Update section Important Security Updates to table format lists & added RiskySPN tool

pull/5/head
Rahmat Nurfauzi 2019-09-22 14:21:34 +07:00 committed by GitHub
parent 6e5b77889a
commit cfabcd7a88
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 8 deletions


@ -386,6 +386,7 @@ Advanced Threat Protection and Advanced Threat Analytics](https://www.blackhat.c
* [Aorato Skeleton Key Malware Remote DC Scanner](https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73) - Remotely scans for the existence of the Skeleton Key Malware * [Aorato Skeleton Key Malware Remote DC Scanner](https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73) - Remotely scans for the existence of the Skeleton Key Malware
* [Reset the krbtgt account password/keys](https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51) - This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation * [Reset the krbtgt account password/keys](https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51) - This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
* [Reset The KrbTgt Account Password/Keys For RWDCs/RODCs](https://gallery.technet.microsoft.com/Reset-The-KrbTgt-Account-5f45a414) * [Reset The KrbTgt Account Password/Keys For RWDCs/RODCs](https://gallery.technet.microsoft.com/Reset-The-KrbTgt-Account-5f45a414)
* [RiskySPN](https://github.com/cyberark/RiskySPN) - RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
* [Deploy-Deception](https://github.com/samratashok/Deploy-Deception) - A PowerShell module to deploy active directory decoy objects * [Deploy-Deception](https://github.com/samratashok/Deploy-Deception) - A PowerShell module to deploy active directory decoy objects
* [SpoolerScanner](https://github.com/vletoux/SpoolerScanner) - Check if MS-RPRN is remotely available with powershell/c# * [SpoolerScanner](https://github.com/vletoux/SpoolerScanner) - Check if MS-RPRN is remotely available with powershell/c#
* [dcept](https://github.com/secureworks/dcept) - A tool for deploying and detecting use of Active Directory honeytokens * [dcept](https://github.com/secureworks/dcept) - A tool for deploying and detecting use of Active Directory honeytokens
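Review bot: the added RiskySPN entry is the only item in this list of deception and detection tools (Deploy-Deception, dcept, SpoolerScanner, the Skeleton Key scanner) whose description advertises "abusing accounts associated with SPNs"; since the list is presented as defensive tooling, reword the description to state its auditing use, namely finding accounts associated with SPNs whose configuration puts them at risk, so a reader knows why it belongs here. Two style nits on the same line: the project is spelled "RiskySPN" in the link text but "RiskySPNs" in the description, and the entry ends with a period while none of the neighbouring entries do. Suggested: `* [RiskySPN](https://github.com/cyberark/RiskySPN) - A collection of PowerShell scripts for auditing accounts associated with SPNs (Service Principal Names) that are at risk of credential exposure`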
@ -471,14 +472,16 @@ Advanced Threat Protection and Advanced Threat Analytics](https://www.blackhat.c
* Limit service account rights that are currently DA (or equivalent). * Limit service account rights that are currently DA (or equivalent).
### Important Security Updates ### Important Security Updates
* [CVE-2019-1040 - Windows NTLM Tampering Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040) |CVE|Title|Description|Link|
* [CVE-2019-0683 - Active Directory Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683) |---|-----|-----------|----|
* [CVE-2019-0708 - Remote Desktop Services Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) |CVE-2019-1040|Windows NTLM Tampering Vulnerability|A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040|
* [CVE-2018-8581 - Microsoft Exchange Server Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518) |CVE-2019-0683|Active Directory Elevation of Privilege Vulnerability|An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'.|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683|
* [CVE-2017-0143 - Windows SMB Remote Code Execution Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143) |CVE-2019-0708|Remote Desktop Services Remote Code Execution Vulnerability|A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708|
* [CVE-2016-0128 - Windows SAM and LSAD Downgrade Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128) |CVE-2018-8581|Microsoft Exchange Server Elevation of Privilege Vulnerability|An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518|
* [CVE-2014-6324 - Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068) |CVE-2017-0143|Windows SMB Remote Code Execution Vulnerability|The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143|
* [CVE-2014-1812 - Vulnerability in Group Policy Preferences could allow elevation of privilege](https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati) |CVE-2016-0128|Windows SAM and LSAD Downgrade Vulnerability|The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."|https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128|
|CVE-2014-6324|Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)|The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."|https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068|
|CVE-2014-1812|Vulnerability in Group Policy Preferences could allow elevation of privilege|The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."|https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati|
### Detection ### Detection
|Attack|Event ID| |Attack|Event ID|
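Review bot: the CVE-2018-8581 row links to `https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518`, which does not match the CVE identifier in the first column; the mismatch was already present in the removed bullet and is carried over unchanged, so while the list is being converted, correct the Link cell to point at the CVE-2018-8581 advisory (or confirm which advisory is intended) rather than preserving the error. Secondary points: the Title cell for CVE-2014-6324 still carries the bulletin KB number "(3011780)", which reads oddly in a Title column now that the link has its own cell; and the Link column uses bare URLs while the rest of the file (see the tool entries in the previous hunk) uses markdown `[text](url)` links, so `[MSRC](https://...)` or similar would keep the README consistent and avoid very wide table cells.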