Security : Systems forensics and free tools

Based on my 25 years' experience as a sysadmin, I recommend the free tools below for forensic analysis and systems assessment:
- Repair tools
- Windows privilege escalation
- Blog hacker playbook mind map (poster)
- SANS DFIR "Hunting Evil" Windows map (poster)
- Windows systems
- Linux privilege escalation
- Blogs and web sites
- 51 Tools for Security Analysts

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
- PingCastle: to audit an AD domain
- AD Explorer (Sysinternals)
- Microsoft audit policy settings and recommendations
- Sysinternals Sysmon: to audit and control changes
- Beyond Domain Admins
- Gathering AD data with PowerShell
- Hardening Windows computers: secure baseline checklist

Troubleshooting Account locked out; EventID 4740,4625,4771

Troubleshooting account lockouts has become an IT admin routine nowadays; you can find more possible root causes in our Account Lockout Troubleshooting Guide. Possible root causes:
- Persistent drive mappings with expired credentials
- Mobile devices using domain services like an Exchange mailbox
- Service accounts using cached passwords
- Scheduled tasks with expired credentials
- Programs using stored…

AD – How to audit weak passwords?

Behind this catchy title is a real need. As a system administrator, it may be worthwhile to audit all of your organization's Active Directory accounts to assess the level of security of user accounts. Let's see how we do it! Web resources and methods:

Part 1: ntdsutil

    ntdsutil: activate instance ntds
    ntdsutil: ifm
    ifm: create…

AD: Be protected against “Pass the Hash” attacks

Resource materials:
- AD Security: Preventing Mimikatz attacks
- Mimikatz and Active Directory Kerberos attacks
- Scripts: Domain lockdown
- Microsoft resources: Pass the Hash isolation technique
- Implementing the tier-zones model on Active Directory
- Mitigate credential theft with the Administrative Tier Model

Windows forensics: have I been hacked?

The main question is: how do I know if I have been hacked?
- Hacking mind map
- Detecting lateral movement using event logs
- Sysmon 6, and how to use it
- Additional resources on this blog, and some other links

The first step is to scan your computer with a rootkit…

Hacking: Windows forensics

Windows forensics:
- Hacking mind map
- Detecting lateral movement
- PowerShell Windows forensics

Ref: Situation. The situation was pretty straightforward; a system (Win7 SP1) had been identified as having been infected with malware at one point. What had been determined from the…

Free Tools for System and Network or DB Administrators

Free tools for Windows sysadmins:
- Find a string in files on Windows, using findstr /s /i:

    findstr /s /i /C:"provider=sqloledb" d:\dir\*.*

- Find and replace a string in files: Find and Replace (fnr); another tool, which also requires Java: FAR
- Test SSL and TLS
- Well-known online tools for network engineers

Windows forensic: Sysmon

Download Sysmon. NEW: Sysmon 10.42 is available!
- How to use it
- WMI detections
- MITRE framework: Sysmon coverage
- Installation and usage
- List of web resources concerning Sysmon
- Motiba
- Sysmon events table
- Mark Russinovich's RSA conference
- Sysmon config files explained
- Hide Sysmon from…