Security : Systems forensics and free tools

Based on my 25 years' experience as a sysadmin, I recommend the free tools below for forensic analysis and systems assessment:
Repair tools: http://trinityhome.org/Home
Windows privilege escalation: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Blog hacker playbook mindmap (poster): https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/
SANS DFIR "Hunting Evil" Windows map (poster), Windows systems: https://digital-forensics.sans.org/media/DFPS_FOR508_v4.3_12-18.pdf
Linux privilege escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Blogs and web sites: 51 Tools for Security Analysts

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
https://github.com/PaulSec/awesome-windows-domain-hardening
PingCastle, to audit an AD domain: https://www.pingcastle.com/
AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
On ADsecurity.org:
Beyond domain admins: https://adsecurity.org/?p=3700
Gathering AD data with PowerShell: https://adsecurity.org/?p=3719
Hardening Windows computers, secure baseline checklist: https://adsecurity.org/?p=3299

Troubleshooting Account locked out; EventID 4740,4625,4771

Troubleshooting account lockouts has become an IT admin routine nowadays; you can find more possible root causes in our Account Lockout Troubleshooting Guide: https://community.spiceworks.com/how_to/113387-account-lockout-troubleshooting
Possible root causes:
Persistent drive mappings with expired credentials
Mobile devices using domain services like an Exchange mailbox
Service accounts using cached passwords
Scheduled tasks with expired credentials
Programs using stored

AD – How to audit weak passwords?

Behind this catchy title is a real need. As a system administrator, it may be worthwhile to audit all of your organization's Active Directory accounts to assess the level of security of user accounts. Let's see how we do it!
Web resources and methods:
Part 1: https://www.dionach.com/blog/active-directory-password-auditing
ntdsutil session:
    ntdsutil
    ntdsutil: activate instance ntds
    ntdsutil: ifm
    ifm: create

AD: Be protected against “Pass the Hash” attacks

Resource materials:
AD Security, preventing Mimikatz attacks: https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
https://adsecurity.org/?p=1684
https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory
Mimikatz and Active Directory Kerberos attacks: https://adsecurity.org/?p=556
https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf
https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
http://www.gentilkiwi.com/mimikatz / http://blog.gentilkiwi.com/
Scripts:
https://github.com/iadgov/Pass-the-Hash-Guidance
https://github.com/iadgov/Event-Forwarding-Guidance
Domain lockdown: https://github.com/curi0usJack/activedirectory
Microsoft resources:
http://www.microsoft.com/pth
http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx
Pass the Hash, isolation technique: implementing the tier-zones model on Active Directory: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Mitigate credential theft with the Administrative Tier Model

Windows forensics: have I been hacked?

The main question is: how do I know if I have been hacked?
Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/
Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon
How to use it:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
http://blog.crowdstrike.com/sysmon-2/
http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html
Additional resources on this blog: http://wp.me/p15Zft-od
Some other links: http://www.computerforensicsworld.com/, http://www.forensics.nl/links
The first step is to scan your computer with a Rootkit

Hacking: Windows forensics

Windows forensics:
Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/
Detecting lateral movement: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
PowerShell Windows forensics:
https://github.com/WiredPulse/PoSh-R2
https://github.com/Invoke-IR/PowerForensics
https://github.com/gfoss/PSRecon
https://github.com/davehull/Kansa (see also http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/)
Ref: http://windowsir.blogspot.fr/
Situation
The situation was pretty straightforward; a system (Win7SP1) had been identified as having been infected with malware at one point. What had been determined from the

Free Tools for System and Network or DB Administrators

Free tools for Windows sysadmin
– Find a string in files on Windows, using findstr /s /i:
    findstr /s /i /C:"provider=sqloledb" d:\dir\*.*
– Find and replace a string in a file (Find and Replace == fnr): http://findandreplace.io/download
  Another tool, which also requires Java: FAR https://sourceforge.net/projects/findandreplace/
– Test SSL and TLS: https://www.qualys.com/sslchecker
Well-known online tools for network engineers:
https://dnschecker.org
https://www.whois.net/
https://mxtoolbox.com/
https://whatismyipaddress.com/
http://ping-test.org/
https://www.portcheckers.com/

Windows forensic: Sysmon

Download Sysmon (NEW: Sysmon 10.42 is available!): https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
How to use it:
WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/
MITRE ATT&CK framework, Sysmon coverage: https://attack.mitre.org/
Installation and usage:
https://github.com/olafhartong/sysmon-modular
https://github.com/ion-storm/sysmon-config
https://github.com/SwiftOnSecurity/sysmon-config
List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir
Motiba: https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/
Sysmon events table: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-events-table/
Mark Russinovich's RSA conference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
Sysmon config files explained: https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/
Hide Sysmon from