Only Forward
If you believe the possibility exists then you should seek it out. Keep moving, whatever it takes. Even if the way ahead lies through a river of mud.
Monday 15 July 2024
Enable Wireless Diagnostics in Windows
- Open Event Viewer
- Go to View and tick "Show Analytic and Debug Logs"
- Go to "Applications and Services Logs > Microsoft > Windows > WLAN-AutoConfig", right-click "Diagnostic" and open "Properties"
- Tick "Enable logging"
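The same change made from an elevated PowerShell session, as an added example that is not part of the original post. The channel name is derived from the Event Viewer path given in the steps; the function names are the example's own. Analytic and Debug channels differ from ordinary logs in that Get-WinEvent can only read them oldest-first, which the read-back function accounts for.

```powershell
# Added example, not from the original post: enable the WLAN-AutoConfig
# Diagnostic (analytic) channel and read back its most recent events.
# Run from an elevated session.
$Channel = 'Microsoft-Windows-WLAN-AutoConfig/Diagnostic'   # channel name taken from the Event Viewer path

function Enable-AnalyticLog {
    param([Parameter(Mandatory)][string]$LogName)
    # Get-WinEvent -ListLog returns an EventLogConfiguration object whose
    # IsEnabled property is the same switch as "Enable logging" in Properties
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }
    # Re-read so the caller sees the persisted state, not the in-memory object
    Get-WinEvent -ListLog $LogName
}

function Get-RecentAnalyticEvents {
    param([Parameter(Mandatory)][string]$LogName, [int]$Count = 20)
    # Analytic/Debug channels must be read with -Oldest; take the tail for the newest entries
    Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
        Select-Object -Last $Count |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Enable-AnalyticLog -LogName $Channel |
    Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes
Get-RecentAnalyticEvents -LogName $Channel
```

Disable the channel again (IsEnabled = $false, then SaveChanges()) once the diagnosis is done; analytic channels are verbose and are not meant to stay on.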
Wednesday 3 April 2024
How to Backup BitLocker Key to Azure AD Using PowerShell
BitLocker is particularly useful as it provides protection against unauthorised changes to your system such as firmware-level malware. It also helps mitigate unauthorised data access by enhancing file and system protections. BitLocker is an essential tool for securing your data, especially when data breaches and information theft are common.
The Command
Here is the command that we'll be using:
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
This command backs up the BitLocker key protector of type "RecoveryPassword" for the system drive to Azure AD (AAD).
Outputting the Key Protector to the Screen
If you want to output the key protector to the screen, you can use the following command:
(Get-BitLockerVolume -MountPoint C).KeyProtector
This command retrieves the key protectors for the C drive and outputs them to the screen. Note that the RecoveryPassword field of a RecoveryPassword protector is shown in clear text, so treat that output (and any transcript or log that captures it) as sensitive.
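The one-liner above assumes that the system drive has exactly one RecoveryPassword protector; if there is none, the inner `where` returns nothing and the backup cmdlet fails on a null KeyProtectorId. The following script, an added example that is not part of the original post, generalizes the command to every protected volume and handles that case. The cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) are the built-in BitLocker module's; the function name and the -AddIfMissing switch are the example's own.

```powershell
# Added example, not from the original post: back up every RecoveryPassword
# protector on every BitLocker-protected volume to Azure AD, optionally
# creating one where a volume has none. Run in an elevated session on a
# device joined to Azure AD. The recovery password itself is never emitted.
function Backup-AllRecoveryPasswordsToAAD {
    [CmdletBinding()]
    param(
        # Example's own switch: add a recovery password protector to volumes that lack one
        [switch]$AddIfMissing
    )

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Verbose "Skipping $($vol.MountPoint): protection is $($vol.ProtectionStatus)"
            continue
        }

        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        if (-not $rp) {
            if (-not $AddIfMissing) {
                Write-Warning "No RecoveryPassword protector on $($vol.MountPoint); nothing to back up"
                continue
            }
            Write-Verbose "No RecoveryPassword protector on $($vol.MountPoint); adding one"
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            # Re-query so we pick up the freshly created protector's id
            $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }

        # A volume may carry more than one recovery password; back each one up
        foreach ($p in $rp) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
                [pscustomobject]@{
                    MountPoint     = $vol.MountPoint
                    KeyProtectorId = $p.KeyProtectorId
                    BackedUp       = $true
                    Error          = $null
                }
            } catch {
                [pscustomobject]@{
                    MountPoint     = $vol.MountPoint
                    KeyProtectorId = $p.KeyProtectorId
                    BackedUp       = $false
                    Error          = $_.Exception.Message
                }
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAAD -AddIfMissing -Verbose | Format-Table -AutoSize
```

The result table lists only protector ids and a success flag, which is what an admin needs to confirm the escrow without exposing the 48-digit password on screen; verify the escrow afterwards in the device's BitLocker keys view in the Azure AD (Entra) portal.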
Wednesday 27 March 2024
Resolving PowerShell Module Installation Error
WARNING: Unable to resolve package source 'https://www.powershellgallery.com/api/v2'
This error can occur due to various reasons, but one common cause is related to the Transport Layer Security (TLS) version that your PowerShell system is using.
The Role of TLS
The PowerShell Gallery, where PowerShell modules are hosted, only accepts connections using TLS 1.2 or later. If your system is using an older version of TLS, it may fail to establish a connection with the PowerShell Gallery, resulting in the error mentioned above.
The Solution
To resolve this issue, you need to force your PowerShell session to use TLS 1.2. This can be achieved by running the following command in your PowerShell session:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
This command sets the security protocol of your PowerShell session to TLS 1.2. After running this command, you should be able to install the PowerShell module without encountering the error.
Please note that this change will only apply to the current PowerShell session. If you start a new session, you will need to run the command again.
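One refinement worth knowing, shown here as an added example that is not part of the original post: the assignment above replaces the whole protocol set, so anything else that was enabled (TLS 1.3, on runtimes that offer it) is switched off for the session. Combining with -bor adds TLS 1.2 instead. The function names and the $ModuleName placeholder are the example's own; Find-Module and Install-Module are PowerShellGet cmdlets.

```powershell
# Added example, not from the original post: enable TLS 1.2 for the current
# session without dropping protocols that are already enabled, confirm the
# gallery answers, and only then install.
function Enable-Tls12ForSession {
    $current = [Net.ServicePointManager]::SecurityProtocol
    if (($current -band [Net.SecurityProtocolType]::Tls12) -eq 0) {
        # -bor adds TLS 1.2 to the existing set; a plain assignment would also
        # remove anything else that was enabled
        [Net.ServicePointManager]::SecurityProtocol = $current -bor [Net.SecurityProtocolType]::Tls12
    }
    # Return the resulting set so the caller can see what is enabled
    [Net.ServicePointManager]::SecurityProtocol
}

function Test-PSGalleryReachable {
    try {
        # Find-Module performs the same HTTPS request Install-Module would,
        # so a TLS handshake failure surfaces here rather than mid-install
        $null = Find-Module -Name PowerShellGet -Repository PSGallery -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "PSGallery lookup failed: $($_.Exception.Message)"
        return $false
    }
}

$ModuleName = 'ModuleToInstall'   # placeholder: the module you actually want

Enable-Tls12ForSession
if (Test-PSGalleryReachable) {
    Install-Module -Name $ModuleName -Scope CurrentUser
}
```

Because the setting is per session, as the post notes, the Enable-Tls12ForSession call (or the one-liner above) can be placed in $PROFILE so it runs in every new session.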
Wednesday 20 March 2024
How to Troubleshoot Sophos UTM Update Failures Due to Insufficient Disk Space
Diagnosing the Problem
To understand the root cause, you need to inspect the Up2Date log:
- Navigate to Management | Up2Date | Configuration.
- Switch the Firmware and Pattern Download options to Manual and apply the changes.
- Visit Management | Up2Date | Overview, open the live log or select Up2Date Messages, and initiate a check for Up2Date packages.
- A message indicating a failure due to insufficient space in /var/up2date/sys confirms the issue.
Resolving Disk Space Issues
Resolution requires cautious shell access, given the potential risks involved. After backing up your system, follow these steps:
- Enable shell access on your Sophos UTM and log in as loginuser.
- Elevate your access with su - and change to /var/up2date/sys.
- Verify free space with df -h . and remove the outdated update packages using rm *.
- Recheck the available space to ensure the updates have been cleared.
Triggering Up2Date Firmware Check
After clearing space, initiate a new firmware check and download process with audld.plx --trigger --verbose. Monitor the downloads and stop the process as needed to prevent space exhaustion. Attempt the update installation again, this time using auisys.plx --no-reboot --verbose for a controlled update without automatic reboots.
Finalizing the Update Process
With the necessary updates installed, it's advisable to revert the Up2Date settings to automatic updates for firmware and patterns. This ensures ongoing protection without manual intervention, automating the download while keeping installation under your control.
Friday 8 March 2024
Mastering Threat Detection with Microsoft 365 Defender Advanced Hunting: Queries and Strategies for Proactive Cybersecurity
The tool supports two modes: guided and advanced. If you're new to KQL or prefer a more structured approach, the guided mode offers a query builder to assist you. For those more experienced with KQL, the advanced mode allows for direct query crafting from scratch. It's also possible to use the queries developed during hunting to create custom detection rules, which can then automatically monitor for similar threat patterns and respond to them as needed.
Advanced hunting covers data from various sources within the Microsoft ecosystem, including Microsoft Defender for Endpoint, Office 365, Cloud Apps, and Identity, providing a comprehensive view of your organization's security posture. It's crucial to have the appropriate roles and permissions to access this feature, and data freshness is maintained rigorously with event data being available almost immediately and entity data updated every 15 minutes.
Several practical examples showcase the flexibility and power of Advanced Hunting:
Identify Devices with a Specific File:
This query checks if devices have files from a known malicious sender, useful for identifying devices affected by a malware distribution campaign.
EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
| where isnotempty(SHA256)
| join (
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
Monitor Specific PowerShell Activities:
This example targets PowerShell processes and searches for suspicious commands that could indicate exploitation attempts.
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
Logon Events Post-Receiving a Malicious File:
This query investigates logon events occurring within a short timeframe after receiving a malicious file, helping to identify potential breaches.
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"
| project EmailReceivedTime = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| where Timestamp > ago(7d)
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - EmailReceivedTime) between (0min .. 30min)
Activities from Specific Cloud Apps:
A query to monitor activities from cloud apps, like Microsoft SharePoint Online, involving specific users or IP addresses.
CloudAppEvents
| where Application == "Microsoft SharePoint Online"
| take 100
Investigate Cloud App File Uploads:
For tracking file uploads to SharePoint Online, this modified query adapts to the new CloudAppEvents table.
CloudAppEvents
| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where ObjectType == "File" and ObjectName endswith ".xlsx"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode
Investigate Defender Folder Access Control
Each of these queries uses the Kusto Query Language (KQL) to interrogate the datasets available through Microsoft 365 Defender, from endpoint activities to cloud application events. They demonstrate how flexible and powerful Advanced Hunting can be when identifying, investigating, and responding to potential security threats across an organization's Microsoft 365 environment.
Tuesday 20 February 2024
Optimizing Disk Space: A Visual Guide to Linux's du Command
du -hsx /* | sort -rh | head -10
Let's break down this command to understand its functionality and significance.
The command du -hsx /* | sort -rh | head -10 is a pipeline of three commands, each performing a unique function, working together to report the sizes of the top 10 directories that occupy the most space on the root filesystem:
- du -hsx /*: The du (disk usage) command estimates file space usage. The flags used here are:
  - -h (human-readable): Converts the output to a more readable format using the most appropriate unit (KB, MB, GB).
  - -s (summarize): Displays only a total for each argument.
  - -x (one file system): Skips directories on different filesystems, focusing only on the root filesystem.
  This part of the command scans all directories in the root (/*) and provides a summarized, human-readable output of their sizes, ensuring it only accounts for directories on the root filesystem.
- sort -rh: This command sorts the output from the du command.
  - -r (reverse): Sorts the output in reverse order, placing larger items at the top.
  - -h (human-readable): Sorts numbers with unit suffixes (K, M, G, etc.) by their actual magnitude, so that, for example, 9G is ranked above 10M rather than compared as plain text.
- head -10: This final command in the pipeline takes the sorted list of directory sizes and displays the top 10 entries. This is particularly useful for quickly identifying which directories are using the most disk space, allowing for efficient space management decisions.
This command is especially useful for system administrators and users who need to quickly identify high disk usage directories to clean up or monitor space usage. By focusing on the largest directories, one can efficiently manage disk space, ensuring that the system remains stable and that critical operations have enough space to function correctly.
Tuesday 6 February 2024
Alexa Occupancy Sense
Occupancy Sense leverages environmental cues such as sound and movement to enable Echo devices to initiate predefined routines or actions based on the detected presence of people. This feature automates various tasks, like adjusting lighting or playing media, without requiring specific verbal commands, making interaction with smart home devices more intuitive.
Device Compatibility
This advanced feature is supported by newer models of Echo devices equipped with the necessary hardware to detect occupancy through sound and motion. Users should refer to the most current information from Amazon to determine if their Echo devices are compatible with Occupancy Sense.
Routines and Cooldown Mechanism
When Alexa routines are executed automatically on detected occupancy, there appears to be a cooldown of about 30 minutes to avoid excessive triggering of the routines. This cooldown ensures that automated actions, such as activating lights or music, are not only responsive but also practical and not overly frequent.
Wake Word Triggering and Presence Detection
When you use the wake word for an Alexa device, it assumes someone is there. If you have several Echo devices close to each other, talking to one can accidentally activate another because it "hears" the wake word and thinks someone is in the room. To prevent this, you can set a different wake word for each Alexa device in your house. This way, devices won't mistakenly respond when you're talking to another one, keeping things running smoothly.