How to configure Windows Event Forwarding (WEF)?

Introduction. In summary: Windows Event Forwarding allows event logs to be sent, via either a push or a pull mechanism, to one or more centralized Windows Event Collector (WEC) servers. WEF is agent-free and relies on native components built into the operating system. WEF is supported on both workstation and server builds of Windows. WEF

Windows forensic: detecting lateral movement using event logs

To detect lateral movement on Windows infrastructure I recommend collecting the following events. Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/ It's based on events (4648 + 4672 from member servers, 8004 from DCs) plus network traffic (AS/TGS). Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon): => Collect

What if PSRemoting and Unrestricted Execution are disabled?

Remotely enable PSRemoting and unrestricted PowerShell execution using PsExec and PSSession, then run PSRecon.

Option 1 - WMI:
PS C:\> wmic /node:"10.10.10.10" process call create "powershell -noprofile -command Enable-PsRemoting -Force" -Credential Get-Credential

Option 2 - PsExec:
PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"

Next... PS

Windows Forensics: WinRM – who is connected to your computer?

How do you find remote sessions connected to your computer, and who is running a (hidden) remote PowerShell on your machine? Here's a simple one-liner:
Get-WSManInstance -ConnectionURI ('http://{0}:5985/wsman' -f $env:computername) -ResourceURI shell -Enumerate
It will return anyone connecting via port 5985 to your machine. However, if you're not running in a domain environment, you first have to enable non-Kerberos

How to access a Dell ActiveRoles server or use PowerShell behind a firewall?

If you want to target the Dell (Quest) ARS service using PowerShell v2 and you are located behind a firewall: the Web Site Config Wizard not only connects to IIS to create a new IIS site, but also connects to the ARS Admin Service and imports new customization settings. To do that it needs to connect to the remote ARS Admin Service via

PowerShell remoting how-to?

How to use PowerShell remoting? Main reference: About remoting, http://technet.microsoft.com/en-us/library/dd347744.aspx WinRM is the 'server' component and WinRS is the 'client' that can remotely manage a machine with WinRM configured. Differences you should be aware of:
WinRM 1.1 (Vista and Server 2008): port 80 for HTTP and port 443 for HTTPS
WinRM 2.0 (Windows 7