AzureAD objects enumeration

You can enumerate Azure AD objects using Microsoft Graph:
ROADtools and ROADrecon, an Azure AD exploration framework: https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/
BECS and beyond: Investigating and Defending Office 365 (Mandiant, APT TTPs and associated logs)
You can't hide things in AAD (delta subscriptions for non-privileged users)
Consent grant attack mitigation: a good list of mitigation techniques
I'm In Your Cloud, by Dirk-jan Mollema
Microsoft Graph Explorer: How to

Remote desktop solutions – Tips and Tricks

Security guidance for remote desktop adoption: https://www.microsoft.com/security/blog/2020/04/16/security-guidance-remote-desktop-adoption/
Windows Virtual Desktop: https://docs.microsoft.com/en-us/azure/virtual-desktop/overview
Log Analytics for WVD (example queries): https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics#example-queries
Just-in-time VM access: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
Azure Bastion: https://azure.microsoft.com/en-us/services/azure-bastion/
RDS 2012 R2 and RDS 2016 tips and tricks: https://hichamkadiri.wordpress.com/tag/remote-desktop-services-2012-r2/page/2/ and https://hichamkadiri.wordpress.com/tag/remote-desktop-services-2012-r2/
RDS diagnostic tool: https://www.microsoft.com/en-us/download/confirmation.aspx?id=40890
How to send a message: Sending a message to all users that are logged on to a specific terminal

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
CERT-FR (ANSSI) Active Directory security guide: https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
Awesome Windows domain hardening: https://github.com/PaulSec/awesome-windows-domain-hardening
PingCastle, to audit an AD domain: https://www.pingcastle.com/
AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
On ADsecurity.org:
Beyond domain admins: https://adsecurity.org/?p=3700
Gathering AD data with PowerShell: https://adsecurity.org/?p=3719
Hardening Windows computers, secure baseline checklist: https://adsecurity.org/?p=3299

How to update group membership without logoff / logon /restart

This is very useful in situations where you want to update a user's or computer's group membership without a re-logon or a restart. The whole magic lies in the Kerberos tickets issued after you log on to a machine or after a machine has started: group membership travels inside those tickets, so new tickets mean updated membership. The tool “klist.exe” can not only be used
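The procedure with klist.exe, as an added example for this page (not the original post's commands). It assumes an elevated PowerShell on a domain-joined machine; `NewGroup` and `\\fileserver.corp.example\restricted$` are placeholders:

```powershell
# Added example (not from the original post): refresh Kerberos tickets so that newly issued
# tickets carry the updated group membership, without logging off or rebooting.
# Assumptions: elevated PowerShell on a domain-joined machine; 'NewGroup' and the UNC path
# below are placeholders.

# 1. Show the tickets cached for the current logon session.
klist tickets

# 2. Purge the user's cached tickets (TGT included). The next access to a Kerberos service
#    requests a fresh TGT and service ticket, whose PAC lists the groups the user is in now.
klist purge

# 3. Same for the computer account: logon session 0x3e7 is the SYSTEM / machine session
#    (this is the part that needs elevation). Re-run Group Policy afterwards so GPOs
#    filtered on the computer's new group are applied.
klist -li 0x3e7 purge
gpupdate /target:computer /force

# 4. Check. The access token of the existing session is NOT rebuilt, so whoami still shows
#    the old membership; a fresh service ticket does carry the new group, so a share
#    granted only to that group becomes reachable.
whoami /groups | Select-String 'NewGroup'
Test-Path '\\fileserver.corp.example\restricted$'
```

The caveat in step 4 is the one that trips people up: purging tickets fixes access to remote resources (file shares, SQL, web apps using Kerberos), but anything evaluated against the local logon token, such as local group membership or user rights on the machine itself, still needs a logoff/logon.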

Microsoft Message Analyzer resources

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/
Network Monitor 3.4 (Netmon): https://www.microsoft.com/en-us/download/details.aspx?id=4865 (note: Network Monitor is no longer under active development)
Wireshark (v2.2.2 as of 11/16/16): https://wireshark.org/#download
Netsh trace: built into the operating system
Microsoft Message Analyzer (MMA) (v1.4 as of 6/13/16): https://www.microsoft.com/en-us/download/details.aspx?id=44226
Message Analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx
How to: Message Analyzer

RDS – RDS licensing service configuration

Web resources:
Migrate RDS role services: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/migrate-rds-role-services
RDS client access licenses (CALs): https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license
Note: do not specify a DNS alias for the RDS licensing server when setting up a new RDS server; use its real host name.
Old articles: https://hichamkadiri.wordpress.com/tag/remote-desktop-services-2012-r2/page/2/ and http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx

Understanding and Troubleshooting MS RPC

Overview: a very brief summary of how the protocol works. There is an “endpoint mapper” that runs on TCP port 135. You can bind to that port on a remote computer anonymously and enumerate all the various RPC services available on that computer. The services may be using named pipes or TCP/IP. Named pipes will
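The first step of that exchange, the anonymous bind to the endpoint mapper, as an added example for this page (not code from the original post). It hand-builds the DCE/RPC bind PDU from the MS-RPCE connection-oriented layout, sends it to TCP 135 and decodes the bind_ack, which makes it a useful check when chasing "The RPC server is unavailable": a TCP failure means firewall or service, a bind_ack means the endpoint mapper itself is fine. `dc01.corp.example` is a placeholder:

```powershell
# Added example (not from the original post): anonymous DCE/RPC bind to the endpoint mapper
# on TCP 135, built from the MS-RPCE connection-oriented PDU layout. $Target is a placeholder.
param([string]$Target = 'dc01.corp.example', [int]$Port = 135)

$EpmUuid = [guid]'e1af8308-5d1f-11c9-91a4-08002b14a0fa'   # endpoint mapper interface, version 3.0
$NdrUuid = [guid]'8a885d04-1ceb-11c9-9fe8-08002b104860'   # NDR transfer syntax, version 2.0

function New-SyntaxId([guid]$Uuid, [uint16]$Major, [uint16]$Minor) {
    # p_syntax_id_t: GUID with its first three fields little-endian (what ToByteArray() yields),
    # then a 32-bit version with the major number in the low word.
    [byte[]]($Uuid.ToByteArray() + [BitConverter]::GetBytes([uint32]($Minor * 65536 + $Major)))
}

function New-BindPdu([uint32]$CallId = 1, [uint16]$MaxFrag = 4280) {
    $ctx  = [BitConverter]::GetBytes([uint16]0) + [byte[]](1, 0)    # p_cont_id 0, one transfer syntax, reserved
    $ctx += New-SyntaxId $EpmUuid 3 0                                 # abstract syntax: EPM v3.0
    $ctx += New-SyntaxId $NdrUuid 2 0                                 # transfer syntax: NDR v2.0
    $body  = [BitConverter]::GetBytes($MaxFrag) + [BitConverter]::GetBytes($MaxFrag)  # max_xmit_frag, max_recv_frag
    $body += [BitConverter]::GetBytes([uint32]0)                      # assoc_group_id 0 = new association
    $body += [byte[]](1, 0, 0, 0) + $ctx                              # n_context_elem 1, reserved, reserved2
    $header  = [byte[]](5, 0, 11, 3)                                  # rpc_vers 5.0, PTYPE 11 = bind, first|last fragment
    $header += [byte[]](0x10, 0, 0, 0)                                # packed_drep: little-endian integers, ASCII
    $header += [BitConverter]::GetBytes([uint16](16 + $body.Length))  # frag_length (72 bytes for this bind)
    $header += [BitConverter]::GetBytes([uint16]0)                    # auth_length 0: no security trailer, i.e. anonymous
    $header += [BitConverter]::GetBytes($CallId)
    [byte[]]($header + $body)
}

function Read-BindAck([byte[]]$Pdu) {
    if ($Pdu.Length -lt 16 -or $Pdu[0] -ne 5) { throw 'not a DCE/RPC v5 PDU' }
    $fragLength = [BitConverter]::ToUInt16($Pdu, 8)
    if ($fragLength -ne $Pdu.Length) { throw "truncated PDU: frag_length $fragLength, got $($Pdu.Length) bytes" }
    if ($Pdu[2] -eq 13) {                                             # PTYPE 13 = bind_nak
        return [pscustomobject]@{ PType = 'bind_nak'; RejectReason = [BitConverter]::ToUInt16($Pdu, 16) }
    }
    if ($Pdu[2] -ne 12) { throw "unexpected PTYPE $($Pdu[2])" }       # PTYPE 12 = bind_ack
    $addrLen = [BitConverter]::ToUInt16($Pdu, 24)                     # port_any_t: length-prefixed secondary address
    $secAddr = [Text.Encoding]::ASCII.GetString($Pdu, 26, $addrLen).TrimEnd([char]0)
    $off  = 26 + $addrLen
    $off += (4 - ($off % 4)) % 4                                      # p_result_list starts 4-byte aligned
    $results = for ($i = 0; $i -lt $Pdu[$off]; $i++) {                # $Pdu[$off] = n_results
        $base = $off + 4 + 24 * $i
        [pscustomobject]@{
            Result         = [BitConverter]::ToUInt16($Pdu, $base)    # 0 = acceptance, 2 = provider rejection
            Reason         = [BitConverter]::ToUInt16($Pdu, $base + 2)
            TransferSyntax = [guid]::new([byte[]]($Pdu[($base + 4)..($base + 19)]))
            Version        = [BitConverter]::ToUInt32($Pdu, $base + 20)
        }
    }
    [pscustomobject]@{
        PType   = 'bind_ack'
        CallId  = [BitConverter]::ToUInt32($Pdu, 12)
        SecAddr = $secAddr
        Results = @($results)
    }
}

function Invoke-EpmBind([string]$ComputerName, [int]$TcpPort = 135) {
    $client = [Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($ComputerName, $TcpPort)   # failure here is TCP-level (firewall, service down), not RPC
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $request = New-BindPdu
        $stream.Write($request, 0, $request.Length)
        $buffer = [byte[]]::new(4280)
        $count  = $stream.Read($buffer, 0, $buffer.Length)   # a bind_ack is one small fragment
        if ($count -lt 16) { throw 'no bind response from the endpoint mapper' }
        Read-BindAck ([byte[]]($buffer[0..($count - 1)]))
    } finally { $client.Dispose() }
}

Invoke-EpmBind -ComputerName $Target -TcpPort $Port | Format-List
```

A bind_ack with Result 0 and the NDR transfer syntax echoed back means the endpoint mapper is up and accepting anonymous binds. Enumerating the registered services is the next call (an ept_lookup request on the bound connection), which this example does not send; tools such as rpcdump do exactly that. If the bind succeeds but a client still reports "RPC server unavailable", look at the dynamic port range the mapped service was assigned rather than at port 135.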

RPC server not available error when accessing Windows server 2003

Recently I am facing a remote desktop login problem on a Windows 2003 Server. When I enter the user name and password, the server gives me a logon error: “The system cannot log you on due to the following error: The RPC server is unavailable. Please try again or consult your system administrator.” From another member server

How to repair servermanager?

How to repair servermanager.exe on 2012 R2? If Server Manager crashes and the Application event log shows an event like this:
Event ID: 1000
Faulting application path: C:\Windows\system32\ServerManager.exe
Faulting module path: C:\Windows\system32\wmidcom.dll
Solution: rename the registry key HKLM\SOFTWARE\Microsoft\ServerManager\ServicingStorage\ServerComponentCache to HKLM\SOFTWARE\Microsoft\ServerManager\ServicingStorage\ServerComponentCache.old. Reboot for the change to take effect, then, if KO, remove the .old registry keys.

AD: Be protected against “Pass the Hash” attacks

Resource materials:
AD Security, preventing Mimikatz attacks: https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5 and https://adsecurity.org/?p=1684
Overview of Microsoft's best practices for securing Active Directory (SANS): https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory
Mimikatz and Active Directory Kerberos attacks: https://adsecurity.org/?p=556
NSA, Reducing the Effectiveness of Pass-the-Hash: https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf
NSA, Spotting the Adversary with Windows Event Log Monitoring: https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
Mimikatz: http://www.gentilkiwi.com/mimikatz / http://blog.gentilkiwi.com/
Scripts: https://github.com/iadgov/Pass-the-Hash-Guidance and https://github.com/iadgov/Event-Forwarding-Guidance
Domain lockdown: https://github.com/curi0usJack/activedirectory
Microsoft resources: http://www.microsoft.com/pth
Mitigating Pass-the-Hash Attacks and Other Credential Theft, version 2: http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
New strategies and features to help organizations better protect against Pass-the-Hash attacks: http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx
Pass the Hash, isolation technique: implementing the tier model on Active Directory: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Mitigate credential theft with the administrative tier model