Log4Shell

Ok this is not a small subject areas and it’s not a HOW TO guide but it should at least give you some ideas for tools to deploy and areas to check that are abused by Ransomware gangs and ATPs etc. Thanks to people who contributed!

This is not everything but it’s some common low hanging weaknesses:

  1. Make sure you have an offline backup! (not domain joined etc.)
  2. Run pingcastle (https://www.pingcastle.com/)
  3. Run Purple Knight (https://www.purple-knight.com/) (thanks @MarkSewe)
  4. Disable NULL bind if its enabled (old, upgraded domains often have this enabled still)
  5. Ensure you are not vulnerable to kerberoasting
  6. Check for accounts with KERBEROS PRE AUTHENTICATION DISABLED
  7. Look for accounts with “Does not require password” (thanks @dcdiagfix)
  8. Look for accounts with “Password never set” (thanks @dcdiagfix)
  9. Check “adminsdholder” does not have inheritance enabled
  10. Check the password policy
    1. Check account lockout policies
  11. Ensure passwords are not stored in group policy preferences
  12. Audit high privilege access users and reduce wherever possible
  13. Ensure audit policies are configured appropriately
  14. Check for passwords in the description fields
  15. Where possible restrict admin services to management vlans
    1. E.g., Restrict where HPA accounts can do admin from
  16. Deploy Sysmon
  17. Use L0hptcrack and run a password audit (this can be a risky activity so if you do this use caution/research)
    1. Harden weak passwords
  18. If possible, disable LM hashes
  19. Reset the krbtgt account (twice) as per MS guidance
  20. Use a dual or tri account model for high priv users
  21. Where possible configure admin accounts as restricted admin
  22. Ensure you have offline domain backups
  23. Enable centralised domain logging (using WEF/WEC at minimum)
  24. Remove unrequired SPNs from admin accounts etc.
  25. If server 2016 domain mode enable time based admin (thanks @0daydorpher)
    1. http://woshub.com/temporary-membership-in-active-directory-groups/
  26. Enable domain recycle bin
  27. Check Certificate Authority template permissions (thanks @lkarlslund)
  28. Review User Right Assignments (thanks @DebugPrivilege)
  29. oh and make sure it’s PATCHED! (FULLY!)
  30. Deploy LAPS
  31. Enale Kerberos AES256
  32. Remove users rights to join AD (thanks emove user rights to join devices to AD (thanks @NathanMcNulty)
  33. Disable Spool Services on domain controllers!
  34. ADCS
  35. Not AD but also review:
    1. ADCS Security Configuration
    2. Exchange
  36. For AzureAD Connect don’t sync admin accounts/service accounts etc.

There’s loads of info online my friend nathan did this threat which is super cool: https://twitter.com/NathanMcNulty/status/1282369991308763136?s=20&t=GydfOKbnRy9VGBBUqugClw

also i’ve made a post incident AD recovery list (if u can’t nuke from orbit etc.)

and one about preparing to be attacked:

also because the community rocks, go and check out this guide:

https://www.hub.trimarcsecurity.com/amp/securing-active-directory-performing-an-active-directory-security-review