Allen Ryerson

Just another drowsy Systems Administrator

Read this first

Scripts to Remove the Zoom Client


Given the increased amount of Zoom vulnerabilities, one of my clients wanted to remove any and all Zoom installations from their domain workstations. So, naturally, PowerShell to the rescue!

<#
    .SYNOPSIS
        Downloads the CleanZoom.exe removal tool, if it doesn't already exist. Then runs the uninstaller.
#>

try
{
    # Get-ChildItem with -ErrorAction Stop throws ItemNotFoundException when the file is missing,
    # which sends execution to the matching catch block below.
    $filecheck = Get-ChildItem C:\Windows\Temp\CleanZoom.exe -ErrorAction Stop
    Write-Output "File Exists"
    C:\Windows\Temp\CleanZoom.exe
}
catch [System.Management.Automation.ItemNotFoundException]
{
    # The file is not there yet: fetch Zoom's official uninstaller, then run it.
    Write-Output "Downloading File"
    Invoke-WebRequest "https://support.zoom.us/hc/en-us/article_attachments/360033082431/CleanZoom.exe" -OutFile "C:\Windows\Temp\CleanZoom.exe"
    C:\Windows\Temp\CleanZoom.exe
}
catch
{
    # Any other failure (for example a download error): print the most recent error record.
    Write-Output $error[0]
}

What this will do is go out and download the official Zoom client uninstaller, CleanZoom.exe, to the...

Continue reading →


BECS - An Office 365 Incident Response Tool

Gosh golly, another blog post



I seem to have found myself doing a lot of incident response (IR) engagements here lately. I mean, I’m not complaining; it’s bittersweet in that I have a lot of fun during these engagements, but also sad because they negatively impact businesses that have better things to do.

Several times now, I’ve needed to do some sort of DFIR in Office 365, where I just manually grabbed whatever data I needed at the time. But for the sake of automation (being lazy), tooling, and giving back to the community, I thought, gee, I should make a tool. With that, BECS was born, which is available on my GitHub:


    ---------------------------------------------

    ______       _____       _____       _____   
    | ___ \     |  ___|     /  __ \     /  ___|  
    | |_/ /     | |__       | /  \/     \ `--.   
    | ___ \     |  __|      | |          `--. \  
    | |_/ /
...

Continue reading →


Blue Teaming - Defending Against Responder.py

Oh no, we at it again



Isn’t it just nice that when you plug in your PC to the network, it can start discovering your local printers, shares and even other workstations? Yea, your red team thinks so, too.

During a pentest engagement, one easy thing to have running in the background is Responder. Formerly maintained by SpiderLabs, now by lgandx, Responder is a Python-based project that poisons LLMNR, NBT-NS and mDNS requests within a network.

What makes Responder so effective, and so dangerous, is what happens when a user either mistypes a server name or, more commonly, runs a Google search straight from the URL bar of their web browser (come on, we all do it). Your PC first asks its local DNS server for an address; if nothing is found, it falls back to a local LLMNR and NetBIOS name-resolution broadcast, which an attacker’s PC running Responder is listening for. When a...

Continue reading →


Import BIND zones to Azure DNS

One of my customers was using BIND to handle their public-facing DNS. In an effort to remove technical debt, minimize their infrastructure footprint, and make things easier for staff, I was tasked with looking for a cloud alternative to BIND.

Introducing Azure DNS

Azure has a DNS hosting solution that has recently been slapped with a 100% SLA. Given this SLA and the fact that it’s dirt cheap, there’s no reason why you shouldn’t be using Azure DNS!

Importing the BIND Zones

Now on to the task at hand, getting the zones imported into Azure DNS. Using Azure CLI, we can very easily import the zone files directly to Azure!

 az network dns zone import --resource-group ResourceGroupName --name NameOfZone.com --file-name C:\Path\to\your\db.domain.com

Once you kick that off, you should start seeing it importing each record:

Shout out to Microsoft for making it straightforward. The only quirk...

Continue reading →


Search Exchange Online for a missing calendar

“Someone deleted our shared calendar!”

Welp, here I go..


Once in a blue moon, we would get a panicked email about an important shared calendar mysteriously going MIA. What usually happened is that, during some cleanup, an end user inadvertently deleted the entire shared calendar and then went about their business, causing a panic for everyone else. We need to somehow find this missing calendar; before we do, however, we first need a brief overview of the structure of an Exchange mailbox.

Exchange Mailbox Dissection

To find a missing calendar (or any calendar, really), we need to know the structure of a mailbox, using PowerShell.

Connect to your Exchange Online environment and type in the following cmdlet:

Get-MailboxFolderStatistics -Identity Taylor.Swift@sleepysysadmin.com | Get-Member

There are a couple important properties here:

  • Name
    • Name of the Folder
  • Folder Path
    • An actual...

Continue reading →


Is this thing on?

Why am I doing a blog? I don’t know, couple reasons:

  • To stay relevant, keep up with technology, etc.
  • There have been many late nights, standing over a broken server/puddle of my own tears, deep into some random blog post hoping to find the right fix for my problem. This is my little way of paying back to the community and to help any other overworked sysadmin out there.
  • I’m pulled in so many directions that half the time I can’t tell which way is up. This is my little way of recording neat fixes I find for me to look back to later, while helping the tech community at the same time!
  • Self promotion, my little way of trying to stand out in the massive pool of technology professionals.

I hope this blog helps some poor schmuck someday find a solution they have been looking for, inspires someone to try something new, or encourages them to contribute to the tech community in their own way.

Cheers!

Continue reading →