Management Security

SonicWall App Control

App Control

To restrict inbound/outbound traffic of an application:

  1. Login to your SonicWall with admin privileges
  2. Navigate to the Policy tab
  3. Expand Security Services on the left-hand pane, click App Control
  4. Turn on the switch Enable App Control, Accept to apply changes
  5. Switch to the Signatures tab within App Control
  6. Filter the app you wish to alter access for, given the provided dropdowns
  7. Hover over the application, and click the edit symbol, select the criteria that best suits your needs

Management Security

Audit 4625

Individual machines world-wide are being hacked away at everday; we are generally only aware of those attempts that are successful. However, monitoring the failed attempts will help identify potential vulnerabilities.

In order to monitor Failed Login attempts, we can take advantage of the Windows Event 4625, which signifies that a login has failed to gain access to the pc. In combination with Event Scheduler, we can automate this process into a recurring alert that emails us as soon as a failed login is detected.

See the code and procedure below:

$EventId = 4625

$A = Get-WinEvent -MaxEvent 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId}
$Message = $A.Message
$EventID = $A.Id
$MachineName = $A.MachineName
$Source = $A.ProviderName

Get-WinEvent -MaxEvents 1 | foreach {
    		$sid = $_.userid;
    		if($sid -eq $null) { return; }
    		$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
    		$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
    		Write-Host $objUser.Value;

$EmailFrom = ""
$EmailTo = ""
$Subject ="Alert From $MachineName"
$Body = "EventID: $EventID`nSource: $Source`nMachineName: $MachineName `nMessage: $Message"
$SMTPServer = ""
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, PORT_NUM)
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("username", "password");
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

How to configure and run Audit_2025 Script (Automatic Alerts for Failed Login):

  1. Log onto target machine, user privileges (admin/regular) doesn’t matter

Setup Script:

  1. Navigate to the local C: drive on the computer
  2. Create a .ps1 file named “Audit_4625”
  3. Open this file in the text editor of your choice
  4. Copy and paste the “Audit_4625” script from above
  5. Confirm to: email is YOUR_EMAIL
  6. Save the file

Setup PowerShell:

  1. In the start search field, search for either PowerShell or PowerShell ISE, right-click run as administrator
  2. In the PowerShell window, run the command Get-ExecutionPolicy, if output is Restricted move to sub-step
    1. If Execution Policy is restricted, run the following command:

Set-ExecutionPolicy RemoteSigned

  1. Run the Get command again to check status update

Setup Task:

  1. Navigate to Event Viewer
  2. In Event Viewer Left-Hand Pane, select Windows Logs > Security
  3. Filter events by ID: 4625 (id for failed login)
    1. If no events are logged, filter for ID: 4624 instead (id for successful login)
  4. Right-click any event with this ID, select Attach a task to this event, a Create Basic Task Wizard will popup
  5. Rename task Security_Microsoft-Windows-Security-Auditing_4625
    1. Optional add a description of the task “Automatic email alert when failed login attempt on some user”
  6. Click next, leave default event trigger settings
    1. If Event ID is 4624, that is ok for setup, we will change later in Task Scheduler
  7. Click next, select action as Start a Program
  8. Click next, on the Action sub-menu Start a Program, enter the file path for Windows Powershell in the Program/Script field


*easiest to search/browse for file*

  1. In the Add Arguments (optional) field, type the path to script Audit_4625 in the C: Drive – C:\Audit_4625.ps1
  2. Click next, verify information, select Finish

Setup Task Scheuler:

  1. Navigate to Task Scheduler
  2. In either Active Tasks or Event Viewer Tasks, locate the new Security_Microsoft-Windows-Security-Auditing_4625 task
  3. Double-click task and task properties window will popup
  4. In general tab, select radio button Run whether user is logged on or not, select check box Run with highest privileges
  5. Confirm configuration is correct for what your machine runs with
  6. On trigger tab, double-click trigger, change Event ID to 4625, click OK
  7. On conditions tab, uncheck boxes Start the task only if the computer is on AC power and Stop if the computer switches to battery power, click OK
  8. Confirm changes and select OK, type user password if prompted to confirm changes

Test Script:

  1. Log off of user, wait for login screen to appear
  2. Type in wrong password
  3. If configured correctly, YOUR_EMAIL will receive an email alert with details of the triggered event

Known Bugs:

  1. Due to Microsoft security, if failed login attempt of user with Microsoft account, alert will fire but will not resolved SID due to it being set to NULL
  2. Event may not trigger/script will throw error if no logs associated with the id are found
Bugs Security Updates

The Windows Blues

The Issue

Last Tuesday’s Windows update for Windows 11 has brought more issues than fixes, with many users reporting Blue Screens of Death (BSODs) and other errors after successfully installing the update to their machine.

The update in question is KB5035853, which is part of the Windows 11 March 2024 Update(s). While said update includes notable improvements, the amount of issues being reported since release is starting to tip the scale the other direction.

Users that have been experiencing BSOD, are greeted by the error message THREAD STUCK IN DEVICE DRIVER, in addition to other messages, each time the screen is displayed. This error occurs immediately after user log on; it should be noted that BSOD can be attributed to many factors, including both hardware and software.

It is speculated that the underlying issue is related to Lenovo specific hardware and Bitlocker, according to the statistics of recent reports, despite other brands having experienced issues as well, including significant slowdowns and prolonged boot times.

The Fix

While it is not fully known what the cause of the bad update is, there are a few steps that you can take to try to resolve it.

  1. One option is to download WinDbg and analyze the crash dump to get more information about the cause of the BSOD.
  2. Another option is to try updating your BIOS, as some users have reported that this has helped to resolve the issue. You can check the manufacturer’s website for your specific hardware to see if there are any available BIOS updates.
  3. If you are experiencing issues with Bitlocker, you may want to try temporarily disabling it and then re-enabling it after the update has been installed.
  4. Finally, if you are still experiencing issues after trying these steps, you may want to consider uninstalling the KB5035853 update and waiting for a newer version to be released.


This is only the most recent occurrence in a string of bad updates from Microsoft, and it is expected that they will have a patch sooner rather than later. If you are having any issues related to this update, or other updates, feel free to contact Microsoft directly at their support page.

Coding Hacking Security

WordPress Password-Cracking Botnet: What to Know

Since 2018, password-cracking botnets has been targeting WordPress sites. These botnets are made of infected WordPress sites that are then being repurposed to perform brute force attacks on other WordPress sites. The active threat-actors employ the use of the native XML-RPC interface of WordPress to brute-force username/password pairs; the end-goal is to gain access to privileged accounts, and then use the enslaved computer to repeat the process on other machines.

How the Botnet Works

What is a botnet?

A botnet is a network of infected machines, that deploy tactics such as  malicious code and remote access, to help spread the infection, while originating from a sole actor.

Russian Origins

The particular botnet in question, works by using a group of four command and control (C2) servers, sending server-side requests to over 14,000 proxy servers, provided by a Russian domain called best-proxies[.]ru. However, some digital-footprints point to server existence in Romania and the Netherlands as well.

These proxy servers are used to anonymize the C2 traffic. The requests are then sent to over 20,000 infected WordPress sites, which are running an attack script. This script attacks targeted WordPress sites by attempting XML-RPC authentication to access privileged accounts.

function createFullRequest($login, $passwords){
$xml = createRequestXML();
for($i = 0; $i < count($passwords); $i++){ $xml = addElementXML($xml, $login, $passwords[$i]); } $request = $xml->saveXML();
return $request;

The script itself generates passwords pulled from publicly accessible credential patterns; once a pattern is determined, it will apply said pattern in a brute force test. For instance, if the script is attempting to log on to as the user Alice, it will utilize passwords such as Alice1, Alice2018, and so on. This tactic can be very effective when used at scale across a large number of targets.

The C2 system’s issuing instructions to the script can optionally define $startPass and $endPass variables, which tell the script to only attempt a subset of passwords on a given list, instead of running the entire set. This greatly increases the speed at which the whole system operates.

Similar Attacks

As recent as February 2024, similar attacks have been seen injecting custom malicious JavaScript into WordPress sites unknowingly, causing site visitors to be silently redirected in the background. The hidden redirection points the visitor to a malicious clone of the site, reporting a user name and list of passwords to a getTask method; as a result, the hackers are given a list of credentials that are tried against said accounts; the cycle then continues with other machines, so on and so forth, in a never ending loop of credential requests and results.

const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';

const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';

It is not yet known where the source of this modern take on the Botnet attack originates from, as the botnet is already quite large, amassing a list of approximately 1,200 effected IPs in just under four days. However, Security Specialists are working toward a solution.

Learn more about this from ars Technica!

How Do You Know?

It’s generally no small task to determine if you’ve been infected, much less the source of infection, as malware by design hides itself thoroughly. The first place to look for infection, with regards to WordPress, is your server/site logs, generally defaulted to the location: C:\inetpub\logs.

Additionally, check within your installation’s Web-Admin, Content and User folders for any recent or suspicious changes.

How to Protect Your WordPress Site

To protect your WordPress site from this type of attack, it’s important to take the following steps:

  1. Use strong, unique passwords: Make sure that you are using strong, unique passwords for all of your WordPress accounts; this will make it more difficult for the attackers to gain access to your site. Additionally, consider employing 2factor authentication methods to your users’ login.
  2. Limit login attempts: Consider using a plugin to limit the number of login attempts that can be made to your site; this will help to prevent brute force attacks. Many of these plugins offer further customization beyond limited attempts, such as lockout periods and ip blacklisting.
  3. Remove unused user accounts: If you are no longer using an account, or you believe an account may be compromised, it’s safest to remove the account entirely, as you can always recreate it later. In addition, if your site is fully setup, consider removing the default admin account as this is the first account tried by hackers in their attempts to bypass your site’s security.
  4. Keep your WordPress site up to date: Make sure that you are running the latest version of WordPress and that all of your plugins and themes are up to date. By updating on a consistent schedule, you can insure your system loads the current security patches and bug fixes that are included in the update.
  5. Use a security plugin: Consider using a security plugin to help protect your site. There are many free and paid options available that can help to prevent brute force attacks and provide other security features, such as custom reports and notifications.

We recommend the free plugin Loginizer, which includes brute-force protections and failed login attempt alerting


The recent WordPress password-cracking botnet is a serious threat to WordPress sites. However, that is only the tip of the security iceberg. As more and more computers become infected, from seemingly ‘normal’ websites, malware can travel stealthily behind the scenes. By taking proper precautions,  you can protect yourself from this type of attack, as well as countless others.

Development Hacking Security

Lazarus Group Exploits Windows Zero-Day for Privilege Escalation with FudModule Rootkit

1. Lazarus

The Lazarus group, a North Korean collective known for cyber-system sabotage, has recently been exploiting a Windows kernel privilege escalation vulnerability (CVE-2024-21338) in the form of a zero-day. This vulnerability is found within appid.sys, the core driver of AppLocker, Microsoft’s application whitelisting app; this newly discovered vulnerability earned a score of 7.8 out of 10 on the CVSS scale.

Lazarus has taken advantage of the vulnerability with the use of the FudModule rootkit, a data-only rootkit that accesses kernel read/write privileges through your machine’s drivers; the ultimate goal – bypass Windows security mechanisms.

Prior to the most recent iteration of this exploit, attackers would expose read/write privileges by attacking known vulnerabilities in third-party drivers. However, with the FudModule rootkit, hackers can deliver a special handle table entry manipulation technique to suspend PPL (Protected Process Light) protected processes.

Those AV Programs effected include, but are not limited to, Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

2. FudModule

The FudModule rootkit itself is a frighteningly versatile piece of malware; it leverages kernel level read/write access to disable important features that security products rely on to detect suspicious behavior. This includes register callbacks, object callbacks, and process, thread, and image kernel callbacks.

It also is capable of removing file system minifilters used by AV Programs to monitor file operations.

This behavior is used by AV Products to find and block effected drivers; keep in mind that not all updates applied to an effected driver necessarily remove the instances of the old versions, thus leaving those weak spots open to attack.

Another additional rootkit behavior targets specific AV’s altogether, as mentioned earlier, rendering their security bypassed and non-functional.

3. Summary

The Lazarus Group is one of the most well-known and persistent threats to cybersecurity. The FudModule rootkit is only the most recent display of there technical prowess.

It is important for organizations to stay vigilant in their security; this includes taking proper precautions, addressing potential leaks/weaknesses in infrastructure, and regularly applying updates. Additionally, having monitors in place will help spot suspicious behavior before anything malicious occurs.

Staying educated, up to date, and aware will serve your system’s security in the long-term.

Development Management Security

How to Create Strong Passwords: A Comprehensive Guide

1. Password Length:

  • An ideal password should be between 12-14 characters in length

2. Use a Combination of Letters, Numbers, and Symbols:

  •  The greater the variation in characters, the harder it will be to brute-force your password
  • Use different numbers, letters, cases, and special characters like @#$^- to strengthen your password

3. Avoid Using Common Words or Phrases:

  • Many insecure passwords are too similar to every-day phrases
  • While they are easy to remember, they are easy to guess

4. Avoid Using Sequences or Patterns:

  • Don’t use repeatable sequences or patterns in your passwords
  • If a hacker is able to establish a pattern from one password, they can quickly guess all of your passwords that follow the same pattern

5. Avoid Using Personal Information:

  • Personal information is easily visible to the public via social media, account names, services, etc. thus, can be found by anyone if they know where to look

6. Use a Password Manager:

  • A password manager can help keep track of your passwords in a secure way, making it so you don’t have to memorize your passwords, thus you can make them as complex as you want
  • Most password managers include a password creation tool, as well as browser plugins to quickly grab your passwords
  • We recommend the password manager BitWarden

7. Regularly Update Your Passwords:

  • The best way to maintain security is to be proactive
  • If you think a password may have been leaked, the safest thing to do is change it
  • Don’t keep less secure passwords for more than a few months

8. Two-Factor Authentication (2FA):

  • If your account in question offers two-factor authentication, set it up
  • The use of a pin, phone-number, or recovery address greatly increases your security, while decreasing the number of successful break-ins

9. Use Unique Passwords for Each Account:

  • One of the worst things you can do is reuse passwords for multiple accounts
  • Likewise, you should not share passwords between people

10. Train Your Team:

  • If applied to a work environment, make sure your team is responsibly creating credentials
  • The best way to stay safe is to be educated

Follow these guidelines and you will be on your way to peace of mind and Fort Knox level security!

Want to create a strong password?