The problem? Those leftover admin rights don’t go away on their own. Over time, they quietly pile up and turn into a serious security risk, which most monitoring tools never bother to check. If you don’t know who’s in the local Administrators group, you’re basically trusting luck.

In this guide, I’ll walk you trough how to use Intune and Log Analytics to get a clear, reliable report of who actually has local admin access on every device in your environment.

Solution Overview

We use a proactive approach to ensure no local admins stay hidden:

1. Detection: A PowerShell script runs daily on every machine to query the administrators group.
2. Ingestion: Data is sent to a custom table in our Log Analytics Workspace.
3. Analysis: KQL queries filter out authorized local administrator accounts to highlight outliers.

1. The PowerShell Collection Script

This script gathers members of the local admin group and sends the data to Azure. By running this via Intune, we get a fresh snapshot of the local admins on each PC every 24 hours.

Prerequisite 1: Get the $CustomerID from the log analytics workspace Overview tab.

Prerequisite 2: To get the $SharedKey, use this AZ CLI query.

az monitor log-analytics workspace get-shared-keys \
   --resource-group xxxxx \
   --workspace-name xxxxxx \
   --query "primarySharedKey"

# --------------------------------------------------------------------------
# PowerShell Script: Send Local Administrator Group Members to Log Analytics
# --------------------------------------------------------------------------

# ======================
# 1. Configuration
# ======================
$CustomerID = "<your-customer-id>"
$SharedKey  = "<your-shared-key>"
$LogType    = "LocalAdminReport"

# ======================
# 2. Data Collection
# ======================
$DeviceName = $env:COMPUTERNAME

try {
    $AdminMembers = Get-LocalGroupMember -Group "Administrators"
} catch {
    Write-Error "Error retrieving local group members: $($_.Exception.Message)"
    exit 1
}

$DataToSend = @()
foreach ($Member in $AdminMembers) {
    $MemberName = $Member.Name
    $MemberSource = $Member.PrincipalSource
    if (-not [string]::IsNullOrEmpty($MemberName)) {
        $DataToSend += [PSCustomObject]@{
            DeviceName = $DeviceName
            AdminName  = $MemberName
            PrincipalSource = $MemberSource
            TimeGenerated = (Get-Date -Format s)
        }
    }
}

if ($DataToSend.Count -eq 0) {
    Write-Host "No members found in the Administrators group. Skipping log submission."
    exit 0
}

$JsonPayload = $DataToSend | ConvertTo-Json -Depth 5

# ======================
# 3. Build Request and Signature
# ======================
$Bytes         = [System.Text.Encoding]::UTF8.GetBytes($JsonPayload)
$ContentLength = $Bytes.Length
$APIVersion    = "2016-04-01"
$Date          = (Get-Date).ToUniversalTime().ToString("r")
$ResourcePath  = "/api/logs"

# Build the string for signature (see MS Docs)
$SignatureString = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n$ResourcePath"

# Decode Shared Key and calculate signature
try {
    $KeyBytes   = [Convert]::FromBase64String($SharedKey)
    $HMACSHA256 = New-Object System.Security.Cryptography.HMACSHA256
    $HMACSHA256.Key = $KeyBytes
    $Hash = $HMACSHA256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($SignatureString))
    $Signature = [Convert]::ToBase64String($Hash)
} catch {
    Write-Error "Failed to create signature: $($_.Exception.Message)"
    exit 1
}

$Authorization = "SharedKey ${CustomerId}:$Signature"
$URI = "https://$CustomerID.ods.opinsights.azure.com/api/logs?api-version=$APIVersion"

# ======================
# 4. Send Data
# ======================
$Headers = @{
    "Authorization"        = $Authorization
    "x-ms-date"            = $Date
    "Content-Type"         = "application/json"
    "Log-Type"             = $LogType
    "x-ms-log-type"        = $LogType
    "time-generated-field" = "TimeGenerated"
}

try {
    Write-Host "Sending data to Log Analytics ($LogType)..."
    Write-Host "Target URI: $URI"
    $Response = Invoke-RestMethod -Uri $URI -Method Post -Headers $Headers -Body $JsonPayload
    Write-Host "Successfully sent log data."
} catch {
    Write-Error "Failed to send log data. Error: $($_.Exception.Message)"
    if ($_.Exception.Response) {
        try {
            $Reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $Details = $Reader.ReadToEnd()
            Write-Error "Azure Response: $Details"
        } catch { }
    }
    exit 1
}

exit 0

2. Running the Script Daily via Intune

To force the check daily, we deploy an Intune remediation script.

1. Go to https://intune.microsoft.com.
2. Navigate to Devices > Scripts and remediations > Create.
3. Enter the above script as the Detection Script and leave the Remediation Script empty.

3. Analyzing the Local Administrator Report

Once the data is in our log analytics workspace, we use Kusto (KQL) to audit the results. The goal is to separate legitimate domain accounts from unauthorized user accounts that still have the local admin right.

Compliance Summary

This query counts the number of devices where a user is in the administrators group but does not have “admin” in their name (filtering out the built-in administrator and domain admins).

let allDevices = LocalAdminReport_CL | summarize by DeviceName_s;
let offenderDevices = LocalAdminReport_CL
    | where isnotempty(AdminName_s)
    | where AdminName_s !contains "Admin"
    | summarize by DeviceName_s;
let totalOffenders = offenderDevices 
    | summarize Count = count() 
    | extend Category = "Devices with Local Admin Access";
let compliantDevices = (allDevices
    | join kind=leftanti offenderDevices on DeviceName_s
    | summarize Count = count()
    | extend Category = "Compliant Devices"
);
totalOffenders
| union compliantDevices
| project Category, Count
| order by Category asc

Detailed Account Audit

Use this query to select and list every specific account that has been granted local admin permissions in the last 90 days across your computer fleet.

LocalAdminReport_CL
| where TimeGenerated > ago(90d)
| where isnotempty(AdminName_s)
| where AdminName_s !contains "Admin"
| summarize LatestSeen = max(TimeGenerated) by DeviceName_s, AdminName_s
| order by DeviceName_s asc

Implementation Tips

• Intune Deployment: Set the script to run daily using Devices > Remediations. This ensures that if a user is added and then removed, your logs stay accurate.
• Filtering: Adjust the !contains "Admin" logic if your organization uses a different naming standard for authorized admin accounts.
• Workbook Visuals: In Azure Workbooks, use the “Pie Chart” renderer for the first query to get an immediate view of your environment’s health.

Summary

Good security isn’t about saying “no” to everything. It’s about knowing what’s actually happening in your environment. With this script and report in place, you get a clear audit trail that shows exactly when someone is added as a local administrator. That way, “temporary” access doesn’t quietly turn into a permanent problem, and you stay in control instead of playing cleanup later.

The post Local Admin Report with Intune and Log Analytics appeared first on Cyberillo.

This guide’s got you covered. We’ll go through the steps of capturing a customized Windows image, as well as the most common issues you’ll encounter.

1. Get Your Windows 11 Ready

To start, you’ll need a Windows 11 ISO.

• If you’re working with volume licensing, grab your Windows 11 Enterprise ISO from the Microsoft 365 Admin Center.
• If not, you can download the Windows 11 ISO from here.

2. Set Up Your Build Environment

We’ll be building this image inside a virtual machine. So, enable the Hyper-V feature on your workstation.

• Navigate to the control panel and select Programs > Turns Windows features on or off.
• Tick the Hyper-V feature and click on OK.

You’ll need to restart your PC for the Hyper-V feature to be installed.

N.B. You also need to have virtualization enabled in your system BIOS to use Hyper-V, VMWare, VirtualBox, etc.

After restarting your workstation, create your new virtual machine in Hyper-V and make sure TPM is turned on… Windows 11 insists on it.

3. Install Windows and Your Essential Apps

Now, install Windows 11 as you normally would within your virtual machine. Then, add all the software you want pre-installed in your custom Windows Image.

N.B. If you want to make any AppData changes to all user profiles that will be using the customized Windows installation, apply the changes to C:\Users\Default\AppData\Roaming.

After getting all your core applications installed, take a moment to tidy up. Uninstall any bloatware you don’t need, like Xbox or Solitaire.

4. Generalize Your Windows Installation with Sysprep

Sysprep is the tool that prepares our Windows setup for capturing. It essentially makes the installation generic, so it can be deployed on different machines.

• Open Command Prompt as an Administrator.
• Change directory to Sysprep: cd C:\Windows\System32\Sysprep
• Run the Sysprep command: sysprep.exe /oobe /generalize /shutdown

You might hit a snag if your OS drive is encrypted… This is typical on Windows 11 installations. If Sysprep throws an error, check the log file; it will likely point to the encryption.

To fix this, turn off BitLocker by running this command in CMD: manage-bde -off C:

You’ll see a message that decryption is underway. You can keep an eye on its progress with: manage-bde -status

Once your OS drive is fully decrypted, give that Sysprep command another go.

Another common hiccup happens if one of the Windows Store apps is installed for one user but not set up for all users. The Sysprep log will clue you in on which app is causing the trouble.

To remove it, open an elevated PowerShell session and type:

Remove-AppxPackage -Package <<packagenamegoeshere>>

You might need to repeat this for a couple of apps until Sysprep runs through without a hitch.

5. Capture Your Master Image

After Sysprep works its magic and shuts down the virtual machine, it’s time to capture our customized image.

• Attach an empty VHD to your virtual machine.
• Boot up your VM using Hiren’s Boot CD or a WinPE environment.
• In the boot environment, make sure your Windows installation is mounted as C:\ and your empty VHD as E:\.
• Now, capture your image and save it to E:\ with this DISM command:

DISM /capture-image /imagefile:E:\install.wim /capturedir:C:\ /name:"Win11" /compress:fast

6. Personalize Your Windows 11 ISO

Now that you have your install.wim file, you’ll integrate it into a Windows 11 ISO. Using a tool like AnyBurn, open the ISO, navigate to the sources folder, remove the original install.wim, and drop in your newly captured install.wim file.

7. Create a Bootable USB

Last but not least, we need to make a bootable USB stick from our new custom ISO. Grab Rufus (or your preferred tool). Select your USB stick (double-check you don’t have anything important on it, as it will be wiped), pick your custom ISO, and hit start.

A Quick Note on Windows 11 24H2

Heads up! When using Windows 11 24H2 as my base ISO, I bumped into the below installation error, which seems to be related to the new Windows setup interface.

As a workaround, you can either use Windows 11 23H2 as your base ISO or select Previous Version of Setup during the installation wizard.

That’s it! I hope you found this guide helpful. Feel free to reach out if you need any help setting up your custom Windows image. I’m always happy to help!

The post How to Create a Windows Image for Deployment appeared first on Cyberillo.

Chill! Read this guide – you’ll be back in your ESXi host in no time. Well, maybe a few hours – no more than a day – promise .

The Problem

Just to state the obvious… The problem here is that we can’t get into the root account on our ESXi host. In addition:

• We have no other administrator accounts
• The ESXi host is a standalone and is not managed through vCenter
• We have no SSH key pair with which to access the server

N.B. The host in question had ESXi 7.0.3 installed – This probably works for other versions as well. Furthermore, it seems that earlier versions of ESXi were less secure, so the option mentioned in the What doesn’t work section below could work in earlier versions.

Broadcom, you’re not helpful

The official answer from Broadcom is that…

If the host is standalone and not managed by vCenter, then re-installing ESXi is the only option.

LIEESSSSSS!

What a lame reply. I’ll admit, what I’m about to show you is a very shady way to get back into your ESXi host, hackish, to say the least – but if it works, it works.

What doesn’t work

Stop! If you’re in a rush – which I assume you are – skip this section altogether. You’re not getting into your host by reading it. It’s just me venting .

There are quite a few guides on the interwebs, claiming that just like with any other Linux distro, you can

1. Create a bootable Linux ISO – Ubuntu, Arch – you name it
2. Mount the ESXi OS partition in a temporary directory – sudo mount /dev/sda5 /mnt/sda5
3. Find state.tgz and extract it – tar -xzf /mnt/sda5/state.tgz -C /tempstate
4. From the extracted contents, extract local.tgz as well – tar -xzf /tempstate/local.tgz -C /templocal
5. Edit the shadow file from the extracted local.tgz to delete the hash for the root account – vi /templocal/etc/shadow
6. Pack the shadow file in the local.tgz and then into state.tgz, move the state.tgz back into /mnt/sda5 to replace the old one
7. Unmount the ESXi OS partition, reboot
8. Voila! You got the root account with a blank password

Right? Nope

This may have worked for earlier versions of ESXi, but save your time and don’t even try for ESXi 7.0.3.

Why doesn’t it work?

For starters, trying to mount the OS partition on a bootable Linux ISO will fail. This isn’t any regular ext4 partition. No, no. This is vmfs.

Okay, no worries there’s the vmfs-tools package, which can mount vmfs partitions. One problem, it doesn’t come pre-installed on your typical Linux install media. And no, I didn’t have an internet connection in my case. So I couldn’t just install it from the repos.

Doesn’t matter – I created a Linux installation media (based on Linux Mint) with vmfs-tools preinstalled. I used Cubic. I won’t get into the details, but it’s a pretty easy to use tool. Anyways, around one (or two) hours later, I got my installation media with vmfs-tools preinstalled and to no surprise – vmfs: unsupported version 6. You wouldn’t believe it! vmfs-tools currently supports up to vmfs version 5, so if you’re trying to mount a partition formatted with vmfs 6 (which is used by newer versions of VMware ESXi), it won’t work.

No worries, I thought (being overly optimistic and all), I’ll re-create the bootable Linux media with vmfs6-tools installed. Surely, that would do it. Oh how I hoped .

How wrong I was! Reading the vmstorage and datastore partitions worked with the vmfs6-tools installed, but there was no getting to the precious state.tgz. I kept getting the error fsinfo invalid magic number 0x2fabf15f. Not only that, I read about the vmfs6-tools package and found that “Only read access is available at the moment, but write access is under works. Multiple extents are supported.” So, even if somehow I managed to access the state.tgz from my bootable Linux media, I was surely not going to replace it with the modified one.

I’ll be honest, optimistic as I usually am, this was still a battle I had considered lost. Worst part of it all? I had strung along 5 friends on this wild good chase. After looking like an absolute fool getting locked out of the ESXi host in the first place, I had wasted 6 hours of their day trying to get back in, as they offered their ideas, research, solutions, and moral support.

I won’t even get into the part where I tried to insert the raided OS disks into another ESXi host .

Let’s get on to the solution…

The Solution

When all hope was almost lost, we came across this gold mine of an article on Mwyann’s Weblog. Damn you Google for not putting this in my face sooner!

In a nutshell, what this fellow did, and what we copied… and essentially, what I’m showing you here is:

1. Install ESXi on another server (or virtual machine).
2. Use the ESXi installation media to boot on the original host (the one you’re locked out of).
3. Go to the BOOTBANK volume and extract the state.tgz. This is encrypted.
4. Copy the encryption.info and the local.tgz.ve files to a USB.
5. Go to the new ESXi host and extract state.tgz from the BOOTBANK.
6. Decrypt state.tgz and replace the encryption.info file with the encryption.info file from the original host.
7. Repack the state.tgz and copy it to the BOOTBANK and reboot. This will trick the new host into using the encryption key from the original host.
8. Decrypt the local.tgz.ve of the original host from the new host. This is possible since it now has the original host’s encryption key.
9. Generate a public/private key pair to SSH into the locked out server.
10. Add the public key to the authorized_keys file under the /etc/ssh/keys-root folder (from local.tgz).
11. Add /etc/rc.local.d/local.sh containing a command to start the SSH service on ESXi boot.
12. Repack the local.tgz and state.tgz and transfer to the original host via USB.
13. Connect to the original host via SSH through the private key.
14. Reset the root password .

1. Install ESXi on another server

Just create a bootable USB for this – You can use Rufus, but I personally prefer Ventoy. Note that you may need to disable secure boot on your server (or enroll the MOK to the list of trusted keys).

I had a tough time finding the ESXi ISO from Broadcom’s site. So I’ll save you the hassle – God bless the Internet Archive !

2. Access the locked host through the ESXi installation media

Boot your original host (the one you’re locked out of) using the ESXi installation media you created in the previous step. At the ESXi installation screen hit Alt + F1 to enter into a shell. Enter username root and hit enter when prompted for the password. It’s blank.

When you list the volumes (ls /vmfs/volumes) you’ll see your BOOTBANK1, BOOTBANK2, OSDATA_xxxxx, datastore1 – plus some additional volumes you may have created. That’s right you can view the volumes from the old host when you boot on it with an ESXi installation media.

In our case, we only had to work on BOOTBANK1, but you might need to repeat this procedure on both bootbanks if they were both being used in your case. For simplicity, I will continue the rest of the guide with BOOTBANK1.

3. Extract state.tgz from the locked host

mkdir /mylosthost
tar xzf /vmfs/volumes/BOOTBANK1/state.tgz -C /mylosthost
ls /mylosthost

You’ll see that when extracting the state.tgz from the BOOTBANK we don’t get the expected local.tgz, but rather an encrypted local.tgz.ve together with an encryption.info file.

You would typically decrypt the local.tgz.ve using the below command, but since we’re booted from the ESXi installation media, we won’t be able to decrypt it.

crypto-util envelope extract --aad ESXConfiguration local.tgz.ve local.tgz

So, the solution is to trick the new host to use the encryption.info from the locked host such that it’s able to decrypt the local.tgz.ve file.

4. Copy local.tgz.ve and encryption.info to USB

Okay, so insert a USB drive into the locked out host. Format it as FAT32 not NTFS – ESXi is more friendly with FAT. You should be able to see it in the list of volumes (ls /vmfs/volumes).

Copy the encryption.info and local.tgz.ve files to the USB drive. Remember we have them in a temporary directory we created /mylocalhost.

cp -r /mylosthost /vmfs/volumes/MYUSBDRIVE/mylosthost

5. Extract state.tgz from the new ESXi host

cp -r /vmfs/volumes/MYUSBDRIVE/mylosthost /vmfs/volumes/BOOTBANK1/mylosthost

Boot up the new ESXi host and hit F2 to customize the system. Enter the password you set during the installation and then go to Troubleshooting Options. From here, you can enable shell access.

Then, hit Alt + F1 to open up a shell. Logon with the root account and navigate to the bootbank via either /vmfs/volumes/BOOTBANK1 or /bootbank. We need to extract its state.tgz file.

mkdir /mynewhost
tar xzf /vmfs/volumes/BOOTBANK1/state.tgz -C /mynewhost
ls /mynewhost

You see the encryption.info and local.tgz.ve files. Differently from step 3, we can decrypt the local.tgz.ve file because we’re logged in to our host properly (not from the bootable installation media).

6. Decrypt state.tgz and replace encryption.info

Okay, now decrypt the local.tgz.ve file to get the local.tgz file. Then, delete the local.tgz.ve file and encryption.info files and copy the encryption.info file from the locked host (remember that we transferred it to this host via USB in the previous bonus step).

cd /mynewhost
crypto-util envelope extract --aad ESXConfiguration local.tgz.ve local.tgz
rm -f local.tgz.ve
rm -f encryption.info
cp /vmfs/volumes/BOOTBANK1/mylosthost/encryption.info /mynewhost/encryption.info
ls /mynewhost

In the /mynewhost directory you should now have a local.tgz file (from the new host) and the encryption.info file (from the old host).

7. Trick the new host to use the locked host’s encryption key

This part is very important, so please pay close attention to the next steps.

At this step of the process, we’re booted on the new host. The next step is to trick it to use the locked host’s encryption key, but we cannot do this while booted into it, we have to be booted via the ESXi installation media.

Trust me, don’t try to do it, because the state will be overwritten on reboot and it won’t work.

But if we shut off now, we won’t be able to access the /mynewhost directory from the ESXi installation media. So, let’s copy this folder to the BOOTBANK1 volume which will still be accessible while booted from the installation media.

cp -r /mynewhost /vmfs/volumes/BOOTBANK1/mynewhost

Okay, now we’ll restart the new host, boot up from the ESXi installation media, and open up a shell with Alt + F1. As before, we’ll login with username root and a blank password.

As you recall from the previous step, in the /vmfs/volumes/BOOTBANK1/mynewhost directory you should now have a local.tgz file (from the new host) and the encryption.info file (from the old host).

Let’s pack them back into state.tgz and replace the new host’s state.tgz with this new updated state (that uses the original host’s encryption.info file)

rm -f /vmfs/volumes/BOOTBANK1/state.tgz
cd /vmfs/volumes/BOOTBANK1/mynewhost
tar czf /vmfs/volumes/BOOTBANK1/state.tgz encryption.info local.tgz

Now that the state.tgz of the new host has been replaced, we can reboot into the new ESXi. Now the new host is using the original host’s encryption key so we’ll be able to decrypt the local.tgz.ve file that we copied over from the locked host via USB.

8. Decrypt the locked host’s local.tgz.ve

Back into the shell of the new host, we can navigate to the directory in which we copied the locked host’s local.tgz.ve and decrypt it. This time, it will work because we are using the old host’s encryption key on the new host.

cd /vmfs/volumes/BOOTBANK1/mylosthost
crypto-util envelope extract --aad ESXConfiguration local.tgz.ve local.tgz
tar xzf local.tgz
ls

Awesome! You can see that we extracted the etc directory (and some other directories) from the locked host’s local.tgz. Unfortunately, the shadow file is nowhere to be found in the etc directory, so this won’t be as simple as deleting the root account’s hash from the shadow file.

What we’ll do instead is create a public/private key pair and add the public key to the authorized_keys in /etc/ssh/keys-root. This will enable us to SSH into the locked host.

9. Generate public/private key pair for SSH

On a separate Linux machine generate the SSH key pair using ssh-keygen.

ssh-keygen -t rsa -b 4096

Optionally, set a passphrase on your private key… Make sure you don’t forget this one .

I also renamed the public key from mypublickey.pub to authorized_keys. This made the next step easier for me, because I could copy the file directly to /etc/ssh/keys-root (that will be packed to the state of the locked host). So your authorized_keys file should look as follows with a single public key (the one you just generated). Make sure to update the user at the end of the public key to root@thenameofyourlockedhost.

10. Add the authorized_keys file to /etc/ssh/keys-root

Copy the authorized_keys file to your FAT32 formatted USB drive and then transfer it to the new host. You might need to boot from the ESXi installation media if the USB is not visible in /vmfs/volumes.

From the USB drive, we need to copy the authorized_keys to the /etc/ssh/keys-root directory. In my case I needed to create the keys-root directory because it was not present in the /etc/ssh folder.

mkdir /vmfs/volumes/BOOTBANK1/mylosthost/etc/ssh/keys-root
cp /vmfs/volumes/MYUSBDRIVE/authorized_keys /vmfs/volumes/BOOTBANK1/mylosthost/etc/ssh/keys-root/authorized_keys

11. Add /etc/rc.local.d/local.sh to start SSH service on ESXi boot

This step could be optional for you, but if you’re not sure, follow along because it’s a small step relative to the entire process.

For added security, we prefer to keep the SSH service switched off on our ESXi hosts. With SSH disabled, it won’t be possible to access the locked host via the SSH private key we generated earlier. So what we need to do is instruct the locked host to start the SSH service as it boots up. We do this by modifying the local.sh and packing it into the state.tgz that we’ll transfer to the locked host.

So, on the new host:

mkdir /vmfs/volumes/BOOTBANK1/mylosthost/etc/rc.local.d
vi /vmfs/volumes/BOOTBANK1/mylosthost/etc/rc.local.d/local.sh

Your local.sh should look as follows:

#!/bin/sh

/etc/init.d/SSH start

exit 0

12. Transfer the modified state to the locked host

Now, that we have our public key in the authorized_keys file and the /etc/init.d/SSH start command in the local.sh file, we can repack everything and transfer the modified state to the locked host.

In my case, in addition to /etc, I had another 2 directories that were extracted from local.tgz. I made sure to repack them as well in the final tgz file, although I’m not sure if it makes a difference.

cd /vmfs/volumes/BOOTBANK1/mylosthost
tar czf /vmfs/volumes/MYUSBDRIVE/local.tgz etc dir1 dir2
tar czf /vmfs/volumes/MYUSBDRIVE/state.tgz /vmfs/volumes/MYUSBDRIVE/local.tgz

With the updated state in the USB drive, we need to reboot the locked host one last time from the ESXi installation media. Enter a shell and transfer state.tgz to the BOOTBANK.

rm -f /vmfs/volumes/BOOTBANK1/state.tgz
cp /vmfs/volumes/MYUSBDRIVE/state.tgz /vmfs/volumes/BOOTBANK1/state.tgz

Okay, we updated the state of the locked host. Time for a reboot… Hold your breath!

Remember – you may need to repeat the above steps for both BOOTBANK1 & BOOTBANK2 if they were both being used by your locked ESXi host. If your BOOTBANK2 only contains a boot.cfg file, you’re in luck it’s not being used by your locked host.

13. SSH into the locked host using the private key

If all went well, your locked host should be up and running after the reboot. The SSH service should be started as well. So, the next step is to connect to it using the private key.

ssh -i myprivatekey root@mylockedhost

At long last, you should now be logged on to your ESXi host with the root account.

You may stop holding your breath .

14. Reset root password

You’ve gotten this far. One final step is to reset the root password – don’t lose it this time!

passwd

That’s All Folks

I hope this guide has been helpful to get you back into your ESXi host. If you’re still clueless, or need help with some of the steps, feel free to reach out. I’ll be happy to help.

The post How to Reset ESXi Root Password on a Standalone Host appeared first on Cyberillo.

Microsoft’s attack simulation training module in the Security Center makes it simple to run realistic phishing tests that don’t just show you who’s at risk but help them get better. This guide breaks down how to set up a phishing campaign step by step, so you can start building a team that’s sharp and ready for whatever’s lurking in their inbox.

1. Go to https://security.microsoft.com.
2. Navigate to Email & Collaboration > Attack Simulation training > Simulations. Here you can find a list of previously created campaigns. To create a new phishing campaign, click on Launch a simulation.

3. The attack simulation training module offers various social engineering techniques to choose from, like Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, and Oauth Consent Grant. Choose the preferred technique for your phishing campaign and select Next.

4. Give a friendly name to your campaign, and optionally write a description.

5. The next step is to determine the payload that you want to deliver. As with any other phishing campaign software the attack simulator allows you to create custom payloads with personalised email text and attachments. You can do this by clicking on Tenant payloads > Create a payload. Alternatively, you may select one of the ready-made payloads designed by Microsoft from the Global payloads tab.

6. Each payload designed by Microsoft comes with a nice little metric – Predicted Compromise Rate (%). This serves as an indication of the result to expect when using the predesigned payload & login page. To preview the design of the email and login page, click on the title of the payload (not the checkbox).

7. If you’re happy with the payload and login page, move to the next step and select the target users for the campaign. You can restrict the scope to named users or groups, or target the entire organisation. I like to test the campaign on a small group first before a full rollout to the entire organisation.

8. Based on your company policy, you may require victims of the campaign to attend a phishing awareness training session. The attack simulator allows you to bake this right into the campaign. You may redirect users to a custom URL to schedule their training session, or opt for the Microsoft training experience. In case of the latter, you may handpick training modules from Microsoft’s catalog to train your users or let Microsoft automatically assign training courses based on the user’s previous campaign results and training experiences.

9. With regards to the post-phish landing page experience, some prefer to be more harsh than others. It’s up to you to determine what works best in your organisation. You may choose a pre-designed landing page from Microsoft’s catalog or design one yourself.

10. Next, you can configure whether to send user notifications associated with this campaign.
    • Positive reinforcement notification (to thank users who report the phish)
    • Training reminder notification (if you linked training in the previous steps)

11. The last thing to configure is the scheduled date for the attack simulation and the length of the campaign. Once you’re ready, review the details you configured and submit the simulation.

12. From my observations, the reporting on the campaign is real-time and the figures are updated every minute (more or less). At a glance, you can get a quick summary of the outcome, with key metrics such as the number of users who:
    • were compromised
    • reported the message
    • read the message
    • opened attachments

You also get a tabular view listing all users targeted by the campaign together with some key information such as:

• the actions they took
• whether they reported
• whether they were compromised
• whether they attended the scheduled training

Running phishing simulations isn’t just about catching people out—it’s about giving them the tools to improve. With the attack simulation training in Microsoft Security Center, you can run smart, effective tests that actually make a difference. The goal is to raise awareness, build confidence, and reduce the chances of a mistake turning into a disaster. Keep running these simulations, keep learning from them, and you’ll be well on your way to a team that’s not just prepared but proactive when it comes to phishing threats.

The post How to Create a Phishing Campaign in the Microsoft Security Center appeared first on Cyberillo.

In this post, I’ll show you how to use the DSInternals PowerShell module to test Active Directory password quality and identify flaws in your AD security posture. Then, we’ll create a Power BI report to get a quick glance at the number of password quality issues, together with a list of users affected by each issue.

Complete PowerShell Script

## Active Directory Password Quality Data Export ##
#░█████╗░██╗░░░██╗██████╗░███████╗██████╗░██╗██╗░░░░░██╗░░░░░░█████╗░
#██╔══██╗╚██╗░██╔╝██╔══██╗██╔════╝██╔══██╗██║██║░░░░░██║░░░░░██╔══██╗
#██║░░╚═╝░╚████╔╝░██████╦╝█████╗░░██████╔╝██║██║░░░░░██║░░░░░██║░░██║
#██║░░██╗░░╚██╔╝░░██╔══██╗██╔══╝░░██╔══██╗██║██║░░░░░██║░░░░░██║░░██║
#╚█████╔╝░░░██║░░░██████╦╝███████╗██║░░██║██║███████╗███████╗╚█████╔╝
#░╚════╝░░░░╚═╝░░░╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝╚══════╝╚══════╝░╚════╝░

# Define Variables
$dictionary = ".\Dictionary.txt"
$domain = "dc=contoso,dc=com"
$dc = "10.10.10.1"

# Retrieve AD Accounts and Test Password Quality
$data = Get-ADReplAccount -All -Server $dc -NamingContext $domain |
        Test-PasswordQuality -WeakPasswordsFile $dictionary -IncludeDisabledAccounts

# Define the Password Quality Criteria
$qualityCriteria = @(
    "ClearTextPassword",
    "LMHash",
    "EmptyPassword",
    "WeakPassword",
    "SamAccountNameAsPassword",
    "DefaultComputerPassword",
    "PasswordNotRequired",
    "PasswordNeverExpires",
    "AESKeysMissing",
    "PreAuthNotRequired",
    "DESEncryptionOnly",
    "Kerberoastable",
    "DelegatableAdmins",
    "SmartCardUsersWithPassword",
    "DuplicatePasswordGroups"
)

# Initialize an array to store expanded data
$expandedData = @([pscustomobject]@{
                    "ClearTextPassword" = ""
                    "LMHash" = ""
                    "EmptyPassword" = ""
                    "WeakPassword" = ""
                    "SamAccountNameAsPassword" = ""
                    "DefaultComputerPassword" = ""
                    "PasswordNotRequired" = ""
                    "PasswordNeverExpires" = ""
                    "AESKeysMissing" = ""
                    "PreAuthNotRequired" = ""
                    "DESEncryptionOnly" = ""
                    "Kerberoastable" = ""
                    "DelegatableAdmins" = ""
                    "SmartCardUsersWithPassword" = ""
                    "DuplicatePasswordGroups" = ""
                })

# Iterate through each account and expand the criteria into separate rows
foreach ($account in $data) {
    foreach ($criterion in $qualityCriteria) {
        # Check if the criterion contains values
        if ($account.PSObject.Properties[$criterion].Value -and $account.$criterion.Count -gt 0) {
            # Expand each item in the collection into a new row
            foreach ($user in $account.$criterion) {
                $expandedData += [pscustomobject]@{
                    "$Criterion"   = $user
                }
            }
        }
    }
}

# Export all expanded data into a single CSV
$expandedData | Export-Csv -Path "PasswordQuality.csv" -NoTypeInformation

Write-Host "Exported expanded data to PasswordQuality.csv with $($expandedData.Count) records."

Script Breakdown

We’ll start with the PowerShell script that gathers all the information we need from Active Directory.

Here’s what it does:

1. Pulls AD account information from your domain controller (DC).
2. Checks password quality based on various criteria, like whether the password is weak, missing, or stored improperly.
3. Expands the data into a more readable format.
4. Exports the results to a CSV file for analysis.

1. Setting Up Your Variables

# Define Variables
$dictionary = ".\Dictionary.txt"
$domain = "dc=contoso,dc=com"
$dc = "10.10.10.1"

You need to define a few things at the start: where the script can find a list of weak passwords (Dictionary.txt), your domain name, and the IP address of your domain controller. Change these to match your environment.

You can customize the dictionary as needed, but a good starting point can be found here.

2. Getting AD Accounts and Testing Password Quality

$data = Get-ADReplAccount -All -Server $dc -NamingContext $domain |
        Test-PasswordQuality -WeakPasswordsFile $dictionary -IncludeDisabledAccounts

This section uses the Get-ADReplAccount and Test-PasswordQuality cmdlets from the DSInternals PowerShell module.

It retrieves all the accounts in your domain and checks their password quality. We’re looking for things like weak passwords, missing encryption, or even accounts that use their username as a password (yikes!). This script can also include disabled accounts—because even they can be a security risk if left unchecked.

3. Defining Password Quality Criteria

$qualityCriteria = @(
    "ClearTextPassword", "LMHash", "EmptyPassword", "WeakPassword", 
    "SamAccountNameAsPassword", "DefaultComputerPassword", "PasswordNotRequired", 
    "PasswordNeverExpires", "AESKeysMissing", "PreAuthNotRequired", 
    "DESEncryptionOnly", "Kerberoastable", "DelegatableAdmins", 
    "SmartCardUsersWithPassword", "DuplicatePasswordGroups"
)

This part sets the criteria we care about—whether the password is empty, weak, or stored as an old LMHash, just to name a few. These are the key things that pose risks, and the Test-PasswordQuality cmdlet checks for all of them.

4. Storing and Expanding the Data

$expandedData = @()
foreach ($account in $data) {
    foreach ($criterion in $qualityCriteria) {
        if ($account.PSObject.Properties[$criterion].Value -and $account.$criterion.Count -gt 0) {
            foreach ($user in $account.$criterion) {
                $expandedData += [pscustomobject]@{ "$criterion" = $user }
            }
        }
    }
}

This portion of the script is all about organizing the data in a way that’s easy to analyze and visualize later on, especially when we move the data into Power BI. Let’s break it down step-by-step:

A) Initializing the Expanded Data Array

$expandedData = @()

• Purpose: Here, we’re creating an empty array called $expandedData. This array will store each password quality issue we find, structured in a consistent format.
• Why It Matters: By initializing an empty array, we ensure that we have a clean slate to start adding our processed data. This helps in avoiding any unintended data carryover from previous runs or other parts of the script.

B) Looping Through Each AD Account

foreach ($account in $data) {
    ...
}

• Purpose: This outer loop goes through each account retrieved earlier by the Get-ADReplAccount cmdlet.
• Why It Matters: We need to evaluate each account individually to check for any password-related issues. This ensures that no account is overlooked in our analysis.

C) Checking Each Password Quality Criterion

foreach ($criterion in $qualityCriteria) {
    ...
}

• Purpose: For every account, we loop through each password quality criterion defined in the $qualityCriteria array.
• Why It Matters: Each criterion represents a specific type of password issue (e.g., weak password, empty password). By iterating through each one, we can systematically check for all possible vulnerabilities associated with the account.

D) Confirm Existence of Password Quality Issues

if ($account.PSObject.Properties[$criterion].Value -and $account.$criterion.Count -gt 0) {
    ...
}

• Purpose: This if statement checks two things:
  1. $account.PSObject.Properties[$criterion].Value: Ensures that the current criterion has a value, meaning that there is at least one instance of this issue for the account.
  2. $account.$criterion.Count -gt 0: Confirms that the number of issues under this criterion is greater than zero.
• Why It Matters: We only want to record criteria that are actually present. This prevents our final data set from being cluttered with empty or irrelevant entries, making our analysis cleaner and more focused on real issues.

E) Expanding Each Issue into a New Row

foreach ($user in $account.$criterion) {
    $expandedData += [pscustomobject]@{ "$criterion" = $user }
}

• Purpose: For each issue found under the current criterion, we create a new custom PowerShell object and add it to the $expandedData array.
  • [pscustomobject]@{ "$criterion" = $user }: This creates a new object with a property named after the current criterion and assigns it the value of the specific issue ($user).
  • $expandedData += ...: This appends the newly created object to the $expandedData array.
• Why It Matters: By expanding each issue into its own row, we transform our data into a flat, tabular format that’s ideal for analysis and visualization. This structure is especially useful when importing the data into Power BI, as it allows for easy creation of filters, charts, and other visuals based on specific criteria.

F) Putting It All Together

Let’s visualize what’s happening with an example:

• Suppose we have an AD account, jdoe, with the following password issues:
  • WeakPassword: password123
  • PasswordNeverExpires: Enabled
• Processing Steps:
  1. First Loop ($account): Processes the jdoe account.
  2. Second Loop ($criterion): Checks each criterion for jdoe.
     • WeakPassword:
       • Condition Check: True (since password123 is listed in the dictionary)
       • Inner Loop: Adds a new object { "WeakPassword" = "jdoe" } to $expandedData.
     • PasswordNeverExpires:
       • Condition Check: True (since it’s enabled)
       • Inner Loop: Adds another object { "PasswordNeverExpires" = "jdoe" } to $expandedData.
     • Other Criteria: If jdoe doesn’t have issues like EmptyPassword or LMHash, those criteria are skipped and no new rows are created.

This flattened structure makes it straightforward to create visuals in Power BI, such as:

• Bar Charts: Showing the number of accounts with each type of password issue.
• Tables: Listing all accounts alongside their specific vulnerabilities.
• Pie Charts: Representing the proportion of each issue relative to the total number of issues.

G) Why Use This Approach?

• Simplicity: By expanding each issue into its own row, the data becomes easier to work with, especially when dealing with multiple criteria across numerous accounts.
• Flexibility: This format allows you to filter, sort, and visualize the data with little extra data manipulation.
• Scalability: As your organization grows and the number of AD accounts increases, this method remains efficient and manageable.

5. Exporting to CSV

$expandedData | Export-Csv -Path "PasswordQuality.csv" -NoTypeInformation
Write-Host "Exported expanded data to PasswordQuality.csv with $($expandedData.Count) records."

Finally, all the findings get exported to a CSV file, which we’ll use as a data source to create our Power BI report. The CSV will contain the password quality issues as columns, and one user per row (under the appropriate column). One user can have multiple rows in the CSV if his account has more than one password quality issue.

Create a Power BI Report

Now that we have the data in PasswordQuality.csv, it’s time to visualize it in Power BI. This will help you spot trends and focus on the biggest security risks.

Steps:

1. Open Power BI and go to Home -> Get Data -> Text/CSV.

2. Browse to your exported PasswordQuality.csv and click Transform Data.

3. In the Power Query editor, click on Use First Row as Headers.

4. Then, click on Replace Values.

5. Leave Value to find blank and enter null in the Replace With field. Then, click on OK. This will take care of the blank values in our data.

6. Save the Power Query changes by clicking on Close & Apply.

7. This next step is crucial. We will use our data to create a new table with two columns, User and Issue. This will make it easier to visualize and filter the data. Go to Modeling -> New table.

8. In the DAX query, type the following code:

Issues = 
VAR _AESKeysMissing =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[AESKeysMissing],
        "Issue", "AESKeysMissing"
    )
VAR _ClearTextPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[ClearTextPassword],
        "Issue", "ClearTextPassword"
    )
VAR _DESEncryptionOnly =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DESEncryptionOnly],
        "Issue", "DESEncryptionOnly"
    )
VAR _DefaultComputerPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DefaultComputerPassword],
        "Issue", "DefaultComputerPassword"
    )
VAR _DelegatableAdmins =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DelegatableAdmins],
        "Issue", "DelegatableAdmins"
    )
VAR _DuplicatePasswordGroups =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DuplicatePasswordGroups],
        "Issue", "DuplicatePasswordGroups"
    )
VAR _EmptyPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[EmptyPassword],
        "Issue", "EmptyPassword"
    )
VAR _Kerberoastable =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[Kerberoastable],
        "Issue", "Kerberoastable"
    )
VAR _LMHash =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[LMHash],
        "Issue", "LMHash"
    )
VAR _PasswordNeverExpires =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[PasswordNeverExpires],
        "Issue", "PasswordNeverExpires"
    )
VAR _PasswordNotRequired =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[PasswordNotRequired],
        "Issue", "PasswordNotRequired"
    )
VAR _PreAuthNotRequired =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[PreAuthNotRequired],
        "Issue", "PreAuthNotRequired"
    )
VAR _SamAccountNameAsPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[SamAccountNameAsPassword],
        "Issue", "SamAccountNameAsPassword"
    )
VAR _SmartCardUsersWithPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[SmartCardUsersWithPassword],
        "Issue", "SmartCardUsersWithPassword"
    )
VAR _WeakPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[WeakPassword],
        "Issue", "WeakPassword"
    )

RETURN
    DISTINCT (
        UNION (
            _AESKeysMissing,
            _ClearTextPassword,
            _DESEncryptionOnly,
            _DefaultComputerPassword,
            _DelegatableAdmins,
            _DuplicatePasswordGroups,
            _EmptyPassword,
            _Kerberoastable,
            _LMHash,
            _PasswordNeverExpires,
            _PasswordNotRequired,
            _PreAuthNotRequired,
            _SamAccountNameAsPassword,
            _SmartCardUsersWithPassword,
            _WeakPassword
        )
    )

9. Now, you can visualize the data as needed. A report which I find convenient is a donut chart with the Issue column as the legend, and the count of the User column as the values. This shows the most common password quality issues in the domain. The list of users affected by each issue can be filtered by clicking on the different donut slices.

Wrapping Up

And that’s it! You’ve now used a PowerShell script to gather AD password quality data and created a Power BI report to visualize it. This is a powerful way to stay on top of password security, spot potential vulnerabilities, and make sure your organization’s accounts are protected.

Remember, scheduling the script at regular intervals (and refreshing the report data) can help you stay ahead of any security risks related to weak passwords. And with Power BI, you can easily share the findings and keep the rest of your team in the loop.

Let me know if you have any questions or if you’d like to see more advanced Power BI visuals. Stay secure!

The post Active Directory Password Quality Report in Power BI appeared first on Cyberillo.

Installing Kali Linux on Windows is a straightforward process that lets you access one of the most popular Linux distributions for cybersecurity and penetration testing directly from your Windows machine. Whether you’re a security professional, an ethical hacker, or someone looking to explore digital forensics, getting Kali Linux up and running on your Windows 10 or 11 system offers a powerful toolset right at your fingertips.

This tutorial will guide you through two methods to install Kali Linux: via the Windows Subsystem for Linux (WSL) and using Hyper-V. Both approaches allow you to integrate a Linux environment into Windows, but each offers its unique advantages. If you’re more interested in lightweight integration, WSL might be your best bet. If you prefer running Kali in a virtual machine with more control, Hyper-V is the way to go. Let’s dive into the details.

Method 1: How to Install Kali Linux on WSL (Windows Subsystem for Linux)

To begin, you’ll need to enable the Windows Subsystem for Linux (WSL) and the Virtual Machine Platform features. These components are necessary to ensure your system can run a Linux kernel directly on Windows.

1. Navigate to the control panel and select Programs > Turns Windows features on or off.

2. Enable the Virtual Machine Platform & Windows Subsystem for Linux features.
   
   Using the Windows Subsystem Linux feature on Windows 11 or 10 allows you to run a Linux environment natively, with deep integration into the Windows file system. It’s user-friendly, making it ideal for those who want to install Kali Linux without dealing with a full virtual machine setup.

3. Click on OK and reboot your machine for the changes to take effect. After rebooting, your system will be ready to install Linux distributions, including Kali Linux.
4. Then, open up the Windows Store and search for Kali Linux.

5. Select the first search result and click on Get.
   
   This process may take a few minutes depending on your internet connection and system performance.

6. Once the download is complete, click on Open. This will install and register the Kali Linux distribution in WSL.
7. When prompted, enter a username and password for your account.

8. Congratulations! You’ve successfully installed Kali Linux on your Windows 11 machine using WSL. You can now launch it directly from the Start menu, and start using Kali’s powerful tools for cybersecurity and penetration testing.

Method 2: How to Install Kali Linux on Hyper-V

For users who prefer using a virtual machine, installing Kali Linux via Hyper-V offers a more isolated and robust environment. This method is ideal for those who want a virtualized instance of Kali Linux, running as a separate machine on your Windows operating system.

First, we’ll need to download the Kali Linux Virtual Machine image. On the official Kali Linux website, under the Pre-built Virtual Machines section, you’ll find options for various virtualization platforms like VMware and VirtualBox, but for this guide, we’re focusing on Hyper-V.

1. Head over to the Kali Linux download page and click on the Virtual Machines option.

2. Under the Pre-built Virtual Machines page, select Hyper-V. Make sure you choose the correct version of Kali Linux for your system. If you’re using a 64-bit Windows system (which most users are), select the 64-bit version.

3. Once the download is complete extract the .7z archive using 7-zip or a similar tool.
4. Open PowerShell with administrator rights and use the command line to navigate to where you extracted the archive. This will allow you to execute the script to create the virtual machine.

cd path/to/your/extracted/archive

5. Create the Kali Linux virtual machine by running the PowerShell script.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
.\create-vm.ps1

6. Once the script completes, you can open Hyper-V Manager and locate your newly created Kali Linux virtual machine. Hyper-V gives you more control over the virtual environment, with options to allocate memory, processors, and more.
7. Double-click to connect to the VM and then click on Start.

8. After the Virtual Machine boots up, you can log in to your Kali Linux environment with the default credentials.

• Username: kali
• Password: kali

9. Congratulations! Your Kali Linux virtual environment is fully set up, and you can start using it for penetration testing, cybersecurity tasks, and more.

Frequently Asked Questions

What is the Windows Subsystem for Linux (WSL)?
WSL allows you to run a full Linux distribution on your Windows machine without the need for a virtual machine. It integrates Linux tools directly into the Windows environment, making it ideal for lightweight tasks and software development.

Can I install Kali Linux on both Windows 10 and Windows 11?
Yes, you can install Kali Linux on both Windows 10 and 11 using WSL. However, WSL 2 is recommended for better performance, which is natively supported in Windows 11 and can be manually enabled on Windows 10.

How do I enable the Windows Subsystem for Linux?
Go to the Control Panel, navigate to “Programs > Turn Windows features on or off,” and enable both the Windows Subsystem for Linux and Virtual Machine Platform features. After enabling them, reboot your system to apply the changes.

What are the default credentials for logging into Kali Linux?
If you’re using the Hyper-V method, the default username and password are both kali. For WSL, you will be prompted to create your own username and password during the installation process.

What are the main differences between WSL and Hyper-V for running Kali Linux?
WSL offers seamless integration into Windows and uses fewer system resources, making it ideal for quick access to Linux tools. Hyper-V provides a full virtual machine with isolated resources, which is better suited for more complex tasks that require a dedicated environment.

How much disk space does Kali Linux require on WSL?
The initial installation of Kali Linux on WSL will require around 2-3 GB of space, but this can grow depending on the tools you install. Make sure to have enough disk space available on your system.

Do I need to reboot after enabling WSL features?
Yes, after enabling the WSL and Virtual Machine Platform features, you need to restart your machine for the changes to take effect.

Can I use VirtualBox or VMware instead of Hyper-V to run Kali Linux?
Yes, you can use VirtualBox or VMware to install Kali Linux as a virtual machine. However, this guide specifically focuses on Hyper-V, which is built into Windows and doesn’t require third-party software.

How do I update Kali Linux once installed?
Once Kali Linux is installed, open the terminal and run the following command to update all packages:

sudo apt update && sudo apt upgrade

This will ensure your system has the latest security updates and software.

Can I dual boot Kali Linux and Windows?
While this guide focuses on using WSL and Hyper-V, you can also dual boot Kali Linux with Windows. This method requires partitioning your hard drive and installing Kali Linux as a separate operating system. Dual booting is more complex but offers the advantage of running Linux natively.

I want to learn penetration testing. Is Kali Linux the right tool for me?
Yes, Kali Linux is widely used by cybersecurity professionals and ethical hackers for penetration testing and digital forensics. It comes pre-installed with a wide range of tools like nmap, Metasploit, and Wireshark, which are essential for these tasks.

What if I encounter errors during the installation process?
If you run into any issues during installation, common troubleshooting steps include:

• Verifying that your Windows version supports WSL 2 or Hyper-V.
• Ensuring you’ve enabled the necessary features (WSL, Virtual Machine Platform, or Hyper-V).
• Checking your internet connection during the download phase.
  For more specific issues, consult the Kali Linux documentation or community forums.

How do I start using Kali Linux after installation?
After installing via WSL, you can launch Kali Linux by searching for “Kali” in the Start menu. For Hyper-V, you’ll use Hyper-V Manager to start the virtual machine. Once started, you can use the terminal for all Linux commands and tools.

Is using Kali Linux on WSL or Hyper-V suitable for production environments?
For most users, running Kali Linux on WSL or Hyper-V is ideal for learning, development, and testing purposes. However, production environments often require more robust virtualization or dedicated systems, especially for security-critical operations.

Can I install additional Linux tools after setting up Kali Linux?
Absolutely! You can use the terminal in Kali Linux to install additional tools. For example, to install nmap, run:

sudo apt install nmap

Kali Linux is highly flexible and customizable for any additional tools you may need.

This FAQ should help clarify any questions you may have during the process of installing Kali Linux on your Windows machine.

Conclusion

Both methods allow you to install Kali Linux on your Windows machine, but the choice depends on how you want to use the operating system. WSL offers a lighter, more integrated approach with the Windows environment, ideal for users who want quick access to Linux tools and a simplified setup. Meanwhile, Hyper-V provides a more controlled, virtualized instance of Kali Linux, making it a solid choice for those who want full isolation and greater flexibility in managing resources.

No matter which method you choose, you’ll have Kali Linux ready to go, with access to its full suite of ethical hacking and cybersecurity tools, from nmap to Metasploit. Whether you’re looking to perform digital forensics, test network security, or simply familiarize yourself with the Linux environment, Kali Linux on Windows provides a versatile platform to start exploring.

With either installation method, you’ll have access to a robust Debian-based Linux distribution, widely regarded as one of the best options for cybersecurity and penetration testing. Now, it’s time to start using Kali Linux and dive into the world of ethical hacking and digital security right from your Windows machine!

The post How to Install Kali Linux on Windows 11 (2 Easy Ways) appeared first on Cyberillo.

How to Delete an Empty Directory in Linux

If you need to delete an empty directory, the rmdir command is your best option. This command is designed to remove a directory in Linux as long as it contains no files or subdirectories.

Here’s the command to remove an empty folder:

rmdir directory_name

For example, if you have a folder called backup_folder and it’s empty, you can delete it by running the following command:

rmdir backup_folder

How to Delete a Non-Empty Directory

When a directory contains files or other subdirectories, you can’t use rmdir. Instead, the rm command with the -r or -rf flags will recursively delete a directory and its contents. The -r flag tells the system to recursively remove not only the directory but all the files and subdirectories within it.

The syntax to delete a directory and its contents is:

rm -r directory_name

Let’s say you want to delete backup_folder and it contains files. The rm command with the -r flag will handle it:

rm -r backup_folder

If you need to delete the folder without any prompts, add the -f flag, which forces the system to delete everything without asking for confirmation even if the files in the directory are write-protected!

rm -rf backup_folder

Using rm -rf allows users to delete directories and their contents in a Linux system. This is a powerful command, so always double-check to avoid deleting the wrong files, especially if you’re dealing with critical files. A case of accidental deletion is hard to reverse.

Removing Multiple Directories in Linux Using Wildcards

In Linux distributions, you can use wildcards to remove several directories at once. For instance, if you have multiple folders that begin with the same prefix, such as backup_, you can remove them all with this Linux command:

rm -r backup_*

This command will delete all directories and their contents that match the pattern. This is particularly useful if you want to clear out old backup directories or redundant folders.

Using Sudo and Root Access

In some cases, you may need root access to delete certain directories, especially if they are system directories or write-protected. To delete a directory with elevated permissions, you can use sudo:

sudo rm -rf /path/to/directory

Be cautious when using sudo rm -rf, as it can permanently remove directories and files without the chance of recovery.

Avoid Accidental Deletion

If you’re concerned about accidentally deleting important files, you can create an alias for the rm command that always prompts for confirmation. Add this to your .bashrc or .bash_profile:

alias rm='rm -i'

This forces rm to ask for confirmation before deleting files or directories, adding an extra layer of safety.

Deleting Directories in a Graphical Environment (GUI)

For those using a graphical interface, most Linux systems come with file managers that allow users to manage and delete directories with just a few clicks. Though the command line offers more control, the GUI is convenient for basic tasks like removing a folder or deleting a file in Linux.

The post How to Delete a Directory in Linux appeared first on Cyberillo.

Complete Script

## How to Bulk Add Devices to Azure AD Group Using PowerShell ##
#░█████╗░██╗░░░██╗██████╗░███████╗██████╗░██╗██╗░░░░░██╗░░░░░░█████╗░
#██╔══██╗╚██╗░██╔╝██╔══██╗██╔════╝██╔══██╗██║██║░░░░░██║░░░░░██╔══██╗
#██║░░╚═╝░╚████╔╝░██████╦╝█████╗░░██████╔╝██║██║░░░░░██║░░░░░██║░░██║
#██║░░██╗░░╚██╔╝░░██╔══██╗██╔══╝░░██╔══██╗██║██║░░░░░██║░░░░░██║░░██║
#╚█████╔╝░░░██║░░░██████╦╝███████╗██║░░██║██║███████╗███████╗╚█████╔╝
#░╚════╝░░░░╚═╝░░░╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝╚══════╝╚══════╝░╚════╝░

# Import the AzureAD module
Import-Module AzureAD

# Login to Azure AD
Connect-AzureAD

# Path to your CSV file
$csvFilePath = "C:\path\to\your\devices.csv"

# Security Group Name
$securityGroupName = "Your-Security-Group-Name"

# Get the Security Group Object ID from the group name
$securityGroup = Get-AzureADGroup -SearchString $securityGroupName
if ($securityGroup -eq $null) {
    Write-Host "Security group not found: $securityGroupName"
    exit
}

$securityGroupId = $securityGroup.ObjectId

# Import the CSV file
$devices = Import-Csv -Path $csvFilePath

# Loop through each device in the CSV
foreach ($device in $devices) {
    $deviceName = $device.DeviceName

    # Get the Device Object ID from the device name
    $deviceObject = Get-AzureADDevice -SearchString $deviceName
    if ($deviceObject -eq $null) {
        Write-Host "Device not found: $deviceName"
        continue
    }

    $deviceId = $deviceObject.ObjectId

    try {
        # Add the device to the security group
        Add-AzureADGroupMember -ObjectId $securityGroupId -RefObjectId $deviceId
        Write-Host "Successfully added Device: $deviceName to the group."
    } catch {
        Write-Host "Failed to add Device: $deviceName. Error: $_"
    }
}

# Disconnect from Azure AD
Disconnect-AzureAD

Overview of the Script

So, what does the script do?

1. Import devices from a CSV file.
2. Search for these devices in Azure AD.
3. Add the devices to a specified security group.
4. Report success or errors for each device.

Prerequisites

Before running the script, ensure the following:

• You have the AzureAD PowerShell module installed.
• The script is executed by a user with permissions to manage devices and groups in Azure AD.
• A CSV file containing device names is available.
• The correct security group already exists in Azure AD.

Step-by-Step Breakdown

1. Import the Azure AD Module

The script starts by loading the AzureAD module, which contains cmdlets to manage Azure AD resources from PowerShell.

Import-Module AzureAD

This step is necessary for interacting with Azure AD using PowerShell. If you don’t have the module installed, run:

Install-Module AzureAD

2. Authenticate with Azure AD

Before performing any Azure AD operations, the script requires the user to authenticate:

Connect-AzureAD

This prompts the user to enter credentials or use existing session credentials to connect to Azure AD.

3. Specify the CSV File Path and Security Group

You’ll need a CSV file that lists the devices to be added. The CSV should contain a column titled DeviceName, which holds the names of the devices you want to add.

$csvFilePath = "C:\path\to\your\devices.csv"
$securityGroupName = "Your-Security-Group-Name"

Here, $csvFilePath points to the CSV file and $securityGroupName is the name of the Azure AD security group you want to add the devices to.

4. Retrieve the Security Group Object ID

Azure AD uses unique object IDs for each resource, including security groups. To add devices to a group, the script must first retrieve the Object ID of the target security group:

$securityGroup = Get-AzureADGroup -SearchString $securityGroupName
if ($securityGroup -eq $null) {
    Write-Host "Security group not found: $securityGroupName"
    exit
}

If the group isn’t found, the script exits with an appropriate message. Otherwise, the script proceeds to store the Object ID of the group in $securityGroupId:

$securityGroupId = $securityGroup.ObjectId

5. Import the CSV File

The devices from the CSV file are imported into a variable $devices:

$devices = Import-Csv -Path $csvFilePath

Each device is stored as a record, and the script processes each device by looping through the records.

6. Loop through Devices and Add to Group

For each device, the script:

• Retrieves the device’s Object ID from Azure AD using the DeviceName from the CSV.
• Adds the device to the specified security group.
• Logs the outcome for each device.

foreach ($device in $devices) {
    $deviceName = $device.DeviceName
    $deviceObject = Get-AzureADDevice -SearchString $deviceName
    if ($deviceObject -eq $null) {
        Write-Host "Device not found: $deviceName"
        continue
    }

    $deviceId = $deviceObject.ObjectId

    try {
        Add-AzureADGroupMember -ObjectId $securityGroupId -RefObjectId $deviceId
        Write-Host "Successfully added Device: $deviceName to the group."
    } catch {
        Write-Host "Failed to add Device: $deviceName. Error: $_"
    }
}

If the device isn’t found in Azure AD, a message is displayed, and the script moves on to the next device. If an error occurs during the addition process, it’s caught and logged.

7. Disconnect from Azure AD

After processing all the devices, the script disconnects from Azure AD:

Disconnect-AzureAD

This closes the session and ensures no lingering connections remain.

The post How to Bulk Add Devices to Azure AD Group Using PowerShell appeared first on Cyberillo.

1. The Plugin Route: Swift and Simple

For most people, the easiest way to put your site into maintenance mode is by using a plugin. Think of it as flipping a switch—no code, no fuss. If you’re looking for a quick fix, plugins like Maintenance (by WebFactory Ltd) are an excellent choice.

Here’s how to do it.

1. Install and Activate the Plugin: Head over to your WordPress dashboard, navigate to Plugins > Add New Plugin and type “maintenance” in the search bar. Find the Maintenance plugin and click on Install Now. Activate the plugin, and you’re good to go. Easy as pie. Note that Maintenance mode is automatically turned on after you activate the plugin.

2. Customize Your Maintenance Mode Page: After activation, it’s time to design the maintenance mode page. Whether you want a simple “We’ll be back soon” message or a full-blown custom maintenance mode page with social links, this plugin’s got you covered. Note that the free version of the plugin only offers limited customization options. The PRO version offers beautiful ready-made themes for a more professional look.

3. Activate Maintenance Mode: This plugin comes with a straightforward toggle. Turn it on, and your WordPress site is officially in maintenance mode. Visitors will now see your customized page, rather than your unfinished website.

Here’s an example of how a customized Maintenance Mode page designed with this plugin looks like.

2. The Hands-On Approach: DIY Maintenance Mode

If you’re feeling a bit more daring or prefer not to rely on plugins, you can manually put your WordPress website in maintenance mode. This involves adding a code snippet to your theme’s functions.php file. It’s a little more technical, but it gives you greater control.

Follow these steps to try it yourself.

1. Access Your Theme Files: Go to Appearance > Theme File Editor.
2. If this is your first time editing theme files, you will get a popup warning you that you are directly editing theme files, which could break your site (if you do something wrong). Click on I understand. I recommend creating a child theme from your active theme, setting it as the active theme, and modifying it instead of directly modifying the parent theme files.

3. Open the functions.php file of your active theme.

4. Add the Maintenance Mode Code: Insert the following code at the end of your functions.php file:

function wp_maintenance_mode() {
  if (!current_user_can("edit_themes") || !is_user_logged_in()) {
    wp_die(
      "<h1>Under Maintenance</h1><p>Our site is currently undergoing maintenance. Please check back soon!</p>",
    );
  }
}
add_action("get_header", "wp_maintenance_mode");

5. Save Your Changes: Once the code is in place, save the file by clicking on the Update File button. Your site is now in maintenance mode, displaying a simple “Under Maintenance” message to visitors. Only you and other admins can bypass this and access the site normally.

6. Delete the code or comment it out to take the site out of maintenance mode.

3. Built-In Maintenance Mode: The .maintenance File Method

There’s another way to put your WordPress site into maintenance mode, and it’s one that’s built right into WordPress itself. This method involves creating a .maintenance file in your site’s root directory. It’s a more minimalist approach but gets the job done without any extra plugins.

Here’s how:

1. Create the .maintenance File: Using an FTP client or the File Manager app in cPanel, create a .maintenance file in the root directory of your WordPress installation.

2. Add a Simple Script: Open the file and add the following code: <?php $upgrading = time();. This will put your site in maintenance and the below message will be shown to visitors.

3. Remove the File When Done: Once you’ve completed your updates, simply delete the .maintenance file to bring your site back online.

Dealing with the Dreaded “Stuck in Maintenance Mode” Issue

It happens. Sometimes your site can get stuck in maintenance mode, usually because an update didn’t finish properly. If your WordPress website is stuck in maintenance mode, don’t panic. Just delete the .maintenance file from your site’s root directory, and everything should return to normal. I cover this topic in more detail here.

Wrapping Up: Bring Your Site Back Online

When you’re done with updates, and your site is ready for visitors again, you’ll need to disable maintenance mode. For those using a plugin, simply toggle it off in the plugin settings. If you used a code snippet, remove it from functions.php, or if you opted for the .maintenance file method, just delete the file.

Your WordPress site should be back to its regular self, and your visitors none the wiser about the work that went on behind the scenes.

Maintenance mode is a simple yet powerful tool to keep your WordPress website looking sharp, even when you’re busy with updates and changes. Whether you go the plugin route or prefer a more hands-on approach, putting your site in maintenance mode ensures your visitors only see the best version of your site.

The post How to Put WordPress Site in Maintenance Mode appeared first on Cyberillo.

You forgot, didn’t you? That password you set on your zipped folder with all your precious files. Wishing you didn’t set it in the first place?

When you encounter a locked zip file, it can be frustrating. Whether you’ve forgotten the password or inherited a protected zip archive, recovering access is essential. Fortunately, there are various methods and tools available for zip password recovery that can help you regain access to your files.

How to crack a zip file password?

You’re in luck, John the Ripper has a tool made just for this purpose.

1. Download the ZipRipper tool from GitHub by clicking on Code and then Download ZIP.

2. Extract the downloaded ZIP file.
3. Launch the password cracker by double-clicking on ZipRipper.cmd from the extracted archive.

4. Microsoft Defender SmartScreen might block the program. When, prompted that Windows Protected your PC, click on More info and then, Run anyway.

5. Click on Start once the ZipRipper GUI pops up.

6. Select the password protected ZIP file you would like to decrypt, and click on Open.

7. The password cracker will get to work – make sure you have an active Internet connection if using it in online mode.
8. When asked whether or not to split the word list, select No.

9. Simple passwords will be cracked in a matter of seconds, whereas more complex passwords may take minutes, days, weeks … You get it.
10. Once the password is successfully cracked, you get a popup showing the cracked password/s. A file with the cracked passwords is also saved to the desktop.

11. Congratulations, you can now open your password protected ZIP file.

What is a Zip File and Why Protect It?

A zip file is a compressed archive that can contain one or more files or folders. These archives are often password protected to ensure that sensitive data remains secure. Password protection uses encryption to prevent unauthorized access, making it crucial to remember or securely store the password. If you lose the password, you’ll need to recover it to access the files within.

Understanding Zip Password Recovery

Zip password recovery involves retrieving the lost or forgotten password to unlock an encrypted zip file. This process can be done using specialized software known as a password recovery tool. These tools employ various techniques, such as brute force, dictionary attacks, and mask attacks, to find the password.

Popular Methods for Zip Password Recovery

1. Brute Force Attack: This method systematically tries every possible combination of characters until the correct password is found. While it can be effective, it may take a long time, depending on the password length and complexity.
2. Dictionary Attack: This technique uses a pre-defined list of potential passwords. The tool runs through the list and checks each one until the right password is found. This method is faster than brute force but relies on the password being within the dictionary.
3. Mask Attack: If you remember part of the password or have an idea of its structure, a mask attack can be useful. You can set parameters like password length, character set, or specific characters to narrow down the search, making the recovery process quicker.

Alternative Tools for Recovering Zip Passwords

ZipRipper aside, there are several other apps and tools available that can assist with zip password recovery:

• WinZip: A popular archiver that offers built-in tools for password recovery and decryption. While it’s a paid app, you can find free downloads of its demo version, which might include limited password recovery functionality.
• Zip Password Unlocker: This tool is designed specifically for recovering passwords from encrypted zip archives. It supports various versions of popular archivers and offers an easy-to-use interface.
• RAR Password Recovery Tool: Though primarily for RAR files, this tool also supports zip file recovery. It uses advanced algorithms to find the password efficiently.

How to Use a Zip Password Recovery Tool

1. Download and Install: Choose a zip password recovery tool that suits your needs and download the latest version. Install it on your Windows computer.
2. Upload Your File: Open the tool and upload your encrypted zip file. Most tools will allow you to drag and drop the file directly into the interface.
3. Set Parameters: If using a mask attack, set your parameters such as the password length or character set. For dictionary attacks, upload your dictionary file.
4. Start the Recovery Process: Initiate the password recovery. The tool will begin searching for the correct password. The time taken will depend on the chosen method and the password’s complexity.
5. Recover and Copy the Password: Once the tool finds the password, it will display it on the screen. Copy the password and use it to unlock your protected zip file.

Legal Considerations

It’s important to affirm that using zip password recovery tools should only be done when you have the legal right to access the data. Recovering passwords for files obtained without authorization or through other illegal means may constitute theft and can lead to criminal prosecution. Always ensure you are the rightful owner of all files or have explicit permission from the owner to perform these operations.

Conclusion

Zip password recovery is a necessary skill when dealing with protected archives, especially if you’ve lost access to sensitive files. With the right tool and approach, you can recover your password and regain access to your data. Remember to use these tools responsibly and within the bounds of the law to avoid any legal repercussions.

The post ZIP Password Recovery: How to Crack ZIP Password in 2024 appeared first on Cyberillo.