Windows: Difference between revisions
No edit summary |
|||
| (25 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=== Windows 11 Pro === | === Windows 11 Pro License === | ||
https://www.allkeyshop.com/blog/buy-windows-11-pro-cd-key-compare-prices/ | https://www.allkeyshop.com/blog/buy-windows-11-pro-cd-key-compare-prices/ | ||
https://github.com/ntdevlabs/tiny11builder | |||
Dism /online /Set-Edition: /Set-Edition:Professional | Dism /online /Set-Edition: /Set-Edition:Professional | ||
slmgr -dli | |||
slmgr -dlv | |||
slmgr -xpr | |||
slmgr - | slmgr -upk | ||
slmgr -cpky | |||
slmgr -ipk KEY12-KEY34-KEY56-KEY78-KEY90 | |||
slmgr - | slmgr -ato | ||
https://learn.microsoft.com/en-us/windows-server/get-started/kmsclientkeys#windows-server-ltscltsb-versions | |||
=== WSL === | |||
wsl.exe --list --online | |||
wsl.exe --install Ubuntu-24.04 | |||
=== Windows Server === | |||
https://www.allkeyshop.com/blog/buy-windows-server-2022-cd-key-compare-prices/ | |||
https://info.microsoft.com/ww-landing-windows-server-2022.html | |||
Dism /online /Set-Edition:ServerStandard /ProductKey:KEY12-KEY34-KEY56-KEY78-KEY90 /AcceptEula | |||
slmgr -ato | slmgr -ato | ||
=== Windows Server 2025 === | |||
https://www.microsoft.com/en-us/evalcenter/download-windows-server-2025 | |||
For an inplace upgrade of a domain controller, you need ADPREP and FORESTPREP. | |||
Install the GUI Desktop Experience, the Cloudsync depends on graphics that are otherwise not available. Running the Core version without desktop is awesome if you can manage windows server by powershell and the occasional application. Browsers and other sync tools won't work. | |||
=== | === Windows Server 2022 on XEN === | ||
https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso | https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso | ||
| Line 44: | Line 52: | ||
vif = ['bridge=lan,model=e1000,rate=10Gb/s'] | vif = ['bridge=lan,model=e1000,rate=10Gb/s'] | ||
disk = ['phy:/dev/share/win-dc,hda,w','file:/share/SERVER_EVAL_x64FRE_en-us.iso,hdc:cdrom,r'] | disk = ['phy:/dev/share/win-dc,hda,w','file:/share/SERVER_EVAL_x64FRE_en-us.iso,hdc:cdrom,r'] | ||
Remove Role and Demote AD | Remove Role and Demote AD | ||
| Line 53: | Line 59: | ||
Move-ADDirectoryServerOperationMasterRole -Identity win-dcx -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster | Move-ADDirectoryServerOperationMasterRole -Identity win-dcx -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster | ||
=== Initial Configuration === | |||
sconfig | sconfig | ||
2 Change hostname | 2 Change hostname | ||
| Line 60: | Line 67: | ||
6 Install updates | 6 Install updates | ||
13 restart | 13 restart | ||
Test-NetConnection -ComputerName win-dc1 -Port 389 | |||
1 join domain | 1 join domain | ||
| Line 96: | Line 103: | ||
=== AD === | === AD === | ||
FSMO Forest Service Operation Master | |||
{| class="wikitable" | |||
|+ | |||
!Scope | |||
!No | |||
!Service | |||
!Protocol | |||
!Master Role | |||
! | |||
|- | |||
|Forest | |||
|3 | |||
|NTDS | |||
|LDAP | |||
|SchemaMaster | |||
|CN=Schema,CN=configuration,DC=<forest root domain> | |||
|- | |||
| | |||
|4 | |||
| | |||
|DNS | |||
|DomainNamingMaster | |||
|CN=configuration,DC=<forest root domain> | |||
|- | |||
|Domain | |||
|2 | |||
| | |||
| | |||
|InfrastructureMaster | |||
|DC=<domain> | |||
|- | |||
| | |||
|1 | |||
| | |||
| | |||
|RIDMaster | |||
|DC=<domain> | |||
|- | |||
| | |||
|0 | |||
| | |||
| | |||
|PDCEmulator | |||
|DC=<domain> | |||
|} | |||
nltest /dsgetdc:ISLIEF.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE /DS_6 | |||
nltest /dsgetdc:ISLIEF.COM /WRITABLE | |||
==== Query Master Role ==== | |||
netdom query fsmo | |||
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster | |||
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator | |||
==== Move Master Role ==== | |||
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole SchemaMaster –Force | |||
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole DomainNamingMaster –Force | |||
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole PDCEmulator –Force | |||
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole InfrastructureMaster –Force | |||
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole RIDMaster –Force | |||
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/transfer-or-seize-operation-master-roles-in-ad-ds | |||
https://learn.microsoft.com/en-us/troubleshoot/windows-server/welcome-windows-server | https://learn.microsoft.com/en-us/troubleshoot/windows-server/welcome-windows-server | ||
| Line 103: | Line 179: | ||
DSREGCMD /status | DSREGCMD /status | ||
=== DFS Replication === | |||
https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview | |||
Domain controllers use a special shared folder named SYSVOL to replicate sign-in scripts and Group Policy object files to other domain controllers. | |||
dcdiag /v /c /e /q | |||
Get-DfsrBacklog -SourceComputerName "win-dc1" -DestinationComputerName "win-dc2" | |||
Get-DfsrState -ComputerName "win-dc1" | Format-Table FileName,UpdateState,Inbound,Source* -Auto -Wrap | |||
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-authoritative-recovery-sysvol | |||
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization#how-to-perform-an-authoritative-synchronization-of-dfsr-replicated-sysvol-replication-like-d4-for-frs | |||
https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f | |||
===== backup ===== | |||
wbadmin –authsysvol | |||
===== events ===== | |||
Get-WinEvent -LogName 'DFS Replication' | Where-Object ID -EQ 4602 | Format-Table -AutoSize -Wrap | |||
Install-WindowsFeature -Name RSAT-DFS-Mgmt-Con | |||
===== replication service ===== | |||
net stop dfsr | |||
net start dfsr | |||
Restart-Service DFSR -PassThru | |||
DFSRDIAG POLLAD | |||
dcdiag | |||
dfsrdiag SyncNow /Partner:win-dc1 /RGName:"Domain System Volume" /Time:120 | |||
dfsrdiag replicationstate | |||
dfsrdiag backlog /rgname:"Domain System Volume" /rfname:SYSVOL /sendingmember:win-dc1 /receivingmember:win-dc2 | |||
repadmin /syncall win-dc1 /APed | |||
repadmin /SHOWREPS win-dc1 | |||
repadmin /SHOWREPS win-dc2 | |||
asdiedit.msc | |||
msDFSR-Enabled=TRUE | |||
msDFSR-options=1 | |||
$group = "Domain System Volume" | |||
$folder = "SYSVOL" | |||
$dc = "win-dc2" # Your secondary DC name | |||
New-DfsReplicationGroup -GroupName $group -Domain islief.com | |||
New-DfsReplicatedFolder -GroupName $group -FolderName $folder -Path "C:\Windows\SYSVOL\sysvol" | |||
Get-DfsrBacklog -GroupName "Domain System Volume" -SourceComputerName win-dc1 -DestinationComputerName win-dc2 | |||
Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl | |||
Error: 9061 (The replicated folder has been offline for too long.) | |||
https://learn.microsoft.com/en-us/answers/questions/317003/dfsr-setting-maxofflinetimeindays-resets-rpc-port | |||
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays = 999 | |||
takeown /F "C:\System Volume Information\DFSR" /A /R /D Y | |||
icacls "C:\System Volume Information\DFSR" /grant Administrators:F /T | |||
Remove-Item -Path "C:\System Volume Information\DFSR" -Recurse -Force | |||
takeown /F "C:\windows\SYSVOL" /A /R /D Y | |||
icacls "C:\windows\SYSVOL" /grant Administrators:F /T | |||
Remove-Item -Path "C:\Windows\SYSVOL" -Recurse -Force | |||
robocopy "\\win-dc1\C$\Windows\SYSVOL\sysvol" "C:\Windows\SYSVOL\sysvol" /MIR /COPY:DAT /R:3 /W:5 | |||
$PrimaryDCPath = "\\win-dc1\SYSVOL\islief.com" | |||
$SecondaryDCPath = "\\win-dc2\SYSVOL\islief.com" | |||
$PrimaryDCFiles = Get-ChildItem -Path $PrimaryDCPath -Recurse | Select-Object FullName, LastWriteTime, Length | |||
$SecondaryDCFiles = Get-ChildItem -Path $SecondaryDCPath -Recurse | Select-Object FullName, LastWriteTime, Length | |||
$Comparison = Compare-Object -ReferenceObject $PrimaryDCFiles -DifferenceObject $SecondaryDCFiles -Property FullName, LastWriteTime, Length | |||
if ($Comparison) { | |||
Write-Output "Differences found in SYSVOL folders between Primary and Secondary DCs:" | |||
$Comparison | Format-Table -AutoSize | |||
} else { | |||
Write-Output "SYSVOL folders are identical on both DCs." | |||
} | |||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters | |||
Under Parameters, create a new DWORD value named SysvolReady and set it to 0 | |||
dfsrdiag pollad | |||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols[Domain name] | |||
=== MTU === | === MTU === | ||
| Line 184: | Line 350: | ||
=== HyperVisor === | === HyperVisor === | ||
Enable virtualization in UEFI | Enable virtualization in UEFI | ||
Windows Features, Hyper-V (Platform and Management Tools) | Windows Features, Hyper-V (Platform and Management Tools) | ||
| Line 197: | Line 364: | ||
Set-VMProcessor -VMName "Ubuntu 20.04" -ExposeVirtualizationExtensions $true | Set-VMProcessor -VMName "Ubuntu 20.04" -ExposeVirtualizationExtensions $true | ||
=== Security | === Security Monitoring === | ||
availability | availability | ||
| Line 204: | Line 371: | ||
report incidents | report incidents | ||
business tasks > react time | business tasks > react time | ||
Measure time not accessible | |||
Report outages | |||
Infra support | |||
capture vm ubuntu / captures one segment span port ... reachable from dmz? | capture vm ubuntu / captures one segment span port ... reachable from dmz? | ||
custom ... kali | |||
custom ... kali | |||
Network Picture / HW info | Network Picture / HW info | ||
| Line 221: | Line 388: | ||
info recon/ feedback ... yellow/red/white/blue | info recon/ feedback ... yellow/red/white/blue | ||
Access Logs | Access Logs - Elasticsearch SIEM - Syslog / Logstash Beats - winlogbeat / audit beats | ||
Elasticsearch SIEM | |||
Syslog / Logstash | > routable ... tunnel | ||
Uptime in Elasticsearch | Uptime in Elasticsearch | ||
CIS Hardening | |||
online patching | |||
... smb patching | Ansible Elastalert | ||
agents | |||
Automate everything? ansible online patching... smb patching agents | |||
scripted attacks | scripted attacks | ||
nessus? target yes scan > | defender / avast | ||
rogue vm's ... | |||
nessus? target yes scan > rogue vm's ... | |||
match list of known hosts. | match list of known hosts. / external host scans | ||
external host scans | |||
users | users / program enumerators ... ambitions / pdf reader | ||
program enumerators ... ambitions | |||
pdf reader | |||
iis ... user ... Defaced Websites? | iis ... user ... Defaced Websites? Scanner | ||
Scanner | |||
Detect Changes | Detect Changes / Guestbook...Injections attacks | ||
Guestbook... | |||
Injections attacks | |||
Host down monitoring | Host down monitoring | ||
VM outside for checking services | VM outside for checking services / Detect filechanges? | ||
Detect filechanges? | |||
Offline Patching ... WSUS Administrator user ... different passwords per hosts | |||
Integrity of windows ... FileChanges? Windows OpenSCAP? | |||
Trolling Strategy PS Binary | Trolling Strategy PS Binary | ||
advanded debugging test | advanded debugging test | ||
WINRM Do everything that was needed | WINRM Do everything that was needed. | ||
3PP Firewall Windows | 3PP Firewall Windows | ||
Netstat ... | Netstat ... | ||
Credentials / Wiki | Credentials / Wiki | ||
Scan SNMP SMTP PING | |||
Working rules with forensics team / communications team how to report. | Working rules with forensics team / communications team how to report. | ||
MISP ??? | MISP ??? | ||
Avast ask for permissions ... white team request clicks everything they can | |||
live forensics | Avast ask for permissions ... white team request clicks everything they can, live forensics / live analysis / show binary | ||
ZIG module? lateral movmebt windows | ZIG module? lateral movmebt windows | ||
RITA SYSLOG Beacon detection | RITA SYSLOG Beacon detection | ||
ActiveCM Company | ActiveCM Company | ||
The specified extrinsic Method does not exist. | The specified extrinsic Method does not exist. | ||
OpenWBEM | OpenWBEM | ||
https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html | https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html | ||
Communication Strategy. | Communication Strategy. | ||
Communication should be recordable | Communication should be recordable | ||
template / threat rep | template / threat rep | ||
Install MISP for reporting | Install MISP for reporting | ||
Cleanup reports / this ip is attacking outside ... our hosts not reported | Cleanup reports / this ip is attacking outside ... our hosts not reported | ||
report malware / compromise this file or process | |||
threat report directly by team members in the chat ... one liners tickets to the green team? | |||
==== Example issues ==== | |||
pdf view not working. news paper website / review if it makes sense? responds. | |||
user accounts | msexe wscript lolbas talos blog hunting for user accounts, function accounts with $ | ||
function accounts with $ | |||
logon types 4624 / logintype 2,3,4,5,6,7,8,9,10,11 | logon types 4624 / logintype 2,3,4,5,6,7,8,9,10,11 | ||
impersonation level | impersonation level | ||
ultimatewindowssecurity.com | ultimatewindowssecurity.com | ||
| Line 327: | Line 485: | ||
https://chrissanders.org/publications/ | https://chrissanders.org/publications/ | ||
laps | laps AdmPwd.dll SecCli.dll | ||
AdmPwd.dll | |||
SecCli.dll | |||
https://adsecurity.org/?p=3377 | https://adsecurity.org/?p=3377 | ||
Best Practice Analyzer | Best Practice Analyzer | ||
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759260(v=ws.11)?redirectedfrom=MSDN | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759260(v=ws.11)?redirectedfrom=MSDN | ||
Remote Management with Server Manager | Remote Management with Server Manager | ||
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759202%28v%3dws.11%29 | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759202%28v%3dws.11%29 | ||
==== Windows Removal ==== | |||
=== Windows Removal === | |||
https://www.askvg.com/gui...lt-in-apps-in-windows-10/ | https://www.askvg.com/gui...lt-in-apps-in-windows-10/ | ||
| Line 364: | Line 520: | ||
Secondary domain controller for MIL domain | Secondary domain controller for MIL domain | ||
Windows Fileserver for MIL file sharing needs | Windows Fileserver for MIL file sharing needs | ||
=== Windows update for Business === | |||
<nowiki>https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb</nowiki> | |||
<nowiki>https://learn.microsoft.com/en-us/windows/deployment/update/wufb-wsus</nowiki> | |||
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | |||
remove the GPO that points your PC’s to WSUS server | |||
Remove-Item 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Recurse | |||
gpupdate /force | |||
Restart-Service -name "Windows Update" | |||
Group Policy: Specify source service for specific classes of Windows Updates | |||
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\ | |||
<nowiki>*</nowiki>.dl.delivery.mp.microsoft.com | |||
<nowiki>*</nowiki>.windowsupdate.com | |||
<nowiki>*</nowiki>.prod.do.dsp.mp.microsoft.com | |||
<nowiki>*</nowiki>.delivery.mp.microsoft.com | |||
<nowiki>*</nowiki>.update.microsoft.com | |||
tsfe.trafficshaping.dsp.mp.microsoft.com | |||
=== WSUS === | === WSUS === | ||
| Line 370: | Line 558: | ||
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/reindex-the-wsus-database | https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/reindex-the-wsus-database | ||
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i wsus-reindex.sql | sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i wsus-reindex.sql | ||
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -Q "DROP DATABASE SUSDB" | |||
The application runs on IIS as an application pool name WsusPool, with 8 sites with some exposing a SOAP interface. The webservice runs on 8531 for TLS (Microsoft still calls it SSL) and 8530 for HTTP traffic. Do not enable TLS for the top-level site. Content is transferred over HTTP only. IIS parameters must be optimized otherwise it is likely unusable. [[File:WSUS on IIS.png|thumb]] | The application runs on IIS as an application pool name WsusPool, with 8 sites with some exposing a SOAP interface. The webservice runs on 8531 for TLS (Microsoft still calls it SSL) and 8530 for HTTP traffic. Do not enable TLS for the top-level site. Content is transferred over HTTP only. IIS parameters must be optimized otherwise it is likely unusable.[[File:WSUS on IIS.png|thumb]] | ||
The service is unbearably slow if IIS is not optimized. | The service is unbearably slow if IIS is not optimized. | ||
| Line 403: | Line 592: | ||
https://www.catalog.update.microsoft.com/Search.aspx?q=windows%2011 | https://www.catalog.update.microsoft.com/Search.aspx?q=windows%2011 | ||
| Line 413: | Line 603: | ||
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide#maintain-wsus-while-supporting-configuration-manager-current-branch-version-1906-and-later-versions | https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide#maintain-wsus-while-supporting-configuration-manager-current-branch-version-1906-and-later-versions | ||
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide#decline-superseded-updates | |||
=== SQL Server Maintenance === | === SQL Server Maintenance === | ||
| Line 448: | Line 640: | ||
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/decline-superseded-updates | https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/decline-superseded-updates | ||
| Line 543: | Line 736: | ||
=== Preparation === | === Preparation === | ||
CIS hardening script | |||
Ansible playbook for: online patching | |||
Ansible playbook for: installing SIEM/HIDS agents | |||
Ansible playbook for: installing 3PP antivirus (avast free?) | |||
rules for SIEM alerts. | |||
how we retrieve, store and send malware files for malware analysis | |||
Ansible playbook for: audit local + domain users on system + removal of unneeded users | |||
Ansible playbook for: enumerating programs/processes so we can audit and remove unneeded ones (needs to include SMB) | |||
MAC hardening | |||
IIS hardening (automated) + permissions IIS user | |||
Ansible playbook for: installing + configuring 3PP firewall | |||
Offline patching as a patching 'plan B' | |||
Ansible playbook for: create special Administrator user + placing different password per host. | |||
Scan to recognize rogue hosts | |||
Strategy for logging changes to files (which ones, how to enable logging, make ansible playbook for it) | |||
Come up with a 'trolling' strategy. | Ansible playbook for running windows Openscap (and collect results somewhere) | ||
Come up with a 'trolling' strategy. aliases for certain commands? what does cobalt strike do, so we know what commands | |||
Day 0 | Day 0 | ||
Latest revision as of 10:16, 4 February 2025
Windows 11 Pro License
https://www.allkeyshop.com/blog/buy-windows-11-pro-cd-key-compare-prices/
https://github.com/ntdevlabs/tiny11builder
Dism /online /Set-Edition: /Set-Edition:Professional
slmgr -dli slmgr -dlv slmgr -xpr
slmgr -upk slmgr -cpky slmgr -ipk KEY12-KEY34-KEY56-KEY78-KEY90
slmgr -ato
WSL
wsl.exe --list --online
wsl.exe --install Ubuntu-24.04
Windows Server
https://www.allkeyshop.com/blog/buy-windows-server-2022-cd-key-compare-prices/
https://info.microsoft.com/ww-landing-windows-server-2022.html
Dism /online /Set-Edition:ServerStandard /ProductKey:KEY12-KEY34-KEY56-KEY78-KEY90 /AcceptEula
slmgr -ato
Windows Server 2025
https://www.microsoft.com/en-us/evalcenter/download-windows-server-2025
For an inplace upgrade of a domain controller, you need ADPREP and FORESTPREP.
Install the GUI Desktop Experience, the Cloudsync depends on graphics that are otherwise not available. Running the Core version without desktop is awesome if you can manage windows server by powershell and the occasional application. Browsers and other sync tools won't work.
Windows Server 2022 on XEN
lvcreate -n win-dc -L 48G share
/etc/xen/win-dc.hvm builder = "hvm" name = "win-dc" memory = "3072" viridian = 1 vcpus = 4 vif = ['bridge=lan,model=e1000,rate=10Gb/s'] disk = ['phy:/dev/share/win-dc,hda,w','file:/share/SERVER_EVAL_x64FRE_en-us.iso,hdc:cdrom,r']
Remove Role and Demote AD
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster Move-ADDirectoryServerOperationMasterRole -Identity win-dcx -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Initial Configuration
sconfig 2 Change hostname 8 Set static IP 8 set dns 7 enable remote desktop 6 Install updates 13 restart
Test-NetConnection -ComputerName win-dc1 -Port 389
1 join domain
add role active directory promote to primary dc, by clicking the flag in the server manager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -CreateDnsDelegation:$false -InstallDns:$true -DomainName "domain.com" -SiteName "Default-First-Site-Name" -ReplicationSourceDC "win-dcx.domain.com" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force:$true
Winget
$progressPreference = 'silentlyContinue' Write-Information "Downloading WinGet and its dependencies..." Invoke-WebRequest -Uri https://aka.ms/getwinget -OutFile Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile Microsoft.VCLibs.x64.14.00.Desktop.appx Invoke-WebRequest -Uri https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.7.3/Microsoft.UI.Xaml.2.7.x64.appx -OutFile Microsoft.UI.Xaml.2.7.x64.appx Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx Add-AppxPackage Microsoft.UI.Xaml.2.7.x64.appx Add-AppxPackage Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
Chocolatey
https://community.chocolatey.org/
Telegraf
https://www.influxdata.com/blog/using-telegraf-on-windows/
wget https://dl.influxdata.com/telegraf/releases/telegraf-1.28.2_windows_amd64.zip -UseBasicParsing -OutFile telegraf-1.28.2_windows_amd64.zip Expand-Archive .\telegraf-1.28.2_windows_amd64.zip -DestinationPath 'C:\Program Files\InfluxData\telegraf' cd 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2\' .\telegraf --config-directory 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2' --test icacls telegraf.conf /reset icacls telegraf.conf /inheritance:r /grant system:r .\telegraf --service install --config-directory 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2'
AD
FSMO Forest Service Operation Master
| Scope | No | Service | Protocol | Master Role | |
|---|---|---|---|---|---|
| Forest | 3 | NTDS | LDAP | SchemaMaster | CN=Schema,CN=configuration,DC=<forest root domain> |
| 4 | DNS | DomainNamingMaster | CN=configuration,DC=<forest root domain> | ||
| Domain | 2 | InfrastructureMaster | DC=<domain> | ||
| 1 | RIDMaster | DC=<domain> | |||
| 0 | PDCEmulator | DC=<domain> |
nltest /dsgetdc:ISLIEF.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE /DS_6
nltest /dsgetdc:ISLIEF.COM /WRITABLE
Query Master Role
netdom query fsmo
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Move Master Role
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole SchemaMaster –Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole DomainNamingMaster –Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole PDCEmulator –Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole InfrastructureMaster –Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole RIDMaster –Force
https://learn.microsoft.com/en-us/troubleshoot/windows-server/welcome-windows-server
https://4sysops.com/archives/active-directory-passwords-all-you-need-to-know/
DSREGCMD /status
DFS Replication
https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview
Domain controllers use a special shared folder named SYSVOL to replicate sign-in scripts and Group Policy object files to other domain controllers.
dcdiag /v /c /e /q Get-DfsrBacklog -SourceComputerName "win-dc1" -DestinationComputerName "win-dc2" Get-DfsrState -ComputerName "win-dc1" | Format-Table FileName,UpdateState,Inbound,Source* -Auto -Wrap
https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f
backup
wbadmin –authsysvol
events
Get-WinEvent -LogName 'DFS Replication' | Where-Object ID -EQ 4602 | Format-Table -AutoSize -Wrap
Install-WindowsFeature -Name RSAT-DFS-Mgmt-Con
replication service
net stop dfsr net start dfsr
Restart-Service DFSR -PassThru
DFSRDIAG POLLAD
dcdiag dfsrdiag SyncNow /Partner:win-dc1 /RGName:"Domain System Volume" /Time:120 dfsrdiag replicationstate dfsrdiag backlog /rgname:"Domain System Volume" /rfname:SYSVOL /sendingmember:win-dc1 /receivingmember:win-dc2
repadmin /syncall win-dc1 /APed repadmin /SHOWREPS win-dc1 repadmin /SHOWREPS win-dc2
asdiedit.msc msDFSR-Enabled=TRUE msDFSR-options=1
$group = "Domain System Volume" $folder = "SYSVOL" $dc = "win-dc2" # Your secondary DC name New-DfsReplicationGroup -GroupName $group -Domain islief.com New-DfsReplicatedFolder -GroupName $group -FolderName $folder -Path "C:\Windows\SYSVOL\sysvol"
Get-DfsrBacklog -GroupName "Domain System Volume" -SourceComputerName win-dc1 -DestinationComputerName win-dc2
Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl
Error: 9061 (The replicated folder has been offline for too long.)
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays = 999
takeown /F "C:\System Volume Information\DFSR" /A /R /D Y icacls "C:\System Volume Information\DFSR" /grant Administrators:F /T Remove-Item -Path "C:\System Volume Information\DFSR" -Recurse -Force
takeown /F "C:\windows\SYSVOL" /A /R /D Y icacls "C:\windows\SYSVOL" /grant Administrators:F /T Remove-Item -Path "C:\Windows\SYSVOL" -Recurse -Force
robocopy "\\win-dc1\C$\Windows\SYSVOL\sysvol" "C:\Windows\SYSVOL\sysvol" /MIR /COPY:DAT /R:3 /W:5
$PrimaryDCPath = "\\win-dc1\SYSVOL\islief.com"
$SecondaryDCPath = "\\win-dc2\SYSVOL\islief.com"
$PrimaryDCFiles = Get-ChildItem -Path $PrimaryDCPath -Recurse | Select-Object FullName, LastWriteTime, Length
$SecondaryDCFiles = Get-ChildItem -Path $SecondaryDCPath -Recurse | Select-Object FullName, LastWriteTime, Length
$Comparison = Compare-Object -ReferenceObject $PrimaryDCFiles -DifferenceObject $SecondaryDCFiles -Property FullName, LastWriteTime, Length
if ($Comparison) {
Write-Output "Differences found in SYSVOL folders between Primary and Secondary DCs:"
$Comparison | Format-Table -AutoSize
} else {
Write-Output "SYSVOL folders are identical on both DCs."
}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters
Under Parameters, create a new DWORD value named SysvolReady and set it to 0
dfsrdiag pollad
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols[Domain name]
MTU
netsh interface ipv4 set subinterface "Ethernet" mtu=1464 netsh interface ipv6 set subinterface "Ethernet" mtu=1464
Network
netstat -na netstat -nao netstat -ab netstat -a -n -p tcp -o perfmon /res
Powershell
$PSVersionTable.PSVersion
Install-Module -Name PowerShellGet -Force Install-Module -Name Az -AllowClobber -Scope CurrentUser Install-Module -Name Az -AllowClobber -Scope AllUsers Set-ExecutionPolicy RemoteSigned Set-ExecutionPolicy Restricted
Import-Module Az.Accounts Connect-AzAccount Install-AzAksKubectl Write-Output $Env:Path Import-AzAksCredential -ResourceGroupName cluster -Name cluster
PATH
$Env:Path += ";C:\Program Files\Git\cmd\"
Diskpart
diskmgmt.msc doesn't always allow you to remove partitions
diskpart list disk select disk 1 list part delete partition override
GET-CimInstance -query "SELECT * from Win32_DiskDrive"
Get-WMIOBJECT -query "SELECT * from Win32_DiskDrive"
wsl --mount \\.\PHYSICALDRIVE2 --partition 2 --type ext4
Hardening Monitoring
NMAP/Nessus/Ports Version Checks / Updates Hardening ELK Access Logs / Firewall Logs INotify Canaries
https://github.com/0x6d69636b/windows_hardening
Windows and Active Directory administration Check existing User Accounts / Roles Update Server? Run Latest updates Check Certificates (Root) Shell Integrity. CIS Security Hardening Integrity Scans Network Sflow Rita Kansa OSquery ELK Alert Observium eventlogger
Startup Apps Services Processes
Users Performance Process list Event manager msiexec.exe
psexec CPU, Memory, Disk Space, Temperature
HyperVisor
Enable virtualization in UEFI
Windows Features, Hyper-V (Platform and Management Tools)
Hyper-V Set video
Set-VMVideo -VMName "Ubuntu 20.04" -HorizontalResolution 1920 -VerticalResolution 1080
/etc/default/grub GRUB_CMDLINE_LINUX="quiet splash video=hyperv_fb:1920x1200"
Set-VMProcessor -VMName "Ubuntu 20.04" -HwThreadCountPerCore 2
"KVM requires a CPU that supports vmx or svm" Set-VMProcessor -VMName "Ubuntu 20.04" -ExposeVirtualizationExtensions $true
Security Monitoring
availability
security
report incidents
business tasks > react time
Measure time not accessible
Report outages
Infra support
capture vm ubuntu / captures one segment span port ... reachable from dmz?
custom ... kali
Network Picture / HW info
info recon/ feedback ... yellow/red/white/blue
Access Logs - Elasticsearch SIEM - Syslog / Logstash Beats - winlogbeat / audit beats
> routable ... tunnel
Uptime in Elasticsearch
CIS Hardening
Ansible Elastalert
Automate everything? ansible online patching... smb patching agents
scripted attacks
defender / avast
nessus? target yes scan > rogue vm's ...
match list of known hosts. / external host scans
users / program enumerators ... ambitions / pdf reader
iis ... user ... Defaced Websites? Scanner
Detect Changes / Guestbook...Injections attacks
Host down monitoring
VM outside for checking services / Detect filechanges?
Offline Patching ... WSUS Administrator user ... different passwords per hosts
Integrity of windows ... FileChanges? Windows OpenSCAP?
Trolling Strategy PS Binary
advanded debugging test
WINRM Do everything that was needed.
3PP Firewall Windows
Netstat ...
Credentials / Wiki
Scan SNMP SMTP PING
Working rules with forensics team / communications team how to report.
MISP ???
Avast ask for permissions ... white team request clicks everything they can, live forensics / live analysis / show binary
ZIG module? lateral movmebt windows
RITA SYSLOG Beacon detection
ActiveCM Company
The specified extrinsic Method does not exist.
OpenWBEM
https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html
Communication Strategy.
Communication should be recordable
template / threat rep
Install MISP for reporting
Cleanup reports / this ip is attacking outside ... our hosts not reported
report malware / compromise this file or process
threat report directly by team members in the chat ... one liners tickets to the green team?
Example issues
pdf view not working. news paper website / review if it makes sense? responds.
msexe wscript lolbas talos blog hunting for user accounts, function accounts with $
logon types 4624 / logintype 2,3,4,5,6,7,8,9,10,11
impersonation level
ultimatewindowssecurity.com
https://www.sneakymonkey.net/2018/06/25/blue-team-tips/ https://chrissanders.org/publications/
laps AdmPwd.dll SecCli.dll
https://adsecurity.org/?p=3377
Best Practice Analyzer
Remote Management with Server Manager
Windows Removal
https://www.askvg.com/gui...lt-in-apps-in-windows-10/
https://www.laptopmag.com...e-windows-10-builtin-apps
https://www.howtogeek.com...nd-how-to-reinstall-them/
https://github.com/Sycnex/Windows10Debloater
Powershell -> Run as Administrator->
Get-AppxPackage -AllUsers | where-object {$_.name –notlike "*store*"} | Remove-AppxPackage
ADFS
EnableCredSSP X509Enrollment.CX509PrivateKey.1
ADFS for webservice SSO Windows-based service for file sharing Outlook Web Access WSUS server for BTs Primary Domain controller for MIL domain Secondary domain controller for MIL domain Windows Fileserver for MIL file sharing needs
Windows update for Business
https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
https://learn.microsoft.com/en-us/windows/deployment/update/wufb-wsus
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
remove the GPO that points your PC’s to WSUS server
Remove-Item 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Recurse
gpupdate /force
Restart-Service -name "Windows Update"
Group Policy: Specify source service for specific classes of Windows Updates
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\
*.dl.delivery.mp.microsoft.com
*.windowsupdate.com
*.prod.do.dsp.mp.microsoft.com
*.delivery.mp.microsoft.com
*.update.microsoft.com
tsfe.trafficshaping.dsp.mp.microsoft.com
WSUS
WSUS Windows Update Service. Used for windows updates which can be retrieved from the on-site AD. The updates are registed in the WID Windows Internal Database in a database named SUSDB. The WID is an in-built SQL Express Server. The WID database needs to be reindexed regularly. This can be done with the sqlcmd commandline (not the golang version). It depends on ODBC 17 and the C++ 2017 runtime. It can be accessed through a named pipe
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i wsus-reindex.sql
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -Q "DROP DATABASE SUSDB"
The application runs on IIS as an application pool name WsusPool, with 8 sites with some exposing a SOAP interface. The webservice runs on 8531 for TLS (Microsoft still calls it SSL) and 8530 for HTTP traffic. Do not enable TLS for the top-level site. Content is transferred over HTTP only. IIS parameters must be optimized otherwise it is likely unusable.
The service is unbearably slow if IIS is not optimized.
Setting name Value Queue Length 2000 (up from default of 1000) Idle Time-out (minutes) 0 (down from the default of 20) Ping Enabled False (from default of True) Private Memory Limit (KB) 0 (unlimited, up from the default of 1,843,200 KB) Regular Time Interval (minutes) 0 (to prevent a recycle, and modified from the default of 1740)
https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl
Configure the WSUS web services to require SSL. In IIS Manager on the WSUS server, go to Sites > WSUS Administration. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. For each of the below WSUS web services:
ApiRemoting30 ClientWebService DSSAuthWebService ServerSyncWebService SimpleAuthWebService
Make the following changes:
Select SSL Settings. Enable the Require SSL option. Verify the Client certificates option is set to Ignore. Select Apply.
Don't set the SSL settings at the top-level "WSUS Administration" site since certain functions, such as content, these must use HTTP.
The update packages are synchronized from the microsoft catalog, the files are stored in the content directory.
https://www.catalog.update.microsoft.com/Search.aspx?q=windows%2011
A group policy attached to the clients tells them where to find the WSUS server and provides a schedule new updates for synchronization for all the products that you are interested in (for me only windows 11 and defender)
cd "C:\Program Files\Update Services\Tools"
.\WsusUtil.exe movecontent D:\ D:\move.log -skipcopy
SQL Server Maintenance
SQL Server Management Studio Express
SQLCMD
https://go.microsoft.com/fwlink/?linkid=2230791
ODBC Driver
https://go.microsoft.com/fwlink/?linkid=2249006
Visual C++ 2017
https://aka.ms/vs/17/release/vc_redist.x64.exe
\\.\pipe\MICROSOFT##WID\tsql\query sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -Q "DROP DATABASE SUSDB"
ODBC ver 17
MsSqlCmdLnUtils 15
https://go.microsoft.com/fwlink/?linkid=2230791
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -E Select COUNT(UpdateID) from vwMinimalUpdate where IsSuperseded=1 and Declined=0; go
Decline superseded updates
https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/aa387293(v=vs.85)
0x8024401C WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT.
Either can't reach the server, or the soap responses come too slow from the server, for instance when the database is slow
http://win-dc1:8530/ClientWebService/client.asmx
Log location
C:\Program Files\Update Services\WebServices\ApiRemoting30
C:\Windows\System32\LogFiles\HTTPERR
URL's
http://win-dc1:8530/selfupdate/iuident.cab
https://win-dc1:8531/selfupdate/iuident.cab
http://win-dc2:8530/selfupdate/iuident.cab
https://win-dc2:8531/selfupdate/iuident.cab
http://win-dc1:8530/ClientWebService/client.asmx
http://win-dc2:8530/ClientWebService/client.asmx
https://win-dc1:8531/ClientWebService/client.asmx:8531/ClientWebService/client.asmx
https://win-dc2:8531/ClientWebService/client.asmx:8531/ClientWebService/client.asmx
event viewer
SSMS
SQLCMD
WSUS Client
API for WSUS client
windows 11 22h2, english
defender
group policy
gpupdate -force
\\domain.com\SysVol\domain.com\Policies\{FC973EB5-AA57-4CDC-B184-58DD91E5CBB1}\gpt.ini
https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/
Stop-Service -Name BITS, wuauserv -Force Remove-ItemProperty -Name AccountDomainSid, PingID, SusClientId, SusClientIDValidation -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ -ErrorAction SilentlyContinue Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue Start-Service -Name BITS, wuauserv wuauclt /resetauthorization /detectnow (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow() %windir%\Logs\CBS
Failed to get visibility for package: Microsoft-OneCore-DirectX-Database-FOD-Package
C:\Program Files\Update Services\WebServices C:\Windows\System32\LogFiles\HTTPERR C:\Program Files\Update Services\LogFiles\softwaredistrution
Windows Cleanup
https://www.askvg.com/guide-how-to-remove-all-built-in-apps-in-windows-10/
https://www.laptopmag.com/articles/uninstall-restore-windows-10-builtin-apps
Powershell / Grafic Interface:
https://github.com/Sycnex/Windows10Debloater
Powershell -> Run as Administrator->
Get-AppxPackage -AllUsers | where-object {$_.name –notlike "*store*"} | Remove-AppxPackage
Preparation
CIS hardening script Ansible playbook for: online patching Ansible playbook for: installing SIEM/HIDS agents Ansible playbook for: installing 3PP antivirus (avast free?) rules for SIEM alerts. how we retrieve, store and send malware files for malware analysis Ansible playbook for: audit local + domain users on system + removal of unneeded users Ansible playbook for: enumerating programs/processes so we can audit and remove unneeded ones (needs to include SMB) MAC hardening IIS hardening (automated) + permissions IIS user Ansible playbook for: installing + configuring 3PP firewall Offline patching as a patching 'plan B' Ansible playbook for: create special Administrator user + placing different password per host. Scan to recognize rogue hosts Strategy for logging changes to files (which ones, how to enable logging, make ansible playbook for it) Ansible playbook for running windows Openscap (and collect results somewhere) Come up with a 'trolling' strategy. aliases for certain commands? what does cobalt strike do, so we know what commands
Day 0 Enable powershell/winRM everywhere. Change administrator password on all hosts. Run windows updates Audit accounts + remove unneeded ones Audit programs/processes + remove unneeded ones Install FW and AV with Ansible Install IDS/TI agents Run scans Document findings Add our trolling stuff (if we want to go that route) Run CIS hardening scripts
https://www.ultimatewindowssecurity.com/securitylog/default.aspx
https://github.com/api0cradle/LOLBAS
https://www.sneakymonkey.net/2018/01/21/laps/
https://chrissanders.org/publications/
Integrity
https://lolbas-project.github.io/#
https://github.com/LOLBAS-Project/LOLBAS
Windows Script Host, PowerShell and HTA)
https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html 643da5be13e18037f4fa484d4ccb51b9
Install-Module -Name PowerShellGet -Force
alternate data streams
test.txt:ha.exe
hidden powershell hosts
systems automation file (escape parameters)
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert('boom');"
https://medium.com/@fecarrara1/powershell-for-file-integrity-check-36203aef64a4 Get-ChildItem -Recurse | Get-FileHash -Algorithm MD5 | Out-File -FilePath 'C:\Users\janmg\windows-10pro.txt'
C:\windows\ServiceProfiles\NetworkService\NTUSER.DAT C:\windows\ServiceProfiles\LocalService\NTUSER.DAT