Get statistics from Direct Access server(s)

    • Context

During this COVID period, your DirectAccess servers are a good nice-to-have solution for remote access.
However, there’s a limit on the maximum number of connections they can handle.
You should keep an eye on this limit and get an idea of the current workload.
You may as well report these figures to your boss.

    • Issue

The RemoteAccess module provides a cmdlet to get these statistics 🙂

# Get the connection statistics summary
Get-RemoteAccessConnectionStatisticsSummary
# Measure how long the cmdlet takes to return
Measure-Command {
    Get-RemoteAccessConnectionStatisticsSummary
}


As you can see, it’s damn slow. It took about 31 seconds to get the result 😦

    • Solution

You can actually call the underlying CIM class in the WMI repository directly to get the result much more quickly:

# Same namespace, class and method the cmdlet uses under the hood
$HT = @{
    Namespace   = 'root/Microsoft/Windows/RemoteAccess/Server'
    ClassName   = 'PS_RemoteAccessAccountingStatisticsSummary'
    MethodName  = 'GetByActiveStatistics'
    ErrorAction = 'Stop'
}
# The statistics object is returned in the CmdletOutput property
(Invoke-CimMethod @HT).CmdletOutput


As you can see, it takes a few milliseconds instead of seconds to get the result 😎

If you wonder how I found this, here are the steps I followed:

# Identify the module and what type of command it is
gcm Get-RemoteAccessConnectionStatisticsSummary
# Check the content of the function
gc Function:\Get-RemoteAccessConnectionStatisticsSummary
# Once you have identified the relevant namespace,
# you can list its classes and their methods
gwmi -ns root/Microsoft/Windows/RemoteAccess/Server -List | ogv

# Once you have the class, you can query its methods:
Get-CimClass -Namespace `
root/Microsoft/Windows/RemoteAccess/Server `
-ClassName PS_RemoteAccessAccountingStatisticsSummary |
Select -expand CimClassMethods
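The following is an added example, not code from the original post: it wraps the fast CIM call above in a function that can query one or more DirectAccess servers, records how long each call took, and optionally warns when a counter reaches a threshold (the "keep an eye on this limit" part of the context). Only the namespace, class and method name come from the post; the function name, the `-ComputerName` loop and the default counter name `TotalDAConnections` are assumptions, so check the property names on the returned object before relying on the threshold check.

```powershell
# Added example (not from the original post): query the DirectAccess statistics
# summary through CIM on one or more servers and flag a counter crossing a threshold.
function Get-DaStatisticsSummary {
    [CmdletBinding()]
    param(
        # DirectAccess server(s) to query; defaults to the local computer
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # Counter to compare against the threshold (ASSUMED property name on the
        # CmdletOutput object; inspect the output once and adjust if needed)
        [string]$Property = 'TotalDAConnections',

        # Warn when the counter reaches this value; 0 disables the check
        [int]$Threshold = 0
    )

    foreach ($Computer in $ComputerName) {
        # Namespace, class and method are the ones shown in the post
        $HT = @{
            Namespace   = 'root/Microsoft/Windows/RemoteAccess/Server'
            ClassName   = 'PS_RemoteAccessAccountingStatisticsSummary'
            MethodName  = 'GetByActiveStatistics'
            ErrorAction = 'Stop'
        }
        # Remote servers are reached through the -ComputerName parameter of Invoke-CimMethod
        if ($Computer -ne $env:COMPUTERNAME) {
            $HT['ComputerName'] = $Computer
        }

        try {
            # Time the call so the gain over the cmdlet stays visible in the output
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            $Summary = (Invoke-CimMethod @HT).CmdletOutput
            $sw.Stop()

            # Threshold check only when the requested counter exists on the object
            if ($Threshold -gt 0 -and $Summary.PSObject.Properties[$Property]) {
                $Value = [int64]$Summary.$Property
                if ($Value -ge $Threshold) {
                    Write-Warning ('{0}: {1} = {2} reached the threshold of {3}' -f $Computer, $Property, $Value, $Threshold)
                }
            }

            # One object per server, tagged with the server name and the elapsed time
            [PSCustomObject]@{
                ComputerName = $Computer
                ElapsedMs    = $sw.ElapsedMilliseconds
                Summary      = $Summary
            }
        } catch {
            Write-Warning ('{0}: CIM call failed: {1}' -f $Computer, $_.Exception.Message)
        }
    }
}

# Usage: query two servers (names are placeholders) and warn at 500 connections
# Get-DaStatisticsSummary -ComputerName 'DA01', 'DA02' -Threshold 500
```

Because each server produces one object with an `ElapsedMs` field, the function can be scheduled and its output exported to CSV to build the workload history the context section mentions.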

Get a DeepBlue analysis

At RSA Conference 2020, in the video The 5 Most Dangerous New Attack Techniques and How to Counter Them, Ed Skoudis presented a way to look for log anomalies – DeepBlueCLI by Eric Conrad, et al. – as one of the available C2 (Command & Control) defenses.

I forked the original version from the commit made at Christmas 2019.

My intent with this fork of DeepBlueCLI is to:

    • make it available as a PowerShell module contained in a single .psm1 file
    • expose a single function with many parameters (instead of editing the original .ps1 file to change them)
    • align it more closely with what PowerShell can do and with common PowerShell coding style standards

Of course, you should first read what the original DeepBlueCLI can do in its README.

I found the DeepBlue.ps1 script great for various reasons:

    • First, it can analyze a live running Windows computer. By default it reads the Security event log.
      However, it’s not scalable because it loads the regular expressions used for analyzing command content from its companion regexes.txt file.
    • Secondly, it can analyze an exported .evtx file from the ‘Application’, ‘System’, ‘Security’, ‘Applocker’, ‘Sysmon’ or ‘PowerShell’ event logs. That makes it cross-platform: you can use the script on a Linux computer running PowerShell 7 🙂
    • Third, it’s a very fast way to find indicators of compromise. It will tell you if a new account has been added, how many times an account was used to log on, if there are well-known suspicious commands…
    • Last but not least, Eric Conrad stores many sample .evtx files in his GitHub repo.

Let’s see it in action!

I launched a Windows 10 Pro 1809 VM in Azure and ran the following:

# Install PowerShell 7 (msi x64), click, click...
iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"
# Open PS7
saps pwsh

In the new PowerShell 7 console, I ran:

# Download
iwr 'https://github.com/p0w3rsh3ll/DeepBlue/archive/master.zip' -OutFile ~/downloads/DeepBlue-master.zip -Verbose
# Unzip
Expand-Archive ~/downloads/DeepBlue-master.zip ~/downloads/DeepBlue-master
cd  ~/downloads/DeepBlue-master/DeepBlue-master
# Verify
$HT = @{
    CatalogFilePath = "./DeepBlue.cat"
    Path = "./"
    Detailed = $true
    FilesToSkip = 'README.md'
}
Test-FileCatalog @HT
Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Verbose
# Import
Import-Module .\DeepBlue.psd1 -Force -Verbose
# Run the function
Get-DeepBlueAnalysis

I also downloaded the original DeepBlueCLI script and repo from Eric Conrad and ran the same commands to see the difference between my forked version and his:


NB: Notice the tab completion for the Log parameter in my version 😉

# Capture results in a variable
$r = Get-DeepBlueAnalysis -File `
..\DeepBlueCLI-master\DeepBlueCLI-master\evtx\many-events-security.evtx

# Just to get an idea of what DeepBlueCLI is able to report:
$r | group Results -NoElement | ft -Wrap -AutoSize

# Show other sample events:
$r[0]
$r | ? Results -match 'Meterpreter' | select -First 1

Nice, isn’t it?
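As an added example (not code from the original post or from the DeepBlue module), here is how the same `-File` call and the `Results` property can be used to triage a whole folder of exported .evtx files at once, which is the typical situation when logs from several hosts have been collected. Only `Get-DeepBlueAnalysis -File` and the `Results` property are taken from the post; the function name, the folder layout and the shape of the summary objects are assumptions.

```powershell
# Added example (not from the original post or the DeepBlue module): run
# Get-DeepBlueAnalysis over every .evtx file in a folder and summarise the
# findings per file, optionally keeping only findings that match a regex.
function Invoke-DeepBlueTriage {
    [CmdletBinding()]
    param(
        # Folder containing exported .evtx files (e.g. the evtx folder of the DeepBlueCLI repo)
        [Parameter(Mandatory)]
        [string]$Path,

        # Optional regex applied to the Results text to keep only matching findings
        [string]$Filter
    )

    $Files = Get-ChildItem -Path $Path -Filter '*.evtx' -File
    if (-not $Files) {
        Write-Warning "No .evtx files found under $Path"
        return
    }

    foreach ($File in $Files) {
        try {
            # -File is the parameter shown in the post; the module must already be imported
            $Findings = Get-DeepBlueAnalysis -File $File.FullName -ErrorAction Stop
        } catch {
            Write-Warning ('{0}: analysis failed: {1}' -f $File.Name, $_.Exception.Message)
            continue
        }

        if ($Filter) {
            $Findings = $Findings | Where-Object { $_.Results -match $Filter }
        }

        # One summary row per distinct finding text, tagged with the source file
        $Findings | Group-Object -Property Results -NoElement | ForEach-Object {
            [PSCustomObject]@{
                File   = $File.Name
                Count  = $_.Count
                Result = $_.Name
            }
        }
    }
}

# Usage: summarise every sample log and keep only Meterpreter-related findings
# Invoke-DeepBlueTriage -Path '..\DeepBlueCLI-master\DeepBlueCLI-master\evtx' -Filter 'Meterpreter' |
#     Sort-Object Count -Descending | Format-Table -Wrap -AutoSize
```

Grouping on `Results` mirrors the `group Results -NoElement` call from the post; piping the summary objects to `Export-Csv` gives a per-file finding count that is easy to hand over to whoever reviews the collected logs.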

What’s next? If I get Eric Conrad’s approval, I’ll digitally sign my forked version named DeepBlue and push it to the PowerShell Gallery so that you can do:

# Either Save...
Find-Module -Name DeepBlue -Repository PSGallery
Save-Module -Name DeepBlue -Repository PSGallery -Path ~/Downloads

#...or Install
Install-Module -Name DeepBlue -Verbose -Repository PSGallery

If you want to see what I did since the fork, all the changes are available on this page 😎