Audit Windows files

Windows file system auditing is an important means of keeping your security posture high.
Article: https://www.varonis.com/blog/windows-file-system-auditing/
PowerShell script: https://gallery.technet.microsoft.com/scriptcenter/How-to-audit-changed-39afba72
Extract: First, you need to enable File system auditing using a GPO setting: In the Group Policy editor, click through to Computer Configuration -> Policies -> Windows Settings -> Local Policies. Click on Audit Policy. You can add many auditing options to …
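The policy setting alone produces no events: the folder you want to watch also needs a SACL, and you then need to know which fields of event 4663 to read. The following is an added example (not from the linked article or script) that does the three steps on one machine. It assumes an elevated session on the host that owns the folder, uses C:\Shares\Finance as a placeholder path, and uses the Advanced Audit Policy subcategory "File System" (the granular form of the legacy "Audit object access" setting); in a domain you would set the audit policy by GPO instead of auditpol.exe, but the SACL and the query are identical.

```powershell
# Added example: enable file system auditing on one folder and read back 4663 events.
# Assumptions: run elevated (SeSecurityPrivilege is needed to write a SACL);
# C:\Shares\Finance is a placeholder.

$Path = 'C:\Shares\Finance'

# 1. Enable the Advanced Audit Policy subcategory "File System" (success and failure).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry. Audit only the rights that matter (writes, deletes,
#    permission/ownership changes); auditing ReadData on a busy share floods the log.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back who touched what. 4663 = "An attempt was made to access an object".
#    Property positions follow the 4663 schema: SubjectUserName=1, SubjectDomainName=2,
#    ObjectName=6, AccessMask=9, ProcessName=11.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -like "$Path*" } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
            Object     = $_.Properties[6].Value
            AccessMask = ('0x{0:X}' -f [int64]$_.Properties[9].Value)
            Process    = $_.Properties[11].Value
        }
    } | Format-Table -AutoSize
```

AccessMask is a bit field (for example 0x2 = WriteData, 0x10000 = Delete, 0x40000 = WRITE_DAC); a 4663 with a mask you never audited points at a different SACL on a parent or child object, which is worth checking before trusting the report.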

Security : Systems forensics and free tools

Based on my 25 years of experience as a sysadmin, I recommend the free tools below for forensic analysis and systems assessment:
Repair tools: http://trinityhome.org/Home
Windows privilege escalation: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Blog hacker playbook mindmap (poster): https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/
SANS DFIR "Hunt Evil" poster (Windows systems): https://digital-forensics.sans.org/media/DFPS_FOR508_v4.3_12-18.pdf
Linux privilege escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Blogs and web sites: 51 Tools for Security Analysts …

Microsoft Security compliance toolkit / Windows hardening / GPO settings

Microsoft Security Compliance Toolkit: it replaces Security Compliance Manager. The tool lets you plan, create and monitor security baselines for your client workstations. Microsoft chose to replace SCM because of its complexity and the difficulty of maintaining the tool for each Windows version. Today, SCT only supports …

How to deploy latest Windows GPO ?

The Central Store. To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools by default. The Group Policy tools use all .admx files that are in …
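The Central Store is nothing more than a folder at a fixed path under SYSVOL; once it exists, the Group Policy editor reads its templates from there and ignores the local PolicyDefinitions. The following is an added example, not part of the original post, that creates the folder and copies the templates in without downgrading anything already there. It assumes the ActiveDirectory module on a domain-joined management host, write access to SYSVOL (Domain Admins by default), that the local %SystemRoot%\PolicyDefinitions comes from the newest Windows build you administer (or from the downloaded .admx package), and that en-US is the only language folder you need.

```powershell
# Added example: create and populate the Group Policy Central Store.
# Assumptions: ActiveDirectory module; write access to SYSVOL; local
# PolicyDefinitions is the newest template set; culture folder en-US.
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Source  = "$env:SystemRoot\PolicyDefinitions"
$Culture = 'en-US'   # assumed; add fr-FR, de-DE, ... as required

# Creating this folder is what turns the Central Store on.
foreach ($dir in @($Central, (Join-Path $Central $Culture))) {
    if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }
}

# Copy a file only if the store has no copy or an older one, so a newer
# vendor ADMX already in SYSVOL is never replaced by an older local one.
function Copy-IfNewer([System.IO.FileInfo]$File, [string]$Destination) {
    if (-not (Test-Path $Destination) -or
        (Get-Item $Destination).LastWriteTime -lt $File.LastWriteTime) {
        Copy-Item -Path $File.FullName -Destination $Destination -Force
        Write-Output "updated $Destination"
    }
}

Get-ChildItem -Path $Source -Filter *.admx |
    ForEach-Object { Copy-IfNewer $_ (Join-Path $Central $_.Name) }
Get-ChildItem -Path (Join-Path $Source $Culture) -Filter *.adml |
    ForEach-Object { Copy-IfNewer $_ (Join-Path $Central "$Culture\$($_.Name)") }

# An .admx without its matching .adml makes the editor fail to parse the template,
# so check the pairing before opening GPMC.
$orphans = Get-ChildItem -Path $Central -Filter *.admx |
    Where-Object { -not (Test-Path (Join-Path $Central "$Culture\$($_.BaseName).adml")) }
if ($orphans) { Write-Warning "ADMX without $Culture ADML: $($orphans.Name -join ', ')" }
```

Run it again after every Windows feature update from the newest managed client: templates only ever move forward that way, and mixing ADMX/ADML versions from different builds is the usual cause of "namespace already defined" errors in the editor.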

How to with Regular expressions

Hi, if you are using regular expressions, I recommend the following tools and sites:
Regex tools to learn, build and test regular expressions:
https://regexper.com/
https://regex101.com/
https://regexr.com
http://regex.lumadis.be/test_regex.php?lang=fr
Tutorials about regexp:
http://en.wikipedia.org/wiki/Regular_expression
http://www.regular-expressions.info/quickstart.html
http://www.expreg.com/
Examples: .at matches any three-character string ending with “at”, including “hat”, “cat”, and “bat”. [hc]at matches “hat” and “cat”. [^b]at matches …

Security baseline for Windows Operating system

Security baseline reference article. Download the latest version: https://www.microsoft.com/en-us/download/details.aspx?id=55319
Introduction: Download the content. As usual, the content includes GPO backups, GPO reports, scripts to apply settings to local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and our recommended settings, settings that are new to …
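For a standalone or lab machine the quickest way to use the downloaded baseline (from this entry and the Security Compliance Toolkit entry above) is to import its GPO backups into the local GPO with LGPO.exe, which ships in the same toolkit. This is an added example, not Microsoft's own Local_Script; the zip and LGPO.exe paths are placeholders for whatever you downloaded, and it assumes an elevated session. The step a practitioner tends to skip is the first one: taking a backup of the local policy so the baseline can be rolled back.

```powershell
# Added example: apply an SCT baseline to the local GPO with rollback.
# Assumptions: elevated session; $Zip and $Lgpo are placeholders for the
# downloaded baseline zip and the toolkit's LGPO.exe.
$Zip  = "$env:USERPROFILE\Downloads\Windows-Security-Baseline.zip"   # placeholder
$Lgpo = "$env:USERPROFILE\Downloads\LGPO\LGPO.exe"                   # placeholder
$Work = "$env:TEMP\Baseline"

Expand-Archive -Path $Zip -DestinationPath $Work -Force

# 1. Snapshot the current local policy as a GPO backup so you can return to it
#    with "LGPO.exe /g <that folder>" if the baseline breaks something.
& $Lgpo /b "$Work\Before-Baseline"

# 2. The zip holds a GPOs folder of {GUID} backup folders; "GP Reports" tells you
#    which GUID is which. /g imports every GPO backup found under the given path.
$GpoDir = (Get-ChildItem -Path $Work -Recurse -Directory -Filter GPOs | Select-Object -First 1).FullName
& $Lgpo /g $GpoDir /v

# 3. Refresh and keep a report of what is now in effect for the change record.
gpupdate.exe /force
gpresult.exe /h "$Work\After-Baseline.html"
```

Importing the whole GPOs folder also applies the "Domain Security" backup, which carries password and lockout policy; on a domain member that is normally set at the domain level, so copy only the computer and user baseline GUID folders into a separate directory and point /g at that if you do not want it. Compare the result against the PolicyRules files from the same zip in Policy Analyzer rather than trusting gpresult alone.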

Hacking and Securing Active Directory

Hacking techniques for AD: “state of the art” (but scary!) with possible mitigation (when possible) + a few new methods…
https://adsecurity.org/wp-content/uploads/2015/08/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf
https://github.com/infosecn1nja/AD-Attack-Defense
https://specterops.io/resources/research-and-development
https://github.com/wavestone-cdt/AD-security-workshop
https://www.labofapenetrationtester.com/
https://github.com/fireeye/commando-vm
For GPO audit: https://github.com/l0ss/Grouper2
Spraykatz: https://www.slideshare.net/sylvaincortes/spraykatz-installation-basic-usage https://github.com/aas-n/spraykatz
Reverse TCP shell: https://www.youtube.com/watch?v=T9qb4DIAXTg&feature=youtu.be https://github.com/ZHacker13/ReverseTCPShell
Securing AD:
AD Explorer: https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory
http://video.ch9.ms/sessions/teched/na/2014/DCIM-B213.pptx
https://www.pingcastle.com/
AD authentication silos and more: https://www.sstic.org/user/abordes
MS white-paper best practices …

Authentication Silos and policies

Reference: To use authentication policy silos, the domain functional level must be Windows Server 2012 R2 or higher (all domain controllers of the domain at 2012 R2 or later). Policies and silos are stored in the configuration partition (so at the forest level) and replicated to all domain controllers.
https://www.sstic.org/2017/presentation/administration_en_silo/
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos.md
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos#BKMK_HowKerbUsed
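The references above describe the model; what they do not show side by side is the handful of cmdlets that build a silo and the order in which to use them. The following is an added example, not taken from the linked material, of a Tier-0 silo that ties domain admin accounts to the domain controllers and a privileged access workstation. Names (Tier0-Silo, t0-admin1, DC01, PAW01) are placeholders. It assumes the ActiveDirectory module, the 2012 R2 functional level named above, and that the KDC-side GPO "KDC support for claims, compound authentication and Kerberos armoring" and the client-side "Kerberos client support for claims, compound authentication and Kerberos armoring" are already enabled, because without them the device claim the silo relies on is never issued and the policy does nothing.

```powershell
# Added example: build a Tier-0 authentication policy silo.
# Assumptions: ActiveDirectory module; DFL >= 2012 R2; claims/armoring GPOs enabled;
# all names below are placeholders.
Import-Module ActiveDirectory

$SiloName = 'Tier0-Silo'
$Admins   = @('t0-admin1')        # protected admin accounts
$Devices  = @('DC01', 'PAW01')    # domain controllers + privileged access workstation

# Access-control condition (SDDL): a TGT is issued only when the requesting device
# is itself a member of this silo. WD = Everyone, gated by the AuthenticationSilo claim.
$FromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

# One policy per principal type. Deliberately created WITHOUT -Enforce: in audit
# mode the KDC only logs what would have been refused, which is how you discover
# the scheduled task or jump host you forgot before locking anyone out.
New-ADAuthenticationPolicy -Name "$SiloName-Users" -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $FromSilo
New-ADAuthenticationPolicy -Name "$SiloName-Computers" -ComputerTGTLifetimeMins 240
New-ADAuthenticationPolicy -Name "$SiloName-Services"  -ServiceTGTLifetimeMins 240

New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy     "$SiloName-Users" `
    -ComputerAuthenticationPolicy "$SiloName-Computers" `
    -ServiceAuthenticationPolicy  "$SiloName-Services"

# Membership is two-sided: the silo must permit the account AND the account must be
# assigned to the silo. Doing only one half leaves the account unprotected.
foreach ($u in $Admins) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account (Get-ADUser $u)
    Set-ADUser -Identity $u -AuthenticationPolicySilo $SiloName
}
foreach ($c in $Devices) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account (Get-ADComputer $c)
    Set-ADComputer -Identity $c -AuthenticationPolicySilo $SiloName
}

# Check the result; after a clean audit period, flip policies and silo to enforced.
Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties * |
    Select-Object Name, Enforce, Members
# Get-ADAuthenticationPolicy -Filter "Name -like '$SiloName-*'" | Set-ADAuthenticationPolicy -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $SiloName -Enforce $true
```

Keep at least one break-glass domain admin account outside the silo (and outside Protected Users) in a sealed envelope: with enforcement on, an admin whose workstation is not a silo member cannot get a TGT from anywhere, including the domain controllers' own consoles if those were left out of $Devices.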

AD – Securing Domain Controllers / hardening Windows domain and computers

Reference articles to secure a Windows domain:
https://www.cert.ssi.gouv.fr/uploads/guide-ad.html
https://github.com/PaulSec/awesome-windows-domain-hardening
PingCastle, to audit an AD domain: https://www.pingcastle.com/
AD Explorer (Sysinternals): https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
Microsoft audit policy settings and recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
Sysinternals Sysmon, to audit and control changes: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
On ADsecurity.org:
Beyond domain admins: https://adsecurity.org/?p=3700
Gathering AD data with PowerShell: https://adsecurity.org/?p=3719
Hardening Windows computers, secure baseline checklist: https://adsecurity.org/?p=3299 …

Troubleshooting Account locked out; EventID 4740,4625,4771

Troubleshooting account lockouts has become an IT admin routine nowadays; you can find more possible root causes in our Account Lockout Troubleshooting Guide: https://community.spiceworks.com/how_to/113387-account-lockout-troubleshooting
Possible root causes:
Persistent drive mappings with expired credentials
Mobile devices using domain services like an Exchange mailbox
Service accounts using cached passwords
Scheduled tasks with expired credentials
Programs using stored …
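The three event IDs in the title each answer a different question, and the usual mistake is to search for them on the wrong machine. Every lockout is recorded as 4740 on the PDC emulator, and its "Caller Computer Name" is the machine that sent the bad password; 4625 on that caller tells you which process and logon type did it (a drive mapping, a service, RDP); 4771 on the domain controllers gives the client IP when the caller name is empty, which happens with some Kerberos and non-Windows clients. The following is an added example, not from the linked guide, that walks that chain for one account. It assumes the ActiveDirectory module and permission to read the Security log remotely on the PDC emulator and on the caller; jdoe is a placeholder.

```powershell
# Added example: trace an account lockout from 4740 (PDC) to 4625 (caller) and 4771 (DC).
# Assumptions: ActiveDirectory module; remote Security log read access; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$Account = 'jdoe'
$Since   = (Get-Date).AddDays(-1)
$Pdc     = (Get-ADDomain).PDCEmulator   # all 4740s end up here

# 4740 "A user account was locked out": TargetUserName = property 0, caller computer = property 1.
$lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$Since } |
    Where-Object { $_.Properties[0].Value -eq $Account } |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Caller = $_.Properties[1].Value } }
$lockouts | Format-Table -AutoSize

# 4625 on each caller: TargetUserName=5, Status=7 (0xC000006A = wrong password,
# 0xC0000234 = already locked), LogonType=10 (3 = network share, 4 = batch/scheduled
# task, 5 = service, 10 = RDP), ProcessName=18, IpAddress=19.
foreach ($caller in ($lockouts.Caller | Where-Object { $_ } | Sort-Object -Unique)) {
    Write-Output "--- failed logons on $caller ---"
    Get-WinEvent -ComputerName $caller -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$Since } |
        Where-Object { $_.Properties[5].Value -eq $Account } |
        Select-Object TimeCreated,
            @{ n='LogonType'; e={ $_.Properties[10].Value } },
            @{ n='Status';    e={ '0x{0:X8}' -f [int64]$_.Properties[7].Value } },
            @{ n='Process';   e={ $_.Properties[18].Value } },
            @{ n='SourceIP';  e={ $_.Properties[19].Value } } |
        Format-Table -AutoSize
}

# 4771 "Kerberos pre-authentication failed" on the DC: TargetUserName=0, Status=4
# (0x18 = bad password), IpAddress=6. Use this when the 4740 caller name is blank.
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName='Security'; Id=4771; StartTime=$Since } |
    Where-Object { $_.Properties[0].Value -eq $Account } |
    Select-Object TimeCreated,
        @{ n='Status';   e={ $_.Properties[4].Value } },
        @{ n='ClientIP'; e={ ($_.Properties[6].Value -replace '^::ffff:', '') } } |
    Format-Table -AutoSize
```

If the 4771 source is a DC itself, the password is coming through another DC (or through NTLM pass-through), so repeat the 4771/4776 search on every domain controller rather than only the PDC emulator; the 4740 is centralised, the failures that caused it are not.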