Category: Security


Reference:

Need 2012 R2 Domain functional level on the forest to use authentication silos/policies

Their are part of the configuration partition (so, at the forest level), replicated on all domain controllers

 

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos.md

 

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos#BKMK_HowKerbUsed

 

Videos:

Advertisements

There’s Something About Service Accounts

 

 

The exact command being run is: psexec.exe \\admin-pc -accepteula cmd /c (cd c:\temp ^& mimikatz.exe “privilege::debug” “sekurlsa::tickets /export” “exit”) (see the ATA playbook above) ↩︎

Full article:

https://401trg.com/an-introduction-to-smb-for-network-security-analysts/

 

Introduction:

At its most basic, SMB is a protocol to allow devices to perform a number of functions on each other over a (usually local) network. SMB has been around for so long and maintains so much backwards compatibility that it contains an almost absurd amount of vestigial functionality, but its modern core use is simpler than it seems. For the most part, today SMB is used to map network drives, send data to printers, read and write remote files, perform remote administration, and access services on remote machines.

SMB runs directly over TCP (port 445) or over NetBIOS (usually port 139, rarely port 137 or 138). To begin an SMB session, the two participants agree on a dialect, authentication is performed, and the initiator connects to a ‘tree.’ For most intents and purposes, the tree can be thought of as a network share.[1] The PCAP below, shown in Wireshark, demonstrates a simple session setup and tree connect. In this case, the machine 192.168.10.31 is connecting to the “c$” share (equivalent to the C:\ drive) on the 192.168.10.30 machine, which is called “admin-pc

 

SecOps experience news ! Unified on MCAS, Azure ATP and Azure AD identity protection:

Microsoft has three identity-centric security products offering detection capabilities across on-premise and in the cloud:

  • Azure Advanced Threat Protection (Azure ATP) identifies on-premises attacks
  • Azure Active Directory Identity Protection (Azure AD Identity Protection) detects and proactively prevents user and sign-in risks to identities in the cloud
  • Microsoft Cloud App Security (MCAS) identifies attacks within a cloud session, covering not only Microsoft products but also third-party applications

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Unified-SecOps-Investigation-for-Hybrid-Environments/ba-p/360850

Azure ATP:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp

 

Latest on premise ATA version: ATA v1.9 : https://docs.microsoft.com/en-us/advanced-threat-analytics/whats-new-version-1.9

ATA forum: https://social.technet.microsoft.com/Forums/en-US/home?forum=mata

 

 

Technet resource: https://docs.microsoft.com/en-us/advanced-threat-analytics/

Suspicious activity guide: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

ATA simulation playbook:

https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38

 

ATA powershell module:

https://github.com/Microsoft/Advanced-Threat-Analytics

(copied under \\ncecdlib.nce.amadeus.net\microsoft\microsoft ATA\)

News from pentesters:

https://www.slideshare.net/ChrisThompson73/ms-just-gave-the-blue-team-tactical-nukes-and-how-red-teams-need-to-adapt-defcon-25

http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html?m=1

 

What’s new in ATA version 1.8

New & updated detections

  • NEW! Abnormal modification of sensitive groups – As part of the privilege escalation phase, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there’s an abnormal change in an elevated group.
  • NEW! Suspicious authentication failures (Behavioral brute force) – Attackers attempt to brute force credentials to compromise accounts. ATA now raises an alert when an abnormal failed authentication behavior is detected.
  • NEW! Remote execution attempt – WMI exec – Attackers can attempt to control your network by running code remotely on your domain controller. ATA added detection for remote execution leveraging WMI methods to run code remotely.Reconnaissance using directory services queries– In ATA 1.8, a learning algorithm was added to this detection allowing ATA to detect reconnaissance attempts against a single sensitive entity and improve the results for generic reconnaissance.
  • Kerberos Golden Ticket activity ATA 1.8 includes an additional technique to detect golden ticket attacks, detecting time anomalies for Kerberos tickets.
  • Enhancements to some detections, to remove known false positives:
    • Privilege escalation detection (forged PAC)
    • Encryption downgrade activity (Skeleton Key)
    • Unusual protocol implementation
    • Broken trust

Triage

  • NEW! More actions can be made to suspicious activities during the triage process.
    • Exclude some entities from raising future suspicious activities. Prevent ATA from alerting when it detects benign true positives (i.e. an admin running remote code or using nslookup) or known false positives (don’t open a Pass-The-Ticket alert on a specific IP).
    • Suppress a reoccurring suspicious activity from alerting.
    • Delete suspicious activities from the timeline.
  • A more efficient triage – The suspicious activities time line has gone through a major process of re-design. In 1.8, a lot more suspicious activities will be visible at the same time, and will contain better information for triage and investigation purposes.

Investigate

  • NEW! Summary report. An option to see all the summarized data from ATA, including suspicious activities, health issues and more. It’s possible to define a reoccurring report.
  • NEW! Modification to sensitive groups report to see all the changes made in sensitive groups during a certain period.

Infrastructure

  • Lightweight Gateways can now read events locally, without configuring event forwarding
  • Feature flags were added for all detection, periodic tasks and monitoring alerts
  • Accessibility ramp up – ATA now stands with Microsoft in providing an accessible product, for everyone.
  • E-mail configuration for monitoring alerts and for suspicious activities are separated

Security

  • NEW! Single sign on for ATA management.
    • Gateway and Lightweight gateway silent installation scripts will use the logged on user’s context, without the need to provide credentials.
  • Local System privileges removed from Gateway process
    • You can now use virtual accounts (available on stand-alone GWs only), managed service accounts and group managed service accounts to run the ATA Gateway process.
  • Auditing logs for ATA Center and Gateways were added and all actions are now logged in the event viewer.Added support for KSP Certificates

 

Version: 1.7

Reference articles:

ATA on Technet: https://technet.microsoft.com/en-us/library/dn707706.aspx

ATA events: https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats

ATA deployment demo: https://www.youtube.com/watch?v=xvWJssUpU6w

Blog: https://social.technet.microsoft.com/Forums/security/en-US/home?forum=mata

Additional resources:

Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

Powershell windows forensics: https://github.com/gfoss/PSRecon

Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

 

Overview:

https://docs.microsoft.com/en-us/powershell/dsc/overview/overview

https://docs.microsoft.com/en-us/powershell/dsc/resources/resources

Blog: https://blogs.msdn.microsoft.com/powershell/2018/09/13/desired-state-configuration-dsc-planning-update-september-2018/

DSC resource kit:

https://github.com/powershell/dscresources

Troubleshooting DSC:

https://docs.microsoft.com/en-us/azure/automation/troubleshoot/desired-state-configuration

DSCEA:

https://github.com/Microsoft/DSCEA

readme: https://microsoft.github.io/DSCEA/

 

Attack surface analyzer:

https://www.microsoft.com/security/blog/2019/05/15/announcing-new-attack-surface-analyzer-2-0

 

DSC-EA:

https://github.com/Microsoft/DSCEA

documentation: https://microsoft.github.io/DSCEA/

 

Microsoft security compliance toolkit:

Il remplace Security Compliance Manager. Cet outil permet de planifier, créer, et monitorer des baselines de sécurité pour vos postes clients. Le remplacement a été choisi par Microsoft du fait de la complexité de SCM et de la difficulté à maintenir l’outil pour chaque version de Windows. Aujourd’hui, SCT ne supporte pas Desired Configuration Management de System Center Configuration Manager ou SCAP.

https://www.microsoft.com/en-us/download/details.aspx?id=55319

how to use it:

https://arnaudloos.com/2018/intro-to-policy-analyzer/

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/security-compliance-toolkit-10.md

 

Other references:

2012 R2 hardening (CIS):

https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

Windows 10 hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf

 

 

 

Security baseline reference article:

https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/

Introduction:

Download the content here: Windows-10-1903-Security-Baseline-DRAFT. As usual, the content includes GPO backups, GPO reports, scripts to apply settings to local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and our recommended settings, settings that are new to this Feature Update, and changes from the previous baselines.

Note that Windows Server version 1903 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option. In the past we have published baselines only for “full” server releases – Windows Server 2016 and 2019. Beginning with this release we intend to publish baselines for Core-only Windows Server versions as well. However, we do not intend at this time to distinguish settings in the baseline that apply only to Desktop Experience. When applied to Server Core, those settings are inert for all intents and purposes.

This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. The draft baseline recommends configuring only two of those. However, we have made several changes to existing settings, and are considering other changes. Please review the changes carefully and let us know what you think.

The changes from the Windows 10 v1809 and Windows Server 2019 baselines include:

  • Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
  • Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
  • Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
  • Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
  • Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
  • Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
  • Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
  • Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.

 

 

 

Azure AD password protection is now generally available:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487

 

Azure AD password protection – how to eliminate bad passwords:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

Deployment:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

 

Architecture (to cover also onprem AD domain controllers):

 

 

 

Azure Sentinel

https://docs.microsoft.com/en-us/azure/sentinel/

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, and Microsoft 365 sources, including Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security, and more.

In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel as well.