We shall remember them

Today marks the anniversary of the cessation of hostilities in the First World War. It was a multi-year bloodbath that killed millions, many in the most terrible of ways, and many of whom have no known grave.

Today we pause to remember all those whose lives have been affected by war. Any war.

Today, many people are still experiencing war and many live with the threat of imminent war. For them we hope that the horrors of the past remain in the past. Unfortunately, all too often, history repeats and brings death and destruction to their doorstep through no fault of their own. Let us hope that today's brief remembrance reminds everyone of the immense and continuing impact war has and why it should be prevented at all costs, not with empty promises and gestures, but real action.

Times may change but the impact of war hasn’t. This seems to be a lesson we fail to learn.

In times like these we celebrate and remember the human spirit of those that sacrificed for others: those that put the needs of others ahead of their own, and those that put their lives on the line to save others from harm. These are the special people, who come from all walks of life but had the single purpose of service to a greater good. They are special and worthy of our utmost respect.

War is a human construct, born of the worst aspects of the human condition. It is, however, also something that we could, and should, just as easily prevent. As those that went before, we can prevent these horrors by thinking of others before ourselves and working for the common rather than individual good.

Every day is a blessing and life is far too short. For those that we remember today, it was cut short for reasons that fade with the passing years. Let the memory of the reasons fade but never those who have paid the ultimate price.

Lest We Forget.

MVP 2022-23

image

I am once again happy to report that I have been renewed as an MVP for 2022-23. This is now my 11th year as an MVP and I am honoured to have been recognised.

Many people are not aware that the MVP award is annual. It isn’t something you ‘apply’ for, it is given in recognition of the work you do in the community around a Microsoft product or service in the previous year. For me, that is Microsoft 365. Thus, to continue to be recognised as an MVP you need to make relevant community contributions annually.

As always, I take this opportunity to thank Microsoft for this award. I have made so many great contacts there that help me every day in all sorts of ways. I am truly grateful for their assistance. Of course, I also thank other members of the MVP community who also help me every day by providing information that I simply couldn’t find elsewhere. Their real world application and implementation of Microsoft technologies is amazing! Finally, there is the community of people using and implementing Microsoft cloud technologies who continue to provide real world questions that challenge me to assist and find solutions for. For all these people I also say thanks because this is where the rubber hits the road.

Hopefully, as we move to a world that is more open, it will be possible to once again travel and catch up with all these marvellous people face to face and strengthen the bonds that we have and share yet more information that I can then provide to my community, again face to face I hope.

Again I say thanks for the recognition and for being awarded as an MVP for another year, and I’m ready to continue to share my learnings and knowledge with the community at large.

ANZAC Day 2022

Today we take a moment to commemorate ANZAC Day here in Australia. It is probably the one day that truly unites Australia. This is largely due to it harking back to a time when Australia came together as a nation for the first time. The benefit of historical hindsight may question the value of that military action all those years ago, but the core values that came from it are what should be celebrated. It cemented the bond between unknown individuals who came together in truly terrifying circumstances to survive, flourish and, in many ways, give birth to a nation on the back of their commitment to each other.

The actions all those years ago, across many battlefronts, brought many Australians face to face with other Australians they would probably never have met had the circumstances been different. It thrust them into life and death experiences that many would never have expected. It thrust the average Australian into circumstances that truly demonstrated man’s inhumanity to man. Yet, through all this adversity, Australians began to forge a bond, a concept of mateship, that lives on today.

This is something that perhaps we now need more than ever as we face an uncertain and divided world. The past few years have seen many live through life changing and unexpected circumstances that have irrevocably altered our community and the world. They have, perhaps, cemented the fragility of life in people’s minds and hopefully made them appreciate how truly lucky we are every day. Our celebration today should look to the example these people provided us all those years ago.

Of course, not everyone is lucky. As with that day back in 1915, many paid the ultimate price and had their lives cut short by simply being in the wrong place at the wrong time. A unique fact about Australian troops throughout World War One was that they were a total volunteer force. Each one chose to be there. Many chose to remain, through the horrors of war, to be with their mates and do what they could for each other above all else. Today we also remember those in our community that continue to live and demonstrate that spirit of service.

This is the sacrifice and commitment we honour today. It is about what people do for others. It is about what people did that they thought was right. It is about what people did for what they believed was the greater good. You can judge their motives and ideals through the lens of history but you can’t question their devotion to each other and to their commitment. Today, we celebrate their devotion to each other.

Their hope, after enduring war, was that no one else would have to go through the same experience. The ‘war to end all wars’, as it was known, sadly did not eventuate. That failure lies on the shoulders of modern society, which does not readily learn the lessons of history and lets its world view become full of negativity, impatience, violence and revenge all too readily. We should take a leaf from our ANZAC forebears and focus on what is truly important, our mates.

Lest We Forget

If you want to learn more about the ANZAC battlefields in northern France, visit my web site – www.anzacsinfrance.com.

Offboarding devices from Microsoft Defender for Business using an API with PowerShell

I have detailed how you can offboard Windows 10 devices from Microsoft Defender for Endpoint using an Intune policy here:

Offboarding Windows 10 devices from Microsoft Defender for Business

You can also offboard all devices centrally using an API and PowerShell quite easily.

The first thing you’ll need to do is create an Azure AD app in the destination tenant. I’ve covered how to do this via the web interface here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

You’ll also need to provide this Azure AD app the appropriate permissions in the Defender for Endpoint API to offboard devices (as well as have a license for Defender for Endpoint in your tenant). To see how to set these permissions you can review my previous article:

Using the Defender for Endpoint API and PowerShell

image

To permit device offboarding you’ll need to provide your Azure AD application with these additional permissions from the Defender API as shown above:

Machine.Offboard

Machine.Read.All

Machine.ReadWrite.All

Also, don’t forget to consent to these permissions after you have added them.

In summary, an Azure AD app is used to provide access to the Defender for Endpoint API. This access also requires the appropriate permissions be assigned to that Azure AD app for the Defender for Endpoint API to offboard devices.

When the Azure AD app was initially created the following parameters should have been available:

1. Client (or Application) ID

2. Tenant ID

3. Client (or Application) secret

You’ll need to enter these into the script I have created here:

https://github.com/directorcia/Office365/blob/master/mde-apioffboard.ps1

around line 35:

image

Ensure these values are kept secure! I have previously discussed ways of doing this using Azure Key Vault or encrypted XML files.

image

After updating the values in the script and running it, the script will firstly get a list of all the devices currently onboarded with Defender for Endpoint.

image

You should then be presented with a list of devices currently onboarded to Microsoft Defender for Endpoint as shown above. Select the device or devices you wish to offboard. You can select multiple devices here by holding CTRL or SHIFT while clicking. When the selection is made, press the OK button to continue.

image

The devices selected will then be offboarded via the API. As you can also see above, if a device has already commenced the offboarding process you will receive a warning.
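The same flow (get a token for the Defender for Endpoint API, list onboarded devices, pick some in a grid, post an offboard action for each) as an added example; this is not the blog's mde-apioffboard.ps1. It assumes an Azure AD app holding Machine.Read.All and Machine.Offboard, with its tenant ID, client ID and secret supplied through the placeholder environment variables MDE_TENANT_ID, MDE_CLIENT_ID and MDE_CLIENT_SECRET rather than hard-coded in the script.

```powershell
# Added example, not the blog's own script. Secrets come from environment
# variables (placeholders); load them from Azure Key Vault or an encrypted XML
# file in practice rather than storing them in the script.
$tenantId     = $env:MDE_TENANT_ID
$clientId     = $env:MDE_CLIENT_ID
$clientSecret = $env:MDE_CLIENT_SECRET
$apiBase      = 'https://api.securitycenter.microsoft.com'

# 1. Client-credentials token scoped to the Defender for Endpoint API
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "$apiBase/.default"
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. List devices and keep only those currently onboarded (needs Machine.Read.All)
$machines = (Invoke-RestMethod -Method Get -Uri "$apiBase/api/machines" -Headers $headers).value |
    Where-Object { $_.onboardingStatus -eq 'Onboarded' }

# 3. Interactive multi-select (CTRL/SHIFT click); OK returns the chosen rows,
#    Cancel returns nothing and the loop below does no work
$selected = $machines |
    Select-Object id, computerDnsName, osPlatform, lastSeen, healthStatus |
    Out-GridView -Title 'Select devices to offboard' -PassThru

# 4. Post an offboard action per device (needs Machine.Offboard). A device that
#    is already being offboarded is reported as a warning instead of stopping the run.
foreach ($m in $selected) {
    $body = @{ Comment = "Offboarded via API by $env:USERNAME" } | ConvertTo-Json
    try {
        $action = Invoke-RestMethod -Method Post `
            -Uri "$apiBase/api/machines/$($m.id)/offboard" `
            -Headers $headers -ContentType 'application/json' -Body $body
        Write-Host "Offboarding $($m.computerDnsName): action $($action.id) is $($action.status)"
    }
    catch {
        Write-Warning "Could not offboard $($m.computerDnsName): $($_.Exception.Message)"
    }
}
```

The comment sent with each action is visible in the Defender portal's action history, so put something that identifies the operator and change ticket there.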

Although using an API to offboard devices is no faster than using an Intune policy or a local script, it still provides a handy centralised approach for offboarding management.

If you also have a look at this article I wrote:

Using the Microsoft Graph with multiple tenants

you’ll probably see how you can easily extend this script so that it enables you to offboard devices from multiple tenants. I have already done this and that premium script is available for CIAOPS Patrons.

Once you have an Azure AD application in place within your tenant with the appropriate permissions, offboarding devices from Microsoft Defender for Endpoint via an API is pretty straightforward. Hopefully, my free script takes care of most of the heavy lifting for you, as well as making it a simple process to select and offboard devices from Microsoft Defender for Endpoint in any number of tenants you manage.

More security testing options with sec-test

image

I’ve added three more security testing options to my free script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

The Word document Backdoor drop will download and open a Word document that contains a macro that will itself download an EXE file to the desktop.

The PowerShell script fileless attack, if successful, will open Notepad.exe on the device.

The Dump credentials using SQLDumper.exe test will download the SQL utility SQLDumper.exe and use that to try and dump the credentials from the system LSASS.EXE process.

All the tests are benign and designed to, firstly, test your environment against common breach techniques and, secondly, generate alerts in your environment to ensure your protection is correctly configured.

It is getting hard for me to determine all the outcomes of these tests, so I’d love to hear any feedback you have on your own results so I can improve the script. Also, if you have any suggestions for what tests you’d like to see included please let me know.

We shall remember them

It is time to pause and reflect on the sacrifices of others. Many of these, unfortunately, go unnoticed and unappreciated. The good thing is most sacrifices are not made with a desire of repayment, they are freely given.

Over 100 years ago our nation, along with many others, sacrificed the lives of millions of people in what is commonly referred to as the Great War. Yet, immediately after that sacrifice, a greater number of lives were lost to the Spanish Flu.

The outcome of both events was the same for many. Death. This is also something that all of us have in our future. It is a certainty, yet we spend our whole lives avoiding the acknowledgement that our time is limited. For many, it came much sooner than they expected and in places they didn’t expect.

As we enter a world that is opening up after this generation’s pandemic, we should turn and examine the lessons of history. It wasn’t that long after the Great War and the Spanish Flu that the world was plunged, yet again, into another global war that slaughtered yet more millions of people.

The moral is that appreciation for what we have is something worth contemplating. A great way to acknowledge this gift is to sacrifice for others. It is not the amount or value of the sacrifice that matters, it is the effort of that sacrifice that makes it worthwhile for both giver and receiver.

Today, we take a moment, in silence, to remember the many that made the ultimate sacrifice for us to live with the benefits we experience today. As much as we need to thank those who gave to us, we must provide for those who are to come. We should look to build on what those before gave to us. That is the best way to demonstrate our gratitude.

The world and the people in it are far from perfect, but if they have anything in common it is a sense of where they are right here, right now. That is not a result of their own designs. It is the integration of their intention and the sacrifices of others.

To those that served us, and continue to serve us, whether on the battlefield or in a hospital, directly or indirectly: thanks. Your efforts have made a difference far beyond what you will ever appreciate.

Displaying execution path in Windows Task Manager

image

I came across a handy tip recently that I thought I’d share.

When you use Task Manager in Windows, select the Details tab and then right-click on the column headings to reveal the menu shown above. From this menu choose Select Columns.

image

Scroll down the list of columns that appears and select:

Image path name

and

Command line

as shown above, then select OK.

image

As shown above, you should now see a column that displays the path to the executable for that task as well as a column showing the actual command line options required to run that task. This is a very handy option when you are troubleshooting tasks.
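The same two columns from PowerShell, as an added example that is not part of the original post; it goes one step beyond the Task Manager view by also flagging processes whose image sits outside the Windows and Program Files folders, which is a common first check when a machine is being triaged. The function name Get-ProcessImagePath and the TrustedRoots parameter are my own choices, not anything built in.

```powershell
# Added example: list every process with its image path and command line
# (the two Task Manager columns) and mark whether the image is under a
# trusted root. Uses the built-in Win32_Process class via CIM.
function Get-ProcessImagePath {
    param(
        # Hypothetical parameter: folders considered normal homes for executables
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, Name,
            @{ Name = 'ImagePath';   Expression = { $_.ExecutablePath } },
            @{ Name = 'CommandLine'; Expression = { $_.CommandLine } },
            @{ Name = 'Trusted';     Expression = {
                $p = $_.ExecutablePath
                # Protected/system processes expose no path to a non-elevated caller;
                # report those as unknown rather than silently trusting them
                if (-not $p) { 'unknown' }
                elseif ($TrustedRoots | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') }) { 'yes' }
                else { 'no' } } }
}

# Everything, much like the Task Manager Details tab with the extra columns
Get-ProcessImagePath | Format-Table -AutoSize -Wrap

# Only what runs from outside Windows and Program Files, saved for later review
Get-ProcessImagePath | Where-Object Trusted -eq 'no' |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\unusual-process-paths.csv"
```

Run it from an elevated prompt to see the path and command line of processes owned by other users and by the system.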