Attack Surface Reduction + Azure Subscription
parent f5ea8808f8
commit ad1fbb915c
@ -1,23 +1,27 @@
# Password - AD User Comment
# Password - AD User Comment
```powershell
There are 3-4 fields that seem to be common in most Active Directory schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.
$ crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account
```
There are 3-4 fields that seem to be common in most AD schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`.
* Password in User Description
```powershell
crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account
```
```powershell
* Get `unixUserPassword` attribute from all users in ldap
enum4linux | grep -i desc
```ps1
nxc ldap 10.10.10.10 -u user -p pass -M get-unixUserPassword -M getUserPassword
```
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
* Native Powershell command
```
```powershell
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
```
or dump the Active Directory and `grep` the content.
* Dump the Active Directory and `grep` the content.
```powershell
```powershell
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
```
```
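Review bot: the new intro sentence "There are 3-4 fields that seem to be common in most Active Directory schemas" lists exactly four attributes, so the "3-4" hedge should go, and it now sits above the `* Password in User Description` bullet even though none of those attributes is `description`; move it under the `* Get `unixUserPassword` attribute from all users in ldap` bullet, which is the step that actually reads them. Worth stating there that `unicodePwd` cannot be read back over LDAP (it is write-only on that path and only comes out through replication), so no LDAP search, including the two `nxc` modules shown, will return it. The old `enum4linux | grep -i desc` line is dropped entirely; if that is intended, fine, but it was the only option in the section that does not depend on crackmapexec or nxc. Minor: the new block is fenced ```ps1 while the others in this hunk use ```powershell, and since `nxc ldap ...` is a Linux command line a ```bash fence would describe it better.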
@ -2,9 +2,17 @@
## Pentest Requirements
## Pentest Requirements
Users and roles:
* **Global Reader** and **Security Reader** roles in Azure AD
* **Global Reader** and **Security Reader** roles in Azure AD
* **Reader** permission over the subscription
* **Reader** permission over the subscription
Subscriptions:
* [Azure Dev/Test](https://azure.microsoft.com/en-us/pricing/offers/dev-test) subscription.
* Visual Studio subscription determines the monthly Azure credits you receive
* Visual Studio Enterprise: $150/month
* MSDN Platforms: $100
* Visual Studio Professional: $50
* Visual Studio Test Professional: $50
## Powershell and Native Modules
## Powershell and Native Modules
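Review bot: the credit figures mix units: `Visual Studio Enterprise: $150/month` carries `/month` but `MSDN Platforms: $100`, `Visual Studio Professional: $50` and `Visual Studio Test Professional: $50` do not; either append `/month` to all four or say once in the parent bullet that the amounts are monthly. Those four tiers are children of `* Visual Studio subscription determines the monthly Azure credits you receive`, so make sure they are indented as a nested list under it rather than appearing as siblings of the Azure Dev/Test bullet. The amounts are pricing that Microsoft changes; give them a source link the way the Azure Dev/Test bullet does so a reader can verify the current values. `Users and roles:` and `Subscriptions:` are plain lines under a `##` heading; if the file nests sub-sections elsewhere, `###` headings would be more consistent.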
@ -13,6 +13,7 @@
* [Protected Process Light](#protected-process-light)
* [Protected Process Light](#protected-process-light)
* [Credential Guard](#credential-guard)
* [Credential Guard](#credential-guard)
* [Event Tracing for Windows](#event-tracing-for-windows)
* [Event Tracing for Windows](#event-tracing-for-windows)
* [Attack Surface Reduction](#attack-surface-reduction)
* [Windows Defender Antivirus](#windows-defender-antivirus)
* [Windows Defender Antivirus](#windows-defender-antivirus)
* [Windows Defender Application Control](#windows-defender-application-control)
* [Windows Defender Application Control](#windows-defender-application-control)
* [Windows Defender Firewall](#windows-defender-firewall)
* [Windows Defender Firewall](#windows-defender-firewall)
@ -296,6 +297,26 @@ The `Microsoft-Windows-Threat-Intelligence` provider corresponds to ETWTI, an ad
The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. You can list the providers registered for a process with `logman query providers -pid <PID>`
The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. You can list the providers registered for a process with `logman query providers -pid <PID>`
## Attack Surface Reduction
> Attack Surface Reduction (ASR) refers to strategies and techniques used to decrease the potential points of entry that attackers could use to exploit a system or network.
```ps1
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
```
| Description | Ids |
|---------------------------------------------------------------------------|--------------------------------------|
| Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc |
| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d |
| Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 |
| Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
## Windows Defender Antivirus
## Windows Defender Antivirus
Also known as `Microsoft Defender`.
Also known as `Microsoft Defender`.
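Review bot: the two `Add-MpPreference` lines set the same rule (`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`, the lsass.exe credential-stealing rule from the table) first to `AuditMode` and then to `Enabled`; run back to back the second call simply overwrites the first, so present them as alternatives (audit first, enforce once the audit events are clean) with a comment on each rather than as a sequence. Add the check a reader needs to confirm what is actually in force, for example `Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions`, noting that the actions come back as numbers (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn); `Warn` is also a valid value for `-AttackSurfaceReductionRules_Actions` and is missing from the example. The blockquote defines ASR generically, but everything that follows is the Microsoft Defender ASR rule set, which is only enforced while Defender real-time protection is the active antivirus on the host; the text should say that, since it is the first thing to check when a rule appears not to fire. The rule IDs in the table match the Microsoft reference added at the bottom of this commit, so consider linking that reference from this section.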
@ -418,4 +439,5 @@ You can check if it is done decrypting using this command: `manage-bde -status`
* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)
* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)
* [Attack surface reduction rules reference - Microsoft 365 - 11/30/2023](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide)