Wednesday 3 April 2024

How to Backup BitLocker Key to Azure AD Using PowerShell

BitLocker is a security feature built into Windows that provides encryption for entire volumes. It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. By encrypting the hard drive where Windows is installed, or the entire computer if it has multiple drives, BitLocker helps protect your data.

BitLocker is particularly useful as it provides protection against unauthorised changes to your system such as firmware-level malware. It also helps mitigate unauthorised data access by enhancing file and system protections. BitLocker is an essential tool for securing your data, especially when data breaches and information theft are common.

The Command

Here is the command that we’ll be using:

BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId

This command backs up the BitLocker key protector of type “RecoveryPassword” for the system drive to AAD.

Outputting the Key Protector to the Screen

If you want to output the key protector to the screen, you can use the following command:

(Get-BitLockerVolume -MountPoint C).KeyProtector

This command retrieves the key protector for the C drive and outputs it to the screen.

Wednesday 27 March 2024

Resolving PowerShell Module Installation Error

When installing a PowerShell module, you may encounter the following error:

WARNING: Unable to resolve package source ''

This error can occur due to various reasons, but one common cause is related to the Transport Layer Security (TLS) version that your PowerShell system is using.

The Role of TLS

The PowerShell Gallery, where PowerShell modules are hosted, only accepts connections using TLS 1.2 or later. If your system is using an older version of TLS, it may fail to establish a connection with the PowerShell Gallery, resulting in the error mentioned above.

The Solution

To resolve this issue, you need to force your PowerShell system to use TLS 1.2. This can be achieved by running the following command in your PowerShell session:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

This command sets the security protocol of your PowerShell session to TLS 1.2. After running this command, you should be able to install the PowerShell module without encountering the error.

Please note that this change will only apply to the current PowerShell session. If you start a new session, you will need to run the command again.

Wednesday 20 March 2024

How to Troubleshoot Sophos UTM Update Failures Due to Insufficient Disk Space

Upon deploying Sophos UTM appliances, you might find that the Up2Date process fails due to a lack of disk space. This is common if there's a backlog of updates or if the appliance was initialized with an outdated build. Unfortunately, the Sophos UTM interface does not readily indicate this problem, showing only the availability of updates without hinting at potential installation issues.

Diagnosing the Problem

To understand the root cause, you need to inspect the Up2Date log:

Navigate to Management | Up2Date | Configuration.

Switch the Firmware and Pattern Download options to Manual and apply the changes.

Visit Management | Up2Date | Overview, open the live log or select Up2Date Messages, and initiate a check for Up2Date packages.

A message indicating a failure due to insufficient space in /var/up2date/sys confirms the issue.

Resolving Disk Space Issues

Resolution requires cautious shell access, given the potential risks involved. After backing up your system, follow these steps:

Enable shell access on your Sophos UTM and log in as loginuser.

Elevate your access with su – and navigate to /var/up2date/sys.

Verify free space with df –h . and remove outdated updates using rm *.

Recheck the available space to ensure the updates have been cleared.

Triggering Up2Date Firmware Check

After clearing space, initiate a new firmware check and download process with audld.plx --trigger--verbose. Monitor the downloads and stop the process as needed to prevent space exhaustion. Attempt the update installation again, this time using auisys.plx --no-reboot --verbose for a controlled update without automatic reboots.

Finalizing the Update Process

With the necessary updates installed, it's advisable to revert the Up2Date settings to automatic updates for firmware and patterns. This ensures ongoing protection without manual intervention, automating the download while keeping installation under your control.

Friday 8 March 2024

Mastering Threat Detection with Microsoft 365 Defender Advanced Hunting: Queries and Strategies for Proactive Cybersecurity

Microsoft 365 Defender Advanced Hunting is a powerful, query-based threat hunting tool that allows security professionals to proactively search for threats across their organization's digital environment. This capability is part of Microsoft Defender XDR and enables you to inspect events across devices, emails, applications, and identities within your network by leveraging up to 30 days of raw data. Advanced Hunting is designed to help you identify both known and potential threats through unconstrained searching, using the Kusto Query Language (KQL) for crafting queries.

The tool supports two modes: guided and advanced. If you're new to KQL or prefer a more structured approach, the guided mode offers a query builder to assist you. For those more experienced with KQL, the advanced mode allows for direct query crafting from scratch. It's also possible to use the queries developed during hunting to create custom detection rules, which can then automatically monitor for similar threat patterns and respond to them as needed.

Advanced hunting covers data from various sources within the Microsoft ecosystem, including Microsoft Defender for Endpoint, Office 365, Cloud Apps, and Identity, providing a comprehensive view of your organization's security posture. It's crucial to have the appropriate roles and permissions to access this feature, and data freshness is maintained rigorously with event data being available almost immediately and entity data updated every 15 minutes​​.

Several practical examples showcase the flexibility and power of Advanced Hunting:

Identify Devices with a Specific File:

This query checks if devices have files from a known malicious sender, useful for identifying devices affected by a malware distribution campaign.

| where SenderFromAddress =~ ""
| where isnotempty(SHA256)
| join (
    | project FileName, SHA256, DeviceName, DeviceId
) on SHA256

Monitor Specific PowerShell Activities:

This example targets PowerShell processes and searches for suspicious commands that could indicate exploitation attempts.

| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatngProcessCommandLine, FileName, ProcessCommandLine

Logon Events Post-Receiving a Malicious File:

This query investigates logon events occurring within a short timeframe after receiving a malicious file, helping to identify potential breaches.

| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"
| project EmailReceivedTime = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
    | where Timestamp > ago(7d)
    | project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - EmailReceivedTime) between (0min .. 30min)

Activities from Specific Cloud Apps:

A query to monitor activities from cloud apps, like Microsoft SharePoint Online, involving specific users or IP addresses.

| where Application == "Microsoft SharePoint Online"
| take 100

Investigate Cloud App File Uploads:

For tracking file uploads to SharePoint Online, this modified query adapts to the new CloudAppEvents table.

| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where ObjectType == "File" and ObjectName endswith ".xlsx"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode

Investigate Defender Folder Access Control

This tracks processes that have been blocked

| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

Each of these queries utilizes the Kusto Query Language (KQL) to interrogate various datasets available through Microsoft 365 Defender, from endpoint activities to cloud application events. They demonstrate how flexible and powerful Advanced Hunting can be when identifying, investigating, and responding to potential security threats across an organization's Microsoft 365 environment​​​​​​​

Tuesday 20 February 2024

Optimizing Disk Space: A Visual Guide to Linux's du Command

Understanding how to monitor and manage disk usage is essential for both administrators and power users. One powerful command that stands out for its utility in managing disk space is 

du -hsx /* | sort -rh | head -10

Let's break down this command to understand its functionality and significance.

The command du -hsx /* | sort -rh | head -10 is a pipeline of three commands, each performing a unique function, working together to report the sizes of the top 10 directories that occupy the most space on the root filesystem:

du -hsx /*: The du (disk usage) command estimates file space usage. The flags used here are:

-h (human-readable): Converts the output to a more readable format using the most appropriate unit (KB, MB, GB).

-s (summarize): Displays only a total for each argument.

-x (one file system): Skips directories on different filesystems, focusing only on the root filesystem.

This part of the command scans all directories in the root (/*) and provides a summarized, human-readable output of their sizes, ensuring it only accounts for directories on the root filesystem.

sort -rh: This command sorts the output from the du command.

-r (reverse): Sorts the output in reverse order, placing larger items at the top.

-h (human-readable): Sorts numbers with unit suffixes (K, M, G, etc.), ensuring that 10M is considered larger than 9G.

head -10: This final command in the pipeline takes the sorted list of directory sizes and displays the top 10 entries. This is particularly useful for quickly identifying which directories are using the most disk space, allowing for efficient space management decisions.

This command is especially useful for system administrators and users who need to quickly identify high disk usage directories to clean up or monitor space usage. By focusing on the largest directories, one can efficiently manage disk space, ensuring that the system remains stable and that critical operations have enough space to function correctly.

Tuesday 6 February 2024

Alexa Occupancy sense

Alexa's Occupancy Sense is a feature that enhances the functionality of Echo devices by detecting the presence of individuals in a room without any direct command or action from the user, using built-in sensors and microphones to discern activity and occupancy. 

Occupancy Sense leverages environmental cues such as sound and movement to enable Echo devices to initiate predefined routines or actions based on the detected presence of people. This feature automates various tasks, like adjusting lighting or playing media, without requiring specific verbal commands, making interaction with smart home devices more intuitive.

Device Compatibility

This advanced feature is supported by newer models of Echo devices equipped with the necessary hardware to detect occupancy through sound and motion. Users should refer to the most current information from Amazon to determine if their Echo devices are compatible with Occupancy Sense.

Routines and Cooldown Mechanism

When Alexa routines are automatically executed when occupancy is detected they appears to be a cooldown of about 30 minutes, to avoid excessive triggering of the routines.  This cooldown ensures that automated actions, such as activating lights or music, are not only responsive but also practical and not overly frequent.

Wake Word Triggering and Presence Detection

When you use the wake word for an Alexa device, it assumes someone is there. If you have several Echo devices close to each other, talking to one can accidentally activate another because it "hears" the wake word and thinks someone is in the room. To prevent this, you can set a different wake word for each Alexa device in your house. This way, devices won't mistakenly respond when you're talking to another one, keeping things running smoothly.

Tuesday 5 December 2023

Enhancing Email Security with First Contact Safety Tip in Microsoft 365

Email security is paramount. Microsoft 365 offers a feature called the First Contact Safety Tip, which is part of the anti-phishing policies in Microsoft Defender for Office 365. This safety tip is a proactive measure to alert users when they receive an email from a sender they haven’t interacted with before. 

To enable this feature and why it’s beneficial.
  1. Access the Microsoft 365 Defender Portal: Go to “”.

  2. Navigate to ‘Policies & Rules’: In the left-hand menu, select ‘Policies & Rules’.

  3. Go to ‘Threat Policies’: Here, you’ll find various options for managing your security policies.

  4. Select ‘Anti-Phishing’: Under the ‘Email & Collaboration’ section, click on ‘Anti-phishing’.

  5. Edit or Create a Policy: You can choose to edit the default policy or create a new one by clicking ‘+ Create’.

  6. Enable the Safety Tip: In the policy settings, find and turn on the ‘Show first contact safety tip’ setting.

Benefits of Enabling First Contact Safety Tip:
  • Increased Awareness: Users are made aware of new contacts, which encourages vigilance against potential phishing attempts.

  • Prevent Impersonation: It helps prevent attackers from impersonating trusted contacts.

  • User Empowerment: Empowers users to make informed decisions about the legitimacy of new email contacts.

  • Easy Implementation: The feature is simple to enable and can be applied organization-wide.

By implementing the First Contact Safety Tip, organizations can add an extra layer of security to their email communication, helping to protect against phishing and other email-based threats. It’s a small step that can make an impact on your organization’s cybersecurity posture.

Remember, staying ahead of security threats is a continuous process, and features like the First Contact Safety Tip are valuable tools in your defence arsenal.