Skip to main content

Posts

Understanding Machine Account Password Rotation Failures in Windows Failover Clusters

I recently encountered an interesting issue involving a two-node Windows Failover Cluster consisting of SVR1 and SVR2. The environment occasionally experienced service startup failures following a failover operation, resulting in unexpected downtime. During troubleshooting, I discovered recurring machine account password update errors on the cluster nodes. This led me down a path of understanding how machine account passwords work in Active Directory, why they are important, and how failures in this area can affect clustered workloads. One important lesson from this investigation is that machine account passwords are often overlooked because they are managed automatically by Windows. However, they play a critical role in maintaining trust between domain-joined systems and Active Directory. When that trust begins to break down, the symptoms may not appear immediately. Instead, problems often surface during authentication-intensive operations such as cluster failovers, service startups, ...
Read more
Recent posts

Kerberos Authenication Explained.

Imagine you’re planning a huge day at Universal Studios Singapore (USS). To make the park run smoothly and keep everyone safe, they use a super-smart "Secret Ticket" system so you don't have to carry your passport around to every single ride. The Master Guest List (Active Directory) Before you even leave your house, your parents go online and register you for the park. They create a profile with your name and a Secret Password. The park’s main computer (the Master Ledger) saves your name and a "scrambled" version of your password. Because USS has many different gates and offices, they "sync" this list to every single computer in the park. This ensures that no matter which entrance you walk toward, the staff there already knows your name and has a copy of your secret handshake. The Front Gate (The Authentication Service) When you arrive at the USS entrance, you don't actually tell the staff your password—because if a "bad guy" is standing ...
Read more

What Happens When You Run GPUpdate?

When you run gpupdate on a server, it looks like a simple command. But in the background, the server is actually following a strict seven-step process to get its new settings from the Domain Controller (DC). Here is exactly what happens. 1. Starting the Service When you type the command, it wakes up a specific background task called the Group Policy Client. If you just run gpupdate, the server only asks for settings that have changed. If you run gpupdate /force, the server ignores its history and re-downloads every single setting. 2. Finding a Domain Controller The server needs to find a "source" for its settings. It checks your network’s DNS to find a Domain Controller. Once it finds one, it proves who it is (authenticates) using its computer account. 3. Figuring Out Which Policies Apply The server asks the Domain Controller for a list of all Group Policy Objects (GPOs). It checks several things to see which ones it should actually use: Location: Is the GPO linked to the se...
Read more

Boundary Marker | Extracting images from a PCAP file

A boundary marker is a delimiter used in multipart data transmissions, particularly in HTTP responses, to separate individual sections within a stream. This technique is commonly used in MJPEG video feeds, live image transmissions, and multi-part file uploads where multiple objects need to be sent over a single HTTP connection. The boundary marker is explicitly defined in the HTTP headers and serves as a way to identify the start and end of each transmitted object within the stream. To identify a boundary marker, you first need to look for Content-Type: multipart/x-mixed-replace in the HTTP headers. This indicates that the response contains multiple segments, each separated by a predefined boundary. Within the headers, you will typically see an entry like boundary=BoundaryString , where "BoundaryString" is the separator between individual content parts. When analysing the TCP stream, these boundary markers will appear before each image or file segment, commonly formatted as...
Read more

Microsoft Sentinel : KQL extend operator

Used to extend the current dataset to columns as per the requirement. In this example, a new column named “ BootSince_newColumn ” is added to the output using the extend operator. This new variable calculates the time difference since boot time and now.   The output shows the newly added column  BootSince_newColumn with the value 2342, which is the number of hours since the boot time. For a more commonly applicable real world example, extend operator can be used to calculate the number of days since the last login date.
Read more

Microsoft Sentinel : KQL project operator

Project operator is used to customize the query result output as per your needs. This doesn't remove or modify any logs. It only affects how it is presented for that particular query, for that particular run. To keep only one particular column details instead of all available columns. If you wish to remove only a column and keep all other available columns, then use project-away   project-rename option can be used to rename the column name. Here in this example, the column with name "Computer" is renamed to "device". To reorder the columns, use project-reorder To summarize, Operator Description project Determines the columns to include, rename, or drop, and insert new computed columns. project-away Determines which columns from the input should be excluded from the output. project-keep Determine what columns from the input to keep in the output using a column name pattern match. project-rename Renames columns in the output project-reorder Reorder columns in the ...
Read more

Microsoft Sentinel : KQL search query with examples

Search operator To search for all logs that contain a particular keyword. This is useful when you are unsure about a table. search “keyword” And, or combining with the search operator. search “admin” and “login” search “admin” and (“login” or “logout”) To search only on particular tables. search in (SigninLogs ,SecurityEvent) "failed" Typically the search is case insensitive. To Search with case sensitive, use search kind=case_sensitive “admin” Lets try another case sensitive search, Return no result as intended. We can also use wildcards (*) if we are unsure about the exact table name. Performing more granular search. Look for particular keywords in specific columns in a table. search UserName contains “admin” or UserName contains “admin”
Read more

Free resources to learn Kusto Query Language (KQL) for Microsoft Sentinel

  Free resources to learn Kusto Query Language (KQL) for Microsoft Sentinel 1) Must learn KQL This repository from Rod-Trent contains the code, queries, and a free eBook included as part of the Must Learn KQL series.There is also a YouTube playlist related to this.  https://github.com/rod-trent/MustLearnKQL 2) Udemy: Learn KQL for Microsoft Sentinel An Udemy free course created by Samik Roy, designed to refresh your KQL learning and help you to boost your application for Sentinel   https://www.udemy.com/course/learn-kql-for-microsoft-sentinel/ 3) SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL) Microsoft Learn path. Write Kusto Query Language (KQL) statements to query log data to perform detections, analysis, and reporting in Microsoft Sentinel. This learning path will focus on the most used operators. The example KQL statements will showcase security related table queries.   https://learn.microsoft.com/en-us/training/paths/sc-200-u...
Read more

Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433)

Erlang, a programming language for building scalable real-time systems with high availability, forms a powerful ecosystem with the Open Telecom Platform (OTP) framework. Erlang/OTP SSH, an implementation of the SSH protocol, enables secure shell access and file transfers within Erlang-based systems. On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. CVE-2025-32433 is rated with a severity level 10/10. If upgrade is not possible, then disable SSH as a temporary workaround. PoC Exploit URL : https://github.com/ProDefense/CVE-2025-32433 In this PoC, the payload is harmless. It creates the file lab.txt with the contents being pwned. If needed to create a more serious payload or RCE, it must be written in Erlang language.  For example, for having a netcat reverse shell payload, use the following comment (by editing the PoC...
Read more

Ingest Data in Microsoft Sentinel

After deploying Sentinel by creating/assigning a Log Analytics Workspace, next phase is to ingest logs in to Log Analytics Workspaces using data connectors. Data connectors are used to get logs from various sources. This includes the cloud native sources as well as third party sources. Microsoft Sentinel Content hub enables you to discover and install out of the box solutions for Sentinel. This solution is like a package that includes analytics rules, data connectors, playbooks etc pertaining to that particular product or solution. So, when a solution is deployed from the content hub, these associated components will also get installed. If the entire contents are not required then we can opt for a stand-alone content source. Lets install Microsoft Entra ID solution from Content hub. Click on Install. We can see, there are 64 analytics rules, 1 data connector, 11 playbooks and 2 workbooks in this solution. Click on Manage to configure. We can click on each content and configure separate...
Read more

Log Analytics Workspace and Microsoft Sentinel

Log Analytics workspaces is a type of Azure service where the logs can be collected and stored for analysis and retention. Logs from various sources can be piped to the Log Analytics Workspace and it is one of the crucial components for Microsoft Sentinel. Log Analytics Workspace serves as the centralised repository for the logs. The logs are piped using connectors and agents. A retention policy can be set on Log Analytics workspace for compliance requirements. The logs are then used for analysis using Kusto Query Language (KQL). KQL helps to query, filter data to identify patterns, anomalies and potential threats in the environment. In addition to log storage, Log Analytics workspaces offers dashboards and data visualisation options using queries and metrics. Log Analytics can be integrated with Microsoft Sentinel and with Microsoft Defender for Cloud. Sentinel utilises the data stored in Log Analytics workspaces to perform analysis, threat detection, threat hunting and for incident i...
Read more

About Microsoft Sentinel

A Security Operations Centre is a centralised unit that monitors traffic, triage alerts, participates in incident response, perform threat hunting and often performs vulnerability assessments. The individuals who work in a SOC are often referred to as SOC analysts. When it comes to Microsoft Azure SOC, the analysts work predominantly on Microsoft Security, Compliance and identity products and solutions such as Microsoft 365, Defender for Cloud, Microsoft 365 Defender, Sentinel etc. Let's go through the top two products that are critical for a SOC. SIEM and SOAR. A SIEM or Security Information and Event Management provides a centralised management and a holistic view of all events happening in the organisation by collecting and analysing logs from different sources across. SIEM uses correlation to detect anomalies and create alerts based on the conditions. Whereas a SOAR or Security Orchestration Automation and Response helps to handle incidents efficiently and automatically by inte...
Read more

CREST CPSA Exam resources

CREST Practitioner Security Analyst (CPSA) As exam candidates, it might be quite difficult to prepare for the CREST CPSA certification exam as there is no official courseware from CREST. Though there are recommendations from CREST, it is cumbersome to go through each one for the preparation. Therefore, I have written a book on CREST CPSA, aligned with the exam syllabus, covering all knowledge groups. The book is available from Amazon as both Paperbook and eBook format.  Amazon link : https://www.amazon.com/CREST-Practitioner-Security-Analyst-CPSA-ebook/dp/B0F2YGQJQB/ Feel free to check the showcase page cpsaexam.com I am also working on a practice test based on the exam syllabus and the exam study guide. This is scheduled to be released on April 2025.  
Read more

Passed the CompTIA CloudNetX Certification

Last July 2024, I participated in the CompTIA CloudNetX Certification Beta Exam (CNX-001)and today I received my results and I passed!. As of Feb 2025, the exam is not yet available for purchase and is expected to be open by next month (Q1 2025). Comptia recommends A minimum of ten years of experience in the IT field and five years of experience in a network architect role, with experience in the hybrid cloud environment. Network+, Security+, and Cloud+ or equivalent experience. As per the exam description, The CompTIA CloudNetX certification exam will certify the successful candidate has the knowledge and skills required to: Analyze business requirements to design and configure secure network architecture for on-premises and cloud environments. Analyze requirements to design for network security, availability, Zero Trust, and identity and access management technologies. Apply and configure concepts and tools related to network monitoring and performance, automation, and scripting. Tro...
Read more