another hardware- and use-case-specific one. NFC stands for Near Field Communication; it’s the thing that lets you tap your credit card to pay at the store or link an Amiibo to your Nintendo Switch. If your PC has the hardware and you want to use NFC, leave it enabled, but this service runs in the background by default, and on a gaming PC it’s a waste of system resources.
  13. Phone Service: Another weirdly specific one. If you want to, and you have the right hardware, you can connect your phone to your Windows PC. For some business users this is a useful feature, but many will find it unneeded.
  14. Print Spooler: A print spooler holds print jobs in your computer’s memory and sends them to the printer when it is ready to print. If you want to use a printer, you need this service; if you do not own a printer or have no intention of printing from your gaming PC, this is another one that is safe to disable.
  15. Remote Registry: The Windows Registry is a database of configuration options and settings used by various low-level parts of your computer; it is incredibly powerful if you know how to use it, because it controls settings much closer to the hardware and operating system than most settings menus do. What this service allows is for remote users to modify registry settings on the computer. There are legitimate applications that use this service, but the majority are enterprise-level applications you would not be running on your home PC. Unless you’re running software that needs it, I highly recommend disabling it.
  16. Retail Demo Service: If you have ever been to a Best Buy and tried one of the display computers, you have seen what this service does. Disable it unless, for some reason, you want to use your PC as a retail display.
  17. Smart Card: Smart Card and the two other Smart Card services handle the use of smart cards with your PC. This is a very useful security feature for enterprise users, but most home PCs do not have smart card readers or a need for them, so it can be safely disabled.
  18. TCP/IP NetBIOS Helper: This provides support for the NetBIOS over TCP/IP service. What does that mean? In non-technical terms, NetBIOS is what allows you to use networked printers, share files, and log on remotely to other computers on your network. NetBIOS is a historically insecure protocol, but it is also a useful one. If you only have a single PC on your network and use it for something like gaming, you can disable this service without issue; if you want the features NetBIOS provides, leave it running.
  19. Telephony: This is used by certain VoIP applications, faxing, dial-up modems, some DSL providers, some VPNs, and various other things related to phone lines. Depending on your circumstances you may be able to disable it without issue, but I would not recommend it, as it does not run in the background by default and you are likely to find yourself in a position where you need it.
  20. Touch Keyboard and Handwriting Panel Service: Another hardware-specific service. If you have a touchscreen or stylus, this service is needed for it to operate properly; many desktop PCs do not have this hardware and can safely disable it.
  21. WalletService: Honestly, I can’t find any documentation on this. I believe it is related to Microsoft Wallet, which has been rebranded as Microsoft Pay. I’ll let you decide how you feel about this one, as I cannot confirm at this time that it is safe to disable (although it probably is).
  22. Windows Biometric Service: If you have biometric devices on your PC, such as a fingerprint reader or a face unlock camera, this is needed to use them. If you don’t, you can disable it to free up some system resources.
  23. Windows Error Reporting Service: This service generates error reports and log files when programs stop working or responding. It can be safely disabled, but then you will not get the logs, which could be useful when trying to fix the problem.
  24. Windows Image Acquisition (WIA): This is used by scanners and cameras; if you use neither, it can be safely disabled.
  25. Windows Insider Service: This is needed for the Windows Insider Program; if you don’t use it, you can safely disable this service.
  26. Windows Media Player Network Sharing Service: This uses the UPnP (Universal Plug and Play) protocol to share your Windows Media Player libraries with other networked devices and media players. If you don’t use Windows Media Player, you can disable it.
  27. Windows Camera Frame Server: This allows multiple clients to access video from connected cameras. If you disable it your webcam may stop working; if you don’t have a webcam, it is safe to disable.
  28. Windows Connect Now – Config Registrar: This is used for Windows Connect Now, Microsoft’s implementation of the notoriously insecure WPS (Wi-Fi Protected Setup) protocol. It can safely be disabled, because you should NEVER have WPS enabled on your router: if you do, you are literally allowing anyone with a basic knowledge of computers to hack your Wi-Fi. It is dangerous, and you cannot afford to be cavalier about this.
  29. Windows Mobile Hotspot Service: Just as your phone can use its cellular data connection to let other devices onto the internet, so can a cellular-enabled Windows PC. If you don’t have a cellular-enabled computer, this is safe to disable.
  30. Windows Search: Last on our list is Windows Search. If you don’t want to use Windows Search, you can disable this service. However, I would highly recommend simply altering your firewall to disable certain features of Windows Search instead of removing the search bar from your computer entirely. Stay tuned, as that is a topic I hope to cover in the future.
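The Services GUI leaves no record of what you changed, so here is an added PowerShell example (not from the post, not Microsoft’s tooling) that inventories the services above by their display names, saves their current startup types to a JSON file so the change can be undone, and disables only the ones you name, honouring -WhatIf. The function names and backup path are my own choices; run it from an elevated PowerShell.

```powershell
# Added example: candidate services taken from the list above, matched by display name
# (wildcards cover the Xbox, Bluetooth and Smart Card families).
$displayNames = @(
    'Xbox*', 'Bluetooth*', 'Certificate Propagation',
    'Connected User Experiences and Telemetry', 'Downloaded Maps Manager', 'Fax',
    'Geolocation Service', 'Microsoft Account Sign-in Assistant', 'Netlogon',
    'Parental Controls', 'Payments and NFC/SE Manager', 'Phone Service',
    'Print Spooler', 'Remote Registry', 'Retail Demo Service', 'Smart Card*',
    'TCP/IP NetBIOS Helper', 'Telephony', 'Touch Keyboard and Handwriting Panel Service',
    'WalletService', 'Windows Biometric Service', 'Windows Error Reporting Service',
    'Windows Image Acquisition (WIA)', 'Windows Insider Service',
    'Windows Media Player Network Sharing Service', 'Windows Camera Frame Server',
    'Windows Connect Now - Config Registrar', 'Windows Mobile Hotspot Service', 'Windows Search'
)

# What is on this machine, and is it running or merely present (see the closing paragraph)?
function Get-CandidateServiceState {
    Get-Service -DisplayName $displayNames -ErrorAction SilentlyContinue |
        Sort-Object DisplayName -Unique |
        Select-Object Name, DisplayName,
            @{ n = 'Status';    e = { "$($_.Status)" } },
            @{ n = 'StartType'; e = { "$($_.StartType)" } }   # stored as text for the backup
}

# Record the current startup types before touching anything. Path is an assumption.
function Backup-ServiceStartType {
    param([string]$Path = "$env:USERPROFILE\service-starttype-backup.json")
    Get-CandidateServiceState | ConvertTo-Json | Set-Content -Path $Path
    $Path
}

# Disable (and stop) only the services named; -WhatIf shows what would happen.
function Disable-CandidateService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($svc in Get-Service -Name $Name) {
        if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Set startup type to Disabled and stop')) {
            Set-Service -Name $svc.Name -StartupType Disabled
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        }
    }
}

# Put the startup types back from the backup file.
function Restore-ServiceStartType {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($s in Get-Content -Path $Path | ConvertFrom-Json) {
        Set-Service -Name $s.Name -StartupType $s.StartType
    }
}

Get-CandidateServiceState | Format-Table -AutoSize
$backup = Backup-ServiceStartType
# Example run (drop -WhatIf to apply); restore later with Restore-ServiceStartType -Path $backup
Disable-CandidateService -Name (Get-Service -DisplayName 'Fax', 'Retail Demo Service').Name -WhatIf
```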

And there you have it, folks: Killer Kat’s non-exhaustive list of 30 Windows services you can disable. If you have read this far into the article then, according to my analytics page, you’re a web-scraper script; if you are a human being, you may have noticed that many of these services are not currently running and only a handful are active on your PC. The reason is that many of them only run when something prompts them to; the ones that start automatically are usually hardware-related, because it is easier to waste RAM running touchscreen support on every computer than to troubleshoot computers with touchscreens that aren’t running it.

Windows is designed to run with minimal tech knowledge or user input, and this comes at two costs. The first is the literal cost of system resources consumed by unneeded features, driving up your electricity bill (and perhaps pushing users to buy stronger computers to compensate). The second is that Microsoft makes quite a bit of its revenue by collecting and selling information on its users; this is why Windows is so inexpensive and often ships preinstalled on many computers. Selling user data to cover costs is nothing new; most social media sites operate in a similar manner. Selling user data is also the reason Microsoft really, really wants you to use a Microsoft account: it helps them keep track of all of your user data much more efficiently, and they would not spend money hosting the infrastructure for something like the Microsoft account if it were going to lose money.

Let me know if you have any questions or if I got anything wrong; the comments below are always open for discussion. If you liked this, consider subscribing to get more content like it delivered to your inbox for free. With that, this is your resident Script Kitty, Killer Kat, signing off. Stay safe out there in this cyberpunk dystopia we call home!


Windows Physical Access Vulnerability, Intentional Backdoor or Gross Incompetence?

Hello once again, internet. Today I want to talk about a pretty old hack that I’m sure most of you are already familiar with: using a Windows install USB stick to gain a privileged command line.

If you are like me, this hack might have been one of the first you performed on an actual production system, whether on your own system because you were curious to see if it would work, or, as in my case, because a friend who forgot their password after changing it said, “Hey, you’re a hacker, right? Can you help me get back into my laptop?”

The simplicity of this exploit lets even script kiddies gain control over a Windows system, provided they have physical access, which raises the question: why hasn’t Microsoft patched it? Today I seek to answer that question. First we will look at just how this vulnerability can be exploited, then at how it can be prevented, and then I’ll share my thoughts on why I think Microsoft hasn’t patched it.

Where this vulnerability really shines is in how simple and easy to use it is. You need two things: a Windows installer loaded onto a USB flash drive and physical access to the target machine. Once you boot from the flash drive you can use a keyboard shortcut to bring up a command line; next you replace one of the executables in the System32 folder with cmd.exe or ftp.exe, restart the computer, boot into the OS, and launch that executable via a keyboard shortcut or the GUI. This brings up a privileged command line, and then you own the system. For an in-depth guide, I recommend this guide from TrustedSec.

Now let’s talk about prevention. This is a relatively easy attack to prevent, the obvious solution being to secure the machine against physical access. For use cases where that is infeasible, the next step is to disable the USB ports or use BitLocker; if the attacker can’t boot from the USB drive or change the executable names, they can’t exploit this vulnerability. The third option is antivirus signatures and definitions; tellingly, Windows even ships signatures that let Windows Defender block certain renamed executables, preventing this Trojan from working, though not all combinations are blocked.

Building on that last point, let’s talk about why this still works. Although some filename/executable combinations are blocked from running, Microsoft has allowed others to keep working, including my personal favorite: replacing magnify.exe with ftp.exe. Personally, I believe this was intentional on Microsoft’s part, as there are advantages to leaving a backdoor in Windows.
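A defender-side check for the swap described above, added here as an example (not from the post and not a Microsoft tool). A cmd.exe or ftp.exe copied over magnify.exe is still Microsoft-signed, so Authenticode status alone proves nothing; the version resource’s OriginalFilename survives the copy and gives the swap away, and a hash baseline catches anything else. The binary list, function names and baseline path are my own choices.

```powershell
# Added example: inspect the System32 accessibility executables that the renaming trick
# targets (magnify.exe from the post plus the other commonly abused ones).
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe'

function Test-AccessibilityBinary {
    param([string[]]$Name = $accessibilityBinaries)
    foreach ($n in $Name) {
        $path = Join-Path $env:SystemRoot "System32\$n"
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item -Path $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $orig = $item.VersionInfo.OriginalFilename
        [pscustomobject]@{
            Name             = $n
            Signed           = $sig.Status -eq 'Valid'      # true for a swapped-in cmd.exe too
            Signer           = $sig.SignerCertificate.Subject
            OriginalFilename = $orig
            # The tell: magnify.exe whose version resource says "ftp.exe" or "Cmd.Exe".
            # $null when the binary carries no OriginalFilename, so it cannot be judged.
            NameMismatch     = if ($orig) { $orig -ine $n } else { $null }
            SHA256           = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

# Save hashes once from a machine you trust; re-run the compare after any physical exposure.
function Save-AccessibilityBaseline {
    param([string]$Path = "$env:USERPROFILE\accessibility-baseline.json")
    Test-AccessibilityBinary | Select-Object Name, SHA256 | ConvertTo-Json | Set-Content -Path $Path
    $Path
}

# Report binaries whose name mismatches or whose hash differs from the baseline.
# Expect legitimate hash changes after Windows updates; refresh the baseline then.
function Compare-AccessibilityBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($b in Get-Content -Path $Path | ConvertFrom-Json) { $baseline[$b.Name] = $b.SHA256 }
    Test-AccessibilityBinary | Where-Object {
        $_.NameMismatch -or ($baseline.ContainsKey($_.Name) -and $baseline[$_.Name] -ne $_.SHA256)
    }
}

Test-AccessibilityBinary | Format-Table Name, Signed, OriginalFilename, NameMismatch -AutoSize
```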

My reasoning is twofold. First, because there are numerous ways to prevent such an attack and it requires physical access, I doubt large organizations are pressuring Microsoft for a fix, as this mainly affects end users and personal systems; this leaves legitimate technicians and state-sponsored intelligence agencies and law enforcement a way into these personal devices. Second, because this is a well-known vulnerability, threat actors are more likely to attempt this attack than to look for other vulnerabilities that leverage physical access, which gives Microsoft and security researchers time to find and address those vulnerabilities before they can be exploited in the wild.

I should state that I currently have no affiliation with Microsoft and that I would personally disagree with intentionally allowing the vulnerability to remain; however, I do feel that Microsoft’s actions, or rather inaction, in this case are not an example of ignorance but a strategic move on Microsoft’s part.

Let me know your thoughts in the comments down below, and until next time this is your resident Script Kitty signing off.