AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
The 4 pillars of Active Directory security: https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
https://github.com/PaulSec/awesome-windows-domain-hardening
PingCastle, to audit an AD domain: https://www.pingcastle.com/
AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
On ADsecurity.org:
Beyond domain admins: https://adsecurity.org/?p=3700
Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Microsoft Message Analyzer resources

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/
Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
Netsh Trace – built into the operating system
Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226
Message Analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx
How to message analyzer

How to configure Windows Event Forwarding (WEF)?

Introduction. In summary: Windows Event Forwarding allows event logs to be sent, either via a push or pull mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows. WEF

Windows forensic: Sysmon

Download Sysmon. NEW: Sysmon 12 is available (with a new event ID to log copies to the clipboard)!
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
How to use it:
WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/
MITRE framework – Sysmon coverage: https://attack.mitre.org/
Installation and usage:
Azure Sentinel – monitor servers using Sysmon
https://github.com/topics/sysmon
https://github.com/clong/DetectionLab
https://github.com/olafhartong/sysmon-modular
https://github.com/ion-storm/sysmon-config
https://github.com/SwiftOnSecurity/sysmon-config
List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir
Motiba:

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. Everything from setting up Event Subscriptions, to a hardened use of Windows Remote Management, including the use of authentication and

What if PSRemoting and Unrestricted Execution are disabled?

Remotely enable PSRemoting and Unrestricted PowerShell Execution using PsExec and PSSession, then run PSRecon.
Option 1 – WMI:
PS C:\> wmic /node:"10.10.10.10" process call create "powershell -noprofile -command Enable-PsRemoting -Force" -Credential Get-Credential
Option 2 – PsExec:
PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"
Next… PS

Event Logging policy settings in Windows Server/Computer

http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

How to access the disks mapped through RDP?

Windows XP/2003/2012 and greater support drive mapping back to the client workstation during a Terminal Services (Remote Desktop) session. This means you can copy files from the server to the client and vice versa. Each volume (removable, fixed or network) available on the client workstation is mapped (A for drive A:, C for drive C:,

Converting .cer to .pem etc…

How to create and deploy a client certificate for Mac: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx
Transforming .cer to .pem or vice versa: https://www.sslshopper.com/ssl-converter.html
Using OpenSSL to convert a certificate from one format to another: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx

Monitoring Event ID with Powershell or SCOM

Using PowerShell:
http://msexchange.me/2014/06/05/monitoring-event-id-thru-powershell/
http://community.spiceworks.com/topic/282720-powershell-event-log-monitor-email-alert-script-central-monitor
https://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/
Using SCOM:
http://jimmoldenhauer.blogspot.fr/2013/03/scom-2012-how-to-generate-alerts-from.html
http://scomandplus.blogspot.fr/2013/02/creating-rules-to-monitor-security-logs.html
http://thoughtsonopsmgr.blogspot.fr/2013/11/windows-event-log-monitoring-how-to-get.html
http://opsmgradmin.blogspot.fr/2011/05/scom-monitoring-windows-event-logs.html