16 August 2021

Enable Hyper-V on a Hyper-V VM

Pure genius this:

On the Hyper-V host, expose the virtualization extensions to the specific VM:

Set-VMProcessor -VMName "guest VM name" -ExposeVirtualizationExtensions $true

Then enable Hyper-V inside the guest VM:

Windows 10
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

Server 2016 & 2019
Install-WindowsFeature -Name Hyper-V, RSAT-Hyper-V-Tools
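The host-side step with the checks the one-liner skips, plus an audit of which guests already have the extensions exposed (added example, not the post's own commands; the VM name is a placeholder and the Hyper-V module is assumed to be present on the host):

```powershell
# Added example: enable nested virtualization for one VM with prerequisite and read-back
# checks, then list every VM on the host that exposes virtualization extensions, so the
# setting (which lets a guest run its own hypervisor) stays auditable.
function Enable-NestedVirtualization {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # Set-VMProcessor refuses to change a running VM; fail early with a clear message
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State); shut it down before exposing virtualization extensions."
    }
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

    # Read the setting back instead of trusting that the call succeeded
    $proc = Get-VMProcessor -VMName $VMName
    if (-not $proc.ExposeVirtualizationExtensions) {
        throw "ExposeVirtualizationExtensions is still false on '$VMName'."
    }
    return $proc
}

function Get-NestedVirtualizationVMs {
    # Audit helper: which guests on this host are allowed to run a hypervisor of their own
    Get-VM | Get-VMProcessor |
        Where-Object { $_.ExposeVirtualizationExtensions } |
        Select-Object VMName, ExposeVirtualizationExtensions
}

Enable-NestedVirtualization -VMName "guest VM name"   # placeholder name
Get-NestedVirtualizationVMs
```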

05 August 2021

List of potential dangerous attachment types and their file extensions to block

List of potential dangerous attachment types and their file extensions to block:

.EXE – An executable program file. Most of the applications running on Windows are .exe files.

.PIF – A program information file for MS-DOS programs. While .PIF files aren’t supposed to contain executable code, Windows will treat .PIFs the same as .EXE files if they contain executable code.

.APPLICATION – An application installer deployed with Microsoft's ClickOnce technology.

.GADGET – A gadget file for the Windows desktop gadget technology introduced in Windows Vista.

.MSI – A Microsoft installer file. These install other applications on your computer, although applications can also be installed by .exe files.

.MSP – A Windows installer patch file. Used to patch applications deployed with .MSI files.

.COM – The original type of program used by MS-DOS.

.SCR – A Windows screen saver. Windows screen savers can contain executable code.

.HTA – An HTML application. Unlike HTML applications run in browsers, .HTA files are run as trusted applications without sandboxing.

.CPL – A Control Panel file. All of the utilities found in the Windows Control Panel are .CPL files.

.MSC – A Microsoft Management Console file. Applications such as the group policy editor and disk management tool are .MSC files.

.JAR – .JAR files contain executable Java code. If you have the Java runtime installed, .JAR files will be run as programs.

.BAT – A batch file. Contains a list of commands that will be run on your computer if you open it. Originally used by MS-DOS.

.CMD – A batch file. Similar to .BAT, but this file extension was introduced in Windows NT.

.VB, .VBS – A VBScript file. Will execute its included VBScript code if you run it.

.VBE – An encrypted VBScript file. Similar to a VBScript file, but it’s not easy to tell what the file will actually do if you run it.

.JS – A JavaScript file. .JS files are normally used by webpages and are safe if run in Web browsers. However, Windows will run .JS files outside the browser with no sandboxing.

.JSE – An encrypted JavaScript file.

.WS, .WSF – Windows Script files.

.WSC, .WSH – Windows Script Component and Windows Script Host control files. Used along with Windows Script files.

.PS1, .PS1XML, .PS2, .PS2XML, .PSC1, .PSC2 – A Windows PowerShell script. Runs PowerShell commands in the order specified in the file.

.MSH, .MSH1, .MSH2, .MSHXML, .MSH1XML, .MSH2XML – A Monad script file. Monad was later renamed PowerShell.

.SCF – A Windows Explorer command file. Could pass potentially dangerous commands to Windows Explorer.

.LNK – A link to a program on your computer. A link file could potentially contain command-line attributes that do dangerous things, such as deleting files without asking.

.INF – A text file used by Autorun. If run, this file could potentially launch dangerous applications it came with or pass dangerous options to programs included with Windows.

.REG – A Windows registry file. .REG files contain a list of registry entries that will be added or removed if you run them. A malicious .REG file could remove important information from your registry, replace it with junk data, or add malicious data.

.DOCM, .DOTM, .XLSM, .XLTM, .XLAM, .PPTM, .POTM, .PPAM, .PPSM, .SLDM – File extensions introduced in Office 2007. The M at the end of the extension indicates that the document contains macros. For example, a .DOCX file contains no macros, while a .DOCM file can contain macros.

.GZ – GNU zipped archive file.

.ACE – Proprietary compressed archive created by WinAce.

.ZIP, .RAR – Compressed archives, used to obfuscate malware.


Source

04 August 2021

Add file extensions to the default Exchange Online Protection MalwareFilterPolicy with PowerShell

By default there are only a few extensions on the EOP list:

Get-MalwareFilterPolicy -Identity default | fl filetypes

FileTypes : ace, ani, app, docm, exe, jar, reg, scr, vbe, vbs

You might want to add some more; here is a quick way to do so.

First run the following in your PowerShell session so that long lists are shown in full instead of being truncated:

$FormatEnumerationLimit = -1

Then run the following to add the desired extensions to the list. Note the + in +=: this is not an error, it appends to the existing list instead of replacing it.

$FileTypesAdd = Get-MalwareFilterPolicy -Identity Default | select -Expand FileTypes
$FileTypesAdd += "ace", "ani", "app", "appcontent-ms", "appref-ms", "bat", "cdxml", "cer", "cmd", "cnt", "com", "crt", "der", "diagcab", `
"docm", "epub", "exe", "grp", "hpj", "iqy", "jar", "jnlp", "js", "lnk", "mcf", "msh", "msu", "nzb", "par", "par2", "pif", "pl", "printerexport", `
"ps1", "ps1xml", "ps2", "ps2xml", "psc1", "psc2", "psd1", "psdm1", "pssc", "py", "pyc", "pyo", "pyw", "pyz", "pyzw", "reg", "scf", "scr", `
"settingcontent-ms", "theme", "udl", "vb", "vbe", "vbp", "vbs", "webpnp", "website", "wsb", "wsc", "wsh", "xbap", "xll", "xnk"
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $FileTypesAdd

Check the setting:

Get-MalwareFilterPolicy -Identity default | fl filetypes
In case you made a mistake and want to start over:

Set-MalwareFilterPolicy -Identity default -FileTypes $null
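A repeatable version of the same change, written as an added example rather than the post's own commands: it diffs the wanted extensions against what the policy already filters (the += above re-adds the defaults such as exe and vbs), shows what is new, and only writes the policy with -Apply. Assumes an Exchange Online PowerShell session; the function name is made up here.

```powershell
# Added example: merge extensions into an EOP malware filter policy without duplicates,
# report the difference first, and verify the policy after writing it.
function Add-MalwareFilterFileTypes {
    param(
        [string]$Identity = 'Default',
        [Parameter(Mandatory)][string[]]$Extensions,
        [switch]$Apply   # without -Apply the function only reports what would change
    )

    $policy  = Get-MalwareFilterPolicy -Identity $Identity
    # Normalise both sides (lower-case, no leading dot, no blanks) so "EXE" and ".exe" match "exe"
    $current = @($policy.FileTypes | ForEach-Object { $_.ToLower().TrimStart('.') })
    $wanted  = @($Extensions | ForEach-Object { $_.ToLower().TrimStart('.') } | Where-Object { $_ })

    $new = @($wanted | Where-Object { $current -notcontains $_ } | Sort-Object -Unique)
    if ($new.Count -eq 0) {
        Write-Host "Nothing to add; all $($wanted.Count) extensions are already filtered by '$Identity'."
        return
    }
    Write-Host "Not yet filtered by '$Identity': $($new -join ', ')"

    if ($Apply) {
        $merged = @($current + $new | Sort-Object -Unique)
        Set-MalwareFilterPolicy -Identity $Identity -EnableFileFilter $true -FileTypes $merged
        # Read the policy back and confirm every wanted extension is now present
        $check   = @((Get-MalwareFilterPolicy -Identity $Identity).FileTypes | ForEach-Object { $_.ToLower() })
        $missing = @($wanted | Where-Object { $check -notcontains $_ })
        if ($missing.Count) { throw "Policy update incomplete, still missing: $($missing -join ', ')" }
        Write-Host "Policy '$Identity' now filters $($check.Count) extensions."
    }
}

# The post's list; trim it to what your organisation actually needs to block
$toBlock = "ace","ani","app","appcontent-ms","appref-ms","bat","cdxml","cer","cmd","cnt","com","crt",
           "der","diagcab","docm","epub","exe","grp","hpj","iqy","jar","jnlp","js","lnk","mcf","msh",
           "msu","nzb","par","par2","pif","pl","printerexport","ps1","ps1xml","ps2","ps2xml","psc1",
           "psc2","psd1","psdm1","pssc","py","pyc","pyo","pyw","pyz","pyzw","reg","scf","scr",
           "settingcontent-ms","theme","udl","vb","vbe","vbp","vbs","webpnp","website","wsb","wsc",
           "wsh","xbap","xll","xnk"

Add-MalwareFilterFileTypes -Extensions $toBlock          # dry run: prints what would be added
Add-MalwareFilterFileTypes -Extensions $toBlock -Apply   # write the policy and verify it
```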

03 August 2021

Create certificates in bulk from .CSR files with PowerShell

This is a bit of a work in progress, if anyone can help me out with the last bit.
I know it can be done with a foreach statement but haven't had the time to test it.

<#
  .Synopsis
     Request certificates from csr's
  .DESCRIPTION
     This script requests certificates from an on-premises CA
     Define you CA, PKI name, and output path
     Then copy the lines below for each certificate and fill the name between the quotes

     $name = ""
     $filename = "$name.cer"
     $status = Submit-CertificateRequest -path "C:\Scripts\Get-CertificateFromCSR\CSR\$name.csr" -CA $PKI -Attribute "CertificateTemplate:Webserver" 
     $ReqID = $status.requestid
     Get-IssuedRequest -RequestID $reqID -CertificationAuthority $PKI | Receive-Certificate -Path $OutPath\$name -Force
     cd $outpath\$name
     $item = ls
     Rename-Item -path $item -newname $filename

  .Created by
     Edwin van Brenk
  .Created for
     vanbrenk.blogspot.com
  .Date
     03-08-2021
  .Version
     1.0
  #>

# Run as Admin
Import-Module pspki

cd C:\Scripts\Get-BulkCertFromCSR\csr

$ca = Connect-CA caname.domain.lan
$PKI = "CAname.domain.lan"
$OutPath = "C:\Scripts\Get-CertificateFromCSR\IssuedCertificates\"

<#
$name = ""
$filename = "$name.cer"
$status = Submit-CertificateRequest -path "C:\Scripts\Get-CertificateFromCSR\CSR\$name.csr" -CA $PKI -Attribute "CertificateTemplate:Webserver" 
$ReqID = $status.requestid
Get-IssuedRequest -RequestID $reqID -CertificationAuthority $PKI | Receive-Certificate -Path $OutPath\$name -Force
cd $outpath\$name
$item = ls
Rename-Item -path $item -newname $filename

#>


$name = "Certificate-01"
$filename = "$name.cer"
$status = Submit-CertificateRequest -path "C:\Scripts\Get-CertificateFromCSR\CSR\$name.csr" -CA $PKI -Attribute "CertificateTemplate:Webserver"
$ReqID = $status.requestid
Get-IssuedRequest -RequestID $reqID -CertificationAuthority $PKI | Receive-Certificate -Path $OutPath\$name -Force
cd $outpath\$name
$item = ls
Rename-Item -path $item -newname $filename

$name = "Certificate-02"
$filename = "$name.cer"
$status = Submit-CertificateRequest -path "C:\Scripts\Get-CertificateFromCSR\CSR\$name.csr" -CA $PKI -Attribute "CertificateTemplate:Webserver"
$ReqID = $status.requestid
Get-IssuedRequest -RequestID $reqID -CertificationAuthority $PKI | Receive-Certificate -Path $OutPath\$name -Force
cd $outpath\$name
$item = ls
Rename-Item -path $item -newname $filename

$name = "Certificate-03"
$filename = "$name.cer"
$status = Submit-CertificateRequest -path "C:\Scripts\Get-CertificateFromCSR\CSR\$name.csr" -CA $PKI -Attribute "CertificateTemplate:Webserver"
$ReqID = $status.requestid
Get-IssuedRequest -RequestID $reqID -CertificationAuthority $PKI | Receive-Certificate -Path $OutPath\$name -Force
cd $outpath\$name
$item = ls
Rename-Item -path $item -newname $filename
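The foreach version of the script above, as an added example (not the post's code): one request per .csr file in the folder, with the request outcome reported per file instead of assuming every CSR was issued. Assumes the PSPKI module and the same CA, template and folders as the post; adjust those to your environment.

```powershell
# Added example: request one certificate per .csr with PSPKI, report per-file outcome
Import-Module pspki

$PKI      = "CAname.domain.lan"                                   # CA config string from the post
$CsrPath  = "C:\Scripts\Get-CertificateFromCSR\CSR"               # one .csr per certificate
$OutPath  = "C:\Scripts\Get-CertificateFromCSR\IssuedCertificates"
$Template = "CertificateTemplate:Webserver"

New-Item -ItemType Directory -Path $OutPath -Force | Out-Null

$results = foreach ($csr in Get-ChildItem -Path $CsrPath -Filter *.csr) {
    $name   = $csr.BaseName
    $status = Submit-CertificateRequest -Path $csr.FullName -CA $PKI -Attribute $Template
    if (-not $status) {
        [pscustomobject]@{ Name = $name; RequestID = $null; Status = 'SubmitFailed'; File = $null }
        continue
    }
    $reqID = $status.RequestID

    # Only an issued request can be received; a pending (manager approval) or denied
    # request is reported instead, so nobody assumes every CSR produced a certificate.
    $issued = Get-IssuedRequest -RequestID $reqID -CertificationAuthority $PKI
    if (-not $issued) {
        [pscustomobject]@{ Name = $name; RequestID = $reqID; Status = 'NotIssued'; File = $null }
        continue
    }

    $target = Join-Path $OutPath $name
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $issued | Receive-Certificate -Path $target -Force
    # As in the post, the folder now holds one freshly written file; give it the CSR's name
    $file = Get-ChildItem -Path $target -File | Sort-Object LastWriteTime | Select-Object -Last 1
    if ($file.Name -ne "$name.cer") { $file | Rename-Item -NewName "$name.cer" -Force }
    [pscustomobject]@{ Name = $name; RequestID = $reqID; Status = 'Issued'; File = (Join-Path $target "$name.cer") }
}

# One line per CSR, with the CA request ID so each issuance can be traced in the CA database
$results | Format-Table -AutoSize
```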

Convert .cer .p12 and .pfx files to .pem files in bulk with PowerShell

One of those things I have to do every year or so, and rather than doing things by hand, let PowerShell help me out.

<#
  .Synopsis
     Convert .cer to .pem
  .DESCRIPTION
     This script converts .cer, .p12, and .pfx certificate files to .pem files
     Just define the source folder and the target folder
  .Created by
     Edwin van Brenk
  .Created for
     vanbrenk.blogspot.com
  .Date
     03-08-2021
  .Version
     1.0
  #>

# Copy your .cer files to the temp dir below
mkdir C:\Temp\CerToPEM\cerfolder 2> $null
$cerfolder = "C:\Temp\CerToPEM\cerfolder"
# Copy your .p12 files to the temp dir below
mkdir C:\Temp\CerToPEM\p12folder 2> $null
$p12folder = "C:\Temp\CerToPEM\p12folder"
# Copy your .pfx files to the temp dir below
mkdir C:\Temp\CerToPEM\pfxfolder 2> $null
$pfxfolder = "C:\Temp\CerToPEM\pfxfolder"
# The new .pem files will end up in this folder
mkdir C:\Temp\CerToPEM\pemfolder 2> $null
$pemfolder = "C:\Temp\CerToPEM\pemfolder"

# Function to convert .cer, .p12 and .pfx certs to .pem
# certutil -encode base64-wraps the whole input file between BEGIN/END CERTIFICATE markers,
# so a .p12/.pfx converted this way still contains the complete PKCS#12 bundle (private key
# included), not a bare PEM certificate.
function convert {

Get-ChildItem $cerfolder\*.cer | ForEach-Object {
  certutil -encode $_.FullName ("{0}\{1}.pem" -f $_.DirectoryName,$_.BaseName)
}

Get-ChildItem $p12folder\*.p12 | ForEach-Object {
  certutil -encode $_.FullName ("{0}\{1}.pem" -f $_.DirectoryName,$_.BaseName)
}

Get-ChildItem $pfxfolder\*.pfx | ForEach-Object {
  certutil -encode $_.FullName ("{0}\{1}.pem" -f $_.DirectoryName,$_.BaseName)
}
}

convert

# After converting you can move the .pem files out of the source folder into the .pem destination folder
Move-Item $cerfolder\*.pem -Destination $pemfolder
Move-Item $p12folder\*.pem -Destination $pemfolder
Move-Item $pfxfolder\*.pem -Destination $pemfolder
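A check to run after the conversion, added here as an example and not part of the post's script: it decodes each .pem in the destination folder, confirms it loads as a bare certificate, and reports subject and expiry, so a file that is really a base64-wrapped PKCS#12 bundle (what certutil -encode produces from a .p12 or .pfx) is flagged before it gets deployed. Assumes the same $pemfolder as the post; the function name is made up here.

```powershell
# Added example: validate the .pem output of the conversion script
$pemfolder = "C:\Temp\CerToPEM\pemfolder"

function Test-PemCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -Path $Path -Raw
    # Pull the base64 body between the markers that certutil -encode writes
    $m = [regex]::Match($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) {
        return [pscustomobject]@{ File = $Path; Valid = $false; Subject = $null; NotAfter = $null
                                  Note = 'No PEM certificate markers found' }
    }
    try {
        $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        # A bare DER certificate never carries a key; a passwordless PKCS#12 bundle does
        $note = if ($cert.HasPrivateKey) { 'Loaded a PKCS#12 bundle with a private key, not a bare certificate' } else { '' }
        return [pscustomobject]@{ File = $Path; Valid = (-not $cert.HasPrivateKey); Subject = $cert.Subject
                                  NotAfter = $cert.NotAfter; Note = $note }
    } catch {
        # Password-protected PKCS#12 and other non-certificate content end up here
        return [pscustomobject]@{ File = $Path; Valid = $false; Subject = $null; NotAfter = $null
                                  Note = "Could not load as a certificate: $($_.Exception.Message)" }
    }
}

Get-ChildItem -Path $pemfolder -Filter *.pem |
    ForEach-Object { Test-PemCertificate -Path $_.FullName } |
    Format-Table -AutoSize
```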