Vectra: AI Threat Detection (Live Threat Detection)

Many organizations handle threats either at the prevention stage or at the forensic stage. However, none of them are detecting active threats already running inside the enterprise, which has huge implications for the enterprise.


Vectra is an Artificial Intelligence (AI) threat detection and response platform. How cool is that?

Vectra uses algorithms to detect threats, instead of a database of known threat signatures, to identify threats in the network environment.

What Vectra does:

  1. It always keeps track of packets flowing in and out of the premises
  2. Detects the type of threat found in a packet
  3. Keeps track of the threat stage of the packet
  4. Provides “From” and “To” details of the packet transmission
  5. Alerts the premises’ technical team about the threat
  6. Allows the premises’ technical team to determine which types of threat to detect on packets

There are 2 types of flow of compromise:

[Image: vectra1.png, flow of compromise and stages of threats]

  • Procedural threats
    • Go through a number of stages to extract confidential data
  • Direct attack threats
    • Extract confidential data directly once compromised

These are the summarized definitions of the stages of threats shown in the image above:

Command & Control (C&C)

  • Cybercriminals coordinate an attack over time

Botnet monetization

  • Commonly associated with click fraud, sending spam or generating DDoS traffic at a target
  • Consumes valuable resources
  • Damages the external reputation of the network
  • Target is not an organization’s more critical assets

Internal reconnaissance

  • Vital part of a targeted attack
  • Begins shortly after an initial infection
  • Allows cybercriminals to orient an attack inside a network and identify targets for lateral movement

Lateral movement

  • Establish multiple points of persistence in a network while moving deeper toward key assets

Exfiltration

  • Extract compromised data from inside a network to a remote external attacker
  • Multiple hops or staging phases to evade security controls

It is good to know that there is a technology that can help an enterprise stop an attack before it is compromised.

Vectra detects active attacks:

[Image: v1, Vectra detecting active attacks]

Below is a graph of which phases most organizations focus on to protect their environment from threats:

[Image: v2.png, phases organizations focus on]

References:

  1. https://vectra.ai/understanding-todays-cyber-security-challenges

Office 365: Synchronized/Migrated user showing wrong UPN in Office 365

Oh no! I forgot to change/set the user’s UPN correctly before migration! Even a simple job can go wrong, and this will lead you to panic. Well, if you are panicking, just take a deep breath.

Usually we resolve such a problem by breaking/disabling DirSync so that the user’s status changes from “Synced from on-premises” to “In cloud”, which lets us make the change in Office 365 without touching on-premises. However, this kind of solution is troublesome because it takes hours for DirSync to finish disabling and for the user’s status to change. How many hours depends on the number of users you have in Office 365: the more users, the longer it takes for DirSync to finish disabling and for the user’s status to change.

Here are the problems we faced:

  1. Forgot to set the email policy
  2. Forgot how to set the email policy
  3. Set the wrong email policy
  4. Were highly confident and didn’t double check
  5. Didn’t do enough research on migration preparation

Luckily I found a way to fix this kind of clumsiness; please refer to the reference given below.

Note: This solution is only for a clumsy situation. Don’t put it into your migration planning, because it will make you feel like a total blockhead in front of your customers. Please do not make it a habit.
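The referenced article’s title points at changing the UPN with PowerShell. As an added example (not code from the post or from that article), this is the MSOnline cmdlet that does it, with the two checks that most often make the rename fail. It assumes the MSOnline module is installed, you connect as a global admin, and the two UPN values are placeholders for your own; the on-premises UPN must be corrected as well, because on-premises stays authoritative for a synced user.

```powershell
# Added example: rename a user's login name (UPN) in Office 365 with the MSOnline module.
# Assumptions: MSOnline module installed; $OldUpn/$NewUpn are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for global admin credentials

$OldUpn = 'user@tenant.onmicrosoft.com'   # placeholder: the wrong UPN that was synced up
$NewUpn = 'user@contoso.com'              # placeholder: the UPN it should have been

# Check 1: the new UPN's domain must be verified in the tenant, otherwise the rename fails.
$domain = ($NewUpn -split '@')[1]
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    throw "Domain '$domain' is not verified in this tenant; add and verify it first."
}

# Check 2: no other account may already use the new UPN.
if (Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction SilentlyContinue) {
    throw "A user with UPN '$NewUpn' already exists."
}

# Record the state before changing anything.
Get-MsolUser -UserPrincipalName $OldUpn |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime, IsLicensed

# Rename the login name only; mailbox, licenses and data stay attached to the account.
Set-MsolUserPrincipalName -UserPrincipalName $OldUpn -NewUserPrincipalName $NewUpn

# Verify the result.
Get-MsolUser -UserPrincipalName $NewUpn | Select-Object UserPrincipalName, DisplayName

# Remember: fix the UPN in on-premises AD too, so the next directory sync agrees with the cloud value.
```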

Reference:

  1. http://www.codenutz.com/office365-changing-the-main-login-name-for-upn-for-a-user-via-powershell/

[Old Version] Azure & Office 365: How to enable RMS?

Aloha (Hello)… I know there is a new feature from Microsoft, Azure Protection P2, where users can protect their attachments, etc. In short, double protection. This feature is actually a separate license (Azure license) that is not included in the Enterprise licenses, so you have to purchase it separately.

Anyway, this article is only for users/customers that don’t need double protection, or for smaller businesses. I am more comfortable activating RMS using the Azure classic portal:

Step by step:

  1. Go to https://manage.windowsazure.com
  2. Key in your global admin credentials
  3. Click on Active Directory
    • [Image: azureportalv1.png]
  4. At the top bar, select Rights Management
    • [Image: azureportalv2]
  5. In the Rights Management page you can view whether your RMS is Active or Deactivated
  6. To activate it, there is a button at the bottom bar of the page
  7. If you wish to manage it or create a new policy, just click on the RMS you have just activated
  8. Note: If you wish to manage or create a new policy, please seek advice from Microsoft Support for further understanding
  9. Note: Please review the References below to fully activate RMS; this requires PowerShell to complete
  10. Note: Default RMS policies cannot be deleted

Reference:

  1. https://docs.microsoft.com/en-us/information-protection/deploy-use/activate-azure-classic
  2. https://blogs.technet.microsoft.com/canitpro/2015/05/19/step-by-step-setup-and-enablement-of-office-365-message-encryption/

Office 365: How to export a list with license details and SMTP details via PowerShell?

I know I am not the best coder, but I always like to find the simplest way of coding so that beginners don’t get frustrated.

I do find it confusing when you get an error like this in your exported csv file of the list:

System.Collections.Generic.List`1[System.String]

*Note: This only applies to attributes that contain more than one word or value (i.e. there is a “:” or “;” as a divider), such as the accountskuid attribute, whose value is {contoso:enterprisepackage}.

For example:

  1. If you try to export a list of users from Office 365, as a logical thinker you would probably type code such as:

    Get-MsolUser -All | Select userprincipalname, proxyaddresses, licenses.accountskuid | Export-csv list.csv

However, this code will not get you what you want; instead it will give you the error above.

The proper code is:

Get-MsolUser -All | Select userprincipalname, {$_.proxyaddresses}, {$_.licenses.accountskuid} | export-csv list.csv

“licenses.accountskuid” refers to a class named licenses in the Office 365 system that has an attribute named “accountskuid”. You have to write it this way to pull that attribute out into your csv file.

If you wish to test whether my code works, it is best to replace “-All” with “-MaxResults” (which limits how many users are returned).
Example:

# This will only display 1 user with a license assigned

Get-MsolUser -MaxResults 1 | Select userprincipalname, {$_.proxyaddresses}, {$_.licenses.accountskuid} | where {$_.islicensed -eq $true} | export-csv list.csv

There are lots of ways to do this. You could use the fancier way with “-ExpandProperty” or “-Properties”, etc.
Code it in whatever way is comfortable and understandable to you.
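As an added example (not code from the post), here is the general version of the trick above: a small function that flattens every collection-valued attribute into one CSV cell with -join, so the “System.Collections.Generic.List`1[System.String]” text never appears, plus constructed sample users shaped like MsolUser objects so it runs without a tenant connection. ConvertTo-FlatUserRow and the sample data are assumptions for this example; for real data, replace the sample with Get-MsolUser -All after Connect-MsolService.

```powershell
# Added example: flatten collection-valued MsolUser attributes for Export-Csv.
# ConvertTo-FlatUserRow and $sampleUsers are constructed for this example.
function ConvertTo-FlatUserRow {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [string] $Separator = ';'   # divider between values inside one CSV cell
    )
    process {
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            IsLicensed        = $User.IsLicensed
            # -join turns a list of strings into one string that Export-Csv can write.
            ProxyAddresses    = ($User.ProxyAddresses -join $Separator)
            # Licenses is a collection; each element carries an AccountSkuId.
            AccountSkuIds     = (@($User.Licenses | ForEach-Object AccountSkuId) -join $Separator)
            LicenseCount      = @($User.Licenses).Count
        }
    }
}

# Constructed sample data shaped like MsolUser objects (no tenant connection needed).
$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.com'
        IsLicensed        = $true
        ProxyAddresses    = [System.Collections.Generic.List[string]]@('SMTP:alice@contoso.com', 'smtp:alice@contoso.onmicrosoft.com')
        Licenses          = @([pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPACK' })
    },
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.com'
        IsLicensed        = $false
        ProxyAddresses    = [System.Collections.Generic.List[string]]@('SMTP:bob@contoso.com')
        Licenses          = @()
    }
)

# For real data: $rows = Get-MsolUser -All | ConvertTo-FlatUserRow
$rows = $sampleUsers | ConvertTo-FlatUserRow
$rows | Format-Table -AutoSize

# Only licensed users, written as plain CSV without the "#TYPE" header line.
$rows | Where-Object IsLicensed | Export-Csv -Path .\list.csv -NoTypeInformation
```

The calculated-property form in the post works too; the difference here is that the column headers are readable names rather than the script block text, and a user with several licenses or several proxy addresses lands in one cell instead of producing a type name.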

References:

  1. https://mymicrosoftexchange.wordpress.com/2015/03/23/office-365-script-to-get-detailed-report-of-assigned-licenses/

Skype for Business: How to setup QoS at client side?

Well, there are 2 ways you can do this: edit the client’s computer (local group policy) or push the settings using Group Policy Management.

Anyway, both of these methods are similar and simple to set up.

*Note: A wrong value can cause QoS not to run correctly.

Steps for local group policy:

  1. Make sure you are logged in as a local administrator on your computer
  2. Go to > Start > Search > Group Policy
  3. In the Group Policy editor > Computer Configuration > Windows Settings > Policy-based QoS
  4. Create a new policy
  5. Just follow the image below to create a total of 5 QoS policies

[Image: sfb2, the 5 QoS policies]

6. While creating the policy, just change what is necessary. Leave the others at their defaults.

7. Restart the computer (I always do this)
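The same local policies can be created from PowerShell with the NetQos module, which also makes it easy to validate the values before applying them, since the note above is right that one wrong DSCP or port value breaks QoS silently. This is an added example, not code from the post or from the referenced articles. It assumes Windows 8 / Server 2012 or later running as local administrator; the policy names, port ranges and DSCP values in the table are placeholders following the common Skype for Business defaults, not the values in the post’s screenshot, so replace them with the ranges configured on your own SfB server.

```powershell
# Added example: create and validate Skype for Business client QoS policies with the NetQos module.
# Assumption: names, port ranges and DSCP values below are placeholders; use your server's ranges.
$QosPolicies = @(
    @{ Name = 'SfB Audio';      AppPath = 'lync.exe'; Start = 50020; End = 50039; Dscp = 46 }
    @{ Name = 'SfB Video';      AppPath = 'lync.exe'; Start = 50040; End = 50059; Dscp = 34 }
    @{ Name = 'SfB AppSharing'; AppPath = 'lync.exe'; Start = 50060; End = 50079; Dscp = 24 }
)

function Test-QosPolicyTable {
    # Returns $true when every entry has a valid DSCP (0-63), a sane port range, and no two
    # ranges overlap; writes a warning for each problem so the bad value is easy to spot.
    param([array] $Policies)
    $ok = $true
    foreach ($p in $Policies) {
        if ($p.Dscp -lt 0 -or $p.Dscp -gt 63) {
            Write-Warning "$($p.Name): DSCP $($p.Dscp) is outside 0-63"; $ok = $false
        }
        if ($p.Start -lt 1 -or $p.End -gt 65535 -or $p.Start -gt $p.End) {
            Write-Warning "$($p.Name): port range $($p.Start)-$($p.End) is invalid"; $ok = $false
        }
    }
    for ($i = 0; $i -lt $Policies.Count; $i++) {
        for ($j = $i + 1; $j -lt $Policies.Count; $j++) {
            $a = $Policies[$i]; $b = $Policies[$j]
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                Write-Warning "$($a.Name) and $($b.Name) have overlapping port ranges"; $ok = $false
            }
        }
    }
    return $ok
}

if (-not (Test-QosPolicyTable $QosPolicies)) { throw 'Fix the policy table before applying it.' }

foreach ($p in $QosPolicies) {
    # Drop a stale copy first so the script can be re-run after correcting a value.
    Get-NetQosPolicy -Name $p.Name -ErrorAction SilentlyContinue | Remove-NetQosPolicy -Confirm:$false
    New-NetQosPolicy -Name $p.Name `
        -AppPathNameMatchCondition $p.AppPath `
        -IPProtocolMatchCondition Both `
        -IPSrcPortStartMatchCondition $p.Start `
        -IPSrcPortEndMatchCondition $p.End `
        -DSCPAction $p.Dscp `
        -NetworkProfile All
}

# Review what is now in place; the DSCP value shown here is what the Wireshark capture
# in the testing steps should show in the IP header of the media packets.
Get-NetQosPolicy
```

Test-QosPolicyTable is a helper written for this example; the overlap check matters because Windows applies only one policy per packet, so two ranges that overlap mark some traffic with the wrong DSCP value.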

Steps for GPM:

  1. Open GPM
  2. Create a new GPO and name it
  3. Right click the GPO and click Edit
  4. In the Group Policy editor > Computer Configuration > Windows Settings > Policy-based QoS
  5. Create a new policy
  6. Just follow the image below to create a total of 5 QoS policies

[Image: sfb2, the 5 QoS policies]

7. Link this GPO to the OU you wish to have this GPO applied to

8. After that, remember to run gpupdate /force on both the server and the client computer

For testing:

  1. Install Wireshark
  2. Select the network you are connected to and start Wireshark (start capturing traffic)
  3. Start your Skype for Business audio call or video call, or both, within the same network. Do a peer-to-peer call.
  4. Talk on the audio or make some sound for a minute or two.
  5. End the Skype for Business call (audio or video)
  6. Stop Wireshark
  7. Save your capture
  8. You should be able to see that your QoS is working

[Image: wireshark.png, capture showing QoS marking]

References:

  1. https://three65.blog/2015/09/07/skype-for-business-configuring-quality-of-service-qos/
  2. https://gallery.technet.microsoft.com/office/Configure-QoS-for-Skype-cdea2e67
  3. https://gallery.technet.microsoft.com/lync/Configure-QoS-for-Skype-cdea2e67

Windows 10: How to setup Windows Hello?

This blog is based on my experience of setting up Windows Hello. I really like to capture every single step or action performed, because it is much easier for me (a beginner) and for end users to understand.

*Note: Please go through this blog first: “https://sabrinaksy.wordpress.com/2017/08/27/ad-gpo-how-to-enable-windows-hello/”

Precaution:

Before implementing, please go through and understand the steps given below. Each step is given a clear elaboration on how to perform it. Skipping a step will cause you confusion.

Here are the step-by-step instructions:

For administrators:

At the end user’s computer

  1. Run Command Prompt as Administrator on the end user’s computer
  2. Type in the following command:
    gpupdate /force
  3. Close Command Prompt once all policies have been updated

OR, at the AD server

  • Open Group Policy Management
  • Go to the OU for which the Windows Hello GPO was created
  • Right click on the OU and click Group Policy Update to force a gpupdate on all active computers

For end users:

After the group policy has been successfully updated on the end user’s computer:

  1. Go to > Start
    • [Image: hello1]
  2. Click on > Settings
    • This opens the Settings interface
    • [Image: hello2]
  3. Click on > Accounts
  4. At the left-side bar
    • Select > Sign-in options
    • [Image: hello3]
  5. Scroll down and find PIN
    • Select > Add
    • [Image: hello4]
  6. You will be prompted to enter your computer login password
    • [Image: hello5]
  7. After your credentials are authenticated, enter a convenience PIN
    • [Image: hello6.png]
  8. After entering the PIN, your PIN status will change to something like the image below
    • [Image: hello7.png]
  9. Scroll back up and find ‘Face Recognition’
    • Select > Set up
    • [Image: hello8]
  10. A ‘Welcome’ interface will appear
    • Select > Get started
    • [Image: hello9]
  11. Enter the PIN you set for yourself earlier
    • [Image: hello10.png]
  12. After your PIN is authenticated, a face recognition interface will appear
    • Place your face in front of the camera where it can detect your face
    • [Image: hello11.png]
  13. A success interface will appear
    • Select > Close
    • [Image: hello12.png]
  14. To try it out
    • Sign out from your computer account and you will see a different interface, like the image below
    • [Image: hello13.png]


Active Directory & Read-Only Domain Controller: Unable to login into RODC

Sometimes the environment will have problems such as the network going down, RPC being disconnected, or even worse problems you couldn’t imagine, all of which cause login problems. For now I would only like to pinpoint the RODC. Usually inexperienced engineers do not notice that there is a most important feature that has to be enabled on the RODC.

That is the Password Replication Policy or you could call it the Password cache.

Yes, there are environments where all the users are pointing to the RODC instead of the DC. Anything that happens to the RODC will lead to huge complaints from the users, and the person supporting the back end will definitely get the blame.

So it is better to avoid the trouble, no matter how good or stable the environment is. Here are the articles you can refer to:

  1. https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
  2. https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
  3. http://windowsitpro.com/windows-server/configure-credential-caching-rodc-windows-server-2016
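As an added example (not code from the post or the linked articles), this is how the Password Replication Policy described above can be checked and prepared from PowerShell with the ActiveDirectory module: it puts the branch group on the RODC’s allowed list, lists the users who have logged on through the RODC but whose password it has not cached (exactly the users who cannot log in once the link to a writable DC drops), and pre-populates the cache. It assumes it runs as a domain admin on a writable DC or RSAT machine; the RODC and group names are placeholders.

```powershell
# Added example: check and prepare an RODC's Password Replication Policy (password cache).
# Assumptions: $Rodc and $BranchGroup are placeholders for your own names.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC01'          # placeholder RODC computer name
$BranchGroup = 'Branch Office Users'    # placeholder group whose passwords may be cached

# 1. Make sure the branch group is on the Allowed list of the RODC's PRP.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
if ($allowed.Name -notcontains $BranchGroup) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup
    Write-Host "Added '$BranchGroup' to the allowed list of $Rodc"
}

# 2. Accounts that authenticated through this RODC versus accounts it actually has cached.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$cached        = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 3. Users who have logged on via the RODC but whose password is NOT cached: their logon
#    fails the moment the RODC cannot reach a writable DC.
$atRisk = $authenticated | Where-Object { $cached.DistinguishedName -notcontains $_.DistinguishedName }
Write-Host "Accounts seen by $Rodc but not cached:"
$atRisk | Select-Object Name, SamAccountName, DistinguishedName | Format-Table -AutoSize

# 4. Pre-populate the cache for the whole branch group now, while the RODC is reachable,
#    so nobody is locked out the first time the WAN link drops.
$members = Get-ADGroupMember -Identity $BranchGroup -Recursive | Where-Object objectClass -eq 'user'
foreach ($m in $members) {
    Sync-ADObject -Object $m.DistinguishedName -Destination $Rodc -PasswordOnly
}
```

Step 3 is the part worth running regularly: a user who appears in the authenticated list but not in the revealed list has been relying on the WAN link for every logon without anyone noticing.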

AD & GPO: How to enable or configure Windows Hello?

Creating this GPO is pretty simple: create a new GPO, or reuse an existing GPO (not the default GPO).

*Note: Windows Hello only works with Windows Server 2016, Surface Pro and Windows 10

Here are the simple steps:

  1. In Group Policy Management > Group Policy Objects > right click to create a new policy or edit the existing policy
  2. The image below is basically the policy that enables the Windows Hello feature
    • [Image: gpowinhello.JPG]
  3. After this, remember to link the GPO to the OU that you wish to receive it
  4. Remember to also run “gpupdate /force” on both the server and the computer side
    • Open cmd > type the command “gpupdate /force”
  5. There is a gpupdate function that pushes with one click, but you have to make sure that the users’ computers are connected
    • In the GPMC > select the OU > right click > select Group Policy Update
      • This will update all the objects inside that particular OU
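The one-click push in step 5 (and the “force gpupdate on all active computers” option in the Windows Hello post above) is Invoke-GPUpdate under the hood. As an added example, not code from the post, the script below does the same from PowerShell for every computer in the OU, but first checks that each machine is reachable, which is the caveat the step mentions, and reports the ones that were not, so you know which clients are still running the old policy. It assumes the ActiveDirectory and GroupPolicy modules (RSAT or a DC) and an admin session; the OU distinguished name is a placeholder.

```powershell
# Added example: push a Group Policy refresh to every computer in an OU, with a reachability check.
# Assumption: $TargetOU is a placeholder for the OU where the Windows Hello GPO is linked.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TargetOU = 'OU=Workstations,DC=contoso,DC=com'   # placeholder

$computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $TargetOU

$result = foreach ($c in $computers) {
    # Same pre-check the GPMC option cannot do for you: is the machine actually online?
    $online = Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet
    if ($online) {
        try {
            # Equivalent of right-click > Group Policy Update in GPMC, without the random delay.
            Invoke-GPUpdate -Computer $c.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
            $status = 'updated'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
    } else {
        # Offline machines pick the policy up at next boot/logon or the regular background refresh.
        $status = 'offline'
    }
    [pscustomobject]@{ Computer = $c.Name; Status = $status }
}

$result | Format-Table -AutoSize

# Keep a list of the machines that did not get the push, to follow up on.
$result | Where-Object Status -ne 'updated' | Export-Csv -Path .\gpupdate-pending.csv -NoTypeInformation
```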

AD & GPO: Why password/account policy is not working?

For those who are newbies to GPO (Group Policy Objects) or Group Policy Management, your mentor surely told you not to configure the Default Domain Policy and instead to create a new GPO.

Here is something you should know: not all policy settings work under a newly created GPO. This means there are still dependencies on the default GPOs. Even if you try to enable “Enforce” or “Block Inheritance”, the default GPO will always be there running. Thus, always research and understand GPO in depth.

The supporting article below is the answer for you.
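A quick way to see the dependency described above in practice is to ask AD which password policy is actually in effect for a user, rather than reading the GPO you edited. As an added example (not from the post), the function below reports the resultant policy and its source: a fine-grained password policy if one applies to the user, otherwise the domain default, which comes from the GPO linked at the domain root (normally the Default Domain Policy), not from a GPO linked to an OU. It assumes the ActiveDirectory module; the user name and expected values are placeholders.

```powershell
# Added example: show which password/lockout policy is actually in effect for a user.
# Assumptions: ActiveDirectory module available; 'jdoe' and the expected values are placeholders.
Import-Module ActiveDirectory

function Test-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $ExpectedMinLength,
        [int] $ExpectedLockoutThreshold
    )
    # A fine-grained password policy (PSO) overrides the domain default for the users it targets.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $source = "fine-grained policy '$($pso.Name)'"
        $policy = $pso
    } else {
        # No PSO: the values come from the GPO linked at the domain root.
        $source = 'domain default (GPO linked at the domain root)'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }
    [pscustomobject]@{
        User              = $SamAccountName
        Source            = $source
        MinPasswordLength = $policy.MinPasswordLength
        LockoutThreshold  = $policy.LockoutThreshold
        MaxPasswordAge    = $policy.MaxPasswordAge
        MatchesExpected   = (($policy.MinPasswordLength -eq $ExpectedMinLength) -and ($policy.LockoutThreshold -eq $ExpectedLockoutThreshold))
    }
}

# If MatchesExpected is False even after gpupdate /force, the values you set in the new
# OU-linked GPO are not the ones in effect; look at the GPO linked at the domain root instead.
Test-EffectivePasswordPolicy -SamAccountName 'jdoe' -ExpectedMinLength 12 -ExpectedLockoutThreshold 5
```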

References:

  1. https://technet.microsoft.com/en-us/library/cc748850(v=ws.10).aspx

AD & DNS: RODC not appear as Name Server?

Why does ONLY the writable domain controller (RWDC) appear as a “Name Server” in DNS?

Why does the read-only domain controller appear only as a “Host (A)” record in DNS?

*Note: This is normal behavior
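As an added example (not from the post), this script confirms the behavior from PowerShell for every domain controller at once: it lists the NS records the zone advertises and checks each DC against them, so the expected picture is that every RODC shows ListedAsNS = False and HasARecord = True, while a writable DC missing from the NS list would be the thing worth investigating. It assumes the ActiveDirectory and DnsClient modules and takes the domain name from the current domain.

```powershell
# Added example: verify that only writable DCs are NS records while RODCs still have A records.
# Assumption: run on a domain-joined machine with the ActiveDirectory and DnsClient modules.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Name servers the zone advertises; Resolve-DnsName can also return glue A records, so keep NS only.
$nsHosts = (Resolve-DnsName -Name $domain -Type NS | Where-Object Type -eq 'NS').NameHost

$report = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        DC         = $_.HostName
        IsReadOnly = $_.IsReadOnly
        ListedAsNS = ($nsHosts -contains $_.HostName)
        HasARecord = [bool](Resolve-DnsName -Name $_.HostName -Type A -ErrorAction SilentlyContinue)
    }
}

$report | Format-Table -AutoSize

# Anything unexpected: a writable DC that is not an NS, or an RODC without an A record.
$report | Where-Object { (-not $_.IsReadOnly -and -not $_.ListedAsNS) -or (-not $_.HasARecord) }
```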

Reference:

https://social.technet.microsoft.com/wiki/contents/articles/4031.how-read-only-domain-controllers-and-dns-works.aspx

https://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/

https://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx