AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
- Les 4 piliers de la sécurité Active Directory (the four pillars of Active Directory security)
- PingCastle: to audit an AD domain
- AD Explorer (Sysinternals)
- Microsoft audit policy settings and recommendations
- Sysinternals Sysmon: to audit and control changes
- Beyond Domain Admins (PowerPoint deck)
- Gathering AD data with PowerShell

Microsoft Message Analyzer resources

Basic network capture methods:
- Network Monitor 3.4 (Netmon) (note: Network Monitor is no longer under active development)
- Wireshark (v2.2.2 as of 11/16/16)
- Netsh Trace, built into the operating system (no install needed, useful on servers where you cannot drop a capture tool)
- Microsoft Message Analyzer (MMA) (v1.4 as of 6/13/16); note that Microsoft has since retired Message Analyzer and withdrew it from download in November 2019
Message Analyzer operating guide: how to use Message Analyzer
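The Netsh Trace method from the list above, worked through end to end as an added example (this is not code from the original post): a filtered packet capture started and stopped with the built-in tool, then converted to text for a quick look. The resulting .etl file is what Message Analyzer and Network Monitor open. The peer address and the output paths are placeholders.

```powershell
# Added example: filtered capture with the built-in netsh trace. Needs an elevated prompt.
$etl  = 'C:\Temp\capture.etl'   # placeholder
$peer = '10.0.0.5'               # placeholder: the host whose traffic we want
New-Item -ItemType Directory -Path (Split-Path $etl) -Force | Out-Null

# capture=yes turns on packet capture; the two filters limit the file to IPv4 traffic
# to/from $peer. maxsize is in MB and the file becomes circular once it is reached,
# so a long-running capture does not fill the disk.
netsh trace start capture=yes tracefile=$etl maxsize=256 overwrite=yes Ethernet.Type=IPv4 IPv4.Address=$peer

# ... reproduce the problem, then stop. netsh flushes the .etl on stop.
netsh trace stop

# Text dump next to the .etl for grepping; keep the .etl itself for MMA/Netmon.
$txt = $etl -replace '\.etl$', '.txt'
netsh trace convert input=$etl output=$txt dump=txt
Get-ChildItem -Path (Split-Path $etl) -Filter 'capture.*'
```

Run `netsh trace show capturefilterhelp` to see the other capture filters (Protocol, IPv4.SourceAddress, and so on); the two used here are enough for most host-to-host troubleshooting.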

How to configure Windows Event forwarding (WEF) ?

Introduction. In summary: Windows Event Forwarding allows event logs to be sent, via either a push (source-initiated) or pull (collector-initiated) mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free and relies on native components integrated into the operating system (WinRM and the Event Collector service). WEF is supported for both workstation and server builds of Windows.
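The push (source-initiated) setup described above, as an added example that is not part of the original post. It is one script with two roles: on the collector it creates a subscription for the event IDs that matter for intrusion detection; on a source it sets the registry value that the "Configure target Subscription Manager" GPO writes and gives the forwarder read access to the Security log. The collector FQDN is a placeholder; the assumption is that the sources are domain-joined, so WinRM authenticates with Kerberos and the HTTP/5985 transport is acceptable (the WS-Man payload is still Kerberos-encrypted at the message level).

```powershell
# Added example (not the page's own code). Run in an elevated PowerShell.
param(
    [Parameter(Mandatory)][ValidateSet('Collector', 'Source')][string]$Role,
    [string]$CollectorFqdn = 'wec01.corp.example'   # placeholder
)

if ($Role -eq 'Collector') {
    winrm quickconfig -quiet          # WinRM listener on TCP/5985
    wecutil qc /q                     # Windows Event Collector service, delayed auto-start

    # Source-initiated subscription: every domain computer and DC pushes the selected IDs.
    $subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/wsman/Subscription/1">
  <SubscriptionId>Security-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, account, service and log-clear events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4672 or EventID=4720 or EventID=4728 or EventID=4732)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
    $xmlPath = Join-Path $env:TEMP 'Security-Baseline.xml'
    Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
    wecutil cs $xmlPath                       # create the subscription
    wecutil gs Security-Baseline              # print the stored definition
    wecutil gr Security-Baseline              # runtime status: which sources have checked in
}
else {
    # Normally deployed by GPO (Computer Configuration > Administrative Templates >
    # Windows Components > Event Forwarding > Configure target Subscription Manager);
    # this is the registry value that policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    $value = "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
    New-ItemProperty -Path $key -Name '1' -Value $value -PropertyType String -Force | Out-Null

    # The forwarder runs as NETWORK SERVICE (S-1-5-20), which cannot read the Security log
    # by default: append a read ACE to the channel's default SDDL.
    wevtutil sl Security '/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
    Restart-Service WinRM                     # WinRM re-reads SubscriptionManager on start
}
```

The AllowedSourceDomainComputers SDDL grants the Domain Computers (DC) and Domain Controllers (DD) groups; tighten it to a dedicated group if only part of the estate should forward. `wecutil gr` on the collector is the first thing to check when a source never appears: it lists each source with its last heartbeat and error code.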

Windows forensic: Sysmon

Download Sysmon. New: Sysmon 12 is available, with a new event ID (24, ClipboardChange) that logs copies to the clipboard. Also covered:
- how to use it
- WMI detections (Sysmon event IDs 19, 20 and 21: WMI event filter, consumer and filter-to-consumer binding)
- MITRE ATT&CK framework: Sysmon coverage
- installation and usage
- Azure Sentinel: monitor servers using Sysmon
- list of web resources concerning Sysmon
- Motiba
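An added example, not code from the original post or from Sysinternals: a minimal Sysmon 12 configuration that keeps process creation, the three WMI subscription events and the new ClipboardChange event, installs or updates it, and reads those events back as objects. The schema version (4.40 for Sysmon 12), the tool path and the config path are assumptions for this example.

```powershell
# Added example (not the page's own code). Needs an elevated prompt.
$config = @'
<Sysmon schemaversion="4.40">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- 1: ProcessCreate. onmatch="exclude" logs everything except the listed rules,
         so only known noise goes here. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- 19/20/21: WMI filter, consumer and binding registrations (classic persistence) -->
    <RuleGroup name="" groupRelation="or">
      <WmiEvent onmatch="exclude"/>
    </RuleGroup>
    <!-- 24: clipboard changes. rdpclip.exe fires on every copy inside an RDP session. -->
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude">
        <Image condition="end with">\rdpclip.exe</Image>
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$cfgPath = 'C:\Temp\sysmon.xml'      # assumption
$sysmon  = 'C:\Tools\Sysmon64.exe'   # assumption
New-Item -ItemType Directory -Path (Split-Path $cfgPath) -Force | Out-Null
Set-Content -Path $cfgPath -Value $config -Encoding ASCII

# Fresh install (-i) or push the new config into a running instance (-c).
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) { & $sysmon -c $cfgPath }
else { & $sysmon -accepteula -i $cfgPath }

function Get-SysmonEvent {
    param([int[]]$Id = @(1, 19, 20, 21, 24), [int]$MaxEvents = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every Sysmon event carries its fields as <Data Name="..."> elements.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # 1: command line; 24: hash of the copied data (Archived says whether a copy was kept);
            # 19-21: WMI operation plus the filter/consumer name
            $detail = switch ($_.Id) {
                1       { $d['CommandLine'] }
                24      { "$($d['Hashes']) archived=$($d['Archived'])" }
                default { "$($d['Operation']) $($d['EventType']) $($d['Name'])$($d['Consumer'])" }
            }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Image = $d['Image']; User = $d['User']; Detail = $detail }
        }
}
Get-SysmonEvent | Format-Table -AutoSize -Wrap
```

Event 24 records which process changed the clipboard and a hash of the content, not the content itself, so it is safe to forward; a WMI event 21 (binding) from anything other than a known management agent is worth an alert on its own.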

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled "Spotting the Adversary with Windows Event Log Monitoring" earlier this year. The good news is it's probably one of the most detailed documents I've seen in a long time. Everything from setting up Event Subscriptions, to a hardened use of Windows Remote Management, including the use of authentication and…

What if PSRemoting and Unrestricted Execution are disabled?

Remotely enable PSRemoting and unrestricted PowerShell execution using WMI or PsExec, open a PSSession, then run PSRecon. Here <target> and the account are placeholders.
Option 1, WMI (wmic prompts for the password when /user: is given without /password:):
PS C:\> wmic /node:"<target>" /user:"<admin account name>" process call create "powershell -noprofile -command Enable-PSRemoting -Force"
Option 2, PsExec (-h runs the process with the elevated token, -d does not wait for it to exit):
PS C:\> PsExec.exe \\<target> -u <admin account name> -p <admin account password> -h -d powershell.exe "Enable-PSRemoting -Force"
Next…
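The same enable-then-connect procedure done entirely from PowerShell, as an added example (not code from the original post or from PSRecon): it first checks whether WinRM already answers, otherwise starts Enable-PSRemoting on the target through WMI over DCOM (the transport that still works while WinRM is off), waits for the listener, and then opens the PSSession. The host name, credential and PSRecon path are placeholders.

```powershell
# Added example (not the page's own code).
function Enable-RemotePSRemoting {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$TimeoutSeconds = 60
    )
    # Already listening? Then there is nothing to enable.
    try {
        Test-WSMan -ComputerName $ComputerName -Credential $Credential -Authentication Negotiate -ErrorAction Stop | Out-Null
        Write-Verbose "$ComputerName already accepts WinRM"
    }
    catch {
        # DCOM (TCP/135 plus dynamic RPC ports) instead of WinRM. Works on PS 5.1 and 7.
        $opt = New-CimSessionOption -Protocol Dcom
        $cim = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
        # -ExecutionPolicy Bypass applies to this one process only; the machine-wide policy
        # is left alone (execution policy is not a security boundary, so there is no need
        # to loosen it permanently as Set-ExecutionPolicy Unrestricted would).
        $cmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Enable-PSRemoting -Force"'
        $r = Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $cmd }
        Remove-CimSession $cim
        if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create failed with return value $($r.ReturnValue)" }

        # Enable-PSRemoting starts WinRM, registers the listener and opens the firewall rule;
        # poll until it answers or give up.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 3
            $up = [bool](Test-WSMan -ComputerName $ComputerName -Credential $Credential -Authentication Negotiate -ErrorAction SilentlyContinue)
        } until ($up -or (Get-Date) -gt $deadline)
        if (-not $up) { throw "WinRM on $ComputerName did not come up within $TimeoutSeconds s" }
    }
    New-PSSession -ComputerName $ComputerName -Credential $Credential
}

# Usage (placeholders): enable, connect, then run the collection script. -FilePath sends the
# script content to the remote side as a script block, so the remote execution policy does
# not apply to it.
$cred    = Get-Credential -Message 'Local admin on the target'
$session = Enable-RemotePSRemoting -ComputerName 'WKS-1234' -Credential $cred -Verbose
Invoke-Command -Session $session -ScriptBlock { Get-ExecutionPolicy -List | Format-Table -AutoSize }
Invoke-Command -Session $session -FilePath 'C:\Tools\PSRecon\PSRecon.ps1'   # placeholder path
Remove-PSSession $session
```

Whichever option you use, the credential you pass is a local admin on the target, so run this from a jump host, not from an analyst workstation that may itself be compromised, and remove the listener again (`Disable-PSRemoting`) when the investigation is over if the host does not normally expose WinRM.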

Event Logging policy settings in Windows Server/Computer
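As an added example for this post (not the page's own code): the local equivalent of an Advanced Audit Policy GPO, applied with auditpol and read back, together with the two registry switches that decide whether those settings take effect and whether event 4688 carries the command line, and a Security log sized for days rather than minutes of retention. The chosen subcategories follow the Microsoft audit policy recommendations referenced at the top of the page; the exact list and the 1 GB log size are assumptions for this example. On a domain you would push the same settings by GPO, which overrides whatever auditpol sets locally.

```powershell
# Added example (not the page's own code). Needs an elevated prompt.
$subcategories = @(
    'Credential Validation', 'Kerberos Authentication Service',          # account logon
    'User Account Management', 'Security Group Management',              # account management
    'Process Creation',                                                  # 4688
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Other Logon/Logoff Events',
    'Audit Policy Change', 'Security System Extension', 'Sensitive Privilege Use'
)
foreach ($s in $subcategories) {
    auditpol /set "/subcategory:$s" /success:enable /failure:enable | Out-Null
}

# Subcategory settings only take effect when they override the legacy nine-category settings
# ("Force audit policy subcategory settings to override audit policy category settings").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 4688 only includes the process command line with this policy
# ("Include command line in process creation events").
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# The 20 MB default Security log wraps within minutes on a busy DC; 1 GB is the assumption here.
wevtutil sl Security /ms:1073741824

function Get-AuditSetting {
    param([string[]]$Subcategory = $subcategories)
    foreach ($s in $Subcategory) {
        # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        auditpol /get "/subcategory:$s" /r | Where-Object { $_ } | ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}

# Verification: every line should read "Success and Failure", and the log size should be 1073741824.
Get-AuditSetting | Format-Table -AutoSize
(Get-ItemProperty -Path $audit).ProcessCreationIncludeCmdLine_Enabled
wevtutil gl Security | Select-String 'maxSize'
```

Event 4688 with command lines is high volume; if you forward it, keep it in its own WEF subscription so that a noisy host cannot starve the logon and account-management events.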

How to access the disks mapped through RDP?

Windows XP/2003/2012 and later support mapping the client workstation's drives back into a Terminal Services (Remote Desktop) session. This means you can copy files from the server to the client and vice versa. Each volume (removable, fixed or network) available on the client workstation is mapped (A for drive A:, C for drive C:, …) and is reachable from inside the session as the share \\tsclient\<letter>. Drive redirection is also a channel for data to leave the server and for malware on the server to reach the client, so on jump hosts and domain controllers it is normally switched off by policy ("Do not allow drive redirection").
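An added example that is not part of the original post: from inside an RDP session, enumerate the client volumes exposed through \\tsclient, copy a file back to the client, and check whether the host disables redirection by policy. The file paths are placeholders.

```powershell
# Added example (not the page's own code).
function Get-RdpClientDrive {
    # Redirected volumes are exposed by the RDP device redirector as shares named after the
    # drive letter: \\tsclient\C is the client's C:, \\tsclient\D its D:, and so on.
    if (-not $env:SESSIONNAME -or $env:SESSIONNAME -notlike 'RDP-*') {
        Write-Warning 'Not inside an RDP session; \\tsclient only exists there'
        return
    }
    foreach ($letter in [char]'A'..[char]'Z') {
        $share = "\\tsclient\$([char]$letter)"
        if (Test-Path -LiteralPath $share) { $share }
    }
}

function Test-RdpDriveRedirectionDisabled {
    # fDisableCdm = 1 disables client drive mapping. The policy key (written by the GPO
    # "Do not allow drive redirection") wins over the per-listener key.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
        if ($v -eq 1) { return $true }
    }
    $false
}

$drives = Get-RdpClientDrive
$drives

# Copy a collected artefact back to the client workstation (placeholder paths).
if ($drives -contains '\\tsclient\C') {
    Copy-Item -Path 'C:\Temp\evidence.zip' -Destination '\\tsclient\C\Users\Public\evidence.zip'
}

# Hardening check: on jump hosts and domain controllers this should print True
# (GPO path: Computer Configuration > Administrative Templates > Windows Components >
# Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection).
Test-RdpDriveRedirectionDisabled
```

$env:CLIENTNAME gives the name of the workstation whose drives you are seeing; worth recording next to any file you copy out during an incident.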

Converting .cer to .pem etc…

How to create and deploy a client certificate for Mac. Transforming .cer to .pem or vice versa: using openssl to convert a certificate from one format to another. Exporting a private key:
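The .cer/.pem conversion done natively in PowerShell, as an added example (not code from the original post), with the openssl equivalents next to it and the private-key export that still needs openssl. All file paths are placeholders. The point a practitioner wants to see: a .cer (DER or Base64) never contains the private key, so "exporting a private key" means going through a PKCS#12 (.pfx) export of the certificate store first.

```powershell
# Added example (not the page's own code).
function ConvertTo-PemCertificate {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$OutFile)
    # The X509Certificate2 constructor accepts both binary DER and Base64 .cer files,
    # so this also normalises an existing PEM.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $b64  = [Convert]::ToBase64String($cert.RawData)
    # PEM wraps the Base64 body at 64 characters.
    $body = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
    $pem  = "-----BEGIN CERTIFICATE-----`n" + ($body -join "`n") + "`n-----END CERTIFICATE-----`n"
    [IO.File]::WriteAllText($OutFile, $pem)     # UTF-8 without BOM, LF line endings
    $cert.Thumbprint
}

function ConvertTo-DerCertificate {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$OutFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    [IO.File]::WriteAllBytes($OutFile, $cert.RawData)   # RawData is the DER encoding
    $cert.Thumbprint
}

# Round trip: both encodings must yield the same thumbprint (SHA-1 over the DER bytes).
$t1 = ConvertTo-PemCertificate -Path 'C:\certs\client.cer' -OutFile 'C:\certs\client.pem'
$t2 = ConvertTo-DerCertificate -Path 'C:\certs\client.pem' -OutFile 'C:\certs\client-roundtrip.cer'
if ($t1 -ne $t2) { throw 'round trip produced a different certificate' }

# If the certificate and an exportable private key are in the user store, get a .pfx first.
$inStore = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $t1
if ($inStore -and $inStore.HasPrivateKey) {
    Export-PfxCertificate -Cert $inStore -FilePath 'C:\certs\client.pfx' -Password (Read-Host -AsSecureString 'PFX password') | Out-Null
}

# The same conversions with openssl, as on the original page, plus the key export.
if (Get-Command openssl -ErrorAction SilentlyContinue) {
    openssl x509 -inform DER -in C:\certs\client.cer -out C:\certs\client-openssl.pem
    openssl x509 -inform PEM -in C:\certs\client.pem -outform DER -out C:\certs\client-openssl.cer
    # -nodes writes the key unencrypted: put it somewhere with tight ACLs and delete it afterwards.
    openssl pkcs12 -in C:\certs\client.pfx -nocerts -nodes -out C:\certs\client-key.pem
    openssl pkcs12 -in C:\certs\client.pfx -clcerts -nokeys -out C:\certs\client-cert.pem
}
```

`Export-PfxCertificate` fails if the key was generated as non-exportable, which is the right default for a client certificate deployed to end-user machines; only generate exportable keys where you actually need to move them.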

Monitoring Event ID with Powershell or SCOM

Using PowerShell:
Using SCOM:
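The PowerShell half, as an added example that serves both this post and the "Detecting hackers (or intrusions) using Windows event log monitoring" post above (it is not code from either post or from the NSA guide): it reads the Security and System logs of one host, or the ForwardedEvents log on a WEF collector, and flags the patterns the NSA guide singles out. The event IDs are the standard ones; the failed-logon threshold and the "expected service path" pattern are assumptions for this example. The same IDs and conditions are what you would put into SCOM event-log rules.

```powershell
# Added example (not the page's own code).
function ConvertFrom-WinEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{ Id = $Event.Id; Time = $Event.TimeCreated; Computer = $x.Event.System.Computer }
    foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }         # most events
    foreach ($n in $x.Event.UserData.FirstChild.ChildNodes) { $h[$n.LocalName] = $n.InnerText }   # 1102 uses UserData
    [pscustomobject]$h
}

function Find-SuspiciousEvent {
    param(
        [int]$Hours = 24,
        [int]$FailedLogonThreshold = 10,   # assumption; tune per environment
        [switch]$ForwardedEvents            # read a WEC's ForwardedEvents channel instead of local logs
    )
    $since = (Get-Date).AddHours(-$Hours)
    $ids   = 1102, 4624, 4625, 4720, 4728, 4732, 7045
    $logs  = if ($ForwardedEvents) { @('ForwardedEvents') } else { @('Security', 'System') }
    $ev = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-WinEvent $_ }
    }
    $out = New-Object System.Collections.Generic.List[object]
    function Add-Finding($rule, $e, $detail) {
        $out.Add([pscustomobject]@{ Rule = $rule; Time = $e.Time; Computer = $e.Computer; Detail = $detail })
    }

    # Many 4625 from one source address: brute force or password spray.
    $ev | Where-Object Id -eq 4625 | Group-Object IpAddress | Where-Object Count -ge $FailedLogonThreshold |
        ForEach-Object {
            $users = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
            Add-Finding 'Failed logon burst' $_.Group[0] "$($_.Count) failures from $($_.Name) against $users"
        }
    # 4624 logon type 10 = RemoteInteractive (RDP); review against the list of allowed admins.
    $ev | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' } |
        ForEach-Object { Add-Finding 'RDP logon' $_ "$($_.TargetDomainName)\$($_.TargetUserName) from $($_.IpAddress)" }
    # 1102: the Security log was cleared. Almost never legitimate outside a change window.
    $ev | Where-Object Id -eq 1102 |
        ForEach-Object { Add-Finding 'Security log cleared' $_ "by $($_.SubjectDomainName)\$($_.SubjectUserName)" }
    # 4720 new user; 4728/4732 member added to a global/local group (Domain Admins, Administrators).
    $ev | Where-Object Id -eq 4720 |
        ForEach-Object { Add-Finding 'User created' $_ "$($_.TargetUserName) by $($_.SubjectUserName)" }
    $ev | Where-Object { $_.Id -in @(4728, 4732) } |
        ForEach-Object { Add-Finding 'Group member added' $_ "$($_.MemberName) -> $($_.TargetUserName) by $($_.SubjectUserName)" }
    # 7045 new service: PsExec-style tools and most persistence land here. Flag binaries outside
    # the OS/program directories, and interpreters regardless of path (PSEXESVC sits in C:\Windows).
    $expected = '^(\\\?\?\\)?"?(%SystemRoot%|C:\\Windows\\|C:\\Program Files)'
    $ev | Where-Object { $_.Id -eq 7045 -and ($_.ImagePath -notmatch $expected -or $_.ImagePath -match 'PSEXESVC|powershell|cmd\.exe') } |
        ForEach-Object { Add-Finding 'Suspicious service installed' $_ "$($_.ServiceName): $($_.ImagePath) (runs as $($_.AccountName))" }
    $out
}

Find-SuspiciousEvent -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it with `-ForwardedEvents` on the collector to cover every forwarding host in one pass; the Computer column then tells the hosts apart. Schedule it, or wire the same queries into a scheduled task with an event trigger, and send the output somewhere an attacker who owns the host cannot clear.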