/ #yolosec Tue, 22 Apr 2025 09:00:01 +0000 en-US hourly 1 https://wordpress.org/?v=6.9 /2024/03/powershell-script-invoke-encryptionsimulator/ Thu, 14 Mar 2024 04:53:37 +0000 /?p=6120 Invoke-EncryptionSimulator Invoke-EncryptionSimulator is designed to be a simple and safe way to emulate the encryption stage of a ransomware deployment to aid in development and testing of controls focusing on file system level changes rather than process related telemetry. Invoke-EncryptionSimulator is designed to be a simple and safe way to emulate the encryption stage of […]

The post Introducing Invoke-EncryptionSimulator: A PowerShell Tool for Simulating Late-Stage Ransomware Attacks first appeared on RobWillis.info.]]> /2022/06/powershell-script-invoke-rpcmap/ Mon, 27 Jun 2022 02:13:00 +0000 /?p=5365 Invoke-RPCMap Invoke-RPCMap can be used to enumerate local and remote RPC services/ports via the RPC Endpoint Mapper service. This information can useful during an investigation where a connection to a remote port is known, but the service is running under a generic process like svchost.exe. This script will do the following: Create a local log […]

The post New Tool! Invoke-RPCMap: PowerShell Script for Remote RPC Service Enumeration first appeared on RobWillis.info.]]> /2021/04/powershell-script-quickly-find-the-largest-files/ Tue, 06 Apr 2021 07:05:37 +0000 /?p=5334 A few years ago I wrote a script to help find the largest files on a drive using PowerShell without the need to install any additional software. This script was extremely useful for quickly narrowing in on files that may be easy to remove in order to help free up disk space, particularly in situations […]

The post Revisiting & Revising An Old PowerShell Tool – Quickly Find The Largest Files first appeared on RobWillis.info.]]> /2021/02/vmware-vcenter-cve-2021-21972-scan-tool/ Sat, 27 Feb 2021 10:31:52 +0000 /?p=5318 In this post, I am releasing a PowerShell POC script that will scan the specified target hosts and attempt to detect those that are vulnerable to VMware vCenter CVE-2021-21972. You can find the script, Invoke-CVE-2021-21972-Scan.ps1, on my github here: https://github.com/robwillisinfo/VMware_vCenter_CVE-2021-21972 The script executes in the following order: Create a log file, default log name is […]

The post VMware vCenter CVE-2021-21972 Scanner first appeared on RobWillis.info.]]> /2021/02/defending-against-powershell-attacks/ Mon, 22 Feb 2021 04:07:54 +0000 /?p=4971 It’s no secret that I am a big fan of PowerShell and recently I have been spending a considerable amount of time researching and testing it from a security perspective. While there is a lot of solid information out there, I have found it can still be a challenge to really get a solid grasp […]

The post Defending Against PowerShell Attacks first appeared on RobWillis.info.]]> /2020/08/invoke-decoder-a-powershell-script-to-decode-deobfuscate-malware-samples/ Sun, 02 Aug 2020 03:57:08 +0000 /?p=4931 I have been spending a lot of time reviewing PowerShell based attacks and malware over the last few months and I wanted to take some time to really understand how some of the common obfuscation techniques really work under the hood. The best way for me to learn more about something like this is to […]

The post Invoke-Decoder – A PowerShell script to decode/deobfuscate malware samples first appeared on RobWillis.info.]]> /2020/01/disabling-powershell-v2-with-group-policy/ Mon, 20 Jan 2020 11:39:09 +0000 /?p=4855 In this post I am going to tackle something that I have been wanting to play around with for awhile, disabling PowerShell v2 at an enterprise scale. As a former systems engineer and now a security engineer, I have a love/hate relationship with PowerShell since it is amazingly useful but also incredibly dangerous in the […]

The post Disabling PowerShell v2 with Group Policy first appeared on RobWillis.info.]]> /2019/10/everything-you-need-to-know-to-get-started-logging-powershell/ Mon, 07 Oct 2019 00:15:30 +0000 /?p=4432 Intro Recently, I have been spending a lot of time researching and working with PowerShell logging. Since PowerShell is readily available (built-in to the OS) and has an assortment of functionality that can be used across the entire kill chain right out of the box, it is an ideal candidate for virtually any type of […]

The post Everything You Need To Know To Get Started Logging PowerShell first appeared on RobWillis.info.]]> /2019/05/gathering-windows-powershell-and-sysmon-events-with-winlogbeat-elk-7-windows-server-2016/ Tue, 07 May 2019 02:43:19 +0000 /?p=4162 In part I of this series, Installing ELK 7 (Elasticsearch, Logstash and Kibana) on Windows Server 2016, I covered the following: Installing and configuring Elasticsearch, Logstash, and Kibana as Windows services Installing and configuring Winlogbeat to forward logs from the ELK server into ELK Installing and configuring Curator as a scheduled task (optional) Now, in […]

The post Gathering Windows, PowerShell and Sysmon Events with Winlogbeat – ELK 7 – Windows Server 2016 (Part II) first appeared on RobWillis.info.]]> /2019/05/installing-elk-7-elasticsearch-logstash-and-kibana-windows-server-2016/ Tue, 07 May 2019 02:42:55 +0000 /?p=4058 I am a huge fan of the Elastic stack as it can provide a great deal of visibility into even the largest of environments, which can help enable both engineering and security teams rapidly triage technical issues or incidents at scale. There’s also the fact that unlike Splunk, the Elastic software is free to use […]

The post Installing ELK 7 (Elasticsearch, Logstash and Kibana) – Windows Server 2016 (Part I) first appeared on RobWillis.info.]]>