Cool study about cybersecurity trends

Stumbled across a very interesting study “Considerations on Challenges and Future Directions in Cybersecurity” by the National CyberInt and CERT-RO organizations.

It can be accessed here: https://cert.ro/doc/CybersecurityRO2019.pdf

Take time to read it as it is quite detailed and very long.

Setting the IP address in Windows recovery mode

I had to restore a server and when trying to get to the network to access the backup I had an error saying there was no IP address.

I tried running

netsh interface ip set address name="Local Area Connection" static <IPAddress> <SubnetMask> <Gateway>

but I received an error: unknown connection.

To fix this we need to first run wpeinit from the command prompt and then run

netsh interface ip set address name="Local Area Connection" static <IPAddress> <SubnetMask> <Gateway>

Hyper-V Updating Integration components for Windows Server 2016

The old way was painful: you had to use Windows Update to update the VMGuest.ISO, mount that ISO inside the guest, run the update from it and reboot the VM. This had to be done manually on each VM.

You could use System Center Virtual Machine Manager (SCVMM) which allowed for batch reboots.

In Windows Server 2016 things have changed for the better – Windows Update will automatically update the integration components inside the VM if you are running any of the OSes below:

  • Windows Server 2016
  • Windows 10
  • Windows Server 2012 R2
  • Windows 8.1

If the guest runs one of the older OSes below, you need to enable the Data Exchange integration service and make sure it is running:

  • Windows Server 2012
  • Windows 8
  • Windows 7
  • Windows Vista SP2

But now we have another scenario: what if I live migrated my VMs from Windows Server 2012/2012 R2 to Windows Server 2016? Will Windows Update work from the start? Well, not really. What we need to do is update the integration services manually: download the latest version as a CAB file from the Microsoft Download Center here: https://support.microsoft.com/en-us/help/3071740/hyper-v-integration-components-update-for-windows-virtual-machines-tha and run a PowerShell cmdlet inside the guest:

Add-WindowsPackage -Online -PackagePath <path to .CAB file>

This can now be automated via Powershell to be done in batches on all VMs.
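One way to do the batch run described above, as an added example that is not part of the original post: it checks the CAB's Authenticode signature once on the host, then pushes and installs it in every running guest over WinRM and records per-VM results. The CAB path, the `C:\Windows\Temp` staging folder and the assumption that each VM name resolves to the guest's host name are placeholders for illustration.

```powershell
# Added example, run on the Hyper-V host. Assumptions: $cab is a placeholder path to the
# CAB matching the guests' OS version/architecture; each VM name is also its WinRM host name.
$cab  = 'C:\Updates\integration-components.cab'   # placeholder path
$leaf = Split-Path -Path $cab -Leaf

# Refuse to distribute a package whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $cab
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signature check failed for ${cab}: $($sig.Status)"
}

$running = Get-VM | Where-Object { $_.State -eq 'Running' }
$report = foreach ($vm in $running) {
    $row = [ordered]@{
        VM = $vm.Name; VersionBefore = $vm.IntegrationServicesVersion
        Result = 'Installed'; RestartNeeded = $null
    }
    $session = $null
    try {
        $session = New-PSSession -ComputerName $vm.Name -ErrorAction Stop
        Copy-Item -Path $cab -Destination 'C:\Windows\Temp\' -ToSession $session -ErrorAction Stop
        $pkg = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            $path = Join-Path 'C:\Windows\Temp' $using:leaf
            try     { Add-WindowsPackage -Online -PackagePath $path -NoRestart -ErrorAction Stop }
            finally { Remove-Item -Path $path -ErrorAction SilentlyContinue }
        }
        $row.RestartNeeded = $pkg.RestartNeeded
    }
    catch {
        # Unreachable guest, wrong CAB for the guest OS, or a DISM failure: record it and continue.
        $row.Result = "Failed: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

`-NoRestart` leaves the reboot to your normal maintenance window; the `RestartNeeded` column shows which guests still need one.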

PowerShell – Finding AV definitions update for McAfee

I had a customer where we had to find the last update time of the McAfee AV definition files but did not have access to the orchestrator console.

The script reads AVDatVersion and AVDatDate from the registry and outputs them, so they can then be passed to a monitoring tool for alerting.

######################################################
#
# NAME: Get-AVStatus.ps1
#
# AUTHOR: Alin Daniel Stanciu
#
# COMMENT: Script to check the last update for McAfee antivirus by reading the registry
# keys and taking the last DAT version and DAT date
# In order to also check for services status uncomment last line
#
# VERSION HISTORY:
# 1.0 10.09.2017 – Initial release
# 2.0 21.09.2017 – Stable Version for production usage
# USAGE: get-avstatus.ps1 -computername Localhost
#
########################################################
#force the computername as a parameter of the script
param (
    [parameter(mandatory=$true)][string]$computername
)
try {
    #Set up the key that needs to be accessed and what registry tree it is under
    $key = "Software\McAfee\AVEngine"
    $type = [Microsoft.Win32.RegistryHive]::LocalMachine
    #open up the registry on the remote machine and read the DAT version and DAT date values
    $regkey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type,$computername)
    $regkey = $regkey.OpenSubKey($key)
    $status = $regkey.GetValue("AVDatVersion")
    $datdate = $regkey.GetValue("AVDatDate")
}
catch {
    try {
        #fall back to the 32-bit view of the registry on 64-bit systems
        $key = "Software\Wow6432Node\McAfee\AVEngine"
        $type = [Microsoft.Win32.RegistryHive]::LocalMachine
        #open up the registry on the remote machine and read the DAT version and DAT date values
        $regkey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type,$computername)
        $regkey = $regkey.OpenSubKey($key)
        $status = $regkey.GetValue("AVDatVersion")
        $datdate = $regkey.GetValue("AVDatDate")
    }
    catch {
        $status = "Cannot read regkey"
    }
}
New-Object PSObject -Property @{
    Computername = $computername
    DATVersion = $status
    DatDate = $datdate
} | select Computername,DatVersion,DatDate
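To show how that output can drive an alert, the following added example (not part of the original script) turns each row into a freshness state, with an unreadable key reported as UNKNOWN instead of healthy. The `Test-DatFreshness` function, the thresholds, the exit-code convention and the assumption that AVDatDate is a `yyyy/MM/dd` string are illustrative; the sample rows are constructed.

```powershell
# Added example. Assumptions: AVDatDate is a yyyy/MM/dd string; thresholds and the
# 0/1/2/3 exit codes (OK/WARNING/CRITICAL/UNKNOWN) are illustrative.
function Test-DatFreshness {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$DatVersion,
        [string]$DatDate,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 3,
        [int]$CritDays = 7
    )
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($DatDate, 'yyyy/MM/dd',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::None, [ref]$parsed)

    $age = $null
    if (-not $ok) {
        # Unreadable key or unexpected format: never report this as healthy.
        $state = 'UNKNOWN'; $code = 3
    }
    else {
        $age = [int](($Now.Date - $parsed.Date).TotalDays)
        if     ($age -lt 0)         { $state = 'UNKNOWN';  $code = 3 }  # DAT date in the future
        elseif ($age -ge $CritDays) { $state = 'CRITICAL'; $code = 2 }
        elseif ($age -ge $WarnDays) { $state = 'WARNING';  $code = 1 }
        else                        { $state = 'OK';       $code = 0 }
    }
    [pscustomobject]@{
        Computername = $ComputerName; DatVersion = $DatVersion
        DatDate = $DatDate; AgeDays = $age; State = $state; ExitCode = $code
    }
}

$now = [datetime]'2017-09-21'   # fixed date so the constructed samples are reproducible
$samples = @(                   # constructed rows shaped like the Get-AVStatus.ps1 output
    @{ ComputerName = 'SRV01'; DatVersion = '8660.0000'; DatDate = '2017/09/20' }
    @{ ComputerName = 'SRV02'; DatVersion = '8650.0000'; DatDate = '2017/09/10' }
    @{ ComputerName = 'SRV03'; DatVersion = 'Cannot read regkey'; DatDate = $null }
)
$results = foreach ($s in $samples) { Test-DatFreshness @s -Now $now }
$results | Format-Table Computername, DatVersion, AgeDays, State -AutoSize

# Exit with the highest code so one run covers the whole batch.
$worst = [int](($results | Measure-Object -Property ExitCode -Maximum).Maximum)
exit $worst
```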

PowerShell – getting system uptime in human readable format

To get the system uptime in the format "<N> Days <N> Hours <N> Minutes", we use the script below:

######################################################
#
# NAME: Get-SystemUptime.ps1
#
# AUTHOR: Alin Daniel Stanciu
#
# COMMENT: Script to report the system uptime since the last boot
# as days, hours and minutes
#
# VERSION HISTORY:
# 1.0 09 november 2017 – Initial release
# USAGE: get-systemuptime.ps1
########################################################
#read the last boot time from WMI and convert it to a DateTime
$OS = Get-WmiObject win32_operatingsystem
$BootTime = $OS.ConvertToDateTime($OS.LastBootUpTime)
$EndDate = (Get-Date)
#time elapsed between the last boot and now
$diff = (New-TimeSpan -Start $BootTime -End $EndDate)
Write-Host $diff.Days Days $diff.Hours Hours $diff.Minutes Minutes

The result is like this: 21 Days 21 Hours 56 Minutes.

Enjoy!

PowerShell – Send reboot notification email via a scheduled task

I needed to be able to send an email 24 hours before a server is rebooted via a scheduled task.

In order to achieve this I have a task that will reboot the server called "Computer reboot for updates". The script below reads the Next Run Time of the scheduled task for the server reboot and then sends an email with that information.

#Destination email
$To = "john.doe@nodomain.com"

#Sender email
$From = "it@nodomain.com"

#SMTP server used
$SMTPServer = "0.0.0.0"

#name of the scheduled task for reboots
$taskname = "Computer reboot for updates"

#getting the reboot time from the task details
$rebootime = $((Get-ScheduledTask -TaskName $taskname | Get-ScheduledTaskInfo).NextRunTime)

#Building the email
$messageParameters = @{
    Subject = "$env:ComputerName.$env:USERDNSDOMAIN Will be REBOOTED on $rebootime"
    Body = "Server $env:ComputerName.$env:USERDNSDOMAIN Will be REBOOTED on $rebootime in order to apply the Windows Updates. Thank you, IT Team"
    From = $From
    To = $To
    SmtpServer = $SMTPServer
}

#Sending the email
Send-MailMessage @messageParameters -BodyAsHtml

The result is an email like below:
From: it@nodomain.com
To: john.doe@nodomain.com
Subject: Test.domain.com Will be REBOOTED on 11/30/2017 06:00:00
Body: Server test.domain.com Will be REBOOTED on 11/30/2017 06:00:00 in order to apply the Windows Updates. Thank you, IT Team