• Stars
    star
    1,737
  • Rank 26,819 (Top 0.6 %)
  • Language
  • Created almost 8 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A curated list of awesome Security Hardening techniques for Windows.

Awesome Windows Domain Hardening Awesome

A curated list of awesome Security Hardening techniques for Windows.

Created by gepeto42 and PaulWebSec but highly inspired from PyroTek3 research!

Summary

This document summarizes the information related to Pyrotek and Harmj0y's DerbyCon talk called "111 Attacking EvilCorp Anatomy of a Corporate Hack". Video and slides are available below.

It also incorporates hardening techniques necessary to prevent other attacks, including techniques discussed by gepeto42 and joeynoname during their THOTCON 0x7 talk.

Something's missing? Create a Pull Request and add it.

Initial foothold

  • No hardening effort should come at the expense of upgrading operating systems.
  • Deploy EMET to Workstations (End of line in July 2018 - Consider keeping EMET for Windows 7 but prioritize upgrades to Windows 10 and Edge).
  • Use AppLocker to block exec content from running in user locations (home dir, profile path, temp, etc).
  • Hardening against DMA Attacks? Here you go and an interesting article from Synacktiv about DMA attacks
  • Manage PowerShell execution via Applocker or constrained language mode.
  • Enable PowerShell logging (v3+) & command process logging.
  • Block Office macros (Windows & Mac) on content downloaded from the Internet.
  • Deploy security tooling that monitors for suspicious behavior. Consider using WEF to forward only interesting events to your SIEM or logging system.
  • Limit capability by blocking/restricting attachments via email/download:
    • Executables extensions:
    • (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
    • Office files that support macros (docm, xlsm, pptm, etc.)
    • Ensure these file types are blocked.
    • Block forgotten/unused Excel file extensions: IQY, SLK
  • Change default program for anything that opens with Windows scripting to notepad (test first!)
    • bat, js, jse, vbe, vbs, wsf, wsh, hta, vbs, etc.
    • GPO: User Configuration -> Preferences -> Control Panel Settings -> Folder Options -> Open With
    • Action: Replace
    • File Extension: (extension)
    • Associated Program: %windir%\system32\notepad.exe
    • Set as default: Enabled.
  • Preventing activation of OLE packages in Office with the PackagerPrompt registry setting

Reconnaissance

  • Deploy Windows 10 and limit local group enumeration.
  • Limit workstation to workstation communication.
  • Increase security on sensitive GPOs.
  • Evaluate deployment of behavior analytics (Microsoft ATA).

BloodHound "prevention":

  • Use NetCease to prevent unprivileged session enumeration.
  • Use Samri10 to prevent unprivileged local admin collection (this fix already exists in Windows 10 1607 and above).

Lateral Movement

  • Configure GPO to prevent local accounts from network authentication (KB2871997). In addition to this KB, Countercept article is recommending two other changes in the registry:
  1. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs = 30. This will clear credentials of logged off users after 30 seconds (mimicking the behavior of Windows 8.1+)
  2. Set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0. This will prevent Wdigest credentials being stored in memory, again as is the default for Windows 8.1+.
  • Ensure local administrator account passwords are automatically changed (Microsoft LAPS) & remove extra local admin accounts.
  • Limit workstation to workstation communication (Windows Firewall).
    • Test psexec with good credentials between two workstations. If it works, you have a lateral movement problem.

Privilege Escalation

  • Remove files with passwords in SYSVOL (including GPP).
  • Ensure admins don’t log onto untrusted systems (regular workstations) by configuring DENY user right assignments with GPOs.
  • Provide Privileged Access Workstations or PAWs for all highly privileged work. Those should never have access to the Internet.
  • Use Managed Service Accounts for SAs when possible (FGPP)
  • For systems that do not support Managed Service Accounts, deploy a Fine-Grained Password Policy to ensure the passwords are >32 characters.
  • Ensure all computers are talking NTLMv2 & Kerberos, deny LM/NTLMv1.

Protect Administration Credentials

  • Ensure all admins only log onto approved admin workstations & servers. (See PAW in Privilege Escalation section)
  • Ensure all built-in groups but Administrator are denied from logging on to Domain Controllers user User Right Assignments. By default, Backup operators, Account operators can login to Domain Controllers, which is dangerous.
  • Add all admin accounts to Protected Users group (requires Windows 2012 R2 DCs).
  • Admin workstations & servers:
    • Control & limit access to admin workstations & servers.
    • Remove NetBIOS over TCP/IP
    • Disable LLMNR.
    • Disable WPAD.

Strengthen/Remove Legacy

  • Start now by using PingCastle which performs incredible AD audit
  • Audit/Restrict NTLM.
  • Enforce LDAP signing.
  • Enable SMB signing (& encryption where poss.).
  • Disable WPAD & LLMNR & work to disable NetBIOS.
  • Windows 10, remove:
    • SMB 1.0/CIFS
    • Windows PowerShell 2.0
  • Use shims to enable old applications that require admin privileges to work by believing they have them.

Tools

  • PingCastle - an Active Directory audit tool (and free!) with pretty good metrics.
  • Responder - A LLMNR, NBT-NS and MDNS poisoner
  • BloodHound - Six Degrees of Domain Admin
  • AD Control Path - Active Directory Control Paths auditing and graphing tools
  • PowerSploit - A PowerShell Post-Exploitation Framework
  • PowerView - Situational Awareness PowerShell framework
  • Empire - PowerShell and Python post-exploitation agent
  • Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Tools Cheatsheets - (Beacon, PowerView, PowerUp, Empire, ...)
  • UACME - Defeating Windows User Account Control
  • Windows System Internals - (Including Sysmon etc.)
  • Hardentools - Collection of simple utilities designed to disable a number of "features" exposed by Windows
  • CrackMapExec - A swiss army knife for pentesting Windows/Active Directory environments
  • SharpSploit
  • Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • Koadic - Koadic, or COM Command & Control, is a Windows post-exploitation rootkit
  • SILENTTRINITY - A post-exploitation agent powered by Python, IronPython, C#/.NET

Videos

Slides

Additional resources

More Repositories

1

awesome-sec-talks

A collected list of awesome security talks
3,999
star
2

twittor

A fully featured backdoor that uses Twitter as a C&C server
Python
759
star
3

API-dnsdumpster.com

(Unofficial) Python API for https://dnsdumpster.com/
Python
274
star
4

HQLmap

(Deprecated) HQLmap, Automatic tool to exploit HQL injections
Python
223
star
5

CSRFT

A lightweight CSRF Toolkit for easy Proof of concept
Python
174
star
6

Shodan-Firefox-Addon

Shodan Firefox Add-on
JavaScript
151
star
7

Shodan.io-mobile-app

Official repository for the Shodan.io mobile Application
TypeScript
138
star
8

crt.sh

(Unofficial) Python API for https://crt.sh
Python
129
star
9

osint-facebook-reset-password

Python util to retrieve full display name and profile picture from a single email address
Python
95
star
10

skype-osint

Python OSINT Tool to retrieve information from Skype
Python
74
star
11

API-EZTV.it

(Unofficial) Python API for the torrent website EZTV.it
Python
72
star
12

SPIPScan

SPIP (CMS) Scanner for penetration testing purpose written in Python
Python
69
star
13

metasearch-public

Stop searching for sample hashes on 10 different sites.
Python
65
star
14

API-malwr.com

(Unofficial) Python API for https://malwr.com/
Python
62
star
15

go-http-monitor

A (dead-simple) Golang utility allowing you to monitor HTTP endpoints
Go
38
star
16

cybercrime-tracker.net

(Unofficial) Python API for cybercrime-tracker.net
Python
37
star
17

API-InstagramLocation

Python OSINT Tool to retrieve pictures from a specific location using Instagram API
Python
35
star
18

pepito

Finds sensitive stuff in your git repository by specifying terms to look for
Python
31
star
19

Shodan-mattermost

Mattermost - Shodan Slash command
Python
30
star
20

VNWA

Vulnerable Node.js Web Application to pratice with your pentesting skills
JavaScript
21
star
21

API-namechk.com

(Unofficial) Python API for http://namechk.com
Python
19
star
22

HTTP-traceroute

HTTP-traceroute in Go
Go
18
star
23

ransomware-tracker

(Unofficial) Python API for http://ransomwaretracker.abuse.ch/tracker/
Python
16
star
24

API-netcraft.com

(Unofficial) Python API for http://netcraft.com
Python
15
star
25

SearchShodan

This is a basic example of how to search into Shodan using the ShodanAPI.
Python
15
star
26

exploitdb-json-api

JSON API for ExploitDB Website
JavaScript
15
star
27

API-checkusernames.com

(Unofficial) Python API for http://checkusernames.com
Python
13
star
28

XSS-Callback

A lightweight HTTP Server that exploits XSS victim's session automatically
JavaScript
11
star
29

SSLBlackList

(Unofficial) Python API for https://sslbl.abuse.ch/
Python
11
star
30

WhatHashIsIt

# Deprecated # "What hash is it?" service allows you to identify the hashing functions used of your hash(es) based on their characteristics.
JavaScript
10
star
31

Social-Markdown

"Dillinger.io clone" allowing live concurrent editing.
JavaScript
10
star
32

TVShowsManager

Basic manager to download your TV Shows automatically with EZTV.it website.
Python
9
star
33

recon-scan

Recon tool using Yatedo and Pipl
Python
9
star
34

paulsec.github.io

Repository containing my portfolio
HTML
8
star
35

censysio

Censysio Python wrapper
Python
7
star
36

Python-plugins

Quick Python project with a simple Plugin architecture
Python
7
star
37

API-HaveIBeenPwned

(Unofficial) Python API for HaveIBeenPwned Website
Python
7
star
38

what-is-this-browser

Python script that tells you what's the potential configuration behind a User-Agent
Python
6
star
39

markovobfuscate

Python library and tools to obfuscate data based on Markov models built off the same data
Python
6
star
40

drupal-enum-users

(Python) Quick script to enumerate users on a Drupal instance
Python
6
star
41

burito

# Deprecated # Burito, Hydra-like tool to audit Web application using forms containing server-side generated params.
Python
6
star
42

API-Email-Format

email-format.com (Unofficial) Python API
Python
5
star
43

Virus-Total-Dump

Python script that dumps behavourial information about a list of hashes
Python
5
star
44

API-Yatedo

(Unofficial) Python API for Yatedo Website
Python
5
star
45

shellpot-nodejs

Honeypot written in Node.js for the Shellshock vulnerability
JavaScript
4
star
46

filesharer-nodejs

File sharer based on Node.js using AES encryption for your files
JavaScript
4
star
47

API-ShouldIChangeMyPassword

(Unofficial) Python API for ShouldIChangeMyPassword Website
Python
4
star
48

node-ip-info

Retrieves information about a specific IP
JavaScript
4
star
49

Raspberry-APT

# Deprecated # Raspberry APT - Automatic Pwn Tool suite to perform automatic pentest.
Python
4
star
50

feedrss-python

Quick command line tool to retrieve RSS blog post ordered by published date
Python
3
star
51

slidecast

Python utility to show pictures in a slideshow on your chromecast
Python
3
star
52

JSONLogger

JSONLogger - HTTP Proxy that logs JSON HTTP Response in the console
JavaScript
3
star
53

API-Pipl

(Unofficial) Python API for Pipl Website
Python
3
star
54

wordpress-vulnscan-add-on

Mozilla Add-on that retrieves potential vulnerabilities based on the Wordpress website you're visiting
2
star
55

kafka-boilerplate-docker

Kafka boilerplate example with docker-compose
Python
2
star
56

clermontech-fastapi

Python
1
star
57

Telegram-bot

Python bot to control your server through Telegram
1
star
58

API-oldpiratebay

(Unofficial) Python API for Old Pirate Bay
Python
1
star