
Posts published in “Threat Hunting”

Vulnerability Remediation – QID: 91017 and QID: 100269


One of my servers was found to have two urgent (severity 5) vulnerabilities. The Qualys scan report gives plenty of detail about them, such as solutions, patches and links. Applied Patch: unfortunately, even though I downloaded the right patches and applied them to this server, the scan still shows those vulnerabilities. Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011); Microsoft Internet Explorer Cumulative Security Update (MS15-124). You can find out details about them at the end…

PID 4 listening on Port 80 or Port 12345


Something interesting came up during one of our vulnerability scans. Lots of machines were listening on port 12345, with many connections on it, and the owning PID was 4, which is the system process. The same thing was also found on HTTP port 80. Here are the netstat command outputs. Symptoms: C:\Windows\system32>netstat -tabno | find ":80"   TCP                 LISTENING     …

Vulnerability: SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL


Recently, during a vulnerability scan, an RC4 cipher was found in use on the SSL/TLS connection at port 3389. The solution in the Qualys report is not clear about how to fix it. This post records some results found online on how to fix this SSL/TLS RC4 cipher vulnerability.

SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL

QID: 38601
Category: General remote services
CVE ID: CVE-2013-2566, CVE-2015-2808
Vendor Reference: -
Bugtraq ID: 91787, 58796, 73684
Service Modified: 05/10/2019
User Modified: -
Edited: No
PCI Vuln: Yes

Bulk IP Reputation Check using Security Websites and Open Source Scripts


This topic has been haunting my mind for quite a while. As an information security guy, we get tons of reports about endpoint activities, one of which is the website IPs or URLs they were accessing. A typical abnormal network behaviour for an infected or compromised endpoint is a huge amount of access to malicious IPs or bad-reputation websites.

For many investigations I can generate an IP list, but how to quickly find out the IP reputation is a challenge for me.

That is why I am writing this post today. I am still checking those websites and scripts; hopefully I can get a good understanding and then come out with my own script to do this job.

Find Real IP of a Website Behind CDN


More and more websites are using a CDN (Content Delivery Network) to help deliver their content to end users. It is faster, safer and more reliable. At the same time, a CDN such as Cloudflare hides your real IP behind its public IPs. Is there a way to bypass the CDN and find out those websites' real IP addresses?

Windows Remote Command Line Troubleshooting Tips and Tricks


Here are some scripts and methods for remote troubleshooting or running commands on remote machines. I found them very useful, especially in an enterprise environment if you have a domain admin account.
Prerequisites to run remote commands:

  • Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe
    • or from
  • Install Windows Management Framework:
    • copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive or download from
    • open PowerShell as an administrator, navigate into the directory on your C drive, and run the command
      • .\Install-Wmf.ps1
  • Install Microsoft Visual C++ 2017 redistributable from \\shareserver\it\$Install\Scripting prerequisite\VC_redist.x64.exe
    • Download from
  • From a PowerShell prompt running as an administrator, run the command
    • Set-ExecutionPolicy Unrestricted -Force
  • From a PowerShell prompt running as an administrator, run the command
    • winrm quickconfig

Sysinternals Tool Sysmon Usage Tips and Tricks


The Microsoft Sysinternals tool Sysmon is a service and device driver that, once installed on a system, logs indicators that can greatly help track malicious activity, in addition to helping with general troubleshooting.
Sysinternals from Web Browser:

Basic Sysmon usage commands:

sysmon -i -accepteula [options]

• Extracts binaries into %systemroot%
• Registers event log manifest
• Enables default configuration