Posts

Add Users to an Active Directory Group with PowerShell and remove them from the old group

Moving a large number of users from one AD group to another can easily be done with PowerShell. First create a .txt file containing all the users you want to remove from the old AD group and add to the new one. I called it "userslist.txt" and placed it under C:\Users\etc. Replace the path and the two group names with your own:

    Import-Module ActiveDirectory

    # One user identity (e.g. sAMAccountName) per line
    $users = Get-Content C:\YOUR_PATH\userslist.txt

    # Resolve each name to an AD user object; Get-ADUser throws for names that do not exist
    $userId = @()
    foreach ($user in $users) { $userId += Get-ADUser $user }

    # AD group binding
    $oldGroup = Get-ADGroup 'YOUR_OLD_GROUP_NAME'
    $newGroup = Get-ADGroup 'YOUR_NEW_GROUP_NAME'

    foreach ($user in $userId) {
        Remove-ADGroupMember -Identity $oldGroup -Members $user -Confirm:$false
        Add-ADGroupMember -Identity $newGroup -Members $user -Confirm:$false
    }

Note that the removal runs before the add, so if Add-ADGroupMember fails for a user (or the script is interrupted), that user is temporarily in neither group. Do a dry run with -WhatIf on both cmdlets first, or swap the two lines so the new membership is added before the old one is removed.

Wrong language in "devices and drives"

One of our customers had the wrong language in his published explorer.exe: the whole Explorer window was in English except "Devices and drives", which was shown in another language. His environment was deployed via MCS on Citrix 1912 LTSR. The master image, the server and the customer's devices were all set to English. After checking the master image, I made the following change to get it working: under Control Panel\All Control Panel Items\Language\Advanced settings, open "Copy settings". The settings highlighted in the original screenshots were set to German instead of English there. After copying the English settings with the checkboxes ticked, everything was in English, and after rolling out the master image again everything was as expected.

How to activate logging for Citrix Exploit 1 and 2

Daniel Weppeler posted a link on how to enable NetScaler logging for CVE-2019-19781 exploit attempts 1 and 2: https://twitter.com/_DanielWep/status/1217022904073801728

Create the message action (it logs the source IP, the requested URL path and the full request headers, and also writes to the newnslog):

    add audit messageaction MsgAct_CVE WARNING "\"CVE Attack from IP \"+CLIENT.IP.SRC+\" - URL: \"+HTTP.REQ.URL.PATH.HTTP_URL_SAFE+\" (headers: \"+HTTP.REQ.FULL_HEADER.HTTP_HEADER_SAFE+\")\"" -logtoNewnslog YES

Enable user-defined audit logging for syslog and nslog:

    set audit syslogParams -logLevel ALL -userDefinedAuditlog YES
    set audit nslogParams -logLevel ALL -userDefinedAuditlog YES

Bind the message action to the CVE responder policy (replace ResPol_Fix_CVE-2019-19781 with the name of your own responder policy):

    set responder policy ResPol_Fix_CVE-2019-19781 -logAction MsgAct_CVE

How to check if your NetScaler is affected by CVE-2019-19781: Citrix Exploit 1 and 2

You can check whether your NetScaler is affected by CVE-2019-19781 with the following commands.

Indicators of compromise

To get an idea whether your Citrix ADC is compromised, I'd recommend performing (at least!) the following steps.

Template files

The exploits all write files to two different directories. Scan those via:

    shell ls /netscaler/portal/templates/*.xml
    shell ls /var/tmp/netscaler/portal/templates
    shell ls /var/vpn/bookmark/*.xml

If you find files similar to the following, you are likely compromised.

Apache log files

In addition, attempts to exploit the system leave traces in the Apache httpaccess log files. Those you can validate via:

    shell grep vpns /var/log/httpaccess.log | grep xml
    shell grep "/\.\./" /var/log/httpaccess.log
    shell gzcat /var/log/httpaccess.log.*.gz | grep vpns | grep xml
    shell gzcat /var/log/httpaccess.log.*.gz | grep "/\.\./"

The following output is found on a system that was exploited: Howev...

Additional NetScaler Vulnerability to CVE-2019-19781: Citrix Exploit 2

Information from Citrix Technology Professional Matthias Schlimm:

Hello everybody,

An additional vulnerability was found in 2 HTTP headers today, following CVE-2019-19781 from December 2019, i.e. all systems that have already gone through the "Mitigation Steps" from article https://support.citrix.com/article/CTX267679 cannot avoid making another change. Unfortunately, there is currently no official blog or supplement from Citrix available, so I can only share what I have received from Citrix sources here:

--snip ---

There is a new attack against the CVE, it seems like it can exploit using 2 headers. You can read more about it here: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/

I've updated my responder policy expression with:

    HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/vpns/") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/../")) || http.req.hea...
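The two posts above check the same thing from two sides: the responder policy blocks requests whose URL-decoded path contains "/vpns/" together with "/../", and the log check greps httpaccess.log for "vpns"/"xml" and "/../". The following added example (my own code, not from either post or from Matthias Schlimm's message) runs those checks offline over Apache-style access-log lines, but only after URL-decoding the path, mirroring DECODE_USING_TEXT_MODE. That matters because a plain grep for "/../" does not see percent-encoded traversal such as "%2e%2e". The log lines, IPs and request paths are constructed for the example; the session condition (CLIENT.SSLVPN.IS_SSLVPN) and the truncated header part of the expression cannot be evaluated from a log file and are not modelled.

```python
"""Offline scan of httpaccess.log-style lines for CVE-2019-19781 request
patterns (added example; not code from the posts above).

Checks, applied to the URL-decoded request path:
  "/vpns/" together with "/../"  -> the responder-policy condition
  "/vpns/" together with ".xml"  -> the 'grep vpns | grep xml' log check
"""
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic) in the combined-log shape of
# /var/log/httpaccess.log; the file names are illustrative placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
203.0.113.7 - - [11/Jan/2020:10:02:17 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 83
203.0.113.7 - - [11/Jan/2020:10:02:18 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 0
198.51.100.9 - - [11/Jan/2020:10:03:40 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/example.pl HTTP/1.1" 200 0
198.51.100.9 - - [11/Jan/2020:10:03:41 +0000] "GET /vpn/../vpns/portal/example.xml HTTP/1.1" 200 51
10.0.0.8 - - [11/Jan/2020:10:04:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(raw_path, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded traversal is caught too."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(decoded_path):
    """Tags for a decoded request path, following the checks in the posts above."""
    tags = set()
    if "/vpns/" in decoded_path:
        if "/../" in decoded_path:
            tags.add("vpns_traversal")      # responder-policy condition
        if ".xml" in decoded_path.lower():
            tags.add("vpns_template_xml")   # 'grep vpns | grep xml' check
    return tags


def scan(log_text):
    """One finding per suspicious line: ip, method, raw and decoded path, tags."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_path(rec["path"])
        tags = classify(decoded)
        if tags:
            findings.append({
                "ip": rec["ip"], "method": rec["method"],
                "raw_path": rec["path"], "decoded_path": decoded,
                "tags": sorted(tags),
            })
    return findings


def naive_traversal_count(log_text):
    """What a literal grep for "/../" on the raw log would see (no decoding)."""
    return sum(1 for line in log_text.splitlines() if "/../" in line)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:>14} {f['method']:<4} {f['decoded_path']}  {f['tags']}")
    print("literal grep would flag", naive_traversal_count(SAMPLE_LOG), "lines")
```

On the sample, the decoded scan flags four requests while a literal grep for "/../" flags only three, because the "%2e%2e" line is missed. Run it against a copy of /var/log/httpaccess.log (and the gzcat output of the rotated files) taken off the appliance; keep the hostnames and paths of any hits for the timeline, and treat any hit on the ".xml" check as a reason to inspect the template directories listed in the previous post.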