Awesome Windows Domain Hardening
A curated list of awesome Security Hardening techniques for Windows.
Created by gepeto42 and PaulWebSec but highly inspired from PyroTek3 research!
Summary
This document summarizes the information related to Pyrotek and Harmj0y's DerbyCon talk called "111 Attacking EvilCorp Anatomy of a Corporate Hack". Video and slides are available below.
It also incorporates hardening techniques necessary to prevent other attacks, including techniques discussed by gepeto42 and joeynoname during their THOTCON 0x7 talk.
Something's missing? Create a Pull Request and add it.
Initial foothold
- No hardening effort should come at the expense of upgrading operating systems.
- Deploy EMET to Workstations (End of line in July 2018 - Consider keeping EMET for Windows 7 but prioritize upgrades to Windows 10 and Edge).
- Use AppLocker to block exec content from running in user locations (home dir, profile path, temp, etc).
- Hardening against DMA Attacks? Here you go and an interesting article from Synacktiv about DMA attacks
- Manage PowerShell execution via Applocker or constrained language mode.
- Enable PowerShell logging (v3+) & command process logging.
- Block Office macros (Windows & Mac) on content downloaded from the Internet.
- Deploy security tooling that monitors for suspicious behavior. Consider using WEF to forward only interesting events to your SIEM or logging system.
- Limit capability by blocking/restricting attachments via email/download:
- Executables extensions:
- (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
- Office files that support macros (docm, xlsm, pptm, etc.)
- Ensure these file types are blocked.
- Block forgotten/unused Excel file extensions: IQY, SLK
- Change default program for anything that opens with Windows scripting to notepad (test first!)
- bat, js, jse, vbe, vbs, wsf, wsh, hta, vbs, etc.
- GPO: User Configuration -> Preferences -> Control Panel Settings -> Folder Options -> Open With
- Action: Replace
- File Extension: (extension)
- Associated Program: %windir%\system32\notepad.exe
- Set as default: Enabled.
- Preventing activation of OLE packages in Office with the PackagerPrompt registry setting
Reconnaissance
- Deploy Windows 10 and limit local group enumeration.
- Limit workstation to workstation communication.
- Increase security on sensitive GPOs.
- Evaluate deployment of behavior analytics (Microsoft ATA).
BloodHound "prevention":
- Use NetCease to prevent unprivileged session enumeration.
- Use Samri10 to prevent unprivileged local admin collection (this fix already exists in Windows 10 1607 and above).
Lateral Movement
- Configure GPO to prevent local accounts from network authentication (KB2871997). In addition to this KB, Countercept article is recommending two other changes in the registry:
- Set
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs
= 30. This will clear credentials of logged off users after 30 seconds (mimicking the behavior of Windows 8.1+) - Set
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
= 0. This will prevent Wdigest credentials being stored in memory, again as is the default for Windows 8.1+.
- Ensure local administrator account passwords are automatically changed (Microsoft LAPS) & remove extra local admin accounts.
- Limit workstation to workstation communication (Windows Firewall).
- Test psexec with good credentials between two workstations. If it works, you have a lateral movement problem.
Privilege Escalation
- Remove files with passwords in SYSVOL (including GPP).
- Ensure admins donβt log onto untrusted systems (regular workstations) by configuring DENY user right assignments with GPOs.
- Provide Privileged Access Workstations or PAWs for all highly privileged work. Those should never have access to the Internet.
- Use Managed Service Accounts for SAs when possible (FGPP)
- For systems that do not support Managed Service Accounts, deploy a Fine-Grained Password Policy to ensure the passwords are >32 characters.
- Ensure all computers are talking NTLMv2 & Kerberos, deny LM/NTLMv1.
Protect Administration Credentials
- Ensure all admins only log onto approved admin workstations & servers. (See PAW in Privilege Escalation section)
- Ensure all built-in groups but Administrator are denied from logging on to Domain Controllers user User Right Assignments. By default, Backup operators, Account operators can login to Domain Controllers, which is dangerous.
- Add all admin accounts to Protected Users group (requires Windows 2012 R2 DCs).
- Admin workstations & servers:
Strengthen/Remove Legacy
- Start now by using PingCastle which performs incredible AD audit
- Audit/Restrict NTLM.
- Enforce LDAP signing.
- Enable SMB signing (& encryption where poss.).
- Disable WPAD & LLMNR & work to disable NetBIOS.
- Windows 10, remove:
- SMB 1.0/CIFS
- Windows PowerShell 2.0
- Use shims to enable old applications that require admin privileges to work by believing they have them.
Tools
- PingCastle - an Active Directory audit tool (and free!) with pretty good metrics.
- Responder - A LLMNR, NBT-NS and MDNS poisoner
- BloodHound - Six Degrees of Domain Admin
- AD Control Path - Active Directory Control Paths auditing and graphing tools
- PowerSploit - A PowerShell Post-Exploitation Framework
- PowerView - Situational Awareness PowerShell framework
- Empire - PowerShell and Python post-exploitation agent
- Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
- Tools Cheatsheets - (Beacon, PowerView, PowerUp, Empire, ...)
- UACME - Defeating Windows User Account Control
- Windows System Internals - (Including Sysmon etc.)
- Hardentools - Collection of simple utilities designed to disable a number of "features" exposed by Windows
- CrackMapExec - A swiss army knife for pentesting Windows/Active Directory environments
- SharpSploit
- Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
- Koadic - Koadic, or COM Command & Control, is a Windows post-exploitation rootkit
- SILENTTRINITY - A post-exploitation agent powered by Python, IronPython, C#/.NET
Videos
- Beyond the Mcse: Active Directory for the Security Professional
- BSides DC 2016 - PowerShell Security: Defending the Enterprise from the Latest Attack Platform
- Six Degrees of Domain Admin... - Andy Robbins, Will Schroeder, Rohan Vazarkar
- 111 Attacking EvilCorp Anatomy of a Corporate Hack
- Red vs Blue: Modern Active Directory Attacks & Defense
- Offensive Active Directory with Powershell
- Advanced Incident Detection and Threat Hunting using Sysmon and Splunk
- Real Solutions From Real Incidents: Save Money and Your Job!
- AppLocker Bypass Techniques
Slides
- From Workstation To Domain Admin - Why Secure Administration Isn't Secure
- Exploiting AD Administrator Insecurities
- How to go from Responding to Hunting with Sysinternals Sysmon
- 111 Attacking EvilCorp Anatomy of a Corporate Hack
- Real Solutions From Real Incidents: Save Money and Your Job!
Additional resources
- ADSecurity
- Harmj0y's blog
- Sysmon SecuriTay's configuration file - template with default high-quality event tracing
- Explaining and adapting Tayβs Sysmon configuration and here
- Use of PSExec
- Preventing Mimikatz attacks
- Useful list of Windows Security Log Events
- Introducing SharpSploit: A C# Post-Exploitation Library
- From Kekeo to Rubeus
- Windows oneliners to download remote payload and execute arbitrary code
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings.