Table of Contents
- Amazon S3
- Application Whitelisting
- Attack Surface Analysis/Reduction
- Auditing Account Passwords/Privileges
- Auditing Processes
- Malicious USB
- OS X
- User Awareness Training
- Cmd.exe Command Obfuscation Generator & Detection Test Harness
- A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.
- This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting.
- PE-sieve scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.
- ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes. ClrGuard leverages a simple appInit DLL (ClrHook32/64.dll) in order to load into all CLR/.NET processes. From there, it performs an in-line hook of security critical functions. Currently, the only implemented hook is on the native LoadImage() function. When events are observed, they are sent over a named pipe to a monitoring process for further introspection and mitigation decision.
Windows ISV Software Security Defenses - msdn https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)
Add User Awareness Training
- Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
- So you want to beat the Red Team - Cameron Moore - Bsides Philly 2016
- NorkNork - Tool for identifying Empire persistence payloads
- Removing Backdoors – Powershell Empire Edition - n00py
- A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attacks, based on event viewer logs.
- Sysinternals Sysmon suspicious activity guide - blogs.technet
Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency - Sean Malone - BHUSA16
- We'll review what actions are taken in each phase, and what's necessary for the adversary to move from one phase to the next. We'll discuss multiple types of controls that you can implement today in your enterprise to frustrate the adversary's plan at each stage, to avoid needing to declare "game over" just because an adversary has gained access to the internal network. The primary limiting factor of the traditional Cyber Kill Chain is that it ends with Stage 7: Actions on Objectives, conveying that once the adversary reaches this stage and has access to a system on the internal network, the defending victim has already lost. In reality, there should be multiple layers of security zones on the internal network, to protect the most critical assets. The adversary often has to move through numerous additional phases in order to access and manipulate specific systems to achieve his objective. By increasing the time and effort required to move through these stages, we decrease the likelihood of the adversary causing material damage to the enterprise.
- Intrigue-core is a framework for automated attack surface discovery.
- Tools to measure the maturity of Enterprise Security Architecture processes
- Command line process auditing
- The first restful API to control all firewall brands. Configure any firewall with restful API calls, no more manual rule configuration. Centralize all your firewalls into one API.
- Simple tool to configure Windows Filtering Platform (WFP), which can control network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. Administrator rights are required for correct operation.
- ERNW Repository of Hardening Guides
- OWASP Secure Configuration Guide
- PHP Secure Configuration Checker
Security + DevOps Automatic Server Hardening - dev-sec.io
- Open Source Automated Hardening Framework
- This is a practical guide to using YubiKey as a SmartCard for storing GPG encryption and signing keys.
- OS X
AIL framework - Analysis Information Leak framework
- AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.
- Prevents you from committing passwords and other sensitive information to a git repository.
- KeyNuker scans public activity across all Github users in your Github organization(s) and proactively deletes any AWS keys that are accidentally leaked. It gets the list of AWS keys to scan by directly connecting to the AWS API.
You're Leaking Trade Secrets - Defcon22 Michael Schrenk
- Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
- AIL framework - Analysis Information Leak framework
- A UNIX security auditing tool based on several security frameworks
- Filenames and Pathnames in Shell: How to do it Correctly
- Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
- Red Hat Enterprise Linux 6 Security Guide
- A practical guide to securing macOS.
- A userland network manager with monitoring and limiting capabilities for macOS.
- A kernel network manager with monitoring and limiting capabilities for macOS.
- OverSight monitors a Mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
- LuLu is the free open-source macOS firewall that aims to block unauthorized (outgoing) network traffic.
- Mercure is a tool for security managers who want to teach their colleagues about phishing.
- This module is used to report phishing URLs to their WHOIS/RDAP abuse contact information.
- PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kit URLs used in phishing campaigns targeting your customers and using some of your own website files (such as CSS, JS, ...). This tool, written in Python 3, is based on the analysis of the referer URL used to GET particular files on the legitimate website (such as some style content) or to redirect the user after the phishing session. Log files (should) contain the referer URL the user came from, which is where the phishing kit is deployed. PhishingKitHunter parses your log files to identify particular, non-legitimate referers trying to get legitimate pages, based on regular expressions you put into PhishingKitHunter's config file.
- Catching phishing before they catch you
- Tracking Newly Registered Domains - SANS
- hnrd.py is a Python utility for finding and analysing potential phishing domains used in phishing campaigns targeting your customers. This utility is written in Python (2.7 and 3) and is based on the analysis of the features below, consuming a free daily list provided by the Whoisds site.
- Exchange Transport rules using text matching and Regular Expressions to detect and enable response to basic phishing. Designed to augment EOP in Office 365.
- Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
- Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2
AWS Lambda - IAM Access Key Disabler
- The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
- OWASP Secure Headers Project
The Open Guide to Amazon Web Services
- A lot of information on AWS is already written. Most people learn AWS by reading a blog or a “getting started guide” and referring to the standard AWS references. Nonetheless, trustworthy and practical information and recommendations aren’t easy to come by. AWS’s own documentation is a great but sprawling resource few have time to read fully, and it doesn’t include anything but official facts, so omits experiences of engineers. The information in blogs or Stack Overflow is also not consistently up to date. This guide is by and for engineers who use AWS. It aims to be a useful, living reference that consolidates links, tips, gotchas, and best practices. It arose from discussion and editing over beers by several engineers who have used AWS extensively.
Windows Firewall Hook Enumeration
- We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
- Detecting DLL Hijacking on Windows
- The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment
Windows DACL Enum Project
- A collection of tools to enumerate and analyse Windows DACLs
- AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester
- Windows Firewall Hook Enumeration
- Blocking Remote Use of Local Accounts
MS Security Advisory 2871997
- Update to Improve Credentials Protection and Management
Invoke-HoneyCreds - Ben0xA
- Use Invoke-HoneyCreds to distribute fake credentials throughout the environment as a "legit" service account and monitor for use of those creds.
The CredDefense Toolkit - BlackHills
- Credential and Red Teaming Defense for Windows Environments
- KB2871997 and Wdigest – Part 1
- Overview of Device Guard in Windows Server 2016
- Protect derived domain credentials with Windows Defender Credential Guard - docs.ms
- Windows Defender Device Guard deployment guide - docs ms
- Windows Defender Credential Guard: Requirements - docs.ms
- Windows 10 Device Guard and Credential Guard Demystified - blogs.technet
- Manage Windows Defender Credential Guard - docs.ms
- Busy Admin’s Guide to Device Guard and Credential Guard - adaptiva
- Protect derived domain credentials with Windows Defender Credential Guard
- Using a hypervisor to secure your desktop – Credential Guard in Windows 10 - blogs.msdn
- Credential Guard lab companion - blogs.technet
- A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses.
- Defending against mimikatz
- Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory
- Mitigating Kerberos Golden Tickets
- Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory CERT-EU 2014
- Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory
- Using SCOM to Detect Golden Tickets
Pass the Hash
Mitigating Pass-the-Hash Attacks and other credential Theft-version2
- Official MS paper.
Pass-the-Hash II: Admin’s Revenge - Skip Duckwall & Chris Campbell
- Protecting against Pass-The-Hash and other techniques
- Fixing Pass the Hash and Other Problems
Pass the Hash Guidance
- Configuration guidance for implementing Pass-the-Hash mitigations. iadgov
- Mitigating Pass-the-Hash Attacks and other credential Theft-version2
- What would a real hacker do to your Active Directory
- Securing Microsoft Active Directory Federation Server (ADFS)
- NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
- Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
- Building/Designing Infrastructure
- Securing Domain Controllers to Improve Active Directory Security - adsecurity.org
- Protecting Privileged Domain Accounts: Network Authentication In-Depth
Active Directory: Real Defense for Domain Admins
- Did your AD recently get owned on a pentest? It’s always fun to see an unknown entry show up in your Domain Admins group (#fail). Come learn how to truly protect your organization’s IT crown jewels from some of the most popular AD attacks. If you’re stuck trying to figure out what to do with null sessions, pass the hash techniques, or protecting your Domain Admins, then you will want to be here.
Auditing Account Passwords/Privileges
- Account lockout threshold - technet
- Password Policy - technet
- As part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of access specific users or groups have to resources, including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
Guarded Fabric/Shielded VMs
- Guarded fabric and shielded VMs
- Shielded VMs – additional considerations when running a guarded fabric - blogs.technet
- Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric
- Step-by-step: Quick reference guide to deploying guarded hosts
- Step by Step – Configuring Guarded Hosts with Virtual Machine Manager 2016 - blogs.technet
- Guarded Fabric Deployment Guide for Windows Server 2016
- Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016
- Why use shielded VMs for your privileged access workstation (PAW) solution?
- Frequently Asked Questions About HGS Certificates
- Join Host Guardian Servers to an existing bastion forest
- Step by Step: Shielding existing VMs without VMM - blogs.technet
- Step-by-step: Quick reference guide to deploying guarded hosts
- Step by Step – Shielded VM Recovery - blogs.technet
- The 10 Windows group policy settings you need to get right
- Group Policy for WSUS - grouppolicy.biz
- GPO Best Policies - grouppolicy.biz
- Securing Windows with Group Policy - Josh Rickard - Derbycon7
- Guidance on Deployment of MS15-011 and MS15-014 - blogs.technet
- MS15-011 & MS15-014: Hardening Group Policy - blogs.technet
Awesome Windows Domain Hardening
- A curated list of awesome Security Hardening techniques for Windows.
- Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 - technet
- Harden windows IP Stack
Secure Host Baseline
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
- The second section is a good resource for hardening Windows.
SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
- "SAMRi10" tool is a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network.
Enable Attack surface reduction - docs.ms
- Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
- Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
- Investigate malicious Windows logon by visualizing and analyzing Windows event log
Software Restriction Policies - docs.ms
- This topic for the IT professional describes Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8, and provides links to technical information about SRP beginning with Windows Server 2003.
- Detecting Lateral Movement through Tracking Event Logs - JPCERTCC
- Detecting Lateral Movements in Windows Infrastructure - CERT-EU
- Awesome Windows Domain Hardening
Just Enough Administration (JEA)
- Just Enough Administration - docs.ms
- Just Enough Administration: Windows PowerShell security controls help protect enterprise data - msdn
- JEA Pre-requisites
- JEA Role Capabilities
- JEA Session Configurations
- Registering JEA Configurations
- Using JEA
- JEA Security Considerations
- Auditing and Reporting on JEA
Just Enough Administration Samples and Resources
- Just Enough Administration (JEA) is a PowerShell security technology that provides a role based access control platform for anything that can be managed with PowerShell. It enables authorized users to run specific commands in an elevated context on a remote machine, complete with full PowerShell transcription and logging. JEA is included in PowerShell version 5 and higher on Windows 10 and Windows Server 2016, and older OSes with the Windows Management Framework updates.
- Conveigh is a Windows PowerShell LLMNR/NBNS spoofer detection tool. LLMNR/NBNS requests sent by Conveigh are not legitimate requests to any enabled LLMNR/NBNS services. The requests will not result in name resolution in the event that a spoofer is present.
- Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.
Local Administrator Password Solution
- Microsoft security advisory: Local Administrator Password Solution
Local Administrator Password Solution - technet
- The "Local Administrator Password Solution" (LAPS) provides centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization's domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.
- Introduction to Microsoft LAPS (Local Administrator Password Solution)
- Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory - 4sysops https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/
- FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1 - 4sysops
- FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 2 - 4sysops
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
- Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
- New feature in Office 2016 can block macros and help prevent infection (2016)
- Block or unblock external content in Office documents - support.office
- CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields - docs.ms
Domain Password Audit Tool (DPAT)
- This is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking. The report is an HTML report with clickable links.
- Tutorial Video & Demo
- Azure AD and ADFS best practices: Defending against password spray attacks
- Detect Password Spraying With Windows Event Log Correlation
- Domain Password Audit Tool (DPAT)
Privileged Access Workstation
How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations
- As part of the security strategy to protect administrative privilege, Microsoft recommends using a dedicated machine, referred to as a PAW (privileged access workstation), for administrative tasks, and using a separate device for the usual productivity tasks such as Outlook and Internet browsing. It can be costly for the company to acquire machines just for server administrative tasks, and inconvenient for the admins to carry multiple machines. In this session, we show you how MSIT uses shielded VMs on the new release of the Windows client to implement a PAW.
- Privileged Access Workstation(PAW) - blogs.technet
- PAW host buildout - blogs.technet
- How to deploy a VM template for PAW - blogs.technet
- How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations
Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)
- There is no doubt that security has been in the spotlight over the last few years; recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented 'later'. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can be implemented directly.
- PowerShell ♥ the Blue Team
- Powershell Security at Enterprise Customers - blogs.msdn
- More Detecting Obfuscated PowerShell
Revoke-Obfuscation - tool
- PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
- Revoke Obfuscation PowerShell Obfuscation Detection And Evasion Using Science Lee Holmes Daniel - Derbycon7 - talk
- PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
- Detecting and Preventing PowerShell Downgrade Attacks - leeholmes
- Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)
- A rogue-USB-device defeat program for Windows.
- Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well to detect insecure configurations from nix systems.
- This tool automates the process of creating logon relations from MS Windows Security Events by showing a graphical relation among users, domains, source and destination logons, as well as session duration.
- VOYEUR's main purpose is to automate several tasks of an Active Directory build review or security assessment. Also, the tool is able to create a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies like Microsoft Remote Administration tools. (Just .Net Framework 2.0 and Office Excel if you want a useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, security consultants or security researchers who want to quickly analyze threats in Active Directory Services.
- Uproot is a Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Subscriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions, please see the WMIEventing Module.
- A PowerShell module to abstract the complexities of Permanent WMI Event Subscriptions
- Know your Windows Processes or Die Trying - sysforensics
- Explore all the tasks (processes) running on your Mac with TaskExplorer.
- Measure Boot Performance with the Windows Assessment and Deployment Toolkit
- Securing Windows Workstations: Developing a Secure Baseline
- Evaluate Fast Startup Using the Assessment Toolkit
- Windows Performance Toolkit Reference
- The Malware Management Framework
- Securing Windows Workstations: Developing a Secure Baseline - adsecurity.org
- ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available; otherwise it will communicate with the Domain Controller using LDAP.
- Credential Guard
- Device Guard and Credential Guard hardware readiness tool
- Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control - docs.ms
- Requirements and deployment planning guidelines for Windows Defender Device Guard - docs.ms
- Driver compatibility with Device Guard in Windows 10 - docs.ms
Windows Event Forwarding Guidance
- Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and to centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
- Auditing Security Events - WCF - docs.ms
- Windows Security Log Events - ultimatewindowssecurity.com
- Windows Event Forwarding Guidance
- A curated list of awesome Security Hardening techniques for Windows.
- Monitors for DCSYNC and DCSHADOW attacks and creates custom Windows Events for these events.
- In this article you will learn the fundamentals of Windows service accounts. Specifically, we discover the options and best practices concerning the selection of a service account for a particular service application.
- In this article you will learn some best-practice suggestions for using service applications according to the IT security rule of least privilege.
- An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.