AD: Be protected against “Pass the Hash” attacks

Resource materials:

AD Security: Preventing mimikatz attacks:
https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
https://adsecurity.org/?p=1684
https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory

Mimikatz and Active Directory Kerberos Attacks:
https://adsecurity.org/?p=556
https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf
https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
http://www.gentilkiwi.com/mimikatz / http://blog.gentilkiwi.com/

Scripts:
https://github.com/iadgov/Pass-the-Hash-Guidance
https://github.com/iadgov/Event-Forwarding-Guidance

Domain lockdown:
https://github.com/curi0usJack/activedirectory

Microsoft resources:
http://www.microsoft.com/pth
http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

Pass the Hash – isolation technique: implementing the tier-zones model on Active Directory:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Mitigate Credential theft with Administrative Tier Model

Free Tools for System and Network or DB Administrators

Free tools for Windows sysadmin

– Find a string in files on Windows using findstr /s /i (recursive, case-insensitive, literal search string):
findstr /s /i /C:"provider=sqloledb" d:\dir\*.*

– Find and replace a string in files (Find and Replace == fnr): http://findandreplace.io/download
Another tool, which also requires Java: FAR, https://sourceforge.net/projects/findandreplace/

– Test SSL and TLS: https://www.qualys.com/sslchecker

– Well-known online tools for network engineers:
https://dnschecker.org
https://www.whois.net/
https://mxtoolbox.com/
https://whatismyipaddress.com/
http://ping-test.org/
https://www.portcheckers.com/

How to configure Windows Event Forwarding (WEF)?

Introduction: In summary, Windows Event Forwarding allows event logs to be sent, via either a push or a pull mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows. WEF

Windows forensic: Sysmon

Download Sysmon (new: Sysmon 10.42 is available!): https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

How to use it:
WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/
MITRE ATT&CK framework – Sysmon coverage: https://attack.mitre.org/
Installation and usage:
https://github.com/olafhartong/sysmon-modular
https://github.com/ion-storm/sysmon-config
https://github.com/SwiftOnSecurity/sysmon-config
List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir
Motiba: https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/
Sysmon events table: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-events-table/
Mark Russinovich's RSA conference talk: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
Sysmon config files explained: https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/
Hide sysmon from

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. Everything from setting up Event Subscriptions, to a hardened use of Windows Remote Management, including the use of authentication and

Event Logging policy settings in Windows Server/Computer

http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

Converting .cer to .pem etc…

How to create and deploy a client certificate for Mac: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx
Transforming .cer to .pem or vice versa: https://www.sslshopper.com/ssl-converter.html
Using openssl to convert a certificate from one format to another: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx

Monitoring Event IDs with PowerShell or SCOM

Using PowerShell:
http://msexchange.me/2014/06/05/monitoring-event-id-thru-powershell/
http://community.spiceworks.com/topic/282720-powershell-event-log-monitor-email-alert-script-central-monitor
https://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/

Using SCOM:
http://jimmoldenhauer.blogspot.fr/2013/03/scom-2012-how-to-generate-alerts-from.html
http://scomandplus.blogspot.fr/2013/02/creating-rules-to-monitor-security-logs.html
http://thoughtsonopsmgr.blogspot.fr/2013/11/windows-event-log-monitoring-how-to-get.html
http://opsmgradmin.blogspot.fr/2011/05/scom-monitoring-windows-event-logs.html

Slow boots and slow logons – How to use Xperf, Xbootmgr, Procmon, WPA?

Troubleshooting slow logons:
http://blogs.technet.com/b/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-1.aspx
http://blogs.technet.com/b/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx

Logon process: http://fr.slideshare.net/ControlUp/understanding-troubleshooting-the-windows-logon-process

Tools for troubleshooting:
http://social.technet.microsoft.com/wiki/contents/articles/10128.tools-for-troubleshooting-slow-boots-and-slow-logons-sbsl.aspx
http://social.technet.microsoft.com/wiki/contents/articles/10123.troubleshooting-slow-operating-system-boot-times-and-slow-user-logons-sbsl.aspx

And PowerShell: http://blogs.citrix.com/2015/08/05/troubleshooting-slow-logons-via-powershell/

Analyze GPO load time: http://www.controlup.com/script-library/Analyze-GPO-Extensions-Load-Time/ee682d01-81c4-4495-85a7-4c03c88d7263/

How to use Xperf, Xbootmgr, Procmon, WPA?
xperf, xbootmgr and xperfview come from the Windows ADK (Windows Performance Toolkit sub-part). Procmon is a Sysinternals tool.
http://superuser.com/questions/594625/how-can-i-analyze-performance-issues-before-during-the-logon-process
http://blogs.technet.com/b/askpfeplat/archive/2012/06/09/slow-boot-slow-logon-sbsl-a-tool-called-xperf-and-links-you-need-to-read.aspx
http://social.technet.microsoft.com/wiki/contents/articles/10128.tools-for-troubleshooting-slow-boots-and-slow-logons-sbsl.aspx

Other interesting articles:
http://blogs.technet.com/b/askpfeplat/archive/2014/10/27/becoming-an-wpa-xpert-part-11-troubleshooting-long-group-policy-processing.aspx
https://www.autoitconsulting.com/site/performance/windows-performance-toolkit-simple-boot-logging/
https://randomascii.wordpress.com/2012/09/04/windows-slowdown-investigated-and-identified/
https://randomascii.wordpress.com/2013/04/20/xperf-basics-recording-a-trace-the-easy-way/