DRIF: computing file hashes recursively in Windows

13 August 2018

current folder: dir | Get-FileHash

current folder and subfolders: dir -Recurse -File | Get-FileHash

exclude *.log files: dir -Recurse -File -Exclude *.log | Get-FileHash

Note: in PowerShell, dir is an alias of Get-ChildItem. -File keeps directories out of the pipeline so that only regular files reach Get-FileHash (depending on the PowerShell version, a directory handed to Get-FileHash is either skipped or reported as an error). Add -Force when hidden and system files must be covered as well, which in a forensic or malware context they usually must.

Note: the default hashing algorithm is SHA256. Windows PowerShell 5.1 accepts any of MD5, SHA1, SHA256 (default), SHA384, SHA512, MACTripleDES and RIPEMD160; PowerShell 6 and later dropped MACTripleDES and RIPEMD160. MD5 and SHA1 are adequate for matching a hash list supplied by a vendor or a threat-intel feed, but for evidencing integrity against an adversary who can craft collisions use SHA256 or stronger:

dir -Recurse -File -Exclude *.log | Get-FileHash -Algorithm SHA512

more details: Get-Help Get-FileHash -Full

current folder and subfolders, without truncating long paths in the output: dir -Recurse -File | Get-FileHash | Format-Table -Wrap
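The one-liners above answer "what is the hash of each file right now"; what an analyst usually needs next is "what changed since I last looked". The script below is an added example, not code from the original post: it writes a recursive hash baseline to CSV and later diffs the tree against it, reporting added, removed and modified files. The function names and the C:\Evidence paths in the usage comment are assumptions of this example.

```powershell
# Added example (not from the original post): recursive hash baseline and diff.
# Function names and the C:\Evidence paths below are assumptions.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselineCsv,
        [string] $Algorithm = 'SHA256'
    )
    # -File keeps directories away from Get-FileHash; -Force includes hidden and
    # system files, which malware likes to hide behind.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm $Algorithm -ErrorAction SilentlyContinue |
        Select-Object Algorithm, Hash, Path |
        Export-Csv -Path $BaselineCsv -NoTypeInformation -Encoding UTF8
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselineCsv
    )
    $rows = @(Import-Csv -Path $BaselineCsv)
    # Reuse the algorithm recorded in the baseline so the two runs are comparable.
    $algorithm = if ($rows.Count -gt 0) { $rows[0].Algorithm } else { 'SHA256' }
    $baseline = @{}
    foreach ($row in $rows) { $baseline[$row.Path] = $row.Hash }

    $current = @{}
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm $algorithm -ErrorAction SilentlyContinue |
        ForEach-Object { $current[$_.Path] = $_.Hash }

    # One object per difference, so the result can be sorted, filtered or exported.
    foreach ($p in $current.Keys) {
        if (-not $baseline.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Added';    Path = $p; Baseline = $null;         Current = $current[$p] }
        } elseif ($baseline[$p] -ne $current[$p]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $p; Baseline = $baseline[$p]; Current = $current[$p] }
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Removed';  Path = $p; Baseline = $baseline[$p]; Current = $null }
        }
    }
}

# Usage (assumed paths):
# New-HashBaseline -Path 'C:\Evidence\image' -BaselineCsv 'C:\Evidence\baseline.csv'
# ... later, after the system under analysis has been used ...
# Compare-HashBaseline -Path 'C:\Evidence\image' -BaselineCsv 'C:\Evidence\baseline.csv' |
#     Sort-Object Change, Path | Format-Table -Wrap
```

Keep the baseline CSV off the examined volume (or hash the CSV itself and record that value elsewhere); a baseline that lives next to the files it describes can be edited by whatever modified those files.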

Writing custom DSC resources with MOF

15 June 2018

DSC and MOF (PowerShell Desired State Configuration)

https://docs.microsoft.com/pl-pl/powershell/dsc/authoringresourcemof

Categories: PowerShell, Windows

Windows Defender Device Guard

10 June 2018

Windows Defender test ground (demo pages for each protection feature): https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground

Windows Defender Exploit Guard: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

Device Guard, virtualization-based security and Windows Defender Application Control: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control

Audit Windows Infrastructure

10 June 2018

The WINspect script provides the following audit checks and enumeration:

  • Checking for installed security products.
  • Checking for DLL hijackability (Authenticated Users security context).
  • Checking for User Account Control settings.
  • Checking for unattended install leftovers.
  • Enumerating world-exposed local filesystem shares.
  • Enumerating domain users and groups with local group membership.
  • Enumerating registry autoruns.
  • Enumerating local services that are configurable by Authenticated Users group members.
  • Enumerating local services whose binary is writable by Authenticated Users group members.
  • Enumerating non-system32 Windows Hosted Services and their associated DLLs.
  • Enumerating local services with the unquoted path vulnerability.
  • Enumerating non-system scheduled tasks.

https://github.com/A-mIn3/WINspect

https://isc.sans.edu/forums/diary/Windows+Auditing+with+WINspect/22810/
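Two of the listed checks are worth understanding at the code level, because they are the classic local privilege escalation routes on Windows: a service binary that a low-privileged principal can overwrite, and an unquoted service path with spaces (Windows resolves C:\Program Files\Vendor\svc.exe by trying C:\Program.exe first, so a writable parent folder becomes SYSTEM code execution). The script below is an added PowerShell re-implementation of those two checks, not WINspect's own code; the list of principals treated as low-privileged, the access-mask bits and the function names are assumptions of this example.

```powershell
# Added example, not WINspect's code: find services with an unquoted binary path
# or a binary writable by low-privileged principals. Principal list, mask bits and
# function names are assumptions of this example.

# Principals that any interactive or domain user effectively belongs to.
$LowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Access-mask bits that let a principal replace or redirect the binary:
# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), DELETE (0x10000),
# WRITE_DAC (0x40000), WRITE_OWNER (0x80000), GENERIC_ALL (0x10000000),
# GENERIC_WRITE (0x40000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)] [string] $PathName)
    # Quoted path: the executable is what sits between the quotes.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: grow the candidate one space-separated token at a time until
    # it names an existing file (this mirrors the order in which Windows tries them).
    $tokens = $PathName -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)] [string] $PathName)
    # Exploitable shape: no surrounding quotes and a space inside the executable's path.
    if ($PathName.StartsWith('"')) { return $false }
    $exe = Get-ServiceBinaryPath -PathName $PathName
    return [bool]($exe -match ' ')
}

function Test-WritableByLowPriv {
    param([Parameter(Mandatory)] [string] $FilePath)
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) { return $false }
    $acl = Get-Acl -LiteralPath $FilePath -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: generic rights show up as high (negative) enum values.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Find-WeakServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }   # some services carry no binary path
        $exe = Get-ServiceBinaryPath -PathName $_.PathName
        [pscustomobject]@{
            Name         = $_.Name
            RunsAs       = $_.StartName
            StartMode    = $_.StartMode
            BinaryPath   = $exe
            UnquotedPath = Test-UnquotedServicePath -PathName $_.PathName
            Writable     = Test-WritableByLowPriv -FilePath $exe
        }
    } | Where-Object { $_.UnquotedPath -or $_.Writable }
}

Find-WeakServices | Format-Table -AutoSize -Wrap
```

The ACL check reports what the ACEs grant to those groups, not what the current user can do, so it can be run from an administrative session during an audit. It deliberately ignores Deny ACEs and inherited-only entries; a finding here is a lead to confirm by hand (for example with icacls), not a verdict.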

Interesting material worth digging into

4 June 2018

Detecting Lateral Movement through Tracking Event Logs (JPCERT/CC)

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

Silencing Windows 10 for Malware Analysis

9 May 2018

Batch commands that quiet the telemetry, update, indexing and OneDrive noise which would otherwise pollute network captures and process logs in an analysis VM. Run them from an elevated cmd.exe on the isolated VM only: they disable Windows Update and several reporting features, so this is not hardening and has no place on a production host.

REM *** stop the telemetry, indexing and update services, then keep them from starting again ***
sc stop DiagTrack
sc stop diagnosticshub.standardcollector.service
sc stop dmwappushservice
sc stop WMPNetworkSvc
sc stop WSearch
sc stop wuauserv

REM "start= disabled" needs the space after "=", that is how sc.exe parses its arguments
sc config DiagTrack start= disabled
sc config diagnosticshub.standardcollector.service start= disabled
sc config dmwappushservice start= disabled
sc config WMPNetworkSvc start= disabled
sc config WSearch start= disabled
sc config wuauserv start= disabled

REM *** disable scheduled tasks that collect or upload data ***
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable

REM *** Office telemetry tasks; absent when Office is not installed, schtasks then reports an error that can be ignored ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable
schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable

REM *** other tasks that phone home or change the system underneath the analyst ***
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable

REM *** Telemetry and Data Collection ***
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f

REM *** per-user: advertising ID, SmartScreen for Store apps, Accept-Language header ***
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f

REM *** Windows Update: no automatic updates, no peer-to-peer Delivery Optimization ***
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
REM no trailing space inside the quotes after AU: reg.exe would create a differently named key that policy never reads
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f

REM *** Explorer: always show file extensions, so double-extension droppers (invoice.pdf.exe) are visible ***
REM the two lines below are left commented out; enable them to also show hidden and system files
REM reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
REM reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f

REM *** remove OneDrive ***
REM on 64-bit Windows the installer lives under SysWOW64, on 32-bit Windows under System32
start /wait "" "%SYSTEMROOT%\SYSWOW64\ONEDRIVESETUP.EXE" /UNINSTALL
rd C:\OneDriveTemp /Q /S >NUL 2>&1
rd "%USERPROFILE%\OneDrive" /Q /S >NUL 2>&1
rd "%LOCALAPPDATA%\Microsoft\OneDrive" /Q /S >NUL 2>&1
rd "%PROGRAMDATA%\Microsoft OneDrive" /Q /S >NUL 2>&1
REM hide the OneDrive entry from the Explorer navigation pane (64-bit and 32-bit shell views)
reg add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /f /v Attributes /t REG_DWORD /d 0 >NUL 2>&1
reg add "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /f /v Attributes /t REG_DWORD /d 0 >NUL 2>&1
REM restart Explorer so the shell changes take effect
start /wait TASKKILL /F /IM explorer.exe
start explorer.exe
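Running the commands above is only half the job: sc.exe and schtasks.exe report failures per line and scroll past, and a service or task can be re-enabled by another component after a reboot. The script below is an added example, not part of the original post: a read-only PowerShell check that every service, scheduled task and (a selection of) registry values ended up in the intended state. Run it in an elevated PowerShell right after the batch commands and again after the next reboot. The lists mirror the commands above; the function name and the choice of registry values to verify are assumptions of this example.

```powershell
# Added example (not from the original post): read-only verification that the
# silencing commands took effect. Function name and the registry subset are assumptions.

$Services = @(
    'DiagTrack', 'diagnosticshub.standardcollector.service', 'dmwappushservice',
    'WMPNetworkSvc', 'WSearch', 'wuauserv'
)

$Tasks = @(
    '\Microsoft\Windows\AppID\SmartScreenSpecific',
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip',
    '\Microsoft\Windows\Autochk\Proxy',
    '\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector',
    '\Microsoft\Windows\WindowsUpdate\Automatic App Update'
)

$RegistryValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name = 'AllowTelemetry'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';   Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener'; Name = 'Start'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'; Name = 'DODownloadMode'; Expected = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Expected = 0 }
)

function Test-SilencedHost {
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not every build ships every service (WMPNetworkSvc, for instance); absent is fine.
            [pscustomobject]@{ Kind = 'Service'; Item = $name; State = 'not installed'; Ok = $true }
            continue
        }
        # StartMode is read through CIM so the check also works where Get-Service
        # has no StartType property.
        $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
        [pscustomobject]@{
            Kind  = 'Service'; Item = $name
            State = "$($svc.Status)/$mode"
            Ok    = ($svc.Status -eq 'Stopped') -and ($mode -eq 'Disabled')
        }
    }

    foreach ($fullName in $Tasks) {
        # Get-ScheduledTask wants the folder (with trailing backslash) and the name separately.
        $taskPath = (Split-Path -Path $fullName -Parent) + '\'
        $taskName = Split-Path -Path $fullName -Leaf
        $task  = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
        $state = if ($task) { [string]$task.State } else { 'not present' }
        [pscustomobject]@{
            Kind = 'Task'; Item = $fullName; State = $state
            Ok   = (-not $task) -or ($task.State -eq 'Disabled')
        }
    }

    foreach ($r in $RegistryValues) {
        $actual = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        $state  = if ($null -eq $actual) { 'missing' } else { [string]$actual }
        [pscustomobject]@{
            Kind  = 'Registry'; Item = "$($r.Path)\$($r.Name)"; State = $state
            Ok    = ($null -ne $actual) -and ($actual -eq $r.Expected)
        }
    }
}

# Only the drift is interesting; an empty result means the VM is as quiet as intended.
Test-SilencedHost | Where-Object { -not $_.Ok } | Format-Table -AutoSize -Wrap
```

Pair this with a packet capture on the VM's isolated network: a host that still talks to Microsoft endpoints after the check passes has a source of noise that is not on the lists above, and that is exactly the traffic you want to identify before attributing it to a sample.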

 

 

Windows security

7 May 2018
https://www.sans.org/reading-room/whitepapers/microsoft/securing-windows-10-giac-enterprise-endpoint-ise-m-6100-security-project-practicum-technical-paper-36592

Events to Monitor

Windows | 10 February 2018

source: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Appendix L: Events to Monitor

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the "Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The "Potential Criticality" column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.

A potential criticality of High means that one occurrence of the event should be investigated. Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of High may occur due to other harmless events.
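The paragraph above gives the operating rule: every High event is investigated on a single occurrence, Medium and Low only when they exceed a measured baseline. The script below is an added example, not part of the Microsoft appendix or of this blog: it encodes the High rows of the table (plus 1102, audit log cleared) as a lookup, queries the local Security log for a time window with Get-WinEvent, lists each High event individually, and reports Medium events only when their count exceeds a per-ID baseline. The baseline numbers are made-up placeholders to be replaced by values measured in your own environment, and the function name is an assumption of this example. Reading the Security log requires an elevated session or membership in Event Log Readers.

```powershell
# Added example (not from the Microsoft appendix or the blog): triage of the
# High-criticality events from the table, plus baseline-aware Medium events.
# $MediumBaseline values are placeholders; the function name is an assumption.

$HighEvents = @{
    4618 = 'A monitored security event pattern has occurred.'
    4649 = 'A replay attack was detected.'
    4719 = 'System audit policy was changed.'
    4765 = 'SID History was added to an account.'
    4766 = 'An attempt to add SID History to an account failed.'
    4794 = 'An attempt was made to set the Directory Services Restore Mode.'
    4897 = 'Role separation enabled.'
    4964 = 'Special groups have been assigned to a new logon.'
    5124 = 'A security setting was updated on the OCSP Responder Service.'
    1102 = 'The audit log was cleared.'
}

# Expected occurrences per window; measure these, the numbers here are placeholders.
$MediumBaseline = @{
    4724 = 5    # password reset attempts
    4735 = 2    # security-enabled local group changed
    4739 = 1    # domain policy changed
}

function Get-CriticalSecurityEvents {
    param(
        [int]    $Hours        = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $ids    = @($HighEvents.Keys) + @($MediumBaseline.Keys)
    # One filtered query instead of reading the whole log; "no events" is not an error here.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $ids; StartTime = $since
    } -ErrorAction SilentlyContinue

    # Every High event is reported on its own.
    foreach ($e in ($events | Where-Object { $HighEvents.ContainsKey($_.Id) })) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Severity = 'High'
            Summary  = $HighEvents[$e.Id]
            Detail   = ($e.Message -split "`r?`n")[0]
        }
    }

    # Medium events only when the count in the window exceeds the baseline.
    $events | Where-Object { $MediumBaseline.ContainsKey($_.Id) } |
        Group-Object -Property Id | ForEach-Object {
            $id = [int]$_.Name
            if ($_.Count -gt $MediumBaseline[$id]) {
                [pscustomobject]@{
                    Time     = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
                    Id       = $id
                    Severity = 'Medium'
                    Summary  = "$($_.Count) occurrences in $Hours h (baseline $($MediumBaseline[$id]))"
                    Detail   = $null
                }
            }
        }
}

Get-CriticalSecurityEvents -Hours 24 | Sort-Object Severity, Time | Format-Table -Wrap
```

Two things the table implies but a script must make explicit: event 1102 is a High-grade signal on its own even though the table grades it Medium to High, because an attacker clearing the log is also destroying the evidence this query depends on; and a host-local query is only a starting point, since the same events forwarded to a collector are what let you notice the domain controller that suddenly stops reporting.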

       
Current Windows Event ID Legacy Windows Event ID Potential Criticality Event Summary
4618 N/A High A monitored security event pattern has occurred.
4649 N/A High A replay attack was detected. May be a harmless false positive due to misconfiguration error.
4719 612 High System audit policy was changed.
4765 N/A High SID History was added to an account.
4766 N/A High An attempt to add SID History to an account failed.
4794 N/A High An attempt was made to set the Directory Services Restore Mode.
4897 801 High Role separation enabled:
4964 N/A High Special groups have been assigned to a new logon.
5124 N/A High A security setting was updated on the OCSP Responder Service
N/A 550 Medium to High Possible denial-of-service (DoS) attack
1102 517 Medium to High The audit log was cleared
4621 N/A Medium Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
4675 N/A Medium SIDs were filtered.
4692 N/A Medium Backup of data protection master key was attempted.
4693 N/A Medium Recovery of data protection master key was attempted.
4706 610 Medium A new trust was created to a domain.
4713 617 Medium Kerberos policy was changed.
4714 618 Medium Encrypted data recovery policy was changed.
4715 N/A Medium The audit policy (SACL) on an object was changed.
4716 620 Medium Trusted domain information was modified.
4724 628 Medium An attempt was made to reset an account's password.
4727 631 Medium A security-enabled global group was created.
4735 639 Medium A security-enabled local group was changed.
4737 641 Medium A security-enabled global group was changed.
4739 643 Medium Domain Policy was changed.
4754 658 Medium A security-enabled universal group was created.
4755 659 Medium A security-enabled universal group was changed.
4764 667 Medium A security-disabled group was deleted
4764 668 Medium A group's type was changed.
4780 684 Medium The ACL was set on accounts which are members of administrators groups.
4816 N/A Medium RPC detected an integrity violation while decrypting an incoming message.
4865 N/A Medium A trusted forest information entry was added.
4866 N/A Medium A trusted forest information entry was removed.
4867 N/A Medium A trusted forest information entry was modified.
4868 772 Medium The certificate manager denied a pending certificate request.
4870 774 Medium Certificate Services revoked a certificate.
4882 786 Medium The security permissions for Certificate Services changed.
4885 789 Medium The audit filter for Certificate Services changed.
4890 794 Medium The certificate manager settings for Certificate Services changed.
4892 796 Medium A property of Certificate Services changed.
4896 800 Medium One or more rows have been deleted from the certificate database.
4906 N/A Medium The CrashOnAuditFail value has changed.
4907 N/A Medium Auditing settings on object were changed.
4908 N/A Medium Special Groups Logon table modified.
4912 807 Medium Per User Audit Policy was changed.
4960 N/A Medium IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
4961 N/A Medium IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
4962 N/A Medium IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
4963 N/A Medium IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
4965 N/A Medium IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
4976 N/A Medium During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4977 N/A Medium During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4978 N/A Medium During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4983 N/A Medium An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
4984 N/A Medium An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
5027 N/A Medium The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028 N/A Medium The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029 N/A Medium The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030 N/A Medium The Windows Firewall Service failed to start.
5035 N/A Medium The Windows Firewall Driver failed to start.
5037 N/A Medium The Windows Firewall Driver detected critical runtime error. Terminating.
5038 N/A Medium Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
5120 N/A Medium OCSP Responder Service Started
5121 N/A Medium OCSP Responder Service Stopped
5122 N/A Medium A configuration entry changed in OCSP Responder Service
5123 N/A Medium A configuration entry changed in OCSP Responder Service
5376 N/A Medium Credential Manager credentials were backed up.
5377 N/A Medium Credential Manager credentials were restored from a backup.
5453 N/A Medium An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
5480 N/A Medium IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
5483 N/A Medium IPsec Services failed to initialize RPC server. IPsec Services could not be started.
5484 N/A Medium IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
5485 N/A Medium IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
6145 N/A Medium One or more errors occurred while processing security policy in the Group Policy objects.
6273 N/A Medium Network Policy Server denied access to a user.
6274 N/A Medium Network Policy Server discarded the request for a user.
6275 N/A Medium Network Policy Server discarded the accounting request for a user.
6276 N/A Medium Network Policy Server quarantined a user.
6277 N/A Medium Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
6278 N/A Medium Network Policy Server granted full access to a user because the host met the defined health policy.
6279 N/A Medium Network Policy Server locked the user account due to repeated failed authentication attempts.
6280 N/A Medium Network Policy Server unlocked the user account.
- 640 Medium General account database changed
- 619 Medium Quality of Service Policy changed
24586 N/A Medium An error was encountered converting volume
24592 N/A Medium An attempt to automatically restart conversion on volume %2 failed.
24593 N/A Medium Metadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume
24594 N/A Medium Metadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume.
4608 512 Low Windows is starting up.
4609 513 Low Windows is shutting down.
4610 514 Low An authentication package has been loaded by the Local Security Authority.
4611 515 Low A trusted logon process has been registered with the Local Security Authority.
4612 516 Low Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
4614 518 Low A notification package has been loaded by the Security Account Manager.
4615 519 Low Invalid use of LPC port.
4616 520 Low The system time was changed.
4622 N/A Low A security package has been loaded by the Local Security Authority.
4624 528,540 Low An account was successfully logged on.
4625 529-537,539 Low An account failed to log on.
4634 538 Low An account was logged off.
4646 N/A Low IKE DoS-prevention mode started.
4647 551 Low User initiated logoff.
4648 552 Low A logon was attempted using explicit credentials.
4650 N/A Low An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
4651 N/A Low An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
4652 N/A Low An IPsec Main Mode negotiation failed.
4653 N/A Low An IPsec Main Mode negotiation failed.
4654 N/A Low An IPsec Quick Mode negotiation failed.
4655 N/A Low An IPsec Main Mode security association ended.
4656 560 Low A handle to an object was requested.
4657 567 Low A registry value was modified.
4658 562 Low The handle to an object was closed.
4659 N/A Low A handle to an object was requested with intent to delete.
4660 564 Low An object was deleted.
4661 565 Low A handle to an object was requested.
4662 566 Low An operation was performed on an object.
4663 567 Low An attempt was made to access an object.
4664 N/A Low An attempt was made to create a hard link.
4665 N/A Low An attempt was made to create an application client context.
4666 N/A Low An application attempted an operation:
4667 N/A Low An application client context was deleted.
4668 N/A Low An application was initialized.
4670 N/A Low Permissions on an object were changed.
4671 N/A Low An application attempted to access a blocked ordinal through the TBS.
4672 576 Low Special privileges assigned to new logon.
4673 577 Low A privileged service was called.
4674 578 Low An operation was attempted on a privileged object.
4688 592 Low A new process has been created.
4689 593 Low A process has exited.
4690 594 Low An attempt was made to duplicate a handle to an object.
4691 595 Low Indirect access to an object was requested.
4694 N/A Low Protection of auditable protected data was attempted.
4695 N/A Low Unprotection of auditable protected data was attempted.
4696 600 Low A primary token was assigned to process.
4697 601 Low Attempt to install a service
4698 602 Low A scheduled task was created.
4699 602 Low A scheduled task was deleted.
4700 602 Low A scheduled task was enabled.
4701 602 Low A scheduled task was disabled.
4702 602 Low A scheduled task was updated.
4704 608 Low A user right was assigned.
4705 609 Low A user right was removed.
4707 611 Low A trust to a domain was removed.
4709 N/A Low IPsec Services was started.
4710 N/A Low IPsec Services was disabled.
4711 N/A Low May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.
4712 N/A Low IPsec Services encountered a potentially serious failure.
4717 621 Low System security access was granted to an account.
4718 622 Low System security access was removed from an account.
4720 624 Low A user account was created.
4722 626 Low A user account was enabled.
4723 627 Low An attempt was made to change an account's password.
4725 629 Low A user account was disabled.
4726 630 Low A user account was deleted.
4728 632 Low A member was added to a security-enabled global group.
4729 633 Low A member was removed from a security-enabled global group.
4730 634 Low A security-enabled global group was deleted.
4731 635 Low A security-enabled local group was created.
4732 636 Low A member was added to a security-enabled local group.
4733 637 Low A member was removed from a security-enabled local group.
4734 638 Low A security-enabled local group was deleted.
4738 642 Low A user account was changed.
4740 644 Low A user account was locked out.
4741 645 Low A computer account was changed.
4742 646 Low A computer account was changed.
4743 647 Low A computer account was deleted.
4744 648 Low A security-disabled local group was created.
4745 649 Low A security-disabled local group was changed.
4746 650 Low A member was added to a security-disabled local group.
4747 651 Low A member was removed from a security-disabled local group.
4748 652 Low A security-disabled local group was deleted.
4749 653 Low A security-disabled global group was created.
4750 654 Low A security-disabled global group was changed.
4751 655 Low A member was added to a security-disabled global group.
4752 656 Low A member was removed from a security-disabled global group.
4753 657 Low A security-disabled global group was deleted.
4756 660 Low A member was added to a security-enabled universal group.
4757 661 Low A member was removed from a security-enabled universal group.
4758 662 Low A security-enabled universal group was deleted.
4759 663 Low A security-disabled universal group was created.
4760 664 Low A security-disabled universal group was changed.
4761 665 Low A member was added to a security-disabled universal group.
4762 666 Low A member was removed from a security-disabled universal group.
4767 671 Low A user account was unlocked.
4768 672,676 Low A Kerberos authentication ticket (TGT) was requested.
4769 673 Low A Kerberos service ticket was requested.
4770 674 Low A Kerberos service ticket was renewed.
4771 675 Low Kerberos pre-authentication failed.
4772 672 Low A Kerberos authentication ticket request failed.
4774 678 Low An account was mapped for logon.
4775 679 Low An account could not be mapped for logon.
4776 680,681 Low The domain controller attempted to validate the credentials for an account.
4777 N/A Low The domain controller failed to validate the credentials for an account.
4778 682 Low A session was reconnected to a Window Station.
4779 683 Low A session was disconnected from a Window Station.
4781 685 Low The name of an account was changed:
4782 N/A Low The password hash an account was accessed.
4783 667 Low A basic application group was created.
4784 N/A Low A basic application group was changed.
4785 689 Low A member was added to a basic application group.
4786 690 Low A member was removed from a basic application group.
4787 691 Low A nonmember was added to a basic application group.
4788 692 Low A nonmember was removed from a basic application group.
4789 693 Low A basic application group was deleted.
4790 694 Low An LDAP query group was created.
4793 N/A Low The Password Policy Checking API was called.
4800 N/A Low The workstation was locked.
4801 N/A Low The workstation was unlocked.
4802 N/A Low The screen saver was invoked.
4803 N/A Low The screen saver was dismissed.
4864 N/A Low A namespace collision was detected.
4869 773 Low Certificate Services received a resubmitted certificate request.
4871 775 Low Certificate Services received a request to publish the certificate revocation list (CRL).
4872 776 Low Certificate Services published the certificate revocation list (CRL).
4873 777 Low A certificate request extension changed.
4874 778 Low One or more certificate request attributes changed.
4875 779 Low Certificate Services received a request to shut down.
4876 780 Low Certificate Services backup started.
4877 781 Low Certificate Services backup completed.
4878 782 Low Certificate Services restore started.
4879 783 Low Certificate Services restore completed.
4880 784 Low Certificate Services started.
4881 785 Low Certificate Services stopped.
4883 787 Low Certificate Services retrieved an archived key.
4884 788 Low Certificate Services imported a certificate into its database.
4886 790 Low Certificate Services received a certificate request.
4887 791 Low Certificate Services approved a certificate request and issued a certificate.
4888 792 Low Certificate Services denied a certificate request.
4889 793 Low Certificate Services set the status of a certificate request to pending.
4891 795 Low A configuration entry changed in Certificate Services.
4893 797 Low Certificate Services archived a key.
4894 798 Low Certificate Services imported and archived a key.
4895 799 Low Certificate Services published the CA certificate to Active Directory Domain Services.
4898 802 Low Certificate Services loaded a template.
4902 N/A Low The Per-user audit policy table was created.
4904 N/A Low An attempt was made to register a security event source.
4905 N/A Low An attempt was made to unregister a security event source.
4909 N/A Low The local policy settings for the TBS were changed.
4910 N/A Low The Group Policy settings for the TBS were changed.
4928 N/A Low An Active Directory replica source naming context was established.
4929 N/A Low An Active Directory replica source naming context was removed.
4930 N/A Low An Active Directory replica source naming context was modified.
4931 N/A Low An Active Directory replica destination naming context was modified.
4932 N/A Low Synchronization of a replica of an Active Directory naming context has begun.
4933 N/A Low Synchronization of a replica of an Active Directory naming context has ended.
4934 N/A Low Attributes of an Active Directory object were replicated.
4935 N/A Low Replication failure begins.
4936 N/A Low Replication failure ends.
4937 N/A Low A lingering object was removed from a replica.
4944 N/A Low The following policy was active when the Windows Firewall started.
4945 N/A Low A rule was listed when the Windows Firewall started.
4946 N/A Low A change has been made to Windows Firewall exception list. A rule was added.
4947 N/A Low A change has been made to Windows Firewall exception list. A rule was modified.
4948 N/A Low A change has been made to Windows Firewall exception list. A rule was deleted.
4949 N/A Low Windows Firewall settings were restored to the default values.
4950 N/A Low A Windows Firewall setting has changed.
4951 N/A Low A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952 N/A Low Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953 N/A Low A rule has been ignored by Windows Firewall because it could not parse the rule.
4954 N/A Low Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956 N/A Low Windows Firewall has changed the active profile.
4957 N/A Low Windows Firewall did not apply the following rule:
4958 N/A Low Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
4979 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4980 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4981 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4982 N/A Low IPsec Main Mode and Extended Mode security associations were established.
4985 N/A Low The state of a transaction has changed.
5024 N/A Low The Windows Firewall Service has started successfully.
5025 N/A Low The Windows Firewall Service has been stopped.
5031 N/A Low The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5032 N/A Low Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033 N/A Low The Windows Firewall Driver has started successfully.
5034 N/A Low The Windows Firewall Driver has been stopped.
5039 N/A Low A registry key was virtualized.
5040 N/A Low A change has been made to IPsec settings. An Authentication Set was added.
5041 N/A Low A change has been made to IPsec settings. An Authentication Set was modified.
5042 N/A Low A change has been made to IPsec settings. An Authentication Set was deleted.
5043 N/A Low A change has been made to IPsec settings. A Connection Security Rule was added.
5044 N/A Low A change has been made to IPsec settings. A Connection Security Rule was modified.
5045 N/A Low A change has been made to IPsec settings. A Connection Security Rule was deleted.
5046 N/A Low A change has been made to IPsec settings. A Crypto Set was added.
5047 N/A Low A change has been made to IPsec settings. A Crypto Set was modified.
5048 N/A Low A change has been made to IPsec settings. A Crypto Set was deleted.
5050 N/A Low An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False)
5051 N/A Low A file was virtualized.
5056 N/A Low A cryptographic self test was performed.
5057 N/A Low A cryptographic primitive operation failed.
5058 N/A Low Key file operation.
5059 N/A Low Key migration operation.
5060 N/A Low Verification operation failed.
5061 N/A Low Cryptographic operation.
5062 N/A Low A kernel-mode cryptographic self test was performed.
5063 N/A Low A cryptographic provider operation was attempted.
5064 N/A Low A cryptographic context operation was attempted.
5065 N/A Low A cryptographic context modification was attempted.
5066 N/A Low A cryptographic function operation was attempted.
5067 N/A Low A cryptographic function modification was attempted.
5068 N/A Low A cryptographic function provider operation was attempted.
5069 N/A Low A cryptographic function property operation was attempted.
5070 N/A Low A cryptographic function property modification was attempted.
5125 N/A Low A request was submitted to the OCSP Responder Service
5126 N/A Low Signing Certificate was automatically updated by the OCSP Responder Service
5127 N/A Low The OCSP Revocation Provider successfully updated the revocation information
5136 566 Low A directory service object was modified.
5137 566 Low A directory service object was created.
5138 N/A Low A directory service object was undeleted.
5139 N/A Low A directory service object was moved.
5140 N/A Low A network share object was accessed.
5141 N/A Low A directory service object was deleted.
5152 N/A Low The Windows Filtering Platform blocked a packet.
5153 N/A Low A more restrictive Windows Filtering Platform filter has blocked a packet.
5154 N/A Low The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 N/A Low The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 N/A Low The Windows Filtering Platform has allowed a connection.
5157 N/A Low The Windows Filtering Platform has blocked a connection.
5158 N/A Low The Windows Filtering Platform has permitted a bind to a local port.
5159 N/A Low The Windows Filtering Platform has blocked a bind to a local port.
5378 N/A Low The requested credentials delegation was disallowed by policy.
5440 N/A Low The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441 N/A Low The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442 N/A Low The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443 N/A Low The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444 N/A Low The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started.
5446 N/A Low A Windows Filtering Platform callout has been changed.
5447 N/A Low A Windows Filtering Platform filter has been changed.
5448 N/A Low A Windows Filtering Platform provider has been changed.
5449 N/A Low A Windows Filtering Platform provider context has been changed.
5450 N/A Low A Windows Filtering Platform sublayer has been changed.
5451 N/A Low An IPsec Quick Mode security association was established.
5452 N/A Low An IPsec Quick Mode security association ended.
5456 N/A Low PAStore Engine applied Active Directory storage IPsec policy on the computer.
5457 N/A Low PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
5458 N/A Low PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
5459 N/A Low PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
5460 N/A Low PAStore Engine applied local registry storage IPsec policy on the computer.
5461 N/A Low PAStore Engine failed to apply local registry storage IPsec policy on the computer.
5462 N/A Low PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
5463 N/A Low PAStore Engine polled for changes to the active IPsec policy and detected no changes.
5464 N/A Low PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
5465 N/A Low PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
5466 N/A Low PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
5467 N/A Low PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
5468 N/A Low PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
5471 N/A Low PAStore Engine loaded local storage IPsec policy on the computer.
5472 N/A Low PAStore Engine failed to load local storage IPsec policy on the computer.
5473 N/A Low PAStore Engine loaded directory storage IPsec policy on the computer.
5474 N/A Low PAStore Engine failed to load directory storage IPsec policy on the computer.
5477 N/A Low PAStore Engine failed to add quick mode filter.
5479 N/A Low IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
5632 N/A Low A request was made to authenticate to a wireless network.
5633 N/A Low A request was made to authenticate to a wired network.
5712 N/A Low A Remote Procedure Call (RPC) was attempted.
5888 N/A Low An object in the COM+ Catalog was modified.
5889 N/A Low An object was deleted from the COM+ Catalog.
5890 N/A Low An object was added to the COM+ Catalog.
6008 N/A Low The previous system shutdown was unexpected
6144 N/A Low Security policy in the Group Policy objects has been applied successfully.
6272 N/A Low Network Policy Server granted access to a user.
N/A 561 Low A handle to an object was requested.
N/A 563 Low Object open for delete
N/A 625 Low User Account Type Changed
N/A 613 Low IPsec policy agent started
N/A 614 Low IPsec policy agent disabled
N/A 615 Low IPsec policy agent
N/A 616 Low IPsec policy agent encountered a potential serious failure
24577 N/A Low Encryption of volume started
24578 N/A Low Encryption of volume stopped
24579 N/A Low Encryption of volume completed
24580 N/A Low Decryption of volume started
24581 N/A Low Decryption of volume stopped
24582 N/A Low Decryption of volume completed
24583 N/A Low Conversion worker thread for volume started
24584 N/A Low Conversion worker thread for volume temporarily stopped
24588 N/A Low The conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume
24595 N/A Low Volume %2 contains bad clusters. These clusters will be skipped during conversion.
24621 N/A Low Initial state check: Rolling volume conversion transaction on %2.
5049 N/A Low An IPsec Security Association was deleted.
5478 N/A Low IPsec Services has started successfully.

Note

Refer to Microsoft Support article 947226 for lists of many security event IDs and their meanings.

Run wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true to get a very detailed listing of all security event IDs

For more information about Windows security event IDs and their meanings, see the Microsoft Support articles Description of security events in Windows Vista and in Windows Server 2008 and Description of security events in Windows 7 and in Windows Server 2008 R2. You can also download Security Audit Events for Windows 7 and Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security Event Details, which provide detailed event information for the referenced operating systems in spreadsheet format.

Sysmon - DFIR

source https://github.com/MHaggis/sysmon-dfir | 10 February 2018

Sysmon - DFIR

A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.

Sysmon Learning Resources

General

Sysmon Configuration

@SwiftOnSecurity config

Recommended.

Config will assist with bringing you up to speed in relation to critical process monitoring, network utilization, and so on. Note that the concept is to not log everything, but the most important items.

https://github.com/SwiftOnSecurity/sysmon-config

Sysmon_config.xml

Solid, detailed config. Probably one of the best ones out there in relation to completeness.

MalwareArchaeology

Sysmon-a.cfg

Basic config that will monitor critical Windows process execution. Very basic, but a good config to get used to sysmon and how things operate.

Blog post by blacklanternsecurity

Sysmon-b.cfg

Crypsis Group published config and PDF. Fairly detailed list of excludes that should assist with understanding how they work and get a configuration started.

Crypsis Group Config

Crypsis Group PDF

Sysmon-c.cfg

Great configuration to understand excludes and contains.

Decent Security Config

Sysmon-d.cfg

Solid blog post related to getting started with Sysmon. Config is nicely laid out and easy to understand.

909Research Blog

Sysmon-e.cfg

Config is specific but it provides a good foundation for capturing a lot of specific data.

https://github.com/Prevenity/sysmon

(Comments translated to English)

StartLogging.xml

Provided by https://github.com/VVard0g - Roberto Rodriguez

https://gist.github.com/VVard0g/136481552d8845e52962534d1a4b8664

Sysmoncfg_v2|31.xml

Related material from Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.

Splunking the Endpoint - Files from presentation

Configs are optimized for Splunk.

Additional configs

Configs are updated frequently:

SwiftOnSecurity Fork by Ion-Storm

Server Config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409

Client config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5

MSSQL LDAP ADSI provider

13 December 2017
-- Lookup table that maps the common userAccountControl values returned by the
-- ADSI provider (LDAP attribute userAccountControl) to a readable description.
-- The attribute is an integer bit mask, so the values are inserted as INT
-- literals rather than strings.
CREATE TABLE #UserAccountControl
    (
      UserAccountControlValue INT PRIMARY KEY
    , UserAccountControlDescription VARCHAR(1000)
    );

INSERT  #UserAccountControl
        ( UserAccountControlValue, UserAccountControlDescription )
VALUES  ( 512, 'Enabled Account' ),
        ( 514, 'Disabled Account' ),
        ( 544, 'Enabled, Password Not REQUIRED' ),
        ( 546, 'Disabled, Password Not REQUIRED' ),
        ( 66048, 'Enabled, Password Doesn''t Expire' ),
        ( 66050, 'Disabled, Password Doesn''t Expire' ),
        ( 66080, 'Enabled, Password Doesn''t Expire & Not Required' ),
        ( 66082, 'Disabled, Password Doesn''t Expire & Not Required' ),
        ( 262656, 'Enabled, Smartcard REQUIRED' ),
        ( 262658, 'Disabled, Smartcard Required' ),
        ( 262688, 'Enabled, Smartcard Required, Password Not REQUIRED' ),
        ( 262690, 'Disabled, Smartcard Required, Password Not Required' ),
        ( 328192, 'Enabled, Smartcard Required, Password Doesn''t Expire' ),
        ( 328194, 'Disabled, Smartcard Required, Password Doesn''t Expire' ),
        ( 328224,
          'Enabled, Smartcard Required, Password Doesn''t Expire & Not Required' ),
        ( 328226,
          'Disabled, Smartcard Required, Password Doesn''t Expire & Not Required' );
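The same decoding done with the attribute's bit flags instead of a fixed lookup table, as an added PowerShell example (not from the original post): it generalizes the table above to any userAccountControl value and runs the equivalent LDAP query with [adsisearcher] instead of an ADSI linked server. The search base 'LDAP://DC=example,DC=local' is a placeholder.

```powershell
# Added example, not from the original post. Decodes userAccountControl with the
# attribute's documented bit flags instead of the fixed lookup table, so every
# combination is covered (the table lists only 16), and runs the equivalent LDAP
# query from PowerShell instead of an ADSI linked server.

# Flag values as documented for the userAccountControl attribute.
$script:UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x00002
    PASSWD_NOTREQD       = 0x00020
    NORMAL_ACCOUNT       = 0x00200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

function ConvertFrom-UserAccountControl {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][int]$Value)
    process {
        $set = @(foreach ($name in $script:UacFlags.Keys) {
            if ($Value -band $script:UacFlags[$name]) { $name }
        })
        # Same wording as the SQL table: account state first, then the risky bits.
        $desc = if ($set -contains 'ACCOUNTDISABLE') { 'Disabled' } else { 'Enabled' }
        if ($set -contains 'SMARTCARD_REQUIRED')   { $desc += ', Smartcard Required' }
        if ($set -contains 'DONT_EXPIRE_PASSWORD') { $desc += ", Password Doesn't Expire" }
        if ($set -contains 'PASSWD_NOTREQD')       { $desc += ', Password Not Required' }
        # Bits outside the five flags above (e.g. TRUSTED_FOR_DELEGATION) are
        # reported raw so nothing is silently dropped.
        $known = 0
        foreach ($v in $script:UacFlags.Values) { $known = $known -bor $v }
        [pscustomobject]@{
            Value       = $Value
            Flags       = ($set -join ' | ')
            Description = $desc
            OtherBits   = '0x{0:X}' -f ($Value -band -bnot $known)
        }
    }
}

function Get-AccountControlFromAd {
    # LDAP side of the "ADSI provider" idea, done with DirectorySearcher.
    # $SearchBase is a placeholder; omit it to search the current domain.
    [CmdletBinding()]
    param(
        [string]$SearchBase,
        [string]$Filter = '(&(objectCategory=person)(objectClass=user))'
    )
    $searcher = if ($SearchBase) { [adsisearcher]::new([adsi]$SearchBase, $Filter) }
                else             { [adsisearcher]$Filter }
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        $decoded = ConvertFrom-UserAccountControl -Value ([int]$r.Properties['useraccountcontrol'][0])
        $decoded | Add-Member -NotePropertyName SamAccountName `
                              -NotePropertyValue ([string]$r.Properties['samaccountname'][0]) -PassThru
    }
}

# Constructed sample values taken from the lookup table, plus one with an extra bit.
512, 546, 66082, 328226, (512 -bor 0x80000) | ConvertFrom-UserAccountControl | Format-Table -AutoSize
# Against a domain (placeholder search base), listing only the accounts an auditor cares about:
# Get-AccountControlFromAd -SearchBase 'LDAP://DC=example,DC=local' |
#     Where-Object { $_.Flags -match 'PASSWD_NOTREQD|DONT_EXPIRE' } | Format-Table -AutoSize
```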
Categories Windows

The Software Update Checker

find vulnerable software | 9 June 2017
  • FileHippo AppManager

  • Secunia Personal Software Inspector (PSI)

  • Software Update Monitor (SUMo)

Command Line Kung Fu

14 March 2017

source: http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html

Auditing

The Advantage of "sort" to View Passwords
Avoiding LANMAN False Positives
"chage" to Get/Set Password Security Parameters
Change a User's Password to Blank
Find Accounts With Superuser Privileges
Finding Duplicate User IDs
Finding Null Passwords
Lock Out Users Remotely While Preserving Session
Lock Screen With "tsdiscon"
"net use" and The Blank Passwords
Show Account Security Settings
Show Domain-Wide Settings For Accounts
Suspicious Password Entries
Why "wmic" Remote Lock Fails?
"wmic" to Display Users' SID
Workaround to View Windows Password Hashes


Forensics

Better "find" with touch
Determine where a USB device was plugged into
Display File Creation Time
Listing Files by Inode as a Proxy for Creation Time
Remotely Pull USB info
Show USB vendor/serial number 
USB History
Watch File Count in a Directory

Network Troubleshooting

Hack to Pull Out a Specific Protocol From "netstat" Output (Linux)
Kill Process by TCP/UDP port number
Learn About Network Traffic
"netstat" vs "lsof"
Protocol Stats
"watch" vs "netstat -c" 

Penetration Testing

The Broadcast Ping
Command-Line Ping Sweeper
Detecting when a scan reaches a given target
Firewall Chains
Look at Firewall Configs
Reverse DNS Records
See the Number of Times a Firewall Rule Was Triggered
Show Ports Allowed Through Firewall
Show Programs Allowed Through Firewall
Speed Up Ping


System Administration


Aborting a System Shutdown
Browsing the Registry with Powershell  
Careful with iptables "INPUT"
Converting Unix timestamps to human-readable form 
Disable The Guest Account 
Dropping Firewall Dead
Execute a Command En Mass
"find ...| xargs ..." vs "find ... -exec ..."
"findstr /m" to Print Only File Name
Find Files That Only Contain Printable ASCII With "findstr /p" (But be Aware)
Finding Names of Files Matching a String
Having Fun with Firewall
The Importance of Putting Your System's Hostname
IPTables or The Simplified Firewall Configuration
Linking Files
Listing Files and Their Sizes
Listing the largest 100 files
Poke Holes Through The Firewall
Reboot in [N] Seconds
Remote Command Execution
Simplify Your Life With "ufw"
SSH: Using "user@host" vs "-l" 
Symlink to an Entire Directory
What is hogging up the space?
WScript to Create Link For Files and Folders

Text Manipulation

Backup Before You Change With "sed"
Build Your Own "uniq" Command on Windows
Convert Multiple-Line Output into a Single Line Using "tr"
Convert Text Formats - Dos to Unix
Extra Little File to Help
"for" loops to parse text
Have "sed" Use Extended Regular Expressions
Replacing Strings in Multiple Files
Replacing Text Powershell Way
The Single Quote, The Double Quote, and The "FOR" Loop
When "sed" is better than "awk"

 

Analysis of Windows Active Directory

11 November 2016
https://gallery.technet.microsoft.com/Active-Directory-Audit-7754a877#!

CIS on Windows 7

2 November 2016

Security Configuration Benchmark for Microsoft Windows 7, Version 1.1.0, July 30th 2010

https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.1.0.pdf

ABW on Windows

18 September 2016

Secure Coding Guidelines

13 March 2016

IIS - URLScan - protect IIS

13 March 2016
Categories Tools, Windows

Windows GPO, local and domain, for Office 2013

8 March 2016

Administrative templates:

32-bit (11.2 MB): https://download.microsoft.com/download/5/8/C/58CA3974-1640-4CFC-A991-3904B3B8939C/admintemplates_32bit.exe
64-bit (11.4 MB): https://download.microsoft.com/download/5/8/C/58CA3974-1640-4CFC-A991-3904B3B8939C/admintemplates_64bit.exe

Extract the archive and locate the .admx and .adml files.

local station:

  • .admx  move to C:\Windows\PolicyDefinitions
  • .adml move to C:\Windows\PolicyDefinitions\en-US

domain controller:

  • .admx  move to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
  • .adml move to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US

Run gpedit.msc

MOST important settings

GPO path, setting and value (the sub-option selected for an Enabled setting is given in brackets):

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Automation Security: Enabled (Set the Automation Security Level: Use application macro security level)

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center
  • Allow mix of policy and user locations: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Outlook 2013\Security\Trust Center
  • Apply macro security settings to macros, add-ins and additional actions: Enabled
  • Security setting for macros: Enabled (Security Level: Never warn, disable all)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Trust Access to Visual Basic Project: Disabled
  • VBA Macro Notification Settings: Enabled (Disable all without notification)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

 

Medium important settings

GPO path, setting and value (the sub-option selected for an Enabled setting is given in brackets):

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center
  • Turn off trusted documents: Enabled
  • Turn off Trusted Documents on the network: Enabled
  • Disable all application add-ins: Enabled
  • Disable Trust Bar Notification for unsigned application add-ins and block them: Not configured
  • Require that application add-ins are signed by Trusted Publisher: Not configured

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Trusted Locations
  • Allow Trusted Locations on the network: Disabled
  • Disable all trusted locations: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center
  • Allow mix of policy and user locations: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings
  • Disable All ActiveX: Enabled
  • Turn off error reporting for files that fail file validation: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security
  • Turn off file validation: Disabled
  • Force file extension to match file type: Enabled (Always match file type)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security
  • Turn off file validation: Disabled
  • Force file extension to match file type: Enabled (Always match file type)
  • Make hidden markup visible: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security
  • Turn off file validation: Disabled
  • Force file extension to match file type: Enabled (Always match file type)
  • Make hidden markup visible: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\Protected View
  • Do not open files from the Internet Zone in Protected View: Disabled
  • Do not open files in unsafe locations in Protected View: Disabled
  • Set document behaviour if file validation fails: Enabled (Block files completely)
  • Turn off Protected View for attachments opened from Outlook: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2013\Excel Options\Security\Trust Center\File Block Settings
  • Set default file block behavior: Enabled (Blocked files are not opened)
  • Each of the following file types: Enabled (File block setting: Block)
      dBase III / IV files; Dif and Sylk files; Excel 2 macrosheets and add-in files; Excel 2 worksheets;
      Excel 2007 and later add-in files; Excel 2007 and later binary workbooks;
      Excel 2007 and later macro-enabled workbooks and templates; Excel 3 macrosheets and add-in files;
      Excel 3 worksheets; Excel 4 macrosheets and add-in files; Excel 4 workbooks; Excel 4 worksheets;
      Excel 95 workbooks; Excel 95-97 workbooks and templates; Excel 97-2003 add-in files;
      Excel 97-2003 workbooks and templates

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2013\PowerPoint Options\Security\Trust Center\File Block Settings
  • Set default file block behavior: Enabled (Blocked files are not opened)
  • PowerPoint 97-2003 presentations, shows, templates and add-in files: Enabled (File block setting: Block)
  • PowerPoint beta files: Enabled (File block setting: Block)

User Configuration\Policies\Administrative Templates\Microsoft Word 2013\Word Options\Security\Trust Center\File Block Settings
  • Set default file block behavior: Enabled (Blocked files are not opened)
  • Each of the following file types: Enabled (File block setting: Block)
      Word 2 and earlier binary documents and templates; Word 2000 binary documents and templates;
      Word 2003 binary documents and templates; Word 2007 binary and later binary documents and templates;
      Word 6.0 binary documents and templates; Word 95 binary documents and templates;
      Word 97 binary documents and templates; Word XP binary documents and templates

 

LESS important settings

 

GPO path, setting and value:

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Privacy\Trust Center
  • Allow including screenshot with Office Feedback: Disabled
  • Automatically receive small updates to improve reliability: Disabled
  • Disable Opt-in Wizard on first run: Enabled
  • Enable Customer Experience Improvement Program: Disabled
  • Send Office Feedback: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Office 2013\Security Settings\Trust Center\Trusted Catalogs
  • Allow Unsecure Apps and Catalogs: Disabled
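A way to verify on a workstation that the macro settings from the MOST important table actually arrived, as an added PowerShell example (not from the original post): it reads the registry values that those Office 2013 (version 15.0) user policies write under HKCU\Software\Policies. Value names and encodings are the ones defined by the Office 2013 administrative templates.

```powershell
# Added example, not from the original post. Audits the registry values that the
# macro policies from the "MOST important" table write for Excel, PowerPoint and
# Word 2013 (Office version 15.0) under HKCU\Software\Policies, so a workstation
# can be checked after gpupdate without opening gpedit. Value names and encodings
# are the ones defined by the Office 2013 administrative templates.
function Test-Office2013MacroPolicy {
    [CmdletBinding()]
    param([string[]]$Apps = @('Excel', 'PowerPoint', 'Word'))

    # Policy name from the table -> registry location and the value it should hold.
    $expected = @(
        @{ Policy = 'Trust Access to Visual Basic Project = Disabled';
           Sub = 'Security';                   Name = 'AccessVBOM';            Want = 0 }
        @{ Policy = 'VBA Macro Notification Settings = Disable all without notification';
           Sub = 'Security';                   Name = 'VBAWarnings';           Want = 4 }
        @{ Policy = 'Allow Trusted Locations on the network = Disabled';
           Sub = 'Security\Trusted Locations'; Name = 'AllowNetworkLocations'; Want = 0 }
        @{ Policy = 'Disable all trusted locations = Enabled';
           Sub = 'Security\Trusted Locations'; Name = 'AllLocationsDisabled';  Want = 1 }
    )

    foreach ($app in $Apps) {
        foreach ($e in $expected) {
            $path   = "HKCU:\Software\Policies\Microsoft\Office\15.0\$app\$($e.Sub)"
            $actual = (Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
            [pscustomobject]@{
                App       = $app
                Policy    = $e.Policy
                Value     = "$($e.Sub)\$($e.Name)"
                Expected  = $e.Want
                # A missing policy value means the user's own Trust Center choice applies.
                Actual    = if ($null -eq $actual) { 'not set (user default applies)' } else { $actual }
                Compliant = ($actual -eq $e.Want)
            }
        }
    }
}
Test-Office2013MacroPolicy | Format-Table -AutoSize
```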

default dll used by powerpoint

4 March 2016

User and Computer Remote AD

19 February 2016
  1. MS tool: http://www.microsoft.com/pl-pl/download/details.aspx?id=7887
  2. Run:

dism /online /enable-feature /featurename:RemoteServerAdministrationTools

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS

dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns

  3. Run: dsa.msc
Categories Power Shell, Windows

Protection of system security

3 November 2015

Password dumping opensource

1 September 2015
https://github.com/quarkslab/quarkspwdump
Categories Cpp, Windows

mandiant free forensic tools

24 June 2015
Source: https://www.mandiant.com/resources/downloads
  • Redline®

    Redline® is a free utility that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis.

  • IOC Editor

    Mandiant's IOC Editor is a free editor for Indicators of Compromise (IOCs).

  • IOC Finder

    Mandiant's IOC Finder is a free tool for collecting host system data and reporting the presence of Indicators of Compromise (IOCs).

  • Memoryze™

    Free memory forensics software designed to help incident responders find evil within live memory.

  • Memoryze™ for the Mac

    Free memory forensics software designed to help incident responders find evil within live memory.

  • Highlighter™

    Highlighter is designed to help security analysts and system administrators rapidly review log and other structured text files.

  • Web Historian™

    Web Historian's capabilities have been consolidated into Mandiant Redline.

  • Research: PdbXtract™

    PdbXtract is a tool to help you explore symbolic type information as extracted from Microsoft programming database files.

  • Research: Mandiant ApateDNS™

    Mandiant ApateDNS is a tool for controlling DNS responses through an easy-to-use graphical user interface (GUI).

  • Research: Mandiant Heap Inspector™

    Mandiant Heap Inspector is a heap visualization and analysis tool. It has the ability to collect a process' heaps using both API and raw methods.

Windows forensic - process running

21 June 2015

Investigation options:

  • Prefetch
  • Shimcache (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
    • projects:
      • python: https://github.com/mandiant/ShimCacheParser   (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
      • C#: https://github.com/woanware/shimcacheparser
  • MUICache
  • UserAssist

Interesting presentation: https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Johnny-AppCompatCache-the-Ring-of-Malware-Brice-Daniels-and-Mary-Singh.pdf

Redirecting tcpdump from Linux to Windows

8 June 2015

Linux

ssh xdalny-linux "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

 

Windows

 

plink -ssh username@remote-host "tcpdump -s 0 -w - 'port 8080'" | wireshark -i -

 

source: https://kaischroed.wordpress.com/2013/01/28/howto-use-wireshark-over-ssh/

Data Execution Prevention

1 June 2015

A rarely enabled protection whose purpose is to prevent code from being executed out of data segments.

DEP can be configured directly by changing the options in the Boot.ini file, via the System tab of the Control Panel, or through the registry:

  1. Via the registry:

    32-bit version
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
    64-bit version
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f /reg:64

  2. Via the GUI settings:

  3. Via the settings in the Boot.ini file:

    Boot.ini: /noexecute=security_level, where security_level is one of: AlwaysOn, AlwaysOff, OptIn or OptOut.

    OPTIN: the default setting in Windows XP and Windows Vista. DEP protects only Windows system programs.

    OPTOUT: the default setting in Microsoft Windows Server 2003 SP1. DEP protects all processes, but the System tab of the Control Panel allows a list of programs to be excluded from DEP protection.

    ALWAYSON: enables full DEP protection for the system. All processes are covered by DEP and no exceptions can be created.

    ALWAYSOFF: disables DEP protection regardless of whether it is supported by hardware.
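A check of which of the four levels is actually in effect, as an added PowerShell example (not from the original post): Win32_OperatingSystem exposes the DEP policy with exactly that encoding, and the Explorer policy value written by the reg.exe commands above is read alongside it. On Windows Vista and later the Boot.ini /noexecute switch is replaced by the BCD nx setting (bcdedit /set nx OptOut), but the WMI property reflects whichever is in effect.

```powershell
# Added example, not from the original post. Reports the effective DEP policy
# (Win32_OperatingSystem encodes it exactly as the four levels above) together
# with the Explorer policy value written by the reg.exe commands above.
function Get-DepStatus {
    [CmdletBinding()]
    param()
    # Documented encoding of DataExecutionPrevention_SupportPolicy.
    $levels = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # Explorer-specific policy from the reg.exe lines above; 1 means DEP is turned
    # off for Explorer, 0 or absent means Explorer follows the system policy.
    $explorerKey = 'HKLM:\Software\Policies\Microsoft\Windows\Explorer'
    $noDep = (Get-ItemProperty -Path $explorerKey -Name NoDataExecutionPrevention `
                  -ErrorAction SilentlyContinue).NoDataExecutionPrevention

    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $levels[$policy]
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = [bool]$os.DataExecutionPrevention_Drivers
        ExplorerDepDisabled  = ($noDep -eq 1)
        # Only AlwaysOn and OptOut cover every process by default; OptIn leaves
        # most third-party code unprotected and AlwaysOff disables DEP entirely.
        Finding              = if ($policy -in 1, 3) { 'OK' } else { "Review: policy is $($levels[$policy])" }
    }
}
Get-DepStatus
```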


Categories Windows

Injecting JavaScript into IE using a BHO

13 May 2015

JavaScript code injection can be done using VS Express Edition.
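Before the injector code itself, an added PowerShell example (not from the original post) showing the defender's side: it enumerates the Browser Helper Objects registered under the key the code below writes to, resolves each CLSID to its in-proc DLL and checks the DLL's Authenticode status.

```powershell
# Added example, not from the original post. Enumerates the Browser Helper
# Objects registered under the BHO key (plus the Wow6432Node and per-user
# views), resolves each CLSID to its in-proc DLL and checks the DLL's
# Authenticode status: an unsigned BHO that appeared recently is the artifact a
# defender looks for when hunting for a page-modifying injector.
function Get-RegisteredBho {
    [CmdletBinding()]
    param()
    $bhoKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $name = $null; $dll = $null
            # A BHO is a COM in-proc server: its DLL is the default value of
            # CLSID\{...}\InprocServer32.
            foreach ($root in $clsidRoots) {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path -Path $srv) {
                    $name = (Get-ItemProperty -Path "$root\$clsid").'(default)'
                    $dll  = [Environment]::ExpandEnvironmentVariables(
                                ((Get-ItemProperty -Path $srv).'(default)' -replace '"', ''))
                    break
                }
            }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                       (Get-AuthenticodeSignature -FilePath $dll).Status
                   } else { 'DLL not found' }
            [pscustomobject]@{
                Hive       = $key.Substring(0, 4)
                Clsid      = $clsid
                Name       = $name
                Dll        = $dll
                Signature  = $sig
                # NoExplorer = 1 keeps the BHO out of Windows Explorer but not out of IE.
                NoExplorer = (Get-ItemProperty -Path $sub.PSPath -Name NoExplorer -ErrorAction SilentlyContinue).NoExplorer
            }
        }
    }
}
Get-RegisteredBho | Format-Table -AutoSize
```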

example code (project type "Visual C# -> Class Library"):

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using SHDocVw;
using mshtml;
using System.IO;
using Microsoft.Win32;
using System.Runtime.InteropServices; 


namespace FE_JSinjector
{
    [
        ComVisible(true),
        InterfaceType(ComInterfaceType.InterfaceIsIUnknown),
        Guid("FC4801A3-2BA9-11CF-A229-00AA003D7352")
    ]
    public interface IObjectWithSite
    {
        [PreserveSig]
        int SetSite([MarshalAs(UnmanagedType.IUnknown)]object site);
        [PreserveSig]
        int GetSite(ref Guid guid, out IntPtr ppvSite);
    }

    // BHO entry point: IE hands the browser object to SetSite once per tab
    // and calls SetSite(null) when the tab is closed.
    public class BHOInjector : IObjectWithSite
    {
        public const string BHO_REGISTRY_KEY_NAME = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";

        private WebBrowser webBrowser;
        public int SetSite(object site)
        {
            if (site != null)
            {
                webBrowser = (WebBrowser)site;
                // Hook DocumentComplete so the page is modified only after it has fully loaded.
                webBrowser.DocumentComplete +=
                  new DWebBrowserEvents2_DocumentCompleteEventHandler(
                  this.OnDocumentComplete);
            }
            else if (webBrowser != null)
            {
                // Unhook on teardown; guard against SetSite(null) arriving before SetSite(site).
                webBrowser.DocumentComplete -=
                  new DWebBrowserEvents2_DocumentCompleteEventHandler(
                  this.OnDocumentComplete);
                webBrowser = null;
            }

            return 0;

        }


        public int GetSite(ref Guid guid, out IntPtr ppvSite)
        {
            IntPtr punk = Marshal.GetIUnknownForObject(webBrowser);
            int hr = Marshal.QueryInterface(punk, ref guid, out ppvSite);
            Marshal.Release(punk);
            return hr;
        }

        public void OnDocumentComplete(object pDisp, ref object URL)
        {
            HTMLDocument document = (HTMLDocument)webBrowser.Document;

            // Only act on the site of interest; DocumentComplete fires for every navigation.
            if (URL.ToString().Contains("www.google.pl"))
            {
                IHTMLElement head = (IHTMLElement)((IHTMLElementCollection)
                                        document.all.tags("head")).item(null, 0);
                if (head == null)
                    return;

                // Insert a <script> element into <head> defining the hidediv() helper.
                IHTMLScriptElement scriptObject =
                    (IHTMLScriptElement)document.createElement("script");
                scriptObject.type = @"text/javascript";
                scriptObject.text = "\nfunction hidediv(){document.getElementById" +
                                    "('myOwnUniqueId12345').style.visibility = 'hidden';}\n\n";
                ((HTMLHeadElement)head).appendChild((IHTMLDOMNode)scriptObject);

                // Overlay element; note CSS properties use "name:value", not "name=value".
                string div = "<div id=\"myOwnUniqueId12345\" style=\"position:" +
                                "fixed;bottom:0px;right:0px;z-index:9999;width:300px;" +
                                "height:150px;\"> <div style=\"position:relative;" +
                                "float:right;font-size:9px;\"><a " +
                                "href=\"javascript:hidediv();\">close</a></div>" +
                    "My content goes here ...</div>";

                document.body.insertAdjacentHTML("afterBegin", div);
            }
        }
        #region BHO Internal Functions
        [ComRegisterFunction]
        public static void RegisterBHO(Type type)
        {
            RegistryKey registryKey =
            Registry.LocalMachine.OpenSubKey(BHO_REGISTRY_KEY_NAME, true);

            if (registryKey == null)
                registryKey = Registry.LocalMachine.CreateSubKey(BHO_REGISTRY_KEY_NAME);

            string guid = type.GUID.ToString("B");
            RegistryKey ourKey = registryKey.OpenSubKey(guid);

            if (ourKey == null)
                ourKey = registryKey.CreateSubKey(guid);

            ourKey.SetValue("NoExplorer", 1, RegistryValueKind.DWord);

            registryKey.Close();
            ourKey.Close();
        }

        [ComUnregisterFunction]
        public static void UnregisterBHO(Type type)
        {
            RegistryKey registryKey =
            Registry.LocalMachine.OpenSubKey(BHO_REGISTRY_KEY_NAME, true);
            string guid = type.GUID.ToString("B");

            if (registryKey != null)
                registryKey.DeleteSubKey(guid, false);
        }

        #endregion
    }
}

Registering on the system:

  1. Before compiling, tick "Make assembly COM-Visible" in VS (Solution Explorer -> Assembly Information... -> at the bottom of the popup)
  2. Add a Strong Name (Solution Explorer -> Signing -> checkbox: Sign the assembly -> <new...> and go through the wizard)
  3. Copy the DLL into the %ProgramFiles%\Internet Explorer\Wtyczki directory
  4. (32-bit version) run RegAsm /codebase on the library using the .NET Framework tool, e.g. Windows\Microsoft.NET\Framework\v4.X.XXXX\RegAsm.exe
  5. (64-bit version) run RegAsm /codebase on the library using the .NET Framework tool, e.g. Windows\Microsoft.NET\Framework64\v4.X.XXXX\RegAsm.exe
  6. Enable the plugin in IE
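The defender's side of the same mechanism, as an added example that is not part of the original post: it inventories the Browser Helper Objects registered under the registry key the code above writes to and resolves each CLSID to the DLL IE will load. It assumes PowerShell on Windows and only reads the registry.

```powershell
# Added example (not from the original post): list registered Browser Helper Objects and the
# file each one loads, so an unexpected injector stands out. A .NET BHO registered with
# "RegAsm /codebase" shows mscoree.dll as the server and keeps the real assembly path in the
# CodeBase value, so both are reported.
function Get-RegisteredBho {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID')

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid  = $entry.PSChildName
            $server = $null
            # Resolve CLSID -> InprocServer32 in the native hive first, then the 32-bit view.
            foreach ($clsidRoot in $clsidRoots) {
                $inproc = "$clsidRoot\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) { $server = Get-ItemProperty -LiteralPath $inproc; break }
            }
            $path = $null
            if ($server) { $path = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)') }
            # Prefer the managed assembly behind mscoree.dll when a CodeBase (file:/// URI) exists.
            if ($server -and $server.CodeBase) { $path = ([uri]$server.CodeBase).LocalPath }
            $sig = 'FileMissing'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [pscustomobject]@{
                Hive       = $root
                CLSID      = $clsid
                # NoExplorer = 1 means "load in IE only, not in Windows Explorer" (see RegisterBHO).
                NoExplorer = (Get-ItemProperty -LiteralPath $entry.PSPath).NoExplorer
                Server     = if ($server) { [string]$server.'(default)' } else { '<CLSID not registered>' }
                Path       = $path
                Signature  = $sig
            }
        }
    }
}

Get-RegisteredBho | Format-Table -AutoSize
```

Unsigned entries, CodeBase paths outside Program Files, or CLSIDs with no InprocServer32 at all are the rows to look at first.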


Categories CSharp, Windows

Local administrator in a large network - a solution

Local Administrator Password Solution (LAPS) | 2 May 2015

Microsoft has released a solution for managing the passwords of local administrator accounts.

https://technet.microsoft.com/en-us/library/security/3062591

The software requirements are modest:

Active Directory:

  • Windows Server 2003 Service Pack 1 (SP1) or later.

Managed hardware / servers:

  • Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.

    Note: Itanium-based machines are not supported

Risks:

  • How to secure the schema flawlessly so that access to the password attribute is really limited to authorised users only.
  • Whether the password is sent to AD in a secure way.
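The first risk above is checkable. An added example, not from the original post or from Microsoft's LAPS tooling, that lists the principals able to read LAPS-managed passwords under an OU; it assumes the ActiveDirectory (RSAT) module is installed and uses a placeholder OU name.

```powershell
# Added example (not from the original post): list the principals that can read LAPS-managed
# passwords under an OU. ms-Mcs-AdmPwd is a confidential attribute, so reading it needs either
# "All extended rights" (an ExtendedRight ACE whose ObjectType is the empty GUID) or GenericAll.
# Assumptions: the ActiveDirectory (RSAT) module is installed; the OU DN below is a placeholder.
function Find-LapsPasswordReaders {
    param([Parameter(Mandatory)] [string] $OrgUnitDN)
    Import-Module ActiveDirectory -ErrorAction Stop
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path ('AD:\' + $OrgUnitDN)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
                ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                 $_.ObjectType -eq [guid]::Empty)   # empty GUID = *all* extended rights
            )
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } }
}

# Anything beyond SYSTEM, Domain Admins and the intended helpdesk group is a finding.
# The LAPS PowerShell module's own Find-AdmPwdExtendedRights performs the same check.
Find-LapsPasswordReaders -OrgUnitDN 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```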


Resizing an NTFS partition under Linux

9 April 2015

on an unmounted disk:

sudo ntfsresize --info /dev/sdb2
Device name        : /dev/sdb2
NTFS volume version: 3.1
Cluster size       : 4096 bytes
Current volume size: 500000879104 bytes (500001 MB)
Current device size: 500000882688 bytes (500001 MB)
Checking filesystem consistency ...
100.00 percent completed
Accounting clusters ...
Space in use       : 42992 MB (8.6%)
Collecting resizing constraints ...
You might resize at 42991591424 bytes or 42992 MB (freeing 457009 MB).
Please make a test run using both the -n and -s options before real resizing!

Test run (--size gives the size of the new partition):

sudo ntfsresize --no-action --size 50000M  /dev/sdb2

If everything is OK:

Device name        : /dev/sdb2
NTFS volume version: 3.1
Cluster size       : 4096 bytes
Current volume size: 500000879104 bytes (500001 MB)
Current device size: 500000882688 bytes (500001 MB)
New volume size    : 49999995392 bytes (50000 MB)
Checking filesystem consistency ...
100.00 percent completed
Accounting clusters ...
Space in use       : 42992 MB (8.6%)
Collecting resizing constraints ...
Needed relocations : 9000796 (36868 MB)
Schedule chkdsk for NTFS consistency check at Windows boot time ...
Resetting $LogFile ... (this might take a while)
Relocating needed data ...
100.00 percent completed
Updating $BadClust file ...
Updating $Bitmap file ...
Updating Boot record ...
The read-only test run ended successfully

run the command in write mode:

sudo ntfsresize --size 50000M  /dev/sdb2
Device name        : /dev/sdb2
NTFS volume version: 3.1
Cluster size       : 4096 bytes
Current volume size: 500000879104 bytes (500001 MB)
Current device size: 500000882688 bytes (500001 MB)
New volume size    : 49999995392 bytes (50000 MB)
Checking filesystem consistency ...
100.00 percent completed
Accounting clusters ...
Space in use       : 42992 MB (8.6%)
Collecting resizing constraints ...
Needed relocations : 9000796 (36868 MB)
WARNING: Every sanity check passed and only the dangerous operations left.
Make sure that important data has been backed up! Power outage or computer
crash may result major data loss!
Are you sure you want to proceed (y/[n])? y
Schedule chkdsk for NTFS consistency check at Windows boot time ...
Resetting $LogFile ... (this might take a while)
Relocating needed data ...

this takes a while; we wait for:

100.00 percent completed
Updating $BadClust file ...
Updating $Bitmap file ...
Updating Boot record ...
Syncing device ...
Successfully resized NTFS on device '/dev/sdb2'.
You can go on to shrink the device for example with Linux fdisk.
IMPORTANT: When recreating the partition, make sure that you
  1)  create it at the same disk sector (use sector as the unit!)
  2)  create it with the same partition type (usually 7, HPFS/NTFS)
  3)  do not make it smaller than the new NTFS filesystem size
  4)  set the bootable flag for the partition if it existed before
Otherwise you won't be able to access NTFS or can't boot from the disk!
If you make a mistake and don't have a partition table backup then you
can recover the partition table by TestDisk or Parted's rescue mode.

Resizing the partition (the disk is /dev/sdb, as the listing below shows):

sudo fdisk /dev/sdb
Command (m for help): p
Disk /dev/sdb: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x14cc98c0

Device     Boot  Start       End   Sectors   Size Id Type
/dev/sdb1  *      2048    206847    204800   100M  7 HPFS/NTFS/exFAT
/dev/sdb2       206848 976771071 976564224 465.7G  7 HPFS/NTFS/exFAT

delete partition 2 (/dev/sdb2) (option d)

create a new partition of the reduced size plus 150 M (option n)

change the partition type (option t, type 7)

run the final test:

sudo ntfsresize --info --force /dev/sdb2

Device name        : /dev/sdb2
NTFS volume version: 3.1
Cluster size       : 4096 bytes
Current volume size: 49999995392 bytes (50000 MB)
Current device size: 52575600640 bytes (52576 MB)
Checking filesystem consistency ...
100.00 percent completed
Accounting clusters ...
Space in use       : 42978 MB (86.0%)
Collecting resizing constraints ...
You might resize at 42977857536 bytes or 42978 MB (freeing 7022 MB).
Please make a test run using both the -n and -s options before real resizing!

Categories Windows, Linux

Displaying information about a virtual machine on the desktop

9 April 2015

Customisable information can be displayed on a computer's desktop with Sysinternals BgInfo.

Categories Windows