
WMI Management’s Different Flavours

Posted on January 31, 2023 by Marbenz Antonio


WMI is a valuable tool for system administrators: it allows management of Windows workstations, interaction with Microsoft products such as Configuration Manager, monitoring of server resources, and more. This post explores the various ways of using WMI from PowerShell. By the end, you will understand when to use each method, even if you end up without a clear favorite.

The Ways

There are three tools for managing WMI I want to share with you.

  • The System.Management namespace.
  • The WMI Scripting API.
  • The CIM cmdlets.

WMI cmdlets such as Get-WmiObject are not covered here, for two reasons: they are only available in Windows PowerShell, and the System.Management namespace offers similar functionality. If you haven’t tried PowerShell 7 yet, it is highly recommended.

The Procedure

Microsoft aims to address common tasks encountered in administering Windows devices, including:

  • Querying.
  • Calling a WMI Class method.
  • Creating, Updating, and Deleting a WMI Class Instance.
  • Bonus: Creating, Populating, and Deleting a custom WMI Class.

Microsoft also aims to demonstrate the advantages and disadvantages of each method and highlight where one method excels over the others.

The System.Management Namespace

If Microsoft had to choose, their favorite would be this method. It brings an object-oriented approach to WMI and makes WMI management easier to understand. Additionally, if you’re a C# developer, you’ll feel right at home.

Querying

To execute a query, you need an instance of the ManagementObjectSearcher class. There are three constructors worth examining.

  • ManagementObjectSearcher(String)
    • The simplest one. Creates a searcher object specifying the query string.
  • ManagementObjectSearcher(String, String)
    • Creates the object with the query and the scope.
  • ManagementObjectSearcher(ManagementScope, ObjectQuery)
    • The same as the previous one, but with instances of the objects instead of strings. This gives you more options.

After obtaining the searcher, the Get method is called to retrieve the ManagementObjects.

$query = "Select * From Win32_Process Where Name = 'powershell.exe'"
$searcher = [wmisearcher]($query)
$result = $searcher.Get()

The variable $result holds an instance of the ManagementObjectCollection class, which contains all the Win32_Process instances as ManagementObjects.

$result = $searcher.Get()
$result | Format-Table -Property ProcessId, Name, ExecutablePath -AutoSize

ProcessId Name           ExecutablePath
--------- ----           --------------
     4116 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

This is how it looks using the second and third constructors.

$query = "Select * From Win32_Process Where Name = 'powershell.exe'"
$scope = 'root\cimv2'
$searcher = [wmisearcher]::new($scope, $query)
$result = $searcher.Get()

# Or

$query = [System.Management.ObjectQuery]::new("Select * From Win32_Process Where Name = 'powershell.exe'")
$scope = [System.Management.ManagementScope]::new('root\cimv2')
$scope.Connect()
$searcher = [System.Management.ManagementObjectSearcher]::new($scope, $query)
$result = $searcher.Get()

Calling a WMI Method

You can either call a method on the ManagementObject returned by the query, such as Terminate, or call a method on the WMI class object itself. Let’s create a new process using the Create method.

$commandLine = 'powershell.exe -ExecutionPolicy Bypass -Command "Write-Output ''Howdy! From WMI!''; Read-Host"'
$processClass = [wmiclass]'Win32_Process'
# The parameters are: CommandLine, CurrentDirectory and ProcessStartupInformation.
$processClass.Create($commandLine, $null, $null)

If the method is successful, you should see a PowerShell console and the Output Parameters displayed.

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 2
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ProcessId        : 11896
ReturnValue      : 0
PSComputerName   :

Creating, Updating, and Deleting a WMI Class Instance

The ManagementClass.CreateInstance() method creates a new instance of the SMS_Collection class, and Put then saves it to the namespace.

$collection = ([wmiclass]'root\SMS\site_PS1:SMS_Collection').CreateInstance()
$collection.Name = 'AwesomeDeviceCollection'
$collection.LimitingCollectionID = 'PS1000042'
$collection.Put()
# The Get() method updates the $collection object with the new
# property values populated by the Config Manager.
$collection.Get()

Updating and deleting.

# [wmi] (ManagementObject) binds to an existing instance by its path; [wmiclass] is for class objects.
$collection = [wmi]"root\SMS\site_PS1:SMS_Collection.CollectionID='PS1000043'"
$collection.Name = 'AwesomeDeviceCollection_NewName'
$collection.Put()

# Deleting

$collection.Delete()

The WMI Scripting API

The WMI Scripting API is simply the WMI COM interfaces exposed through a Runtime Callable Wrapper, also known as the WMI COM Object. Although not as straightforward as the System.Management namespace, this method of managing WMI offers greater flexibility in its implementation.

Querying

To begin, create an instance of the SWbemLocator object, which serves as the entry point to the other objects, and obtain an SWbemServices object by connecting to the server.

$locator = New-Object -ComObject 'WbemScripting.SWbemLocator'
$services = $locator.ConnectServer()

Next, use the ExecQuery method of the SWbemServices object to execute the query. This method returns an SWbemObjectSet, a collection of SWbemObjects whose properties are exposed under the Properties_ property.

$result = $services.ExecQuery("Select * From Win32_Process Where Name = 'powershell.exe'")
$object = $result | Select-Object -First 1
$value = $object.Properties_['ProcessId'].Value

Calling a WMI Method

First, spawn an instance of the __PARAMETERS class from the method’s InParameters object; it holds the input parameters for the Create method. Then use the SWbemServices.ExecMethod() method to call Create.

$commandLine = 'powershell.exe -ExecutionPolicy Bypass -Command "Write-Output ''Howdy! From WMI!''; Read-Host"'
$parameters = $object.Methods_['Create'].InParameters.SpawnInstance_()
$parameters.Properties_['CommandLine'].Value = $commandLine

$output = $services.ExecMethod('Win32_Process', 'Create', $parameters)

The $output variable contains a SWbemObject, which is an instance of the Output Parameters property class.

$services.ExecMethod('Win32_Process', 'Create', $parameters)
Value       : 16172
Name        : ProcessId
IsLocal     : True
Origin      : __PARAMETERS
CIMType     : 19
Qualifiers_ : System.__ComObject
IsArray     : False

Value       : 0
Name        : ReturnValue
IsLocal     : True
Origin      : __PARAMETERS
CIMType     : 19
Qualifiers_ : System.__ComObject
IsArray     : False

Creating, Updating, and Deleting a WMI Class Instance

Let’s replicate our last example using the Scripting API.

$collection = $services.Get('\\.\root\SMS\site_PS1:SMS_Collection').SpawnInstance_()
$collection.Properties_['Name'].Value = 'AwesomeDeviceCollection'
$collection.Properties_['LimitingCollectionID'].Value = 'PS1000042'
$collection.Put_()

Updating and deleting.

$collection = $services.Get("\\.\root\SMS\site_PS1:SMS_Collection.CollectionID='PS1000043'")
$collection.Properties_['Name'].Value = 'AwesomeDeviceCollection_NewName'
$collection.Put_()

# Deleting

$collection.Delete_()

The CIM Cmdlets

For quick and efficient WMI data analysis without the need for interaction, the CIM Cmdlets are unbeatable. They are fast and provide convenient features such as auto-complete for class and namespace names and easy class retrieval with Get-CimClass.

Querying

Performing queries with the CIM Cmdlets is very pleasant. One line does it all.

$result = Get-CimInstance -Query "Select * From Win32_Process Where Name = 'powershell.exe'"

The parameters are similar to those of Get-WmiObject and can be used in a similar manner.

$result = Get-CimInstance -ClassName 'Win32_Process' -Filter "Name = 'powershell.exe'"

The auto-complete feature in Visual Studio Code (figure: Auto-Complete with CIM).

Calling a WMI Method

The CIM Cmdlets offer a distinctive approach to executing WMI methods. The result of a CIM query is a CimInstance, and instance methods cannot be invoked directly as with the other two options. Instead, a separate cmdlet, Invoke-CimMethod, is used.

$commandLine = 'powershell.exe -ExecutionPolicy Bypass -Command "Write-Output ''Howdy! From WMI!''; Read-Host"'
$result = Get-CimClass -ClassName 'Win32_Process'
$params = @{
  MethodName = 'Create'
  Arguments = @{
    CommandLine = $commandLine
  }
}
$output = $result | Invoke-CimMethod @params

# Or
$params = @{
  ClassName = 'Win32_Process'
  MethodName = 'Create'
  Arguments = @{
    CommandLine = $commandLine
  }
}
$output = Invoke-CimMethod @params

And the result:

Invoke-CimMethod -ClassName 'Win32_Process' -MethodName 'Create' -Arguments @{ CommandLine = $commandLine }
ProcessId ReturnValue PSComputerName
--------- ----------- --------------
    14932           0

Struggling to recall parameters? Same here! Fortunately, auto-complete also works with them.

(figure: Auto-Complete with method parameters)

Creating, Updating, and Deleting a WMI Class Instance

If you used the old WMI Cmdlets before, this will look familiar.

$params = @{
  Namespace = 'root\SMS\site_PS1'
  ClassName = 'SMS_Collection'
  Property = @{
    Name = 'AwesomeDeviceCollection'
    LimitingCollectionID = 'PS1000042'
  }
}
$collection = New-CimInstance @params

Updating and deleting.

$params = @{
  Namespace = 'root\SMS\site_PS1'
  Query = "Select * From SMS_Collection Where Name = 'AwesomeDeviceCollection'"
  Property = @{
    Name = 'AwesomeDeviceCollection_NewName'
  }
}
Set-CimInstance @params

#Or

$params = @{
  Namespace = 'root\SMS\site_PS1'
  Query = "Select * From SMS_Collection Where Name = 'AwesomeDeviceCollection'"
}
$collection = Get-CimInstance @params
$collection | Set-CimInstance -Property @{
  Name = 'AwesomeDeviceCollection_NewName'
}

#Deleting

$params = @{
  Namespace = 'root\SMS\site_PS1'
  Query = "Select * From SMS_Collection Where Name = 'AwesomeDeviceCollection'"
}
$collection = Get-CimInstance @params
$collection | Remove-CimInstance

Pros and Cons

The System.Management namespace is efficient for obtaining objects or class instances, and the [wmi] and [wmiclass] type accelerators simplify its use when the paths are known. Calling methods is straightforward, but performing queries and complex operations may be slower and require managing more objects.

The WMI Scripting API is ideal when constructing comprehensive scripts for WMI management. With the SWbemServices object, you have access to most WMI features. Its direct access to RCW interfaces also delivers improved performance compared to the System.Management namespace, which wraps these interfaces for abstraction. However, retrieving individual objects or performing data analysis queries can be cumbersome with this method, as it requires more effort compared to the System.Management namespace.

The CIM cmdlets excel in performance when it comes to querying large datasets, and the CimInstance object is easy to work with when combined with other common objects like PSCustomObject. However, calling methods is not as straightforward as with other methods, and accessing methods like Put, Get, or Delete can be challenging.
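As an added example (not code from the original post), the script below runs the post’s Win32_Process query through all three access paths, normalizes the rows to PSCustomObject and times each path, so the claims above can be checked on your own machine. The function names and the Assert-WqlLiteral guard are assumptions introduced here; it assumes Windows with WMI available and Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example: the same query through System.Management, the WMI Scripting API
# and the CIM cmdlets, with a timing comparison. Not part of the original post.

function Assert-WqlLiteral {
    param([string]$Value)
    # WQL string literals are single-quoted; when the name comes from untrusted
    # input, reject characters that could terminate the literal early.
    if ($Value -match "['\\]") { throw "Unsafe characters in WQL literal: $Value" }
    $Value
}

function Get-ProcessViaSystemManagement {
    param([string]$Name = 'powershell.exe')
    $query = "Select * From Win32_Process Where Name = '$(Assert-WqlLiteral $Name)'"
    # Second constructor from the post: scope string plus query string.
    $searcher = [System.Management.ManagementObjectSearcher]::new('root\cimv2', $query)
    try {
        foreach ($mo in $searcher.Get()) {
            [PSCustomObject]@{
                Source         = 'System.Management'
                ProcessId      = [uint32]$mo.Properties['ProcessId'].Value
                Name           = [string]$mo.Properties['Name'].Value
                ExecutablePath = [string]$mo.Properties['ExecutablePath'].Value
            }
            $mo.Dispose()   # ManagementObject wraps native WMI resources
        }
    }
    finally { $searcher.Dispose() }
}

function Get-ProcessViaScriptingApi {
    param([string]$Name = 'powershell.exe')
    $query = "Select * From Win32_Process Where Name = '$(Assert-WqlLiteral $Name)'"
    $locator  = New-Object -ComObject 'WbemScripting.SWbemLocator'
    $services = $locator.ConnectServer('.', 'root\cimv2')
    foreach ($obj in $services.ExecQuery($query)) {
        [PSCustomObject]@{
            Source         = 'Scripting API'
            ProcessId      = [uint32]$obj.Properties_.Item('ProcessId').Value
            Name           = [string]$obj.Properties_.Item('Name').Value
            ExecutablePath = [string]$obj.Properties_.Item('ExecutablePath').Value
        }
    }
    # COM wrappers are not released promptly by the GC; release them explicitly.
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($services)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($locator)
}

function Get-ProcessViaCim {
    param([string]$Name = 'powershell.exe')
    Get-CimInstance -ClassName 'Win32_Process' -Filter "Name = '$(Assert-WqlLiteral $Name)'" |
        ForEach-Object {
            [PSCustomObject]@{
                Source         = 'CIM cmdlets'
                ProcessId      = $_.ProcessId
                Name           = $_.Name
                ExecutablePath = $_.ExecutablePath
            }
        }
}

function Compare-WmiAccessPaths {
    param([string]$Name = 'powershell.exe', [int]$Iterations = 5)
    $paths = @(
        @{ Method = 'System.Management'; Script = { Get-ProcessViaSystemManagement -Name $Name } },
        @{ Method = 'Scripting API';     Script = { Get-ProcessViaScriptingApi -Name $Name } },
        @{ Method = 'CIM cmdlets';       Script = { Get-ProcessViaCim -Name $Name } }
    )
    foreach ($path in $paths) {
        $rows = & $path.Script   # warm-up run (JIT, COM init); also gives the instance count
        $elapsed = Measure-Command {
            for ($i = 0; $i -lt $Iterations; $i++) { & $path.Script | Out-Null }
        }
        [PSCustomObject]@{
            Method          = $path.Method
            Instances       = @($rows).Count
            AvgMilliseconds = [math]::Round($elapsed.TotalMilliseconds / $Iterations, 1)
        }
    }
}

Compare-WmiAccessPaths | Format-Table -AutoSize
```

Each Get-* function emits the same row shape, so the three result sets can be compared with Compare-Object regardless of which access path produced them.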

Conclusion

With the knowledge gained from this discussion, you should now be able to choose the appropriate tool for working with WMI depending on your needs. No single method is the best in all situations, but each has its own strengths. By utilizing all of them, you will become a more effective System Administrator.

 


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Posted in Microsoft. Tagged: Microsoft.

Registry Monitor for PowerShell

Posted on January 31, 2023 by Marbenz Antonio


During a work conversation, a colleague asked me if it was possible to track changes to a Windows registry key. Microsoft was aware that changes to files can be monitored using the System.IO.FileSystemWatcher .NET class, but was unaware of registry monitoring. However, they later learned that Windows has an API for it and that it can be called from PowerShell using Interop Services.

About tools

To achieve this, Microsoft will use Platform Invoke, also known as P/Invoke. P/Invoke is the .NET facility, exposed through the System.Runtime.InteropServices namespace, that allows native APIs to be called from managed .NET code. It is included in Windows via the Global Assembly Cache and also in PowerShell Core.

Moreover, they will utilize several Windows API functions, as listed below:

  • RegOpenKeyEx: Responsible for opening a handle to the key.
  • RegNotifyChangeKeyValue: Responsible for monitoring the key, and triggering an event when a change happens.
  • CreateEvent: Responsible for creating the event.
  • WaitForSingleObject: This will monitor the event, and return a result based on the outcome.
  • RegCloseKey: To close the handle to our registry key.
  • CloseHandle: To close the handle to the event created.

The final two functions are optional, since Interop Services can wrap native handles in a SafeHandle that the Garbage Collector frees automatically; closing them explicitly is still good practice and builds the habit of tracking object lifetimes. If you plan to work with Windows APIs frequently, become familiar with their memory management to avoid unexpected behavior.

About definition

To utilize System.Runtime.InteropServices, Microsoft will need to write some of their code in C#. Don’t be intimidated, as C# and PowerShell are quite similar and it won’t be difficult. We’ll begin by defining our functions.

They will show step-by-step how to use RegOpenKeyEx, and the other functions will follow the same process. According to Microsoft’s documentation, the function definition appears as follows:

LSTATUS RegOpenKeyExW(
  [in]           HKEY    hKey,
  [in, optional] LPCWSTR lpSubKey,
  [in]           DWORD   ulOptions,
  [in]           REGSAM  samDesired,
  [out]          PHKEY   phkResult
);

Don’t be concerned about the “W” at the end. Many Windows functions have both ANSI and UNICODE versions. Functions ending in “A” are ANSI-compliant and those ending in “W” are UNICODE-compliant. When you call RegOpenKeyEx, Windows will automatically use one of the two versions.

  • HKEY: This represents a handle, which is a type of pointer and can be represented as System.IntPtr in C#. As memory addresses are numerical, System.IntPtr is a specific type of integer.
  • LPCWSTR: A pointer to a constant string with 16-bit Unicode characters, represented as System.String in our case.
  • DWORD: A 32-bit unsigned integer, equivalent to System.UInt32.
  • REGSAM: A Registry Security Access Mask, which they will discuss later.
  • PHKEY: A pointer to a variable that will receive the opened key handle, which can be represented as System.IntPtr.
  • LSTATUS: The function’s return type, a Windows LONG (32-bit), which we will represent as System.Int32 (int) in C#.

The REGSAM data type is a collection of definitions that map Registry Key security to unsigned integers and can be represented as a System.UInt32 in C#. Microsoft will use the KEY_NOTIFY REGSAM, which corresponds to 0x0010. The final function definition will look similar to this:

[DllImport("Advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegOpenKeyExW(
    IntPtr hKey,
    string lpSubKey,
    uint ulOptions,
    uint samDesired,
    out IntPtr phkResult
);

The first line in square brackets is the DllImport Attribute. It specifies the DLL containing the definition for RegOpenKeyExW. The CharSet = CharSet.Unicode sets Unicode as the encoding and SetLastError = true sets the last error with the corresponding Win32 error if the function call fails, which is important for debugging and problem resolution.

Following the same approach, we write the full code:

using System;
using System.Runtime.InteropServices;

namespace Win32
{
    public class Regmon
    {
        // hKey is an HKEY (a handle), so it is declared as IntPtr to stay pointer-sized
        // in both 32-bit and 64-bit processes, matching the definition derived above.
        [DllImport("Advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern int RegOpenKeyExW(
            IntPtr hKey,
            string lpSubKey,
            uint ulOptions,
            uint samDesired,
            out IntPtr phkResult
        );

        [DllImport("Advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern int RegNotifyChangeKeyValue(
            IntPtr hKey,
            bool bWatchSubtree,
            int dwNotifyFilter,
            IntPtr hEvent,
            bool fAsynchronous
        );

        [DllImport("Advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern int RegCloseKey(IntPtr hKey);

        // CloseHandle is exported by kernel32.dll, not Advapi32.dll. Importing it from
        // the wrong DLL compiles fine and only fails at call time (EntryPointNotFoundException).
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int CloseHandle(IntPtr hObject);

        // lpEventAttributes is really LPSECURITY_ATTRIBUTES; declaring it as int is
        // acceptable only because the script always passes 0 (NULL), as explained below.
        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern IntPtr CreateEventW(
            int lpEventAttributes,
            bool bManualReset,
            bool bInitialState,
            string lpName
        );

        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern int WaitForSingleObject(
            IntPtr hHandle,
            int dwMilliseconds
        );
    }
}

The original lpEventAttributes parameter is from the LPSECURITY_ATTRIBUTES structure, but since we won’t be using it, defining it as int will not cause any issues. If Microsoft needed to use it, they would have to define LPSECURITY_ATTRIBUTES.

Writing the PowerShell code

With the necessary setup completed, we can now write the PowerShell code that utilizes these functions. To simplify the view, the previous definition text is represented as $signature. You just need to create a string variable to hold the C# code, which can be done using here-strings.

$signature = @'
    Your code goes here.
'@

The final script looks like this:

using namespace System.Runtime.InteropServices

[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]$KeyPath,

    # HH is a 24-hour clock, so morning and afternoon runs do not produce the same log name.
    [Parameter()]
    [string]$LogPath = "$PSScriptRoot\RegMon-$(Get-Date -Format 'yyyyMMdd-HHmmss').log",

    [Parameter()]
    [int]$Timeout = 0xFFFFFFFF #INFINITE
)

# $signature holds the C# definitions shown above (see the here-string example).
Add-Type -TypeDefinition $signature

if (!(Test-Path -Path $KeyPath)) { throw "Registry key not found." }

# Predefined root-key handles (HKEY_* constants), sign-extended into a pointer-sized IntPtr.
switch -Wildcard ((Get-Item $KeyPath).Name) {
    'HKEY_CLASSES_ROOT*' { $regdefault = [IntPtr]0x80000000 }
    'HKEY_CURRENT_USER*' { $regdefault = [IntPtr]0x80000001 }
    'HKEY_LOCAL_MACHINE*' { $regdefault = [IntPtr]0x80000002 }
    'HKEY_USERS*' { $regdefault = [IntPtr]0x80000003 }
    Default { throw 'Unsupported hive.' }
}

$handle = [IntPtr]::Zero
# KEY_NOTIFY (0x0010) is the only access right this script needs, so it asks for nothing more.
$result = [Win32.Regmon]::RegOpenKeyExW($regdefault, ($KeyPath -replace '^.*:\\'), 0, 0x0010, [ref]$handle)
if ($result -ne 0) { throw "RegOpenKeyExW failed with Win32 error $result." }

# Auto-reset event (bManualReset = $false): a satisfied wait resets it, so the next
# RegNotifyChangeKeyValue call blocks until a new change instead of returning at once.
$event = [Win32.Regmon]::CreateEventW(0, $false, $false, $null)
if ($event -eq [IntPtr]::Zero) {
    [Win32.Regmon]::RegCloseKey($handle) | Out-Null
    throw "CreateEventW failed with Win32 error $([Marshal]::GetLastWin32Error())."
}

<#
This will run indefinitely until it fails or reaches a timeout.
Adjust accordingly.
#>
try {
    :Outer while ($true) {
        $result = [Win32.Regmon]::RegNotifyChangeKeyValue(
            $handle,
            $false,
            0x00000001L -bor #REG_NOTIFY_CHANGE_NAME
            0x00000002L -bor #REG_NOTIFY_CHANGE_ATTRIBUTES
            0x00000004L -bor #REG_NOTIFY_CHANGE_LAST_SET
            0x00000008L, #REG_NOTIFY_CHANGE_SECURITY
            $event,
            $true
        )
        if ($result -ne 0) { throw "RegNotifyChangeKeyValue failed with Win32 error $result." }
        $wait = [Win32.Regmon]::WaitForSingleObject($event, $Timeout)

        switch ($wait) {
            0xFFFFFFFF { break Outer } #WAIT_FAILED

            0x00000102L { #WAIT_TIMEOUT
                $outp = 'Timeout reached.'
                Write-Host $outp -ForegroundColor DarkGreen
                Add-Content -FilePath $LogPath -Value $outp
                break Outer
            }

            0 { #WAIT_OBJECT_0 ~> Change detected.
                $outp = "Change triggered on the specified key. Timestamp: $(Get-Date -Format 'HH:mm:ss - dd/MM/yyyy')."
                Write-Host $outp -ForegroundColor DarkGreen
                Add-Content -FilePath $LogPath -Value $outp
            }
        }
    }
}
finally {
    # Release the event and key handles even when the loop exits by throwing.
    [Win32.Regmon]::CloseHandle($event) | Out-Null
    [Win32.Regmon]::RegCloseKey($handle) | Out-Null
}

Note

When calling RegOpenKeyExW for the first time, we don’t have the handle to the key yet, so we specify which root key we want to use. The parameter lpSubKey is optional. When not specified, the function will monitor the root key.
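The monitor above only records that the key changed. As an added example (not part of the original post), the helpers below snapshot a key’s values and diff two snapshots, so the change-detected branch can log which value was added, removed or modified. The function names and the demo key HKCU:\Software\RegMonDemo are assumptions introduced here.

```powershell
# Added example: snapshot and diff the values of a registry key. Complements the
# RegMon script; not code from the original post.

function Get-RegistryKeySnapshot {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$KeyPath)

    $snapshot = @{}
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    foreach ($valueName in $key.GetValueNames()) {
        $kind = $key.GetValueKind($valueName)
        # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as stored, so a change
        # in the stored string is not masked by an identical expansion.
        $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
        # Store a printable form so binary and multi-string data compare reliably.
        if ($data -is [byte[]]) { $printable = [BitConverter]::ToString($data) }
        elseif ($data -is [string[]]) { $printable = $data -join "`n" }
        else { $printable = [string]$data }
        $label = if ($valueName -eq '') { '(Default)' } else { $valueName }
        $snapshot[$label] = [PSCustomObject]@{ Kind = $kind; Data = $printable }
    }
    $snapshot
}

function Compare-RegistryKeySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $old = $Before[$name]
        $new = $After[$name]
        if ($null -eq $old) {
            [PSCustomObject]@{ Change = 'Added';    Value = $name; Kind = $new.Kind; Before = $null;     After = $new.Data }
        } elseif ($null -eq $new) {
            [PSCustomObject]@{ Change = 'Removed';  Value = $name; Kind = $old.Kind; Before = $old.Data; After = $null }
        } elseif ($old.Kind -ne $new.Kind -or $old.Data -ne $new.Data) {
            [PSCustomObject]@{ Change = 'Modified'; Value = $name; Kind = $new.Kind; Before = $old.Data; After = $new.Data }
        }
    }
}

# Demo against a throwaway key (constructed; deleted at the end).
$demoKey = 'HKCU:\Software\RegMonDemo'
New-Item -Path $demoKey -Force | Out-Null
Set-ItemProperty -Path $demoKey -Name 'Setting' -Value 'before'
$before = Get-RegistryKeySnapshot -KeyPath $demoKey
Set-ItemProperty -Path $demoKey -Name 'Setting' -Value 'after'
New-ItemProperty -Path $demoKey -Name 'Flag' -Value 1 -PropertyType DWord | Out-Null
$after = Get-RegistryKeySnapshot -KeyPath $demoKey
Compare-RegistryKeySnapshot -Before $before -After $after | Format-Table -AutoSize
Remove-Item -Path $demoKey -Recurse
```

In the monitor, take one snapshot before the loop and, in the WAIT_OBJECT_0 branch, take a new one, compare, log the differences and keep the new snapshot as the baseline.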

 



Reports and Analytics for Administrators of Microsoft Power Platform

Posted on January 31, 2023 by Marbenz Antonio


Admins of the environment can view analytics for Power Automate in the Microsoft Power Platform admin center. The analytics reveal information about flow runs, usage, errors, flow types (automated, button, scheduled, approval, business process), shared flows, and connector details. However, these reports do not cover Desktop Flows. To access the reports, the admin must:

  1. Go to the navigation bar on the left side.
  2. Select Analytics.
  3. Select Microsoft Power Automate.
  4. View the reports on the right side.

Who can view these reports?

Admins with a license and specific roles are able to access Power Automate analytics reports.

  • Environment Admin – can view reports for the environments that the admin has access to.
  • Power Platform Admin – can view reports for all environments.
  • Dynamics 365 Admin – can view reports for all environments.
  • Microsoft 365 Global Admin – can view reports for all environments.

For details on managing your tenant across the platform with different roles, refer to “Use service admin roles to manage your tenant”.

Data Storage

A user-created environment is hosted in the region it is created in and all its data stays within that region for up to 28 days.

Data refresh occurs every 3 hours, with the last refresh time displayed in the top right corner of the page.

What are the available reports?

Tenant and environment admins have access to the following tenant-level reports. Reports under the Runs, Usage, Created, and Errors tabs provide insights for both Cloud and Desktop flows. The default view is for the last viewed environment.

Runs report

The Runs report is displayed by default, offering a daily, weekly, and monthly view of all flow runs in an environment.

Daily runs.

Usage report

This report gives insights into the types of flows in use, their trends, and the names of their creators.

Usage report.

Created report

This report offers insights into flow types created, trends, and details such as creation date and creator’s email.

Created report.

Error report

This report provides information on recurring error types and includes, for each flow, the error count, the creator’s email, and the time of last occurrence.

Error report.

Shared report

This report provides information on shared flows and their trends within the environment.

Shared report.

Connectors report

This report displays connector details and their related flows. Metrics such as calls per connector per flow, flow runs, and the flow creator’s email are available for standard and custom connectors.

Connector report.

Download reports

The reports are created using Power BI. Users can export data by selecting the ellipsis (…) for a KPI.

Export report.

View reports in other environments

To view reports in another environment:

  1. Select Change Filters.
  2. Select the new environment from the Environment list and optionally, select a Time Period.
  3. Select Apply.

 



Microsoft Announces the Sales of Fungible to Enhance Datacenter Innovation

Posted on January 11, 2023 by Marbenz Antonio


Microsoft has announced today that they are acquiring Fungible Inc., a company that specializes in composable infrastructure that aims to speed up the performance of networking and storage in data centers by using high-efficiency, low-power data processing units (DPUs).

Fungible’s technology will support high-performance, reliable, and secure data center infrastructure that is disaggregated and can be easily scaled out.

The team of Fungible will be integrated into Microsoft’s data center infrastructure engineering teams and will focus on developing various solutions based on DPUs, advancing network technology, and making hardware systems improvements.

The acquisition of Fungible Inc. further demonstrates Microsoft’s dedication to making long-term investments in its data center infrastructure, which will improve its wide range of technologies and offerings. These include reducing workloads, minimizing latency, maximizing data center server density, increasing energy efficiency, and cutting down costs.

 



PAT Scopes are now Supported by all Azure DevOps REST APIs

Posted on December 29, 2022 by Marbenz Antonio


The Azure DevOps team recently implemented a change to connect all of their REST APIs with a specific personal access token (PAT) scope as part of their efforts to improve security. Before this change, some of these APIs were not tied to a PAT scope, which could potentially lead to customers using full-scoped PATs to access them. Full-scoped PATs grant access to all the permissions of the corresponding user and could be misused by malicious actors to access sensitive information such as source code or production infrastructure. By associating these APIs with a PAT scope, the Azure DevOps team is reducing the risks associated with a compromised PAT credential.

If you are using a full-scoped personal access token (PAT) to authenticate to an Azure DevOps REST API, you should consider switching to a PAT with a more specific scope to limit access. The specific scopes accepted by each API are listed in the “Security” section of the API’s documentation. By using a PAT with the appropriate scope, you can avoid granting unnecessary access.

(figure: PAT scope in the REST API docs, example)

Additionally, these improvements should allow more customers to prevent the creation of full-scoped personal access tokens (PATs) by enabling the corresponding control plane policy.

 



3 Major Trends in Migrating and Modernizing Workloads toward the Cloud

Posted on December 22, 2022 by Marbenz Antonio


Over the past few years, organizations have faced significant challenges as they have had to adapt to economic, political, and societal changes. These challenges are not over yet, as the business environment remains uncertain and there are ongoing concerns such as inflation, supply chain disruptions, and rising energy costs.

Microsoft believes that organizations can best navigate this uncertainty by doing more with fewer resources, such as reducing complexity and cost while increasing agility, resilience, and innovation. This can be achieved through the use of digital technologies to achieve more despite current limitations.

Migrating workloads to the cloud allows organizations to better align their IT investments with business needs while taking advantage of the cost savings provided by cloud economies of scale. Modern infrastructure and cloud capabilities can also enable an organization’s IT workforce to focus on the workloads and applications that are most important to their customers.

To gain insight into the challenges faced by our customers and their plans for cloud adoption, Microsoft conducted a global survey with over 1200 IT decision-makers.

The study revealed three key cloud adoption trends:


1. Cloud adoption plans remain integral to strategies in uncertain business climates

According to the survey, 62% of organizations have a migration and modernization strategy in place, demonstrating the growing importance of cloud adoption in IT transformation. The top motivators for these organizations are reducing overall business costs, future-proofing business strategy, and driving revenue growth. The survey also showed that security, business continuity, disaster recovery, and scalability are among the top benefits desired from cloud migrations. Despite these benefits, Microsoft expects that return on investment will continue to be a top consideration for customers as they prioritize cloud initiatives, whether it be optimizing their existing cloud workloads or moving additional workloads to the cloud. This focus on cost optimization and the rise of financial operations teams (FinOps) is also reflected in the Flexera State of the Cloud 2022 report, which found that optimizing the existing use of the cloud (cost savings) was the top initiative for the sixth year in a row, followed by migrating more workloads to the cloud.

Organizations are taking a comprehensive approach to their cloud adoption plans by evaluating their entire IT infrastructure to better prepare for the future. According to the survey, the number of organizations with more than half of their workloads in the cloud will increase from 27% to 47% over the next 18 months, with investments covering both business-critical and non-business-critical workloads. Additionally, the survey found that organizations with a cloud migration and modernization strategy are 58% more likely to be “cloud-only” (with all or nearly all applications and workloads running in the cloud) three years from now.

2. Modernization is a key focus for digital transformation

According to the survey, 82% of organizations said that migrating to the cloud is a stepping stone toward digital transformation. Migrating workloads to the cloud is about moving them to a new platform, while modernization involves adapting existing applications and workloads to take advantage of cloud-native technologies like Platform-as-a-Service (PaaS) or containers. Of the workloads that have already been migrated, 74% were identified as candidates for modernization. Modernizing workloads can facilitate digital transformation, whether by speeding up product innovation cycles or providing personalized end-user experiences.

3. Hybrid and multi-cloud interoperability and integration are expected

Organizations are continuing to adopt multi-cloud approaches and are looking for cross-cloud management and interoperability from their cloud providers. According to our recent research on hybrid and multi-cloud, 71% of customers surveyed want to retain investment flexibility and access the best cloud capabilities and are planning to implement a hybrid or multi-cloud strategy.

There are several barriers that can slow down cloud adoption, including the complexities of cloud-to-cloud integration, adapting existing applications, and integrating with legacy systems. It is therefore not surprising that support from a dedicated migration and modernization team was the top priority for customers surveyed in terms of their wishes from cloud vendors. Other important areas identified in the survey included post-migration support, access to engineering resources, and assistance with technical skills development. These findings have significant implications for cloud providers as they develop programs and investments to support customers during these uncertain times.

How Microsoft Azure can help customers with cloud migration and modernization efficiently

Microsoft has been undergoing its own digital transformation journey since we started migrating on-premises workloads to the cloud in 2014. We have used the built-in tools and data insights provided by Azure to optimize costs (such as Azure Advisor, Azure Cost Management and Billing, and Azure Monitor) and reinvest in modernization to drive business growth. Today, more than 95% of our workloads run on the cloud, and while our annual budget for Azure has remained constant since 2014, Microsoft has grown by more than 20%. Our own experience and insights inform how we can help customers meet their current and future technology needs.

Fiserv, a global fintech and payment company, improved its payment processing infrastructure to streamline operations, reducing risk and saving costs. Perrigo, a worldwide producer and supplier of consumer self-care products, gained agility and flexibility by modernizing finance workloads to create a single source of truth for finance. The Bank of Angola became the first bank in Angola to embrace digital transformation by moving to the cloud to innovate and improve processes and infrastructure. O2 Czech Republic, the leading telecommunications company in the Czech Republic, achieved 30% total cost of ownership (TCO) savings for every workload it migrated while improving security and scaling its entertainment business.

Microsoft is committed to helping our customers get the most out of their Azure investments by providing solutions that enable them to do more with fewer resources.

  • Microsoft is introducing a new total cost of ownership (TCO) or business case tool that helps customers estimate the savings they can achieve by migrating their Windows Server and SQL Server estate to Azure. This tool will be available within Azure Migrate, our free self-service migration tool that enables organizations to plan and execute their move to Azure. You can try out this new capability and share your feedback.
  • Customers can optimize their cloud investments with Microsoft’s unique offers and pricing benefits. For example, the Azure Hybrid Benefit allows customers to save costs by using their Software Assurance-enabled Windows Server, SQL Server, Red Hat Enterprise Linux, and SUSE Linux licenses on Azure, while Extended Security Updates are free only on Azure. Running Windows Server and SQL Server VMs on Azure is up to 80% less expensive than with our main competitor. Additionally, with the Azure savings plan for compute, customers can reduce resource costs by up to 65% compared to pay-as-you-go prices.
  • The Azure Migration and Modernization Program (AMMP) offers a range of expert assistance to help customers reduce migration costs and speed up their transition to Azure, including technical training, engineering resources, specialized partners, and cost-effective incentives.

Microsoft is dedicated to helping our customers succeed, achieve strong business results, and maximize their return on investment in the cloud, especially during difficult times like the present.

 


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Posted in Microsoft. Tagged: Microsoft, Microsoft Azure.

Defense-in-depth Strategy for Cloud Vulnerabilities using Microsoft Azure

Posted on December 22, 2022 by Marbenz Antonio


Microsoft Azure is a digital platform that helps customers build and run their organizations. It is one of the largest cloud service providers and aims to help its customers be secure from the beginning and to do more with the security of its cloud platforms, which are built-in and embedded. This is particularly important in a world with persistent, sophisticated, and driven cybercriminals, where trust is crucial and risks and threats are increasing. By building trust, Microsoft Azure hopes to help its customers protect their organizations, people, and data for a more secure future, while also satisfying complex compliance regulations.

Microsoft Azure has implemented a security strategy that includes multiple layers of protection throughout all stages of the design, development, and deployment of their platforms and technologies. This approach is known as defense in depth. In addition, Microsoft Azure is transparent about its efforts to continually learn and improve its offerings in order to protect against current and future cyber threats.

Past, present, and future of the security commitments

Microsoft has a long history of prioritizing customer security and continually improving the security of its platforms. Their approach includes multiple layers of protection implemented during the design, development, and deployment phases, as well as a focus on transparency to keep customers informed about their efforts to improve security. They have also played a leading role in establishing security best practices, including the Security Development Lifecycle (SDL) framework, which has influenced international application security standards and the White House’s Executive Order on Cyber Security.

Their team of more than 8,500 security experts works to discover and understand potential threats and to protect customers, Microsoft, and open-source software. Microsoft invests heavily in internal security research and runs a comprehensive bug bounty program, awarding more than $13.7 million in bounties in 2021. The public bounty program, which pays higher rewards for cross-tenant bug reports, has helped to further secure specific Azure services and protect their customers.

Microsoft also treats collaboration as essential to security. It has contributed to initiatives such as the NIST Secure Software Development Framework, invested in the OpenSSF Alpha-Omega project to improve the security of open-source software, and pledged to invest over $20 billion in cybersecurity over the next five years.

Microsoft Azure’s latest learning and improvements for a more secure cloud

Alongside these commitments, Microsoft invests in internal security research and threat intelligence, works to improve the security posture of open-source software, and collaborates with other organizations in the security ecosystem. To further secure its platforms, the company performs a root cause analysis and post-incident review for every reported vulnerability in Azure, in order to reflect on and apply the lessons learned.

Microsoft is focused on improving its security measures in three key areas: improving its response process, expanding its internal security research, and continuously working to secure multitenant services. Recent reports of vulnerabilities in Azure have informed these changes to its security practices.

1. Integrated response

Microsoft is looking to improve its response to vulnerabilities in Azure by accelerating response timelines, increasing the frequency and scope of its security live site reviews, and improving the integration of its external security case management and internal incident communication and management systems. These changes aim to reduce the mean time to engagement and remediation of reported vulnerabilities and improve rapid response. Microsoft is also expanding its internal security research and will be using more artificial intelligence and machine learning to help identify and mitigate threats. Finally, the company is working to improve the security of its multitenant services by implementing stronger security controls and better incident management processes.

2. Cloud Variant Hunting

Beyond the response-process changes described above, Microsoft has expanded its variant hunting program to include a dedicated Cloud Variant Hunting function, which looks for similar vulnerabilities across other services and studies vulnerability patterns in order to drive holistic mitigations and fixes:

  • In Azure Automation they identified variants and fixed more than two dozen unique issues.
  • In Azure Data Factory/Synapse they identified significant design improvements that further harden the service and address variants. They also worked with their supplier, and with other cloud providers, to ensure that the risks were addressed more broadly.
  • In Azure Open Management Infrastructure they identified multiple variants, their researchers published CVE-2022-29149, and they drove the creation of the Automatic Extension Upgrade capability to reduce time to remediate for customers. The Automatic Extension Upgrade feature is already benefiting Azure Log Analytics, Azure Diagnostics, and Azure Desired State Configuration customers.

Cloud Variant Hunting actively searches for and addresses potential issues in all of Microsoft’s services. This includes identifying and fixing a wide range of vulnerabilities, both known and unknown. In the future, they plan to share more information about this research with their customers and the wider community to improve the security of their services.

3. Secure multitenancy

Microsoft is constantly updating its Secure Multitenancy requirements and automation processes to detect and address potential security risks. Internal and external security researchers have identified ways to breach isolation barriers in Azure and other cloud platforms. In response, Microsoft has invested heavily in proactive security measures to prevent these types of issues. By analyzing these cases and determining the most common causes, they are able to make targeted changes to Azure to improve its security.

To further strengthen their defense-in-depth strategy, they are implementing even more stringent standards for isolating Compute, Network, and Credential resources across all Azure services, particularly when using third-party or open-source software components. Microsoft also works with the open-source community, including PostgreSQL, and other cloud providers to develop features that are specifically designed for multitenant cloud environments.

So far, this effort has resulted in a large number of findings and fixes, with the majority (86%) related to improving Compute, Network, or Credential isolation. To further improve automation, Microsoft is expanding its internal Dynamic Application Security Tests (DAST) to include more checks for validating Compute and Network isolation and adding new runtime Credential isolation checks. At the same time, its security experts are carefully examining its cloud services to ensure that they meet these standards and developing new automated controls for the benefit of customers and Microsoft.

 



Posted in Microsoft. Tagged: Microsoft, Microsoft Azure.

Microsoft Security: 3 starting Strategies to help you get more done with less

Posted on December 22, 2022 by Marbenz Antonio


In today’s cybersecurity landscape, organizations face a range of challenges, including persistent attackers, evolving attack tactics, and numerous potential vulnerabilities that attackers may try to exploit. The cost of a data breach has reached an all-time high of $4.35 million in 2022, highlighting the importance of protecting both people and data from adversaries. Managing multiple cybersecurity technologies can also be stressful and resource-intensive. However, it is possible to simplify and streamline your security solution without sacrificing effectiveness, even in the face of complex modern threats.

Microsoft Security solutions are designed to help organizations eliminate vulnerabilities and protect against threats in a changing world. These solutions provide comprehensive protection and expert guidance, enabling organizations to innovate and grow with confidence. With Microsoft Security, you have the capabilities to stay ahead of adversaries who are constantly developing and deploying new threats. Rather than reacting to threats in a panicked and chaotic manner, Microsoft Security provides a comprehensive solution across clouds and platforms that helps you do more with less. By streamlining and simplifying your security efforts, you can be more efficient, effective, and unified in your approach to cybersecurity.

When Microsoft says “do more with less,” they are referring to the idea of using technology to reduce the workload for IT departments and streamline the security response process. This can involve increasing efficiencies and adapting quickly to unexpected events, such as the pandemic or economic uncertainty. It also means being able to manage the security of your business with fewer resources and freeing up time for security professionals to focus on the most important tasks. In other words, it’s about using technology and processes to work smarter and more effectively, rather than simply relying on additional resources.

The concept of “doing more with less” involves a shift in mindset and a focus on efficiency and effectiveness. This approach does not necessarily involve sacrificing quality or capabilities, but rather finding ways to work smarter and more efficiently. There are several strategies that organizations can use to implement this approach, and many customers have successfully adopted one or more of these strategies to achieve better results.

Three examples of these strategies include streamlining processes, leveraging technology to automate tasks and improve efficiency, and consolidating or optimizing resources. In each case, the goal is to get the most value and impact out of the resources available, rather than simply trying to add more resources.

1. Simplify vendor management

The idea of “doing more with less” often involves simplifying processes and reducing complexity. In the context of cybersecurity, this means protecting what is most important to your organization without overburdening IT or creating unnecessary complexity. Research has shown that large organizations often have an average of 75 different security solutions, which can be difficult to manage and can result in fragmented visibility and potential vulnerabilities. To simplify and streamline your security efforts, it may be beneficial to consolidate or optimize your resources and consider working with a single vendor or a smaller number of vendors.

Microsoft Security offers several features that can help organizations simplify vendor management and reduce complexity. By choosing Microsoft Security as their comprehensive security solution, organizations can eliminate redundant capabilities and consolidate the number of vendor contracts they need to manage. Additionally, using Microsoft Security, compliance, and identity solutions in Microsoft 365 E3 and Microsoft 365 E5 can help organizations streamline their security efforts and achieve cost savings of up to 60%. Overall, by simplifying vendor management and consolidating security solutions, organizations can improve efficiency, reduce complexity, and better protect against threats.

Rabobank, a financial institution based in the Netherlands, is an example of a company that has successfully implemented simplified vendor management with Microsoft Security. By using Microsoft 365 E3 and Microsoft 365 E5, Rabobank was able to decrease its security vendors from over 20 to 4, with Microsoft as its main vendor. By switching to Microsoft Defender for Cloud threat and vulnerability management, Rabobank was able to save €400,000. Additionally, Microsoft Security has replaced multiple security information and event management systems (SIEMs) for Rabobank. By streamlining its security vendors and consolidating its security solutions, Rabobank has been able to improve efficiency, reduce complexity, and better protect against threats.

Up to 60% in savings from simplifying your vendor approach

Microsoft has estimated that using its security, compliance, and identity solutions in Microsoft 365 E3 and Microsoft 365 E5 can help organizations achieve cost savings of up to 60%. According to available pricing estimates, it would cost an organization around USD63 per user per month to purchase a representative selection of solutions to meet typical security, compliance, identity, management, and privacy needs. By consolidating these solutions and working with a single vendor, organizations may be able to achieve significant cost savings while still effectively protecting against threats.

By adding advanced compliance and security features from Microsoft 365 E5 to the core security and compliance features of Microsoft 365 E3, organizations may be able to reduce their costs by up to 60%. Based on web direct prices for Microsoft offerings, these organizations could potentially reduce their costs to around USD24 per user per month. In addition to cost savings, consolidating security solutions and working with a single vendor can help organizations streamline their operations, reduce complexity, and better protect against cyber threats. By simplifying vendor management and consolidating security solutions, organizations can “do more with less” and achieve improved efficiency and effectiveness.

Figure 1: Potential cost savings of up to 60 percent when consolidating security solutions by using Microsoft 365 E5 Compliance and Security add-ons to a Microsoft 365 E3 license—instead of using multiple-point solutions. Savings are based on publicly available estimated pricing for other vendor solutions and web direct/based price shown for Microsoft offerings. Price is not guaranteed and subject to change.

2. Reduce threats with AI and automation

As cyber threats continue to challenge IT teams and talent shortages make it difficult to fill open roles, organizations can benefit from using AI, machine learning, and automation to improve their security efforts. These technologies can help humans to better protect sensitive data, more quickly detect and respond to threats, and more accurately predict future attacks and insider risks.

By using AI and automation tools, organizations can more easily manage and govern their on-premises, multi-cloud, and software-as-a-service (SaaS) data. These technologies can help improve compliance, monitor and remediate potentially risky activity, and enable productive work for employees using multiple devices in multiple locations.

Organizations are also using AI and machine learning to:

  • Filter events and make connections between incidents.
  • Focus the IT team’s threat investigation on the biggest security issues.
  • Disrupt ransomware attacks, which traditionally are “discovered” when receiving a ransomware note.

Land O’Lakes, a consumer goods company based in the United States, must maintain its cybersecurity across a complex environment that includes 9,000 employees, nearly 10,000 endpoints, an on-premises infrastructure, Google Cloud Platform, Amazon Web Services clouds, and Microsoft Azure. To help manage this challenge, the company uses security and compliance solutions from Microsoft 365 E5 to gain visibility into its threat landscape. Land O’Lakes also utilizes the built-in AI and machine learning capabilities of Microsoft Sentinel and Microsoft Defender for Cloud to proactively manage threats and reduce alert fatigue.

3. Improve operational efficiency

By improving the efficiency of its security operations (SecOps), an organization can save a significant amount of time. A unified security information and event management system (SIEM) and extended detection and response (XDR) can improve visibility across identities and endpoints. A comprehensive security solution from Microsoft that is deeply integrated can help protect identities, devices, apps, and data against breaches, making it easier to keep systems and data secure.

Frasers Group, a UK-based sporting goods retailer, recognized that in order to incorporate new brands into its business, it needed a security solution that was flexible and interoperable. By using a Microsoft security information and event management system (SIEM) and extended detection and response (XDR) solution, as well as Microsoft Sentinel and Microsoft 365 Defender, the company was able to gain a single view of security threats and alerts, and implement tailored protection measures to keep its systems and data secure.



Posted in Microsoft. Tagged: Microsoft.

5 Endpoint Management Predictions from Microsoft Intune for 2023

Posted on December 22, 2022 by Marbenz Antonio


As the end of the year approaches, it is common for a number of reports and forecasts to be published, offering predictions for the year ahead. These predictions are not always accurate, but they can be useful in helping to consider the potential developments and trends that may occur in the coming year and how they might impact your organization. With this in mind, Microsoft would like to suggest five predictions for 2023 that they believe are worth considering, particularly in relation to endpoint management. These predictions can help you to evaluate your current endpoint security posture and consider how Microsoft Intune might be able to further improve it in 2023.

1. Strong cloud adoption rates will continue

Although some economists may have concerns about economic growth in Europe and the United States in 2023, the demand for cloud services is expected to continue to grow significantly. According to Gartner®, there will be nearly 30% growth in the infrastructure as a service and nearly 25% growth in the platform as a service sector in 2023, compared to 2022. In a survey of chief technology officers (CTOs) conducted in September 2022, 44% of respondents said that they would increase their use of the cloud in response to budget constraints or inflationary pressures. Gartner also predicts that by 2025, more than 90% of organizations will be using cloud-based unified endpoint management (UEM) tools, up from 50% in 2022. Therefore, if you have not yet migrated your UEM to the cloud, 2023 may be a good time to start.

2. Security will remain the top issue for CTOs into 2023

In a survey conducted in September, 42% of chief technology officers (CTOs) identified cloud security as their top priority in terms of incremental spending, with network security as the second most common response and analytics in third place. In a separate poll conducted by Credit Suisse, CTOs predicted that security would be the top area of IT budget growth in 2021 and 2022, with an expected increase of 11%. Looking ahead to 2026, security again ranked highest in terms of budget growth, with a predicted increase of 14%.

There are several factors driving this trend, including the ongoing geopolitical tensions and the emergence of new threats such as deepfake videos and ransomware as a service. To strengthen their organization’s defenses in 2023, chief information security officers (CISOs) may consider consolidating their security software vendors and integrating their security software with a unified console to reduce the number of vulnerabilities and improve automation. They may also invest in training their staff to be more aware of potential attacks and how to prevent them.

3. Worker mobility will increase further

In the past few years, the way in which knowledge workers operate has changed significantly, and this trend is expected to continue in 2023. One factor contributing to this shift is the mass adoption of 5G-capable devices. According to Juniper Research, there will be an additional 600 million 5G connections in 2023 alone. This technological trend is being compounded by demographic factors, such as the desire of workers to remain productive regardless of their location (the so-called “productivity paranoia”). For chief information security officers (CISOs), this means that they will need to be prepared to protect their workers from new types of threats that may arise as a result of these changes, including new working styles, networks, and devices. In 2023, it will be important to be ready to protect workers who are working from anywhere, not just from home.

4. CTOs will need to pay more attention to local factors

In 2023, it is likely to become more challenging to implement a one-size-fits-all global approach to technology initiatives, due to the increasing number of national regulations related to data sovereignty and the need to consider where data is stored and secured. This trend will be particularly relevant for public sector agencies, which often have more country-specific security and compliance requirements than private sector organizations. As a result, chief information security officers (CISOs) will need to ensure that their endpoint management solutions and overall technology architecture are flexible enough to accommodate these local requirements. This may involve adapting their solutions to meet specific regulatory or compliance standards in different countries.

5. Truly transformative technology will rise to the top

One of the predictions for 2023 is that it will become clearer which technologies are truly transformative and which have been overhyped. One technology that is expected to perform well for enterprises in 2023 is advanced forms of automation, such as artificial intelligence (AI). Since 2020, AI start-ups have received more than $100 billion in venture capital investment for a range of applications, including the development of new drugs and creative works. Security is one area where advanced automation and AI can be particularly useful, as they can help to address the complex and constantly evolving challenges faced by chief information security officers (CISOs).

While AI-generated images may garner headlines, other enterprise software solutions are also likely to benefit from both sophisticated AI and greater automation in 2023. For example, Gartner predicts that by 2027, unified endpoint management (UEM) and digital employee experience tools will converge to enable autonomous endpoint management and reduce human effort by at least 40%. The more security tasks can be automated, the more time will be freed up for strategic work by key staff.

 


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Posted in Microsoft. Tagged: Microsoft.

Web Shell Evolution and Discovery in IIS Modules

Posted on December 15, 2022 by Marbenz Antonio


Web exploitation and web shells are common ways that attackers gain access to corporate networks. Web servers provide an external access point into the network, and are often the first point of entry for attackers. It is important for all networks to monitor for signs of exploitation and web shells, and to take steps to prevent them. While some techniques for detecting these threats are specific to IIS modules, many can be applied more broadly to protect against web shells in general.

History of malicious IIS modules

The concept of malicious IIS modules has been around since at least 2013. Historical analysis of malware has shown that crimeware groups have used IIS modules to intercept client logins and payment information by using the BeginRequest triggers to read user-provided parameters before the web server processes them.

One of the earliest examples of sophisticated IIS modules was discovered in late 2021. The vendor’s ICEAPPLE report describes an IIS module that was used by an attacker to load additional .NET modules, which in turn allowed the attacker to load additional capabilities. This allowed the attacker to minimize the number of malicious indicators in the base IIS module, and only load additional capabilities as needed.

Malicious IIS modules techniques

Event handlers

A key part of IIS module functionality is the ability to handle events. Event triggers are used to call code when specific actions occur. IIS modules have access to 27 default event triggers, including:

  • Begin Request: When a request is received by the web server.
  • End Request: When a response is about to be sent to the client.
  • Error: When an error happens.
  • Log Request: When a request is about to be logged.

Event handlers, which are called when their associated event triggers are fired, can be used by attackers to set up a proxy on the IIS server. By setting up event handlers on the BeginRequest, EndRequest, and Error event triggers, an attacker can intercept all requests before the web service can process them and before the response is sent to the client. This allows the attacker to control the communication between the client and the server, and potentially steal sensitive information.

A diagram showing how a malicious IIS module sits between a web server and the client. The malicious IIS module is shown intercepting requests between the web server and client on the BeginRequest, EndRequest, and Error event triggers.
Figure 1. Diagram showing how the malicious IIS module sits between the web server and the client

Event handlers are given full access to read and write requests, which allows malicious IIS modules to hide web shell communications within any part of the web request. This can include hiding web shell communications in the parameters, body, headers, or HTTP methods of the request. This makes it difficult for defenders to detect the presence of web shells since they can be hidden in a wide range of different parts of the request. Additionally, because web shell communications can be hidden on pages that do or do not exist, it can be challenging to identify which pages are being used for malicious purposes.

The ability of malicious IIS modules to hide web shell communications in various parts of web requests makes them difficult to detect using standard IIS logs. Traditional web shell detection strategies, such as looking for high-frequency page requests or specific URI patterns, are not effective against malicious IIS modules. Instead, new detection techniques and the use of advanced IIS logging are required to detect these threats.

Request and response tampering

Another challenge with malicious IIS modules is that they can manipulate any part of the request and response. This can include removing web shell commands from parameters or headers and preventing web shell commands from being logged.

IIS modules can also intercept responses before they are sent to the client, which provides an opportunity for attackers to serve malicious payloads in the response from the website. This can potentially infect viewers of the website with malware.

Process creation

w3wp.exe, the IIS worker process, hosts the web applications that run within IIS. The creation of new processes is a common indication of a web shell on IIS servers. Monitoring for the creation of common shell tools (such as cmd, PowerShell, rundll32, or mshta) with the parent process w3wp.exe can help to detect low-sophistication IIS modules.

Monitoring for the creation of common shell tools with the w3wp.exe process should not be considered a strong detection method for IIS modules. Because IIS modules have full integration with C# and the .NET framework, a wide range of functionality can be integrated to execute directly within the IIS process without the need to create child processes.

.NET assembly loading

A common tactic used by attackers is to load .NET modules directly into memory using the reflective loading of assemblies. This allows common tools, such as SharpHound or the Potato PrivEsc family, to be loaded without being written to disk. This is seen as a stealthier alternative to process creation because the tools are loaded within the context of the w3wp.exe process, rather than as a separate child process.

A screenshot showing the details of the event associated with w3wp.exe creating a SweetPotato named pipe. It includes an event description, an event timestamp, the user, the initiating process, and the pipe name.
Figure 2. SweetPotato named pipes being created from within w3wp.exe

As mentioned in a previous vendor paper, assemblies can be provided arbitrarily to deliver additional functionality to IIS modules. This can be done by providing the assembly through the web request, or by downloading it from an attacker-controlled command and control (C2) server. The figure below illustrates this process:

  1. SharpHound is downloaded from an external C2 and loaded through the Reflection Assembly Load method.
  2. Two methods are invoked within the binary and the output directory is set to ProgramData.
A screenshot of a snippet of code showing an IIS module remotely downloading SharpHound and reflectively invoking it.
Figure 3. Example of an IIS module remotely downloading SharpHound and reflectively invoking it

Because IIS modules have access to .NET, attackers can use it to add additional layers of evasion to prevent the detection of their IIS modules. This can include techniques such as encoding or encryption. The figure below illustrates this process:

  1. A base64 encoded blob and the size of the decoded assembly.
  2. A new memory allocation is made, where the assembly is decoded and deflated into the new allocation.
  3. The assembly is loaded and invoked, executing the command whoami.
A screenshot of a snippet of code showing SweetPotato being reflectively loaded and invoked.
Figure 4. Example of SweetPotato being reflectively loaded and invoked

Logging and monitoring

Advanced IIS Logs

IIS logs are a good starting point for hunting for web shells, but it is recommended to use advanced IIS logging because IIS modules can remove malicious traffic from the standard IIS logs. The IIS Service can provide additional advanced logging, such as the Microsoft IIS Configuration Operational log, which can be enabled through the event log tool using the following commands:

  • Lists additional logs available for IIS: `wevtutil el | findstr -i IIS`
  • Configuration for the selected log: `wevtutil gl Microsoft-IIS-Configuration/Operational`
  • Enable the selected log: `wevtutil sl /e:true Microsoft-IIS-Configuration/Operational`
A screenshot of the Windows Terminal showing the results of running two commands. The first command run is "wevtutil.exe el | findstr IIS". The result shows a list of five additional logs available for IIS: Microsoft-IIS-Configuration/Administrative, Microsoft-IIS-Configuration/Analytic, Microsoft-IIS-Configuration/Debug, Microsoft-IIS-Configuration/Operational, and Microsoft-IIS-Logging/Logs. The second command run is "wevtutil.exe gl "Microsoft-IIS-Configuration/Operational". The results highlighted show that the selected log is not enabled, the logFileName is %SystemRoot%\System32\Winevt\Logs\Microsoft-IIS-Configuration%Operational.evtx, and the max size is 1052672 bytes.
Figure 5. Example showing wevtutil querying the IIS Configuration Operational event log

The log that will be discussed in this blog is the Microsoft IIS Configuration Operational log. When enabled, the default path for this log is `C:\Windows\System32\winevt\Logs\Microsoft-IIS-Configuration%4Operational.evtx` (as shown in the figure above).

The Microsoft IIS Configuration Operational log captures information about the addition and removal of IIS modules (Event ID 29). IIS modules are not commonly added to production IIS servers, so it is recommended to enable alerts for this event ID within your SIEM or security products.

A screenshot of events captured in the Microsoft IIS Configuration Operational log. Event ID 29 is highlighted to show the event logged when the IIS module ‘ProxyShell’ is added to the default website. The event text reads: Changes to ‘/system.webServer/modules/add[@name=”ProxyShell”]’ at ‘MACHINE/WEBROOT/APPHOST/Default Web Site’ have successfully been committed. The event details include the log name (Microsoft-IIS-Configuration/Operational), the source (IIS-Configuration), the level (Verbose), the User (omitted for this blog), the OpCode (Info), the logged timestamp (31/7/2022 11:40:16 AM), and the Computer (home).
Figure 6. Event ID 29 shows the IIS module ‘ProxyShell’ being added to the default website

Note: This IIS module has no correlation with the Exchange Vulnerability ProxyShell.

A screenshot of events captured in the Microsoft IIS Configuration Operational log. Event ID 29 is highlighted to show the event logged when the IIS module ‘ProxyShell’ is removed from the default website. The event text reads: Changes to ‘/system.webServer/modules/remove[@name=”ProxyShell”]’ at ‘MACHINE/WEBROOT/APPHOST/Default Web Site’ have successfully been committed. The event details include the log name (Microsoft-IIS-Configuration/Operational), the source (IIS-Configuration), the level (Verbose), the User (omitted for this blog), the OpCode (Info), the logged timestamp (31/7/2022 11:41:52 AM), and the Computer (home).
Figure 7. Event ID 29 showing the IIS module ‘ProxyShell’ being removed from the default website

IIS module listing

IIS modules can be installed at the global level or at the site level. In order to detect malicious IIS modules, it is important to check both levels for unauthorized modules. Regular monitoring of these locations, and comparison against a known-good list of modules, can help to detect and identify malicious IIS modules. The Appcmd tool (located at `%windir%\system32\inetsrv\appcmd.exe`), which is a command-line tool for managing IIS servers, can be used for this purpose. The command `appcmd list modules` will list global IIS modules on your server, while the command `appcmd list modules /app.name:<appName>/` will let you search for specific websites. Using these commands can help you to identify unauthorized IIS modules, and take steps to remove them.

A screenshot of the Windows Terminal showing the results of running the command "appcmd.exe list modules /appname:"Default Web Site/". The result show a list of thirty modules, such as IsapiModule, IsapiFilterModule, HttpLoggingModule, and more. The last two modules on the list are “ProxyShell” with details ( type:System.Web.Security.ProxyShell.Shell, preCondition: ) and “Malicious IIS Module” with details ( type:System.Web.Security.ProxyShell.Shell, preCondition: ).
Figure 8. appcmd lists the modules for Default Web Site and shows two malicious modules: “ProxyShell” and “Malicious IIS Module”

Modules listed through Appcmd will be ordered based on the order in which they were installed. In the figure above, the two malicious IIS modules, ProxyShell and Malicious IIS Module, are the two most recently installed IIS modules, and therefore appear at the end of the list. The type parameter also shows the class that is called when the module is loaded.
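A scripted form of the same inventory check, added here as an example and not code from the Microsoft post: it collects global and site-level modules with the WebAdministration cmdlets instead of parsing appcmd text, records them once on a known-clean server, and on later runs diffs the live inventory against that baseline. The baseline path C:\IISBaseline\modules.json and the site name Default Web Site are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): inventory IIS modules at the global
# and site level and diff them against a known-good baseline.
# Assumptions: the WebAdministration module is present (installed with the IIS
# PowerShell feature) and the baseline path below is a placeholder you choose.
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Get-IisModuleInventory {
    param([string]$SiteName = 'Default Web Site')

    # Global modules are registered in applicationHost.config and load into every worker process.
    $global = Get-WebGlobalModule | ForEach-Object {
        [pscustomobject]@{ Scope = 'Global'; Name = $_.Name; Identity = $_.Image }
    }
    # Managed modules enabled for the site. Identity is the .NET type that runs when the
    # module loads, the same field that exposed the ProxyShell type in the appcmd listing.
    $site = Get-WebManagedModule -PSPath "IIS:\Sites\$SiteName" | ForEach-Object {
        [pscustomobject]@{ Scope = $SiteName; Name = $_.Name; Identity = $_.Type }
    }
    return @($global) + @($site)
}

function Save-IisModuleBaseline {
    param(
        [string]$BaselinePath = 'C:\IISBaseline\modules.json',   # placeholder path
        [string]$SiteName = 'Default Web Site'
    )
    New-Item -ItemType Directory -Path (Split-Path -Parent $BaselinePath) -Force | Out-Null
    Get-IisModuleInventory -SiteName $SiteName | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Compare-IisModuleBaseline {
    param(
        [string]$BaselinePath = 'C:\IISBaseline\modules.json',   # placeholder path
        [string]$SiteName = 'Default Web Site'
    )
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = Get-IisModuleInventory -SiteName $SiteName

    # Key on scope, name and identity so a known module name re-pointed at a new type is also caught.
    $toKey = { "$($_.Scope)|$($_.Name)|$($_.Identity)" }
    $known = @($baseline | ForEach-Object $toKey)
    $seen  = @($current  | ForEach-Object $toKey)

    Compare-Object -ReferenceObject $known -DifferenceObject $seen | ForEach-Object {
        [pscustomobject]@{
            Status = if ($_.SideIndicator -eq '=>') { 'NOT IN BASELINE' } else { 'MISSING' }
            Module = $_.InputObject
        }
    }
}

# Save-IisModuleBaseline                            # run once on a known-clean server
# Compare-IisModuleBaseline | Format-Table -AutoSize # run on a schedule; empty output means no drift
```

Because the comparison keys on the module's type as well as its name, a module whose name matches the baseline but whose type has been changed is reported as both MISSING and NOT IN BASELINE, which is the case worth a closer look. The check does not depend on the install order that appcmd shows, so a module inserted with a legitimate-looking name is still flagged.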

Web.config

The web.config file, which contains the settings for a website, can include information about the modules that the website loads. This means that monitoring the web.config file can be useful for detecting malicious IIS modules. When monitoring web.config files, it is important to focus on tracking modifications to the file. This can be done using various tools and sources, such as the Microsoft IIS Configuration Operational event log, which produces Event ID 50 when a modification is made to a website. Because the content of the modification is not captured in the event log, it is recommended to keep a backup of the web.config file for easy comparison with the modified version.

A screenshot of events captured in the Microsoft IIS Configuration Operational log. Event ID 50 is highlighted to show the event captured when a modification is made to the default website. The event text reads: Changes have been successfully committed to ‘MACHINE/WEBROOT/APPHOST/Default Web Site’.  The event details include the log name (Microsoft-IIS-Configuration/Operational), the source (IIS-Configuration), the level (Information), the User (omitted for this blog), the OpCode (Info), the logged timestamp (31/7/2022 11:41:52 AM), and the Computer (home).
Figure 9. Event ID 50 showing that a modification has been made to a default website

Many endpoint detection and response (EDR) systems capture file modification events as well. Enabling an alert for the modification of web.config, especially from the w3wp.exe process, can help to detect unauthorized changes to the config file.
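The Event ID 29 and Event ID 50 checks above, combined into one script as an added example (not code from the Microsoft post): it enables the Microsoft-IIS-Configuration/Operational log, lists module add/remove events with the module name parsed out of the message text, and, because Event 50 says only that the site configuration changed, compares the live web.config against a backup taken on a clean build. The site root C:\inetpub\wwwroot and the backup path C:\IISBaseline\web.config.bak are placeholders, and the message parser assumes the straight quotes shown in Figures 6 and 7.

```powershell
# Added example (not from the original post): enable the IIS Configuration
# Operational log, report Event ID 29 (module add/remove) and Event ID 50 (site
# configuration change), and diff the live web.config against a clean backup.
# Assumptions: the file paths below are placeholders, and the Event 29 message
# text uses the straight quotes shown in the post's figures.
#Requires -RunAsAdministrator

$IisConfigLog = 'Microsoft-IIS-Configuration/Operational'

function Enable-IisConfigOperationalLog {
    # The log is off by default; wevtutil is the documented way to switch it on.
    & wevtutil.exe sl $IisConfigLog /e:true
    $settings = & wevtutil.exe gl $IisConfigLog
    return (@($settings) -match '^enabled:\s*true').Count -gt 0
}

function Get-IisModuleChangeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = $IisConfigLog; Id = 29; StartTime = (Get-Date).AddHours(-$Hours) }
    # Message text: Changes to '/system.webServer/modules/add[@name="ProxyShell"]'
    #               at 'MACHINE/WEBROOT/APPHOST/Default Web Site' have successfully been committed.
    $pattern = "/system\.webServer/modules/(?<action>add|remove)\[@name=`"(?<name>[^`"]+)`"\]' at '(?<path>[^']+)'"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern)
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Action = if ($m.Success) { $m.Groups['action'].Value } else { 'unparsed' }
            Module = if ($m.Success) { $m.Groups['name'].Value }   else { $_.Message }
            Target = if ($m.Success) { $m.Groups['path'].Value }   else { '' }
        }
    }
}

function Test-WebConfigChange {
    param(
        [string]$LivePath   = 'C:\inetpub\wwwroot\web.config',   # placeholder
        [string]$BackupPath = 'C:\IISBaseline\web.config.bak',   # placeholder
        [int]$Hours = 24
    )
    $filter  = @{ LogName = $IisConfigLog; Id = 50; StartTime = (Get-Date).AddHours(-$Hours) }
    $changes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)   # newest first
    $liveHash   = (Get-FileHash -Path $LivePath   -Algorithm SHA256).Hash
    $backupHash = (Get-FileHash -Path $BackupPath -Algorithm SHA256).Hash
    [pscustomobject]@{
        ConfigChangeEvents = $changes.Count
        LastChange         = if ($changes.Count -gt 0) { $changes[0].TimeCreated } else { $null }
        WebConfigUnchanged = ($liveHash -eq $backupHash)
        # Event 50 carries no diff, so produce one from the backup; '=>' marks lines only in the live file.
        Diff = if ($liveHash -ne $backupHash) {
                   Compare-Object -ReferenceObject (Get-Content $BackupPath) -DifferenceObject (Get-Content $LivePath)
               } else { $null }
    }
}

# Enable-IisConfigOperationalLog
# Get-IisModuleChangeEvents -Hours 72 | Format-Table -AutoSize
# Test-WebConfigChange
```

Run Enable-IisConfigOperationalLog once per server; events are recorded only from that point on, so the two query functions return nothing for changes made before the log was enabled. Feeding the Get-IisModuleChangeEvents output to your SIEM gives the Event ID 29 alert the post recommends without having to parse the raw message there.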

Hunting for malicious IIS modules

IIS module loading

While IIS modules are typically loaded as DLLs, not all tools can detect .NET modules that are loaded into w3wp.exe. One tool that does show IIS modules loaded into w3wp.exe is Process Hacker, which, if used with administrative privileges, will display them under the Modules tab.

A screenshot of Process Hacker showing ProxyShell.DLL loaded into w3wp.exe under the Modules tab. The name of the window is w3wp.exe (12728) Properties.
Figure 10. Malicious ProxyShell IIS module loaded within the w3wp.exe process

In Microsoft Defender for Endpoint, an IIS module that is loaded into w3wp.exe will appear twice: first when it is loaded from the bin directory where it resides, and then immediately afterward from the temporary ASP.NET directory.

A screenshot of the Advanced Hunting query window in Microsoft Defender for Endpoint. The KQL query run is: DeviceImageLoadEvents | where FileName has “ProxyShell” | where InitiatingProcessFileName has “w3wp.exe” | project FolderPath. The results of the query are two folder paths: “C:\inetpub\wwwroot\bin\ProxyShell.dll” and “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946\assembly\dl3\db6147e5\e6334bff_63bfd801\ProxyShell.DLL”.
Figure 11. Malicious IIS module ProxyShell being listed in Defender for Endpoint

By default, IIS modules are loaded when the w3wp.exe process is created. If an IIS module is loaded while the w3wp.exe process is already executing, and at a different time than the rest of the modules, it can be an indicator of malicious IIS module loading. Monitoring for abnormal module loads can help to detect malicious IIS modules. A query like the one below, which groups together modules loaded into w3wp.exe at the same second, can be useful for this purpose:

DeviceImageLoadEvents
| where InitiatingProcessFileName has "w3wp.exe"
| summarize loaded_modules=make_set(FileName) by format_datetime(Timestamp, 'yy-MM-dd HH:mm:ss')
| project Timestamp, loaded_modules, count=array_length(loaded_modules)
A screenshot of the Advanced Hunting query window in Microsoft Defender for Endpoint. The KQL query run is: DeviceImageLoadEvents | where InitiatingProcessFileName has "w3wp.exe" | summarize loaded_modules=make_set(FileName) by format_datetime(Timestamp, 'yy-MM-dd HH:mm:ss') | project Timestamp, loaded_modules, count=array_length(loaded_modules). The results are shown in a table with three columns: Timestamp, loaded_modules, and count. At 22-09-03 04:16:57, there are 10 loaded modules. At 22-09-03 04:16:58, there are 21 loaded modules. At 22-09-03 04:16:59, there are 2 loaded modules. At 2022-09-03 07:11:09, there are three loaded modules, with the names “ProxyShell.dll” and “ProxyShell.DLL” shown in the loaded modules column.
Figure 12. Anomalous module loading based on timeframe of other IIS modules

Assembly loading

Although IIS modules have the ability to load .NET modules arbitrarily and reflectively within the context of w3wp.exe, the AppDomains are still registered within the hosting process. By using a tool like Process Hacker to list the AppDomains within the process, you can identify the loaded IIS module and any .NET modules that have been loaded.

A screenshot of Process Hacker in the .NET assemblies tab showing a hierarchical list of .NET assemblies loaded in w3wp.exe with the Structure, the ID, and flags. Of the 27 entries shown in the screenshot, five are highlighted: ProxyShell, SharpHound, SharpHoundCommonLib, SweetPotato, SweetPotato. All five have the ID 270243 and have an empty Flags field (most other entries have populated Flags fields).
Figure 13. Malicious ProxyShell IIS module, SharpHound and SweetPotato App Domains

In the figure above, the malicious IIS module ProxyShell can be seen alongside the loaded assemblies SharpHound and SweetPotato. Another thing to note is that reflectively loaded modules usually do not have the Flags property. In the figure, all the assemblies without Flags are either loaded through the malicious IIS module or through Visual Studio debugging.

The ETW provider Microsoft-Windows-DotNETRuntimeRundown provides a snapshot in time of the loaded .NET modules within active processes. Two events that can help to detect malicious assemblies loaded within IIS are:

  1. Event ID 151 lists loaded AppDomains.
  2. Event ID 155 enumerates assemblies loaded at the time of the rundown.

The ModuleILPath field in the Microsoft-Windows-DotNETRuntimeRundown events shows the path of the loaded assembly. However, if an assembly is loaded reflectively, rather than from a file, the ModuleILPath field will just show the name of the assembly. The figure below shows how SharpHound and SweetPotato, both with reflectively loaded assemblies, do not have paths, while other events do:

A screenshot of a snippet of Microsoft-Windows-DotNETRuntimeRundown showing a snapshot of loaded .NET modules. The ModuleILPath fields are highlighted, three of them showing just the assembly name with no path (“SharpHound”, “SweetPotato”, “SweetPotato”) and one showing the assembly path (“C:\\Windows\\Microsoft.NET\\Framework64\\...”).
Figure 14. Example of reflectively loaded assemblies not having a file path within the ModuleILPath field

The Assembly Flags field in the Microsoft-Windows-DotNETRuntimeRundown events may also be 0, similar to how the Flags field appears empty for the assemblies in Figure 13 when using Process Hacker.

A screenshot of a snippet of Microsoft-Windows-DotNETRuntimeRundown showing a snapshot of loaded .NET modules. The AssemblyFlags field is highlighted, and all fields show a value of “0”.
Figure 15. Example of empty assembly flags for .NET rundown

IIS module installation

Processes that contain appcmd or gacutil within the command line and have the parent process w3wp.exe should be investigated for potential installation of malicious IIS modules. The following Defender for Endpoint queries can help to detect such installations:

DeviceProcessEvents
| where ProcessCommandLine has "appcmd.exe add module"
| where InitiatingProcessParentFileName == "w3wp.exe"

DeviceProcessEvents
| where ProcessCommandLine has "\\gacutil.exe /I"
| where InitiatingProcessParentFileName == "w3wp.exe"

Process creation

It is important to monitor process creation events with the parent process w3wp.exe for abnormal child processes. For IIS servers that legitimately spawn child processes from w3wp.exe, ignore lists should be created for those child processes to prevent false positives.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe')
| where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe')
| summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId 
| order by instances asc
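For servers that are not onboarded to Defender for Endpoint, the same allow-list approach can be applied to the Windows Security log. The following is an added example, not code from the post. It assumes Audit Process Creation is enabled (Event ID 4688), that the OS records the creator process in that event as ParentProcessName (Windows Server 2016 and later), and that the CommandLine field is populated, which requires the "Include command line in process creation events" policy; otherwise that column is empty. The allow list is a placeholder to be filled from your own server's known-good behaviour.

```powershell
# Added example (not from the original post): hunt Security event 4688 for child
# processes of w3wp.exe that are not on a per-server allow list.
# Assumptions: Audit Process Creation is enabled; the event carries
# ParentProcessName (Windows Server 2016 and later); CommandLine is present only
# when command-line auditing is enabled by policy. The allow list is a placeholder.
#Requires -RunAsAdministrator

function Get-SuspiciousW3wpChildren {
    param(
        [int]$Hours = 24,
        # Placeholder allow list: child processes this specific server is known to spawn legitimately.
        [string[]]$AllowList = @()
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        $parent = [string]$data['ParentProcessName']
        if ($parent -and $parent.EndsWith('\w3wp.exe', [System.StringComparison]::OrdinalIgnoreCase)) {
            $child = [System.IO.Path]::GetFileName([string]$data['NewProcessName'])
            # -notcontains is case-insensitive, so 'CMD.EXE' matches an allow-list entry 'cmd.exe'.
            if ($AllowList -notcontains $child) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Child       = $child
                    CommandLine = $data['CommandLine']
                    Parent      = $parent
                }
            }
        }
    } | Sort-Object Time
}

# Get-SuspiciousW3wpChildren -Hours 168 | Format-Table -AutoSize
```

Unlike the Defender query above, this reports every child of w3wp.exe that is not on the allow list rather than only a fixed set of shell tools, which is the safer default on a server where w3wp.exe should spawn nothing at all; build the allow list from a week of output on a known-clean host before alerting on it.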

Conclusion

To protect against malicious IIS modules, it is recommended to enable additional logging in your IIS environment, monitor web.config and IIS modules for suspicious activity, and regularly hunt for abnormalities in w3wp.exe behavior. This can be done using tools such as Microsoft Defender for Endpoint or a preferred EDR solution. It is important to look for irregularities in behavior, as IIS modules can execute malicious code in various ways. Detecting and responding to these threats should be a priority for all organizations, and following these recommendations can assist in this effort.

 



Posted in Microsoft. Tagged: cybersecurity, Microsoft.
