Monday, August 26, 2019

Windows 10 Evaluation Build 1903 Download for testlab

Keep forgetting the download link to Windows Evaluation Versions?

Basically it's always available at https://software-download.microsoft.com/download/pr/ $ISO_NAME

For Windows 10 build 1903 (May 2019) it is:
https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso

sha256sum (or get-filehash filename -Algorithm SHA256 | Format-List) should produce:
"ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3"

Specifically for Packer:
  "variables": {
    "iso_checksum": "ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3",
    "iso_checksum_type": "sha256",
    "iso_url": "https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
    "autounattend": "./answer_files/10/unattend.xml",
    "disk_size": "61440"
  }

The easiest way to find the ISO filename is to register on https://www.microsoft.com/en-us/evalcenter/
Get the name from that download and calculate the hash, then automate the installation (Using Packer or whatever your favorite is).

The same principle apply for Windows Server.
Server 2016: 17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso
 is available at
https://software-download.microsoft.com/download/pr/17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso


Tuesday, August 13, 2019

It's about 5 years too late - But let us kill Internet Explorer

<RANT>

When even Microsoft doesn't support it anymore, there's a Window of Opportunity to get the funding to make it happen



Go prepare that presentation for management showing why anything requiring IE should go - NOW!

Any system that still require IE is outdated and thus likely a security risk, so identify those and do something about it. Identify the developer or vendor of those applications and have them updated.

If a vendor still only support IE or Flash or Silverlight, look elsewhere, they're not worth your time and money.

If you still require IE for some crappy internal application, blocking it from accessing the Internet (UserAgent "Mozilla/4.0 (compatible; MSIE*") will significantly lower your risk.

The upgrade recommendation on Github should be read from right-to-left if you want to protect your privacy too:

  1. Firefox 
  2. Google Chrome
  3. Microsoft Edge

</RANT>


Worth reading too:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-perils-of-using-internet-explorer-as-your-default-browser/ba-p/331732


Sunday, August 11, 2019

DMARC Reporting: Use Parsedmarc with Elastic



If you’re worried about hosting your DMARC data (not least the Forensics reporting) with a cloud provider, or just simply want to self-host because You’re already running the Elastic Stack or Splunk and want to save the $$ for the provider, there’s a tool for you called ‘Parsedmarc’ [1].

For further information on the tool, please read the description at [1] (It would be stupid repeating all of that here).



For the purpose of installing Parsedmarc on the Elastic Stack, here’s a simple shell script to do just that [2].

Prerequisites for the script:
  • Python3 Pip
  • X-Pack Security - You really should use that, it's part of the Basic License now
  • Run the script on the Elasticsearch node on which you want Parsedmarc to run
  • I disagree with using Cloudflare for name resolution, if your local DNS resolvers aren't running faster and better than them, you should look into your DNS setup, as well as use RPZ's to protect your organization.
And please don't forget to spare a thought (or a dime) for @seanthegeek who made this possible.


Monday, August 5, 2019

Installing logstash-filter-tld plugin for newer Logstash versions


The logstash tld plugin (logstash-filter-tld) is used to extract the individual labels of a fqdn. This is great for analysis of e.g. domains from a Domain Generation Algorithm (DGA). Unfortunately this plugin does not work on newer logstash versions. (See https://github.com/logstash-plugins/logstash-filter-tld/pull/10)
This is caused by java version requirements. To make it work, all that is needed is changing that requirement, then (re)building the gem. This is a few simple steps (done on Debian below - substitute with your distros package manager).
On the development machine:
The finalized plugin is now saved as logstash-filter-tld-3.0.3.gem. Copy that to your logstash instances, then install it using:
  • /usr/share/logstash/bin/logstash-plugin install --no-verify ./logstash-filter-tld-3.0.3.gem

For the logstash .conf-file(s) here's an example using the tld plugin:
filter {        

   tld {

        source => "computer_name"

    }


    mutate {

        rename => { "[tld][domain]" => "highest_registered_domain" }

        rename => { "[tld][trd]" => "sub_domain" }

        rename => { "[tld][tld]" => "top_level_domain" }

        rename => { "[tld][sld]" => "parent_domain" }

    }

}
 
 
Take a look at these logstash configurations too: https://github.com/HASecuritySolutions/Logstash

This post was first published on Peerlyst: https://www.peerlyst.com/posts/installing-logstash-filter-tld-plugin-for-newer-logstash-versions-martin-boller