Server Manager Refresh Failed: Call was Cancelled by the Message Filter

Posted by Ahmed Nabil
Lately I noticed that Server Manager on one of our Windows Server 2012 R2 file servers was continuously failing to refresh. A normal reboot and the usual checks and scans didn't fix the problem, and I ended up with the screenshot below.

The failure detail was "Call was cancelled by the message filter". This is the text of the COM error RPC_E_CALL_CANCELED (HRESULT 0x80010002): Server Manager queries the server over WMI, and the underlying COM call into the WMI service was being cancelled rather than answered.

I also noticed that the error below was repeated throughout the server's Application event log (Event ID 1000, Faulting application cscript.exe).

Server Manager wasn't the only thing failing: the File Server Resource Manager (FSRM) MMC also returned an error when I opened it and was unable to connect to the WMI repository.

After extensive searching, the most recommended fix was to recompile the MOF files and so rebuild the WMI repository on the Windows Server 2012 R2 server. Several people reported that it didn't work for them, so I am sharing below the exact steps that worked for me.

  1. Ensure all MMC consoles, including Server Manager, are closed.
  2. Open an elevated CMD prompt.
  3. Navigate to C:\Windows\System32\wbem\AutoRecover (it is very important to run the command from the AutoRecover folder and not from the wbem root).
  4. Type for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s (if you put this in a .bat file instead of typing it interactively, write %%s instead of %s).
  5. It will start parsing the MOF files one by one until the end, as shown in the screenshot below.
  6. You should get a "Done" confirmation after each MOF file is parsed. If it hangs on "Storing data in the repository" for a long time with no progress, kill the "WMI Provider Host" (WmiPrvSE.exe) process from Task Manager as shown below. As soon as the WMI Provider Host is ended, the hung mofcomp call continues without any problem.
  7. Reboot the server.
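The same procedure as a PowerShell script, added here as an example and not part of the original post or any Microsoft documentation. It walks the AutoRecover folder, runs mofcomp on each .mof and .mfl file in turn, recovers from the "Storing data in the repository" hang the way step 6 does by terminating WmiPrvSE, and then runs winmgmt /verifyrepository and a test CIM query so you can confirm WMI answers before rebooting. The 120-second hang timeout is an assumed value, not something the post specifies.

```powershell
# Added example (not from the original post): recompile every MOF/MFL file in the
# WMI AutoRecover folder one at a time, and unblock a hung mofcomp by killing the
# WMI Provider Host, as described in step 6. Run from an elevated PowerShell
# prompt with every MMC console closed. $HangTimeoutSec is an assumed value.
param(
    [string]$AutoRecover   = "$env:SystemRoot\System32\wbem\AutoRecover",
    [int]   $HangTimeoutSec = 120
)

function Invoke-MofCompile {
    param([string]$File, [int]$TimeoutSec)

    # Run mofcomp as a child process so the script can time it out instead of
    # blocking forever; the working directory is AutoRecover, as the post requires.
    $proc = Start-Process -FilePath 'mofcomp.exe' -ArgumentList "`"$File`"" `
        -WorkingDirectory $AutoRecover -NoNewWindow -PassThru
    $null = $proc.Handle   # cache the handle so ExitCode is populated after exit

    if (-not $proc.WaitForExit($TimeoutSec * 1000)) {
        Write-Warning "mofcomp hung on $File; stopping WMI Provider Host (WmiPrvSE) to unblock it"
        Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue | Stop-Process -Force
        # mofcomp normally resumes once the provider host is gone; give it one more window.
        if (-not $proc.WaitForExit($TimeoutSec * 1000)) {
            $proc.Kill()
            return $false
        }
    }
    return ($proc.ExitCode -eq 0)
}

$failed = @()
$files = Get-ChildItem -Path $AutoRecover -File |
    Where-Object { $_.Extension -in '.mof', '.mfl' } |
    Sort-Object Name   # same order as "dir /b *.mof *.mfl"

foreach ($f in $files) {
    Write-Host "Parsing $($f.Name)"
    if (-not (Invoke-MofCompile -File $f.FullName -TimeoutSec $HangTimeoutSec)) {
        $failed += $f.Name
    }
}

# Checks worth doing before the reboot: repository consistency, and a plain CIM
# query of the kind Server Manager and FSRM themselves depend on.
& winmgmt.exe /verifyrepository
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, LastBootUpTime

if ($failed) {
    Write-Warning "Files that did not compile cleanly: $($failed -join ', ')"
} else {
    Write-Host "All MOF/MFL files compiled; reboot the server to finish."
}
```

Killing WmiPrvSE is safe here because the WMI service restarts provider hosts on demand, but it does abort whatever other WMI callers were in flight, which is why the post insists that every console be closed first. If winmgmt /verifyrepository reports the repository as inconsistent after the recompile, the problem is in the repository itself rather than in the MOF files.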

After rebooting the server, Server Manager opened and refreshed its status without any problem, as did the other MMC consoles such as File Server Resource Manager.

Hopefully this might be beneficial for users facing the same issue.

Microsoft Windows Defender ATP Protection Step by Step implementation and Configuration - Part 2

Posted by Ahmed Nabil
In part 1 of this series I went through the configuration of the new Windows Defender ATP service. In this post I will move forward, run a demo attack and show how it is analyzed in the ATP portal.

For more Info please check Part 1

The main goal of this article is to understand how attacks are reported and how to analyze them and navigate the ATP portal. Microsoft did a good job and provided a Do It Yourself (DIY) document for anyone running an ATP trial. These are safe scenarios that do no harm, intended to test and explore ATP functionality (to be used only in test environments).

So based on this DIY attack scenario document, the attack sequence is as follows:

  1. The user receives a link in an email (the typical attack vector) asking them to download what looks like an ordinary Word document. This "fake" Word document carries a malicious macro that drops a malicious executable on the machine. A few points to consider here: the attacker will look for the user most likely to click the link without hesitation, targeting people who don't take security seriously. The number one source of information on your users and their interests is social media such as LinkedIn and Facebook. A user might be a huge football fan, and the whole document and process will be geared towards that interest (targeted attacks). A very useful tool for scanning each and every link in your email is Office 365 Advanced Threat Protection, which is different from Windows Defender ATP, as I explained in my first post.
  2. The executable opens a backdoor that allows the attacker to run commands on the victim machine. In our test scenario (Microsoft's DIY document) it opens PowerShell.
  3. The last step is running a couple of reconnaissance commands, copying a few files and gathering some system information to complete the scenario. In real-life scenarios this could be wiping your hard disk or encrypting it (ransomware).

In our case I received the file and opened it, and that was it: the executable ran, a session was opened to the attacker's server, and the machine was completely compromised.

So let us take a look at the ATP portal dashboard after simulating the attack.

An active alert is displayed showing that a Right-to-Left Override (RLO) technique was used. RLO is a Unicode control character (U+202E) intended for scripts written from right to left, such as Arabic; the problem is that it reverses the display order of the characters that follow it, so a file name can be made to look like something other than what it is. In our case the malware was hidden in this file and, using this technique, it was shown to users as a Word file, which they did not suspect and opened.
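To make the RLO trick concrete, here is an added PowerShell example (not code from the original post, and not how Windows Defender ATP itself detects it) that flags file names carrying Unicode bidirectional override and embedding characters, shows what a user would see on screen next to the real extension, and can sweep a directory tree for such names. The sample file names are constructed for illustration; the display simulation reverses everything after the first RLO, which is what happens for plain Latin text and is enough to show the swap.

```powershell
# Added example (not from the original post): flag file names that contain
# Unicode bidi override/embedding controls and show the on-screen name versus
# the real extension. Sample names below are constructed for illustration.

# Code point -> short name for the bidi controls that can disguise a file name.
$BidiControls = @{
    0x202A = 'LRE'; 0x202B = 'RLE'; 0x202C = 'PDF'; 0x202D = 'LRO'; 0x202E = 'RLO'
    0x2066 = 'LRI'; 0x2067 = 'RLI'; 0x2068 = 'FSI'; 0x2069 = 'PDI'
}

function Test-BidiFileName {
    param([Parameter(Mandatory)][string]$Name)

    $found = @()
    foreach ($c in $Name.ToCharArray()) {
        if ($BidiControls.ContainsKey([int]$c)) { $found += $BidiControls[[int]$c] }
    }

    # Approximate what a left-to-right display shows: the text after an RLO is
    # rendered reversed. This is a simplification of the Unicode bidi algorithm
    # (digits and punctuation have extra rules) but it reproduces the
    # "evil<RLO>cod.exe" -> "evilexe.doc" disguise.
    $rlo = $Name.IndexOf([char]0x202E)
    $shown = if ($rlo -ge 0) {
        $tail = $Name.Substring($rlo + 1).ToCharArray()
        [array]::Reverse($tail)
        $Name.Substring(0, $rlo) + (-join $tail)
    } else {
        $Name
    }

    [pscustomobject]@{
        Name          = $Name
        DisplayedAs   = $shown
        RealExtension = [System.IO.Path]::GetExtension($Name)   # what Windows executes
        BidiControls  = ($found -join ',')
        Suspicious    = ($found.Count -gt 0)
    }
}

function Find-BidiFileNames {
    # Sweep a directory tree (e.g. a user's Downloads folder) for disguised names.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-BidiFileName -Name $_.Name } |
        Where-Object { $_.Suspicious }
}

# Constructed sample names: one benign document, one RLO-disguised executable.
$samples = @(
    'Quarterly_Report.docx',
    ('Invoice' + [char]0x202E + 'cod.exe'),   # shows as "Invoiceexe.doc", runs as .exe
    'readme.txt'
)
$samples | ForEach-Object { Test-BidiFileName -Name $_ } | Format-Table -AutoSize
```

The value of the check is the gap between DisplayedAs and RealExtension: Explorer and Outlook render the name through the bidi algorithm, while the shell launches whatever [System.IO.Path]::GetExtension returns. Point Find-BidiFileNames at a mail attachment cache or Downloads folder to find names that were never meant to be read the way they look.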

For more info on RLO, please check the link below.

You can click on this alert to dive into more details on how the attack occurred, how it was triggered on the user's machine, which applications were involved, and so on.

This gives you more information on the attack and how it unfolded on the user's machine, starting with outlook.exe, then opening the email and clicking the attachment, which opened the Word file carrying the malware that in turn loaded PowerShell. This is a complete, detailed process tree of the attack using the RLO technique.

We can also go to the machines view and open the suspected machine to check other events, as shown below:

The machine view displays all alerts, warnings and events on this machine. The other stages of our attack scenario are listed here: the RLO technique, hiding files, running suspicious PowerShell and running commands (the whole picture).

Of course you can configure ATP to send you email alerts once these attacks are detected and reported.

One important thing to note about Windows Defender ATP is that it is an EDR (Endpoint Detection and Response) product. Its detections are behavior based, so they can take longer than real-time protection tools such as antivirus and firewalls, which act at the moment a file is executed or a connection is made.

Detection time varies with the complexity of the attack. A simple attack shows up on the ATP portal almost immediately; a very complex one takes longer to appear, as it needs more analysis.

The ATP team is working hard on improving detection accuracy and on adding integration with other services such as Office 365 and Microsoft ATA.

I would highly recommend starting a trial and checking out this solution. The industry average for detecting a breach without EDR is 146 days, so detecting one within a few hours using ATP definitely adds another layer of defense to your current environment.

Hope this post was helpful and enjoy your ATP trial.