AzureAD objects enumeration

You can enumerate Azure AD objects using Microsoft Graph. Related resources: BECS and beyond: Investigating and Defending Office 365 (Mandiant, APT TTPs and associated logs); You can't hide things in AAD (Delta subscriptions for non-privileged users); Consent grant attack mitigation (a good list of mitigation techniques); I'm In Your Cloud, from Dirk-jan Mollema; Microsoft Graph Explorer how-to.

Remote desktop solutions – Tips and Tricks

Security guidance for remote desktop adoption; Windows Virtual Desktop; Log Analytics for WVD; Just-in-time access; Azure Bastion; RDS 2012 R2 and RDS 2016 tips and tricks; RDS diagnostic tool; How to send a message: sending a message to all users that are logged on to a specific terminal

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain: PingCastle, to audit an AD domain; AD Explorer (Sysinternals); Microsoft audit policy settings and recommendations; Sysinternals Sysmon, to audit and control changes; Beyond Domain Admins; Gathering AD data with PowerShell; Hardening Windows computers, secure baseline checklist.

How to update group membership without logoff / logon /restart

This can be very useful in situations where you want to update a user's or computer's group membership without having to log off and on again or restart. The whole magic lies in the Kerberos tickets issued after you log on to a machine or after a machine has started. The tool "klist.exe" can not only be used

Microsoft Message Analyzer resources

Basic network capture methods: Network Monitor 3.4 (Netmon) (note: Network Monitor is no longer under active development); Wireshark (v2.2.2 as of 11/16/16); Netsh Trace, built into the operating system; Microsoft Message Analyzer (MMA) (v1.4 as of 6/13/16). Message Analyzer operating guide: how to use Message Analyzer

RDS – RDS licensing service configuration

Web resources: Note: do not specify a DNS alias for the RDS licensing service server (on a new RDS server). Old articles:

Understanding and Troubleshooting MS RPC

Overview: A very brief summary of how the protocol works: there is an "endpoint mapper" that listens on TCP port 135. You can bind to that port on a remote computer anonymously and enumerate all the RPC services available on that computer. The services may use named pipes or TCP/IP. Named pipes will

RPC server not available error when accessing Windows server 2003

Recently I have been facing a remote desktop login problem on a Windows 2003 Server. When I enter my user name and password, the server gives me a logon error: "The system cannot log you on due to the following error: The RPC server is unavailable. Please try again or consult your system administrator." From another member server

How to repair servermanager?

How to repair servermanager.exe on Windows Server 2012 R2? If Server Manager crashes and the following event appears in the Application event log: Event ID: 1000, Faulting application path: C:\Windows\system32\ServerManager.exe, Faulting module path: C:\Windows\system32\wmidcom.dll. Solution: rename the registry key HKLM\SOFTWARE\Microsoft\ServerManager\ServicingStorage\ServerComponentCache to HKLM\SOFTWARE\Microsoft\ServerManager\ServicingStorage\ServerComponentCache.old, then reboot for the change to take effect; if it is still KO, remove the .old registry keys.

AD: Be protected against “Pass the Hash” attacks

Resource materials: AD Security: Preventing Mimikatz attacks; Mimikatz and Active Directory Kerberos attacks. Scripts: Domain lockdown. Microsoft resources: Pass the Hash isolation technique; Implementing the tier-zones model on Active Directory; Mitigate credential theft with the Administrative Tier Model.