Microsoft Security compliance toolkit / Windows hardening / GPO settings

Microsoft Security Compliance Toolkit: it replaces Security Compliance Manager. This tool lets you plan, create, and monitor security baselines for your client workstations. Microsoft chose to replace SCM because of its complexity and the difficulty of maintaining the tool for every version of Windows. Today, SCT does not support

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
https://github.com/PaulSec/awesome-windows-domain-hardening
PingCastle, to audit an AD domain: https://www.pingcastle.com/
AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
On ADsecurity.org:
Beyond domain admins: https://adsecurity.org/?p=3700
Gathering AD data with PowerShell: https://adsecurity.org/?p=3719
Hardening Windows computers, secure baseline checklist: https://adsecurity.org/?p=3299

Microsoft Message Analyzer resources

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/
Network Monitor 3.4 (Netmon): https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
Wireshark (v 2.2.2 as of 11/16/16): https://wireshark.org/#download
Netsh Trace: built in to the operating system
Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16): https://www.microsoft.com/en-us/download/details.aspx?id=44226
Message Analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx
How to message analyzer

Windows – Windows Admin Center

Windows Admin Center: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center
Installation: you can install Windows Admin Center on the following Windows operating systems:

Version                              Installation mode
Windows 10, version 1709 or newer    Desktop mode
Windows Server Semi-Annual Channel   Gateway mode
Windows Server 2016                  Gateway mode
Windows Server 2019                  Gateway mode

Desktop mode: launch from the Start Menu and connect to the

Understanding and Troubleshooting MS RPC

Overview: a very brief summary of how the protocol works. There is an "endpoint mapper" that runs on TCP port 135. You can bind to that port on a remote computer anonymously and enumerate all the various RPC services available on that computer. The services may be using named pipes or TCP/IP. Named pipes will

AD: Be protected against “Pass the Hash” attacks

Resource materials:
AD Security, preventing Mimikatz attacks: https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
https://adsecurity.org/?p=1684
https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory
Mimikatz and Active Directory Kerberos attacks: https://adsecurity.org/?p=556
https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf
https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
http://www.gentilkiwi.com/mimikatz / http://blog.gentilkiwi.com/
Scripts:
https://github.com/iadgov/Pass-the-Hash-Guidance
https://github.com/iadgov/Event-Forwarding-Guidance
Domain lockdown: https://github.com/curi0usJack/activedirectory
Microsoft resources:
http://www.microsoft.com/pth
http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx
Pass the Hash, isolation technique: implementing the tier-zones model on Active Directory: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Mitigate credential theft with the Administrative Tier Model

How to determine which version of .net framework is installed?

Reference: http://support.microsoft.com/kb/318785
The Microsoft .NET Framework is a software package used by many applications; it runs in a software environment as opposed to a hardware environment.
A free program called .NET Version Detector (download here).
PowerShell, how to get the version of the .NET Framework on a remote computer: https://gallery.technet.microsoft.com/scriptcenter/Detect-NET-Framework-120ec923
To query the local Registry using

Windows forensics: have I been hacked?

The main question is: how do I know if I have been hacked?
Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/
Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon
How to use it:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
http://blog.crowdstrike.com/sysmon-2/
http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html
Additional resources on this blog: http://wp.me/p15Zft-od
Some other links: http://www.computerforensicsworld.com/, http://www.forensics.nl/links
The first step is to scan your computer with a rootkit

Free Tools for System and Network or DB Administrators

Free tools for Windows sysadmins
– Find a string in files on Windows, using findstr /s /i:
findstr /s /i /C:"provider=sqloledb" d:\dir\*.*
Find and replace a string in a file (Find and Replace == fnr): http://findandreplace.io/download
Another tool, which also requires Java: FAR https://sourceforge.net/projects/findandreplace/
– Test SSL and TLS: https://www.qualys.com/sslchecker
Well-known online tools for network engineers:
https://dnschecker.org
https://www.whois.net/
https://mxtoolbox.com/
https://whatismyipaddress.com/
http://ping-test.org/
https://www.portcheckers.com/

How to configure Windows Event forwarding (WEF) ?

Introduction, in summary: Windows Event Forwarding allows event logs to be sent, via either a push or a pull mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows. WEF