When you can’t shutdown or power off a VM , this is how to force kill it

Open this directory in File Explorer and find the folder with the same name as your virtual machine has. Copy the GUID that is specified in the name of the VM configuration file with the *.vmcx extension.

Run the Task Manager and go to the Details tab. All virtual machines are running in their own instance of vmwp.exe. To determine which process is responsible for your VM, you need the GUID of the hung-up VM you obtained earlier. Locate the process vmwp.exe that has the GUID of your VM in the User name column. Kill this process (End Task).

• No Comments

Once created , powershell

• No Comments

Any existing CSV Shared Storage Disk was trying to be added to a new host on a different cluster however came up as RAW

What needed to run was the below ( for Disk 0 ) and I could see the CSNTFS permissions again

clear-clusterdiskreservation -disk 0

• No Comments

Trying to enroll a device for MAM and the below error messaged showed up

The user was not in the right groups assigned for Enrolling devices in MAM , changing this fixes the Error

• No Comments

<#  
	.SYNOPSIS  
	Displays list of accounts that have been locked out in AD since the last time each DC's Event Log has rolled over.

	.DESCRIPTION
	By default, this script displays list of accounts that have been locked out on the current domain since the last time the Event Log rolled over. Results can be filtered by using parameters.

	.PARAMETER forest
	Queries all DCs in the current forest

	.PARAMETER Domain
	Queries only DCs within the specified domain. If no domain is listed, it will default to the current domain.
	
	.PARAMETER DCs
	Queries only specified DCs
	
	.PARAMETER Start
	Filter by start time in 'MM/dd/yyyy HH:mm:ss' format.
	
	.PARAMETER End
	Filter by end time in 'MM/dd/yyyy HH:mm:ss' format.
	
	.NOTES  
	Author  : Chrissy LeMaire 
	Requires:     PowerShell Version 3.0
	DateUpdated: 2015-Feb-5
	Version: 1.1
	 
	.LINK
	
	 
	.EXAMPLE
	.\Get-LockoutHistory.ps1
	Gets all locked out accounts in the current domain.
	
	.EXAMPLE
	.\Get-LockoutHistory.ps1 -forest
	Gets all locked out accounts in the current forest
	
	.EXAMPLE
	.\Get-LockoutHistory.ps1 -domain ad.local -start '1/28/2015' -end '1/29/2015'
	Gets all locked out accounts in the ad.local domain, starting at 01/28/2015 00:00:00 and ending at 01/29/2015 00:00:00
#> 
#Requires -Version 3.0
[CmdletBinding(DefaultParameterSetName="Default")]

Param(
	[switch]$forest,
	[string]$domain,
	[string[]]$dcs,
	[datetime]$start,
	[datetime]$end
	)

if ($domain.length -ne 0) { $domain = $domain.toLower() }

if (($forest -eq $true -or $domain -ne $null) -and $dcs.length -eq 0) {
	$currentforest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
	$currentdomains = $currentforest.Domains
	
	if ($domain.length -ne 0) {
		$singledomain = ($currentdomains | Where-Object { $_.Name -eq $domain })
		if ($singledomain -eq $null) { throw "$domain could not be found in the forest." }
		$dcs = $singledomain.DomainControllers.name 
	} else { $dcs = $domains.DomainControllers.name }
} 

if ($dcs -eq $null) {
	$currentdomain = [directoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
	$dcs = $currentdomain.FindAllDomainControllers()
}

$filter = @{LogName='Security';Id=4740;}

if ($start -ne $null) {
	$start = (Get-Date $start -Format 'MM/dd/yyyy HH:mm:ss')
	$filter += @{StartTime=$start;}
	Write-Host "Filter Start: $start" -ForegroundColor Yellow
}

if ($end -ne $null) {
	$end = (Get-Date $end -Format 'MM/dd/yyyy HH:mm:ss')
	$filter += @{EndTime=$end;}
	Write-Host "Filter End: $end" -ForegroundColor Yellow
}

$allevents = $null; $lockedout = @()

foreach ($dc in $dcs) {
Write-Host "Contacting $dc" -ForegroundColor Green
	try {
		$allevents = (Get-WinEvent -ComputerName $dc -FilterHashtable $filter   -ErrorAction Stop).ToXml()
		$allevents = "<root>$allevents</root>"

		foreach ($event in ([xml]$allevents).root.Event) {
			$user = ($event.EventData.data |  Where-Object { $_.Name -eq "TargetUserName" }).'#text'
			$from = ($event.EventData.data | Where-Object { $_.Name -eq "TargetDomainName" }).'#text'
			$dc = (($event.EventData.data | Where-Object { $_.Name -eq "SubjectUserName" }).'#text').TrimEnd("$")
			$domain = ($event.EventData.data | Where-Object { $_.Name -eq "SubjectDomainName" }).'#text'
			$entrytime = [datetime]$event.System.TimeCreated.SystemTime
			$status = (Get-ADUser -Identity $user  -Server $DC -Properties LockedOut).LockedOut
		
			$lockedout += [pscustomobject]@{User=$user; From=$from; DC=$dc; Domain=$domain; Timestamp=$entrytime; "Currently Locked Out"=$status}
		}
	}
	catch {
		$msg = $_.Exception.Message
		if (!$msg.StartsWith("No events were found")) {
			Write-Warning "$dc was unreachable or otherwise unparsable."
			Write-Warning "Ensure your account has Read access to the DC's Security log and the appropriate firewall ports are open."
		}
	}
}

if ($lockedout.count -eq 0) {
	Write-Host "No locked out events could be found."
} else {
	$lockedout | Out-Gridview
}

• No Comments

Symptoms

Start menu not working for all users

System Event log shows the following error

EventID:10001 – Source: DCOM

Unable to start a DCOM Server: Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy!CortanaUI.AppXynb3eakad12451rv00qxextfnce9sxb8.mca as Unavailable/Unavailable. The error:

“0”

Happened while starting this command:

“C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe” -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Fix

Backup registry key below (could take awhile 1 hr+)

In powershell

Remove-Item “HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules”

New-Item “HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules”

Set DWORD “DeleteUserAppContainersOnLogoff = 1
in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

• No Comments

** If using Windows 10 you will need Enterprise License

Guide

1. Enable the Virtual Machine for Secure Boot \ EUFI and Enable Virtualisation CPU on CPU Settings
2. Install Hyper V Role on the server
3. TPM Doesn’t seem to be enabled but its working
4. Enable GPO

   

Tool 

• No Comments

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

1. Update fails to stop all services ( do this manually ) 

2. Exchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state.
   
   To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

• No Comments

Error: he following error was generated when “Serror.Clear(); $dlIFile =join-path $RolelnstallPath “bin ExSMIME.dII”; $regsvr =join-path (join-path $env:SystemRoot system32) regsvr32.exe; start-SetupProcess -Name:”$regsvr” -Args:”/s -Timeout:120000; “was run: “Microsoft.Exchange.Configuration.Tasks.TaskException: Process execution failed with exit code 3. at Microsoft.Exchange.Management.Tasks.RunProcessBase.InternalProcessRecordo at Microsoft.Exchange.Configuration.Tasks.Task.

Microsoft.Exchange.Configuration.Tasks.Task.InvokeRet ableFunc(Strin • funcName, Action func, Boolean terminatePipelinelfFailed)”

Fix

Checking logs there was missing Visual C++ 2012 and 2013 runtime. 2013 was a new requirement for CU18/19 so no surprises there, but 2012 has been a req for as far back as I can see. Definitely wasn’t present. So the pre-flight dependency check script doesn’t actually check for deps… From what I can tell it checks for the presence of RSAT and that’s about it. Once that was sorted (I had to install both 2012 & 2013) I was able to run CU19 again successfully. 

• No Comments

There is a method to check whether a recently patched (or unknown) server is vulnerable to the SSRF exploit.

Please run this procedure for each of your assigned clients, either that have been or not patched, we MUST ensure they are not vulnerable, even if we think we applied the patch. 

• Jump on a util machine inside customer network, or whatever machine as long as it is internal.
• Download nmap from nmap website and install with default settings
• Download nse script from Microsoft https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse
• Move nse script file just download under c:\program files (386)\nmap\scripts
• Open nmap
• In the Command filed type: nmap -sV -p 443 –script=http-vuln-cve2021-26855 -script-args vulns.showall IPOFTHEEXCHANGESERVER

You must confirm it says “NOT VULNERABLE”

Example of vulnerable server:

What to do if your compromised

• Reset of all users’ account. ALL of them. Service accounts and administrator included.
• Review of all new users added/remove/edited during the last 2 weeks as well as security group change made.
• Immediate isolation of Exchange server (If server is exploited, full access is possible). Creation of a fresh Exchange, migrate mailboxes off the old Exchange (for this I invoke the Exchange experts). Burn the old Exchange server.
• Restore from Backup

• This repo contains all the hashes of the files you are supposed to have in Exchange. If something is different, consider the installation compromised. https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/Exchange
• This repo has a ps1 script which will go through log/files to see whether there are indicator of compromise https://github.com/microsoft/CSS-Exchange/tree/main/Security
• This is provided by Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

If you install the patch by downloading the patch and just double clicking on it, the patch will install but not fix the vulnerability because exchange services are still running, and it can’t replace the files.

See the known issues section. This also has a known side effect of leaving some services disabled.

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

Microsoft released patches for older/unsupported Exchange CU’s to help customers securing their servers faster:

https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020

Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread ProxyLogon Exchange Server cyberattacks.

Called Exchange On-premises Mitigation Tool (EOMT), the PowerShell-based script serves to mitigate against current known attacks using CVE-2021-26855, scan the Exchange Server using the Microsoft Safety Scanner for any deployed web shells, and attempt to remediate the detected compromises.

“This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update,” Microsoft said.

The development comes in the wake of indiscriminate attacks against unpatched Exchange Servers across the world by more than ten advanced persistent threat actors — most of the government-backed cyberespionage groups — to plant backdoors, coin miners, and ransomware, with the release of proof-of-concept (PoC) fueling the hacking spree even further.

Based on telemetry from RiskIQ, 317,269 out of 400,000 on-premises Exchange Servers globally have been patched as of March 12, with the U.S., Germany, Great Britain, France, and Italy leading the countries with vulnerable servers.

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance to detail as many as seven variants of the China Chopper web shell that are being leveraged by malicious actors.

• No Comments