AD: Be protected against “Pass the Hash” attacks

Resource materials: AD Security: Preventing mimikatz attacks; Mimikatz and Active Directory Kerberos Attacks; Scripts: Domain lockdown; Microsoft resources: Pass the Hash – isolation technique; Implementing Tier-zones model on Active Directory; Mitigate Credential theft with Administrative Tier Model.

Free Tools for System and Network or DB Administrators

Free tools for Windows sysadmin – Find a string in files on Windows using findstr /s /i, for example: findstr /s /i /C:"provider=sqloledb" d:\dir\*.* – Find and replace a string in files: Find and Replace (fnr); another tool, FAR, also requires Java – Test SSL and TLS – Well-known online tools for network engineers.

How to configure Windows Event Forwarding (WEF)?

Introduction: In summary, Windows Event Forwarding allows event logs to be sent, either via a push or pull mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows.

Windows forensic: Sysmon

Download Sysmon: NEW: Sysmon 10.42 is available! How to use it: WMI detections; MITRE framework – Sysmon coverage; Installation and usage; List of web resources concerning Sysmon; Motiba; Sysmon events table; Mark Russinovich's RSA conference presentation; Sysmon config files explained; Hide Sysmon from

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. Everything from setting up Event Subscriptions, to a hardened use of Windows Remote Management, including the use of authentication and

Event Logging policy settings in Windows Server/Computer

Converting .cer to .pem etc…

How to create and deploy a client certificate for Mac; transforming .cer to .pem or vice versa: using openssl to convert a certificate from one format to another; exporting a private key.

Monitoring Event IDs with PowerShell or SCOM

Using PowerShell; using SCOM.

Slow boots and slow logons – How to use Xperf, Xbootmgr, Procmon, WPA?

Troubleshooting slow logons: the logon process; tools for troubleshooting; PowerShell; analyzing GPO load time. How to use Xperf, Xbootmgr, Procmon and WPA: xperf, xbootmgr and xperfview come from the Windows ADK (the Windows Performance Toolkit component). Procmon is a Sysinternals tool. Other interesting articles.