Category: Core Server


Main question is: How do I know if I have been hacked?

Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html

Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon, and how to use it: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

http://blog.crowdstrike.com/sysmon-2/

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

additional resources on this blog: http://wp.me/p15Zft-od

and some other links: http://www.computerforensicsworld.com/, http://www.forensics.nl/links

The first step is to scan your computer with a rootkit detector. Our download section has numerous rootkit scanners available, some of which are listed below:

Toolkit to help you:

– Volatility: http://www.volatilityfoundation.org/

– Crowdstrike: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Powershell windows forensics: https://github.com/WiredPulse/PoSh-R2

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

– Powershell windows forensics: https://github.com/gfoss/PSRecon

– Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

– forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

– online scanning: http://www.virustotal.com

– Windows event logs

– Windows safe mode (run Autoruns from Sysinternals there to spot unfamiliar applications/services that start automatically)

– autoruns, procexp, procmon, tcpview, handles, psloggedon (http://www.microsoft.com/sysinternals)

– treesize pro (http://www.jam-software.com/treesize/)

– closethedoor (http://sourceforge.net/projects/closethedoor/)

– Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308)

– nmap: http://nmap.org/download.html#windows

– traceroute: http://www.net.princeton.edu/traceroute.html


Free tools for Windows sysadmins:

– Registry editor with compare and replace functions: regedt33.exe: https://sourceforge.net/projects/regedt33/

– AD security: adsecurity.org ; http://www.dsinternals.com ; http://www.pingcastle.com

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics and https://github.com/gfoss/PSRecon and https://github.com/davehull/Kans

– Memory forensics: http://www.volatilityfoundation.org/

– Crowdstrike free tools: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Windows first-aid kit on a USB key: http://wp.me/p15Zft-wU

– Net tools and forensic tools for Windows: http://www.nirsoft.net/utils/ipnetinfo.html
– System and performance: CCleaner, Recuva, Defraggler, Speccy from Piriform: https://www.piriform.com/products
– Windows 8 or Server  2012 start menu (GUI): http://www.classicshell.net/
– New Microsoft network monitor called MESSAGE ANALYZER (GUI): http://www.microsoft.com/en-us/download/details.aspx?id=40308
– ESET Sysinspector: http://www.eset.com/us/download/utilities/ (is a convenient utility for the tool box of every IT expert and first responder)
– Qualys browsercheck: https://browsercheck.qualys.com/  (check internet browser vulnerabilities)
– Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/download_psi/ (scans installed applications for known vulnerabilities)
– TrueCrypt. Is disk encryption software: http://www.truecrypt.org/
– Keepass. To remember passwords: http://keepass.info/
– Putty, FileZilla, WinSCP, XMing (free Xserver), MobaXterm (free Xserver and SSH): Unix tools for Windows
– Remote Desktop managers: mRemoteNG, Remote Desktop manager
– Ophcrack is a free Windows password cracker based on rainbow tables: http://ophcrack.sourceforge.net/
– Anti-malware free Malwarebytes (GUI): http://www.malwarebytes.org/
– Inventory tool that performs hardware scanning, software scanning, and Active Directory (AD) reporting (GUI):  www.lansweeper.com
– DNSdataview (GUI): www.nirsoft.net/utils/dns_records_viewer.html
– WinDirStat (GUI): http://windirstat.info
– Archiving and compression 7-zip  (GUI): www.7-zip.com
– Compare content files: ExamDiff  (GUI):  www.prestosoft.com/edp_examdiff.asp
– File Recovery (GUI): PC inspector File recovery   and    easeUS data recovery
– System information and benchmarks for Windows (gathers detailed information about a computer’s system properties, settings and displays, and runs benchmarks):
        – SIW (GUI)
        – AIDA (GUI)
        – Everest (GUI)
– HDTune: GUI – simple disk IO utility
– Unlock DLL: GUI to unlock DLLs in use (cf. the Unlocker utility available on the internet)
– AD queries builder with powershell and powershell editor  (GUI): http://www.powergui.org
– AD reports and ldap builder (GUI): http://www.maxpowersoft.com/
– AD change reporter (GUI): www.tinyurl.com/cph99tu
– AD object restore wizard (GUI): www.tinyurl.com/kv83sh9
– Inactive users tracker (GUI): www.tinyurl.com/xv83dsf
– Network monitoring (GUI): http://www.spiceworks.com/, or Quest ScriptLogic’s free utility called sl360
– Disk space monitor (GUI): www.tinyurl.com/zksfuw
– Bulk password reset (GUI): www.tinyurl.com/cxc3t4d
– Windows service monitor (GUI): www.tinyurl.com/dakjw32
– Vmware change reporter (GUI): www.tinyurl.com/dsdz44
– File server change reporter (GUI): www.tinyurl.com/bhd3k2b
– Password expiration notifier (GUI): www.tinyurl.com/kbwu34z
– USB blocker (GUI): www.tinyurl.com/awqc4p3
– Free disk analysis tool (GUI): www.northern-utilities.com ; find out how much of your storage capacity is being wasted on unwanted files
– Netbook Hardware control (GUI): www.pbus-167.com
– Sysinternal Tools (CMD/GUI): www.microsoft.com/sysinternals
– www.joeware.net (CMD)
– www.netikus.com (CMD/GUI)
– www.solarwinds.com
– OpenSSH (GUI, CMD): www.openssh.com
– OpenVPN (GUI, CMD): http://openvpn.net
– Microsoft Security Essentials: Antivirus/Anti-malware free: www.microsoft.com/security_essentials
– Microsoft Resource Kits
– ClamAV: Antivirus
– AVast: Antivirus
– Free download manager: IE download manager
– Daemontools or Virtual Clone Drive (GUI)
– Tree size free: Directory or disk usage and statistics (GUI): http://www.jam-software.com/freeware/
– CDex: rips CDs to MP3 and other formats (GUI)
– Desktop Restore. Records the position of desktop icons and restores desktop layouts.
– InfraRecorder. Burns ISO images and creates data and audio CDs and DVDs: http://infrarecorder.org/
– Notepad++. Is a text and code editor.
– NTFS Undelete. Recovers deleted files that are no longer in the recycle bin.
– Paint.NET. Manipulates images.
– PING. Makes a sector-based image copy of a disk partition.
– Windows Preinstallation Environment (WinPE). Lets you make a Windows command-line boot recovery DVD.
– XML Notepad. Is a specialized XML editor.
– ZoomIt. Magnifies portions of a screen and lets you draw on and annotate the screen (c.f www.microsoft.com/sysinternals).
– BareTail. Monitors log files in real time.
– Wireshark. Is a protocol analyzer: http://www.wireshark.org
– FileZilla. Is a GUI FTP client.
– Winscp. Is a GUI sftp client.
– Ngrep. Is a packet sniffer based on finding matching text strings.
– NeWT. Is a vulnerability scanner. (Request the software at http://cgi.tenablesecurity.com/tenable/requestForm.php.)
– OpenSSH. Creates secure, encrypted shell sessions.
– WinDump. Is a command-line packet sniffer. (Download: http://www.winpcap.org/windump/default.htm.)
– Winfingerprint. Is a network scanner.
– LocatePC. Emails you whenever any private or public IP address in your system changes.
– Open Computers and Software Inventory (OCS Inventory NG). Provides detailed inventory data for an entire network of computers and also deploys packages. (Download: http://sourceforge.net/projects/ocsinventory.)
– PRTG Traffic Grapher. Is a network monitor.
– SyncBack. Backs up or synchronizes files to another location: http://www.2brightsparks.com/freeware/freeware-hub.html
– Wink. Builds screencast recordings. (The write-up for this tool is not in the main article but in its sidebar “Screencasting with Wink”. Download: http://www.debugmode.com/wink.)
– CamStudio. Builds screencast recordings.
– CDBurnerXP. Burns CD-ROMs, DVDs, audio CDs, and ISO images.
– Comodo Firewall Pro. Is a firewall and antivirus application.
– DriveImage XML. Is a program for imaging and backing up partitions and logical drives.
– GParted LiveCD. Manages partitions on systems. (You can also find information about GParted in “Tool Time: Repartition Windows Servers with GParted”.)
– PageDefrag. Determines how fragmented your paging files and registry hives are, and defragments them (c.f www.microsoft.com/sysinternals)
– JkDefrag. Defragments and optimizes disks.
– TestDisk. Recovers damaged partitions, makes non-bootable disks bootable again, and repairs damaged boot sectors.

Free Virtualization tools:

– Free Tools for hyperV: http://social.technet.microsoft.com/wiki/contents/articles/2325.hyper-v-top-free-programs.aspx

– If you work with virtual machines (VMs), check out the following 29 tools:
“Virtualization on the Cheap”
1. Catbird Compliance Enforcer. Analyzes existing virtual infrastructures, then highlights rogue VMs, quarantines suspect VMs, and generates compliance and security reports.
2. Citrix XenServer. Is a virtualization platform.
3. ConfigCheck. Evaluates an ESX Server installation to see whether it’s configured properly and in accordance with VMware’s best practices, particularly with regard to security guidelines.
4. EasyVMX. Lets you create web-based VMs.
5. Hyper-V. Is a virtualization platform.
6. Microsoft Assessment and Planning Toolkit. Searches out computers in a network, then generates a detailed inventory using Windows Management Instrumentation (WMI), SNMP, or Remote Registry Service.
7. Microsoft Virtual PC 2007. Is a virtualization platform.
8. OpsCheck. Troubleshoots configuration problems that might cause VMware VMotion to encounter problems.
9. PlateSpin Recon Inventory Edition. Profiles and analyzes data centers, then gathers information about traffic, workload, asset inventory, and application services.
10. Veeam Monitor Free Edition. Monitors VMware ESX and ESXi environments in real-time.
11. Virtual Iron Single Server Edition. Is a virtualization platform.
12. VirtualBox. Is a virtualization platform.
13. Vizioncore vOptimizer FreeWare. Squeezes Microsoft and VMware VMs into more manageable sizes.
14. VMware ESXi. Is a virtualization platform.
15. VMware Player. Loads and run VMs created by other virtualization products.
16. V-Scout. Aggregates and organizes information from up to two VMware VirtualCenter installations.
“More Free Virtualization Tools”
17. PHD Virtual.com website. Offers several free VMware utilities (e.g., VMNetBac, SnapHunter).
18. VM Explorer (VMX). Powers VMs on or off as well as backs up and restores VMs.
19. Xtravirt.com website. Offers several free virtualization utilities (e.g., GetVMwareDocs, Visio Action Pack).
“Free Virtualization Utilities”
20. ISO Recorder. Creates and burns ISO images.
21. Ultimate-P2V. Converts physical systems to VMs.
22. VHD Resizer. Expands and shrinks .vhd files.
23. VHDMount. Mounts a .vhd file as a local drive.
24. Virtual Floppy Drive. Mounts a virtual floppy drive from a VM.
25. Virtual Machine Remote Control Client Plus (VMRCplus). Manages, configures, and connects to Microsoft VMs.
26. VMDK to VHD Converter. Converts VMware images to Microsoft images.
27. VMmark. Benchmarks applications running in VMware VMs.
28. VMware Converter. Converts physical machines or Microsoft VMs to VMware VMs.
29. VMware Workstation 5.5 Disk Mount Utility. Mounts a VMware.vhd file on a Windows host.
Note that you can find more information about Hyper-V, VMware ESXi, and Citrix XenServer in “Free Hypervisors Extend Your IT Resources”.

Free Scripting tools:

No matter whether you write scripts or not, you’ll likely find many of the 14 recommendations in “Script Writers’ Favorite Free Utilities” helpful:
1. Blat. A command-line utility that uses SMTP to send email or uses Network News Transfer Protocol (NNTP) to post to Usenet.
2. AutoIt v3 and SciTE. Is a scripting language (AutoIt) and editor (SciTE).
3. CodeKeep Add-In. Is a code snippet manager for Visual Studio (VS).
4. DumpSec. Is a Windows security auditing program.
5. Joeware website. Offers many command-line utilities to automate AD tasks (e.g., AdQueueLoop, Unlock) and other tasks (e.g., DNSSrvRec, SidToName).
6. MD5WIN. Computes and compares Message-Digest algorithm 5 (MD5) digest strings.
7. NirSoft website. Offers numerous utilities for monitoring networks, managing passwords, retrieving Internet-related data, and performing other system-management tasks.
8. Notepad++. Is a text and code editor.
9. PSPad. Is a text and code editor.
10. Python. Is a programming/scripting language that you can use to automate tasks.
11. Regular Expression Laboratory. Lets you create regular expressions and test them against arbitrary text.
12. VIM. Is a text and code editor.
13. WinZip Command Line Support Add-On. Lets you use WinZip directly from the command line and from scripts.
14. Powershell editor and Gui powershell code builder: http://www.powergui.org
Check also the PowerPacks (plug-ins for PowerGUI that manage other Windows applications).

Free tools for Sharepoint:

Freebies that might be of interest to SharePoint administrators include the following:
“SharePoint Freebies Someone You Might Know Might Want”
1. Document Connection for Mac. Aids in accessing and browsing Mac documents in SharePoint.
2. Free Technology for Microsoft SharePoint User Groups. Is a program to provide free add-ons and other products to community-organized SharePoint user groups.
3. Persian Language Pack for Windows SharePoint Services (WSS) 3.0.
“More SharePoint Freebies Someone You Might Know Might Want”
4. Discovery Wizard for SharePoint. Gathers SharePoint inventory data and displays it in HTML reports.
5. DocAve SQL Restore Controller. Provides item-level, site-level, and site collection-level restores from active SQL Server databases and from SQL Server backups.
6. Idera SharePoint performance monitor. Monitors SharePoint performance counters and sends email alerts when problems arise.
“Free SharePoint Archiving Tool Aims to Cut Bloat”
7. Metalogix Archiving Express for SharePoint. Archives SharePoint content.

Free tools for Exchange:

Some helpful freebies when working with Microsoft Exchange include:
“Top 10 Exchange Server 2007 Troubleshooting Tools”
1. Database Recovery Management Tool. Analyzes a database store and specifies the steps needed to mount it.
2. Database Troubleshooter. Analyzes database and transaction logs and their entries and reports on problems that might prevent you from recovering the database.
3. Dcdiag. Analyzes the state of domain controllers in a forest or enterprise and reports any problems.
4. Event Viewer. Lets you view Exchange-related events.
5. Mail Flow Troubleshooter. Identifies and repairs mail flow holdups.
6. Message Tracking. Reveals a message’s path through the Exchange Server organization when messages get lost in mail flow transit.
7. Nslookup. Helps troubleshoot DNS problems.
8. Performance Monitor. Analyzes counters associated with various aspects of system performance to see whether those counters fall within a designated range.
9. Performance Troubleshooter. Analyzes three RPC performance problems.
10. Queue Viewer. Lets you view and interact with mail flow queues.
“Two Exchange Server Tools You Should Know About”
11. Performance Analysis of Logs (PAL). Analyzes a Performance Monitor counter log and puts its findings in an HTML report.
12. ‘Rough and Tough’ Guide to Identifying Patterns in Transaction Logs. Provides a set of tools and associated processes for figuring out what’s happening on an Exchange server given a set of transaction log files.

Free tools for SQL Server:

If your IT duties include working with SQL Server, check out “The Mega Guide to Free SQL Server Tools”. This guide includes 80 tools, so the list is too long to print here. You can find out what those tools are at http://www.sqlmag.com/Articles/ArticleID/102244/102244.html.
At SQL Server Magazine, we’re all about helping DBAs and developers do their jobs faster and more efficiently—especially now, when they’re being expected to do more with less staff and funding. That’s why, when we realized just how many free SQL Server tools are available, we decided to bring them to your attention. You might recognize some of these tools from Kevin Kline’s Tool Time or Michael Otey’s Back Page, and many of these tools can be found on Microsoft’s CodePlex website. These tools were created by in-the-trenches DBAs and developers, as well as third-party SQL Server product vendors, to solve specific SQL Server problems or to fill holes in SQL Server’s functionality. There are so many free SQL Server tools that we couldn’t test them all, so be sure to test them yourself before running them in production.
Administration
• Data Scripter Add-in for Management Studio—This add-in lets you script data for SQL Server tables through SQL Server Management Studio (SSMS) (sqlblogcasts.com/blogs/seanprice/archive/2007/08/28/data-scripter-add-in-for-management-studio.aspx)
• Iometer—This tool measures and characterizes I/O subsystems in single and clustered servers (www.iometer.org)
• Microsoft SQL Server 2005 Upgrade Advisor—This tool analyzes your SQL Server 2000 and SQL Server 7.0 instances to find features and configuration changes that could affect an upgrade to SQL Server 2005 (www.microsoft.com/downloads/details.aspx?FamilyID=1470e86b-7e05-4322-a677-95ab44f12d75)
• mRemote—You can use this tool (which supports both RDP and VNC) to manage your remote server connections from a central GUI (www.mremote.org/wiki)
• MSSQL Blocks—This tool collects information from multiple SQL Server 2005 and 2000 instances about locked or blocked processes and stores this information in XML files for later analysis (sqlblocks.narod.ru)
• Orphan Finder—You can use Orphan Finder to find records in your SQL Server 2005 databases in which there are values in a foreign key column that aren’t in the parent table (http://www.spi.hr/EnglishaboutLC/tabid/470/Default.aspx)
• Partition Management—This tool uses the Sliding Window technique to remove data from one partition and place it into a staging table, and creates a staging table that’s used to load data into partitions (www.codeplex.com/SQLPartitionMgmt)
• Quest Software’s Toad for SQL Server Freeware—Toad for SQL Server Freeware offers a code and data editor, a data grid for modifying tables, and a database browser that lets you view and manage database objects graphically (www.toadsoft.com/toadsqlserver/toad_sqlserver.htm)
• SortSQLFilesInProject—You can use this tool to sort the SQL files contained in an SSMS project or the packages in a SQL Server Integration Services (SSIS) project (www.sqldbatips.com/showarticle.asp?ID=78)
• SQLDBSize 1.0—This tool graphically displays size information about your databases, tables, indexes, and more (www.sqldbtools.com/Tools.aspx?ProductId=3)
• SQL Management Studio Snapshot Add-In—This utility adds the Create Snapshot option to context menus in SSMS, enabling you to create a database snapshot (sqlblogcasts.com/blogs/seanprice/archive/2007/07/15/sql-management-studio-snapshot-add-in.aspx)
• SQLRecon—SQLRecon finds all of your SQL Server and Microsoft SQL Server Desktop Engine (MSDE) systems by performing active and passive scans on your network (www.specialopssecurity.com/labs/sqlrecon)
• SQL Server 2008 Extended Events Manager—This tool lets you create, delete, modify, start, and stop Extended Events sessions and metadata files in SQL Server 2008 (www.codeplex.com/ExtendedEventManager)
• SQL Server Automation Scripts—This tool provides SQL Server Agent jobs that you can use to perform automated maintenance tasks (download.microsoft.com/download/4/0/C/40CBAD9A-D990-450B-8785-F288CEBFB448/AITScripts.zip)
• SQL Server Database Copy Tool—With this utility, you can copy databases from one SQL Server system to another (dbcopytool.codeplex.com)
• SQL Server Express Utility—You can use this command-line utility to perform various SQL Server maintenance tasks (www.microsoft.com/downloads/details.aspx?FamilyID=fa87e828-173f-472e-a85c-27ed01cf6b02)
• SQL Server Health and History Tool (SQLH2) Performance Collector—This tool collects performance counter data from your SQL Server systems and stores it in a repository (www.microsoft.com/downloads/details.aspx?familyid=64983AF0-7902-427E-9B41-7C2E8FDCC140)
• SQL Server Health and History Tool (SQLH2) Reports—Prevent performance problems by using this tool to collect and store change and trending information (www.microsoft.com/downloads/details.aspx?familyid=A4B837C7-A1FA-4F25-840B-FEF15E917F18)
• YourSQLDba—You can use this T-SQL stored procedure to automate routine database maintenance tasks such as database and log backups and consistency checks (www.grics.qc.ca/YourSqlDba)
Backup and Recovery
• Idera’s SQL safe Freeware Edition—This utility lets you back up and compress multiple databases of any size and offers a scriptable interface (www.idera.com/Products/Free-Tools/SQL-safe-Freeware-Edition)
• AppAssure’s DocRetriever Lite—This free tool lets you restore individual documents back to a SharePoint farm from a SQL Server backup (www.appassure.com/applications/free-tools/docretriever-lite-for-sharepoint/)
Best Practice and Compliance
• Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0—You can use this tool to verify whether your SQL Server 2000 systems are managed and operated according to Microsoft’s SQL Server best practices (www.microsoft.com/downloads/details.aspx?FamilyID=b352eb1f-d3ca-44ee-893e-9e07339c1f22)
• Microsoft SQL Server 2005 Assessment Configuration Pack for Sarbanes-Oxley Act (SOX)—This configuration pack audits SQL Server systems to see if they meet the SOX configuration requirements (www.microsoft.com/downloads/details.aspx?familyid=976df931-a3cf-40e3-802e-3281b1451835)
• SQL Server 2005 Best Practices Analyzer—This utility checks your databases for potential problems by using SQL Server 2005 best practices configurations (www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63)
• SQL Server FineBuild—FineBuild lets you install SQL Server 2008 and 2005 with one click, and provides best practice configurations as well (www.codeplex.com/SQLServerFineBuild)

Free tools for business intelligence and DB admins:

• BIDS Helper—This Visual Studio .NET add-in enhances SQL Server 2008 and 2005’s Business Intelligence Development Studio (BIDS) (www.codeplex.com/bidshelper)
• DTLoggedExec—With DTLoggedExec, each step executed by SSIS packages is logged, which makes configuring and troubleshooting SSIS packages fast and easy (dtloggedexec.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=21219)
• Microsoft SQL Server 2005 Data Mining Add-ins for Microsoft Office 2007—These add-ins let you use SQL Server 2005’s predictive analysis features in Microsoft Excel 2007 and Microsoft Visio 2007 (www.microsoft.com/downloads/details.aspx?FamilyID=7c76e8df-8674-4c3b-a99b-55b17f3c4c51)
• Microsoft SQL Server Metadata-Driven ETL Management Studio (MDDE)—You can use MDDE to quickly generate SSIS packages (sqlservermddestudio.codeplex.com)
• Reporting Services Scripter—This .NET Windows Forms application offers the ability to easily move SQL Server Reporting Services (SSRS) reports and catalog item properties between multiple servers (www.sqldbatips.com/showarticle.asp?ID=62)
• RSBuild—You can use this SSRS deployment tool to execute database scripts with ADO.NET and publish reports and data sources to SSRS (rsbuild.codeplex.com)
• SQL Nexus—This front-end visualization tool is used to load and analyze performance data that was collected by SQLDiag and PSSDiag (www.codeplex.com/sqlnexus)
Change Management
• SQLDBSearch 2.0—With SQLDBSearch 2.0, you can find objects that could be affected by a soon-to-be implemented database change (www.sqldbtools.com/Tools.aspx?ProductId=2)
• Tarantino Database Change Management—This utility makes it easier to apply database schema and database changes to multiple SQL Server systems (code.google.com/p/tarantino/wiki/DatabaseChangeManagement)
Code Formatters
• ApexSQL Refactor—This SQL Server Management Studio add-in offers 43 customizable options for formatting your SQL code and lets you preview your changes before you save them (www.apexsql.com/sql_tools_refactor.asp)
• Instant SQL Formatter—This tool not only reformats your SQL code but also turns your formatted SQL code into HTML code and translates your SQL code into other coding languages such as C# and Java (www.wangz.net/gsqlparser/sqlpp/sqlformat.htm)
• Manoli C# Code Format—You can use this tool to format code to the HTML 4.01 specification for a website or blog (www.manoli.net/csharpformat)
• Simple-Talk Code Prettifier—This tool converts your ASCII source code into HTML code so that you can paste it into an online element such as a blog or website (www.simple-talk.com/prettifier/default.php)
• SQLinForm—With this SQL code formatter, SQL statements aren’t transferred over the Internet and there’s nothing to install (www.sqlinform.com)
Database Comparison
• CompareData—This utility uses ODBC drivers to compare and synchronize data between two SQL Server databases (www.zidsoft.com)
• Open DBDiff—This database schema comparison tool provides you with a report showing the differences between two database schemas and includes a synchronization script that you can use to update the databases (www.codeplex.com/OpenDBiff)
• SQL Accord Community Edition for Microsoft SQL Server—This tool offers schema comparison features via an interactive GUI (www.sqleffects.com/Articles/Product/sqlAccordInfo/aboutSqlAccordCommunityEd.html)
• SQLDBDiff—You can use this tool to compare and synchronize SQL Server 2005 and 2000 database schemas (www.sqldbtools.com)
• TableDiff.exe GUI—With TableDiff.exe GUI, you no longer have to run the TableDiff.exe table comparison tool (found in SQL Server 2005) from the command line (weblogs.sqlteam.com/mladenp/archive/2007/08/10/60279.aspx)
Database Security
• Devenius SQL Encryption Assistant Basic Edition—You can use this SQL Server Management Studio add-in to manage your encryption keys (www.devenius.com/sql_server_tools/sql_encryption_assistant/SEA.aspx)
• Idera’s SQL permissions—You can use this tool to move or copy SQL Server login information and permissions setting between servers (www.idera.com/Products/Free-Tools/SQL-permissions)
• Lockdown.sql—This script locks your SQL Server systems down to the most secure configuration, letting you deploy systems that have only the required functionality enabled (www.sqlsecurity.com/Tools/LockdownScript/tabid/64/Default.aspx)
• Microsoft Baseline Security Analyzer 2.1—This tool performs vulnerability assessment checks on your SQL Server systems to verify their security (technet.microsoft.com/en-us/security/cc184923.aspx)
• SQLPing 3.0—SQLPing scans your network to find new and unprotected SQL Server and MSDE instances (www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx)
Development
• DbFit—You can use DbFit to run Framework for Integrated Testing (FIT) tests directly against databases, making it easier to perform integration testing on databases (www.fitnesse.info/dbfit)
• ScriptDB—This application scripts database objects using SQL Server Management Objects (SMO) (www.codeplex.com/ScriptDB)
• SpatialViewer—This utility lets you view spatial data easily (www.codeplex.com/SpatialViewer)
• SQL Server PowerShell Extensions (SQLPSX)—This tool helps make working with SMO from PowerShell easier by offering PowerShell functions around SMO objects (sqlpsx.codeplex.com)
• SQL Spatial Tools—SQL Spatial Tools includes two tools: Shape2SQL, which you use to upload ESRI files to SQL Server Spatial, and SQLSpatial Query Tool, which queries SQL Server 2008 and displays the geometry output via a Windows Presentation Foundation map (www.sharpgis.net/page/SQL-Server-2008-Spatial-Tools.aspx)
• SQLCLRProject—With SQLCLRProject, you can use MSBUILD tasks to deploy .NET assemblies to SQL Server 2008 and 2005 (www.codeplex.com/sqlclrproject)
• SQLIO Disk Subsystem Benchmark Tool—With this tool, you can measure the I/O capacity of a SQL Server configuration (www.microsoft.com/downloads/details.aspx?familyid=9a8b005b-84e4-4f24-8d65-cb53442d9e19)
• SQLScripter—This command-line utility automates schema generation and scripts SQL Server 2005 databases (www.valinor.co.il/tools-sqlscripter.asp)
• SQLsharp—This free tool offers a CLR library of useful functions that you can use to write better SQL code in SQL Server 2008/2005 (www.sqlsharp.com)
• SSMS Tools Pack—This suite of tools enhances SSMS’s functionality with features such as a query template tool and a CRUD procedure-generation tool (www.ssmstoolspack.com)
• Stored Procedure Generator—This tool generates the stored procedures necessary to access tables in SQL Server (spgen.codeplex.com)
• tsqlt—As a unit testing framework for T-SQL, tsqlt helps isolate functionality to be tested (sourceforge.net/projects/tsqlt)

Free tools for DB job management or sysadmin performance monitoring:

• Stress test tool—HeavyLoad, a free tool from JAM Software (https://www.jam-software.de)

• Idera’s SQL job manager—With SQL job manager, you can view and manage SQL Server Agent jobs across multiple SQL Server systems from a central administration console (www.idera.com/Products/Free-Tools/SQL-job-manager)
• JAMS Monitor—With JAMS Monitor, you can manage Windows Task Scheduler and SQL Server jobs and ensure that they’re running successfully from a centralized management console (www.mvpsi.com/FreeMonitor.aspx)
Log Management
• Log Parser 2.2—You can use this tool to access text-based data (e.g., log files, XML files), as well as data sources in Windows (e.g., Active Directory, the event log) (www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07)
• PSSDIAG Data Collection Utility—This diagnostic data collector can be used to gather logs and data files (www.microsoft.com/downloads/details.aspx?familyid=5564386A-28C2-4483-8293-76FFF67B9EB3)
Performance and Monitoring
• ClearTrace—You can use this graphical display tool to summarize query performance data from server-side trace and SQL Server Profiler sessions (www.cleardata.biz/cleartrace/default.aspx)
• DMVStats 1.01—You can use this tool to collect, analyze, and report on performance data from SQL Server 2005 Dynamic Management Views (DMVs) (www.codeplex.com/sqldmvstats)
• Idera’s SQL check—This tool runs as a secure screensaver and monitors your SQL Server systems, as well as offers a look at processes, error logs, and SQL Server Agent jobs (www.idera.com/Products/Free-Tools/SQL-check)
• Internals Viewer for SQL Server—You can use this tool to see how data is allocated, organized, and stored in the SQL Server storage engine (internalsviewer.codeplex.com)
• MDX Script Performance Analyser—You can use this tool to identify which statements in your SQL Server Analysis Services (SSAS) MDX script are negatively affecting MDX query performance (www.codeplex.com/mdxscriptperf)
• Performance Analysis of Logs (PAL) Tool—PAL automates the collection and analysis of performance counters in the Performance Monitor Counter log (www.codeplex.com/PAL)
• Quest Discovery Wizard for SQL Server (beta)—You can use this tool to monitor your network for changes and find all your SQL Server instances (www.quest.com/discovery-wizard-for-sql-server)
• RML Utilities for SQL Server (x86)—With this tool, you can monitor SQL Server performance by processing SQL Server trace files and viewing reports, and test how a specific change will affect your SQL Server systems (www.microsoft.com/downloads/details.aspx?FamilyId=7EDFA95A-A32F-440F-A3A8-5160C8DBE926)
• SQLIOSim—SQLIOSim replicates SQL Server’s types and patterns of I/O requests on a disk subsystem and verifies data similarly to how SQL Server would in a production environment (blogs.msdn.com/sqlserverstorageengine/archive/2006/10/06/SQLIOSim-available-for-download.aspx)
• SQLQueryStress—This tool is helpful when performance stress testing T-SQL queries because it collects data about whether your queries will run under load, and each query’s resource usage (www.datamanipulation.net/sqlquerystress)
• SQL Server 2005 Performance Dashboard Reports—These reports help you quickly identify performance bottlenecks and provide the information necessary to resolve them (www.microsoft.com/downloads/details.aspx?FamilyId=1d3a4a0d-7e0c-4730-8204-e419218c1efc)
• SQL Server Cache Manager—Find out what is being stored in the SQL Server cache and if the cache is being used efficiently with this free tool (www.codeplex.com/sqlservercache)
• SQL Server DBA Dashboard—This tool uses graphs and reports, which are integrated with SSMS, to identify what is using your SQL Server systems’ resources (www.sqlserverexamples.com/v2/Products/tabid/76/Default.aspx)
Prevent SQL Server Injection Attacks
• bsqlbf-v2—This Perl script lets you extract data from blind SQL injections (code.google.com/p/bsqlbf-v2)
• HP Scrawlr—This scanner tool crawls your web pages, checking for SQL injection vulnerabilities (www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx)
• Microsoft Source Code Analyzer for SQL Injection—You can use this tool to find SQL injection vulnerabilities in ASP code (support.microsoft.com/kb/954476)
• URLScan—URLScan restricts the type of HTTP requests Microsoft IIS will process (learn.iis.net/page.aspx/473/using-urlscan)
Web Administration
• SQL Server Hosting Toolkit—The SQL Server Hosting Toolkit offers two tools: the Database Publishing Wizard, which you can use to upload your databases to a hosting environment, and the Database Publishing Services, which offers ASP.NET web services that can make it easier for you to deploy databases (sqlhost.codeplex.com)
• SQL Server Web Tools—This web-based administration tool lets you perform management tasks, including administering accounts, managing databases and tables, and creating and running queries and stored procedures (sqlwebtools.codeplex.com)
• SQL Web Data Administrator—This SQL Server management tool lets you create and edit databases, export and import database schema and data, and more (www.codeplex.com/SqlWebAdmin)
Who Says Nothing in Life Is Free?
Although this list includes dozens of free SQL Server tools, it doesn’t include them all. If you know about a free SQL Server utility that’s not on this list, we want to hear about it: You can email me at mkeller@sqlmag.com. Also, please share your feedback about the tools included in this list in the Tool Time forum at www.sqlmag.com/forums. For even more free tools, see the sidebars “Free SQL Server Projects and Samples” and “Free PowerShell Scripts for SQL Server.”

Introduction:

Event forwarding (also called SUBSCRIPTIONS) is a means of sending Windows event log entries from source computers to a collector. The same computer can be both a collector and a source.

There are two methods available to complete this challenge – collector initiated and source initiated:

| Parameter | Collector Initiated (PULL) | Source Initiated (PUSH) |
|---|---|---|
| Socket direction (for firewall rules) | Collector -> Source | Collector -> Source |
| Initiating machine | Collector | Source |
| Authentication type | Kerberos | Kerberos / Certificates |

This technology uses WinRM (HTTP on TCP port 5985 with WinRM 2.0). Be careful with the Windows Firewall and configure it to allow incoming WinRM requests.

WinRM is the ‘server’ component and WinRS is the ‘client’ that can remotely manage the machine with WinRM configured.

Differences you should be aware of:

WinRM 1.1 (obsolete)
Vista and Server 2008
Port 80 for HTTP and Port 443 for HTTPS

WinRM 2.0
Windows 7 and Server 2008 R2, 2012 R2 …
Port 5985 for HTTP and Port 5986 for HTTPS

Reference for WEF and event forwarding:

Deploying WinRM using Group Policy: http://www.vkernel.ro/blog/how-to-enable-winrm-http-via-group-policy

Microsoft's official documentation (well documented):

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

Recent how-to from an intrusion detection perspective:

https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f

Easy-to-follow how-to from an intrusion detection perspective:

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

https://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html (same content as the previous one, with more appendices)

From an intrusion detection perspective:

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4 (helps with troubleshooting errors in a WEF deployment)

Basic configuration:

On the source computers and on the collector computer, run winrm quickconfig, then add the collector's computer account to the local Administrators group.

To verify that a listener has been created, type winrm enumerate winrm/config/listener

WinRM Client Setup

Just to round off this quick introduction to WinRM: to delete a listener, use winrm delete winrm/config/listener?address=*+Transport=HTTP

On the collector computer, run wecutil qc. Add the computer account of the collector computer to the Event Log Readers group on each of the source computers.

On the collector computer, create a new subscription from Event Viewer (follow the wizard).

WinRS: WinRS (Windows Remote Shell) is the client that connects to a WinRM-configured machine (as seen in the first part of this post). WinRS is pretty handy; you've probably used PSTools or SC for similar things in the past. Here are a few examples of what you can do.

Connecting to a remote shell:
winrs -r:http://hostnameofclient "cmd"

Stopping / starting a remote service:
winrs -r:http://hostnameofclient "net start/stop spooler"

Running dir on the C drive:
winrs -r:http://hostnameofclient "dir c:\"

WinRS

Forwarded Event Logs:

This is configured using ‘subscribers’, which connect to WinRM enabled machines.

To configure these subscribers, head over to Event Viewer, right-click Forwarded Events and select Properties. Select the second tab (Subscriptions) and press Create.

This is where you’ll select the WinRM enabled machine and choose which events you would like forwarded.

Subscriptions

Right click the subscription and select show runtime status.

Error 0x80338126

Now it took me a minute or two to figure this one out. Was it a firewall issue (this gives the same error code), did I miss some configuration steps? Well no, it was something a lot more basic than that. Remember earlier on we were talking about the port changes in WinRM 1.1 to 2.0?

That’s right, I was using server 2008 R2 to set the subscriptions which automatically sets the port to 5985. The client I configured initially was server 2008 so uses version 1.1. If you right click the subscription and click properties -> advanced you’ll be able to see this. I changed this to port 80 and checked the runtime status again.

[DC2.domain.local] – Error – Last retry time: 03/02/2011 20:20:30. Code (0x5): Access is denied. Next retry time: 03/02/2011 20:25:30.

Head back to the advanced settings and change the user account from machine account to a user with administrative rights. After making these changes the forwarded events started to flow.

Subscriptions Advanced

Additional considerations:

In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:

  • You can only use Normal mode (Pull) subscriptions
  • You must add a Windows Firewall exception for Remote Event Log Management on each source computer.
  • You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.
  • Type winrm set winrm/config/client @{TrustedHosts="<sources>"} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once. Where <sources> appears in the command, substitute a list of the names of all of the participating source computers in the workgroup. Separate the names by commas. Alternatively, you can use wildcards to match the names of all the source computers. For example, if you want to configure a set of source computers, each with a name that begins with “msft”, you could type this command winrm set winrm/config/client @{TrustedHosts="msft*"} on the collector computer. To learn more about this command, type winrm help config.

If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings , you must also set corresponding Windows Firewall exceptions for port 443. For a subscription that uses Normal (PULL mode) delivery optimization, you must set the exception only on the source computers. For a subscription that uses either Minimize Bandwidth or Minimize Latency (PUSH mode) delivery optimizations, you must set the exception on both the source and collector computers.

If you intend to specify a user account by using the Specific User option in Advanced Subscription Settings when creating the subscription, you must ensure that account is a member of the local Administrators group on each of the source computers in step 4 instead of adding the machine account of the collector computer. Alternatively, you can use the Windows Event Log command-line utility to grant an account access to individual logs. To learn more about this command-line utility, type wevtutil sl -? at a command prompt.
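To script the collector side of the procedure above instead of clicking through the Event Viewer wizard, here is an added example (not from the original post): it writes a collector-initiated subscription in Normal (Pull) mode, the only mode usable in a workgroup, and registers it with wecutil. The host names, subscription name, event selection and file path are assumptions.

```powershell
# Added example: collector-initiated (Normal/Pull) WEF subscription created from a file.
# Assumptions: the collector is already set up with "wecutil qc", its computer account is in
# Event Log Readers on each source, and WinRM listens on 5985 (WinRM 2.0) on the sources.

$Sources = @('srv1.domain.local', 'srv2.domain.local')   # assumption: source computers
$SubName = 'Security-Baseline'                           # assumption: subscription name
$XmlPath = "$env:TEMP\$SubName.xml"

# Security events to pull: log cleared, new service, new scheduled task,
# account created, member added to a local security group.
$EventIds = 1102, 4697, 4698, 4720, 4732
$Select   = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# One <EventSource> element per source computer.
$SourceXml = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

$Subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Pull selected Security events from domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- Normal = the Pull delivery optimisation -->
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($Select)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- WinRM 2.0 sources listen on 5985; a WinRM 1.1 source needs 80 here (the 0x80338126 case above) -->
  <TransportName>HTTP</TransportName>
  <TransportPort>5985</TransportPort>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Default = the collector's machine account; use a specific user in a workgroup (see above) -->
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$SourceXml
  </EventSources>
</Subscription>
"@

Set-Content -Path $XmlPath -Value $Subscription -Encoding UTF8

# Make sure the collector service is configured (quiet mode), then load the subscription.
wecutil qc /q
wecutil cs $XmlPath

# Per-source runtime status: this is where the port and "Access is denied" errors show up.
wecutil gr $SubName
```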

References:

http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx

http://blogs.technet.com/b/jepayne/archive/2015/11/20/what-should-i-know-about-security-the-massive-list-of-links-post.aspx

https://technet.microsoft.com/en-us/library/cc748890.aspx

http://windowsitpro.com/security/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and-collec

http://technet.microsoft.com/en-us/library/cc749140.aspx

http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx

http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

Video:

Tutorials:

1st: Event forwarding between computers in a Domain

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-1)—How-to-Configure-Event-Forwarding-in-AD-DS-Domains.aspx

2nd: Event forwarding between computers in workgroup

http://tutorial.programming4.us/windows_7/Forwarding-Events-(part-2)—How-to-Troubleshoot-Event-Forwarding—How-to-Configure-Event-Forwarding-in-Workgroup-Environments.aspx

Additional article talking about Event forwarding too:

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

 

Some interesting sites:

Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit Policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure Baseline check list: https://adsecurity.org/?p=3299

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

 

Download sysmon:

NEW: Sysmon 6.20 is available: https://technet.microsoft.com/en-us/sysinternals/sysmon and how to use it:

NEW: WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/

Installation and usage:

List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir

Motiba: https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/

Sysmon events table: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-events-table/

Mark Russinovich's RSA Conference talk: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

Sysmon config files explained:

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml

https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/


Other install guides:

Sysinternals Sysmon unleashed

http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

 

Detecting APT with Sysmon:

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

https://www.jpcert.or.jp/english/pub/sr/ir_research.html

https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf

Sysmon with Splunk:

http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

https://securitylogs.org/tag/sysmon/

Sysmon log analyzer/parsing sysmon event log:

https://github.com/CrowdStrike/Forensics/blob/master/sysmon_parse.cmd

https://digital-forensics.sans.org/blog/2014/08/12/sysmon-in-malware-analysis-lab

https://github.com/JamesHabben/sysmon-queries

http://blog.crowdstrike.com/sysmon-2/

WEF: https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

logparser: http://www.microsoft.com/en-us/download/confirmation.aspx?id=24659

logparser GUI: http://lizard-labs.com/log_parser_lizard.aspx

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. Everything from setting up Event Subscriptions to a hardened use of Windows Remote Management, including the use of authentication and firewalls, this document tells you how to securely set up an environment where you can natively consolidate and monitor event log based entries. In addition, the NSA goes on to cover a number of areas that should be monitored – complete with event IDs:

http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html

http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html

Event forwarding guidance: https://github.com/iadgov/Event-Forwarding-Guidance

Malware archeology cheat sheets: http://www.malwarearchaeology.com/cheat-sheets/

Machine-specific issues – which can be indications of malicious activity

  • Application Crashes
  • System or Service Failures
  • Kernel and Device Signing
  • The Windows Firewall

Administrator Activity – specific actions performed that may be suspect

  • Clearing of Event Logs
  • Software and Service Installation
  • Remote Desktop Logon
  • Account Usage

The bad news is you’re still left to sort out a TON of event log detail and interpret whether the entries are a problem or not.

Additionally: Changes to Group Policy only show up in the events as a change to the policy, but lack detail on exactly what was changed within the Group Policy.

To truly have a grasp on whether you have an “adversary” within or not and, if so, what that adversary is doing, you’re going to require a solution that not only collects events, but can correlate them into something intelligent. Your solution should:

  • Consolidate events
  • Focus on the events you are concerned about
  • Provide comprehensive detail about the changes to your systems, security and data

Three software solutions:

  • Netwrix Auditor for AD
  • Dell change auditor for AD
  • IBM QRadar (SIEM)

Splunk (SIEM)  : Splunk Windows Auditing using the NSA guide: https://github.com/anthonygtellez/windows_auditing

MS white-paper best practices to secure AD: http://aka.ms/bpsadtrd

MS Advanced threat analytics (MS ATA): https://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/

Windows Event IDs useful for intrusion detection:

Windows Vista events and above

| Category | Event ID | Description |
|---|---|---|
| User Account Changes | 4720 | Created |
| User Account Changes | 4722 | Enabled |
| User Account Changes | 4723 | User changed own password |
| User Account Changes | 4724 | Privileged user changed this user's password |
| User Account Changes | 4725 | Disabled |
| User Account Changes | 4726 | Deleted |
| User Account Changes | 4738 | Changed |
| User Account Changes | 4740 | Locked out |
| User Account Changes | 4767 | Unlocked |
| User Account Changes | 4781 | Name change |
| Domain Controller Authentication Events | 4768 | TGT was requested |
| Domain Controller Authentication Events | 4771 | Kerberos pre-auth failed |
| Domain Controller Authentication Events | 4772 | TGT request failed |
| Logon Session Events | 4624 | Successful logon |
| Logon Session Events | 4647 | User initiated logoff |
| Logon Session Events | 4625 | Logon failure |
| Logon Session Events | 4776 | NTLM logon failed |
| Logon Session Events | 4778 | Remote desktop session reconnected |
| Logon Session Events | 4779 | Remote desktop session disconnected |
| Logon Session Events | 4800 | Workstation locked |
| Logon Session Events | 4801 | Workstation unlocked |
| Domain Group Policy | 4739 | Domain GPO changed |
| Domain Group Policy | 5136 | GPO changed |
| Domain Group Policy | 5137 | GPO created |
| Domain Group Policy | 5141 | GPO deleted |
| Security | 1102 | Event log cleared |
| Software and Service Installation | 6 | New kernel filter driver |
| Software and Service Installation | 7045 | New Windows service |
| Software and Service Installation | 1022, 1033 | New MSI file installed |
| Software and Service Installation | 903, 904 | New application installation |
| Software and Service Installation | 905, 906 | Updated application |
| Software and Service Installation | 907, 908 | Removed application |
| Software and Service Installation | 4688 | New process created |
| Software and Service Installation | 4697 | New service installed |
| Software and Service Installation | 4698 | New scheduled task |
| External Media Detection | 43 | New device information |
| External Media Detection | 400 | New mass storage installation |
| External Media Detection | 410 | New mass storage installation |

Group changes:

| Group type | Scope | Created | Changed | Deleted | Member added | Member removed |
|---|---|---|---|---|---|---|
| Security | Local | 4731 | 4737 | 4734 | 4732 | 4733 |
| Security | Global | 4727 | 4735 | 4730 | 4728 | 4729 |
| Security | Universal | 4754 | 4755 | 4758 | 4756 | 4757 |
| Distribution | Local | 4744 | 4745 | 4748 | 4746 | 4747 |
| Distribution | Global | 4749 | 4750 | 4753 | 4751 | 4752 |
| Distribution | Universal | 4759 | 4760 | 4763 | 4761 | 4762 |
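The tables above list IDs; what makes them useful is correlating them, as the "Spotting the Adversary" discussion above says. Here is an added example (not from the original post) that reads the Security log, or a collector's ForwardedEvents log, and reports a cleared log (1102) and any account that was created (4720) and then added to a security group (4728/4732/4756) within a short window. The lookback window, correlation window and the list of privileged group names are assumptions.

```powershell
# Added example: two detections built on the event ID tables above.
function Find-SuspiciousAccountActivity {
    param(
        [string]$LogName = 'Security',     # 'ForwardedEvents' on a WEF collector
        [int]$Hours = 24,                  # assumption: lookback window
        [int]$CorrelationMinutes = 30      # assumption: "created, then added" window
    )
    # From the tables: log cleared, account created, member added to a Global / Local / Universal security group.
    $Ids = 1102, 4720, 4728, 4732, 4756
    # Assumption: groups whose membership changes always deserve a look.
    $PrivilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

    $Since  = (Get-Date).AddHours(-$Hours)
    $Events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $Since } -ErrorAction SilentlyContinue
    if (-not $Events) { return }

    # Named fields from the event XML, so nothing depends on Properties[] order.
    # Audit events use <EventData><Data Name=...>; 1102 puts its fields under <UserData>.
    function Get-EventData($Event) {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        if ($x.Event.UserData) {
            foreach ($n in $x.Event.UserData.FirstChild.ChildNodes) { $d[$n.LocalName] = $n.InnerText }
        }
        return $d
    }

    # Accounts created inside the window, keyed by SID (4720 carries TargetSid).
    $Created = @{}
    foreach ($e in ($Events | Where-Object Id -eq 4720)) {
        $d = Get-EventData $e
        $Created[[string]$d.TargetSid] = @{ Name = $d.TargetUserName; By = $d.SubjectUserName; When = $e.TimeCreated }
    }

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $d   = Get-EventData $e
        $out = [ordered]@{ Time = $e.TimeCreated; Computer = $e.MachineName; Id = $e.Id; Severity = ''; Finding = ''; Detail = '' }
        switch ($e.Id) {
            1102 {
                $out.Severity = 'High'
                $out.Finding  = 'Security event log cleared'
                $out.Detail   = "by $($d.SubjectUserName)"
            }
            { $_ -in 4728, 4732, 4756 } {
                $sid = [string]$d.MemberSid
                $new = if ($sid) { $Created[$sid] }
                $age = if ($new) { ($e.TimeCreated - $new.When).TotalMinutes }
                if ($new -and $age -le $CorrelationMinutes) {
                    $out.Severity = 'High'
                    $out.Finding  = "Account created $([int]$age) min earlier, then added to $($d.TargetUserName)"
                    $out.Detail   = "$($new.Name) created by $($new.By); added by $($d.SubjectUserName)"
                } elseif ($d.TargetUserName -in $PrivilegedGroups) {
                    $out.Severity = 'Medium'
                    $out.Finding  = "Member added to $($d.TargetUserName)"
                    $out.Detail   = "$($d.MemberName) added by $($d.SubjectUserName)"
                }
            }
        }
        if ($out.Finding) { [pscustomobject]$out }
    }
}

Find-SuspiciousAccountActivity -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it on the collector with -LogName ForwardedEvents to cover every source at once; the Computer column then tells you which host the event came from.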

Remotely enable PSRemoting and Unrestricted PowerShell Execution using PsExec and PSSession, then run PSRecon

Option 1 — WMI:
PS C:\> wmic /node:"10.10.10.10" process call create "powershell -noprofile -command Enable-PsRemoting -Force" -Credential Get-Credential

Option 2 – PsExec:
PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"

Next…

PS C:\> Test-WSMan 10.10.10.10
PS C:\> Enter-PSSession 10.10.10.10
[10.10.10.10]: PS C:\> Set-ExecutionPolicy Unrestricted -Force

Then…

Option 1 — Execute locally in-memory, push evidence to a share, and lock the host down:
[10.10.10.10]: PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://github.com/gfoss/PSRecon/psrecon.ps1')
[10.10.10.10]: PS C:\> Copy-Item PSRecon_* -Recurse [network share]
[10.10.10.10]: PS C:\> rm PSRecon_* -Recurse -Force
[10.10.10.10]: PS C:\> Invoke-Lockdown; exit

Option 2 — Exit PSSession, execute PSRecon remotely, send the report out via email, and lock the host down:
[10.10.10.10]: PS C:\> exit
PS C:\> .\psrecon.ps1 -remote -target 10.10.10.10 -sendEmail -smtpServer 127.0.0.1 -emailTo greg.foss[at]logrhythm.com -emailFrom psrecon[at]logrhythm.com -lockdown

Be careful! This will open the system up to unnecessary risk!!
You could also inadvertently expose administrative credentials when authenticating to a compromised host.
If the host isn’t taken offline, PSRemoting should be disabled along with disallowing Unrestricted PowerShell execution following PSRecon

Obviously, you need to find a hack before you can take measures to stop the attack and recover from it. Where do you begin? Every hack is unique, but you should always check certain places first. Here are the key locations in which to start your search.

Registry subkeys. If you suspect that a particular machine has been hacked, check the Run subkeys in that machine’s registry first. Look for any unfamiliar programs that load from these subkeys. Not only do attackers favor the Run subkeys as a launching point for rogue programs, but intruders can launch viruses from those subkeys as well. The subkeys apply to Windows Server 2003, Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. The specific subkeys to check are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

If you’re running Windows 2003, XP, Win2K, or NT systems, you also need to check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run subkey.

Any program that you don’t recognize is a potential hacking program. Use Google or a similar search engine to search the Internet for the program name and determine whether the program is legitimate. You should be especially suspicious of programs that load from C:, C:\windows, and C:\windows\system32. I strongly suggest that you make a habit of regularly reviewing these registry keys so you become familiar with all the programs that are set to automatically load on your computers.

The following subkeys are less commonly used to launch hacking programs, but you need to check them also. These subkeys apply to all Windows OSs. If the default registry key contains a value other than “%1” %*, the program is most likely a hacker program.

  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\htafile\shell\open\command
  • HKEY_CLASSES_ROOT\piffile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command

Services. Review the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey on all Windows OSs. The entries under this subkey specify the services that are defined on your computer. I suggest that you look directly in the registry instead of using Windows’ Services GUI because some services (e.g., Type 1 services) don’t show up in the Services GUI. Again, check for programs you don’t recognize. If possible, compare the Services subkey entries and values to a machine that you know is hack-free and investigate any differences you find.

Startup Folder. Check the C:\Documents and Settings\All Users\Start Menu\Programs\Startup and C:\Documents and Settings\<user_name>\Start Menu\Programs\Startup folders for unfamiliar programs and hidden files. To display a list of hidden files in the current folder and any subfolders, at a command prompt, enter

dir /a:h /s

Task Scheduler. Check the C:\windows\tasks folder for unauthorized tasks. Investigate any scheduled task that you don’t recognize.

Win.ini. Malicious users can load hacking programs automatically from C:\windows\win.ini. Look in the following section of the win.ini file:

[windows]
Run=
Load=

Any program listed after Run= or Load= will load automatically when Windows starts.

System.ini. Intruders can use shell commands to load programs in C:\windows\system.ini. Search system.ini for:

[boot]
shell=explorer.exe

Any program listed after explorer.exe will load automatically when Windows starts.

Other locations exist from which a hacker can automatically load programs to launch when Windows starts. Sysinternals’ Autoruns freeware utility shows you which programs are configured to load during startup on NT and later systems. You can download the tool from http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml.
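The registry checks above are tedious by hand, so here is an added example (not from the original article) that walks the Run-type subkeys and the file-type handler keys listed above and reports each entry with a note. The "loads from a root or system directory" rule and the expected "%1" %* default come from the text; the note wording and the path parsing are assumptions.

```powershell
# Added example: review the autorun locations listed above.
$RunKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices'
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
$FileTypes       = 'batfile', 'comfile', 'exefile', 'htafile', 'piffile'
$ExpectedDefault = '"%1" %*'

function Get-AutorunFindings {
    foreach ($k in $RunKeys) {
        $props = Get-ItemProperty -Path "Registry::$k" -ErrorAction SilentlyContinue
        if (-not $props) { continue }     # RunServices* exist only on Win9x/Me; a missing key is normal
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Executable path: the quoted first token, otherwise the first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
            $dir = if ($exe -and [IO.Path]::IsPathRooted($exe)) { [IO.Path]::GetDirectoryName($exe) } else { '' }
            $note = if ($dir -match '^[a-z]:\\?$|^[a-z]:\\windows(\\system32)?\\?$') { 'loads from a root or system directory: verify' }
                    elseif (-not $dir) { 'relative path: resolve against PATH' }
                    elseif (-not (Test-Path -LiteralPath $exe)) { 'target not found on disk' }
                    else { '' }
            [pscustomobject]@{ Location = $k; Name = $p.Name; Command = $cmd; Note = $note }
        }
    }
    # File-type handlers: the text expects exactly "%1" %* as the (default) value.
    # htafile legitimately points at mshta.exe on modern Windows, so read that hit as a review item.
    foreach ($t in $FileTypes) {
        foreach ($root in 'HKEY_CLASSES_ROOT', 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes') {
            $k   = "$root\$t\shell\open\command"
            $val = (Get-ItemProperty -Path "Registry::$k" -ErrorAction SilentlyContinue).'(default)'
            if ($null -ne $val -and $val -ne $ExpectedDefault) {
                [pscustomobject]@{ Location = $k; Name = '(default)'; Command = $val; Note = "differs from $ExpectedDefault" }
            }
        }
    }
}

Get-AutorunFindings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt for a full view of HKEY_LOCAL_MACHINE; entries with an empty Note still deserve the "do I recognise this program?" question the text asks.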

Open Ports and Unauthorized Users
After you’ve run your initial key-locations check for hacking activity, look for unexpected or suspicious open ports.

Here are my recommendations to secure your computers and your domain:

These are set in Group Policy under the Configuration\Windows Settings\Security Settings leaf.

Rename the Local Administrator Account: If the bad guy doesn’t know the name of your Administrator account, he’ll have a much harder time hacking it.

Disable the Guest Account: One of the worst things you can do is to enable this account. It grants a fair amount of access on a Windows computer and has no password. Enough said!

Disable LM and NTLM v1: The LM (LAN Manager) and NTLMv1 authentication protocols have vulnerabilities. Force the use of NTLMv2 and Kerberos. By default, most Windows systems will accept all four protocols. Unless you have really old, unpatched systems (that is, more than 10 years old), there’s rarely a reason to use the older protocols.

Disable LM hash storage: LM password hashes are easily convertible to their plaintext password equivalents. Don’t allow Windows to store them on disk, where a hacker hash dump tool would find them.

Minimum password length: Your minimum password size should be 12 characters or more. Don’t bellyache if you only have 8-character passwords (the most common size I see). Windows passwords aren’t even close to secure until they are 12 characters long — and really you want 15 characters to be truly secure. Fifteen is a magic number in the Windows authentication world. Get there, and it closes all sorts of backdoors. Anything else is accepting unnecessary risk.

Maximum password age: Most passwords should not be used longer than 90 days. But if you go to 15 characters (or longer), one year is actually acceptable. Multiple public and private studies have proven that passwords of 12 characters or longer are relatively secure against password cracking to about that length of time.

Event logs: Enable your event logs for success and failure. As I’ve covered in this column many times, the vast majority of computer crime victims might have noticed the crime had they had their logs on and been looking.

Disable anonymous SID enumeration: SIDs (Security Identifiers) are numbers assigned to each user, group, and other security subject in Windows or Active Directory. In early OS versions, non-authenticated users could query these numbers to identify important users (such as Administrators) and groups, a fact hackers loved to exploit.

Don’t let the anonymous account reside in the everyone group: Both of these settings, when set incorrectly, allow an anonymous (or null) hacker far more access on a system than should be given. These have been disabled by default since 2000, and you should make sure they stay that way.

Enable User Account Control: Lastly, since Windows Vista, UAC has been the No. 1 protection tool for people browsing the Web. I find that many clients turn it off due to old information about application compatibility problems. Most of those problems have gone away, and many of the remaining ones can be solved with Microsoft’s free application compatibility troubleshooting utility. If you disable UAC, you’re far closer to Windows NT security than you are a modern operating system.

Here’s the best part: Each of these settings is set correctly by default in Windows Vista/Server 2008 (and later). Most of my Windows security books were all about the settings I wanted you to more securely harden. These days, my best advice is don’t muck it up. When I see problems, it’s because people go out of their way to weaken them, and that’s never good.

Concretely:

  • Accounts: Rename administrator account — not highly effective but another security layer nonetheless (define a new name)
  • Accounts: Rename guest account (define a new name)
  • Interactive logon: Do not display last user name (set to “Enabled”)
  • Interactive logon: Do not require last user name (set to “Disabled”)
  • Interactive logon: Message text for users attempting to log on (define banner text for users to see – something along the lines of This is a private and monitored system…you abuse this system, you’re toast — just run it by your lawyer first)
  • Interactive logon: Message title for users attempting to log on — something along the lines of WARNING!!!
  • Network access: Do not allow enumeration of SAM accounts and shares (set to “Enabled”)
  • Network access: Let “Everyone” permissions apply to anonymous users (set to “Disabled”)
  • Network security: Do not store LAN Manager hash value on next password change (set to “Enabled”)
  • Microsoft Network client: send unencrypted password to third-party SMB servers (Set to “Disabled”)
  • Network security: LAN Manager authentication level (set to “Send NTLMv2 responses only. Refuse LM & NTLM”)
  • Shutdown: Allow system to be shut down without having to log on (set to “Disabled”)
  • Shutdown: Clear virtual memory pagefile (set to “Enabled”)
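Each security option in the list above is backed by a registry value, which makes the list easy to audit on a machine. Here is an added example (not from the original post) that reads those values and reports compliance; the registry mappings are the standard policy backing values, and the Guest/Administrator checks use Get-LocalUser (PowerShell 5.1+). The check names and the "(not set)" handling are assumptions.

```powershell
# Added example: audit the local machine against the security-option list above.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$System = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Checks = @(
    @{ Setting = 'Interactive logon: Do not display last user name';            Key = $System; Value = 'DontDisplayLastUserName';   Expected = 1 }
    @{ Setting = 'Interactive logon: Message text for users attempting to log on'; Key = $System; Value = 'LegalNoticeText';     Expected = '<non-empty>' }
    @{ Setting = 'Interactive logon: Message title for users attempting to log on'; Key = $System; Value = 'LegalNoticeCaption'; Expected = '<non-empty>' }
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Key = $Lsa; Value = 'RestrictAnonymous'; Expected = 1 }
    @{ Setting = 'Network access: Let Everyone permissions apply to anonymous users'; Key = $Lsa; Value = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Setting = 'Network security: Do not store LAN Manager hash value';        Key = $Lsa;    Value = 'NoLMHash';                 Expected = 1 }
    @{ Setting = 'Microsoft network client: Send unencrypted password to third-party SMB servers'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'EnablePlainTextPassword'; Expected = 0 }
    @{ Setting = 'Network security: LAN Manager authentication level (5 = NTLMv2 only, refuse LM & NTLM)'; Key = $Lsa; Value = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Setting = 'Shutdown: Allow system to be shut down without having to log on'; Key = $System; Value = 'ShutdownWithoutLogon'; Expected = 0 }
    @{ Setting = 'Shutdown: Clear virtual memory pagefile'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Value = 'ClearPageFileAtShutdown'; Expected = 1 }
    @{ Setting = 'User Account Control: enabled (EnableLUA)';                    Key = $System; Value = 'EnableLUA';                Expected = 1 }
)

function Test-SecurityBaseline {
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        # A missing value means the policy was never set explicitly and the OS default applies;
        # it is reported as "(not set)" and non-compliant so that you confirm the default yourself.
        $ok = if ($c.Expected -is [string]) { -not [string]::IsNullOrWhiteSpace($actual) } else { $actual -eq $c.Expected }
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = [bool]$ok
        }
    }
    # Built-in accounts by RID: 500 = Administrator (should be renamed), 501 = Guest (should be disabled).
    foreach ($u in (Get-LocalUser -ErrorAction SilentlyContinue)) {
        if ($u.SID.Value -like 'S-1-5-*-500') {
            [pscustomobject]@{ Setting = 'Accounts: Rename administrator account'; Expected = 'not "Administrator"'
                               Actual = $u.Name; Compliant = ($u.Name -ne 'Administrator') }
        }
        if ($u.SID.Value -like 'S-1-5-*-501') {
            [pscustomobject]@{ Setting = 'Accounts: Guest account status'; Expected = 'Disabled'
                               Actual = $(if ($u.Enabled) { 'Enabled' } else { 'Disabled' }); Compliant = (-not $u.Enabled) }
        }
    }
}

Test-SecurityBaseline | Format-Table -AutoSize -Wrap
```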

How to improve Windows DNS security (hardening):

Resources:

DNS logging (audit and analytics): https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx

Secure DNS Deployment Guide: https://technet.microsoft.com/en-us/library/ee649266%28v=ws.10%29.aspx

DNS security part 1: http://www.windowsecurity.com/articles-tutorials/misc_network_security/DNS-Security-Part-1.html

DNS security part 2: http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html

Understand man in the middle attack: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part2.html

External DNS Server Hardening: https://technet.microsoft.com/en-us/library/ee649266%28v=ws.10%29.aspx

Note: Root hints are used to let the DNS server know where to start the recursion process. Root hints normally point to the Internet root DNS servers so that you can resolve public host names using recursion.

However, if you don’t need to resolve public host names, you can edit the root hints file so that it only contains DNS servers on your intranet. By doing this, you can avoid sending private information about possible internal host names to public DNS servers.

Securing DNS with DNSSEC: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-DNS-Connections-Windows-Server-2008-R2-DNSSEC.html

 

Mitigating DNS security weaknesses:

Low-Level Security

Low-level security is a standard DNS deployment without any security precautions configured. You should deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity:

  • The DNS infrastructure of your organization is fully exposed to the Internet.
  • Standard DNS resolution is performed by all DNS servers in your network.
  • All DNS servers are configured with root hints pointing to the root servers for the Internet.
  • All DNS servers permit zone transfers to any server.
  • All DNS servers are configured to listen on all of their IP addresses.
  • Cache pollution prevention is disabled on all DNS servers.
  • Dynamic update is allowed for all DNS zones.
  • User Datagram Protocol (UDP) and TCP port 53 are open on the firewall for your network for both source and destination addresses.

Medium-Level Security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory:

  • The DNS infrastructure of your organization has limited exposure to the Internet.
  • All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
  • All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.
  • DNS servers are configured to listen on specified IP addresses.
  • Cache pollution prevention is enabled on all DNS servers.
  • Dynamic update that is not secure is not allowed for any DNS zones.
  • Internal DNS servers communicate with external DNS servers through a firewall with a limited list of allowed source addresses and destination addresses.
  • External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.
  • All Internet name resolution is performed by using proxy servers and gateways.

High-Level Security

High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required:

  • The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.
  • Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
  • DNS servers that are configured with forwarders use internal DNS server IP addresses only.
  • All DNS servers limit zone transfers to specified IP addresses.
  • DNS servers are configured to listen on specified IP addresses.
  • Cache pollution prevention is enabled on all DNS servers.
  • Internal DNS servers are configured with root hints that point to the internal DNS servers that host the root zone for your internal namespace.
  • All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
  • All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
  • DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
  • Secure dynamic update is configured for DNS zones except the top-level zones and root zones, which do not allow dynamic updates at all.
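Most items in the three checklists above correspond to a setting the DnsServer PowerShell module can read and change. The audit script below is an added example, not code from the original page or from Microsoft: it reads those settings from a Windows DNS server and reports each deviation from the medium-level profile, including the root-hints point from the note earlier in this section (a server that forwards should not fall back to Internet root hints). It assumes the DnsServer module (installed with the DNS Server role or RSAT) is present and that it runs in an elevated session; the `$ComputerName` parameter is a name I introduced, and the remediation cmdlets in the comments are the standard module cmdlets, shown for reference rather than run.

```powershell
# Added example: audit a Windows DNS server against the medium-level checklist.
# Requires the DnsServer module (DNS Server role or RSAT) and an elevated session.
# $ComputerName is a hypothetical parameter introduced here; defaults to the local host.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

Import-Module DnsServer -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. Forwarders vs. root hints. Medium level: internal servers forward to a
#    specific list of servers; only external-facing servers use Internet root hints.
#    Fix: Set-DnsServerForwarder -IPAddress <internal resolver> -UseRootHint $false
$fwd = Get-DnsServerForwarder -ComputerName $ComputerName
if (-not $fwd.IPAddress) {
    $findings.Add('No forwarders configured; names are resolved via root hints (low-level profile).')
} elseif ($fwd.UseRootHint) {
    $findings.Add('Forwarders configured, but the server still falls back to root hints when they fail.')
}
$rootHints = @(Get-DnsServerRootHint -ComputerName $ComputerName)
if ($rootHints.Count -gt 0) {
    # High level replaces these with the internal root; medium level removes them on internal servers.
    $findings.Add("Root hints present ($($rootHints.Count) entries); internal host names may leak to Internet root servers.")
}

# 2. Cache pollution prevention ("Secure cache against pollution") is the
#    SecureResponse flag on the recursion settings.
#    Fix: Set-DnsServerRecursion -SecureResponse $true
$rec = Get-DnsServerRecursion -ComputerName $ComputerName
if (-not $rec.SecureResponse) {
    $findings.Add('Cache pollution prevention (SecureResponse) is disabled.')
}

# 3. Listening addresses. Listening on every interface matches the low-level profile.
#    Fix: $s = Get-DnsServerSetting -All; $s.ListeningIPAddress = @('<address>'); $s | Set-DnsServerSetting
$settings = Get-DnsServerSetting -ComputerName $ComputerName
$listen   = @($settings.ListeningIPAddress)
$all      = @($settings.AllIPAddress)
if ($listen.Count -eq 0 -or $listen.Count -eq $all.Count) {
    $findings.Add('Server listens on all of its IP addresses; restrict ListeningIPAddress to the intended interfaces.')
}

# 4. Per-zone checks: zone transfer scope and dynamic update policy.
#    Fix: Set-DnsServerPrimaryZone -Name <zone> -SecureSecondaries TransferToZoneNameServer -DynamicUpdate Secure
#    ('Secure' dynamic update is only available for Active Directory-integrated zones.)
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
foreach ($z in $zones) {
    if ($z.SecureSecondaries -eq 'TransferAnyServer') {
        $findings.Add("Zone $($z.ZoneName): zone transfers are allowed to any server.")
    }
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings.Add("Zone $($z.ZoneName): non-secure dynamic updates are allowed.")
    }
    if (-not $z.IsDsIntegrated) {
        $findings.Add("Zone $($z.ZoneName): file-backed zone; secure dynamic update and per-record DACLs (high level) are unavailable.")
    }
}

# Report. Exit code 1 when anything deviates so the script can run from a scheduled task.
if ($findings.Count -eq 0) {
    Write-Output "$ComputerName : no deviations from the medium-level checklist found."
    exit 0
}
Write-Output "$ComputerName : $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it once per DNS server and keep the output with your change records: the findings map one-to-one onto the medium-level bullets, so a clean run is evidence that a server at least meets that profile. The AD-integration finding is informational for medium level and becomes a requirement only at high level.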