Tag: server

Defense

Exchange Emergency Mitigation Service with new CU Update

This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)

History

Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.

Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!

Read more “Exchange Emergency Mitigation Service with new CU Update”
Defense

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Potential Actions

  • Reset all user account passwords twice (thanks @tazwake)
    • Reset all administrator passwords
    • Reset all service accounts passwords
  • Reset (twice – but bear in mind the issues with replication so there’s specific guidance on this) the KRBTGT password
  • Reset all computer account passwords
  • Check the value of the computer account password change value
  • Reset all LAPS Passwords
  • Reset permissions on AdminSDHolders object
  • Revoke and re-issue all certificates from ADCS
  • Check for malicious scheduled tasks (thanks @SchizoDuckie)
  • Check for malicious WMI event filters
  • Check for malicious autoruns or other registry-based persistence mechanisms
  • Check for utilman style backdoors
  • Check for malicious printers/printer drivers (thanks @SchizoDuckie)
  • Review Active Directory Delegated access permissions (thank https://twitter.com/@indachtig)
  • Rotate ADFS token signing and token decryption certificates (thanks @4n6Bexaminer)
  • Check Service Control Manager (SCM) security descriptors (https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) (thanks @EricaZeli)
  • Check for object changes around initial access/event timescales (thanks @IISResetMe)
  • Validate group memberships against known baselines (replication metadata, backup, AD reporting tools/reports etc.) (thanks @IISResetMe)
  • Harden Active Directory (look at pingcastle and MITRE) (thanks @MarkSewe)
  • Review logon scripts in GPOS and SYSVOL (thanks @CisoDiagonal and A-HAX!)
  • Rotate Group Managed Service Accounts (GMSA) (thanks @infosecspy)
  • Rotate LAPS credentials
  • Review Azure AD/AD Connect (thanks @infosecspy)
  • Harden Endpoints
  • Update AV
  • Deploy EDR
  • Deploy SYSMON
  • DNS Zone Integrity (Public and Private) (thanks to @jermuv)
  • Rote domain trust keys (thanks @DebugPrivilege)
  • Review potential RBCD Bakdoors (thanks @DebugPrivilege)
  • Review msDsConsistencyGuid attribute of compromised accounts (thanks @DebugPrivilege)
  • Check Exchange (easy right?)
  • Review accounts for “Key Trust Account Mapping” takeover and reset if required (thanks @nodauf)
    • https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
  • Review Active Directory Domains and Trusts (thanks @dragon199421)
  • Deploy new Domain Controllers (keep existing forest/domain metadata)
  • Clear VSS/Backups/Snapshots that are likely to be classed as unsafe (thanks to @Digit4lbytes) Read more “Post Compromise Active Directory Checklist”
Defense

Ransomware Defence: Part 2a – Persistence, Privilege Escalation and…

Recap

In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement”

CTF

How to enable NULL Bind on LDAP with Windows…

History of NULL bind

Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!

So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you don’t want NULL bind enabled.

The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019”

Defense

Field Notes – Just Patch

Windows update stuck at 0% download status

Often is we find an environment missing software updates it’s easy for someone without hands on experience to say, ‘just patch’. Outside of change requests, outside of authorisation, maintenance windows, roll back plans, communications etc. there is also the fact that ‘just patching’ isn’t that simple. Even for fairly standard patching tasks using Windows Updates you sometimes hit a snag. Today I’m looking at exactly that issue on a server, so I thought I’d post the steps to resolve an issue but also, I think this is a nice way to highlight the realities of patching.

We show a GUI and command line (PowerShell) method to achieve this result (the PowerShell isn’t fancy but I figured you could go away and upgrade that if you fancied some fun). Windows update sometimes has issues (does not all software!) and it is sometimes that we need to help it along the way, so let’s get too it! Read more “Field Notes – Just Patch”