Windows: Difference between revisions
Revision as of 13:19, 27 December 2023
Windows 11 Pro
https://www.allkeyshop.com/blog/buy-windows-11-pro-cd-key-compare-prices/
Dism /online /Get-TargetEditions
Dism /online /Set-Edition:Professional /ProductKey:KEY12-KEY34-KEY56-KEY78-KEY90 /AcceptEula
Dism /online /Set-Edition:ServerStandard /ProductKey:KEY12-KEY34-KEY56-KEY78-KEY90 /AcceptEula
slmgr -dli
slmgr -dlv
slmgr -xpr
slmgr -upk
slmgr -cpky
slmgr -ipk KEY12-KEY34-KEY56-KEY78-KEY90
slmgr -ato
https://learn.microsoft.com/en-us/windows-server/get-started/kmsclientkeys#windows-server-ltscltsb-versions
Windows Server
https://github.com/ntdevlabs/tiny11builder
https://info.microsoft.com/ww-landing-windows-server-2022.html
https://www.allkeyshop.com/blog/buy-windows-server-2022-cd-key-compare-prices/
Win Server 2022 on XEN
lvcreate -n win-dc -L 48G share
/etc/xen/win-dc.hvm
builder = "hvm"
name = "win-dc"
memory = "3072"
viridian = 1
vcpus = 4
vif = ['bridge=lan,model=e1000,rate=10Gb/s']
disk = ['phy:/dev/share/win-dc,hda,w','file:/share/SERVER_EVAL_x64FRE_en-us.iso,hdc:cdrom,r']
Install the GUI (Desktop Experience): Cloud sync depends on graphics components that are otherwise not available. Running the Core version without graphics is awesome if you manage Windows Server by PowerShell.
Remove Role and Demote AD
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity win-dcx -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
sconfig
2 Change hostname
8 Set static IP
8 Set DNS
7 Enable remote desktop
6 Install updates
13 Restart
1 Join domain
Add the Active Directory Domain Services role and promote the server to primary DC by clicking the flag in Server Manager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -CreateDnsDelegation:$false -InstallDns:$true -DomainName "domain.com" -SiteName "Default-First-Site-Name" -ReplicationSourceDC "win-dcx.domain.com" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force:$true
Winget
$progressPreference = 'silentlyContinue'
Write-Information "Downloading WinGet and its dependencies..."
Invoke-WebRequest -Uri https://aka.ms/getwinget -OutFile Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile Microsoft.VCLibs.x64.14.00.Desktop.appx
Invoke-WebRequest -Uri https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.7.3/Microsoft.UI.Xaml.2.7.x64.appx -OutFile Microsoft.UI.Xaml.2.7.x64.appx
Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx
Add-AppxPackage Microsoft.UI.Xaml.2.7.x64.appx
Add-AppxPackage Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
Chocolatey
https://community.chocolatey.org/
Telegraf
https://www.influxdata.com/blog/using-telegraf-on-windows/
wget https://dl.influxdata.com/telegraf/releases/telegraf-1.28.2_windows_amd64.zip -UseBasicParsing -OutFile telegraf-1.28.2_windows_amd64.zip
Expand-Archive .\telegraf-1.28.2_windows_amd64.zip -DestinationPath 'C:\Program Files\InfluxData\telegraf'
cd 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2\'
.\telegraf --config-directory 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2' --test
icacls telegraf.conf /reset
icacls telegraf.conf /inheritance:r /grant system:r
.\telegraf --service install --config-directory 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2'
AD
https://learn.microsoft.com/en-us/troubleshoot/windows-server/welcome-windows-server
https://4sysops.com/archives/active-directory-passwords-all-you-need-to-know/
DSREGCMD /status
MTU
netsh interface ipv4 set subinterface "Ethernet" mtu=1464
netsh interface ipv6 set subinterface "Ethernet" mtu=1464
Network
netstat -na
netstat -nao
netstat -ab
netstat -a -n -p tcp -o
perfmon /res
Powershell
$PSVersionTable.PSVersion
Install-Module -Name PowerShellGet -Force
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Install-Module -Name Az -AllowClobber -Scope AllUsers
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Restricted
Import-Module Az.Accounts
Connect-AzAccount
Install-AzAksKubectl
Write-Output $Env:Path
Import-AzAksCredential -ResourceGroupName cluster -Name cluster
PATH
$Env:Path += ";C:\Program Files\Git\cmd\"
Diskpart
diskmgmt.msc doesn't always allow you to remove a partition (OEM and recovery partitions, for instance); diskpart with override does:
diskpart
list disk
select disk 1
list part
delete partition override
GET-CimInstance -query "SELECT * from Win32_DiskDrive"
Hardening Monitoring
NMAP/Nessus/Ports Version Checks / Updates Hardening ELK Access Logs / Firewall Logs INotify Canaries
https://github.com/0x6d69636b/windows_hardening
Windows and Active Directory administration Check existing User Accounts / Roles Update Server? Run Latest updates Check Certificates (Root) Shell Integrity. CIS Security Hardening Integrity Scans Network Sflow Rita Kansa OSquery ELK Alert Observium eventlogger
Startup Apps Services Processes
Users Performance Process list Event manager msiexec.exe
psexec CPU, Memory, Disk Space, Temperature
HyperVisor
Enable virtualization in UEFI
Windows Features: Hyper-V (Platform and Management Tools)
Hyper-V Set video
Set-VMVideo -VMName "Ubuntu 20.04" -HorizontalResolution 1920 -VerticalResolution 1080
/etc/default/grub
GRUB_CMDLINE_LINUX="quiet splash video=hyperv_fb:1920x1200"
Set-VMProcessor -VMName "Ubuntu 20.04" -HwThreadCountPerCore 2
"KVM requires a CPU that supports vmx or svm"
Set-VMProcessor -VMName "Ubuntu 20.04" -ExposeVirtualizationExtensions $true
Security issues
availability
security
report incidents
business tasks > react time 15 minutes
white time not able to access report outages information requests 'from media' communication to other blue teams
green team is infra support
white team simulated users
capture vm ubuntu / captures one segment span port ... reachable from dmz? custom ... kali
Network Picture / HW info
info recon/ feedback ... yellow/red/white/blue
Access Logs Elasticsearch SIEM Syslog / Logstash? Beats winlogbeat > routable ... tunnel auditbeats Uptime in Elasticsearch CIS Hardening ... Ansible Elastalert
automate everything? ansible online patching ... smb patching agents
scripted attacks defender avast
nessus? target yes scan > rogue vm's ...
match list of known hosts. external host scans
users program enumerators ... ambitions pdf reader
iis ... user ... Defaced Websites? Scanner
Detect Changes Guestbook... Injections attacks
Host down monitoring
VM outside for checking services Detect filechanges?
Offline Patching ... WSUS
Administrator user ... different passwords per hosts
Integrity of windows ... / ISTI Team
FileChanges?
WindowsOPenSCAP?
Trolling Strategy PS Binary
advanced debugging test
WINRM Do everything that was needed Document findings WINRM
3PP Firewall Windows Avast / Firewall / Offline Patching
Netstat ...
Credentials / Wiki Allow white team access / Regular Access to Windows. Scoring ports : Scan SNMP SMTP PING
Working rules with forensics team / communications team how to report. During Prep MISP ??? Avast ask for permissions ... white team request clicks everything they can live forensics ... ?? / live analysis / show binary
ZIG module? lateral movement windows RITA SYSLOG Beacon detection ActiveCM Company
The specified extrinsic Method does not exist. OpenWBEM https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html
Communication Strategy. Communication should be recordable template / threat rep Install MISP for reporting
Cleanup reports / this ip is attacking outside ... our hosts not reported report malware / compromise this file or process =>
threat report directly by team members in the chat ... one liners tickets to the green team?
Example issues
pdf view not working news paper website / review if it makes sense? responds.
msexe wscript lolbas talos blog hunting for
user accounts function accounts with $
logon types 4624 / logintype 2,3,4,5,6,7,8,9,10,11 impersonation level ultimatewindowssecurity.com
https://www.sneakymonkey.net/2018/06/25/blue-team-tips/ https://chrissanders.org/publications/
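Added example, not from the original notes: a triage of the 4624 logon types listed above, reading the named EventData fields so the logon type, source address and impersonation level come out by name. It assumes it runs elevated on the host whose Security log is being reviewed.

```powershell
# Added example, not from the original notes: summarise 4624 logon events by logon
# type and list the remote/alternate-credential ones from real user accounts.
# Assumes it runs elevated on the host whose Security log is being reviewed.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the named EventData fields from the XML rather than relying on property indexes
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            User          = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType     = [int]$d.LogonType
            TypeName      = $LogonTypeNames[[int]$d.LogonType]
            Source        = $d.IpAddress
            Workstation   = $d.WorkstationName
            Impersonation = $d.ImpersonationLevel   # resource id such as %%1833, see ultimatewindowssecurity.com
        }
    }
}

$all = Get-LogonSummary
# Volume per logon type: a sudden rise in type 3 or 10 is worth a closer look
$all | Group-Object TypeName | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# RDP (10), cleartext (8) and runas /netonly style (9) logons from user accounts:
# skip machine accounts (names ending in $) and the built-in system identities
$all | Where-Object { ($_.LogonType -in 8, 9, 10) -and $_.User -notmatch '\$$' -and $_.User -notmatch 'SYSTEM|ANONYMOUS LOGON' } |
    Sort-Object Time | Format-Table Time, User, TypeName, Source, Workstation -AutoSize
```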
laps AdmPwd.dll SecCli.dll
https://adsecurity.org/?p=3377
Best Practice Analyzer https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759260(v=ws.11)?redirectedfrom=MSDN
Remote Management with Server Manager https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759202%28v%3dws.11%29
Windows Removal
https://www.askvg.com/gui...lt-in-apps-in-windows-10/
https://www.laptopmag.com...e-windows-10-builtin-apps
https://www.howtogeek.com...nd-how-to-reinstall-them/
https://github.com/Sycnex/Windows10Debloater
PowerShell -> Run as Administrator
Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*"} | Remove-AppxPackage
ADFS
EnableCredSSP X509Enrollment.CX509PrivateKey.1
ADFS for webservice SSO
Windows-based service for file sharing
Outlook Web Access
WSUS server for BTs
Primary Domain controller for MIL domain
Secondary domain controller for MIL domain
Windows Fileserver for MIL file sharing needs
WSUS
WSUS (Windows Server Update Services) is used for Windows updates, which clients can then retrieve from the on-site AD. The update packages are synchronized from the Microsoft catalog, the files are stored in the content directory and the updates are registered in the WID (Windows Internal Database) in a database named SUSDB. The WID is a built-in SQL Server Express variant. The application runs on IIS in an application pool named WsusPool, with 8 sites, some of which expose a SOAP interface. The web service listens on 8531 for TLS (Microsoft still calls it SSL) and 8530 for HTTP traffic. Do not enable TLS for the top-level site: content is transferred over HTTP only. IIS parameters must be tuned, otherwise the service is likely unusable. A group policy attached to the clients tells them where to find the WSUS server; on the server you set the synchronization schedule for new updates for all the products you are interested in (for me only Windows 11 and Defender).
https://www.catalog.update.microsoft.com/Search.aspx?q=windows%2011
The service is unbearably slow if IIS is not optimized.
Setting name: Value
Queue Length: 2000 (up from default of 1000)
Idle Time-out (minutes): 0 (down from the default of 20)
Ping Enabled: False (from default of True)
Private Memory Limit (KB): 0 (unlimited, up from the default of 1,843,200 KB)
Regular Time Interval (minutes): 0 (to prevent a recycle, modified from the default of 1740)
https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl
Configure the WSUS web services to require SSL. In IIS Manager on the WSUS server, go to Sites > WSUS Administration. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. For each of the below WSUS web services:
ApiRemoting30
ClientWebService
DSSAuthWebService
ServerSyncWebService
SimpleAuthWebService
Make the following changes:
Select SSL Settings. Enable the Require SSL option. Verify the Client certificates option is set to Ignore. Select Apply.
Don't set the SSL settings at the top-level "WSUS Administration" site, since certain functions, such as content download, must use HTTP.
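The WsusPool values from the table above and the Require SSL setting for the five web services, as an added example that is not part of the original notes. It assumes the WebAdministration module that ships with IIS and the default site name "WSUS Administration".

```powershell
# Added example, not from the original notes: apply the WsusPool values from the table
# above and require TLS on the five WSUS web services only. The site root (and with it
# the Content directory) is deliberately left on HTTP. Assumes the WebAdministration
# module that ships with IIS and the default site name "WSUS Administration".
Import-Module WebAdministration

$pool = 'IIS:\AppPools\WsusPool'
Set-ItemProperty -Path $pool -Name queueLength -Value 2000
Set-ItemProperty -Path $pool -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)          # 0 = never idle out
Set-ItemProperty -Path $pool -Name processModel.pingingEnabled -Value $false
Set-ItemProperty -Path $pool -Name recycling.periodicRestart.privateMemory -Value 0            # 0 = unlimited
Set-ItemProperty -Path $pool -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)    # no timed recycle

$site = 'WSUS Administration'
$services = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService', 'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($svc in $services) {
    # 'Ssl' alone = Require SSL with client certificates ignored (no SslNegotiateCert / SslRequireCert)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$svc" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}
# The site root must stay at 'None', otherwise content download over 8530 breaks
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

Restart-WebAppPool -Name WsusPool
```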
SQL Server Management Studio Express
The WID database needs to be reindexed regularly. This can be done with the sqlcmd command-line tool (the ODBC-based one, not the Go version). It depends on ODBC Driver 17 and the Visual C++ 2017 runtime. The WID is accessed through a named pipe:
SQLCMD
https://go.microsoft.com/fwlink/?linkid=2230791
ODBC Driver
https://go.microsoft.com/fwlink/?linkid=2249006
Visual C++ 2017
https://aka.ms/vs/17/release/vc_redist.x64.exe
\\.\pipe\MICROSOFT##WID\tsql\query
ODBC ver 17
MsSqlCmdLnUtils 15
https://go.microsoft.com/fwlink/?linkid=2230791
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -E
Select COUNT(UpdateID) from vwMinimalUpdate where IsSuperseded=1 and Declined=0;
go
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i wsus-reindex.sql
Decline superseded updates
https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/aa387293(v=vs.85)
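Declining the set that the sqlcmd query above counts, through the WSUS administration API instead of the console, as an added example that is not part of the original notes. It assumes the UpdateServices PowerShell module on the WSUS server itself and an elevated session.

```powershell
# Added example, not from the original notes: decline the updates the sqlcmd query
# above counts (superseded and not yet declined) through the WSUS administration API.
# Run elevated on the WSUS server; call with -DryRun first to see the list.
Import-Module UpdateServices

function Get-SupersededUndeclined {
    $wsus = Get-WsusServer   # local server, same object as AdminProxy.GetUpdateServer()
    # IsSuperseded / IsDeclined are the API view of the vwMinimalUpdate columns used above
    $wsus.GetUpdates() | Where-Object { $_.IsSuperseded -and -not $_.IsDeclined }
}

function Invoke-DeclineSuperseded {
    param([switch]$DryRun)
    $updates = @(Get-SupersededUndeclined)
    Write-Host "Superseded and not declined: $($updates.Count)"
    foreach ($u in $updates) {
        if ($DryRun) { '{0}  {1}' -f $u.CreationDate.ToString('yyyy-MM-dd'), $u.Title }
        else         { $u.Decline() }
    }
    # Declining only changes metadata; run the cleanup afterwards to drop obsolete content:
    # Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CompressUpdates -CleanupUnneededContentFiles
    return $updates.Count
}

Invoke-DeclineSuperseded -DryRun
```

The same module also offers Invoke-WsusServerCleanup -DeclineSupersededUpdates as a one-shot alternative; the function above is useful when you want to review the list first.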
0x8024401C WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT.
Either the client can't reach the server, or the SOAP responses come too slowly from the server, for instance when the database is slow
http://win-dc1:8530/ClientWebService/client.asmx
Log location
C:\Program Files\Update Services\WebServices\ApiRemoting30
C:\Windows\System32\LogFiles\HTTPERR
URL's
http://win-dc1:8530/selfupdate/iuident.cab
https://win-dc1:8531/selfupdate/iuident.cab
http://win-dc2:8530/selfupdate/iuident.cab
https://win-dc2:8531/selfupdate/iuident.cab
http://win-dc1:8530/ClientWebService/client.asmx
http://win-dc2:8530/ClientWebService/client.asmx
https://win-dc1:8531/ClientWebService/client.asmx
https://win-dc2:8531/ClientWebService/client.asmx
event viewer
SSMS
SQLCMD
WSUS Client
API for WSUS client
windows 11 22h2, english
defender
group policy
gpupdate -force
\\domain.com\SysVol\domain.com\Policies\{FC973EB5-AA57-4CDC-B184-58DD91E5CBB1}\gpt.ini
https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/
Stop-Service -Name BITS, wuauserv -Force
Remove-ItemProperty -Name AccountDomainSid, PingID, SusClientId, SusClientIDValidation -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service -Name BITS, wuauserv
wuauclt /resetauthorization /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
%windir%\Logs\CBS
Failed to get visibility for package: Microsoft-OneCore-DirectX-Database-FOD-Package
C:\Program Files\Update Services\WebServices
C:\Windows\System32\LogFiles\HTTPERR
C:\Program Files\Update Services\LogFiles\SoftwareDistribution
Preparation
Preparing an Ansible playbook for: online patching
Preparing an Ansible playbook for: installing SIEM/HIDS agents
Preparing an Ansible playbook for: installing 3PP antivirus (avast free?)
Prepare rules for SIEM alerts.
Preparing on how we retrieve, store and send malware files for malware analysis
Prepare an ansible playbook for: audit local + domain users on system + removal of unneeded users
Prepare ansible playbook for: enumerating programs/processes so we can audit and remove unneeded ones (needs to include SMB)
Prepare the MAC hardening
Preparing IIS hardening (automated) + permissions IIS user
Preparing an ansible playbook for: installing + configuring 3PP firewall
Prepare offline patching as a patching 'plan B'
Preparing an ansible playbook for: create special Administrator user + placing different password per host.
Prepare scan to recognize rogue hosts
Prepare strategy for logging changes to files (which ones, how to enable logging, make ansible playbook for it)
Prepare ansible playbook for running windows Openscap (and collect results somewhere)
Come up with a 'trolling' strategy.. how can we make life for red-teamers harder? aliases for certain commands? what does cobalt strike do so we know what commands
Prepare CIS hardening script
Day 0
Enable powershell/winRM everywhere.
Change administrator password on all hosts.
Run windows updates
Audit accounts + remove unneeded ones
Audit programs/processes + remove unneeded ones
Install FW and AV with Ansible
Install IDS/TI agents
Run scans
Document findings
Add our trolling stuff (if we want to go that route)
Run CIS hardening scripts
https://www.ultimatewindowssecurity.com/securitylog/default.aspx
https://github.com/api0cradle/LOLBAS
https://www.sneakymonkey.net/2018/01/21/laps/
https://chrissanders.org/publications/
Integrity
https://lolbas-project.github.io/#
https://github.com/LOLBAS-Project/LOLBAS
Windows Script Host, PowerShell and HTA
https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html 643da5be13e18037f4fa484d4ccb51b9
Install-Module -Name PowerShellGet -Force
alternate data streams
test.txt:ha.exe
hidden powershell hosts
systems automation file (escape parameters)
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert('boom');"
https://medium.com/@fecarrara1/powershell-for-file-integrity-check-36203aef64a4
Get-ChildItem -Recurse | Get-FileHash -Algorithm MD5 | Out-File -FilePath 'C:\Users\janmg\windows-10pro.txt'
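The one-off hash listing above turned into a baseline that can be diffed later, with alternate data streams (the test.txt:ha.exe case) recorded alongside the hash, as an added example that is not part of the original notes. It uses SHA256 instead of MD5 and assumes a baseline CSV path of your choice.

```powershell
# Added example, not from the original notes: turn the one-off hash listing above into
# a baseline that can be compared later, recording alternate data streams as well
# (the test.txt:ha.exe case). Assumes SHA256 and a baseline CSV path of your choice.
function Get-IntegritySnapshot {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = [string](Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # Any stream other than the default ':$DATA' is an ADS carrying extra, normally invisible content
        $ads = @(Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object Stream) -join ';'
        [pscustomobject]@{ Path = $_.FullName; Hash = $hash; Length = $_.Length; Streams = $ads }
    }
}

function Save-IntegrityBaseline {
    param([string]$Root, [string]$BaselinePath)
    Get-IntegritySnapshot -Root $Root | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
}

function Compare-IntegrityBaseline {
    param([string]$Root, [string]$BaselinePath)
    $old = @{}; Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $old[$_.Path] = $_ }
    $new = @{}; Get-IntegritySnapshot -Root $Root      | ForEach-Object { $new[$_.Path] = $_ }
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Added'; Path = $p; Detail = $new[$p].Hash }
        } elseif ($old[$p].Hash -ne $new[$p].Hash) {
            [pscustomobject]@{ Change = 'Modified'; Path = $p; Detail = "$($old[$p].Hash) -> $($new[$p].Hash)" }
        } elseif ($old[$p].Streams -ne $new[$p].Streams) {
            # Same file content, but an alternate data stream appeared or changed
            [pscustomobject]@{ Change = 'ADS'; Path = $p; Detail = $new[$p].Streams }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed'; Path = $p; Detail = $old[$p].Hash } }
    }
}

# Baseline once after hardening, then compare on a schedule or when something looks off
# Save-IntegrityBaseline    -Root 'C:\inetpub\wwwroot' -BaselinePath 'C:\baseline\wwwroot.csv'
# Compare-IntegrityBaseline -Root 'C:\inetpub\wwwroot' -BaselinePath 'C:\baseline\wwwroot.csv' | Format-Table -AutoSize
```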
C:\windows\ServiceProfiles\NetworkService\NTUSER.DAT C:\windows\ServiceProfiles\LocalService\NTUSER.DAT