Thoughts about security, beer, music and stuff

Auditing Passwords with Active Directory Properties


Posted on August 28, 2015 by

Have you ever been looking through Active Directory and noticed something strange in one of the fields?  Maybe the Organization or Description field holds an odd string of letters, numbers, and symbols.  You think, “Huh, that kind of looks like a password.”

Ding! Ding! Ding!

Yes, it happens.  Either through lack of understanding or just laziness, passwords sometimes get put into the plain-text fields in AD.  This is dangerous because, by default, those fields are readable by every authenticated user on the domain, and no special rights or tooling are needed to read them.

So how do you know if any of these fields are being used to store passwords?  I managed to cobble together a PowerShell script that can help. (more…)
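The following is an added example of such a check, not the script from the post.  It assumes the ActiveDirectory module (RSAT) and nothing more than an ordinary domain account, which is the point: it uses only the read access every authenticated user already has.  The attribute list, the heuristics and the output file name ad-password-audit.csv are my assumptions.

```powershell
# Added example (not the post's script). Assumes the ActiveDirectory module (RSAT).
# Runs as a plain domain user; no elevated rights are needed to read these attributes.
Import-Module ActiveDirectory

# Free-text attributes where passwords tend to be parked. Extend as needed; every
# name must exist in the schema or Get-ADObject will reject the -Properties list.
$Attributes = @('description', 'info', 'comment', 'title', 'department',
                'company', 'physicalDeliveryOfficeName', 'streetAddress')

function Test-PasswordLike {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    # Explicit markers first: "pw: Foo1!", "Password=...", "pwd : ..."
    if ($Value -match '(?i)\b(pass(word|wd)?|pwd|pw)\b\s*[:=]') { return $true }
    # Otherwise look for a single token that mixes at least three character
    # classes, the way a password does. URLs, UNC paths and e-mail addresses are
    # skipped because they also mix classes but are not secrets.
    foreach ($token in ($Value -split '\s+')) {
        if ($token.Length -lt 8 -or $token.Length -gt 64) { continue }
        if ($token -match '^(https?://|\\\\|[^@\s]+@[^@\s]+$)') { continue }
        $classes = 0
        if ($token -cmatch '[a-z]')        { $classes++ }
        if ($token -cmatch '[A-Z]')        { $classes++ }
        if ($token -match  '\d')           { $classes++ }
        if ($token -match  '[^A-Za-z0-9]') { $classes++ }
        if ($classes -ge 3) { return $true }
    }
    return $false
}

function Find-PasswordsInAD {
    param([string[]]$Properties = $Attributes)
    # Users, computers and groups all carry these attributes, so scan all three.
    Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=computer)(objectCategory=group))' `
                 -Properties $Properties |
        ForEach-Object {
            $obj = $_
            foreach ($attr in $Properties) {
                $val = $obj.$attr
                if ($null -eq $val) { continue }
                if ($val -is [byte[]]) { $val = [Text.Encoding]::UTF8.GetString($val) }
                $val = [string]::Join(' ', @($val))   # flatten multi-valued attributes
                if (Test-PasswordLike $val) {
                    [pscustomobject]@{
                        DistinguishedName = $obj.DistinguishedName
                        Attribute         = $attr
                        Value             = $val
                    }
                }
            }
        }
}

# Review the CSV by hand: the heuristic is deliberately loose, and a human decides
# which hits are real before anyone is asked to rotate a password.
Find-PasswordsInAD | Export-Csv -NoTypeInformation -Path '.\ad-password-audit.csv'
```

Expect false positives from asset tags, licence keys and the like; the cost of a false positive is a few seconds of review, while a missed hit is a password every domain user can read.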

Let’s Talk about Succession Planning


Posted on July 12, 2015 by

Last week I received an email from my web host.  It said that all customers needed to back up and move their data because the hosting service would be shutting down immediately.  It was a strange email.  After some digging, I found out that the reason for the shutdown was that the CEO had just died.  There was evidently no one who could step in and take over the business, so the decision was made to close.

Why would the unfortunate death of one employee, even a very high level employee, cause a business to shut down?  Simply put, it is the lack of succession planning.  What is succession planning and why is it important? (more…)



Posted on March 26, 2015 by

If you’re like me, you LOVE Volatility, the open source memory forensics tool.  One of the best features of Volatility is that it can be extended with user-created plugins.  SANS recently released an excellent Memory Forensics Poster that lists some great plugins.  Many thanks to Alissa Torres and her co-author for creating it.  Unfortunately, the poster doesn’t give the exact location of the plugins.  Below is the list of plugins used in the poster, where to download them, and any prerequisites. (more…)



Posted on October 22, 2014 by

Some time ago, I posted a PowerShell script that checks for changes in the NS records of your domains.  I’ve made some modifications to the script to reduce false positives.  Additionally, the script now emails the “before” and “after” results of the NSLookup command for easy comparison.

Updated script is below: (more…)

Version 1.3 of http-screenshot-html NSE script for NMAP


Posted on September 21, 2014 by

I’ve released a new version of my http-screenshot-html.nse script for NMAP.  I also moved the hosting to GitHub as Google Code no longer allows file uploads.


Version 1.3 is mostly a bug fix release.  The list of changes are below: (more…)

Configure File and Registry Auditing with PowerShell


Posted on April 19, 2014 by

At a conference this year, Michael Gough of MI2 Security gave a great talk.  One of the points he made was that auditing file and registry creation events on high-value folders and keys can provide information critical to detecting and remediating breaches.  PowerShell should be used to automate and standardize the process of configuring file and registry auditing.  I had some trouble finding information on using PowerShell in this way, so I created this post to collect what I found.

File auditing has to be configured in two steps.  Enabling the audit policy alone logs nothing, and a SACL on a folder or key does nothing until the policy is on.

STEP 1: File and Registry auditing should be turned on in the Audit Policy. (more…)
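Here is an added example of both steps in PowerShell; it is not the post’s own script.  It assumes an elevated session (changing the audit policy and touching a SACL both need administrator rights) and the target paths below are placeholders.

```powershell
# Added example (not the post's script). Run from an elevated PowerShell session.
# Identity S-1-1-0 is Everyone, used as a SID so it works on any locale.

function Enable-ObjectAccessAudit {
    # Step 1: turn on the Object Access subcategories the SACLs depend on.
    # Without this, SACLs are silently ignored and nothing reaches the Security log.
    foreach ($sub in 'File System', 'Registry') {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$sub' (exit code $LASTEXITCODE)" }
    }
}

function Add-FileAudit {
    param([Parameter(Mandatory)][string]$Path)
    # Step 2 for folders: audit creates, writes, deletes and ACL/owner changes by
    # anyone, success and failure, inherited down the tree. Reads are left out on
    # purpose: auditing ReadData on a busy folder floods the log with 4663 events.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -Path $Path -Audit      # -Audit is required or the SACL is not loaded
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryAudit {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'HKLM:\SOFTWARE\...\Run'
    # Step 2 for keys: value writes, subkey creation, deletion and ACL changes
    # produce 4663 (object access) and 4657 (registry value modified).
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $everyone,
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditRules {
    param([Parameter(Mandatory)][string]$Path)
    # Verification: show what the SACL actually contains after the change.
    (Get-Acl -Path $Path -Audit).Audit
}

# Placeholder targets: the web root and the per-machine Run key.
Enable-ObjectAccessAudit
Add-FileAudit     -Path 'C:\inetpub\wwwroot'
Add-RegistryAudit -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-AuditRules    -Path 'C:\inetpub\wwwroot' | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
Get-AuditRules    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
```

Check the result with auditpol /get /category:"Object Access" and by creating a test file under the audited folder, then looking for event 4663 in the Security log; if the policy is set by Group Policy rather than locally, the GPO wins on the next refresh and the auditpol change will be overwritten.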



Posted on February 19, 2014 by

I was recently reviewing the Advanced Security Audit settings available for Windows 2008 and above and decided to create a spreadsheet with all of the details. While Microsoft does have all of the details on their website, they are spread across multiple pages.  Having it all in one document made it easier to research each setting, compare the defaults to existing settings, and make recommendations for changes.  The spreadsheet can be downloaded from Google Drive below:


The spreadsheet contains two worksheets.  The first gives the default for each setting and the volume of logs generated with each setting.

The second worksheet lists every Event ID generated by each setting and the message associated with each Event ID.

Hopefully this will be useful to others.



Posted on October 17, 2013 by

UPDATE: A newer version of this script is here.

Last week, Johannes Ullrich shared a Bash script that checks for changes in NS records.  This was in a blog post about the DNS hijack.  I wanted to create a version of this script that would be usable on Windows machines, so I wrote the PowerShell script below that does pretty much the same thing as the Bash script.  The script runs nslookup.exe instead of dig and queries the DNS server for all NS records for a domain.  The result is saved to a file and compared with the previous query of the NS records stored in domain.old.  If there are any differences, an email is sent and an entry is made in the Application Event Log. (more…)
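The following is an added example of that check, written to cover both this post and the later update that emails the “before” and “after” results; it is not the author’s script.  It assumes nslookup.exe, a reachable SMTP relay, and that the event source was registered once from an elevated prompt with New-EventLog -LogName Application -Source 'NSRecordCheck'.  The domain, resolver, addresses, state directory and event ID are placeholders.

```powershell
# Added example (not the post's script). Assumes nslookup.exe, an SMTP relay, and a
# one-time, elevated:  New-EventLog -LogName Application -Source 'NSRecordCheck'
param(
    [string]$Domain     = 'example.com',
    [string]$Resolver   = '8.8.8.8',
    [string]$StateDir   = (Join-Path $env:ProgramData 'NSRecordCheck'),
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From       = 'nscheck@example.com',
    [string]$To         = 'secops@example.com',
    [string]$Source     = 'NSRecordCheck'
)

function Get-NSRecords {
    param([string]$Domain, [string]$Resolver)
    # Windows nslookup prints one "example.com  nameserver = ns1.example.net" line per
    # NS record. Everything else (server banner, "Non-authoritative answer:") is ignored.
    # Names are lower-cased and the trailing dot removed so ordering is stable and
    # cosmetic differences between resolvers do not trigger false positives.
    $out = & nslookup.exe -type=NS $Domain $Resolver 2>&1
    $ns = foreach ($line in $out) {
        if ("$line" -match 'nameserver\s*=\s*(\S+)') { $Matches[1].TrimEnd('.').ToLowerInvariant() }
    }
    return @($ns | Sort-Object -Unique)
}

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$oldFile = Join-Path $StateDir "$Domain.old"

$current = Get-NSRecords -Domain $Domain -Resolver $Resolver
if ($current.Count -eq 0) {
    # A resolver outage is not a hijack: log it, keep the old baseline, and stop.
    Write-EventLog -LogName Application -Source $Source -EntryType Error -EventId 1002 `
        -Message "No NS records returned for $Domain from $Resolver; baseline left unchanged."
    exit 1
}

$previous = @()
if (Test-Path $oldFile) { $previous = @(Get-Content $oldFile | Where-Object { $_ -ne '' }) }

if ($previous.Count -gt 0) {
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current
    if ($diff) {
        $body = "NS records for $Domain changed.`n`nBefore:`n" + ($previous -join "`n") +
                "`n`nAfter:`n" + ($current -join "`n")
        Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1001 -Message $body
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "NS change for $Domain" -Body $body
    }
}

# The current answer becomes the new baseline for the next run.
$current | Set-Content -Path $oldFile
```

Schedule it with Task Scheduler every few minutes; pointing it at a public resolver rather than your own gives an outside view of what the registry is publishing, which is what a hijack changes.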



Posted on September 26, 2013 by

Many organizations are moving to Mobile Device Management or MDM solutions to manage and control their mobile devices.  The proliferation of Android and Apple devices has almost made this a necessity.

One of the primary controls in an MDM solution is to prevent mobile devices from connecting to company email unless the device is both managed and compliant with company policy.  Almost every MDM vendor accomplishes this with a gateway.  In order for a mobile device to get email, it must first pass through an MDM gateway that checks (1) whether the device is managed by the MDM solution and (2) whether the device is compliant with company policy.  If it fails either test, it is prevented from retrieving email.

However, there is an issue.  The gateways used by MDM vendors only monitor and control the ActiveSync protocol.  They do not monitor or control the Outlook Anywhere (RPC over HTTPS) or Outlook Web Access (OWA) protocols.  Modern mobile devices are smart enough to try multiple protocols to connect to email if one of them fails.  So, in certain email domain configurations, a device is still able to retrieve email even though MDM is blocking its ActiveSync connection. (more…)

XenMobile (formerly Zenprise) Variables


Posted on March 28, 2013 by

UPDATE 2013-04-18: More variables!

I’ve been playing around with the Mobile Device Management (MDM) software from Citrix.  Last year, Citrix purchased Zenprise and renamed it XenMobile.  Overall, it’s a pretty solid platform for managing iOS and Android devices.  However, it does have a few dark corners.  One of these is the use of variables in its configurations.  They are not documented very well, which can make finding the right combination of variables for email setup difficult.  So I have created a list of the variables I have discovered and what they do.  As I discover more I will add to this list: (more…)