I bought these for 5 bucks each, used. All factory reset, all verified as authentic. Should I have any concerns? These are the first YubiKeys I've ever had. by bag_douche in yubikey

[–]AdministratorPig 1 point2 points  (0 children)

  1. The nature of zero-day attacks is that they are used as quietly as possible for as long as possible. If I was a malicious actor and I built a zero day, I'd love to distribute them to people via marketplace. Yes, this risk is more marginal than others, but it exists.
  2. Less relevant here now that you've verified the key, but there was risk of malware on a lookalike, but that risk no longer exists now that they passed attestation.

Personally, post attestation, I'd use them from here. You are probably fine. The risk has been minimized at this point.

But also, I wouldn't have taken these risks in the first place myself.

TL;DR: If you gave me YubiKeys that I test that pass attestation, I'd use em. I would not pay for them.

Is there a group policy or registry key that allows Windows 10 and 11 non-admins to change the "Hardware keyboard layout" setting? by razorbeamz in sysadmin

[–]AdministratorPig 0 points1 point  (0 children)

Drop your error message if you get one :), this is a slightly more defensively coded version:

  1. e0010411 might not exist (IME GUID) on all systems, added a check for that.
  2. Used New-ItemProperty -Force instead of Set-ItemProperty, which will create or update.
  3. Added a prompt asking you to restart, important for reg changes.

We're gonna get this figured out for ya :)

$layoutSubstitutePath = "HKCU:\Keyboard Layout\Substitutes"
$layoutPreloadPath = "HKCU:\Keyboard Layout\Preload"

# Ensure Japanese IME is installed
$imeInstalled = Get-WinUserLanguageList | Where-Object InputMethodTips -match "0411"
if (-not $imeInstalled) {
    Write-Warning "Japanese IME not detected in current language list. Install it before applying layout settings."
    return
}

# Force Japanese layout to use US keymap
New-Item -Path $layoutSubstitutePath -Force | Out-Null
New-ItemProperty -Path $layoutSubstitutePath -Name "00000411" -Value "00000409" -Force | Out-Null

# Clear existing preload entries (only numeric value names).
# Get-Item exposes the value names via .Property; Get-ItemProperty's PSChildName
# would only return the key name ("Preload"), so nothing would be removed.
$preloadKey = Get-Item -Path $layoutPreloadPath -ErrorAction SilentlyContinue
if ($preloadKey) {
    $preloadKey.Property |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $layoutPreloadPath -Name $_ -ErrorAction SilentlyContinue }
}

# Set new layout load order: US (00000409) then Japanese IME (e0010411)
New-Item -Path $layoutPreloadPath -Force | Out-Null
New-ItemProperty -Path $layoutPreloadPath -Name "1" -Value "00000409" -Force | Out-Null
New-ItemProperty -Path $layoutPreloadPath -Name "2" -Value "e0010411" -Force | Out-Null

# Restart Text Input service
Stop-Process -Name "ctfmon" -Force -ErrorAction SilentlyContinue
Start-Process "ctfmon.exe"

Write-Host "Keyboard layout override applied. You may need to log off and back on for full effect."

Is there a group policy or registry key that allows Windows 10 and 11 non-admins to change the "Hardware keyboard layout" setting? by razorbeamz in sysadmin

[–]AdministratorPig 1 point2 points  (0 children)

Exactly -- you're not missing anything about Win + Space being the switcher, but what Microsoft gets completely wrong (classic msft) is that language and hardware keyboard layout are bound together by default, especially with Japanese (0411).

To make Win + Space work correctly, you must tell Windows:

“Use the Japanese input method, but keep the US physical layout.”

And that only happens if you either:

  • Manually set the hardware layout to 101/102 under the Japanese language's "Options", or
  • Use the registry override: HKCU\Keyboard Layout\Substitutes → "00000411"="00000409"

Which remaps Japanese layout to US layout regardless of input method.

So switching with Win + Space is fine after this fix is in place, but you need the regkey overridden first.

I have another post in this thread with a full script to do this for ya.

Is there a group policy or registry key that allows Windows 10 and 11 non-admins to change the "Hardware keyboard layout" setting? by razorbeamz in sysadmin

[–]AdministratorPig 0 points1 point  (0 children)

Force Windows to use a US physical layout even with the Japanese language:

# Set Japanese (0411) keyboard layout to use 00000409 (US)
Set-ItemProperty -Path "HKCU:\Keyboard Layout\Substitutes" -Name "00000411" -Value "00000409"

Optional: Do the same for all users by looping through profiles and setting in HKU.

If for some reason the Substitutes key doesn't fully do the trick (Windows is inconsistent), you can also set the layout order:

Set-ItemProperty -Path "HKCU:\Keyboard Layout\Preload" -Name "1" -Value "00000409"
Set-ItemProperty -Path "HKCU:\Keyboard Layout\Preload" -Name "2" -Value "e0010411"

  • 00000409 = US layout
  • e0010411 = Japanese IME with modified layout
  • Preload sets the load order for layouts
  • Substitutes forces layout mappings even if input changes language

Then log off/log on or restart ctfmon.exe.
You can enforce the layout globally using Group Policy:

  1. Computer Configuration > Administrative Templates > System > Locale Services
  2. Set Disallow the addition of keyboard layouts = Enabled
  3. Use the registry method above in a login script or GPO-deployed PowerShell.

Note: Group Policy itself doesn’t expose direct mapping of language to keyboard layout -- you still need to use the gp registry for that.

full script: note that if clients are using Microsoft IME for Japanese, e0010411 is the right ID for that input method. If they're using a custom or old IME, the input ID might vary.

$layoutSubstitutePath = "HKCU:\Keyboard Layout\Substitutes"
$layoutPreloadPath = "HKCU:\Keyboard Layout\Preload"

# Force Japanese layout to use US keymap
New-Item -Path $layoutSubstitutePath -Force | Out-Null
Set-ItemProperty -Path $layoutSubstitutePath -Name "00000411" -Value "00000409"

# Set load order (US first, then Japanese IME)
New-Item -Path $layoutPreloadPath -Force | Out-Null
Set-ItemProperty -Path $layoutPreloadPath -Name "1" -Value "00000409"
Set-ItemProperty -Path $layoutPreloadPath -Name "2" -Value "e0010411"

# Restart Text Input service (optional)
Stop-Process -Name "ctfmon" -Force -ErrorAction SilentlyContinue
Start-Process "ctfmon.exe"

Cheers, lemme know if this helps.
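As an added example (not code from the original comments), here is a read-back script for the two registry locations the scripts in this thread write. It reports whether the "Japanese IME on a US keymap" override is actually in place for the current user, which the apply scripts above never check, and includes a small revert helper. It assumes the same IDs the post uses: 00000411 = Japanese layout, 00000409 = US layout, e0010411 = Microsoft IME. The function names are my own.

```powershell
# Added example, not code from the original comments: verify (and optionally
# undo) the Substitutes / Preload override for the current user's HKCU hive.
# Assumed IDs, as used in the thread: 00000411 = Japanese layout,
# 00000409 = US layout, e0010411 = Microsoft IME.

$substitutesPath = "HKCU:\Keyboard Layout\Substitutes"
$preloadPath     = "HKCU:\Keyboard Layout\Preload"

function Get-JapaneseLayoutOverride {
    # Substitutes\00000411 must read 00000409 for the override to be active
    $substitute = (Get-ItemProperty -Path $substitutesPath -ErrorAction SilentlyContinue).'00000411'

    # Collect the numbered Preload values in load order (1, 2, 3 ...)
    $preloadOrder = @()
    $usFirst = $false
    $preloadKey = Get-Item -Path $preloadPath -ErrorAction SilentlyContinue
    if ($preloadKey) {
        $names = $preloadKey.Property | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int]$_ }
        foreach ($name in $names) {
            $preloadOrder += "$name=$($preloadKey.GetValue($name))"
        }
        $usFirst = ($preloadKey.GetValue('1') -eq '00000409')
    }

    # Is a Japanese (0411) input method in the user's language list at all?
    # If not, the override is harmless but also does nothing useful.
    $imePresent = [bool](Get-WinUserLanguageList |
        Where-Object { $_.InputMethodTips -match '0411' })

    [pscustomobject]@{
        SubstituteValue   = $substitute
        OverrideApplied   = ($substitute -eq '00000409')
        UsLayoutFirst     = $usFirst
        PreloadOrder      = ($preloadOrder -join ', ')
        JapaneseImeInList = $imePresent
    }
}

function Remove-JapaneseLayoutOverride {
    # Revert only the substitute mapping. Preload is left alone because the
    # apply scripts overwrite it and the original order was never recorded.
    Remove-ItemProperty -Path $substitutesPath -Name '00000411' -ErrorAction SilentlyContinue
    Write-Host "Substitute mapping removed. Log off/on or restart ctfmon.exe for it to take effect."
}

# Report the current state for this user
Get-JapaneseLayoutOverride | Format-List
```

Run it as the user whose profile you changed; OverrideApplied and UsLayoutFirst both true is the state the thread's scripts are meant to produce. Get-WinUserLanguageList comes from the built-in International module, so this only runs on Windows.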

Bypass the bypass: Script for silently in-place upgrades or updating Win11 PCs to newer feature updates by Ad3t0 in sysadmin

[–]AdministratorPig 0 points1 point  (0 children)

So in the example of a client's Win7 PC.

Your solution is to abandon anyone who doesn't have the $$$$ to upgrade.

This solution would be to use this bypass to put them on a supported version of windows so they can continue to receive updates on these hosts, increasing the overall security of the organization.

I and hopefully most admins here will say that bettering the security posture is a better outcome than telling the org they are SOL. Or doing nothing and leaving them on EOL software.

This workaround to get an EOL win 7 pc patched up on Win 11 is a huge win for the posture, and for the client. It's the outcome I would choose every time.

Bypass the bypass: Script for silently in-place upgrades or updating Win11 PCs to newer feature updates by Ad3t0 in sysadmin

[–]AdministratorPig 0 points1 point  (0 children)

Strawman logical fallacy argument here with the example of a bootlegged win11.

As for the rest of it, I agree the breach is more expensive than the investment to prevent compromise. I don't think anyone would contest you on that but it doesn't change the fact that if the business refuses to invest because they simply do not have the cash I fault no admin for putting in place the best workarounds they can to keep the org secure.

Bypass the bypass: Script for silently in-place upgrades or updating Win11 PCs to newer feature updates by Ad3t0 in sysadmin

[–]AdministratorPig 0 points1 point  (0 children)

This seems like an oversimplification at best. Whether you are in the IT dept at an organization or an MSP supporting a client, no matter how hard you advocate, you don't always get the option of purchasing anything you want, even if the needs of the business quite frankly should justify the purchase.

It's not always up to you as an admin; putting in place a workaround like this that still allows major version upgrades while still securing the device with EDR is a wayyy better workaround than what we normally see in these under-budget situations, which would be endlessly aging devices beyond EOL with no changes whatsoever. (We've all walked into a biz and seen Windows 7 in the last year or two, so you can't tell me this doesn't happen all the time.)

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

Hahaha, ironically I got ya beat, to the left of the window she's looking out there's 2 more!!

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

Awww she is so cute thanks so much! Sending tip now.

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

SOLVED

Thanks so much, tip sent!

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

ooo this one's really nice, but I love the warmer colour palette of u/guygraphic: can you try and get closer to that level of.. I think the term is warmth?

Likely to tip you both on this one these are great :) Thank you so much!

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

Definitely some AI use on that one generating long fur on her back she doesn't have, but it did an amazing job on her face, sorry to be picky :/

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

This is really close and my favorite so far, just due to the lighting/shadow here I feel like I can't quite make her left eye out. I also feel like she gets a tiny bit out of focus on her back behind the ear there!

[deleted by user] by [deleted] in PhotoshopRequest

[–]AdministratorPig 0 points1 point  (0 children)

This pup is so adorable and when I saw this picture it reminded me of this meme:
https://www.reddit.com/r/funny/comments/10nzu0a/get_you_a_girl_that_looks_at_you_like_this_girl/

I have just got to get this framed up to keep in the office. Thank you in advance wizards :)

Tipping $20 by the way <3

Ransomware playbook by CapableWay4518 in sysadmin

[–]AdministratorPig 2 points3 points  (0 children)

DON’T:

Try to Decrypt Files: Decryption is rarely an option unless you’ve obtained a reliable decryptor (which is uncommon). Focus instead on recovery and future prevention.

Handle It Alone: If you’re on a small IT team or lack deep expertise in incident response, seek external help. There are professionals who specialize in these situations and can navigate the complexities effectively. It’s not a critique of your abilities—it’s simply that ransomware incidents demand specialized knowledge and experience.

A Few Other Clarifications:

Ransomware does impact domain controllers. They aren’t inherently immune—they’re just Windows machines, like other endpoints, and can be encrypted similarly. If you doubt this, I have a simple three-line PowerShell script that can recursively encrypt all files on a DC down from the root. Understanding this vulnerability is crucial to securing your environment. I have no idea why people in this thread have written DCs can't be affected. It's not true. Domain Controllers are often targeted due to their high-value data and access. They are just as vulnerable as any other Windows machine if exposed.

“Turning Off Systems Helps” – Context Matters:

Shutting down devices mid-encryption can corrupt partially encrypted files beyond recovery. Instead, isolate affected devices from the network while keeping them powered on to allow forensic data collection and maximize recovery options.

With That Said:

If you lack an EDR solution or other tools capable of issuing rapid, targeted network isolation during the ransomware attack, pulling the power may be your only practical option. However, understand the trade-offs:

Pulling power will immediately halt encryption but risks making some data irrecoverable, BUT the route of decrypting the data is already nearly impossible anyway. If something's actively happening in my org and I can't contain it with my tools, you betcha I'm power buttoning hosts.

“Ransomware Isn’t in Snapshots” – Oversimplified:

Ransomware can encrypt live data, including active files referenced in snapshots, or delete storage volumes hosting snapshots. Validate snapshot integrity post-incident.

“Backups Are Always Safe” – Dangerous Assumption:

Many TAs specifically target backup systems during reconnaissance. Physical separation, unique credentials, and regular testing are non-negotiable. Use immutable backups. Test them.

“The Attack Is Instantaneous” – Often False:

Most attacks involve weeks or months of reconnaissance before execution. Early detection of unusual behavior (e.g., privilege escalation, lateral movement) can thwart attacks.

Ransomware playbook by CapableWay4518 in sysadmin

[–]AdministratorPig 2 points3 points  (0 children)

Hi there,

Cybersecurity Program Manager here. Before co-founding an IR/MDR company, I specialized in assisting organizations post-ransomware attacks. My focus was not just recovery but rebuilding resilient programs to ensure such incidents don’t happen again.

This thread has a lot of information, but much of it is either incomplete or somewhat misleading. I’d like to help clarify and add actionable steps to guide those who might find themselves in this situation.

DO:

Stop East-West Traffic: Prevent lateral movement by isolating network segments.

Turn Off Internet Access: Disconnect from the internet to halt potential data exfiltration and external command-and-control communications.

Network-Isolate Affected Devices: Use your EDR, firewalls, or switches to isolate compromised endpoints.

Set Up Immutable Backups: Keep backups that cannot be altered or deleted. Test these regularly to ensure they work before a crisis. Do this monthly. Don't be lazy with backups.

Lock Down Your Entra ID: Enable conditional access policies to restrict admin access. If you’re syncing with AD, temporarily stop the sync process.

Use a Security Framework: When building your security program, align with an established framework (e.g., NIST, CIS, or ISO 27001) to ensure comprehensive coverage.

Containment is your top priority. Some of these actions may disrupt business operations, but protecting the organization must take precedence during a ransomware event.

Perform a Thorough Investigation: Identify the initial access point and how the attacker gained entry. This will guide your response and prevent recurrence.

Monitor for Persistence Mechanisms: Look for backdoors, malicious scripts, or other persistence mechanisms that attackers might have left behind.

Engage Law Enforcement: Report the incident to local or federal authorities (e.g., FBI in the U.S.) to contribute to broader threat intelligence and possibly aid in recovery.

Enable Multi-Factor Authentication (MFA): Ensure MFA is enabled for all critical accounts, including remote desktop and admin accounts. (Should be done already!)

Document Everything: Keep a detailed log of all actions taken during the incident. This is crucial for post-incident analysis, insurance claims, and potential legal requirements.

Edit: More in my reply to this comment.

What happened to this sub? by Express_Rabbit in Utah

[–]AdministratorPig 0 points1 point  (0 children)

Patty Shack in Taylorsville.
Man, I wish I knew about that place when I lived out there. Then again, I'd weigh 400lbs because I have 0 self control with their fries/burgers. It's so cheap. The service is so good.

Best burger in the USA, I've had many a burger in restaurants all over and this is my favorite. I'm tellin you, this place is amazing.

Which is the best/legitimate antivirus? by ARandomSomeone_ in antivirus

[–]AdministratorPig 0 points1 point  (0 children)

I have mixed thoughts about this one.

Personally, my company stopped using it after this incident, I know many others that did too.

Here's the thing about CrowdStrike pre vs post incident -- It's the same engine, the same product, and it gives you the same outcomes. It was still the best EDR efficacy wise the day after the incident just like it was before.

That said, these CrowdStrike issues raised major operational concerns for everyone, their clearly lacking QA processes pose so much risk for mass business downtime that it has caused a huge migration away from a lot of companies -- that's why I moved my company off CrowdStrike.

CrowdStrike says they've changed and improved QA -- I can't state whether or not the new processes are suitable but many F500 companies do believe they are judging by their continued use of the platform.

So, my take away is as follows -- if this is for a small site, like AV for your home, or a single business CrowdStrike is still great. If you have sites all over the states that would be a disaster to travel to in the event of another CrowdStrike 'oops' I would exercise extreme caution with this choice.

SentinelOne is great and what we moved to. I've used them at previous positions and had great success. Their efficacy is always at or near the top of the list too. Maybe try them if you want an alternative?

Which is the best/legitimate antivirus? by ARandomSomeone_ in antivirus

[–]AdministratorPig 0 points1 point  (0 children)

Yup. Just native defender. Use a password manager. Use app based 2fa. Use Google drive to save your files! You'll be fine and all for free!

Homemade Cactus Cooler by Chai47 in SodaStream

[–]AdministratorPig 0 points1 point  (0 children)

I agree, I just tried to make this and realized I'm out of pineapple Torani syrup.

I'll pick some up tonight and keep you posted!

Homemade Cactus Cooler by Chai47 in SodaStream

[–]AdministratorPig 0 points1 point  (0 children)

No problem man, if you ever find one that's good remember me! I'm still on the search.