Analyzing & Detecting IIS Backdoors

Posted on November 5, 2022 by robwillisinfo

IIS Extensions As Backdoors Microsoft recently published an interesting blog explaining how they’ve noticed a new trend where attackers have been leveraging Internet Information Services (IIS) extensions to covertly backdoor Windows servers: https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ The Microsoft post contains a wealth of Continue reading →

PowerShell Script – Invoke-RPCMap

Posted on June 26, 2022 by robwillisinfo

Invoke-RPCMap Invoke-RPCMap can be used to enumerate local and remote RPC services/ports via the RPC Endpoint Mapper service. This information can useful during an investigation where a connection to a remote port is known, but the service is running under Continue reading →

PowerShell Script – Quickly Find The Largest Files

Posted on April 6, 2021 by robwillisinfo

A few years ago I wrote a script to help find the largest files on a drive using PowerShell without the need to install any additional software. This script was extremely useful for quickly narrowing in on files that may Continue reading →

PowerShell Script – VMware vCenter CVE-2021-21972 Scan Tool

Posted on February 27, 2021 by robwillisinfo

In this post, I am releasing a PowerShell POC script that will scan the specified target hosts and attempt to detect those that are vulnerable to VMware vCenter CVE-2021-21972. You can find the script, Invoke-CVE-2021-21972-Scan.ps1, on my github here: https://github.com/robwillisinfo/VMware_vCenter_CVE-2021-21972 Continue reading →

Defending Against PowerShell Attacks

Posted on February 21, 2021 by robwillisinfo

It’s no secret that I am a big fan of PowerShell and recently I have been spending a considerable amount of time researching and testing it from a security perspective. While there is a lot of solid information out there, Continue reading →

Invoke-Decoder – A PowerShell script to decode/deobfuscate malware samples

Posted on August 1, 2020 by robwillisinfo

I have been spending a lot of time reviewing PowerShell based attacks and malware over the last few months and I wanted to take some time to really understand how some of the common obfuscation techniques really work under the Continue reading →

Disabling PowerShell v2 with Group Policy

Posted on January 20, 2020 by robwillisinfo

In this post I am going to tackle something that I have been wanting to play around with for awhile, disabling PowerShell v2 at an enterprise scale. As a former systems engineer and now a security engineer, I have a Continue reading →

Everything You Need To Know To Get Started Logging PowerShell

Posted on October 6, 2019 by robwillisinfo

Intro Recently, I have been spending a lot of time researching and working with PowerShell logging. Since PowerShell is readily available (built-in to the OS) and has an assortment of functionality that can be used across the entire kill chain Continue reading →

Dell XPS 15 9570 – Thermal Mods

Posted on August 21, 2019 by robwillisinfo

I have always been a big fan of Dell hardware from their laptops to servers. Two things always seem to remain the same with Dell, you can get a considerable amount of performance bang for the buck and their hardware Continue reading →

Gathering Windows, PowerShell and Sysmon Events with Winlogbeat – ELK 7 – Windows Server 2016 (Part II)

Posted on May 6, 2019 by robwillisinfo

In part I of this series, Installing ELK 7 (Elasticsearch, Logstash and Kibana) on Windows Server 2016, I covered the following: Installing and configuring Elasticsearch, Logstash, and Kibana as Windows services Installing and configuring Winlogbeat to forward logs from the Continue reading →

RobWillis.info

everything tech.