Best Practice for Securing an Active Directory

Hi

I wanted to share a new doc Microsoft released, really interesting! As the last doc was dating from the 2008’era 🙂

This document provides a practitioner’s perspective and contains a set of practical techniques to help IT executives protect an enterprise Active Directory environment. Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment. The methods discussed are based largely on the Microsoft Information Security and Risk Management (ISRM) organization’s experience, which is accountable for protecting the assets of Microsoft IT and other Microsoft Business Divisions, in addition to advising a selected number of Microsoft Global 500 customers

The doc can be found there

(https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)

Advertisements
Posted in microsoft | Leave a comment

Windows 2016 SMB1 auditing in Windows 2012R2 !

Hi everyone

A good new if you want to know who still access your server in SMB1, Microsoft just backported the auditing from Windows 2016 into Windows 2012R2 in the latest July 2017 patch 🙂

  • Addressed issue to provide Server Message Block version 1 auditing on Windows Server 2012 R2.

June 27, 2017—KB4022720 (Preview of Monthly Rollup)

An extra – A funny pritnscreen for SMB1 use case..

SMB1-500x218

Posted in microsoft | Leave a comment

Ransomware Protection

Hi everyone

It exist some way to limit the attack vector of a ransomware, like appblocker or software restriction but today I wanted to talk a new way I found.


This new tip use a file screen that scan for know ransomware extension and block any user that write such file.

There is a list of know file screened: 

https://fsrm.experiant.ca/

Script exmple that watch for the file creation and it do an email alert:

https://github.com/nexxai/CryptoBlocker/blob/master/DeployCryptoBlocker.ps1

A reference of how to disable a useraccount in powershell

A small howto and script:

https://gallery.technet.microsoft.com/scriptcenter/protect-your-file-server-f3722fce
Tip got there

Raw file screened (list retrieved june 2017)

{“api”:{“version”:1,”format”:”json”,”file_group_count”:1147},”lastUpdated”:{“date”:”2017-06-28 19:23:24.000000″,”timezone_type”:3,”timezone”:”America\/Edmonton”},”filters”:[“*.gankLocked”,”perfc.dll”,”perfc.dat”,”perfc”,”*.ipygh”,”*.via”,”dllhost.dat”,”FE04.tmp”,”027cc450ef5f8c5f653329641ec1fed9*.*”,”petwrap.exe”,”*.lamo”,”File_Encryption_Notice.txt”,”*.suppose666″,”*.mention9823″,”*.breeding123″,”*.sux”,”*.cfm”,”*.Wana Decrypt0r Trojan-Syria Editi0n”,”Paxynok.html”,”*.pscrypt”,”*.a990″,”Tempimage.jpg”,”*.Tesla”,”WannaCry.TXT”,”*.kuntzware”,”*.nsmf”,”*.Facebook”,”*.pizdosik”,”*.[resque@plague.desi].scarab”,”*.sux.AES128″,”*.cspider”,”*.[teroda@bigmir.net].masterteroda@bigmir.net”,”*.zbt”,”*.MOLE02″,”your_key.rsa”,”OkuBeni.txt”,”*@*.blocking”,”*.ogre”,”*.tax”,”StrutterGear.exe”,”ReadMe_Important.txt”,”Sifre_Coz_Talimat.html”,”*.whycry”,”!READ.htm”,”!_\u0418\u041d\u0421\u0422\u0420\u0423\u041a\u0426\u0418\u042f_!.txt”,”*.cr020801″,”*.cerber6″,”*.netn6″,”*.rnsmwre”,”*.ghost”,”*.scarab”,”IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT”,”*.R4bb0l0ck”,”*.TraNs”,”#HOW_TO_UNRIP#.txt”,”*.BeethoveN”,”* .tdelf”,”*.spectre”,”mood-ravishing-hd-wallpaper-142943312215.jpg”,”Blooper.exe”,”SintaLocker.exe”,”SintaRun.py”,”*.switch”,”*.payforunlock”,”HOW TO RECOVER ENCRYPTED FILES.TXT”,”README_FOR_DECRYPT.txt”,”*.dolphin”,”*.dviide”,”*.sVn”,”*.R3K7M9″,”*.BMCODE”,”*.zilla”,”*.RaaS”,”*.resurrection”,”*.lost”,”*.ram”,”*.master”,”*.brickr”,”READ_DECRYPT_FILES.txt”,”*.ramen”,”*.TRMT”,”*.gommemode”,”*.andonio”,”*.phantom”,”*.r3store”,”Read me for help thanks.txt”,”*.imsorry”,”help_to_decrypt.txt”,”*.YYTO”,”*.read_to_txt_file.yyto”,”*.beep”,”*.666″,”AArI.jpg”,”*.crying”,”*.antihacker2017″,”*.theworldisyours”,”*.spora”,”*.sexy”,”*.realfs0ciety@sigaint.org.fs0ciety”,”*.pays”,”*.payrms”,”*.paymts”,”*.paymrss”,”*.paym”,”*.lol”,”*.madebyadam”,”*.locklock”,”*.lcked”,”*.kyra”,”*.kernel_time”,”*.kernel_pid”,”*.kernel_complete”,”*.ifuckedyou”,”*.grt”,”*.crypte”,”*.cbu1″,”*-webmafia@asia.com_donald@trampo.info”,”*.beef”,”*.write_us_on_email”,”*.LIGHTNING”,”*.xfile”,”DECRYPTION.TXT”,”*.oled”,”*.wtdi”,”*.4rwcry4w”,”*.Encrypted_By_VMola.com”,”*.wlu”,”Restore_maysomware_files.html”,”*.maysomware”,”*.damoclis”,”*.decrypter@tutanota.com”,”*.VisionCrypt”,”*.pwned”,”how_to_back_files.html”,”*.hNcrypt”,”*.~xdata~”,”*.b0ff”,”Galaperidol.exe”,”HOW_CAN_I_DECRYPT_MY_FILES.txt”,”*.xdata”,”Hello There! Fellow @kee User!.txt”,”*.kee”,”*.grux”,”Restore_your_files.txt”,”READ_ME.html”,”*.mordor”,”*.die”,”*.SaMsUnG”,”!#_DECRYPT_#!.inf”,”*.nuke55″,”*.onyon”,”*.blocked”,”!Please Read Me!.txt”,”!WannaDecryptor!.exe.lnk”,”*.DARKCRY”,”*.wincry”,”*.wncrypt”,”WannaCrypt 4.0.exe”,”t.wry”,”*.vCrypt1″,”*.theva”,”*.PAY”,”tor.exe”,”tasksche.exe”,”wcry.zip”,”taskhsvc.exe”,”taskse.exe”,”taskdl.exe”,”*.pky”,”*.eky”,”wcry.exe”,”Wannacry.exe”,”@WanaDecryptor@.*”,”*.slvpawned”,”*.WCRYT”,”*.WRNY”,”*.LOCKED.txt”,”*.wncryt”,”*.wnry”,”*.viki”,”RESTORE-12345-FILES.TXT”,”*.donation1@protonmail.ch.12345″,”*.block_file12″,”*.@decrypt2017″,”*.vdul”,”*.2cXpCihgsVxB3″,”*.son”,”loptr-*.htm”,”*.paycyka”,”*.medal”,”*.bagi”,”@Please_Read_Me@.txt”,”*.wncry”,”_!!!_README_!!!_*”,”_!!!_README_!!!_*_.hta”,”_!!!_README_!!!_*_ .txt”,”*.news”,”*.corrupted”,”HOW_TO_DECRYPT_FILES.html”,”*.shifr”,”DECRYPT_INFO.txt”,”*.FailedAccess”,”Cversions.2.db”,”*.helppme@india.com.*”,”ReadME_Decrypt_Help_*.html”,”*.fartplz”,”\u041a\u0410\u041a_\u0420\u0410\u0421\u0428\u0418\u0424\u0420\u041e\u0412\u0410\u0422\u042c_\u0424\u0410\u0419\u041b\u042b.txt”,”* .vCrypt1″,”*.xncrypt”,”*.Lockify”,”*.htrs”,”*.cryptowin”,”*.owned”,”*.x0lzs3c”,”*.UIWIX”,”*.CRYPTOBOSS”,”*.loptr”,”*.jaff”,”*.bitkangoroo”,”*.cloud”,”zcrypt.exe”,”*.uk-dealer@sigaint.org”,”*_luck”,”*.decrypt2017″,”*.[admin@hoist.desi].*.WALLET”,”*.[crysis@life.com].*.WALLET”,”*.[SHIELD0@USA.COM].*.WALLET”,”#_RESTORING_FILES_#.TXT”,”*.haters”,”*.anon”,”*.amnesia”,”*.keepcalm”,”*.MIKOYAN”,”RESTORE_FILES.HTML”,”*.WWW”,”*.CRYPTED000007″,”*.HELPPME@INDIA.COM.ID83994902″,”HOW_RETURN_FILES.TXT”,”*.MAYA”,”*.CONTACT_TARINEOZA@GMAIL.COM”,”*.CRYPTOBYTE”,”*.AES”,”NOTE;!!!-ODZYSKAJ-PLIKI-!!!.TXT”,”INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt”,”*.ADR”,”*.NM4″,”DesktopOsiris.*”,”OSIRIS-*.*”,”redchip2.exe”,”*.LOLI”,”ATLAS_FILES.txt”,”*.whatthefuck”,”*.loveyouisreal”,”*.okokokokok”,”*.ranranranran”,”READ_IT_FOR_GET_YOUR_FILE.txt”,”*.psh”,”*.GETREKT”,”*.one”,”!!! READ THIS – IMPORTANT !!!.txt”,”*.aes_ni_0day”,”*.JEEPERS”,”PAYMENT-INSTRUCTIONS.TXT”,”*.LOCKOUT”,”*.ATLAS”,”*.FLATCHER3@INDIA.COM.000G”,”*.AES-NI”,”*.DEXTER”,”*.CONFICKER”,”*.ONION”,”*.[NO.TORP3DA@PROTONMAIL.CH].WALLET”,”*.LCKD”,”*.MOLE”,”*.RANSOM”,”*.lambda.l0cked”,”009-READ-FOR-DECCCC-FILESSS.html”,”_READ_THI$_FILE_*”,”*.I’WANT MONEY”,”*.gembok”,”!Decrypt-All-Files-*.txt”,”*.[GOFMEN17@YA.RU],CRP”,”*.SERP”,”*.kilit”,”0_HELP_DECRYPT_FILES.HTM”,”HUR_DEKRYPTERA_FILER.html”,”HUR_DEKRYPTERA_FILER.txt”,”*.LAMBDA.LOCKED”,”*.ADMIN@BADADMIN.XYZ”,”*.SKJDTHGHH”,”*.LOCK75″,”*.B10CKED”,”*.A95436@YA.RU”,”*.IWANT”,”*.Fuck_You”,”Recupere seus arquivos aqui.txt”,”READ TO UNLOCK FILES.salsa.*.html”,”*.SALSA222″,”*.NUMBERDOT”,”How Decrypt My Files.lnk”,”How_Decrypt_My_Files”,”*.CRADLE”,”*.ID-7ES642406.CRY”,”READ ME ABOUT DECRYPTION.txt”,”*.Do_not_change_the_file_name.cryp”,”*.pr0tect”,”*.android”,”*_READ_THIS_FILE_*_*”,”*.btcware”,”*drakosho_new@aol.com*”,”*.AngleWare”,”*.zorro”,”*.CIFGKSAFFSFYGHD”,”*.A9V9AHU4″,”*.payfordecrypt”,”OKU.TXT”,”ZINO_NOTE.TXT”,”*.ZINO”,”*.kirked”,”*.CRPTXXX”,”HOW_TO_FIX_!.TXT”,”*.[BRAINCRYPT@INDIA.COM].BRAINCRYPT”,”*.pizdec”,”*.REVENGE”,”!!!READ_TO_UNLOCK!!!.TXT”,”*.openforyou@india.com”,”*.warn_wallet”,”*.nemo-hacks.at.sigaint.org”,”*.MATRIX”,”Crytp0l0cker.Upack.dll”,”Crytp0l0cker.dll”,”Crytp0l0cker.exe”,”decrypted_files.dat”,”padcryptUninstaller.exe”,”PadCrypt.exe”,”Vape Launcher.exe”,”READ_ME_!.txt”,”*.enjey”,”Aescrypt.exe”,”*.GG”,”*.[PINGY@INDIA.COM]”,”*.WORMKILLER@INDIA.COM.XTBL”,”*.CEBER3″,”IF_WANT_FILES_BACK_PLS_READ.html”,”*.iaufkakfhsaraf”,”_HELP_HELP_HELP_*”,”zXz.html”,”*.zXz”,”VictemKey_*_*”,”HVORDAN_DU_GENDANNER_FILER.html”,”HVORDAN_DU_GENDANNER_FILER.txt”,”HELP_ME_PLEASE.txt”,”!_RECOVERY_HELP_!.txt”,”PLEASE-READIT-IF_YOU-WANT.html”,”*.filegofprencrp”,”COME_RIPRISTINARE_I_FILE.*”,”fattura_*.js”,”*_steaveiwalker@india.com_”,”COMO_ABRIR_ARQUIVOS.txt”,”*info@kraken.cc_worldcza@email.cz”,”*.kr3″,”COMO_RESTAURAR_ARCHIVOS.txt”,”COMO_RESTAURAR_ARCHIVOS.html”,”*.ENCR”,”*.[File-Help@India.Com].mails”,”damage@india.com*”,”*.tmp.exe”,”What happen to my files.txt”,”*.jeepdayz@india.com”,”*.BarRax”,”*.damage”,”*.locked-*”,”*.jey”,”*.CRYPTOSHIEL”,”*.cfk”,”ASSISTANCE_IN_RECOVERY.txt”,”#_DECRYPT_ASSISTANCE_#.txt”,”*.lfk”,”_HELP_HELP_HELP_*.hta”,”_HELP_HELP_HELP_*.jpg”,”BTC_DECRYPT_FILES.txt”,”*.TheTrumpLockerp”,”*.TheTrumpLockerf”,”*.d4nk”,”*.x3mpro”,”READ-READ-READ.html”,”*.weencedufiles”,”*.jse”,”*.powned”,”[KASISKI]*”,”INSTRUCCIONES.txt”,”@_USE_TO_FIX_*.txt”,”*.happydayzz”,”*.hasp”,”001-READ-FOR-DECRYPT-FILES.html”,”DECRYPT_INFORMATION.html”,”Rans0m_N0te_Read_ME.txt”,”email-vpupkin3@aol.com*”,”*.hnyear”,”*.hnumkhotep@india.com.hnumkhotep”,”*.wowwhereismyfiles”,”*.decryptional”,”*.wowreadfordecryp”,”*.7zipper”,”*.youransom”,”*.gui”,”*.Harzhuangzi”,”*.encryptedyourfiles”,”*HERMES”,”[amanda_sofost@india.com].wallet”,”*.wcry”,”*.velikasrbija”,”*.razarac”,”*.serpent”,”*.msj”,”*.szesnl”,”_DECRYPT_INFO_szesnl.html”,”000-IF-YOU-WANT-DEC-FILES.html”,”*.evillock”,”*.letmetrydecfiles”,”*.yourransom”,”*.lambda_l0cked”,”*.gefickt”,”*.HakunaMatata”,”*.CRYPTOSHIELD”,”*.weareyourfriends”,”MERRY_I_LOVE_YOU_BRUCE.hta”,”How decrypt files.hta”,”unCrypte@outlook.com*”,”decipher_ne@outlook.com*”,”*.potato”,”*.otherinformation”,”*.vxLock”,”*.rdmk”,”*.paytounlock”,”TRY-READ-ME-TO-DEC.html”,”EMAIL_*_recipient.zip”,”*.sage”,”*garryweber@protonmail.ch”,”LEER_INMEDIATAMENTE.txt”,”*.killedXXX”,”*.doomed”,”*.sifreli”,”*.MERRY”,”000-No-PROBLEM-WE-DEC-FILES.html”,”*.noproblemwedecfiles”,”WE-MUST-DEC-FILES.html”,”*.powerfulldecrypt”,”*.stn”,”*bingo@opensourcemail.org”,”*.id-3044989498_x3m”,”*.x3m”,”READ_ME_TO_DECRYPT_YOU_INFORMA.jjj”,”*.wuciwug”,”*.kencf”,”*.file0locked”,”file0locked.js”,”CryptoRansomware.exe”,”*.VBRANSOM”,”_HELP_Recover_Files_.html”,”*.oops”,”*.deria”,”*.RMCM1″,”*.Locked-by-Mafia”,”*.\u043a\u0438\u0431\u0435\u0440 \u0440\u0430\u0437\u0432\u0435\u0442\u0432\u0438\u0442\u0435\u043b\u044c”,”*-filesencrypted.html”,”decrypt_Globe*.exe”,”*.hnumkhotep”,”DecryptFile.txt”,”*.L0CKED”,”NFS-e*1025-7152.exe”,”firstransomware.exe”,”HELP-ME-ENCED-FILES.html”,”*.helpmeencedfiles”,”*EdgeLocker*.exe”,”*.edgel”,”*.XBTL”,”*.firecrypt”,”YOUR_FILES_ARE_DEAD.hta”,”*.MRCR1″,”*.PEGS1″,”*.RARE1″,”*.airacropencrypted!”,”*[cryptsvc@mail.ru].*”,”WHERE-YOUR-FILES.html”,”*.Whereisyourfiles”,”*opentoyou@india.com”,”C-email-*-*.odcodc”,”*.maktub”,”*.hush”,”*.bript”,”_*_README.hta”,”_*_README.jpg”,”HOW_OPEN_FILES.hta”,”*.gangbang”,”GJENOPPRETTING_AV_FILER.html”,”GJENOPPRETTING_AV_FILER.txt”,”!!! HOW TO DECRYPT FILES !!!.txt”,”*.braincrypt”,”INSTRUCTION RESTORE FILE.TXT”,”*.lesli”,”Survey Locker.exe”,”!!!!!ATEN\u00c7\u00c3O!!!!!.html”,”Receipt.exe”,”WindowsApplication1.exe”,”HWID Lock.exe”,”VIP72.exe”,”DALE_FILES.TXT”,”*.DALE”,”*.8637″,”*.kok”,”HOW_TO_RESTORE_YOUR_DATA.html”,”*.paymrts”,”*.paymds”,”RESTORE_CORUPTED_FILES.HTML”,”READ@My.txt”,”Cyber SpLiTTer Vbs.exe”,”*.flyper”,”000-PLEASE-READ-WE-HELP.html”,”*.helpdecrypt@india.com”,”*.VforVendetta”,”popcorn_time.exe”,”*.filock”,”*.wallet”,”*_.rmd”,”*.uDz2j8mv”,”OSIRIS-*.htm”,”DesktopOsiris.htm”,”*[cryptservice@inbox.ru]*”,”*.no_more_ransom”,”bahij2@india.com”,”*.lovewindows”,”*.osiris”,”*.R.i.P”,”Important!.txt”,”!_HOW_TO_RESTORE_*.txt”,”HOW_TO_RESTORE_FILES.txt”,”_README_*.hta”,”*.Zzzz”,”*[lavandos@dr.com].wallet”,”*.coin”,”*.crypted_file”,”*.EncrypTile”,”*.hcked”,”_README_.hta”,”Runsome.exe”,”Payment_Advice.mht”,”lblBitcoinInfoMain.txt”,”lblFinallyText.txt”,”lblMain.txt”,”*.hannah”,”*.vindows”,”How to decrypt your files.jpg”,”How to decrypt your files.txt”,”How to get data back.txt”,”*.zycrypt”,”*.sgood”,”*.zzzzz”,”xort.txt”,”DOSYALARINIZA ULA\u015eMAK \u0130\u00c7\u0130N A\u00c7INIZ.html”,”HOWTO_RECOVER_FILES_*.TXT”,”HELP_RESTORE_FILES_*.TXT”,”Recovery+*.html”,”Recovery+*.txt”,”_H_e_l_p_RECOVER_INSTRUCTIONS+*.png”,”_H_e_l_p_RECOVER_INSTRUCTIONS+*.html”,”help_recover_instructions+*.html”,”help_recover_instructions+*.BMP”,”_how_recover+*.html”,”_how_recover+*.txt”,”ThxForYurTyme.txt”,”_HOW_TO_Decrypt.bmp”,”_RECOVER_INSTRUCTIONS.ini”,”###-READ-FOR-HELLPP.html”,”rtext.txt”,”DECRYPTION INSTRUCTIONS.txt”,”decrypt explanations.html”,”_WHAT_is.html”,”_HOWDO_text.html”,”readme_liesmich_encryptor_raas.txt”,”_Adatok_visszaallitasahoz_utasitasok.txt”,”How to restore files.hta”,”locked.bmp”,”README_TO_RECURE_YOUR_FILES.txt”,”Your files encrypted by our friends !!!.txt”,”ATTENTION.url”,”@WARNING_FILES_ARE_ENCRYPTED.*.txt”,”README!!!.txt”,”# README.hta”,”!Recovery_*.html”,”YourID.txt”,”recover.bmp”,”recover.txt”,”README HOW TO DECRYPT YOUR FILES.HTML”,”READ_IT.txt”,”*.lock93″,”*.!emc”,”*.adk”,”svchosd.exe”,”*.aesir”,”*.CHIP”,”*.happy”,”*.angelamerkel”,”*.razy1337″,”*.zendr4″,”*.dharma”,”*.locked3″,”*.duhust”,”*.exploit”,”*_crypt”,”*_help_instruct*.*”,”*!DMAlock*”,”*.GSupport3″,”*.rnsmwr”,”*.dCrypt”,”ransomed.html”,”*.Alcatraz”,”*_WHAT_is.html”,”readme.hta”,”*.96e2″,”*.thor”,”*.dxxd”,”*.usr0″,”*.shit”,”*.coded”,”*.raid10″,”*.realfs0ciety*”,”*.rip”,”*.okean*”,”*.globe”,”*.nuclear55″,”*.1txt”,”*.kostya”,”*.k0stya”,”*.comrade”,”*.exotic”,”*.fuck”,”*.Yakes”,”*.Zimbra”,”email-salazar_slytherin10@yahoo.com.ver-*.id-*-*.randomname-*”,”*._AiraCropEncrypted!”,”README_RECOVER_FILES_*.txt”,”README_RECOVER_FILES_*.png”,”README_RECOVER_FILES_*.html”,”*.~HL*”,”Sarah_G@ausi.com___*”,”*.zc3791″,”*.venusp”,”*.shino”,”*.bleepYourFiles”,”*.crashed”,”*.amba”,”*.7h9r”,”*.\u5df2\u52a0\u5bc6″,”*.\uc554\ud638\ud654\ub428″,”*.b5c6″,”*.ap19″,”*.a19″,”_*_HOWDO_text.html”,”*_HOWDO_text.bmp”,”*_HOWDO_text.html”,”*.odin”,”*.zypto*”,”zzzzzzzzzzzzzzzzzyyy”,”zycrypt.*”,”*decrypt your file*.*”,”*_nullbyte*”,”*.bart”,”*.axx”,”_H_e_l_p_RECOVER_INSTRUCTIONS+*.txt”,”HOW-TO-DECRYPT-FILES.HTML”,”HOW_TO_DECRYPT.HTML”,”exit.hhr.obleep”,”UnblockFiles.vbs”,”README_DECRYPT_HYDRA_ID_*.txt”,”DECRYPT_Readme.TXT.ReadMe”,”Decrypt All Files *.bmp”,”HowDecrypt.gif”,”HELP_YOURFILES.HTML”,”HOW TO DECRYPT FILES.HTML”,”BUYUNLOCKCODE”,”BitCryptorFileList.txt”,”*.crjocker”,”*.POSHKODER”,”*.hydracrypt_ID_*”,”*.CTBL2″,”*.unbrecrypt_ID_*”,”*.padcrypt”,”*.rekt”,”*.CCCRRRPPP”,”*.SecureCrypte”,”*.windows10″,”*.pdcr”,”*.keybtc@inbox”,”*.breaking_bad”,”*.cryptowall”,”*.xorist”,”*.crypt1″,”How_to_decrypt_your_files.jpg”,”How_to_restore_files.hta”,”*.cerber3″,”*.a5zfn”,”*.purge”,”*.fantom”,”*.cerber2″,”!readme.*”,”Como descriptografar seus arquivos.txt”,”*.C0rp0r@c@0Xr@”,”*.domino”,”*cerber2″,”*.cawwcca”,”how_to_unlock*.*”,”!Recovery_*.txt”,”Read_this_file.txt”,”*.legion”,”*.encoderpass”,”*.cryptolocker”,”*.7z.encrypted”,”ATTENTION!!!.txt”,”HELP_DECRYPT.lnk”,”how to decrypt aes files.lnk”,”restore_files.txt”,”HowDecrypt.txt”,”$RECYCLE.BIN.{*-*-*-*}”,”*.heisenberg”,”*.breaking bad”,”*.razy”,”*.Venusf”,”.~”,”*.payfornature@india.com.crypted”,”winclwp.jpg”,”wie_zum_Wiederherstellen_von_Dateien.txt”,”tox.html”,”strongcrypt.bmp”,”qwer2.html”,”qwer.html”,”pronk.txt”,”paycrypt.bmp”,”maxcrypt.bmp”,”how_decrypt.gif”,”how to get data.txt”,”help_recover_instructions*.txt”,”help_recover_instructions*.html”,”help_recover_instructions*.bmp”,”help-file-decrypt.enc”,”enigma_encr.txt”,”enigma.hta”,”default432643264.jpg”,”default32643264.bmp”,”decypt_your_files.html”,”de_crypt_readme.txt”,”de_crypt_readme.html”,”de_crypt_readme.bmp”,”cryptinfo.txt”,”crjoker.html”,”_how_recover*.txt”,”_how_recover*.html”,”_Locky_recover_instructions.bmp”,”_H_e_l_p_RECOVER_INSTRUCTIONS*.txt”,”_H_e_l_p_RECOVER_INSTRUCTIONS*.png”,”_H_e_l_p_RECOVER_INSTRUCTIONS*.html”,”_HELP_instructions.txt”,”_HELP_instructions.bmp”,”_DECRYPT_INFO_*.html”,”Your files encrypted by our friends !!! txt”,”Your files are locked !.txt”,”Your files are locked !!.txt”,”Your files are locked !!!.txt”,”Your files are locked !!!!.txt”,”YOUR_FILES_ARE_LOCKED.txt”,”YOUR_FILES_ARE_ENCRYPTED.TXT”,”YOUR_FILES_ARE_ENCRYPTED.HTML”,”YOUGOTHACKED.TXT”,”UNLOCK_FILES_INSTRUCTIONS.txt”,”UNLOCK_FILES_INSTRUCTIONS.html”,”SIFRE_COZME_TALIMATI.html”,”SHTODELATVAM.txt”,”Read Me (How Decrypt) !!!!.txt”,”RESTORE_FILES_*.txt”,”RESTORE_FILES_*.*”,”READ_THIS_TO_DECRYPT.html”,”README_HOW_TO_UNLOCK.TXT”,”README_HOW_TO_UNLOCK.HTML”,”README_DECRYPT_UMBRE_ID_*.txt”,”README_DECRYPT_UMBRE_ID_*.jpg”,”README_DECRYPT_HYRDA_ID_*.txt”,”READ ME FOR DECRYPT.txt”,”READ IF YOU WANT YOUR FILES BACK.html”,”Payment_Instructions.jpg”,”ONTSLEUTELINGS_INSTRUCTIES.html”,”OKSOWATHAPPENDTOYOURFILES.TXT”,”MENSAGEM.txt”,”KryptoLocker_README.txt”,”Instructionaga.txt”,”ISTRUZIONI_DECRITTAZIONE.html”,”INSTRUCTIONS_DE_DECRYPTAGE.html”,”INSTRUCCIONES_DESCIFRADO.html”,”INSTALL_TOR.URL”,”IMPORTANT.README”,”IMPORTANT READ ME.txt”,”Howto_RESTORE_FILES.html”,”How to decrypt your data.txt”,”How to decrypt LeChiffre files.html”,”Help Decrypt.html”,”Hacked_Read_me_to_decrypt_files.html”,”HOW_TO_UNLOCK_FILES_README_*.txt”,”HOW_TO_RESTORE_FILES.html”,”HOW_DECRYPT.URL”,”HOW_DECRYPT.TXT”,”HOW_DECRYPT.HTML”,”HOWTO_RECOVER_FILES_*.*”,”HOW TO DECRYPT FILES.txt”,”HELP_YOUR_FILES.html”,”HELP_YOUR_FILES.PNG”,”HELP_TO_SAVE_FILES.bmp”,”HELP_RESTORE_FILES_*.*”,”HELP_DECRYPT.URL”,”HELP_DECRYPT.PNG”,”HELP_DECRYPT.HTML”,”GetYouFiles.txt”,”File Decrypt Help.html”,”FILES_BACK.txt”,”ENTSCHLUSSELN_HINWEISE.html”,”DecryptAllFiles*.txt”,”DESIFROVANI_POKYNY.html”,”DECRYPT_YOUR_FILES.txt”,”DECRYPT_YOUR_FILES.HTML”,”DECRYPT_ReadMe1.TXT”,”DECRYPT_INSTRUCTIONS.html”,”DECRYPT_INSTRUCTION.URL”,”DECRYPT_INSTRUCTION.HTML”,”DECRYPTION_HOWTO.Notepad”,”Comment d\u00e9bloquer mes fichiers.txt”,”BUYUNLOCKCODE.txt”,”AllFilesAreLocked*.bmp”,”4-14-2016-INFECTION.TXT”,”*_ryp”,”*_HELP_instructions.html”,”*.xcrypt”,”*.unavailable”,”*.szf”,”*.porno.pornoransom”,”*.plauge17″,”*.neitrino”,”*.kimcilware.locked”,”*.iwanthelpuuu”,”*.herbst”,”*.helpdecrypt@ukr.net”,”*.h3ll”,”*.gws.porno”,”*.fuckyourdata”,”*.encrypted.locked”,”*.cryptz”,”*.crypttt”,”*.cripttt”,”*.criptokod”,”*.criptiko”,”*.btc.kkk.fun.gws”,”*.aga”,”*._ryp”,”*.Where_my_files.txt”,”*.Read_Me.Txt”,”*.RSplited”,”*.KEYZ.KEYH0LES”,”*.How_To_Get_Back.txt”,”*.How_To_Decrypt.txt”,”*.Contact_Here_To_Recover_Your_Files.txt”,”*.31392E30362E32303136_*”,”# DECRYPT MY FILES #.vbs”,”# DECRYPT MY FILES #.txt”,”# DECRYPT MY FILES #.html”,”!Where_are_my_files!.html”,”!!!README!!!*.rtf”,”!!!-WARNING-!!!.txt”,”!!!-WARNING-!!!.html”,”*.magic_software_syndicate”,”*maestro@pizzacrypts.info”,”*.crypt”,”*.bitstak”,”*.wflx”,”*.CRRRT”,”howtodecryptaesfiles.txt”,”!satana!.txt”,”*.akaibvn”,”*.cRh8″,”*.YTBL”,”*.krypted”,”*.tzu”,”*.6FKR8d”,”*.sshxkej”,”*.eclr”,”*.epic”,”*.paybtcs”,”*.AFD”,”*.paymst”,”*.payms”,”*.isis”,”*.zepto”,”*.bart.zip”,”*.kratos”,”*.31342E30362E32303136*”,”*.SecureCrypted”,”*.crptrgr”,”*.rtyrtyrty”,”!DMALOCK3.0*”,”*.evil”,”*.crypt38″,”*.asdasdasd”,”*.ded”,”*.bloccato”,”*.canihelpyou”,”*.crypz”,”decrypt-instruct*.*”,”*files_are_encrypted.*”,”*decryptmyfiles*.*”,”help_instructions.*”,”*-recover-*.*”,”de_crypt_readme.*”,”*!recover!*.*”,”*recover}-*.*”,”*rec0ver*.*”,”_help_instruct*.*”,”*_recover_*.*”,”*+recover+*.*”,”*warning-!!*.*”,”*decrypt my file*.*”,”help_file_*.*”,”recovery+*.*”,”readme_for_decrypt*.*”,”install_tor*.*”,”readme_decrypt*.*”,”howtodecrypt*.*”,”howto_restore*.*”,”how_to_recover*.*”,”how_recover*.*”,”how_to_decrypt*.*”,”how to decrypt*.*”,”help_restore*.*”,”help_your_file*.*”,”help_recover*.*”,”help_decrypt*.*”,”decrypt_instruct*.*”,”cryptolocker.*”,”*recover_instruction*.*”,”*.hydracrypt_ID*”,”*gmail*.crypt”,”*.cryptotorlocker*”,”*.xxx”,”*.xyz”,”*.xtbl”,”*.xort”,”*.xrtn”,”*.vvv”,”*.vscrypt”,”*.trun”,”*.ttt”,”*.surprise”,”*.troyancoder@qq_com”,”*.sport”,”*.scl”,”*.ryp”,”*.sanction”,”*.RRK”,”*.rokku”,”*.remind”,”*.relock@qq_com”,”*.RDM”,”*.RADAMANT”,”*.R5A”,”*.R4A”,”*.PoAr2w”,”*.pizda@qq_com”,”*.p5tkjw”,”*.oplata@qq_com”,”*.oshit”,”*.oor”,”*.one-we_can-help_you”,”*.OMG!”,”*.nochance”,”*.nalog@qq_com”,”*.micro”,”*.LOL!”,”*.locky”,”*.locked”,”*.LeChiffre”,”*.kraken”,”*.korrektor”,”*.kkk”,”*.kimcilware”,”*.KEYZ”,”*.keybtc@inbox_com”,”*.KEYHOLES”,”*.justbtcwillhelpyou”,”*.infected”,”*.helpdecrypt@ukr_net”,”*.hb15″,”*.ha3″,”*.gruzin@qq_com”,”*.gws”,”*.fun”,”*.fucked”,”*.enigma”,”*.encryptedped”,”*.encryptedRSA”,”*.encryptedAES”,”*.Encrypted”,”*.encrypt”,”*.encedRSA”,”*.EnCiPhErEd”,”*.dyatel@qq_com”,”*.czvxce”,”*.darkness”,”*.ctbl”,”*.CrySiS”,”*.CryptoTorLocker2015!”,”*.crypted”,”*.cry”,”*.crjoker”,”*.crinf”,”*.crime”,”*.coverton”,”*.code”,”*.clf”,”*.chifrator@qq_com”,”*.cerber”,”*.cbf”,”*.btcbtcbtc”,”*.btc-help-you”,”*.btc”,”*.bloc”,”*.better_call_saul”,”*.AES256″,”*.{CRYPTENDBLACKDC}”,”*.73i87A”,”*.zzz”,”*.abc”,”*.aaa”,”vault.txt”,”vault.key”,”recovery_key.txt”,”vault.hta”,”message.txt”,”recovery_file.txt”,”confirmation.key”,”enc_files.txt”,”last_chance.txt”,”*.vault”,”*want your files back.*”,”*.frtrss”,”*.exx”,”*.ezz”,”*.ecc”,”*help_restore*.*”,”*how_to_recover*.*”,”*restore_fi*.*”,”*ukr.net*”,”*qq_com*”,”*keemail.me*”,”*decipher*”,”*install_tor*.*”,”*@india.com*”,”*@gmail_com_*”,”*.*obleep”,”*.*exx”,”*.*locked”,”*.*nochance”,”*.*kraken”,”*.*kb15″,”*.*darkness”,”*.*crypto”,”*.*cry”,”_Locky_recover_instructions.txt”,”help_recover_instructions+*.txt”,”recoverfile*.txt”,”Howto_Restore_FILES.TXT”,”recoveryfile*.txt”,”_how_recover.txt”,”howrecover+*.txt”,”restorefiles.txt”,”howto_recover_file.txt”,”HowtoRESTORE_FILES.txt”,”RECOVERY_FILE*.txt”,”RECOVERY_FILES.txt”,”help_decrypt_your_files.html”,”HELPDECYPRT_YOUR_FILES.HTML”,”IHAVEYOURSECRET.KEY”,”SECRET.KEY”,”SECRETIDHERE.KEY”,”READTHISNOW!!!.TXT”,”IAMREADYTOPAY.TXT”,”HELLOTHERE.TXT”,”FILESAREGONE.TXT”,”DECRYPT_ReadMe.TXT”,”Read.txt”,”About_Files.txt”,”_secret_code.txt”,”ReadDecryptFilesHere.txt”,”Coin.Locker.txt”,”HOW_TO_DECRYPT_FILES.TXT”,”DECRYPT_INSTRUCTION.TXT”,”encryptor_raas_readme_liesmich.txt”,”Help_Decrypt.txt”,”YOUR_FILES.url”,”How_To_Recover_Files.txt”,”YOUR_FILES.HTML”,”INSTRUCCIONES_DESCIFRADO.TXT”,”DECRYPT_INSTRUCTIONS.TXT”,”HELP_TO_SAVE_FILES.txt”,”DecryptAllFiles.txt”,”HELP_RECOVER_FILES.txt”,”HELP_RESTORE_FILES.txt”,”HELP_TO_DECRYPT_YOUR_FILES.txt”,”HELP_YOUR_FILES.TXT”,”HELPDECRYPT.TXT”,”*.CTB2″,”*.SUPERCRYPT”,”*.magic”,”*.1999″,”*.toxcrypt”,”*.bleep”,”*.0x0″,”*.good”,”*.R16M01D05″,”*.pzdc”,”*.XRNT”,”*.crypto”,”*.ccc”,”*.da_vinci_code”,”*.payransom”,”*.KEYH0LES”,”oor.*”,”*.zyklon”,”*.zcrypt”,”*.Z81928819″,”*.Silent”,”*.RSNSlocked”,”*.RAD”,”*.porno”,”*.pornoransom”,”*.odcodc”,”_ryp”,”*.helpdecrypt@ukr*.net”,”*.only-we_can-help_you”,”*.cryp1″,”*.fileiscryptedhard”,”*.blocatto”,”*.8lock8″,”*.777″]}

Posted in microsoft | Leave a comment

Windows 10 Build – Feature Reference

This article goal is to list all new feature per Windows 10 Build



Build 16226 – 22 June 2017

Build 16215 – 8 June 2017

– Edge : X always available to close a tab (16226)

– Edge : Cookie and setting more easy to migrate from another browser like Chrome (16226)

– Edge : Now allow copy and ask in Cortana (16226)

– Edge : Favorite handling improved, gooing back to IE look and now allow easy editing like IE. Now allow pushing favorite for IT Admin, likein IE. (16226)

– Emoji 5.0 added (16226)

– OneDrive : Added setting Settings > Privacy > App-requested downloads (16226)

– OneDrive : File on demand feature added with a new onedrive client (On the Settings tab, select the Save space and download files as you use them box.) (16215)

– Touch Keyboard : Multiple tweak (16226)

– Core : GPU tab in taskmgr.exe added and you can display the process grouped per apps. (16226)

– Core : SMB1 removal for enterprise edition, depriciated for home edition (16226)

– Settings : Added Delete your previous versions of Windows straight from Storage Sense (16226)

– Settings : Remote Desktop new settings tab (16226)

– File Explorer : Share with update to Give access to (16226)

– Calculator : Added currency converter (16226)

– HyperV : VM Share option added, new file formt to support the feature ; .vmcz (16226)

Posted in microsoft | Leave a comment

Windows Server 2016 RS3 stop FRS support

Hi everyone

A small update, now we must be sure FRS SYSVOL share are migrated to DFRS to allow a 2016 DC RS3 to be able to dcpromo.


https://support.microsoft.com/en-us/help/4025991/windows-server-2016-rs3-no-longer-supports-frs

Windows Server 2016 RS3 can no longer be added as an Active Directory domain controller (DC) to an existing domain that is still using File Replication Service (FRS) for replication of the SYSVOL share.

Posted in microsoft | Leave a comment

Hard Exchange Migration (2007 to 2016)

Hi everyone

Today I will discuss a nonstandard way to migrate a Exchange 2007 to a Exchange 2016.

As we know it, we must say goodbye to Exchange 2007 because it mo longer receive support

The bestpractice is to install a 2010 to do a two step migration, but in some case if you can’t, you could do a one step migration (for small customer)

That imply this;

You have to save all users email in PST. 

  • On the server by exporting all data via the Exchange CLI.
  • or, PC by PC by exporting each account. 

I suggest to go PC by PC if you want to backup the Outlook autocomplete cache

There will be a downtime in the email flow.

The step;

  1. Do a good backup
  2. Redirect the SMTP port to the new server, even if it does bot exist yet. The goal is to stop new email receiving.
  3. Backup all users email, don’t forget shared room/ressource mailbox.
  4. Uninstall Exchange 2007
  5. Install Exchange 2016
  6. Re-add all user to the new server from Exchange ECP
  7. Enable circular logging. (for the restoration step)
  8. Restore all user email by importing their PST.

The good side;

  • Uninstalling the Exchange does not remove the user email alias, thus its easy to readd all user back if you happen to not have a name policy for the alias.
  • Mailing list and contact stay in your Active Dirwctory after the uninstall.

The bad side;

  • To unistall I had to flush the public database link from adsiedit, as you can’t uninstall even if the public database is empty.
  • For all my contact and mailing list I had to take back the ownership of those object in the Active Directory to see them back in Exchange.

Thanks, that resume how to do 🙂
Picture took from; https://www.codetwo.com/admins-blog/time-to-say-goodbye-to-exchange-2007/

    Posted in microsoft | Leave a comment

    New baby !

    Hi everyone

    I wanted to share a good new. Iam now a father of twin 🙂 !

    All went good, now you can wish me good luck for my night! hehe

    Posted in Uncategorized | Leave a comment