From ad1fbb915ce5168a15de2493d7ef2fee2bdd6cf7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 19 Dec 2023 17:58:13 +0100 Subject: [PATCH] Attack Surface Reduction + Azure Subscription --- docs/active-directory/pwd-comments.md | 38 +++++++++++++----------- docs/cloud/azure/azure-requirements.md | 8 +++++ docs/redteam/evasion/windows-defenses.md | 24 ++++++++++++++- 3 files changed, 52 insertions(+), 18 deletions(-) diff --git a/docs/active-directory/pwd-comments.md b/docs/active-directory/pwd-comments.md index da89fdf..da449e4 100644 --- a/docs/active-directory/pwd-comments.md +++ b/docs/active-directory/pwd-comments.md 
@@ -1,23 +1,27 @@ # Password - AD User Comment -```powershell -$ crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc -$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users -GET-DESC... 10.0.2.11 389 dc01 [+] Found following users: -GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain -GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account -``` +There are 3-4 fields that seem to be common in most Active Directory schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`. -There are 3-4 fields that seem to be common in most AD schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`. +* Password in User Description + ```powershell + crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc + crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users + GET-DESC... 10.0.2.11 389 dc01 [+] Found following users: + GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain + GET-DESC... 
10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account + ``` -```powershell -enum4linux | grep -i desc +* Get `unixUserPassword` attribute from all users in ldap + ```ps1 + nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword + ``` -Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID -``` +* Native Powershell command + ```powershell + Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID + ``` -or dump the Active Directory and `grep` the content. - -```powershell -ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ -``` \ No newline at end of file +* Dump the Active Directory and `grep` the content. + ```powershell + ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ + ``` \ No newline at end of file diff --git a/docs/cloud/azure/azure-requirements.md b/docs/cloud/azure/azure-requirements.md index 3c59dda..f949773 100644 --- a/docs/cloud/azure/azure-requirements.md +++ b/docs/cloud/azure/azure-requirements.md @@ -2,9 +2,17 @@ ## Pentest Requirements +Users and roles: * **Global Reader** and **Security Reader** roles in Azure AD * **Reader** permission over the subscription +Subscriptions: +* [Azure Dev/Test](https://azure.microsoft.com/en-us/pricing/offers/dev-test) subscription. +* Visual Studio subscription determines the monthly Azure credits you receive + * Visual Studio Enterprise: $150/month + * MSDN Platforms: $100 + * Visual Studio Professional: $50 + * Visual Studio Test Professional: $50 ## Powershell and Native Modules 
diff --git a/docs/redteam/evasion/windows-defenses.md b/docs/redteam/evasion/windows-defenses.md index d346323..00f5fe4 100644 --- a/docs/redteam/evasion/windows-defenses.md +++ b/docs/redteam/evasion/windows-defenses.md @@ -13,6 +13,7 @@ * [Protected Process Light](#protected-process-light) * [Credential Guard](#credential-guard) * [Event Tracing for Windows](#event-tracing-for-windows) +* [Attack Surface Reduction](#attack-surface-reduction) * [Windows Defender Antivirus](#windows-defender-antivirus) * [Windows Defender Application Control](#windows-defender-application-control) * [Windows Defender Firewall](#windows-defender-firewall) 
@@ -296,6 +297,26 @@ The `Microsoft-Windows-Threat-Intelligence` provider corresponds to ETWTI, an ad The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. You can list the providers registered for a process with `logman query providers -pid ` +## Attack Surface Reduction + +> Attack Surface Reduction (ASR) refers to strategies and techniques used to decrease the potential points of entry that attackers could use to exploit a system or network. + +```ps1 +Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode +Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled +``` + +| Description | Ids | +|---------------------------------------------------------------------------|--------------------------------------| +| Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc | +| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d | +| Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 | +| Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 | +| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | +| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | +| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | + + ## Windows Defender Antivirus Also known as `Microsoft Defender`. 
@@ -418,4 +439,5 @@ You can check if it is done decrypting using this command: `manage-bde -status` * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/) * [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/) * [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101) -* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies) \ No newline at end of file +* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies) +* [Attack surface reduction rules reference - Microsoft 365 - 11/30/2023](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) \ No newline at end of file
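Review bot: in the pwd-comments.md hunk, the two module names on the new `nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword` line follow different naming styles (a hyphenated `get-` prefix versus camelCase), which looks like one of them may be mistyped; please confirm both against the module list from `nxc ldap -L` before merging, and widen the bullet title, which only mentions `unixUserPassword` although the command also collects `userPassword`. Two smaller points: that block is fenced as ```ps1 while the other three use ```powershell, and only the `Get-WmiObject` block is actually PowerShell (the crackmapexec, nxc and ldapdomaindump blocks are Linux tool invocations), so a consistent and accurate fence tag would help; and the crackmapexec block still interleaves the two commands with captured `GET-DESC...` output lines, so a reader cannot tell which lines are typed and which are results.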
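Review bot: in the azure-requirements.md hunk, `+Subscriptions:` is inserted directly after `* **Reader** permission over the subscription` with no blank line between them, so in GFM it renders as a lazy continuation of that bullet instead of as the label for the list that follows; add a blank line before `Subscriptions:`. The credit figures are also written inconsistently: `Visual Studio Enterprise: $150/month` carries a unit while `MSDN Platforms: $100` and the two `$50` entries do not, and no source is cited for any of them, so a link to the Microsoft page the amounts come from would keep them verifiable when the offers change.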
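Review bot: in the @@ -296,6 +297,26 @@ hunk, the two `Add-MpPreference` lines apply the same rule GUID (`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`, the LSASS credential-stealing rule) first with `AuditMode` and then with `Enabled`, and nothing in the section explains the difference; one sentence stating that `AuditMode` only records what the rule would have blocked while `Enabled` enforces it (a `Warn` action also exists), plus a way to read the current state back, for example `Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions`, would make the block usable. The quoted definition is generic, whereas the cmdlets and GUIDs are specific to Microsoft Defender Antivirus; the section should say so and state the prerequisite that Defender must be the active antivirus with real-time protection on for the rules to be enforced. Minor: the table header `Ids` would be clearer as `Rule GUID`, and there is a doubled blank line between the table and `## Windows Defender Antivirus`.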
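Review bot: in the @@ -418,4 +439,5 @@ hunk the new reference is placed correctly after the WDAC entry, but the `\ No newline at end of file` marker only moves from the old last line to the new one; end windows-defenses.md (and pwd-comments.md, which carries the same marker in this patch) with a newline so the next addition to either list does not show up as a spurious modification of the previous entry.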