Windows

From Braindump
Revision as of 14:46, 28 June 2025 by Jan

Windows 11 Pro License

https://www.allkeyshop.com/blog/buy-windows-11-pro-cd-key-compare-prices/

https://github.com/ntdevlabs/tiny11builder

Dism /online /Set-Edition:Professional

slmgr -dli
slmgr -dlv
slmgr -xpr
slmgr -upk
slmgr -cpky
slmgr -ipk KEY12-KEY34-KEY56-KEY78-KEY90
slmgr -ato

https://learn.microsoft.com/en-us/windows-server/get-started/kmsclientkeys#windows-server-ltscltsb-versions

Windows Server 2022

https://www.allkeyshop.com/blog/buy-windows-server-2022-cd-key-compare-prices/

https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso

Dism /online /Set-Edition:ServerStandard /ProductKey:VDYBN-27WPP-V4HQT-9VMD4-VMK7H /AcceptEula

slmgr -ato

Windows Server 2025

https://www.microsoft.com/en-us/evalcenter/download-windows-server-2025

For an in-place upgrade of a domain controller you need ADPREP and FORESTPREP (adprep /forestprep).

Dism /online /Set-Edition:ServerStandard /ProductKey:TVRH6-WHNXV-R9WG3-9XRFY-MY832 /AcceptEula

Install the GUI (Desktop Experience): Cloudsync depends on graphics components that are otherwise not available. Running the Core version without a desktop is great if you can manage Windows Server through PowerShell and the occasional application, but browsers and other sync tools won't work.

https://support.microsoft.com/en-us/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d

Windows Server on XEN

lvcreate -n win-dc -L 48G share
/etc/xen/win-dc.hvm
builder = "hvm"
name = "win-dc"
memory = "6144"
viridian = 1
vcpus = 4
#boot="dnc"
vif = ['bridge=lan,model=e1000,rate=10Gb/s']
disk = ['phy:/dev/share/win-dc,hda,w','file:/share/SERVER_EVAL_x64FRE_en-us.iso,hdc:cdrom,r']

WSL

wsl.exe --list --online

wsl.exe --install Ubuntu-24.04

Initial Configuration

sconfig
2 Change hostname
8 Set static IP
8 Set DNS
7 Enable Remote Desktop
6 Install updates
13 Restart

Test-NetConnection -ComputerName win-dc1 -Port 389

1 Join domain
Add the Active Directory Domain Services role
Promote to (primary) DC by clicking the flag in Server Manager, or with the two cmdlets below:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -CreateDnsDelegation:$false -InstallDns:$true -DomainName "domain.com" -SiteName "Default-First-Site-Name" -ReplicationSourceDC "win-dcx.domain.com" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force:$true

FSMO (Flexible Single Master Operation) roles

The number is the role id used by ntdsutil and by the OperationMasterRole parameter below.

Scope   No  Service  Protocol  Master Role           Location
Forest  3   NTDS     LDAP      SchemaMaster          CN=Schema,CN=Configuration,DC=<forest root domain>
Forest  4   DNS                DomainNamingMaster    CN=Configuration,DC=<forest root domain>
Domain  2                      InfrastructureMaster  DC=<domain>
Domain  1                      RIDMaster             DC=<domain>
Domain  0                      PDCEmulator           DC=<domain>

nltest /dsgetdc:ISLIEF.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE /DS_6

nltest /dsgetdc:ISLIEF.COM /WRITABLE

Query Master Role

netdom query fsmo

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator

Move Master Role

Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole SchemaMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole DomainNamingMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole PDCEmulator -Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole InfrastructureMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity win-dc1 -OperationMasterRole RIDMaster -Force

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/transfer-or-seize-operation-master-roles-in-ad-ds

https://learn.microsoft.com/en-us/troubleshoot/windows-server/welcome-windows-server

https://4sysops.com/archives/active-directory-passwords-all-you-need-to-know/

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032

DSREGCMD /status

Remove Role and Demote AD

Move-ADDirectoryServerOperationMasterRole -Identity win-dcx -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster


Winget

$progressPreference = 'silentlyContinue'
Write-Information "Downloading WinGet and its dependencies..."
Invoke-WebRequest -Uri https://aka.ms/getwinget -OutFile Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile Microsoft.VCLibs.x64.14.00.Desktop.appx
Invoke-WebRequest -Uri https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.7.3/Microsoft.UI.Xaml.2.7.x64.appx -OutFile Microsoft.UI.Xaml.2.7.x64.appx
Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx
Add-AppxPackage Microsoft.UI.Xaml.2.7.x64.appx
Add-AppxPackage Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle

Chocolatey

https://community.chocolatey.org/

Telegraf

https://www.influxdata.com/downloads/

https://www.influxdata.com/blog/using-telegraf-on-windows/

wget https://dl.influxdata.com/telegraf/releases/telegraf-1.34.4_windows_amd64.zip -UseBasicParsing -OutFile telegraf-1.34.4_windows_amd64.zip
Expand-Archive .\telegraf-1.34.4_windows_amd64.zip -DestinationPath 'C:\Program Files\InfluxData\telegraf'
wget https://dl.influxdata.com/telegraf/releases/telegraf-1.28.2_windows_amd64.zip -UseBasicParsing -OutFile telegraf-1.28.2_windows_amd64.zip
Expand-Archive .\telegraf-1.28.2_windows_amd64.zip -DestinationPath 'C:\Program Files\InfluxData\telegraf'
cd 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2\'
.\telegraf --config-directory 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2' --test
icacls telegraf.conf /reset
icacls telegraf.conf /inheritance:r /grant system:r
.\telegraf --service install --config-directory 'C:\Program Files\InfluxData\telegraf\telegraf-1.28.2'

influx

> use telegraf

> show series where host='rasp4'

DFS Replication

https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview

Domain controllers use a special shared folder named SYSVOL to replicate sign-in scripts and Group Policy object files to other domain controllers.

https://www.youtube.com/watch?v=ja53C2Mz1EQ

Warning: Waiting for initial replication Message: This member is waiting for initial replication for replicated folder SYSVOL Share and is not currently participating in replication.

adsiedit.msc
DC=domain,DC=com
OU=Domain Controllers
CN=WIN-DC1
CN=DFSR-LocalSettings
CN=Domain System Volume
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC1,OU=Domain Controllers,DC=islief,DC=com
msDFSR-Enabled=False
msDFSR-options=1
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC3,OU=Domain Controllers,DC=islief,DC=com
msDFSR-Enabled=False
repadmin /syncall /AdeP
stop-service dfsr
Invoke-Command -ComputerName win-dc3 -ScriptBlock { Stop-Service dfsr }
start-service dfsr
Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC1,OU=Domain Controllers,DC=islief,DC=com
msDFSR-Enabled=True
repadmin /syncall /AdeP
dfsrdiag pollad
Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4602} | fl
Invoke-Command -ComputerName win-dc3 -ScriptBlock { Start-Service dfsr }
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC3,OU=Domain Controllers,DC=islief,DC=com
msDFSR-Enabled=True
repadmin /syncall /AdeP
Invoke-Command -ComputerName win-dc3 -ScriptBlock { dfsrdiag pollad }
dcdiag /v /c /e /q
Get-DfsrBacklog -SourceComputerName "win-dc1" -DestinationComputerName "win-dc2"
Get-DfsrState -ComputerName "win-dc1" | Format-Table FileName,UpdateState,Inbound,Source* -Auto -Wrap
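The adsiedit.msc and dfsrdiag steps above done from PowerShell, as an added example that is not part of the original notes: a non-authoritative SYSVOL resync of one DC, flipping msDFSR-Enabled with Set-ADObject and waiting for events 4114 and 4602 instead of reading the log by hand. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the target DC, a Domain Admin session and a healthy partner DC; the function name and the $DC parameter are mine.

```powershell
# Added example, not from the original notes. Non-authoritative (D2-style) SYSVOL
# resync of a single DC. Run from a Domain Admin session with the ActiveDirectory
# module loaded; requires PowerShell remoting to the target DC.
Import-Module ActiveDirectory

function Wait-DfsrEvent {
    # Poll the target DC's "DFS Replication" log until $Id appears after $Since.
    # 4114 = replicated folder disabled, 4602 = SYSVOL initialised and shared.
    param([string]$Computer, [int]$Id, [datetime]$Since, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $ev = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
            LogName = 'DFS Replication'; Id = $Id; StartTime = $Since
        } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { return $ev }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Event $Id not logged on $Computer within $TimeoutSec seconds"
}

function Reset-SysvolNonAuthoritative {
    # $DC is the domain controller whose SYSVOL copy is rebuilt from a partner.
    param([Parameter(Mandatory)] [string] $DC)

    $domainDN     = (Get-ADDomain).DistinguishedName
    $subscription = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
                    "CN=$DC,OU=Domain Controllers,$domainDN"

    # Step 1: disable the subscription (msDFSR-Enabled=FALSE), replicate the change
    # and make the DC re-read its DFSR config from AD.
    $start = Get-Date
    Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $false }
    repadmin /syncall /AdeP | Out-Null
    Invoke-Command -ComputerName $DC -ScriptBlock { dfsrdiag pollad | Out-Null }
    Wait-DfsrEvent -Computer $DC -Id 4114 -Since $start | Out-Null
    Write-Output "$DC : SYSVOL replication disabled (event 4114)"

    # Step 2: re-enable; DFSR now performs an initial sync from a partner DC.
    $start = Get-Date
    Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $true }
    repadmin /syncall /AdeP | Out-Null
    Invoke-Command -ComputerName $DC -ScriptBlock { dfsrdiag pollad | Out-Null }
    Wait-DfsrEvent -Computer $DC -Id 4602 -Since $start | Out-Null
    Write-Output "$DC : SYSVOL initial sync finished (event 4602)"

    # Step 3: confirm the shares are back and no backlog remains.
    Invoke-Command -ComputerName $DC -ScriptBlock { net share | Select-String 'SYSVOL|NETLOGON' }
}

Reset-SysvolNonAuthoritative -DC 'WIN-DC3'
```

Afterwards dcdiag /v /c /e /q and Get-DfsrBacklog as above should come back clean.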

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-authoritative-recovery-sysvol

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization#how-to-perform-an-authoritative-synchronization-of-dfsr-replicated-sysvol-replication-like-d4-for-frs

https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f

backup

wbadmin -authsysvol

events

Get-WinEvent -LogName 'DFS Replication' | Where-Object ID -EQ 4602 | Format-Table -AutoSize -Wrap

Install-WindowsFeature -Name RSAT-DFS-Mgmt-Con

replication service
net stop dfsr
net start dfsr
Restart-Service DFSR -PassThru
DFSRDIAG POLLAD
dcdiag
dfsrdiag SyncNow /Partner:win-dc1 /RGName:"Domain System Volume" /Time:120
dfsrdiag replicationstate
dfsrdiag backlog /rgname:"Domain System Volume" /rfname:SYSVOL /sendingmember:win-dc1 /receivingmember:win-dc2
repadmin /syncall win-dc1 /APed
repadmin /SHOWREPS win-dc1
repadmin /SHOWREPS win-dc2


adsiedit.msc
msDFSR-Enabled=TRUE
msDFSR-options=1


$group = "Domain System Volume"
$folder = "SYSVOL"
$dc = "win-dc2" # Your secondary DC name
New-DfsReplicationGroup -GroupName $group -Domain islief.com
New-DfsReplicatedFolder -GroupName $group -FolderName $folder -Path "C:\Windows\SYSVOL\sysvol"
Get-DfsrBacklog -GroupName "Domain System Volume" -SourceComputerName win-dc1 -DestinationComputerName win-dc2
Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

Error: 9061 (The replicated folder has been offline for too long.)

https://learn.microsoft.com/en-us/answers/questions/317003/dfsr-setting-maxofflinetimeindays-resets-rpc-port

wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays = 999
takeown /F "C:\System Volume Information\DFSR" /A /R /D Y
icacls "C:\System Volume Information\DFSR" /grant Administrators:F /T
Remove-Item -Path "C:\System Volume Information\DFSR" -Recurse -Force
takeown /F "C:\windows\SYSVOL" /A /R /D Y
icacls "C:\windows\SYSVOL" /grant Administrators:F /T
Remove-Item -Path "C:\Windows\SYSVOL" -Recurse -Force
robocopy "\\win-dc1\C$\Windows\SYSVOL\sysvol" "C:\Windows\SYSVOL\sysvol" /MIR /COPY:DAT /R:3 /W:5
$PrimaryDCPath = "\\win-dc1\SYSVOL\islief.com"
$SecondaryDCPath = "\\win-dc2\SYSVOL\islief.com"
$PrimaryDCFiles = Get-ChildItem -Path $PrimaryDCPath -Recurse | Select-Object FullName, LastWriteTime, Length
$SecondaryDCFiles = Get-ChildItem -Path $SecondaryDCPath -Recurse | Select-Object FullName, LastWriteTime, Length
$Comparison = Compare-Object -ReferenceObject $PrimaryDCFiles -DifferenceObject $SecondaryDCFiles -Property FullName, LastWriteTime, Length
if ($Comparison) {
   Write-Output "Differences found in SYSVOL folders between Primary and Secondary DCs:"
   $Comparison | Format-Table -AutoSize
} else {
   Write-Output "SYSVOL folders are identical on both DCs."
}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters

Under Parameters, create a new DWORD value named SysvolReady and set it to 0

dfsrdiag pollad

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols[Domain name]

MTU

netsh interface ipv4 set subinterface "Ethernet" mtu=1464
netsh interface ipv6 set subinterface "Ethernet" mtu=1464

Network

netstat -na
netstat -nao
netstat -ab
netstat -a -n -p tcp -o
perfmon /res

Powershell

$PSVersionTable.PSVersion
Install-Module -Name PowerShellGet -Force
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Install-Module -Name Az -AllowClobber -Scope AllUsers
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Restricted
Import-Module Az.Accounts
Connect-AzAccount
Install-AzAksKubectl
Write-Output $Env:Path
Import-AzAksCredential -ResourceGroupName cluster -Name cluster

PATH

$Env:Path += ";C:\Program Files\Git\cmd\"

Diskpart

diskmgmt.msc doesn't always allow you to remove partitions

diskpart
list disk
select disk 1
list part
delete partition override

GET-CimInstance -query "SELECT * from Win32_DiskDrive"

Get-WMIOBJECT -query "SELECT * from Win32_DiskDrive"

wsl --mount \\.\PHYSICALDRIVE2 --partition 2 --type ext4

Remote Desktop

With Remote Desktop enabled, the server uses a self-signed certificate by default. With Certify The Web a Let's Encrypt certificate can be obtained, and a deployment task can install that certificate on the RDP listener.

Invoke-WebRequest https://certifytheweb.s3.amazonaws.com/downloads/archive/CertifyTheWebSetup_V6.1.5.exe -OutFile certifytheweb.exe


WMIC (does not work)

The task "Deploy to RDP Listener Service (Terminal Service)" doesn't work without WMIC, and WMIC is no longer installed by default on Windows Server 2025.


Set-RDCertificate (does not work)

The RDP listener is the standalone RDP server used to connect remotely to the Windows desktop. This is different from an RDS deployment, which requires CALs and lets users use the server as a terminal server with their own desktop environment.

Set-RDCertificate only applies when the Remote Desktop Services role is deployed (terminal server).


WMIObject.Put (does not work)

The Put() method on the object returned by Get-WmiObject does not work; it appears to have been superseded by the CIM cmdlets.


Set-CimInstance (does not work)

In the CIM schema used by Set-CimInstance, SSLCertificateSHA1Hash is read-only.

https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/set-ciminstance

https://www.reddit.com/r/PowerShell/comments/iauaau/how_do_i_get_the_fingerprint_for_the_windows_rdp/

https://serverfault.com/questions/1025992/cant-write-to-root-cimv2-terminalservices-via-powershell/1026437

(Get-CimInstance -class 'Win32_TSGeneralSetting' -namespace 'root/cimv2/terminalservices' -filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash


Regedit (does not work)

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations

Writing SSLCertificateSHA1Hash as a REG_BINARY value (hex:54,20,00...) in the registry doesn't work either.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp


Set-WmiInstance (works!)

Save the following as a .ps1 file and add a "Run PowerShell Script" task in Certify The Web that calls it:

param($result)
# Certify The Web passes the renewal result; the PFX and its password come from there
$pfxPath     = $result.ManagedItem.CertificatePath
$pfxPassword = $result.ManagedItem.CertificatePassword
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# WMI expects the SHA-1 thumbprint as a plain upper-case hex string
$thumbprint = $cert.Thumbprint.Replace(" ", "").ToUpper()
# Point the RDP-Tcp listener at the new certificate (Set-WmiInstance is the only write path that works, see above)
Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'" |
    Set-WmiInstance -Arguments @{ SSLCertificateSHA1Hash = $thumbprint }
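A read-only check to go with the deployment script, added here and not part of the original notes: it reads the thumbprint the RDP-Tcp listener is configured with, finds the matching certificate in the machine stores, and reports whether it is still the default self-signed one and how long it is valid. The function name is mine; the class and namespace are the ones used above.

```powershell
# Added example, not from the original notes. Reports which certificate the RDP-Tcp
# listener presents; useful after a Certify The Web run or to spot hosts still on the
# auto-generated self-signed certificate.
function Get-RdpListenerCertificate {
    param([string]$TerminalName = 'RDP-Tcp')

    # Same class the deployment script writes; here only read.
    $setting = Get-CimInstance -Namespace 'root/cimv2/terminalservices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$TerminalName'"
    $hash = $setting.SSLCertificateSHA1Hash

    # A deployed certificate lives in LocalMachine\My; the auto-generated one is kept
    # in the "Remote Desktop" store. Look in both.
    $cert = $null; $foundIn = $null
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
        if ($cert) { $foundIn = $store; break }
    }

    $selfSigned = $null; $daysLeft = $null
    if ($cert) {
        # Issuer equal to subject is the signature of the default RDP certificate.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }

    [pscustomobject]@{
        TerminalName  = $TerminalName
        Thumbprint    = $hash
        Store         = $foundIn          # $null: listener points at a cert that is not in either store
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = $selfSigned
        NotAfter      = $cert.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey
    }
}

Get-RdpListenerCertificate | Format-List
```

Store = $null or HasPrivateKey = False both mean RDP will silently fall back to the self-signed certificate at the next connection.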

Hardening Monitoring

InvokeADCheck

NMAP/Nessus/Ports
Version Checks / Updates
Hardening
ELK Access Logs / Firewall Logs
INotify
Canaries

https://github.com/0x6d69636b/windows_hardening

Windows and Active Directory administration
Check existing User Accounts / Roles
Update Server? Run Latest updates
Check Certificates (Root)
Shell Integrity.
CIS Security Hardening
Integrity Scans
Network Sflow
Rita Kansa OSquery
ELK Alert
Observium
eventlogger
Startup Apps
Services
Processes
Users
Performance
Process list
Event manager
msiexec.exe
psexec
CPU, Memory, Disk Space, Temperature

Living off the land

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a

  • systeminfo – create comprehensive summary of device and operating system information
  • ntdsutil – export contents of Active Directory
  • wevtutil – delete event logs
  • vssadmin – make a copy of the server’s C: drive
  • ADexplorer – view, edit, and backup Active Directory Certificate Services
  • schtasks – create persistence using scheduled tasks
  • whoami – retrieve the name of the current user
  • tasklist – retrieve the list of running processes
  • hostname, arp, ssh, openssh
  • net – retrieve detailed user information (and a lot more)
  • wmic – Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
  • cacls – modify permissions on files
  • icacls – modify permissions to files and handle integrity levels and ownership
  • reg – modify the system registry
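Detection logic for the list above, added here and not part of the advisory or the original notes: a small rule set matched against the command line of Security 4688 process-creation events, run over constructed sample records so it works offline. Function names, the rule patterns and the sample records are mine; the live variant needs "Include command line in process creation events" enabled on the audited hosts.

```powershell
# Added example, not from the original notes. Flags 4688 events whose command line
# shows the living-off-the-land usage listed above. Patterns are deliberately narrow
# (the binary plus the sub-command named in the list) to keep noise down.
$LolbinRules = @(
    @{ Name = 'wevtutil: event log cleared';        Pattern = '(?i)\bwevtutil(\.exe)?\s+(cl|clear-log)\b' }
    @{ Name = 'vssadmin: shadow copy created';      Pattern = '(?i)\bvssadmin(\.exe)?\s+create\s+shadow\b' }
    @{ Name = 'ntdsutil: AD database export';       Pattern = '(?i)\bntdsutil(\.exe)?\b.*\b(ifm|create\s+full)\b' }
    @{ Name = 'schtasks: scheduled task created';   Pattern = '(?i)\bschtasks(\.exe)?\s+/create\b' }
    @{ Name = 'icacls/cacls: permissions changed';  Pattern = '(?i)\bi?cacls(\.exe)?\b.*\s/(grant|setowner|reset)\b' }
    @{ Name = 'wmic: logical disk enumeration';     Pattern = '(?i)\bwmic(\.exe)?\b.*\blogicaldisk\b' }
    @{ Name = 'reg: registry modified';             Pattern = '(?i)\breg(\.exe)?\s+(add|delete|import)\b' }
)

function Test-LolbinCommandLine {
    # Names of every rule the command line matches; empty array if none.
    param([string]$CommandLine)
    @($LolbinRules | Where-Object { $CommandLine -match $_.Pattern } | ForEach-Object { $_.Name })
}

function ConvertFrom-Event4688 {
    # Flatten the EventData of a real 4688 record into the fields the rules need.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated   = $Event.TimeCreated
        Computer      = $Event.MachineName
        User          = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        NewProcess    = $d['NewProcessName']
        ParentProcess = $d['ParentProcessName']
        CommandLine   = $d['CommandLine']      # empty unless command-line auditing is on
    }
}

function Get-LolbinHits {
    # Pass through only the records that match, with the matched rule names attached.
    param([Parameter(ValueFromPipeline)] [pscustomobject]$Record)
    process {
        $hits = Test-LolbinCommandLine -CommandLine $Record.CommandLine
        if ($hits.Count -gt 0) {
            $Record | Add-Member -NotePropertyName Rules -NotePropertyValue ($hits -join '; ') -PassThru
        }
    }
}

function Get-Lolbin4688Hits {
    # Live variant: last 24h of 4688 events from the local (or a remote) Security log.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } |
        ForEach-Object { ConvertFrom-Event4688 -Event $_ } | Get-LolbinHits
}

# Constructed sample records (not real telemetry), in the shape ConvertFrom-Event4688 produces.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'WIN-DC1'; User = 'ISLIEF\svc_backup'
                       NewProcess = 'C:\Windows\System32\vssadmin.exe'; ParentProcess = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'vssadmin create shadow /for=C:' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'WIN-DC1'; User = 'ISLIEF\jan'
                       NewProcess = 'C:\Windows\System32\whoami.exe'; ParentProcess = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'whoami /groups' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'WIN-DC2'; User = 'ISLIEF\jan'
                       NewProcess = 'C:\Windows\System32\wevtutil.exe'; ParentProcess = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'wevtutil cl Security' }
)
# Expected: the vssadmin and wevtutil records are reported, the whoami record is not.
$sample | Get-LolbinHits | Format-Table TimeCreated, Computer, User, Rules, CommandLine -AutoSize -Wrap
```

Replace the `$sample` pipeline with `Get-Lolbin4688Hits -ComputerName win-dc1` to run it against a real host.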

HyperVisor

Enable virtualization in UEFI

Windows Features, Hyper-V (Platform and Management Tools)

Hyper-V Set video

Set-VMVideo -VMName "Ubuntu 20.04" -HorizontalResolution 1920 -VerticalResolution 1080
/etc/default/grub
GRUB_CMDLINE_LINUX="quiet splash video=hyperv_fb:1920x1200"
Set-VMProcessor -VMName "Ubuntu 20.04" -HwThreadCountPerCore 2
"KVM requires a CPU that supports vmx or svm"
Set-VMProcessor -VMName "Ubuntu 20.04" -ExposeVirtualizationExtensions $true

Security Monitoring

availability

security

report incidents

business tasks > react time

Measure time not accessible

Report outages

Infra support


capture vm ubuntu / captures one segment span port ... reachable from dmz?

custom ... kali

Network Picture / HW info

info recon/ feedback ... yellow/red/white/blue

Access Logs - Elasticsearch SIEM - Syslog / Logstash Beats - winlogbeat / audit beats

> routable ... tunnel

Uptime in Elasticsearch

CIS Hardening

Ansible Elastalert

Automate everything? ansible online patching... smb patching agents

scripted attacks

defender / avast

nessus? target yes scan > rogue vm's ...

match list of known hosts. / external host scans

users / program enumerators ... ambitions / pdf reader

iis ... user ... Defaced Websites? Scanner

Detect Changes / Guestbook...Injections attacks

Host down monitoring

VM outside for checking services / Detect filechanges?


Offline Patching ... WSUS Administrator user ... different passwords per hosts

Integrity of windows ... FileChanges? Windows OpenSCAP?

Trolling Strategy PS Binary

advanced debugging test

WINRM Do everything that was needed.

3PP Firewall Windows

Netstat ...

Credentials / Wiki

Scan SNMP SMTP PING

Working rules with forensics team / communications team how to report.


MISP ???

Avast ask for permissions ... white team request clicks everything they can, live forensics / live analysis / show binary

ZIG module? lateral movement windows

RITA SYSLOG Beacon detection

ActiveCM Company

The specified extrinsic Method does not exist.

OpenWBEM

https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html

Communication Strategy.

Communication should be recordable

template / threat rep

Install MISP for reporting

Cleanup reports / this ip is attacking outside ... our hosts not reported

report malware / compromise this file or process

threat report directly by team members in the chat ... one liners tickets to the green team?

Example issues

pdf view not working. news paper website / review if it makes sense? responds.

msexe wscript lolbas talos blog hunting for user accounts, function accounts with $

logon types 4624 / logintype 2,3,4,5,6,7,8,9,10,11

impersonation level

ultimatewindowssecurity.com

https://www.sneakymonkey.net/2018/06/25/blue-team-tips/ https://chrissanders.org/publications/

laps AdmPwd.dll SecCli.dll

https://adsecurity.org/?p=3377

Best Practice Analyzer

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759260(v=ws.11)?redirectedfrom=MSDN

Remote Management with Server Manager

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759202%28v%3dws.11%29


ADFS

EnableCredSSP
X509Enrollment.CX509PrivateKey.1
ADFS for webservice SSO
Windows-based service for file sharing
Outlook Web Access
WSUS server for BTs
Primary Domain controller for MIL domain
Secondary domain controller for MIL domain
Windows Fileserver for MIL file sharing needs

Windows update for Business

https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

https://learn.microsoft.com/en-us/windows/deployment/update/wufb-wsus

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Remove the GPO that points your PCs to the WSUS server.

Remove-Item 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Recurse

gpupdate /force

Restart-Service -name "Windows Update"

Group Policy: Specify source service for specific classes of Windows Updates

   Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\


*.dl.delivery.mp.microsoft.com

*.windowsupdate.com

*.prod.do.dsp.mp.microsoft.com

*.delivery.mp.microsoft.com

*.update.microsoft.com

tsfe.trafficshaping.dsp.mp.microsoft.com

WSUS

WSUS (Windows Server Update Services) is used for Windows updates, which clients then retrieve from the on-site AD server. The updates are registered in the WID (Windows Internal Database) in a database named SUSDB. The WID is a built-in SQL Express server. The WID database needs to be reindexed regularly; this can be done with the sqlcmd command line (not the Go version). It depends on ODBC 17 and the C++ 2017 runtime, and is accessed through a named pipe.

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/reindex-the-wsus-database

sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i wsus-reindex.sql

sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -Q "DROP DATABASE SUSDB"

The application runs on IIS in an application pool named WsusPool, with 8 sites, some of which expose a SOAP interface. The web service listens on 8531 for TLS (which Microsoft still calls SSL) and 8530 for HTTP. Do not enable TLS for the top-level site: content is transferred over HTTP only. IIS parameters must be tuned, otherwise the service is likely unusable.


The service is unbearably slow if IIS is not optimized.

Setting name     Value
Queue Length     2000 (up from default of 1000)
Idle Time-out (minutes)     0 (down from the default of 20)
Ping Enabled     False (from default of True)
Private Memory Limit (KB)     0 (unlimited, up from the default of 1,843,200 KB)
Regular Time Interval (minutes)     0 (to prevent a recycle, and modified from the default of 1740)

https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl

Configure the WSUS web services to require SSL. In IIS Manager on the WSUS server, go to Sites > WSUS Administration and expand the site so you see the list of web services and virtual directories. For each of the following WSUS web services:

ApiRemoting30
ClientWebService
DSSAuthWebService
ServerSyncWebService
SimpleAuthWebService

Make the following changes:

Select SSL Settings.
Enable the Require SSL option.
Verify the Client certificates option is set to Ignore.
Select Apply.

Don't set the SSL settings at the top-level "WSUS Administration" site, since certain functions such as Content must use HTTP.

The update packages are synchronized from the Microsoft Update Catalog; the files are stored in the content directory.

https://www.catalog.update.microsoft.com/Search.aspx?q=windows%2011


A group policy attached to the clients tells them where to find the WSUS server and sets the schedule for new updates; synchronization is configured for the products you are interested in (for me only Windows 11 and Defender).


cd "C:\Program Files\Update Services\Tools"

.\WsusUtil.exe movecontent D:\ D:\move.log -skipcopy

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide#maintain-wsus-while-supporting-configuration-manager-current-branch-version-1906-and-later-versions

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide#decline-superseded-updates

SQL Server Maintenance

SQL Server Management Studio Express

SQLCMD

https://go.microsoft.com/fwlink/?linkid=2230791

ODBC Driver

https://go.microsoft.com/fwlink/?linkid=2249006

Visual C++ 2017

https://aka.ms/vs/17/release/vc_redist.x64.exe

\\.\pipe\MICROSOFT##WID\tsql\query

sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -Q "DROP DATABASE SUSDB"

ODBC ver 17

https://learn.microsoft.com/en-us/sql/connect/odbc/download-odbc-driver-for-sql-server?view=sql-server-ver16#version-17

MsSqlCmdLnUtils 15

https://go.microsoft.com/fwlink/?linkid=2230791

sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -E
Select COUNT(UpdateID) from vwMinimalUpdate where IsSuperseded=1 and Declined=0;
go

Decline superseded updates

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/decline-superseded-updates
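The same housekeeping the SQL count above measures, done through the UpdateServices API instead of touching SUSDB, as an added example that is not part of the original notes or the linked Microsoft article. It assumes the WSUS administration console (UpdateServices PowerShell module) is installed where you run it, and the WSUS server is win-dc1 on 8530 as elsewhere on this page; the function name, the -Decline switch and the skip-if-approved rule are mine.

```powershell
# Added example, not from the original notes. Reports (and optionally declines) updates
# WSUS already marks as superseded. Report-only unless -Decline is given.
function Invoke-WsusSupersededCleanup {
    param(
        [string]$Server = 'win-dc1',
        [int]$Port = 8530,
        [switch]$UseSsl,
        [switch]$Decline        # without it nothing is changed on the server
    )
    $wsus = Get-WsusServer -Name $Server -PortNumber $Port -UseSsl:$UseSsl

    # GetUpdates() without a scope returns every update WSUS knows about; this is the
    # API equivalent of "IsSuperseded=1 and Declined=0" from the SQL query above.
    $superseded = @($wsus.GetUpdates() | Where-Object { $_.IsSuperseded -and -not $_.IsDeclined })

    # Do not decline an update that is still approved for install somewhere: an approval
    # on a superseded update usually means the superseding one has not been approved yet.
    $skipped   = @($superseded | Where-Object { $_.IsApproved })
    $toDecline = @($superseded | Where-Object { -not $_.IsApproved })

    $declined = 0
    foreach ($u in $toDecline) {
        if ($Decline) {
            $u.Decline()
            $declined++
        } else {
            Write-Output ("would decline: {0} (KB {1})" -f $u.Title, ($u.KnowledgebaseArticles -join ','))
        }
    }

    [pscustomobject]@{
        Server           = $Server
        SupersededActive = $superseded.Count
        SkippedApproved  = $skipped.Count
        Declined         = $declined
        ReportOnly       = -not $Decline
    }
}

Invoke-WsusSupersededCleanup                # list what would be declined
# Invoke-WsusSupersededCleanup -Decline     # decline, then run the cleanup wizard and the reindex
```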


https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wsus-and-the-catalog-site

https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus

https://learn.microsoft.com/en-US/troubleshoot/mem/configmgr/update-management/wsus-maintenance-guide

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/windows-server-update-services-best-practices

https://learn.microsoft.com/en-gb/troubleshoot/windows-client/deployment/common-windows-update-errors

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/aa387293(v=vs.85)

0x8024401C WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT

Either the client can't reach the server, or the SOAP responses come back too slowly from the server, for instance when the database is slow.

http://win-dc1:8530/ClientWebService/client.asmx

Log location

C:\Program Files\Update Services\WebServices\ApiRemoting30
C:\Windows\System32\LogFiles\HTTPERR

URL's

http://win-dc1:8530/selfupdate/iuident.cab

https://win-dc1:8531/selfupdate/iuident.cab

http://win-dc2:8530/selfupdate/iuident.cab

https://win-dc2:8531/selfupdate/iuident.cab

http://win-dc1:8530/ClientWebService/client.asmx

http://win-dc2:8530/ClientWebService/client.asmx

https://win-dc1:8531/ClientWebService/client.asmx

https://win-dc2:8531/ClientWebService/client.asmx

event viewer

SSMS

SQLCMD

WSUS Client

API for WSUS client

windows 11 22h2, english

defender

group policy

gpupdate -force

\\domain.com\SysVol\domain.com\Policies\{FC973EB5-AA57-4CDC-B184-58DD91E5CBB1}\gpt.ini

https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

Stop-Service -Name BITS, wuauserv -Force
Remove-ItemProperty -Name AccountDomainSid, PingID, SusClientId, SusClientIDValidation -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service -Name BITS, wuauserv
wuauclt /resetauthorization /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
%windir%\Logs\CBS

Failed to get visibility for package: Microsoft-OneCore-DirectX-Database-FOD-Package

C:\Program Files\Update Services\WebServices
C:\Windows\System32\LogFiles\HTTPERR
C:\Program Files\Update Services\LogFiles\SoftwareDistribution

Windows Cleanup

https://www.askvg.com/guide-how-to-remove-all-built-in-apps-in-windows-10/

https://www.laptopmag.com/articles/uninstall-restore-windows-10-builtin-apps

https://www.howtogeek.com/224798/how-to-uninstall-windows-10s-built-in-apps-and-how-to-reinstall-them/

Powershell / Grafic Interface:

https://github.com/Sycnex/Windows10Debloater

PowerShell -> Run as Administrator ->
Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*"} | Remove-AppxPackage

Preparation

CIS hardening script
Ansible playbook for: online patching
Ansible playbook for: installing SIEM/HIDS agents
Ansible playbook for: installing 3PP antivirus (avast free?)
rules for SIEM alerts.
how we retrieve, store and send malware files for malware analysis
Ansible playbook for: audit local + domain users on system + removal of unneeded users
Ansible playbook for: enumerating programs/processes so we can audit and remove unneeded ones (needs to include SMB)
MAC hardening
IIS hardening (automated) + permissions IIS user
Ansible playbook for: installing + configuring 3PP firewall
Offline patching as a patching 'plan B'
Ansible playbook for: create special Administrator user + placing different password per host.
Scan to recognize rogue hosts
Strategy for logging changes to files (which ones, how to enable logging, make ansible playbook for it)
Ansible playbook for running windows Openscap (and collect results somewhere)
Come up with a 'trolling' strategy. aliases for certain commands? what does cobalt strike do, so we know what commands

Day 0

Enable powershell/winRM everywhere.
Change administrator password on all hosts.
Run windows updates
Audit accounts + remove unneeded ones
Audit programs/processes + remove unneeded ones
Install FW and AV with Ansible
Install IDS/TI agents
Run scans
Document findings
Add our trolling stuff (if we want to go that route)
Run CIS hardening scripts

https://www.ultimatewindowssecurity.com/securitylog/default.aspx

https://github.com/api0cradle/LOLBAS

https://www.sneakymonkey.net/2018/01/21/laps/

https://chrissanders.org/publications/

Integrity

https://lolbas-project.github.io/#

https://github.com/LOLBAS-Project/LOLBAS

https://github.com/trustedsec

Windows Script Host, PowerShell and HTA

https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-u

https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html 643da5be13e18037f4fa484d4ccb51b9

Install-Module -Name PowerShellGet -Force

alternate data streams

 test.txt:ha.exe

hidden powershell hosts

 systems automation file (escape parameters)

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert('boom');"

https://medium.com/@fecarrara1/powershell-for-file-integrity-check-36203aef64a4

Get-ChildItem -Recurse | Get-FileHash -Algorithm MD5 | Out-File -FilePath 'C:\windows-10pro.txt'

C:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
C:\windows\ServiceProfiles\LocalService\NTUSER.DAT

Boot debugger

https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting

https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/using-debugger-commands

winload.efi
manage-bde -protectors -disable C:
bcdedit /bootdebug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /dbgsettings net hostip:10.0.0.199 port:50000
(copy the key)
shutdown /r /t 0
windbg
bp winload!OslArchTransferToKernel
(reactos)
disassembly
.echo _LOADER_PARAMETER_BLOCK
.reload /f ntoskrnl.exe=00000000`00b2c000
dt nt!_LOADER_PARAMETER_BLOCK @rcx
echo 0xfffff800`20c2a8e0
LoadOrderListHead
(reactos)
dt nt!_LDR_DATA_TABLE_ENTRY 0xfffff800`20c2a8e0
ntoskrnl.exe
DllBase
.reload /u nt
.reload /f ntoskrnl.exe=0xfffff800`90c00000
u rdx
nt!KiSystemStartup
lidt (load interrupt ... table)
f 00a620e8 00a62129-1 90
bcdedit /bootdebug {bootmgr} on