Windows

From Braindump

Windows Server

https://github.com/ntdevlabs/tiny11builder

https://info.microsoft.com/ww-landing-windows-server-2022.html

https://www.allkeyshop.com/blog/buy-windows-server-2022-cd-key-compare-prices/

Win Server on XEN

https://gist.github.com/vinhjaxt/a774ac87b0313a34f4c445048d8e13cf

lvcreate -n win-dc -L 48G share
/etc/xen/win-dc.hvm
builder = "hvm"
name = "win-dc"
memory = "3072"
viridian = 1
vcpus = 4
vif = ['bridge=lan,model=e1000,rate=10Gb/s']
disk = ['phy:/dev/share/win-dc,hda,w','file:/share/SERVER_EVAL_x64FRE_en-us.iso,hdc:cdrom,r']

Install the GUI (Desktop Experience): Cloudsync depends on graphics components that Server Core does not ship. Running the Core version without graphics is great if you manage Windows Server through PowerShell anyway.

Remove Role and Demote AD

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity win-dcx -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
sconfig
2 change hostname
8 set static IP
8 set DNS
7 enable remote desktop
6 install updates
13 restart
1 join domain
add role active directory
promote to primary dc, by clicking the flag in the server manager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -CreateDnsDelegation:$false -InstallDns:$true -DomainName "domain.com" -SiteName "Default-First-Site-Name" -ReplicationSourceDC "win-dcx.domain.com" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force:$true
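Before demoting the old DC it is worth confirming that the Move-ADDirectoryServerOperationMasterRole call above really moved all five roles and that the machine is not the domain's last global catalog. The following check is an added example, not part of the original notes; it assumes the ActiveDirectory module is loaded and uses "win-dc" (the Xen guest name above) as a placeholder for the DC to be demoted.

```powershell
# Added example (not from the original notes): verify that no FSMO role is
# still held by the DC you are about to demote and that another global
# catalog remains in the domain. "win-dc" below is a placeholder.
Import-Module ActiveDirectory

function Test-SafeToDemote {
    param([Parameter(Mandatory)][string]$DcToDemote)

    $domain = Get-ADDomain
    $forest = Get-ADForest
    # All five operation master roles; the values are FQDNs of the holders
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    $problems = @()
    foreach ($r in $roles.GetEnumerator()) {
        # Compare on the host label so "win-dc" does not match "win-dcx.domain.com"
        if ($r.Value -eq $DcToDemote -or $r.Value -like "$DcToDemote.*") {
            $problems += "$($r.Key) is still held by $($r.Value)"
        }
    }

    # Demotion must leave at least one other global catalog behind
    $otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Where-Object { $_.Name -ne $DcToDemote }
    if (-not $otherGCs) { $problems += "no other global catalog in the domain" }

    [pscustomobject]@{
        DC       = $DcToDemote
        Safe     = ($problems.Count -eq 0)
        Problems = $problems
        Roles    = $roles
    }
}

Test-SafeToDemote -DcToDemote 'win-dc' | Format-List
```

Run it on any DC after the role transfer; Safe must be True and Problems empty before Uninstall-ADDSDomainController is started on the old host.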

https://learn.microsoft.com/en-us/troubleshoot/windows-server/welcome-windows-server

https://4sysops.com/archives/active-directory-passwords-all-you-need-to-know/

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032

DSREGCMD /status

MTU

netsh interface ipv4 set subinterface "Ethernet" mtu=1464
netsh interface ipv6 set subinterface "Ethernet" mtu=1464

Network

netstat -na
netstat -nao
netstat -ab
netstat -a -n -p tcp -o
perfmon /res

Powershell

$PSVersionTable.PSVersion
Install-Module -Name PowerShellGet -Force
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Install-Module -Name Az -AllowClobber -Scope AllUsers
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Restricted
Import-Module Az.Accounts
Connect-AzAccount
Install-AzAksKubectl
Write-Output $Env:Path
Import-AzAksCredential -ResourceGroupName cluster -Name cluster

PATH

$Env:Path += ";C:\Program Files\Git\cmd\"

Hardening Monitoring

NMAP/Nessus/Ports
Version Checks / Updates
Hardening
ELK Access Logs / Firewall Logs
INotify
Canaries

https://github.com/0x6d69636b/windows_hardening

Windows and Active Directory administration
Check existing User Accounts / Roles
Update Server? Run Latest updates
Check Certificates (Root)
Shell Integrity.
CIS Security Hardening
Integrity Scans
Network Sflow
Rita Kansa OSquery
ELK Alert
Observium
eventlogger
Startup Apps
Services
Processes
Users
Performance
Process list
Event manager
msiexec.exe
psexec
CPU, Memory, Disk Space, Temperature
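The monitoring list above (listening ports as netstat -nao shows them, services, users, startup apps) is easiest to act on as a snapshot that gets diffed against a known-good baseline. The script below is an added example, not code from the original notes; the baseline path under C:\baseline is an assumption.

```powershell
# Added example (not from the original notes): snapshot the things a blue team
# baselines on a Windows host and diff a later run against the stored copy.
# Records listening TCP ports with the owning process name, running services,
# local Administrators members and Run-key autostarts. Baseline path is assumed.
function Get-HostSnapshot {
    $listen = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "port:$($_.LocalAddress):$($_.LocalPort) proc:$($p.ProcessName)"
    }
    $services = Get-Service | Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { "svc:$($_.Name)" }
    # On a domain controller there is no local SAM, so this may return nothing
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { "admin:$($_.Name)" }
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autostart = foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            # Drop the PSPath/PSParentPath/... bookkeeping properties
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "run:$($_.Name)=$($_.Value)" }
        }
    }
    @($listen) + @($services) + @($admins) + @($autostart) |
        Where-Object { $_ } | Sort-Object -Unique
}

function Compare-HostSnapshot {
    param([string[]]$Baseline, [string[]]$Current)
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $_ -notin $Baseline })
        Removed = @($Baseline | Where-Object { $_ -notin $Current })
    }
}

$baselineFile = 'C:\baseline\host-snapshot.txt'   # assumed location
$current = Get-HostSnapshot
if (Test-Path $baselineFile) {
    $diff = Compare-HostSnapshot -Baseline (Get-Content $baselineFile) -Current $current
    $diff.Added   | ForEach-Object { "NEW:  $_" }
    $diff.Removed | ForEach-Object { "GONE: $_" }
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path $baselineFile) | Out-Null
    $current | Set-Content -Path $baselineFile
    "baseline written to $baselineFile"
}
```

The first run writes the baseline; every later run prints only what appeared or disappeared, which is what you want to ship to ELK as an alert rather than the full netstat output. Process names rather than PIDs are recorded so a reboot does not produce a false diff.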

HyperVisor

Enable virtualization in UEFI, then enable the Windows Features Hyper-V (Platform and Management Tools).

Hyper-V Set video

Set-VMVideo -VMName "Ubuntu 20.04" -HorizontalResolution 1920 -VerticalResolution 1080
/etc/default/grub
GRUB_CMDLINE_LINUX="quiet splash video=hyperv_fb:1920x1200"
Set-VMProcessor -VMName "Ubuntu 20.04" -HwThreadCountPerCore 2
If KVM inside the guest reports "KVM requires a CPU that supports vmx or svm", expose nested virtualization to the VM:
Set-VMProcessor -VMName "Ubuntu 20.04" -ExposeVirtualizationExtensions $true

Security issues

availability

security

report incidents

business tasks > react time 15 minutes

 white time not able to access
 report outages
 information requests 'from media'
 communication to other blue teams

green team is infra support

white team simulated users

capture vm ubuntu / captures one segment span port ... reachable from dmz? custom ... kali

Network Picture / HW info

info recon/ feedback ... yellow/red/white/blue

Access Logs Elasticsearch SIEM Syslog / Logstash? Beats winlogbeat > routable ... tunnel auditbeats Uptime in Elasticsearch CIS Hardening ... Ansible Elastalert

automate everything? ansible online patching ... smb patching agents

scripted attacks defender avast

nessus? target yes scan > rogue vm's ...

match list of known hosts. external host scans

users program enumerators ... ambitions pdf reader

iis ... user ... Defaced Websites? Scanner

Detect Changes Guestbook... Injections attacks

Host down monitoring

VM outside for checking services Detect filechanges?

Offline Patching ... WSUS Administrator user ... different passwords per host Integrity of windows ... / ISTI Team FileChanges? Windows OpenSCAP? Trolling Strategy PS Binary advanced debugging test

WINRM Do everything that was needed Document findings WINRM

3PP Firewall Windows Avast / Firewall / Offline Patching

Netstat ...

Credentials / Wiki Allow white team access / Regular Access to Windows. Scoring ports : Scan SNMP SMTP PING

Working rules with forensics team / communications team how to report. During Prep MISP ??? Avast ask for permissions ... white team request clicks everything they can live forensics ... ?? / live analysis / show binary

ZIG module? lateral movement windows RITA SYSLOG Beacon detection ActiveCM Company

The specified extrinsic Method does not exist. OpenWBEM https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html

Communication Strategy. Communication should be recordable template / threat rep Install MISP for reporting

Cleanup reports / this ip is attacking outside ... our hosts not reported report malware / compromise this file or process =>

threat report directly by team members in the chat ... one liners tickets to the green team?

Example issues

pdf view not working on newspaper website / review if it makes sense? responds.

msexe wscript lolbas talos blog hunting for

user accounts function accounts with $

logon types in event 4624: LogonType 2,3,4,5,6,7,8,9,10,11 and impersonation level, see ultimatewindowssecurity.com
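A quick way to use the 4624 logon types during the exercise is to summarise the Security log by type and to list where network and RDP logons came from, skipping the machine accounts (names ending in $) from the note above. This is an added example, not from the original notes; it reads the local Security log and needs an elevated PowerShell.

```powershell
# Added example (not from the original notes): summarise successful logons
# (event ID 4624) from the local Security log by logon type, drop computer
# accounts (names ending in $) and desktop-manager noise, and show where the
# network (3) and RDP (10) logons came from. Needs an elevated PowerShell.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-LogonEvents {
    param(
        [int]$Hours = 24,
        # Service (5) and unlock (7) logons are local housekeeping on most hosts
        [int[]]$IgnoreTypes = @(0, 5, 7)
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name; positional indexes differ between OS builds
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [int]$d['LogonType']
        $user = $d['TargetUserName']
        if ($type -in $IgnoreTypes) { continue }
        # Computer accounts end in $; DWM-*/UMFD-* are window manager and font driver sessions
        if ($user -like '*$' -or $user -like 'DWM-*' -or $user -like 'UMFD-*') { continue }
        $name = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Unknown' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$user"
            Type        = $type
            TypeName    = $name
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Process     = $d['ProcessName']
            AuthPackage = $d['AuthenticationPackageName']
        }
    }
}

# Counts per logon type: a sudden rise in type 3 or 10 for one account stands out
Get-LogonEvents -Hours 24 | Group-Object TypeName |
    Sort-Object Count -Descending | Select-Object Count, Name

# Remote logons (network and RDP) grouped by account and source address
Get-LogonEvents -Hours 24 | Where-Object { $_.Type -in 3, 10 } |
    Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Type 8 (NetworkCleartext) and type 9 (NewCredentials) are kept in the output on purpose: both are rare on a healthy host and are worth a look when they appear in the per-type counts.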

https://www.sneakymonkey.net/2018/06/25/blue-team-tips/ https://chrissanders.org/publications/

laps AdmPwd.dll SecCli.dll

https://adsecurity.org/?p=3377

Best Practice Analyzer https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759260(v=ws.11)?redirectedfrom=MSDN

Remote Management with Server Manager https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759202%28v%3dws.11%29

Windows Removal

https://www.askvg.com/gui...lt-in-apps-in-windows-10/

https://www.laptopmag.com...e-windows-10-builtin-apps

https://www.howtogeek.com...nd-how-to-reinstall-them/

https://github.com/Sycnex/Windows10Debloater

PowerShell (Run as Administrator):
Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*"} | Remove-AppxPackage

ADFS

EnableCredSSP
X509Enrollment.CX509PrivateKey.1
ADFS for webservice SSO
Windows-based service for file sharing
Outlook Web Access
WSUS server for BTs
Primary Domain controller for MIL domain
Secondary domain controller for MIL domain
Windows Fileserver for MIL file sharing needs

Preparation

Preparing an Ansible playbook for: online patching
Preparing an Ansible playbook for: installing SIEM/HIDS agents
Preparing an Ansible playbook for: installing 3PP antivirus (avast free?)
Prepare rules for SIEM alerts.
Preparing how we retrieve, store and send malware files for malware analysis
Prepare an Ansible playbook for: audit local + domain users on system + removal of unneeded users
Prepare an Ansible playbook for: enumerating programs/processes so we can audit and remove unneeded ones (needs to include SMB)
Prepare the MAC hardening
Preparing IIS hardening (automated) + permissions IIS user
Preparing an Ansible playbook for: installing + configuring 3PP firewall
Prepare offline patching as a patching 'plan B'
Preparing an Ansible playbook for: create special Administrator user + placing different password per host.
Prepare scan to recognize rogue hosts
Prepare strategy for logging changes to files (which ones, how to enable logging, make Ansible playbook for it)
Prepare Ansible playbook for running Windows OpenSCAP (and collect results somewhere)
Come up with a 'trolling' strategy... how can we make life for red-teamers harder? aliases for certain commands? what does Cobalt Strike do so we know what commands
Prepare CIS hardening script
Day 0
Enable PowerShell/WinRM everywhere.
Change administrator password on all hosts.
Run Windows updates
Audit accounts + remove unneeded ones
Audit programs/processes + remove unneeded ones
Install FW and AV with Ansible
Install IDS/TI agents
Run scans
Document findings
Add our trolling stuff (if we want to go that route)
Run CIS hardening scripts

https://www.ultimatewindowssecurity.com/securitylog/default.aspx

https://github.com/api0cradle/LOLBAS

https://www.sneakymonkey.net/2018/01/21/laps/

https://chrissanders.org/publications/

Integrity

https://lolbas-project.github.io/#

https://github.com/LOLBAS-Project/LOLBAS

https://github.com/trustedsec

Windows Script Host, PowerShell and HTA

https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-u

https://file-info.xyz/31572ed38d8cc7deed7d2d7806bc88ba/storagewmi.dll.mui.html 643da5be13e18037f4fa484d4ccb51b9

Install-Module -Name PowerShellGet -Force

alternate data streams

 test.txt:ha.exe

hidden powershell hosts

 systems automation file (escape parameters)

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert('boom');"

https://medium.com/@fecarrara1/powershell-for-file-integrity-check-36203aef64a4
Get-ChildItem -Recurse | Get-FileHash -Algorithm MD5 | Out-File -FilePath 'C:\Users\janmg\windows-10pro.txt'
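The one-liner above only dumps hashes to a file; to detect changes you need a second run compared against the first, and the alternate data stream case (test.txt:ha.exe above) is invisible to a plain hash of the default stream. The script below is an added example, not the notes' own code, that does both; the watched directory and baseline path are assumptions, and SHA256 is used instead of MD5.

```powershell
# Added example (not from the original notes): build a SHA256 baseline of a
# directory tree, report added/modified/removed files on later runs, and list
# alternate data streams beyond the default :$DATA stream. Paths are assumed.
function New-FileBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Select-Object Path, Hash
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory)]$Baseline,   # objects with Path and Hash
        [Parameter(Mandatory)]$Current
    )
    $old = @{}; foreach ($b in $Baseline) { $old[$b.Path] = $b.Hash }
    $new = @{}; foreach ($c in $Current)  { $new[$c.Path] = $c.Hash }
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) { [pscustomobject]@{ Change = 'Added';    Path = $p } }
        elseif ($old[$p] -ne $new[$p]) { [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed';  Path = $p } }
    }
}

function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every NTFS stream of the file; the default one is :$DATA
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } | Select-Object FileName, Stream, Length
}

# Usage: the first run writes the baseline, later runs report drift
$target   = 'C:\inetpub\wwwroot'              # assumed: directory to watch
$baseline = 'C:\baseline\wwwroot-sha256.csv'  # assumed
$now = New-FileBaseline -Path $target
if (Test-Path $baseline) {
    Compare-FileBaseline -Baseline (Import-Csv $baseline) -Current $now | Format-Table
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path $baseline) | Out-Null
    $now | Export-Csv -Path $baseline -NoTypeInformation
}
Get-AlternateDataStreams -Path $target | Format-Table
```

A Zone.Identifier stream on downloaded files is normal and will show up in the ADS listing; an executable-sized stream with another name attached to an innocuous file, as in the test.txt:ha.exe note, is what you are looking for.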

C:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
C:\windows\ServiceProfiles\LocalService\NTUSER.DAT