By kind invite of the organising committee I had the pleasure of presenting at the CITC 2025 conference at the RAF Museum Hendon. Shaking things up even more from last year I not only presented from a GitHub repo but also managed to convince screen recording on my iPad mini to work to capture the slides. I’ve had to exclude the Q&A section from this recording to maintain confidentiality but I hope everyone enjoys the presentation contents.
GitHub repo: https://github.com/jamesfed/LoggingForDisaster/
In having a play with a general purpose way to get CSVs and other log data into Graylog with PowerShell I’ve been converting the files contents into JSON to then import over RAW HTTP – hardly the most speedy way but as a proof of concept it works.
However, after configuring a JSON extractor (System > Inputs > (your input) > Manage extractors), I was finding that many fields were just ‘missing’ in the message stream, in importing data from Windows Defender EDR just the Sha256 and Sha1 fields were present but with everything else seemingly skipped over.
The solution was simple – although the ‘Try’ function in Graylog displays a full set of expected fields this feature appears ever so slightly bugged in that it permits the use of whitespace characters in the key extraction example but then without ticking the ‘Replace whitespace in keys’ box it then doesn’t extract those keys with whitespaces in actual use.
Simply put – tick that ‘Replace whitespace in keys’ box, enter your chosen replacement and you’ll be good to go.
In investigating issues with users on GlobalProtect VPN not being able to connect to Citrix VDA servers I bumped into this forum post. In investigating I first disabled the Packet Based Attack Protection > IP Drop > Fragmented traffic at Network > Network Profiles > Zone Protection > Profiles for GlobalProtect and the zone hosting the Citrix application.
While this didn’t solve the issue performing a packet capture of the client attempting to connect to the host did now populate the ‘drop’ capture with Fragmented IP protocol traffic as shown in the screenshot below.
This confirmed that the issue was MTU related and backed up the mention in the forum post about changing the MTU size in the ICA file that is pushed to the client.
Following this article How to configure MSS when using EDT on networks with non-standard MTU with the MTU set to 1384 allowed the connection to go through as expected, the IP Drop for Fragmented traffic was re-enabled and the client continued to be able to connect as expected.
Something new for this year’s presentation at CITC, instead of your classic PowerPoint slides I’ve produced a GitHub repo with the intent on building out the knowledge and ideas presented overtime.
GitHub repo: https://github.com/jamesfed/0DayMitigations/
An interesting issue that was discovered after deploying security certificates for Remote Desktop Authentication into the TPM of desktop computers and some (physical) servers, after go live with the security certificate clients could no longer connect with the error below being displayed in the Remote Desktop Services log on the server.
The server security layer detected an error (0x80090304) in the protocol stream and the client (Client IP: <IP ADDRESS>) has been disconnected.
After chasing many red herrings around cryptography, schannel implementation, and the likes the root cause seems to be an issue with the storage within the TPM itself – as a workaround the certificate can be stored in the ‘traditional manner’ instead. An ideal fix would probably involve a firmware upgrade on the TPM.
After how woefully lacking in detail for the novice in OS 10 switches the Dell documentation is below is a little snippet that can be used to configure your switches with what appears to be enough permission for PRTG (or a similar SNMP monitoring system) to keep an eye on them.
After entering configuration mode a readonly view with a base OID is set (I’d be grateful for some feedback on this!), then a group (prtg) is created to contain the user and defines readonly permissions, finally a user (prtguser) is created, assigned to the group (prtg) and the relevant password and privacy encryption strings set.
configure snmp-server view readonly 1.3.6.1.2.1 included snmp-server group prtg 3 priv read readonly snmp-server user prtguser prtg 3 auth sha LONGANDSTRONGAUTH priv aes LoNGANDSTRONGPRIV exit write memory
Logs from the FreeIPA server can be used with the Syslog receiver function of a PAN NGFW to send username to IP address mappings into User-ID and in turn be used to create policies based on the users identity. To extract the data from the logs you will need the parser shown below.
I could only find a log that matched up with a login (nothing for a logout) and it’s worth a mention that you may need to exclude some servers (like mail servers and file servers) from User-ID as you will see multiple logins from multiple users over a very short period of time.
In recently deploying the Captive Portal feature of a Palo Alto Networks Next Generation Firewall (NGFW) in testing we were finding Apple Macs take 120+ seconds to load the sign-in page. First thoughts jumped to the Apple Captive Network Assistance (CNA) feature not functioning correctly however this appeared to be a dead end. Some time and a few packet captures later showed that the Mac wasn’t even trying to reach out to the Captive Portal in a timely manner, after much head scratching the customer I was working with suggested that their Sophos Endpoint agent (Intercept X) might be the cause of this problem.
Disabling the agent didn’t seem to resolve the issue however uninstalling it did – the Captive Portal page appeared nearly instantly. In reviewing the packet captures again it was clear the Sophos agent was trying to reach out to a reputation service which was being blocked by the authentication profile on the firewall, it just took a really long time for the agent to stop trying and allow access to the Captive Portal.
To work around this issue the domains listed in the link below were added to an authentication bypass policy on the NGFW, with this in place the Captive Portal loaded promptly. If anything it makes sense to allow unauthenticated access to such services (including Windows Update and the likes) to ensure a client has the ability to update itself regardless of authentication status.
This presentation covers the MITRE ATT&CK matrix and it’s application in an Oxford or Cambridge College (or indeed any intuition) to gain increased awareness of exposure to cyber attacks and what can be done about them. Note, it looks like OBS captured the audio from the videos that wasn’t played back to the audience – sorry for talking over them!
My thanks to the CITC committee for the invite to return and present and I’m looking forwards to seeing everyone again in 2024!
CITC 2023 Presentation (3.9 MiB, 8,247 hits)
When setting up Passwordless security key sign-in Windows and attempting to sign-in to the first machine you have setup (although it could be any machine!) you may encounter the error:
Your credentials couldn’t be verified. (code: 0x000006d, 0x0)
This error message appears even though you can sign-in with the key to AzureAD and other web services.
The cause is likely to be the account you are testing with is a member of the Domain Admins (or a similar) privileged security group, I keep bumping into this one but can’t find the source article where I first read this. If I manage to find the article I’ll post a link!
UPDATE 31/01/2024: It appears there is a way to overcome this issue with a modification of Active Directory objects described at: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-faqs#fido2-security-key-sign-in-isnt-working-for-my-domain-admin-or-other-high-privilege-accounts-why
Has this page helped you? Was it worth the cost of a Coffee? If so click here to donate £4.00 to the myworldofit.net coffee fund via PayPal.