Analyzing & Detecting IIS Backdoors

Posted on November 5, 2022 by robwillisinfo

IIS Extensions As Backdoors Microsoft recently published an interesting blog explaining how they’ve noticed a new trend where attackers have been leveraging Internet Information Services (IIS) extensions to covertly backdoor Windows servers: https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ The Microsoft post contains a wealth of Continue reading →

PowerShell Script – Invoke-RPCMap

Posted on June 26, 2022 by robwillisinfo

Invoke-RPCMap Invoke-RPCMap can be used to enumerate local and remote RPC services/ports via the RPC Endpoint Mapper service. This information can useful during an investigation where a connection to a remote port is known, but the service is running under Continue reading →

PowerShell Script – VMware vCenter CVE-2021-21972 Scan Tool

Posted on February 27, 2021 by robwillisinfo

In this post, I am releasing a PowerShell POC script that will scan the specified target hosts and attempt to detect those that are vulnerable to VMware vCenter CVE-2021-21972. You can find the script, Invoke-CVE-2021-21972-Scan.ps1, on my github here: https://github.com/robwillisinfo/VMware_vCenter_CVE-2021-21972 Continue reading →

Defending Against PowerShell Attacks

Posted on February 21, 2021 by robwillisinfo

It’s no secret that I am a big fan of PowerShell and recently I have been spending a considerable amount of time researching and testing it from a security perspective. While there is a lot of solid information out there, Continue reading →

Invoke-Decoder – A PowerShell script to decode/deobfuscate malware samples

Posted on August 1, 2020 by robwillisinfo

I have been spending a lot of time reviewing PowerShell based attacks and malware over the last few months and I wanted to take some time to really understand how some of the common obfuscation techniques really work under the Continue reading →

Disabling PowerShell v2 with Group Policy

Posted on January 20, 2020 by robwillisinfo

In this post I am going to tackle something that I have been wanting to play around with for awhile, disabling PowerShell v2 at an enterprise scale. As a former systems engineer and now a security engineer, I have a Continue reading →

Everything You Need To Know To Get Started Logging PowerShell

Posted on October 6, 2019 by robwillisinfo

Intro Recently, I have been spending a lot of time researching and working with PowerShell logging. Since PowerShell is readily available (built-in to the OS) and has an assortment of functionality that can be used across the entire kill chain Continue reading →

Gathering Windows, PowerShell and Sysmon Events with Winlogbeat – ELK 7 – Windows Server 2016 (Part II)

Posted on May 6, 2019 by robwillisinfo

In part I of this series, Installing ELK 7 (Elasticsearch, Logstash and Kibana) on Windows Server 2016, I covered the following: Installing and configuring Elasticsearch, Logstash, and Kibana as Windows services Installing and configuring Winlogbeat to forward logs from the Continue reading →

Installing ELK 7 (Elasticsearch, Logstash and Kibana) – Windows Server 2016 (Part I)

Posted on May 6, 2019 by robwillisinfo

I am a huge fan of the Elastic stack as it can provide a great deal of visibility into even the largest of environments, which can help enable both engineering and security teams rapidly triage technical issues or incidents at Continue reading →

Apache Struts CVE-2018-11776 – Testing, Analyzing, & Detection

Posted on August 31, 2018 by robwillisinfo

Intro Any time a new Apache Struts vulnerability comes out it should be taken pretty seriously as there are many “mission critical” systems that are leveraging the framework, with a considerable amount of them being public facing. Unfortunately, as a Continue reading →

RobWillis.info

everything tech.

Category Archives: Security