Sysinternals New Tool Sysmon (System Monitor)

The new tool in the Sysinternals Suite, released recently by Mark Russinovich, is called Sysmon (System Monitor): http://technet.microsoft.com/en-us/sysinternals/dn798348 . The tool installs a service and a driver that log system activity into the Windows event log. The activity it monitors is:

  • Process creation with the full command line for both the current and the parent process. It also records the hash of the process image using MD5, SHA1 or SHA256, and a process GUID assigned at creation for better correlation, since Windows may reuse a process PID.
  • Network connections from the host to another. It records the source process, IP addresses, port numbers, hostnames and port names for TCP/UDP connections.
  • Changes to the file creation time of a file.
  • Events generated from early in the boot process, to capture activity made by even sophisticated kernel-mode malware.
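As an added example (my own code, not part of the post or of Sysmon), here is how a defender can pull the process-creation events described above out of the Sysmon operational log and flatten each event's data into an object that can be filtered on command line, parent image or hash. The log name and field names are the ones Sysmon writes; the function name and the regex filter are my own.

```powershell
# Added example (not from the post): read Sysmon process-creation events
# (Event ID 1) from the Sysmon operational log and flatten each event's
# EventData into a hashtable so the fields the post lists (command line,
# parent, image hash, ProcessGuid) can be filtered. Log name and field
# names are those Sysmon writes; adjust if your Sysmon version differs.
function Get-SysmonProcessCreate {
    [CmdletBinding()]
    Param(
        [int]$MaxEvents = 50,
        # Optional: only return events whose Image path matches this regex
        [string]$ImageFilter = '.*'
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Each event's XML carries <EventData><Data Name="...">value</Data>
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # 'return' inside ForEach-Object only skips this one event
            if ($data['Image'] -notmatch $ImageFilter) { return }
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                ProcessGuid = $data['ProcessGuid']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                ParentImage = $data['ParentImage']
                Hashes      = $data['Hashes']
            }
        }
}

# Usage: list recent process creations whose image lives outside the
# Windows and Program Files directories, a common triage starting point.
Get-SysmonProcessCreate -MaxEvents 200 -ImageFilter '^(?!C:\\(Windows|Program Files))' |
    Format-Table Time, Image, ParentImage -AutoSize
```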

PowerShell Tip: Validating IP Address as a Parameter

I often find myself writing an Advanced Function whose parameters are only IP addresses. A quick way I found to validate that an IP address was passed is to use the [IPAddress] type accelerator together with the [ValidateScript()] parameter attribute. If we look at the type accelerator itself, passing a valid IPv4 or IPv6 address gives us an IPAddress object:

PS C:\Windows\system32> [ipaddress]"192.168.1.1"


Address            : 16885952
AddressFamily      : InterNetwork
ScopeId            : 
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 192.168.1.1

Let's try passing an invalid IPv4 address:

PS C:\Windows\system32> [ipaddress]"260.0.0.1"
Cannot convert value "260.0.0.1" to type "System.Net.IPAddress". Error: "An invalid IP address was specified."
At line:1 char:1
+ [ipaddress]"260.0.0.1"
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastParseTargetInvocation

As we can see, it generated an error saying that the value provided is an invalid IP address.

Here is an example function where we can see how we would set up the parameter:

function Test-IPaddress
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        # Casting to [IPAddress] throws on an invalid address, which fails the
        # validation; the -match check additionally requires the parsed address,
        # written back out, to match the text that was passed in.
        [ValidateScript({$_ -match [IPAddress]$_ })]
        [string]
        $IPAddress
    )

    Begin
    {
    }
    Process
    {
        # Return the parsed address object so the caller gets the properties shown above
        [ipaddress]$IPAddress
    }
    End
    {
    }
}

And this is how it would look when used:

PS C:\Windows\system32> Test-IPaddress -IPAddress "192.168.1.1"


Address            : 16885952
AddressFamily      : InterNetwork
ScopeId            : 
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 192.168.1.1

PS C:\Windows\system32> Test-IPaddress -IPAddress "260.0.0.1"
Test-IPaddress : Cannot validate argument on parameter 'IPAddress'. Cannot convert value "260.0.0.1" to type "System.Net.IPAddress". Error: "An invalid IP address was specified."
At line:1 char:27
+ Test-IPaddress -IPAddress "260.0.0.1"
+                           ~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Test-IPaddress], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Test-IPaddress
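One caveat worth knowing when relying on the [IPAddress] cast: .NET's parser accepts shorthand such as "1" (which becomes 0.0.0.1) and "192.168.1" (which becomes 192.168.0.1), so a bare cast is more permissive than most people expect. The following is an added example of my own, not the post's function, that requires the parsed address to round-trip to exactly the text that was given and can optionally restrict the address family; the function name is my own.

```powershell
# Added example (not the post's function): validate an address string the
# strict way. [IPAddress] accepts shorthand such as "1" (becomes 0.0.0.1)
# and "192.168.1" (becomes 192.168.0.1), so a bare cast is too permissive
# for input that ends up in firewall rules or log filters. Here we require
# the parsed address to round-trip to exactly the text we were given
# (-eq is case-insensitive, so IPv6 hex case does not matter, but an
# expanded IPv6 form is rejected on purpose), and optionally restrict the
# family to IPv4 (InterNetwork) or IPv6 (InterNetworkV6).
function Test-StrictIPAddress {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        [string]$IPAddress,
        [ValidateSet('InterNetwork', 'InterNetworkV6')]
        [string]$AddressFamily
    )
    Process {
        # -as yields $null instead of throwing when the text does not parse
        $parsed = $IPAddress -as [System.Net.IPAddress]
        $ok = ($null -ne $parsed) -and ($parsed.IPAddressToString -eq $IPAddress)
        if ($ok -and $AddressFamily) {
            $ok = $parsed.AddressFamily.ToString() -eq $AddressFamily
        }
        [PSCustomObject]@{
            Input   = $IPAddress
            IsValid = $ok
            Family  = $(if ($parsed) { $parsed.AddressFamily } else { $null })
        }
    }
}

# Constructed sample inputs: '1' and '192.168.1' would pass a plain [IPAddress] cast
'192.168.1.1', '1', '192.168.1', '260.0.0.1', 'fe80::1' | Test-StrictIPAddress
```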


PowerShell Tip: Working with System.Enum

Many times I find myself working with .NET enumerations such as System.Diagnostics.EventLogEntryType http://msdn.microsoft.com/en-us/library/vstudio/system.diagnostics.eventlogentrytype . To get the names of the members, one would simply use System.Enum and its GetValues() method, like so:

PS C:\Windows\system32> [System.Enum]::GetValues([System.Diagnostics.EventLogEntryType])
Error
Warning
Information
SuccessAudit
FailureAudit

We can even use the GetValues() method on the enumeration type itself:

PS C:\Windows\system32> [System.Diagnostics.EventLogEntryType]::GetValues([System.Diagnostics.EventLogEntryType])
Error
Warning
Information
SuccessAudit
FailureAudit
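Going a step further than listing the names, the following added example (my own code, not from the post) turns any .NET enumeration into a name/value table and resolves a member from either its name or its underlying number, which is what you need when an event log or an API hands you the numeric form. It uses the post's System.Diagnostics.EventLogEntryType in the usage lines; the function name is my own.

```powershell
# Added example (not from the post): turn any .NET enum into a name/value
# table and resolve a member either by name or by number, which is handy
# when an event log or API hands you the numeric form. The function name
# is my own; System.Diagnostics.EventLogEntryType is the enum from the post.
function Get-EnumMember {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateScript({ $_.IsEnum })]   # reject types that are not enumerations
        [type]$EnumType,
        # Optional: a name (string) or a number to resolve to one member
        [object]$Value
    )
    if ($PSBoundParameters.ContainsKey('Value')) {
        # -as returns $null instead of throwing when the name/number cannot convert;
        # IsDefined additionally rejects numbers that convert but match no member
        $member = $Value -as $EnumType
        if ($null -eq $member -or -not [Enum]::IsDefined($EnumType, $member)) {
            throw "'$Value' is not a member of $($EnumType.FullName)"
        }
        $values = @($member)
    } else {
        $values = [Enum]::GetValues($EnumType)
    }
    foreach ($v in $values) {
        [PSCustomObject]@{
            Name  = $v.ToString()
            Value = [int]$v      # the underlying integer .NET stores for the member
        }
    }
}

# Usage with the enumeration from the post
Get-EnumMember ([System.Diagnostics.EventLogEntryType])                  # full table
Get-EnumMember ([System.Diagnostics.EventLogEntryType]) -Value 16        # FailureAudit
Get-EnumMember ([System.Diagnostics.EventLogEntryType]) -Value 'Warning' # Warning = 2
```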

Review of Rogue Code by Mark Russinovich

This is the third book in what is now called the Jeff Aiken Series that Mark has written; the previous ones were Zero Day and Trojan Horse. Mark works for Microsoft as a Technical Fellow in the Cloud and Enterprise Division. In the technical and security world he is known to most as the author of the Sysinternals tools that many sysadmins and security professionals use on a daily basis in their work. He is also known for his Windows Internals series of books from Microsoft Press.


Why I hate the "I can't" phrase

Let me share some personal details about my life so you can have a bit of context on why I hate the "Can't do" phrase. When I was born in the late 70s my umbilical cord was wrapped around my neck several times, cutting oxygen from my brain. After hours of labor the Dr decided to do a C-section and discovered what was happening; I was already cyanotic and had suffered some brain damage. As I grew older it was evident I was not learning as fast as other kids in school; the part of my brain that helps me concentrate was affected, and learning something took twice the effort and time for me than for the other kids. It still takes me a while, and re-reading something several times, to get it to sink in.

Thankfully I have a mother that never gave up and did not take the advice from the Drs, and kept me in a regular school. Every day she could, she would sit down with me, remove all distractions from the area as much as she could, and we would go through the lessons of the day several times over; she would make me re-write the notes and recite them, and when I fought it a leather belt came into play to get me back on track (she feels like she mistreated me by spanking me, but without it I would not be where I am today). I suffered from leukemia as a child and had to be in a hospital for a long time getting chemotherapy, and my parents were always there through it, supporting me, making my days fun and making sure I read and rehearsed my school fundamentals.
She made sure I participated in all the sports, activities and organizations she could find and made me stick with them. Being from a military family where several of the males on my father's side served, I had a fascination with it, so my father let me subscribe to the Military Book Club. I bought 2 books each month that I would pay for by doing extra chores around the house, and I would read them again and again until I had the whole picture; that fed my appetite for learning. As I grew, her lessons and fundamentals have stuck with me, especially the part about not giving up and the hard lesson that without action there is no reward.

To this day a lot of my life is like someone having control of a TV remote and changing the channel constantly, with new pictures appearing in front of my eyes; my mind wanders and starts thinking of a lot of things other than what I have in front of me, and requires me to refocus again. It is a constant battle that I have learned to manage and control. So when I see a person tell me "I can't", "It is too difficult" or anything like it, it makes me angry. The main reason it makes me angry is that they are not spent at the end of a day from keeping their attention and focus on track, and still I have to say I'm proud of all I have achieved, and they, without the same problem, complain. Don't complain without trying; catch yourself and stop saying negative stuff, you are sabotaging yourself. Don't do it.

Look at it this way: if a guy like me can be decent at his profession, contribute a bit to tech communities and be happy, you can do a lot more than me.

Let me share the lessons I learned from my parents and the community:

  • Think positive.
  • Don't complain without having tackled the issue first.
  • Don't cut corners, and try to do things right.
  • Practice the basics of what you want to master constantly.
  • Teach and share with joy and not for ego.
  • Get out of your comfort zone and push yourself.

So don't sabotage yourself.