Category: Core Server


Resources materials:

AD Security:

https://adsecurity.org/?p=1684

https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory

Mimikatz and Active Directory Kerberos Attacks:

https://adsecurity.org/?p=556

https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

http://www.gentilkiwi.com/mimikatz    /   http://blog.gentilkiwi.com/

Scripts:

https://github.com/iadgov/Pass-the-Hash-Guidance
https://github.com/iadgov/Event-Forwarding-Guidance

Domain lockdown: https://github.com/curi0usJack/activedirectory

Microsoft resources:

http://www.microsoft.com/pth

http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf

http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

 

Pass the Hash – isolation technique:

passTheHash

 

Advertisements

How to create and deploy a client certificate for MAC: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

Transforming .cer to .pem or vice-versa: https://www.sslshopper.com/ssl-converter.html

using openssl to convert a certificate format to another format: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx

 

 

Using Powershell:

http://msexchange.me/2014/06/05/monitoring-event-id-thru-powershell/

http://community.spiceworks.com/topic/282720-powershell-event-log-monitor-email-alert-script-central-monitor

https://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/

Using SCOM:

http://jimmoldenhauer.blogspot.fr/2013/03/scom-2012-how-to-generate-alerts-from.html

http://scomandplus.blogspot.fr/2013/02/creating-rules-to-monitor-security-logs.html

http://thoughtsonopsmgr.blogspot.fr/2013/11/windows-event-log-monitoring-how-to-get.html

http://opsmgradmin.blogspot.fr/2011/05/scom-monitoring-windows-event-logs.html

 

 

 

 

Troubleshooting slow logons:

http://blogs.technet.com/b/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-1.aspx

http://blogs.technet.com/b/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx

Logon process: http://fr.slideshare.net/ControlUp/understanding-troubleshooting-the-windows-logon-process

Tools for troubleshooting:

http://social.technet.microsoft.com/wiki/contents/articles/10128.tools-for-troubleshooting-slow-boots-and-slow-logons-sbsl.aspx

http://social.technet.microsoft.com/wiki/contents/articles/10123.troubleshooting-slow-operating-system-boot-times-and-slow-user-logons-sbsl.aspx

And powershell:

http://blogs.citrix.com/2015/08/05/troubleshooting-slow-logons-via-powershell/

Analyze GPOs load time: http://www.controlup.com/script-library/Analyze-GPO-Extensions-Load-Time/ee682d01-81c4-4495-85a7-4c03c88d7263/

 

How to use Xperf, Xbootmgr, Procmon, WPA?

xperf;xbootmgr;xperfview comes from Windows ADK (Windows performance toolkit sub part). Procmon is a sysinternal tool.

http://superuser.com/questions/594625/how-can-i-analyze-performance-issues-before-during-the-logon-process

http://blogs.technet.com/b/askpfeplat/archive/2012/06/09/slow-boot-slow-logon-sbsl-a-tool-called-xperf-and-links-you-need-to-read.aspx

http://social.technet.microsoft.com/wiki/contents/articles/10128.tools-for-troubleshooting-slow-boots-and-slow-logons-sbsl.aspx

Other interesting articles:

http://blogs.technet.com/b/askpfeplat/archive/2014/10/27/becoming-an-wpa-xpert-part-11-troubleshooting-long-group-policy-processing.aspx

https://www.autoitconsulting.com/site/performance/windows-performance-toolkit-simple-boot-logging/

https://randomascii.wordpress.com/2012/09/04/windows-slowdown-investigated-and-identified/

https://randomascii.wordpress.com/2013/04/20/xperf-basics-recording-a-trace-the-easy-way/

 

Windows Performance Analyzer (wpa.exe) youtube: https://www.youtube.com/watch?v=HGTlc_gWH_c

Xperf data collection tool: https://xperf123.codeplex.com/releases/view/66888

 

For boot tracing:

http://www.msfn.org/board/topic/140247-trace-windows-7-bootshutdownhibernatestandbyresume-issues/

xbootmgr -trace boot -traceFlags BASE+CSWITCH+POWER -resultPath C:\TEMP

with boot phases:
xbootmgr -trace boot -traceflags base+latency+dispatcher -stackwalk profile+cswitch+readythread 
       -notraceflagsinfilename -postbootdelay 120 -resultPath C:\TEMP
 

For shutdown tracing:

xbootmgr -trace shutdown -noPrepReboot -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Standby+Resume:

xbootmgr -trace standby -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Hibernate+Resume:

xbootmgr -trace hibernate -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

replace C:\TEMP with any temp directory on your machine as necessary to store the output files

Analyses of the boot trace:

Boot_MainPathBoot.png

To start create a summary xml file, run this command (replace the name with the name of your etl file)

xperf /tti -i boot_BASE+CSWITCH+POWER_1.etl -o summary_boot.xml -a boot

Analyses of the shutdown trace:

The shutdown is divided into this 3 parts:

Shutdown_picture.png

To generate an XML summary of shutdown, use the -a shutdown action with Xperf:

xperf /tti -i shutdown_BASE+CSWITCH+DRIVERS+POWER_1.etl -o summary_shutdown.xml -a shutdown

 

 

How to list and to install Windows feature from Powershell ?

Import-Module servermanager

Get-WindowsFeature | Where-Object {$_.installed} | Format-Table -AutoSize

Get-WindowsFeature | Where-Object {$_.Installed -match “True”} | Select-Object -Property Name

Get-WindowsFeature | Where-Object {$_.Installed -match “True”} | Select-Object -Property Name | Out-File d:\Temp\Features.txt

To install the features:

Add-WindowsFeature NetFx2-ServerCore
Add-WindowsFeature NetFx2-ServerCore-WOW64
Add-WindowsFeature NetFx3-ServerCore
Add-WindowsFeature NetFx3-ServerCore-WOW64

To automate a little bit more:

On the source server (master):

Get-WindowsFeature | Where-Object { $_.Installed } | Where-Object { $_.SubFeatures.Count -eq 0 } | Export-Clixml d:\temp\features.xml
Copy-Item d:\temp\features.xml \\remoteserver\d$\temp

On the remote server (target):

$file = Import-Clixml d:\temp\features.xml

$file | Add-WindowsFeature

Restart-Computer

Finding remote session connected to your computer?
who is running a (hidden) remote PowerShell on your machine? Here’s a simple one-liner:
Get-WSManInstance -ConnectionURI (‘http://{0}:5985/wsman’ -f $env:computername) -ResourceURI shell -Enumerate
It will return anyone connecting via port 5985 to your machine. However, if you’re not running in a domain environment,
you first have to enable non-Kerberos connections
(remember that without Kerberos, you no longer know for sure that the target computer really is the computer it pretends
to be):
Set-Item WSMan:\localhost\Client\TrustedHosts * -Force

wusa <update>.msu /quiet /norestart /log

example: wusa d:\hotfixes\Windows8.1-KB29456426.msu /quiet /norestart

You can use the Windows Management Instrumentation Command-line (WMIC) to view the installed updates on your computer:

wmic qfe list

Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status

Else If the WMIC output is difficult to read, you can use Systeminfo instead, as follows:

systeminfo | findstr /i /c:”KB29456426″

[18]: KB29456426

How to use WUSA with Powershell?

Get-Item .\* | %{Expand-ZipFile -FilePath $_.FullName -OutputPath d:\hotfixes}

Get-Item d:\hotfixes\* | foreach {WUSA “”$_.FullName /quiet /norestart””;while(get-process wusa){Write-Host “Installing $_.Name”}}

Get-HotFix | Where Description -match hotfix
(Get-HotFix | Where Description -match hotfix).count

IP Address Management (IPAM) in Windows Server 2012 is a framework for discovering, monitoring, managing and auditing IP address space on a corporate network. IPAM provides the following features:

  • Automatic IP address infrastructure discovery
  • Highly customizable IP address space display, reporting, and management
  • Configuration change auditing for DHCP and IPAM services
  • Monitoring and management of DHCP and DNS services
  • IP address lease tracking

Web resources:

http://technet.microsoft.com/en-us/library/jj878339.aspx

http://blogs.technet.com/b/canitpro/archive/2013/08/15/step-by-step-setup-windows-server-2012-ipam-in-your-environment.aspx

 

 

Reference:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx

When using dynamic volumes, the following considerations apply:

  • Installing Windows Server 2003 operating systems. You can perform a fresh installation of Windows Server 2003 operating systems on a dynamic volume only if that volume was converted from a basic boot volume or basic system volume. If the dynamic volume was created from unallocated space on a dynamic disk, you cannot install Windows Server 2003 operating systems on that volume. This setup limitation occurs because Setup for Windows Server 2003 recognizes only dynamic volumes that have an entry in the partition table. You can, however, extend the volume (if it is a simple or spanned volume).Do not convert basic disks to dynamic disks if they contain multiple installations of Windows 2000, Windows XP Professional, or Windows Server 2003 operating systems. After the conversion, it is unlikely that you will be able to start the computer using that operating system.For information about basic volumes, see Basic disks and volumes.
  • Portable computers and removable media. Dynamic disks are not supported on portable computers, removable disks, detachable disks that use Universal Serial Bus (USB) or IEEE 1394 (also called FireWire) interfaces, or on disks connected to shared SCSI buses. If you are using a portable computer and right-click a disk in the graphical or list view in Disk Management, you will not see the option to convert the disk to dynamic.
  • Boot and system partitions. You can convert a basic disk containing the system or boot partitions to a dynamic disk. After the disk is converted, these partitions become simple system or boot volumes (after restarting the computer). You cannot mark an existing dynamic volume as active. You can convert a basic disk containing the boot partition (which contains the operating system) to a dynamic disk. After the disk is converted, the boot partition becomes a simple boot volume (after restarting the computer).
  • Mirroring the boot and system volumes. If you convert the disk containing the boot and system partitions to a dynamic disk, you can mirror the boot and system volumes onto another dynamic disk. Then, if the disk containing the boot and system volumes fails, you can start the computer from the disk containing the mirrors of these volumes. For more information, see Create and test a mirrored system or boot volume.
  • To copy disk to disk you can use robocopy:Robocopy /???

    Example:
    Robocopy e:\ f:\ *.* /mir /sec /copyall /z /r:3 /w:3 /eta /log:output.txt

  • Shadow copies storage area. If you are using a basic disk as a storage area for shadow copies and you intend to convert the disk into a dynamic disk, it is important to take the following precaution to avoid data loss. If the disk is a non-boot volume and is a different volume from where the original files reside, you must first dismount and take offline the volume containing the original files before you convert the disk containing shadow copies to a dynamic disk. You must bring the volume containing the original files back online within 20 minutes, otherwise, you will lose the data stored in the existing shadow copies. If the shadow copies are located on a boot volume, you can convert the disk to dynamic without losing shadow copies.You can use the mountvol command with the /p option to dismount the volume and take it offline. You can mount the volume and bring it online using the mountvol command or the Disk Management snap-in.

Main question is: How do I know if I have been hacked?

Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon  and how to use it: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

http://blog.crowdstrike.com/sysmon-2/

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

additional resources on this blog: http://wp.me/p15Zft-od

and some other links:  http://www.computerforensicsworld.com/, http://www.forensics.nl/links

The first step is to scan your computer with a Rootkit detector. Our download section has numerous Rootkit scanners available with some being listed below:

Toolkit to help you:

– Volatility: http://www.volatilityfoundation.org/

– Crowdstrike: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

– Powershell windows forensics: https://github.com/gfoss/PSRecon

-Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

– forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

– online scanning: http://www.virustotal.com

-Windows event logs

– Windows safe mode ! (autoruns from sysinternals to detect not well known application/services)

– autoruns,procexp,procmon,tcpview,handles,psloggedon  (http://www.microsoft.com/sysinternals)

– treesize pro (http://www.jam-software.com/treesize/)

– closethedoor (http://sourceforge.net/projects/closethedoor/)

– Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308)

– nmap: http://nmap.org/download.html#windows

– traceroute: http://www.net.princeton.edu/traceroute.html