
Stefan van Bruggen Posts

[Ransomware] WanaCrypt0r, how does it behave during an infection?

Ooops, your day may have been ruined!


Well, I don’t think this one needs a lot of introduction because the chances that you haven’t heard about this latest ransomware problem are pretty slim.

So, assuming we all know what it is and what ransomware does, how many people have observed the process in detail?
Sounds like it’s time to take a closer look at what actually happens when a system gets infected.

(Don’t forget to click the screenshots if you want to read the details)

How the test was performed.

In this scenario, I created a Windows 10 Virtual Machine, planted a few decoy files and installed some common applications like Microsoft Office 2016, Mozilla Firefox and 7Zip.

Now, of course we aren’t going to infect this machine and just shut it down again; we want to monitor it and have a way to reclaim control over the VM. To achieve this I used the next-gen AV solution SentinelOne.

SentinelOne is different from regular AV solutions because it does not only look at the hash of the malware files, but also at what they do.

I won’t go into the technical details, perhaps in a future blogpost, so to keep it short: Imagine opening a Word file and the second you do that, it starts creating new processes, modifies registry entries, etc. SentinelOne monitors this behavior and when a certain threshold of suspicious behavior is reached it kills the process and rolls back the changes made by the malware.

Results: What happens when you execute the malware?

I executed the WannaCry ransomware on the VM and configured SentinelOne to only alert instead of killing the process. SentinelOne keeps monitoring the VM and auto-creates a nifty report in the management console.
Keep in mind that at this point, the entire VM has been encrypted and these nice people are offering me the decryption key for bitcoins.

So, this entire process resulted in a .CSV report featuring a small amount of… 17288 rows! I selected a few interesting parts to highlight in this post, let’s start by taking a look at who this bad boy tries to talk to.

Friends in Germany and the USA, so no Russian/North-Korean/Chinese/Mordor influence so far.

Onwards to the ‘installation’ of the ransomware, the creators took their time to provide proper customer service and included translations for 28(!) languages to show the payment instructions in:

Next, it downloads the readme file, the background.jpg to replace the user’s wallpaper with, the decryptor tool to enter the key into after payment, and multiple .bin.gz files.

Not visible in this screenshot but interesting nevertheless, it even downloads a TOR browser for you! How nice of them.

Of course, the process would not be complete without deleting shadow copies, stopping services and acquiring persistence on the machine:

And now it starts wreaking havoc: in a time-span of barely two minutes (you read that correctly, two. minutes.) it encrypts everything it can find on the machine, rendering it completely out of order until the ransom is paid.


Because SentinelOne is running on the machine, getting rid of the infection was quite simple by issuing a Rollback-command from the management console.
By using this option, SentinelOne rolls back all the changes made by the ransomware and notifies the user that the system has to be rebooted.

After the reboot, the machine is back in its original pre-infected state and the infected files are cleaned up.

Of course, in a production environment you would configure SentinelOne to kill the process right away to prevent further damage. You also have the option to disconnect the machine’s network connection and notify the other clients about the infection’s behavior so that they can prevent getting infected themselves as an auto-immune response.

If you are interested in the report containing the raw data, contact me on Twitter (@SvanBr) or shoot me an E-mail.

Disclaimer: I am not sponsored by SentinelOne in any way.


[Microsoft] Hands-on Labs – Quick Review

I’ve waited for this moment for so long… *wipes away tear

Last week, Microsoft finally launched the ‘new and improved’ version of TechNet Labs (found here) called Hands-on Labs.

In these labs, Microsoft provides you with an Azure-powered live environment you can use to practice with their new and current products without the risk of messing up your own systems.
Currently, they provide a pretty wide range of options including Server 2016, Azure, SQL Server and many more. (Note: for some reason, sorting the labs by newest places the newer products on the last page instead of the first.)

Let’s get started, fire up those VMs!

So, let’s start with a randomly chosen lab to see how it all works, shall we? First we pick a lab and view the details:

Looks interesting enough, time to launch the lab and let Azure do its magic...

When launching the lab, we get redirected to a new webpage and you get to see a progress window, just to let you know it’s working hard to start your lab. (Wouldn’t want people to think Azure is taking it easy, would we?)


First impressions

Creating and booting up the required VMs was faster than I expected, within a few minutes you are greeted by a short introduction of the lab objective and you are ready to get that knowledge flowing into your mind.

Is it any good?

Based on the short time I spent clicking through a few of the labs, I have to say that I’m very positive about the Hands-on Labs.

The process of launching the labs, creating the VMs and working with the labs is very straightforward and works pretty smoothly. I expected this process to take a lot longer, but Microsoft does a good job of providing their users with a fully functioning environment in a very short time.

If they manage to provide new labs before or shortly after the release of new products or product versions, I can see this becoming a must-use tool for exam preparations and a very handy tool to get some hands-on experience with the products you are planning to implement in your own environment.
Conclusion: Very positive first experience, with a lot of potential uses.

[Rant] LinkedIn Recruiters..

Dear Steven,

Apologies for the direct approach, but after reading your LinkedIn profile I just had to show you this perfect opportunity at one of my clients!
My client is a young/dynamic/rockstar/IT-ninja/growing/etc. organisation who’s growing fast and is looking for a young/dynamic/rockstar/IT-ninja/superstar/talented [INSERT JOB TITLE].

Now I was wondering if you value career growth, more money, a brand-new car and yourself? Because if you do, you are the one they need.

Let’s talk about this offer over a cup of coffee sometime, I’ll hear from you soon! 🙂


Ricky Recruiter
Recruiting Rockstar
Recruiting Inc.

Sounds familiar, doesn’t it?

It seems like it’s hunting season again for IT recruiters all over the Netherlands, because these kinds of messages have become a daily occurrence.

Of course, spelling my name wrong and showing me a job offer that has nothing to do with my experience (I’ve even received an offer for a job as an Oracle Administrator…. really?) is a clear giveaway that they spam multiple people with a copy+paste message.

*Sigh* .. anyway, at least I have a good idea of my market value thanks to these people.

[Server 2016] 70-740 exam (MCSA 2016)

So, after endless delays and procrastination I finally started the path to getting my MCSA certification. (I know, about time after working in IT for almost 9 years..)

Today, I passed the new 70-740 Installation, Storage, and Compute with Windows Server 2016 exam!

It wasn’t easy: the exams for MCSA 2016 have only just come out of beta, so there is an extreme lack of study material available. If you are planning to take this exam soon, I can recommend the following resources:

  • Exam Ref 70-740 Installation, Storage and Compute with Windows Server 2016 by Craig Zacker (I used the eBook)
  • Pluralsight video courses by Greg Shields

And of course some hands-on experience if possible.

The exam itself has a lot of focus on Hyper-V configuration and Failover Clustering, in my case about 75% of the questions were about these subjects.

All in all, I appreciated that the exam focused on plausible scenarios instead of knowing dry facts and PowerShell commands. Do not take this exam lightly though, because it is definitely not easy.

[Veeam] Manually remove restore points

Veeam does not have a built-in function to remove restore points manually. It took me a while, but after trying a lot of different ways and scripts I have found a way to do it. (Please note that this is a last resort; Veeam should clean up old restore points by itself.)

  1. Go to Backup & Replication -> Backups.
  2. Right-click the job you want to edit and click ‘Remove from configuration’ (Do not delete from disk!).
  3. Open the Windows Explorer and browse to the job’s folder in the backup repository.
  4. Delete the restore points you want to remove, and delete the .VBM file.
  5. Re-import the most recent .VBK file into Veeam.
  6. Run the following script using the Veeam Powershell to generate a new .VBM file:
  7. Remove the imported backup from Veeam
  8. Re-scan the backup repository (Backup Infrastructure -> Backup Repositories)
  9. Go to the associated backup job and re-map the backup. You can do this by editing the job, going to the Storage-tab and click Map backup.

And that’s it! Now you’ve reclaimed the disk space you needed, removed corrupted backups, or whatever reason you had for removing the restore points.

[Certifications] Nutanix Platform Professional

There we go! Nailed the NPP exam last Friday.

The exam itself was pretty good, most questions were relevant to real life situations instead of the usual stuff like “Our product is the best, please mark the answer that says we are the best”.

The only downside is that the training for this exam is not nearly enough, you definitely need some experience working with Nutanix to be able to achieve a high enough score to get the certification.

Anyway, onwards to the next couple of certs: Windows Server 2016!

[Veeam] Repeatedly failing replica-jobs, fixed!

So, let’s take a break from all the Powershell creativity and take a look at everybody’s favourite thing in IT: Backups! Failed backups!

(The screenshots are unclear and censored to protect customer information)

The problem here is that Veeam’s replication jobs started failing, stating that an ‘Invalid Snapshot Configuration’ was the problem. Sounds easy, right?
Well, it turns out that this can cause a lot of work to get this fixed, so to save you some time I documented the solution for you.

First I tried consolidating the snapshots, but it greeted me with the following error:


A CID mismatch.. not on my watch! Let’s check this out and start an SSH connection to the ESX-host where these VMs are placed and run some checks:

So, for some reason the snapshot descriptors list a parent CID that does not match the CID of the actual base disk:

We can fix this! Open the snapshot .vmdk descriptor files using VIM and simply change the parent CID to the CID of the base disk.

Now consolidate the snapshots again, restart your replica jobs, problem solved!

[Powershell] Corrupt Userprofiles – Quick fix via Powershell

Customer X had a long ongoing problem with userprofiles getting corrupted due to their antivirus solution holding the ntuser.dat file hostage. It took a while before we found the cause of this problem so we had to think of a quick fix to keep things running.
Another problem was that the locally stored corrupted profile was getting synced to the profile server, causing trouble for users on multiple workstations.

To save time and to give the sysadmins an easy way to clean these corrupted profiles, I automated the process with this (admittedly messy) script.

I’ve also added some workarounds that start the services this script needs, because in some cases these are not enabled (WinRM, Remote Registry, etc.).

Note: The text in the popup is in Dutch.
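A cleaned-up sketch of the same approach, added here as an example and not the script from the post: it assumes Windows PowerShell 5.1, that the operator is a local administrator on the workstation, that the user is logged off there, and that $Computer and $UserName are supplied as placeholders. The roaming copy on the profile server is left alone.

```powershell
# Added example, not the script from the post: remove a corrupted local profile
# from a workstation remotely. $Computer and $UserName are placeholders.
param(
    [Parameter(Mandatory)] [string]$Computer,
    [Parameter(Mandatory)] [string]$UserName
)

# The post mentions that WinRM and Remote Registry are sometimes disabled on the
# workstations; enable and start them over the service control manager first,
# since the CIM calls further down need WinRM.
foreach ($name in 'WinRM', 'RemoteRegistry') {
    $svc = Get-Service -ComputerName $Computer -Name $name
    if ($svc.StartType -eq 'Disabled') {
        Set-Service -ComputerName $Computer -Name $name -StartupType Manual
    }
    if ($svc.Status -ne 'Running') {
        Set-Service -ComputerName $Computer -Name $name -Status Running
    }
}

# Win32_UserProfile tracks both the profile folder and its ProfileList registry
# entry; deleting the instance removes both. Deleting C:\Users\<name> by hand
# leaves a stale ProfileList key behind, which is what produces TEMP profiles.
$userProfile = Get-CimInstance -ComputerName $Computer -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -like "*\$UserName" }

if (-not $userProfile) {
    throw "No local profile for '$UserName' found on $Computer"
}
if ($userProfile.Loaded) {
    throw "Profile for '$UserName' is still loaded on $Computer; log the user off first"
}

# Remove-CimInstance invokes the class's DeleteInstance, which for
# Win32_UserProfile deletes the profile folder and the registry entry.
Remove-CimInstance -InputObject $userProfile
Write-Host "Removed local profile $($userProfile.LocalPath) from $Computer"
```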



[WSUS] Cleaning up superseded updates

Sadly, the WSUS cleanup wizard neglects to clean up updates that were approved in the past but have been superseded since.

Because these updates tend to use a lot of disk space, I use a short Powershell script that checks all updates for superseded ones and declines them. After this, the WSUS cleanup wizard can be run again to clear up disk space.
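A PowerShell version of that clean-up, added here as an example and not the author's own script: it assumes the UpdateServices module on the WSUS server itself and the default port 8530, and it adds one check the paragraph does not mention, namely that an update is only declined when an approved update supersedes it, so clients do not lose a fix they still need.

```powershell
# Added example, not the author's script: decline updates that a newer update
# supersedes, so the WSUS cleanup wizard can reclaim their disk space afterwards.
# Assumes it runs on the WSUS server with the UpdateServices module installed.
Import-Module UpdateServices

function Remove-SupersededUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Server = 'localhost',   # placeholder; the local WSUS server
        [int]$Port = 8530,               # default HTTP port of WSUS
        [switch]$UseSsl
    )
    $wsus = Get-WsusServer -Name $Server -PortNumber $Port -UseSsl:$UseSsl
    $declined = 0

    # Every update not already declined (approved or not), regardless of install
    # status, filtered down to the ones that have a superseding update.
    $candidates = Get-WsusUpdate -UpdateServer $wsus -Classification All `
                                 -Approval AnyExceptDeclined -Status Any |
                  Where-Object { $_.Update.IsSuperseded }

    foreach ($u in $candidates) {
        $iu = $u.Update   # the underlying IUpdate object
        # Safety check: only decline when at least one of the updates that
        # supersede this one is approved, otherwise clients lose coverage.
        $relation = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate
        $covered = $iu.GetRelatedUpdates($relation) | Where-Object { $_.IsApproved }
        if (-not $covered) {
            Write-Verbose "Skipping '$($iu.Title)': no approved superseding update"
            continue
        }
        if ($PSCmdlet.ShouldProcess($iu.Title, 'Decline superseded update')) {
            Deny-WsusUpdate -Update $u
            $declined++
        }
    }
    return $declined
}

# Dry run first (-WhatIf), then the real thing; afterwards run the cleanup wizard
# or Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CompressUpdates.
Remove-SupersededUpdate -WhatIf -Verbose
# Remove-SupersededUpdate -Verbose
```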

Stefan van Bruggen - 2017