Attack Surface Reduction + Azure Subscription

docs/active-directory/pwd-comments.md

@@ -1,23 +1,27 @@
 # Password - AD User Comment
 
-```powershell
-$ crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
-$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
-GET-DESC... 10.0.2.11       389    dc01    [+] Found following users: 
-GET-DESC... 10.0.2.11       389    dc01    User: Guest description: Built-in account for guest access to the computer/domain
-GET-DESC... 10.0.2.11       389    dc01    User: krbtgt description: Key Distribution Center Service Account
-```
+There are 3-4 fields that seem to be common in most Active Directory schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.
 
-There are 3-4 fields that seem to be common in most AD schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.
+* Password in User Description
+    ```powershell
+    crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
+    crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
+    GET-DESC... 10.0.2.11       389    dc01    [+] Found following users: 
+    GET-DESC... 10.0.2.11       389    dc01    User: Guest description: Built-in account for guest access to the computer/domain
+    GET-DESC... 10.0.2.11       389    dc01    User: krbtgt description: Key Distribution Center Service Account
+    ```
 
-```powershell
-enum4linux | grep -i desc
+* Get `unixUserPassword` attribute from all users in ldap
+    ```ps1
+    nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword
+    ```
 
-Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
-```
+* Native Powershell command
+    ```powershell
+    Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
+    ```
 
-or dump the Active Directory and `grep` the content.
-
-```powershell
-ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
-```
+* Dump the Active Directory and `grep` the content.
+    ```powershell
+    ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
+    ```

docs/cloud/azure/azure-requirements.md

@@ -2,9 +2,17 @@
 
 ## Pentest Requirements
 
+Users and roles:
 * **Global Reader** and **Security Reader** roles in Azure AD
 * **Reader** permission over the subscription
 
+Subscriptions:
+* [Azure Dev/Test](https://azure.microsoft.com/en-us/pricing/offers/dev-test) subscription.
+* Visual Studio subscription determines the monthly Azure credits you receive
+    * Visual Studio Enterprise: $150/month
+    * MSDN Platforms: $100
+    * Visual Studio Professional: $50
+    * Visual Studio Test Professional: $50
 
 ## Powershell and Native Modules
 

docs/redteam/evasion/windows-defenses.md

@@ -13,6 +13,7 @@
 * [Protected Process Light](#protected-process-light)
 * [Credential Guard](#credential-guard)
 * [Event Tracing for Windows](#event-tracing-for-windows)
+* [Attack Surface Reduction](#attack-surface-reduction)
 * [Windows Defender Antivirus](#windows-defender-antivirus)
 * [Windows Defender Application Control](#windows-defender-application-control)
 * [Windows Defender Firewall](#windows-defender-firewall)
@@ -296,6 +297,26 @@ The `Microsoft-Windows-Threat-Intelligence` provider corresponds to ETWTI, an ad
 The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. You can list the providers registered for a process with `logman query providers -pid <PID>`
 
 
+## Attack Surface Reduction
+
+> Attack Surface Reduction (ASR) refers to strategies and techniques used to decrease the potential points of entry that attackers could use to exploit a system or network.
+
+```ps1
+Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode
+Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
+```
+
+| Description | Ids |
+|---------------------------------------------------------------------------|--------------------------------------|
+| Block execution of potentially obfuscated scripts                         | 5beb7efe-fd9a-4556-801d-275e5ffc04cc |
+| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d |
+| Block abuse of exploited vulnerable signed drivers                        | 56a863a9-875e-4185-98a7-b882c64b5ce5 |
+| Block executable content from email client and webmail                    | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 |
+| Block process creations originating from PSExec and WMI commands          | d1e49aac-8f56-4280-b9ba-993a6d77406c |
+| Use advanced protection against ransomware                                | c1db55ab-c21a-4637-bb3f-a12568109d35 |
+| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
+
+
 ## Windows Defender Antivirus
 
 Also known as `Microsoft Defender`.
@@ -418,4 +439,5 @@ You can check if it is done decrypting using this command: `manage-bde -status`
 * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
 * [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
 * [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
-* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)
+* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)
+* [Attack surface reduction rules reference - Microsoft 365 - 11/30/2023](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide)