Remove Quick Assist (and other built-in apps) across your enterprise automatically using PowerShell and Microsoft Intune

May 21, 2024May 21, 2024 by Martin Bengtsson

Introduction

Disclaimer! Following introduction has been written using Copilot, because time is of the essence and AI is or will be an inevitable thing – also in regard to writing blogs. The script and the rest of the post is written by me. 🙂

In the ever-evolving landscape of cybersecurity, staying one step ahead is crucial. Today, we delve into a PowerShell script designed to enhance your system’s security by removing the Quick Assist app from Windows 11.

As highlighted in this Microsoft Security Blog, threat actors have been misusing Quick Assist in social engineering attacks leading to ransomware. Quick Assist, a built-in remote control app in Windows 11, has been exploited by cybercriminals, notably the financially motivated group Storm-1811, known for deploying Black Basta ransomware.

To counter this threat, our featured PowerShell script, removes the Quick Assist app from your system. This script is a proactive measure to mitigate the risk of such attacks, especially for environments where Quick Assist is not in use.

In the following sections, we’ll walk you through the script and its usage with Microsoft Intune. Let’s get started!

Configure ‘Allow logon locally’ automatically using PowerShell and Microsoft Intune

May 21, 2024May 14, 2024 by Martin Bengtsson

I know Microsoft Intune has the ability to configure this particular user rights assignment natively already. At time of writing, the new security baseline for Windows 11 23H2 in Intune configure this as well, restricting local logons to the built-in groups: Users and Administrators.

This solution does something else. This solution grabs the currently logged on user and configures the ‘Allow logon locally‘ policy to ONLY allow this very user as well as Administrators to be able to log on locally. A custom group is added as well for backup reasons. If no user is logged on, the script does nothing. More details down below.

The solution is made to prevent ‘stealing’ credentials from one user/device and be able to use it on another device within the same environment.

Reduce your attack surface by disabling NetBIOS using PowerShell and Microsoft Intune

April 4, 2024April 3, 2024 by Martin Bengtsson

Introduction

If you are working with device management and IT security in general, you have probably heard about the recommendation to disable the legacy protocol NetBIOS in Windows.

If this is news to you, there’s some interesting reading for you in this article: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Sub-technique T1557.001 – Enterprise | MITRE ATT&CK

NOTE: Before disabling anything, make sure you do your due diligence and monitor your environment for NetBIOS traffic, so you don’t accidently break stuff! Wireshark can help you with this. 🙂

Uninstall any application in a jiffy using PowerShell and Microsoft Intune

December 20, 2023December 19, 2023 by Martin Bengtsson

Introduction

This post is a just a quick follow up on my previous post: Uninstall any application in a jiffy using PowerShell and Configuration Manager

I received a few questions whether the PowerShell script can be used with Microsoft Intune instead of Microsoft Configuration Manager. And sure! This post will explain one of many approaches available with Intune. 🙂

Elevate plz? Become Domain Admin in a split second via Configuration Manager

December 20, 2023December 17, 2023 by Martin Bengtsson

Introduction

Really short post, just to illustrate the possible privileges of being a Configuration Manager admin and having the ConfigMgr client installed on a Domain Controller.

While this might be stating the obvious for some people, I think it deserves a mention regardless.

This dictates a proper tiering model, especially around your Domain Controllers, making sure that Configmgr Admins does not have access to Domain Controllers and vice versa, but also to treat your ConfigMgr environment as tier0.

Uninstall any application in a jiffy using PowerShell and Configuration Manager

December 20, 2023December 17, 2023 by Martin Bengtsson

Introduction

I was recently tasked with the complete removal of Google Chrome from an environment. Google Chrome in question was installed via the default installer from Google, but also via a few custom repackaged installers, so I had multiple product IDs to consider.

Instead of manually looking for each product ID and use that with separate uninstallations, I figured to create some PowerShell code to do that for me automatically and on the fly.

This can be used to uninstall any application registered with the Windows installer, installed either as a .MSI or a select .EXE compiler.

Reduce your attack surface by uninstalling PowerShell version 2 using PowerShell and Microsoft Intune

December 15, 2023December 15, 2023 by Martin Bengtsson

Introduction

PowerShell version 2 is to this day still preinstalled on Windows 11 and all Windows Server versions with the exception of Windows Server 2022.

As the reader may know, PowerShell is a powerful tool that plays an important role in administering Windows systems. However, it also contains various features that can be leveraged by attackers with ill intentions.

If PowerShell version 2 is installed, it’s possible to bypass the constrained language mode, which normally is being enforced by application control solutions like AppLocker and similar.

PowerShell Constrained Language is a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs

If you haven’t removed PowerShell version 2 already, you should consider looking into it today as an early Christmas present. 🙂

Ps. this solution is only targeting workstations. If you need to remove PowerShell version 2 from servers, you cannot leverage Microsoft Intune. You should instead look into Configuration Manager or similar.

Automatically remove and disable unwelcome objects from privileged on-premises Active Directory groups using Microsoft Sentinel

May 24, 2024October 23, 2023 by Martin Bengtsson

Introduction

Active Directory is a prime target for attackers – and for most organizations something that’s considered the crown jewels. This is due to Active Directory still being the bread and butter for most organizations in regard to authentication and authorization.

When it comes to security, automation is your best friend and keeping a close eye on privileged group membership should be on top of your list.

This post will walk you through, how you can make sure no unwelcome objects make their way into privileged groups in on-premises AD, by leveraging Microsoft Sentinel and its option to run playbooks automated.

This breaks down to Microsoft Sentinel generating an alert, which triggers the associated Playbook, which triggers a Logic app, which triggers a Runbook in an Automation Account, which ultimately runs a PowerShell script on an on-premises server.

Big shout out to my colleague Christian Frohn Petersen who assisted in setting up the prerequisites for this solution. 🙂

How I stole my colleague’s OneDrive content and WiFi passwords using a fake iPhone cable and PowerShell

October 9, 2023October 8, 2023 by Martin Bengtsson

Introduction

Big disclaimer: This is done for educational purposes. Do not steal anyone’s OneDrive content or WiFi passwords – actually don’t steal anything at all. 🙂

Endpoint management and endpoint security are 2 sides of the same coin, which means I’m heavily invested in both worlds. I run internal attack simulations several times a year, and recently came up with a new idea in educating our users.

How about I demo how a fake iPhone cable is enough to steal their OneDrive content and password for their home WiFi?

This post will walk you through the details of doing just that. This involves the use of the infamous O.MG cable and a custom payload launching my PowerShell script directly from GitHub – and ultimately uploading the stolen loot to Dropbox.

How I enabled and tested Windows Copilot for the first time

September 29, 2023September 29, 2023 by Martin Bengtsson

Introduction

Last week, on September 21, Microsoft announced that Windows Copilot will begin to roll out to Windows 11, starting September 26.

Curious to know more on managing Windows Copilot, I dug into the various documentation on the subject, as well as researching on Twitter.

I managed to get to enable Windows Copilot on my Intune-managed Windows 11 device. Note that I’m located in Europe, and some documentation suggests that Windows Copilot isn’t available here just yet.

This post serves as notes from the field. 🙂