Forget the phrase "password" - it should be pass-sentence

It is unfortunate that the word "password" contains the word "word". It leads people to almost always use a single word, add one or two digits, maybe a special character, and that's it:

Classic passwords:
alina11$
456peter
nadine030
target123
cowboy123

etc..

word + number (+ special character) ==> ❌ very bad security

Solution

So how can that be fixed, given that remembering long, complex passwords like oT(O§%isaB"4 is hard? Answer: instead of using "words" as passwords, use sentences.

Example:
ilikenewyorkquitealot
natureisimportanttome
danhasbeautifuleyes
ireallylovethehow2itsecblog

=> 🔒✅ Stronger passwords
=> 🔒✅ Fast to type
=> 🔒✅ Easy to remember

The strength comes from the length: every additional character multiplies the number of candidates a cracker has to try, and a 20+ character sentence is far outside what brute force can reach, even without digits or special characters. Pick a sentence of your own, though: famous quotes, song lyrics and film titles are in cracking wordlists, so they are guessed just like single words.

Additional tips:
1. Always use two- or multi-factor authentication (2FA/MFA)
2. Use a password manager (like the free KeePass)
3. Protect your mail accounts! Use unique and long passwords with 2FA for them, because that is where your other passwords get reset.


German version (translated to English):

Forget "password", it should be called "pass-sentence"

Unfortunately it is called "password", and the word "word" is in it. It would be much better if it were called "pass-sentence". The classic password looks like this:

alina11$
456peter
nadine030
target123
cowboy123

etc.

word + number (+ special character) ==> ❌ very bad security

Solution

What can you do about it in practice? Remembering long, complex passwords like oT(O§%isaB"4 is hard. Answer: instead of using "pass-words", use "pass-sentences":

Example:
ilikenewyorkquitealot
natureisimportanttome
danhasbeautifuleyes
ireallylovethehow2itsecblog

=> 🔒✅ Better security
=> 🔒✅ Fast to type
=> 🔒✅ Easy to remember

Additional tips
1. Always use two- or multi-factor authentication (2FA/MFA)
2. Use a password manager (like the free KeePass)
3. Protect your mail accounts! At least there, always use unique, long passwords plus 2FA, because that is where passwords are reset.

Intel NUC 10th gen running VMware ESXi 7.0

Because of growing data I needed more storage, so I bought a new Intel NUC (10th generation) and run VMware ESXi 7.0 on it. For the setup, virten.net is again really helpful and provides all the necessary information.

Install ESXi on the NUC from a USB stick; I created the stick with Rufus. For the ESXi image, follow the steps from virten.net to build an ESXi 7.0 image that includes a network interface card driver working on the Intel NUC 10th gen (otherwise the installer stops with a "No Network Adapters" error).

Start PowerShell (with admin rights; VMware PowerCLI with its VMware.ImageBuilder module must be installed, and the ne1000 offline bundle from virten.net must be in the current directory) and type in:

# ImageBuilder cmdlets come from PowerCLI; this is the import that fails under a restrictive execution policy (see below)
Import-Module VMware.ImageBuilder
# Pull the stock ESXi 7.0 image profile from the VMware online depot and save it as an offline bundle
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Export-ESXImageProfile -ImageProfile "ESXi-7.0.0-15843807-standard" -ExportToBundle -filepath ESXi-7.0.0-15843807-standard.zip
Remove-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
# Work offline from here on: the saved bundle plus the ne1000 driver bundle (downloaded beforehand)
Add-EsxSoftwareDepot .\ESXi-7.0.0-15843807-standard.zip
Add-EsxSoftwareDepot .\ESXi670-NE1000-32543355-offline_bundle-15486963.zip
# Clone the stock profile, swap the bundled ne1000 driver for the version that works on the NUC 10th gen
New-EsxImageProfile -CloneProfile "ESXi-7.0.0-15843807-standard" -name "ESXi-7.0.0-15843807-NUC" -Vendor "virten.net"
Remove-EsxSoftwarePackage -ImageProfile "ESXi-7.0.0-15843807-NUC" -SoftwarePackage "ne1000"
Add-EsxSoftwarePackage -ImageProfile "ESXi-7.0.0-15843807-NUC" -SoftwarePackage "ne1000 0.8.4-3vmw.670.3.99.32543355"
# Write the customized profile as a bootable ISO (for the USB stick) and as an offline bundle (for later upgrades)
Export-ESXImageProfile -ImageProfile "ESXi-7.0.0-15843807-NUC" -ExportToIso -filepath ESXi-7.0.0-15843807-NUC.iso
Export-ESXImageProfile -ImageProfile "ESXi-7.0.0-15843807-NUC" -ExportToBundle -filepath ESXi-7.0.0-15843807-NUC.zip

If you run into an "about_Execution_Policies" error (https://go.microsoft.com/fwlink/?LinkID=135170), like:

+ Import-Module VMware.ImageBuilder
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand

then the current execution policy (Restricted by default on Windows clients) blocks the module's scripts from loading, and you can help yourself with the following temporary workaround:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

❗Warning! RemoteSigned lets any locally created or locally copied script run unsigned, so this weakens the machine's policy (see the Microsoft documentation linked above). A less invasive variant is to limit the change to the current PowerShell session with the -Scope parameter of Set-ExecutionPolicy (process scope), so nothing persists in the registry. If you changed the machine-wide setting as shown, set it back to the default after creating the image using:

Set-ExecutionPolicy -ExecutionPolicy Default

Update 04.01.2021: After having problems with large file transfers from and to the ESXi host, or from and to VMs running on it, I reinstalled ESXi 6.7u3 on the NUC. The problems continued: large file transfers via SCP, SFTP or HTTPS were always corrupted or broke off, no matter which application or operating system. So I decided to switch to Proxmox. Proxmox and the VMs on Proxmox work fine and have no issues.

SIEM Use Case - find suspicious PowerShell commands

Microsoft's PowerShell is a very powerful tool, and attackers use it as a LOLBin (living-off-the-land binary): it is already on every Windows system, signed by Microsoft, and can download, decode and execute payloads without dropping a file. A SIEM use case to detect suspicious PowerShell commands or scripts can look like this:

Logging / Data Source

Enable PowerShell Script Block Logging (Event ID 4104), or use your Advanced Endpoint Protection (AEP) or Endpoint Detection and Response (EDR) tool such as VMware Carbon Black, Microsoft Defender ATP, CrowdStrike or others. Note what each source contains: 4104 logs the script text after PowerShell has decoded it, so the decoded payload of an encoded command shows up there, while the command line with the -EncodedCommand switch itself is only visible in process-creation telemetry (Security Event ID 4688 with command-line auditing enabled, Sysmon Event ID 1, or the EDR's process events). Use both if you can.

SIEM use case / fetch suspicious PowerShell

1. process = powershell.exe

&&

2. cmd = ToBase64String OR FromBase64String OR -e OR -en OR -enc OR -enco OR -encod OR -encode OR -encoded OR -encodedc OR -encodedco OR -encodedcom OR -encodedcomm OR -encodedcomma OR -encodedcomman OR -encodedcommand OR -ec

(the long list exists because powershell.exe accepts any unambiguous abbreviation of -EncodedCommand, down to -e, plus the alias -ec, and attackers pick the shortest one; match these as whole, case-insensitive tokens, since a plain substring match on -e also fires on -ExecutionPolicy, -ErrorAction and every other switch starting with e)

&&

3. not cmd = Windows\CCM\*

(the SCCM client under Windows\CCM legitimately runs encoded PowerShell; keep the exclusion tied to that path rather than to the process name, otherwise anything that happens to be started by it is whitelisted)
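The three conditions above, run over a handful of sample events, as an added example that is not part of the original post. It goes a little beyond the use case: the -EncodedCommand abbreviations are generated instead of typed by hand, switches are matched as whole tokens so that -ExecutionPolicy does not trip the -e rule, pwsh.exe (PowerShell 7) is treated as a PowerShell host as well (an assumption of this example), and the base64/UTF-16LE payload is decoded for the analyst, tolerating malformed input. The event shape ({"process": ..., "cmd": ...}) and all sample events are constructed for this example, not real telemetry.

```python
import base64
import binascii
import re

# Every unambiguous prefix of -EncodedCommand (from -e upwards) plus the
# documented alias -ec; generated so no variant is missed.
ENCODED_SWITCHES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}

# Assumption of this example: pwsh.exe counts as PowerShell too (page lists powershell.exe only).
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# A switch is a whole token introduced by "-" or "/" and ended by whitespace,
# so "-e" matches but "-ExecutionPolicy" or "-ErrorAction" does not.
_SWITCH_RE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)(?=\s|$)")
_B64_API_RE = re.compile(r"(?:To|From)Base64String", re.IGNORECASE)
# Exclusion from the use case: the SCCM client under Windows\CCM legitimately uses encoded commands.
_CCM_RE = re.compile(r"\\Windows\\CCM\\", re.IGNORECASE)


def find_encoded_switch(cmd):
    """Return the regex match of the first -EncodedCommand-style switch, or None."""
    for m in _SWITCH_RE.finditer(cmd):
        if m.group(1).lower() in ENCODED_SWITCHES:
            return m
    return None


def decode_encoded_command(cmd):
    """Decode the argument after the switch (base64 of UTF-16LE text), or None.

    Bad base64 or an odd byte count (not valid UTF-16LE) yields None instead of
    an exception, so one malformed event cannot stop the whole scan.
    """
    m = find_encoded_switch(cmd)
    if m is None:
        return None
    rest = cmd[m.end():].split()
    if not rest:
        return None
    try:
        return base64.b64decode(rest[0], validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(event):
    """Apply the use case's three conditions to one event; None if not suspicious."""
    image = event.get("process", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_HOSTS:          # 1. process = powershell
        return None
    cmd = event.get("cmd", "")
    if _CCM_RE.search(cmd):                     # 3. not cmd = Windows\CCM\*
        return None
    switch = find_encoded_switch(cmd)           # 2. encoded-command markers
    api = _B64_API_RE.search(cmd)
    if switch is None and api is None:
        return None
    return {
        "switch": switch.group(0) if switch else None,
        "base64_api": api.group(0) if api else None,
        "decoded": decode_encoded_command(cmd),
    }


def scan(events):
    """Return [(index, finding)] for every suspicious event."""
    return [(i, f) for i, f in ((i, classify(ev)) for i, ev in enumerate(events)) if f is not None]


def _b64_utf16(text):
    """Encode text the way powershell.exe expects it for -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). "cmd" is the command line for
# process-creation events and the script text for 4104 script-block events.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + _b64_utf16("Get-Process")},
    {"process": "powershell.exe",                      # benign: "-e" substring only
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"process": "pwsh.exe",                             # script block reading a file into base64
     "cmd": r"[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Users\u\vault.kdbx'))"},
    {"process": "powershell.exe",                      # SCCM client, excluded by condition 3
     "cmd": r"$d = Get-Content C:\Windows\CCM\SystemTemp\p.txt; [Convert]::FromBase64String($d)"},
    {"process": "cmd.exe", "cmd": "cmd.exe /c echo -enc"},   # not a PowerShell host
    {"process": "powershell.exe",                      # switch present, payload not decodable
     "cmd": "powershell.exe -EncodedCommand not*base64!"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

Events 0, 2 and 5 are reported; event 1 shows why whole-token matching matters, because the substring rule from the use case would flag it on -e. In a real SIEM the decoded payload is what you would pivot on next (URLs, IEX, DownloadString and so on), which is a separate use case.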

More useful information

Cribl - change values to lowercase

Some logs (e.g. from Microsoft Azure) are not always fully normalized to lowercase characters. You can use Cribl to adjust those values by...