├── .DS_Store
├── .gitignore
├── 20230614145346_BloodHound.zip
├── 20230615135413_BloodHound.zip
├── 20230615141409_BloodHound.zip
├── 20230615141922_BloodHound.zip
├── 20230615142934_BloodHound.zip
├── 20230617170902_BloodHound.zip
├── 20250208163630_BloodHound.zip
├── Advanced_monitoring
│   ├── .DS_Store
│   ├── Security_Onion_2.3
│   │   ├── README.md
│   │   ├── SO-Dashboard-Elastic.JPG
│   │   ├── SO-Dashboard.JPG
│   │   ├── SO-Winlogbeat.JPG
│   │   ├── SO-Winlogbeat_Config_Check.JPG
│   │   ├── SO-Winlogbeat_Config_OK.JPG
│   │   ├── SO-Winlogbeat_Service.JPG
│   │   ├── sysmon-config.xml
│   │   └── winlogbeat.yml
│   └── Security_Onion_2.4
│       ├── Images
│       │   ├── so_1.png
│       │   ├── so_10.png
│       │   ├── so_11.png
│       │   ├── so_11a.png
│       │   ├── so_12.png
│       │   ├── so_13.png
│       │   ├── so_14.png
│       │   ├── so_15.png
│       │   ├── so_2.png
│       │   ├── so_3.png
│       │   ├── so_4.png
│       │   ├── so_5.png
│       │   ├── so_6.png
│       │   ├── so_7.png
│       │   ├── so_8.png
│       │   └── so_9.png
│       └── Setup_advanced_monitoring.md
├── Azure_Active_Directory
│   ├── Collect_information_and_hunting.md
│   └── Images
│       ├── aad_0.png
│       ├── aad_1.png
│       ├── aad_2.png
│       ├── aad_3.png
│       ├── aad_4.png
│       ├── aad_5.png
│       ├── aad_6.png
│       ├── sen_1.png
│       ├── sen_2.png
│       ├── sen_3.png
│       ├── sen_4.png
│       ├── sen_5.png
│       ├── wt_1.png
│       ├── wt_2.png
│       ├── wt_3.png
│       └── wt_4.png
├── BloodHound.JPG
├── BloodHound_and_SharpHound.txt
├── Commands.sh
├── Different_hunting_methods
│   ├── .DS_Store
│   ├── Credential_Theft_and_Ransomware_Infection.md
│   ├── Images
│   │   ├── Azure_Arc.png
│   │   ├── Example_1.png
│   │   ├── Hunt_Query_1.png
│   │   ├── Hunt_Query_2.png
│   │   ├── Hunt_Query_3.png
│   │   ├── Hunt_Query_4.png
│   │   ├── adrecon_1.png
│   │   ├── adrecon_10.png
│   │   ├── adrecon_11.png
│   │   ├── adrecon_12.png
│   │   ├── adrecon_13.png
│   │   ├── adrecon_14.png
│   │   ├── adrecon_15.png
│   │   ├── adrecon_2.png
│   │   ├── adrecon_3.png
│   │   ├── adrecon_4.png
│   │   ├── adrecon_5.png
│   │   ├── adrecon_6.png
│   │   ├── adrecon_7.png
│   │   ├── adrecon_8.png
│   │   └── adrecon_9.png
│   ├── In-depth_investigation_active_directory.md
│   ├── Local_host_infection_and_malicious_behavior.md
│   └── Operating_system_configuration_changes.md
├── Links.txt
├── MITRE_ATT&CK_Techniques_Windows_Eventlog_IDs.md
├── PowerShell
│   ├── Create_a_gMSA.ps1
│   ├── Finding_Unused_Group_Policy_Objects.ps1
│   ├── Finding_outdated_software.ps1
│   ├── GPO_Permissions.ps1
│   ├── Generating_group_membership_report.ps1
│   ├── Group_Membership_Report.ps1
│   ├── Hunting_Account_Events.ps1
│   ├── Hunting_AdminSDHolder_SDProp.ps1
│   ├── Hunting_Domain_Information.ps1
│   ├── Hunting_Groupmembership.ps1
│   ├── Hunting_Objects_in_Active_Directory.ps1
│   ├── Hunting_User_Account_Password_Change_LockOut.ps1
│   ├── List_all_SPNs_used.ps1
│   ├── Password_Expiration.ps1
│   ├── README.md
│   ├── Resetting_Password_Unlocking_Accounts.ps1
│   ├── SID_History.ps1
│   ├── Search_AD_Permissions.ps1
│   ├── Search_Replicating_Directory_Changes_permission.ps1
│   ├── Search_stale_accounts.ps1
│   ├── Searching_for_misconfigured_permissions.ps1
│   ├── Tracking_the_Source_of_Account_Lock_Outs_and_Bad_Passwords.ps1
│   ├── TrustedforDelegation.ps1
│   └── Users_without_Manager.ps1
├── README.md
├── Security_compliance_toolkit_and_baselines
│   ├── Analyze_group_policy_objects.md
│   └── Images
│       ├── pol_0.png
│       ├── pol_1.png
│       ├── pol_2.png
│       ├── pol_3.png
│       ├── pol_4.png
│       ├── pol_5.png
│       ├── pol_6.png
│       ├── pol_7.png
│       ├── pol_8.png
│       └── pol_9.png
├── WSL_Kali_Post_Installation.txt
└── WSLg_and_Kali_Win-Kex.txt

/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/.DS_Store
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/20230614145346_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20230614145346_BloodHound.zip
--------------------------------------------------------------------------------
/20230615135413_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20230615135413_BloodHound.zip
--------------------------------------------------------------------------------
/20230615141409_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20230615141409_BloodHound.zip
--------------------------------------------------------------------------------
/20230615141922_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20230615141922_BloodHound.zip
--------------------------------------------------------------------------------
/20230615142934_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20230615142934_BloodHound.zip
--------------------------------------------------------------------------------
/20230617170902_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20230617170902_BloodHound.zip
--------------------------------------------------------------------------------
/20250208163630_BloodHound.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/20250208163630_BloodHound.zip
--------------------------------------------------------------------------------
/Advanced_monitoring/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/.DS_Store
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/README.md:
--------------------------------------------------------------------------------
# Set up advanced monitoring - at no extra cost!
In order for information to be examined quickly and efficiently, I believe it is essential to store it centrally. This is where Security Onion comes in (the tool is free of charge!).

But before information can be examined, advanced logging (in this example, on the domain controllers) must be set up. The following article from the Microsoft documentation is a great starting point.

**Configure Windows Event collection**
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

Now it's time to install and configure Security Onion. The Security Onion Solutions website has really good documentation for installation and configuration. It covers the hardware requirements and everything else needed to get an instance up and running.

> Note: Here you can find the information about the installation and configuration: [Security Onion Documentation](https://docs.securityonion.net/en/2.3/)

After the installation, it is time to set up the agent (Winlogbeat) on all systems that are to be monitored.

*Screenshot: Download Winlogbeat Agent*

When you have downloaded the agent and the installation has completed, you will be asked at the end whether you want to open the directory containing the configuration files. Confirm this so that the directory is opened. This directory contains sample configuration files for the agent. I have provided an example here. The file is written in YAML format.

[Winlogbeat Configuration File](/Advanced_monitoring/Security_Onion_2.3/winlogbeat.yml)

Once you have copied this file into the directory, run a check to see whether everything is OK. YAML is whitespace-sensitive, so a check is always worthwhile.

*Screenshot: Check the Configuration File*

The check must report "OK"; otherwise the service will not start.

*Screenshot: Config OK*

If everything is in order, start the service.

*Screenshot: Start the service*

Now it's time to install Sysmon. You can get the tool directly from the Sysinternals website:

**Live Sysinternals**
https://live.sysinternals.com/

I have downloaded the file Sysmon64.exe. Sysmon is very detailed in its default configuration, but you can define which information is important for you. I will gladly provide you with an example configuration file.

[Sysmon Configuration File](/Advanced_monitoring/Security_Onion_2.3/sysmon-config.xml)

> Note: This configuration file is from @SwiftOnSecurity (many thanks here!) https://github.com/SwiftOnSecurity

Afterwards the installation is done as follows:
- sysmon64.exe -i sysmon-config.xml

When you run Sysmon for the first time, you still have to accept the license terms.
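As an added example (not part of this repository), the following PowerShell script checks that the pieces set up above actually fit together before you go looking for data in Security Onion: both agent services are running, the Winlogbeat configuration passes `winlogbeat test config` (the same "Config OK" the check above expects), the Logstash port from winlogbeat.yml is reachable, and every channel listed in the repository's winlogbeat.yml exists, is enabled and has recorded events recently. The install directory `C:\Program Files\Winlogbeat` and the service names `winlogbeat` and `Sysmon64` are assumptions about a default installation; the Logstash address and the channel list are taken from the winlogbeat.yml in this folder. The channel and Sysmon checks apply equally to the Security Onion 2.4 setup with the Elastic Agent.

```powershell
# Added example (not part of the repository): verify the monitoring pipeline
# described in the README before looking for data in Security Onion.
#
# Assumptions (adjust to your environment):
#   - Winlogbeat was extracted to C:\Program Files\Winlogbeat and installed as
#     the Windows service "winlogbeat" with the bundled install script
#   - Sysmon64.exe was installed, which registers the service "Sysmon64"
#   - the Logstash endpoint and the channel list are those from winlogbeat.yml
# Run from an elevated PowerShell: reading the Security and Sysmon channels
# requires administrative rights.

function Test-MonitoringPipeline {
    [CmdletBinding()]
    param(
        [string]   $WinlogbeatDir = 'C:\Program Files\Winlogbeat',  # assumption
        [string]   $LogstashHost  = '192.168.49.49',                 # from winlogbeat.yml
        [int]      $LogstashPort  = 5044,                            # from winlogbeat.yml
        [int]      $LookbackHours = 1,
        [string[]] $Channels = @(                                    # winlogbeat.event_logs
            'Application',
            'System',
            'Security',
            'ForwardedEvents',   # drop this one if no WEF subscriptions point here
            'Windows PowerShell',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational'
        )
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Both agents must be installed and running.
    foreach ($svcName in 'winlogbeat', 'Sysmon64') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if (-not $svc) {
            $problems.Add("service '$svcName' is not installed")
        } elseif ($svc.Status -ne 'Running') {
            $problems.Add("service '$svcName' is $($svc.Status), not Running")
        }
    }

    # 2. The configuration must pass Winlogbeat's own syntax check; YAML
    #    indentation mistakes surface here, not when the service fails to start.
    $exe = Join-Path $WinlogbeatDir 'winlogbeat.exe'
    if (Test-Path $exe) {
        Push-Location $WinlogbeatDir
        try {
            $output = & .\winlogbeat.exe test config -c .\winlogbeat.yml 2>&1 | Out-String
            if ($LASTEXITCODE -ne 0 -or $output -notmatch 'Config OK') {
                $problems.Add("winlogbeat test config failed: $($output.Trim())")
            }
        } finally {
            Pop-Location
        }
    } else {
        $problems.Add("winlogbeat.exe not found in '$WinlogbeatDir'")
    }

    # 3. The Logstash port must be reachable from this host; the Security Onion
    #    firewall settings decide whether this succeeds.
    $tcp = Test-NetConnection -ComputerName $LogstashHost -Port $LogstashPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $problems.Add("no TCP connection to ${LogstashHost}:$LogstashPort (Security Onion firewall rule?)")
    }

    # 4. Every configured channel must exist, be enabled and have produced events
    #    recently. A missing Sysmon channel means Sysmon was not installed; an empty
    #    PowerShell/Operational channel usually means Module and Script Block
    #    Logging (events 4103/4104) have not been enabled via Group Policy.
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($name in $Channels) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            $problems.Add("channel '$name' does not exist on this host")
            continue
        }
        if (-not $log.IsEnabled) {
            $problems.Add("channel '$name' is disabled")
            continue
        }
        $recent = Get-WinEvent -FilterHashtable @{ LogName = $name; StartTime = $since } `
                               -MaxEvents 1 -ErrorAction SilentlyContinue
        if (-not $recent) {
            $problems.Add("channel '$name' has no events in the last $LookbackHours hour(s)")
        }
    }

    return ,$problems
}

$result = @(Test-MonitoringPipeline)
if ($result.Count -eq 0) {
    Write-Host 'All checks passed: services running, config OK, Logstash reachable, channels flowing.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once on a freshly onboarded host and again after a Group Policy deployment of the agents; a channel that is present but silent points at the Windows audit or PowerShell logging policy rather than at Winlogbeat, which is the distinction the dashboards in Security Onion cannot make for you.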
> Note: You can automate the installation of the Winlogbeat agent and Sysmon very well with a group policy object.

If you have made all preparations, you can now open the URL of your Security Onion (as defined by you during the installation) and check whether the information has arrived.

*Screenshot: Dashboard*

*Screenshot: Elastic Dashboard*

---
## *HAPPY HUNTING!*
---
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/SO-Dashboard-Elastic.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.3/SO-Dashboard-Elastic.JPG
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/SO-Dashboard.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.3/SO-Dashboard.JPG
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat.JPG
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat_Config_Check.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat_Config_Check.JPG
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat_Config_OK.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat_Config_OK.JPG
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat_Service.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.3/SO-Winlogbeat_Service.JPG
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.3/winlogbeat.yml:
--------------------------------------------------------------------------------
###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name, id, xml_query, tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml.
# The xml_query key requires an id and must not be used with the name,
# ignore_older, level, event_id, or provider keys. Please visit the
# documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: ForwardedEvents
    tags: [forwarded]

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: Microsoft-Windows-Sysmon/Operational

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  # Commented out as well: output.elasticsearch is disabled above and Winlogbeat
  # allows only one output to be active (the Logstash output below is used).
  #hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.49.49:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the winlogbeat.
#instrumentation:
    # Set to true to enable instrumentation of winlogbeat.
    #enabled: false

    # Environment in which winlogbeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_1.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_10.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_11.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_11a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_11a.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_12.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_13.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_14.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_15.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_2.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_3.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_4.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_5.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_6.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_7.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_8.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Images/so_9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/1077603066cb47ba9adc3a4fea367d5eecf2db18/Advanced_monitoring/Security_Onion_2.4/Images/so_9.png
--------------------------------------------------------------------------------
/Advanced_monitoring/Security_Onion_2.4/Setup_advanced_monitoring.md:
--------------------------------------------------------------------------------
# Set up advanced monitoring with the Security Onion - at no extra cost!
In order for information to be examined quickly and efficiently, I believe it is essential to store it centrally. This is where Security Onion comes in (the tool is free of charge!).

But before information can be examined, advanced logging (in this example, on the domain controllers) must be set up. The following article from the Microsoft documentation is a great starting point.

**Configure Windows Event collection**
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

Now it's time to install and configure Security Onion. The Security Onion Solutions website has really good documentation for installation and configuration. It covers the hardware requirements and everything else needed to get an instance up and running.
> Note: Here you can find the information about the installation and configuration: [Security Onion Documentation](https://docs.securityonion.net/en/2.4/)

**Use the new Security Onion 2.4**

*Screenshot: Use the new Security Onion 2.4*

> Note: If you are still using the Winlogbeat agent, you should uninstall it before installing the new agent.

**Stop the service - it should be removed after the uninstall**

*Screenshot: Check the service*

**Uninstall old agents if necessary**

*Screenshot: Uninstall old agents*

**The status of the Security Onion**

After the installation of Security Onion, it is time to set up the agent (Elastic Agent) on all systems that are to be monitored. First, check the status of the Security Onion.

**At the console**

```
sudo so-status
```

*Screenshot: Check the status*

**With the browser**

*Screenshot: Check the status*

**The firewall settings**

But before we start with the installation of the agent, we first need to adjust the Security Onion firewall settings so that the agent can communicate with the Security Onion.

*Screenshot: Firewall Settings*

**Download the agent**

*Screenshot: Download the agent*

**Install the agent (elevated rights)**

*Screenshot: Install the agent*

**Accept warning and install the agent**

*Screenshot: Accept warning and install the agent*

**The installation starts**

*Screenshot: The installation starts*

**The installation is complete**

*Screenshot: The installation is complete*

**Check the service**

*Screenshot: Check the service*

## Now it's time to install Sysmon. You can get the tool directly from the Sysinternals website:

**Live Sysinternals**
https://live.sysinternals.com/

I have downloaded the file Sysmon64.exe. Sysmon is very detailed in its default configuration, but you can define which information is important for you. I will gladly provide you with an example configuration file.

[Sysmon Configuration File](/Advanced_monitoring/Security_Onion_2.3/sysmon-config.xml)

> Note: This configuration file is from @SwiftOnSecurity (many thanks here!) https://github.com/SwiftOnSecurity

Afterwards the installation is done as follows:

```
sysmon64.exe -i sysmon-config.xml
```

When you run Sysmon for the first time, you still have to accept the license terms.

*Screenshot: Accept the license terms*

> Note: You can automate the installation of the Elastic Agent and Sysmon very well with a group policy object.

If you have made all preparations, you can now open the URL of your Security Onion (as defined by you during the installation) and check whether the information has arrived.

*Screenshot: Dashboard*

*Screenshot: Fleet Agents*

**This is an example of the information that is collected**

*Screenshot: Information*

---
## *HAPPY MONITORING!*
---
--------------------------------------------------------------------------------
/Azure_Active_Directory/Collect_information_and_hunting.md:
--------------------------------------------------------------------------------
# Collect information in Entra ID with AzureADRecon and hunt with Microsoft Sentinel!
2 | 3 | ## As always we start with a list of MITRE techniques: 4 | 5 | ### Initial Access 6 | 7 | **Drive-by Compromise** 8 | https://attack.mitre.org/techniques/T1189/ 9 | 10 | **Exploit Public-Facing Application** 11 | https://attack.mitre.org/techniques/T1190/ 12 | 13 | **External Remote Services** 14 | https://attack.mitre.org/techniques/T1133/ 15 | 16 | **Phishing** 17 | https://attack.mitre.org/techniques/T1566/ 18 | 19 | **Phishing: Spearphishing Link** 20 | https://attack.mitre.org/techniques/T1566/002/ 21 | 22 | **Valid Accounts** 23 | https://attack.mitre.org/techniques/T1078/ 24 | 25 | ### Execution 26 | 27 | **Command and Scripting Interpreter** 28 | https://attack.mitre.org/techniques/T1059/ 29 | 30 | ### Persistence 31 | 32 | **Account Manipulation** 33 | https://attack.mitre.org/techniques/T1098/ 34 | 35 | **Create Account** 36 | https://attack.mitre.org/techniques/T1136/ 37 | 38 | **Office Application Startup** 39 | https://attack.mitre.org/techniques/T1137/ 40 | 41 | ### Credential Access 42 | 43 | **Brute Force** 44 | https://attack.mitre.org/techniques/T1110/ 45 | 46 | ### Discovery 47 | 48 | **Permission Groups Discovery** 49 | https://attack.mitre.org/techniques/T1069/ 50 | 51 | ## AzureADRecon 52 | 53 | > **Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that!** 54 | https://github.com/adrecon/AzureADRecon 55 | 56 | **Installing:** 57 | 58 | Download the tool, the easiest way is to save the .zip file right away. 59 | 60 | Download 61 | 62 | > Note: **Attention: It is possible that the antimalware program reacts during the download** 63 | 64 | If you have git installed, you can start by cloning the repository: 65 | 66 | git clone https://github.com/adrecon/AzureADRecon.git 67 | 68 | If you downloaded the tool using a zip file, extract the zip file and place it in a location that you can easily find again. If you cloned the repository, a folder was created directly. 
Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extracted/cloned folder.

Navigate to the folder

In order to get started we need one more prerequisite, in my case the PowerShell AzureAD module. You are welcome to work with Microsoft Graph instead, but this requires additional preparation afterwards.

```
Install-Module AzureAD -Verbose -Force -AllowClobber
```

Install AzureAD Module

Don't forget, we need to adjust the execution policy in PowerShell!

```
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
```

Execution Policy

> **Note: In order to work with this tool, you need an account that has sufficient rights in Entra ID.**

**To run AzureADRecon (will prompt for credentials)**

```
PS C:\AzureADRecon-master> .\AzureADRecon.ps1
```

or

```
PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds
```

> **Note: To get the report as a spreadsheet, Excel must be installed on the system.**

**The report is created in the same folder**

Report

**Now open the report and start the investigation and analysis**

Open the Report

**User Stats**

User Stats

**Users**

Users

**Directory Roles**

Directory Roles

**Directory Roles Members**

Directory Roles Members

**Devices**

Devices

## Hunting with Microsoft Sentinel

Now we have detailed information from the Microsoft tenant. The information was not collected just like that, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel.

In Microsoft Sentinel, we can directly access the incidents from the overview.

Sentinel Incidents

**List of incidents**

List of incidents

**View full incident details**

View full incident details

**Now the deep dive into the incident**

Deep dive

**Investigate each incident**

Investigate

---
## *HAPPY INVESTIGATING!*
---
--------------------------------------------------------------------------------
/BloodHound_and_SharpHound.txt:
--------------------------------------------------------------------------------

##On Kali Linux

#Update the repo metadata
sudo apt update && sudo apt upgrade -y

#Install BloodHound
sudo apt install bloodhound

#This will start the DB
sudo neo4j console

#Copy the link and open it in a browser
#Enter username (neo4j) and password (neo4j) and then change the password

#Back in the terminal start BloodHound
bloodhound

#The browser starts, enter the username (neo4j) and the new password

##On a Windows system that has joined the Active Directory

#To work with BloodHound you need data in your database, for this you can use SharpHound
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

#Be careful, SharpHound triggers the anti-malware protection
SharpHound --CollectionMethods All

#Or
SharpHound --CollectionMethods Group,LocalAdmin,GPOLocalGroup,Session,LoggedOn,Trusts,ACL,Container,RDP,ObjectProps,DCOM,SPNTargets,PSRemote,LocalGroup

--------------------------------------------------------------------------------
/Commands.sh:
--------------------------------------------------------------------------------

#Check the winlogbeat config file
C:\Program Files\Elastic\Beats\8.7.1>winlogbeat.cmd test config -c "C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml" -e

#Install sysmon (Change to the directory where you downloaded Sysmon)
Sysmon64.exe -i sysmon-config.xml

--------------------------------------------------------------------------------
/Different_hunting_methods/Credential_Theft_and_Ransomware_Infection.md:
--------------------------------------------------------------------------------

# Credential Theft and Ransomware Infection!
## We start with a list of MITRE techniques (Credential Theft):

**OS Credential Dumping**
https://attack.mitre.org/techniques/T1003/

**Native API**
https://attack.mitre.org/techniques/T1106/

**Unsecured Credentials: Credentials in Registry**
https://attack.mitre.org/techniques/T1552/002/

**Steal or Forge Kerberos Tickets: Kerberoasting**
https://attack.mitre.org/techniques/T1558/003/

**Indicator Removal: File Deletion**
https://attack.mitre.org/techniques/T1070/004/

**Query Registry**
https://attack.mitre.org/techniques/T1012/

**Password Policy Discovery**
https://attack.mitre.org/techniques/T1201/

## The Windows Event IDs for the MITRE techniques!

**OS Credential Dumping**

- Event ID: 1003 (LSASS credential dumping)

https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/

**Native API**

- Event ID: 4656 (A handle to an object was requested)
- Event ID: 4663 (An attempt was made to access an object)

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

**Unsecured Credentials: Credentials in Registry**

- Event ID: 4657 (A registry value was modified)

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure

**Steal or Forge Kerberos Tickets: Kerberoasting**

- Event ID: 4769 (A Kerberos service ticket was requested)
- Event ID: 4771 (Kerberos pre-authentication failed)

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769

**Indicator Removal: File Deletion**

- Event ID: 4660 (An object was deleted)

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660

**Query Registry**

- Event ID: 4663 (An attempt was made to access an object)
- Event ID: 4656 (A handle to an object was requested)
- Event ID: 4657 (A registry value was modified)

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry

**Password Policy Discovery**

- Event ID: 4793 (The Password Policy Checking API was called)

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793

## The list of MITRE techniques (Ransomware Infection):

**Command and Scripting Interpreter**
https://attack.mitre.org/techniques/T1059/

**System Network Configuration Discovery**
https://attack.mitre.org/techniques/T1016/

**System Network Connections Discovery**
https://attack.mitre.org/techniques/T1049/

**Event Triggered Execution**
https://attack.mitre.org/techniques/T1546/

**Dynamic Resolution**
https://attack.mitre.org/techniques/T1568/

## Devices integrated in Microsoft Defender for Endpoint

**If there is any suspicion or a concrete compromise on a device, you can isolate it immediately!**

Device Isolation

### Hunt for ransomware infection!
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-find-ransomware

**Stopping multiple processes using taskkill.exe**

```
// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe"
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10
```

**Stopping processes using net stop**

```
// Find attempts to stop processes using net stop
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10
```

**Deletion of data on multiple drives using cipher.exe**

```
// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe"
// cipher.exe /w flag used for deleting data
| where ProcessCommandLine has "/w"
| summarize CipherCount = dcount(ProcessCommandLine),
    CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// cipher.exe accessing multiple drives in a short timeframe
| where CipherCount > 1
```

**Clearing of forensic evidence from event logs using wevtutil**

```
// Look for use of wevtutil to clear multiple logs
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10
```

**Turning off services using sc.exe**

```
// Look for sc.exe disabling services
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10
```

**Turning off System Restore**

```
DeviceProcessEvents
// Pivoting for rundll32
| where InitiatingProcessFileName =~ 'rundll32.exe'
// Looking for empty command line
    and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
// Looking for schtasks.exe as the created process
    and FileName in~ ('schtasks.exe')
// Disabling system restore
    and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
    and ProcessCommandLine has 'disable'
```

**Backup deletion**

```
DeviceProcessEvents
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
    ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName
```
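Every hunt above follows one pattern: filter rows, then `summarize dcount(X), make_set(X) by Key, bin(Timestamp, Nm)`, then a threshold. The Python below is an example added here (not code from the repository) that emulates that pattern offline over constructed events so the logic can be tested without a Defender tenant: the taskkill.exe and wevtutil hunts from this section, and then the same aggregation applied to Security Event ID 4769, which the Event ID table above lists for Kerberoasting. The RC4 (0x17) encryption-type filter, the machine-account/krbtgt exclusion and the thresholds in the 4769 case are assumptions of this example, not from the page.

```python
"""Offline emulation of the hunting pattern behind the KQL queries on this page.
Example code added for this page, not from the original repository. Each query above is:
filter rows, summarize dcount(X), make_set(X) by Key, bin(Timestamp, Nm), where dcount > N.
Events below are constructed sample data; field names follow the KQL above and, for
Event ID 4769, the Windows Security log (TargetUserName, ServiceName, TicketEncryptionType)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def bin_start(ts, minutes):
    """KQL bin(Timestamp, Nm): floor the timestamp to the start of its N-minute bin."""
    width = timedelta(minutes=minutes)
    return EPOCH + ((ts - EPOCH) // width) * width


def has_term(text, term):
    """Approximate KQL 'has': case-insensitive whole-term match, not a substring match."""
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", text, re.IGNORECASE) is not None


def summarize_dcount(events, key_field, value_field, bin_minutes, threshold):
    """summarize dcount(value), make_set(value) by key, bin(Timestamp, bin_minutes)
    | where dcount > threshold. One hit per (key, bin) over the threshold."""
    buckets = defaultdict(set)
    for ev in events:
        buckets[(ev[key_field], bin_start(ev["Timestamp"], bin_minutes))].add(ev[value_field])
    return [{"key": key, "bin": start, "count": len(vals), "set": sorted(vals)}
            for (key, start), vals in sorted(buckets.items()) if len(vals) > threshold]


def hunt_taskkill(process_events, threshold=10):
    """'Stopping multiple processes using taskkill.exe' from this page:
    FileName =~ "taskkill.exe", dcount(ProcessCommandLine) by DeviceId, bin 2m, > 10."""
    rows = [e for e in process_events if e["FileName"].lower() == "taskkill.exe"]
    return summarize_dcount(rows, "DeviceId", "ProcessCommandLine", 2, threshold)


def hunt_wevtutil_clear(process_events, threshold=10):
    """'Clearing of forensic evidence from event logs using wevtutil' from this page:
    ProcessCommandLine has "WEVTUTIL" and has "CL", by DeviceId, bin 5m, > 10."""
    rows = [e for e in process_events
            if has_term(e["ProcessCommandLine"], "wevtutil") and has_term(e["ProcessCommandLine"], "cl")]
    return summarize_dcount(rows, "DeviceId", "ProcessCommandLine", 5, threshold)


def hunt_kerberoast_4769(security_events, threshold=5, bin_minutes=5):
    """Same aggregation over Security Event ID 4769 (listed above for Kerberoasting): one
    account requesting tickets for many distinct SPNs in a short window. The RC4 filter
    (TicketEncryptionType 0x17) and the exclusion of machine accounts ('$') and krbtgt are
    assumptions of this example, not from the page."""
    rows = [e for e in security_events
            if e["EventID"] == 4769 and e["TicketEncryptionType"].lower() == "0x17"
            and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]
    return summarize_dcount(rows, "TargetUserName", "ServiceName", bin_minutes, threshold)


# Constructed DeviceProcessEvents: 12 distinct taskkill lines on DEV-01 inside one 2-minute
# bin (ransomware-style mass kill); DEV-02 shows 3 kills and one single log clear (benign).
_T0 = datetime(2024, 5, 1, 10, 0, 0)
PROCESS_EVENTS = [
    {"DeviceId": "DEV-01", "Timestamp": _T0 + timedelta(seconds=5 * i),
     "FileName": "taskkill.exe", "ProcessCommandLine": f"taskkill /F /IM {name}.exe"}
    for i, name in enumerate(["sqlservr", "oracle", "ocssd", "dbsnmp", "synctime", "agntsvc",
                              "isqlplussvc", "xfssvccon", "mydesktopservice", "ocautoupds",
                              "encsvc", "firefox"])
] + [
    {"DeviceId": "DEV-02", "Timestamp": _T0 + timedelta(seconds=30 * i),
     "FileName": "taskkill.exe", "ProcessCommandLine": f"taskkill /PID {1000 + i}"}
    for i in range(3)
] + [
    {"DeviceId": "DEV-02", "Timestamp": _T0 + timedelta(seconds=60),
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c wevtutil cl Security"},
]

# Constructed Security events: svc-web requests RC4 tickets for 6 distinct SPNs within 20 s;
# alice's AES (0x12) request and svc-web's machine-account and krbtgt requests must not count.
_T1 = datetime(2024, 5, 1, 11, 3, 10)
SECURITY_EVENTS = [
    {"EventID": 4769, "Timestamp": _T1 + timedelta(seconds=3 * i), "TargetUserName": "svc-web",
     "ServiceName": spn, "TicketEncryptionType": "0x17"}
    for i, spn in enumerate(["MSSQLSvc/db1", "MSSQLSvc/db2", "http/intranet",
                             "CIFS/files", "exchangeMDB/mail", "ldap/dc1"])
] + [
    {"EventID": 4769, "Timestamp": _T1, "TargetUserName": "svc-web",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Timestamp": _T1, "TargetUserName": "alice",
     "ServiceName": "CIFS/files", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Timestamp": _T1, "TargetUserName": "svc-web",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for hit in hunt_taskkill(PROCESS_EVENTS) + hunt_kerberoast_4769(SECURITY_EVENTS):
        print(f"{hit['key']} {hit['bin']:%H:%M} dcount={hit['count']} {hit['set'][:3]} ...")
```

Tune the thresholds to your own baseline: the page's `> 10` for taskkill is what the Microsoft query uses, while the `> 5` SPN threshold for 4769 is only a starting point for this example.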
--------------------------------------------------------------------------------
/Different_hunting_methods/In-depth_investigation_active_directory.md:
--------------------------------------------------------------------------------

# In-depth investigation and analysis of the Active Directory with ADRecon!

## As always we start with a list of MITRE techniques:

### Discovery

**Password Policy Discovery**
https://attack.mitre.org/techniques/T1201/

**Permission Groups Discovery**
https://attack.mitre.org/techniques/T1069/

**Account Discovery**
https://attack.mitre.org/techniques/T1087/

### Credential Access

**Steal or Forge Kerberos Tickets**
https://attack.mitre.org/techniques/T1558

**Steal or Forge Kerberos Tickets: Kerberoasting**
https://attack.mitre.org/techniques/T1558/003/

### Collection

**Data from Information Repositories**
https://attack.mitre.org/techniques/T1213/

## Examine the Active Directory without elevated rights!

**I use this account for the investigation**

- The system used here is a member of the domain (in this example > bot.pri)

```
whoami
```

whoami

**We are looking for information about the domain**

```
net user /domain
```

Domain Information

**We are looking for information about a specific account (svc1)**

```
net user /domain svc1
```

Specific Account Information

**We are looking for information about a specific account (svc2)**

```
net user /domain svc2
```

Specific Account Information

## ADRecon

> **Note: The ADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that!**
https://github.com/adrecon/ADRecon

Download the tool; the easiest way is to save the .zip file right away.
> Note: **Attention: It is possible that the antimalware program reacts during the download**

Download

**Unzip the file, open PowerShell and move into the extracted folder**

Unzip

**Set the execution policy to unrestricted**

Execution Policy

**Run ADRecon (we do not need elevated rights for the examination)**

Run ADRecon

> **Note: To get the report as a spreadsheet, Excel must be installed on the system.**

**The report is created in the same folder**

Report

**Now open the report and start the investigation and analysis**

Open the report

**User Stats**

User Stats

**Users**

Users

**User SPNs**

User SPNs

**Let's hunt for kerberoastable accounts**

Hunt for User SPNs

**Now we can use the hashes and hunt for the password**

Hunt for the password

--------------------------------------------------------------------------------
/Different_hunting_methods/Local_host_infection_and_malicious_behavior.md:
--------------------------------------------------------------------------------

# Local host infection and malicious behavior!
## We start with a list of MITRE techniques:

**Indicator Removal: File Deletion**
https://attack.mitre.org/techniques/T1070/004/

**Obfuscated Files or Information**
https://attack.mitre.org/techniques/T1027/

**Deobfuscate/Decode Files or Information**
https://attack.mitre.org/techniques/T1140/

**System Binary Proxy Execution: Rundll32**
https://attack.mitre.org/techniques/T1218/011/

**Hijack Execution Flow: DLL Search Order Hijacking**
https://attack.mitre.org/techniques/T1574/001/

**Command and Scripting Interpreter**
https://attack.mitre.org/techniques/T1059/

**Indicator Removal**
https://attack.mitre.org/techniques/T1070/

**Hide Artifacts: NTFS File Attributes**
https://attack.mitre.org/techniques/T1564/004/

**Subvert Trust Controls: Code Signing**
https://attack.mitre.org/techniques/T1553/002/

**Archive Collected Data**
https://attack.mitre.org/techniques/T1560/

**Scheduled Task/Job**
https://attack.mitre.org/techniques/T1053/

**Command and Scripting Interpreter: PowerShell**
https://attack.mitre.org/techniques/T1059/001/

**System Services: Service Execution**
https://attack.mitre.org/techniques/T1569/002/

**Native API**
https://attack.mitre.org/techniques/T1106/

**Event Triggered Execution: Accessibility Features**
https://attack.mitre.org/techniques/T1546/008/

**Boot or Logon Autostart Execution: Shortcut Modification**
https://attack.mitre.org/techniques/T1547/009/

**Create or Modify System Process: Windows Service**
https://attack.mitre.org/techniques/T1543/003/

**Hijack Execution Flow: Path Interception by PATH Environment Variable**
https://attack.mitre.org/techniques/T1574/007/

**Event Triggered Execution: Windows Management Instrumentation Event Subscription**
https://attack.mitre.org/techniques/T1546/003/

**Data Staged**
https://attack.mitre.org/techniques/T1074/

## The Windows Event IDs for the MITRE techniques!

**Indicator Removal: File Deletion (T1070/004)**
This technique involves deleting files that could provide indicators of an attacker's presence or activity. Possible Windows Event IDs associated with this technique are **4660** (An object was deleted), **4663** (An attempt was made to access an object), **5140** (A network share object was accessed), **5145** (A network share object was checked to see whether client can be granted desired access), and **5156** (The Windows Filtering Platform has permitted a connection).

**Obfuscated Files or Information (T1027)**
This technique involves obfuscating files or information to make them more difficult to detect or analyze. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4103** (Windows PowerShell log), **4104** (Windows PowerShell log), and **400** (Windows Defender Application Control blocked an operation).

**Deobfuscate/Decode Files or Information (T1140)**
This technique involves decrypting or deobfuscating files or information that were previously encrypted or obfuscated. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4103** (Windows PowerShell log), **4104** (Windows PowerShell log), and **4656** (A handle to an object was requested).

**System Binary Proxy Execution: Rundll32 (T1218/011)**
This technique involves the execution of malicious code via the system binary rundll32.exe, which is used to load and execute functions from DLL files. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4656** (A handle to an object was requested), **4658** (The handle to an object was closed) and **4697** (A service was installed in the system).

**Hijack Execution Flow: DLL Search Order Hijacking (T1574/001)**
This technique involves placing a malicious DLL file in a directory that is searched before the legitimate DLL file's directory to hijack the execution flow. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4656** (A handle to an object was requested), **4658** (The handle to an object was closed), and **4697** (A service was installed in the system).

**Command and Scripting Interpreter (T1059)**
This technique involves running commands or scripts through a command or script interpreter such as cmd.exe, powershell.exe, or bash. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4103** (Windows PowerShell log), **4104** (Windows PowerShell log), and **8004** (Script ran by AMSI).

**Indicator Removal on Host: Clear Command History (T1070/003)**
This technique involves clearing the command history from a command line session to remove traces of an attacker's activities. Possible Windows Event IDs associated with this technique are none because this action is not logged.

**Hide Artifacts: NTFS File Attributes (T1564/004)**
This technique involves exploiting NTFS file attributes such as Alternate Data Streams or Hidden Attributes to hide files or information. Possible Windows Event IDs associated with this technique are **4656** (A handle to an object was requested), **4660** (An object was deleted), **4663** (An attempt was made to access an object), and **4690** (An attempt was made to duplicate a handle to an object).

**Subvert Trust Controls: Code Signing (T1553/002)**
This technique involves subverting trust controls by signing malicious code with stolen or forged certificates to feign code authenticity and integrity. Possible Windows Event IDs associated with this technique are **4656** (A handle to an object was requested), **4658** (The handle to an object was closed), **4697** (A service was installed in the system), **5038** (Code integrity determined that the image hash of a file is not valid) and **6281** (Code integrity determined that the page hashes of an image file are not valid).

**Archive Collected Data (T1560)**
This technique involves archiving collected data in a compressed or encrypted file or container to facilitate transfer or storage. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4656** (A handle to an object was requested), **4660** (An object was deleted), and **4663** (An attempt was made to access an object).

**Scheduled Task/Job (T1053)**
This technique involves creating or modifying scheduled tasks or jobs to execute malicious code at specific times or events.
Possible Windows Event IDs associated with this technique are **106** (Scheduled task registered), **140** (Scheduled task updated), **141** (Scheduled task deleted), **4698** (A scheduled task was created), **4699** (A scheduled task was deleted), and **4702** (A scheduled task was updated).

**Command and Scripting Interpreter: PowerShell (T1059/001)**
This technique involves running commands or scripts through the PowerShell interpreter. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4103** (Windows PowerShell log), **4104** (Windows PowerShell log), and **8004** (Script ran by AMSI).

**System Services: Service Execution (T1569/002)**
This technique involves executing malicious code as a system service or via a system service. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4697** (A service was installed in the system), **7045** (A service was installed in the system), and **7036** (The service entered the running state).

**Native API (T1106)**
This technique involves executing malicious code via native API functions such as CreateProcess or CreateThread that are not logged by higher levels of the Windows API. Possible Windows Event IDs associated with this technique are none, as this action is not logged.

**Event Triggered Execution: Accessibility Features (T1546/008)**
This technique involves exploiting accessibility features such as sticky keys or Ease of Access Center to execute malicious code at logon. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4624** (An account was successfully logged on) and **4648** (A logon was attempted using explicit credentials).
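Added example, not part of this repository: the Scheduled Task/Job (T1053) entry above lists 4698 and 4702, and those two events carry the complete task definition in their TaskContent / TaskContentNew field, which is what tells you what the task will actually run. The PowerShell below parses that field out of the event XML, emits one object per Exec action and flags launch patterns worth triage, so it complements the schtasks.exe hunting queries in this file and in Operating_system_configuration_changes.md from the event-log side. The function names, the two sample events and the heuristics are constructed for this example.

```powershell
function Test-SuspiciousTaskAction {
    # Heuristic reasons (not verdicts) why a task's Exec action deserves triage
    param([string]$Command, [string]$Arguments)
    $line = "$Command $Arguments"
    $reasons = @()
    if ($line -match '\\(Users|ProgramData|Temp|AppData)\\') { $reasons += 'runs from a user-writable path' }
    if ($line -match '-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden') { $reasons += 'PowerShell bypass/hidden switches' }
    if ($line -match '\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded PowerShell command' }
    if ($Command -match '(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?"?\s*$') { $reasons += 'proxy-execution binary (T1218) as task command' }
    return $reasons
}

function ConvertFrom-ScheduledTaskEvent {
    # Takes one Security event as XML (e.g. $event.ToXml()) and emits one object per
    # <Exec> action found in TaskContent (4698) or TaskContentNew (4702).
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$ev = $EventXml
        $sys = $ev.Event.System
        $eventId = if ($sys.EventID -is [System.Xml.XmlElement]) { [int]$sys.EventID.InnerText } else { [int]$sys.EventID }
        if ($eventId -notin 4698, 4702) { return }
        $data = @{}   # flatten <Data Name="...">value</Data> pairs
        foreach ($d in $ev.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $content = if ($data['TaskContentNew']) { $data['TaskContentNew'] } else { $data['TaskContent'] }
        if (-not $content) { return }
        [xml]$task = $content   # task definition in the Task Scheduler XML schema
        foreach ($exec in @($task.Task.Actions.Exec)) {
            if ($null -eq $exec) { continue }   # ComHandler/Email actions carry no <Exec>
            $reasons = @(Test-SuspiciousTaskAction -Command $exec.Command -Arguments $exec.Arguments)
            [pscustomobject]@{
                Computer   = $sys.Computer
                EventId    = $eventId
                Technique  = 'T1053 Scheduled Task/Job'
                Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                TaskName   = $data['TaskName']
                Command    = $exec.Command
                Arguments  = $exec.Arguments
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

function Find-SuspiciousScheduledTask {
    # Without -EventXml, reads the live Security log; with it, works on supplied event XML
    [CmdletBinding()]
    param([string[]]$EventXml, [int]$MaxEvents = 500)
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4702 } `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
    }
    $EventXml | ConvertFrom-ScheduledTaskEvent
}

function New-SampleTaskEventXml {
    # Builds a constructed 4698/4702 event so the pipeline can be exercised offline
    param([string]$TaskName, [string]$Command, [string]$Arguments, [int]$EventId = 4698)
    $esc = [System.Security.SecurityElement]
    $taskXml = '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">' +
        "<Actions Context=""Author""><Exec><Command>$($esc::Escape($Command))</Command>" +
        "<Arguments>$($esc::Escape($Arguments))</Arguments></Exec></Actions></Task>"
    $field = if ($EventId -eq 4702) { 'TaskContentNew' } else { 'TaskContent' }
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>$EventId</EventID>
    <Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">$($esc::Escape($TaskName))</Data>
    <Data Name="$field">$($esc::Escape($taskXml))</Data>
  </EventData>
</Event>
"@
}

# Constructed samples: a benign built-in task and a persistence-style task (4702 = task updated)
$samples = @(
    (New-SampleTaskEventXml -TaskName '\Microsoft\Windows\Defrag\ScheduledDefrag' `
        -Command '%windir%\system32\defrag.exe' -Arguments '-c -h -o')
    (New-SampleTaskEventXml -TaskName '\Updater' -Command 'powershell.exe' -EventId 4702 `
        -Arguments '-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\update.ps1')
)
Find-SuspiciousScheduledTask -EventXml $samples | Format-Table TaskName, EventId, Suspicious, Reasons -AutoSize
```

On a live host, run `Find-SuspiciousScheduledTask` without `-EventXml`; it requires the "Audit Other Object Access Events" subcategory to be enabled, otherwise 4698/4702 are never written.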

**Boot or Logon Autostart Execution: Shortcut Modification (T1547/009)**
This technique involves modifying shortcuts executed at logon or system startup to execute malicious code. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4624** (An account was successfully logged on), and **4648** (A logon was attempted using explicit credentials).

**Create or Modify System Process: Windows Service (T1543/003)**
This technique involves creating or modifying a Windows service to execute or persist malicious code. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4697** (A service was installed in the system), **7045** (A service was installed in the system), and **7036** (The service entered the running state).

**Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574/007)**
This technique involves manipulating the PATH environment variable to execute a malicious executable instead of a legitimate one. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created) and **4656** (A handle to an object was requested).

**Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546/003)**
This technique involves creating or modifying a WMI event subscription to execute malicious code on a specific event. Possible Windows Event IDs associated with this technique are **19** (WMIEventFilter activity detected), **20** (WMIEventConsumer activity detected), **21** (WMIEventConsumerToFilter activity detected), and **5861** (WMI Event Subscription).

**Data Staged (T1074)**
This technique involves storing collected data in a temporary or hidden location on the system or network in preparation for later access or exfiltration. Possible Windows Event IDs associated with this technique are **4656** (A handle to an object was requested), **4660** (An object was deleted), **4663** (An attempt was made to access an object), and **5140** (A network share object was accessed).

## Links to the Microsoft documentation for some Windows Event IDs:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-592

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4103

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

## If you have included your client systems in Microsoft Defender for Endpoint, you can research threats with advanced hunting.

**Example query 1:**
Hunt for scheduled task creation:
```kusto
DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "create"
| project DeviceName, AccountName, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```

Hunting Query

**Example query 2:**
Hunt for network configuration discovery:
```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "Get-WmiObject Win32_NetworkAdapterConfiguration"
```

**Example query 3:**
Hunt for execution of a DLL with rundll32.exe using CMD:
```kusto
DeviceProcessEvents
| where FileName == "cmd.exe"
| where ProcessCommandLine contains "rundll32"
```
--------------------------------------------------------------------------------
/Different_hunting_methods/Operating_system_configuration_changes.md:
--------------------------------------------------------------------------------
# Operating System Configuration Changes!

## We start with a list of MITRE techniques:

**Event Triggered Execution: Accessibility Features**
https://attack.mitre.org/techniques/T1546/008/

**Event Triggered Execution: Windows Management Instrumentation Event Subscription**
https://attack.mitre.org/techniques/T1546/003/

**Input Capture: Credential API Hooking**
https://attack.mitre.org/techniques/T1056/004/

**Process Injection**
https://attack.mitre.org/techniques/T1055/

**Command and Scripting Interpreter**
https://attack.mitre.org/techniques/T1059/

**Impair Defenses: Disable or Modify Tools**
https://attack.mitre.org/techniques/T1562/001/

**Hide Artifacts: NTFS File Attributes**
https://attack.mitre.org/techniques/T1564/004/

**Indicator Removal: File Deletion**
https://attack.mitre.org/techniques/T1070/004/

**Subvert Trust Controls: Code Signing**
https://attack.mitre.org/techniques/T1553/002/

**System Binary Proxy Execution**
https://attack.mitre.org/techniques/T1218/

**Data Staged**
https://attack.mitre.org/techniques/T1074/

## The Windows Event IDs for the MITRE techniques!

**Event Triggered Execution: Accessibility Features (T1546/008)**
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows Event ID: Not specified

**Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546/003)**
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. Windows Event ID: 19, 20, 21

**Input Capture: Credential API Hooking (T1056/004)**
Adversaries may use Credential API Hooking to steal credentials and other sensitive data.
Windows Event ID: Not specified

**Process Injection (T1055)**
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Windows Event ID: 86

**Command and Scripting Interpreter (T1059)**
This technique involves running commands or scripts through a command or script interpreter such as cmd.exe, powershell.exe, or bash. Possible Windows Event IDs associated with this technique are **592** (A new process has been created), **4688** (A new process has been created), **4103** (Windows PowerShell log), **4104** (Windows PowerShell log), and **8004** (Script ran by AMSI).

**Impair Defenses: Disable or Modify Tools (T1562/001)**
Adversaries may disable security tools to avoid detection of their malware/tools and activities. Windows Event ID: Not specified

**Hide Artifacts: NTFS File Attributes (T1564/004)**
This technique involves exploiting NTFS file attributes such as Alternate Data Streams or Hidden Attributes to hide files or information. Possible Windows Event IDs associated with this technique are **4656** (A handle to an object was requested), **4660** (An object was deleted), **4663** (An attempt was made to access an object), and **4690** (An attempt was made to duplicate a handle to an object).

**Indicator Removal: File Deletion (T1070/004)**
This technique involves deleting files that could provide indicators of an attacker's presence or activity. Possible Windows Event IDs associated with this technique are **4660** (An object was deleted), **4663** (An attempt was made to access an object), **5140** (A network share object was accessed), **5145** (A network share object was checked to see whether client can be granted desired access), and **5156** (The Windows Filtering Platform has permitted a connection).

**Subvert Trust Controls: Code Signing (T1553/002)**
Adversaries may abuse code signing to subvert trust controls in order to validate malicious software as being produced by a legitimate software vendor. Windows Event ID: Not specified

**System Binary Proxy Execution (T1218/011)**
Adversaries may execute their own malicious payloads by hijacking the binaries or commands of a system binary. Windows Event ID: Not specified

**Data Staged (T1074)**
This technique involves storing collected data in a temporary or hidden location on the system or network in preparation for later access or exfiltration. Possible Windows Event IDs associated with this technique are **4656** (A handle to an object was requested), **4660** (An object was deleted), **4663** (An attempt was made to access an object), and **5140** (A network share object was accessed).

## Links to the Microsoft documentation for some Windows Event IDs:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-592

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4103

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

## If you have included your client systems in Microsoft Defender for Endpoint, you can research threats with advanced hunting.

**Example query 1:**
Hunt for registry key creation under Image File Execution Options (IFEO) for accessibility features:
```kusto
DeviceRegistryEvents
| where RegistryKey contains "Image File Execution Options"
| where ActionType == "RegistryKeyCreated"
```

Hunting Query

**Example query 2:**
Hunt for process injection with mavinject.exe:
```kusto
DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName =~ "mavinject.exe"
| where InitiatingProcessCommandLine contains "/INJECTRUNNING"
| extend targetProcess = (parsejson(AdditionalFields).TargetProcess).CommandLine
| project DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, targetProcess
```

**Example query 3:**
Hunt for scheduled task creation:
```kusto
DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ActionType == "ProcessCreated"
```

Hunting Query

**Example query 4:**
Hunt for exclusions being added to the Defender (MDE) policy:
```kusto
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "-ExecutionPolicy Bypass"
| where ProcessCommandLine contains "Defender"
```

Hunting Query

## Azure Arc: Monitor file and registry integrity!

**You can integrate your on-premises server systems with Azure Arc to monitor the systems specifically.**

Azure Arc
--------------------------------------------------------------------------------
/Links.txt:
--------------------------------------------------------------------------------
Security Onion Documentation
https://docs.securityonion.net

Configure Windows Event collection
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

Steal or Forge Kerberos Tickets: Kerberoasting
https://attack.mitre.org/techniques/T1558/003/

Event ID 4611 (often generated by mimikatz): A trusted logon process has been registered with the local System authority.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611

Event ID 4673 (often generated by mimikatz): when the tool tries to assign itself missing permissions.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673

4662(S, F): An operation was performed on an object
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662#security-monitoring-recommendations

Security assessment: Unsecure SID History attributes
https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute

4625(F): An account failed to log on
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

Brute Force
https://attack.mitre.org/techniques/T1110/

4740(S): A user account was locked out
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
--------------------------------------------------------------------------------
/MITRE_ATT&CK_Techniques_Windows_Eventlog_IDs.md:
--------------------------------------------------------------------------------
# MITRE ATT&CK Techniques and the Windows Eventlog IDs

## Steal or Forge Kerberos Tickets: Kerberoasting
https://attack.mitre.org/techniques/T1558/003/

**4769(S, F): A Kerberos service ticket was requested**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769

## Credential Access
https://attack.mitre.org/tactics/TA0006/

**4611(S): A trusted logon process has been registered with the Local Security Authority**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611

**4673(S, F): A privileged service was called**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673

**4662(S, F): An operation was performed on an object**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662#security-monitoring-recommendations

## Access Token Manipulation
https://attack.mitre.org/techniques/T1134/

**5136(S): A directory service object was modified**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136

**4661(S, F): A handle to an object was requested**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661

**5137(S): A directory service object was created**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137

**5141(S): A directory service object was deleted**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141

## OS Credential Dumping: DCSync
https://attack.mitre.org/techniques/T1003/006/

**4932(S): Synchronization of a replica of an Active Directory naming context has begun**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932

## Access Token Manipulation: SID-History Injection
https://attack.mitre.org/techniques/T1134/005/

**Security assessment: Unsecure SID History attributes**
https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute

**4765(S): SID History was added to an account**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765

## Indicator Removal: Clear Windows Event Logs
https://attack.mitre.org/techniques/T1070/001/

**1102(S): The audit log was cleared**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102

**Security monitoring recommendations for many audit events**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events

## Brute Force
https://attack.mitre.org/techniques/T1110/

**4740(S): A user account was locked out**
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

--------------------------------------------------------------------------------
/PowerShell/Create_a_gMSA.ps1:
--------------------------------------------------------------------------------
#The first step, create the root key

#Use this command in a production environment (Important: wait 10h for replication)
Add-KdsRootKey -EffectiveImmediately

#This command is intended for a test environment only
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

#Create a new group
New-ADGroup -Name TestMSA `
    -GroupScope DomainLocal `
    -Description "Group for servers of TestMSA" `
    -DisplayName "Test gMSA group" `
    -GroupCategory Security `
    -SAMAccountName TestMSA `
    -PassThru

#To this group I now add the "Members"
Add-ADGroupMember -Identity TestMSA `
    -Members "dc01$","dc02$" `
    -PassThru

#Control
Get-ADGroupMember -Identity TestMSA

#Now create a new account
New-ADServiceAccount -Name SvcAcnt1 `
    -DNSHostName SvcAcnt1.corp.pri `
    -PassThru

#The account will be edited now
Set-ADServiceAccount -Identity SvcAcnt1 `
    -PrincipalsAllowedToRetrieveManagedPassword TestMSA `
    -PrincipalsAllowedToDelegateToAccount TestMSA `
    -PassThru

#Before running this cmdlet, the systems must be restarted (so that group membership is applied)
Invoke-Command -ComputerName dc02 -ScriptBlock {Restart-Computer -Force}

#Install the service account on DC02
Invoke-Command -ComputerName dc02 -ScriptBlock {Install-ADServiceAccount -Identity SvcAcnt1}

#Control
Invoke-Command -ComputerName dc02 -ScriptBlock {Test-ADServiceAccount -Identity SvcAcnt1}

#Now in services we can select this account for a specific service
--------------------------------------------------------------------------------
/PowerShell/Finding_Unused_Group_Policy_Objects.ps1:
--------------------------------------------------------------------------------
###
#A GPO that is either not linked or linked to empty OUs!
###

#Sort OUs with GPO links by whether or not they have non-OU children

#Get all OUs with GPO links:
Get-ADOrganizationalUnit -Filter {LinkedGroupPolicyObjects -like "*"} | Format-Table Name

#For each OU, we need to:
$OU = 'OU=Desktops,OU=Luzern,DC=prime,DC=pri'
Get-ADObject -Filter {ObjectClass -ne 'OrganizationalUnit'} -SearchBase $OU

#Loop through them all
ForEach($OU in Get-ADOrganizationalUnit -Filter {LinkedGroupPolicyObjects -like "*"}){
    $objects = $null
    $objects = Get-ADObject -Filter {ObjectClass -ne 'OrganizationalUnit'} -SearchBase $OU
    If($objects){
        [pscustomobject]@{
            OU = $OU
            Empty = $false
        }
    }Else{
        [pscustomobject]@{
            OU = $OU
            Empty = $true
        }
    }
}

#Yes, functionize that please
Function Get-ADOUStatus {
    param (
        [string]$Filter = '*'
    )
    ForEach($OU in Get-ADOrganizationalUnit -Filter $Filter){
        $objects = $null
        $objects = Get-ADObject -Filter {ObjectClass -ne 'OrganizationalUnit'} -SearchBase $OU
        If($objects){
            [pscustomobject]@{
                OU = $OU
                Empty = $false
                LinkedGPOs = [bool]$OU.LinkedGroupPolicyObjects
            }
        }Else{
            [pscustomobject]@{
                OU = $OU
                Empty = $true
                LinkedGPOs = [bool]$OU.LinkedGroupPolicyObjects
            }
        }
    }
}

#Usage
Get-ADOUStatus

#Find GPOs linked to those empty OUs

#Store the OU status in a variable
$emptyOUs = Get-ADOUStatus | Where-Object {$_.Empty -and $_.LinkedGPOs}

#Get the linked GPO Guids
$emptyOUs[0].OU.LinkedGroupPolicyObjects

#Convert it to a GPO
$emptyOUs[0].OU.LinkedGroupPolicyObjects[0].Substring(4,36)
#Or regex (named capture group "guid", read back from $Matches)
$emptyOUs[0].OU.LinkedGroupPolicyObjects[0] -match '^cn=\{(?<guid>[^\{\}]+)\}'
$Matches.guid

Get-GPO -Guid $emptyOUs[0].OU.LinkedGroupPolicyObjects[0].Substring(4,36)

#Object to build output
$GPOsLinkedToEmptyOUs = @()

ForEach($OU in $emptyOUs.OU){
    ForEach($GPOGuid in $OU.LinkedGroupPolicyObjects){
        $GPO = Get-GPO -Guid $GPOGuid.Substring(4,36)
        Write-Host "GPO: '$($GPO.DisplayName)' is linked to empty OU: $($OU.Name)"
        If($GPOsLinkedToEmptyOUs.GPOId -contains $GPO.Id){
            ForEach($LinkedGPO in ($GPOsLinkedToEmptyOUs | Where-Object {$_.GPOId -eq $GPO.Id})){
                $LinkedGPO.EmptyOU = [string[]]$LinkedGPO.EmptyOU + "$($OU.DistinguishedName)"
            }
        }Else{
            $GPOsLinkedToEmptyOUs += [PSCustomObject]@{
                GPOName = $GPO.DisplayName
                GPOId = $GPO.Id
                EmptyOU = $OU.DistinguishedName
                NonEmptyOU = ''
            }
        }
    }
}

#result
$GPOsLinkedToEmptyOUs | Format-List

#Check if those GPOs are linked to any OUs with children
$nonEmptyOUs = Get-ADOUStatus | Where-Object {-not $_.Empty}
ForEach($OU in $nonEmptyOUs.OU){
    ForEach($GPO in $GPOsLinkedToEmptyOUs){
        ForEach($GPOGuid in $OU.LinkedGroupPolicyObjects){
            If($GPOGuid.Substring(4,36) -eq $GPO.GPOId){
                Write-Host "GPO: '$($GPO.GPOName)' also linked to non-empty OU: $($OU.Name)"
                If($GPO.NonEmptyOU){
                    $GPO.NonEmptyOU = [string[]]$GPO.NonEmptyOU + $OU.DistinguishedName
                }Else{
                    $GPO.NonEmptyOU = $OU.DistinguishedName
                }
            }
        }
    }
}

#Now
$GPOsLinkedToEmptyOUs | Format-List

#Bring it all together into a function with useful output
Function Get-GPOStatus {
    [cmdletbinding()]
    Param()
    Function Get-ADOUStatus {
        param (
            [string]$Filter = '*'
        )
        ForEach($OU in Get-ADOrganizationalUnit -Filter $Filter){
            $objects = $null
            $objects = Get-ADObject -Filter {ObjectClass -ne 'OrganizationalUnit'} -SearchBase $OU
            If($objects){
                [pscustomobject]@{
                    OU = $OU
                    Empty = $false
                    LinkedGPOs = [bool]$OU.LinkedGroupPolicyObjects
                }
            }Else{
                [pscustomobject]@{
                    OU = $OU
                    Empty = $true
                    LinkedGPOs = [bool]$OU.LinkedGroupPolicyObjects
                }
            }
        }
    }
    $OUs = Get-ADOUStatus | Where-Object {$_.LinkedGPOs}
    $GPOsLinkedToEmptyOUs = @()
    ForEach($OU in ($OUs | Where-Object {$_.empty}).OU){
        ForEach($GPOGuid in $OU.LinkedGroupPolicyObjects){
            $GPO = Get-GPO -Guid $GPOGuid.Substring(4,36)
            Write-Verbose "GPO: '$($GPO.DisplayName)' is linked to empty OU: $($OU.Name)"
            If($GPOsLinkedToEmptyOUs.GPOId -contains $GPO.Id){
                ForEach($LinkedGPO in ($GPOsLinkedToEmptyOUs | Where-Object {$_.GPOId -eq $GPO.Id})){
                    $LinkedGPO.EmptyOU = [string[]]$LinkedGPO.EmptyOU + "$($OU.DistinguishedName)"
                }
            }Else{
                $GPOsLinkedToEmptyOUs += [PSCustomObject]@{
                    GPOName = $GPO.DisplayName
                    GPOId = $GPO.Id
                    EmptyOU = $OU.DistinguishedName
                    NonEmptyOU = ''
                }
            }
        }
    }
    ForEach($OU in ($OUs | Where-Object {-not $_.empty}).OU){
        ForEach($GPO in $GPOsLinkedToEmptyOUs){
            ForEach($GPOGuid in $OU.LinkedGroupPolicyObjects){
                If($GPOGuid.Substring(4,36) -eq $GPO.GPOId){
                    Write-Verbose "GPO: '$($GPO.GPOName)' also linked to non-empty OU: $($OU.Name)"
                    If($GPO.NonEmptyOU){
                        $GPO.NonEmptyOU = [string[]]$GPO.NonEmptyOU + $OU.DistinguishedName
                    }Else{
                        $GPO.NonEmptyOU = $OU.DistinguishedName
                    }
                }
            }
        }
    }
    $GPOsLinkedToEmptyOUs
}

#Usage
Get-GPOStatus -Verbose | Format-List

#Finding unused GPOs
Get-GPOStatus | Where-Object {$_.EmptyOU -and -not $_.NonEmptyOU}
--------------------------------------------------------------------------------
/PowerShell/Finding_outdated_software.ps1:
--------------------------------------------------------------------------------
###############################################
#Finding Missing Patches and Outdated Software
###############################################

#We search for all updates that are not hidden and not installed
(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search("IsHidden=0 and IsInstalled=0").Updates | Select-Object Title

#Search in the registry for the installed software (32-bit applications on 64-bit Windows)
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, Publisher, DisplayVersion, InstallDate

#Search in the registry for the installed software (64-bit applications)
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, Publisher, DisplayVersion, InstallDate
--------------------------------------------------------------------------------
/PowerShell/GPO_Permissions.ps1:
--------------------------------------------------------------------------------
#Domain Policy Modification
#https://attack.mitre.org/techniques/T1484/

#How to give users access to Group Policy Objects
#https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/give-users-access-group-policy-objects


Get-GPO -All

Get-GPPermission "nameofgpo" -All
--------------------------------------------------------------------------------
/PowerShell/Generating_group_membership_report.ps1:
--------------------------------------------------------------------------------
#Gather info about a single User's group membership
(Get-ADUser 'Max.Pane' -Properties MemberOf).MemberOf

#Nicely formatted
(Get-ADUser 'Max.Pane' -Properties MemberOf).MemberOf | ForEach-Object {Get-ADGroup $_}

#Multiple Users
Get-ADUser -Filter {Title -like '*Manager*'} -Properties MemberOf

#Format
$users = Get-ADUser -Filter {Title -like '*Manager*'} -Properties MemberOf
foreach($user in $users){
    [pscustomobject]@{
        Name = $user.Name
        User = $user.SamAccountName
        Memberships = ($user.MemberOf | ForEach-Object{Get-ADGroup $_}).Name
    }
}

#Install the Excel module
Install-Module ImportExcel -Scope CurrentUser -Force -AllowClobber

#Import the module
Import-Module ImportExcel

#Make it presentable
$userGroups = @()
$users = Get-ADUser -Filter {Title -like '*Manager*'} -Properties MemberOf
foreach($user in $users){
    $userGroups += [pscustomobject]@{
        User = $user.SamAccountName
        Name = $user.Name
        Memberships = ($user.MemberOf | ForEach-Object{Get-ADGroup $_}).Name -join ', '
    }
}
$userGroups | Export-Excel .\UserGroups.xlsx -Title 'Manager Group Memberships'

#Validate
Import-Excel .\UserGroups.xlsx -StartRow 2

#Functionize it!
Function Get-ADUserGroupMembershipReport {
    [CmdletBinding()]
    Param(
        [Parameter(
            ValueFromPipeline = $true
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity,
        [Parameter(
            Mandatory = $true
        )]
        [string]$FilePath,
        [string]$Title = 'AD User Membership Report',
        [string[]]$Properties
    )
    begin{
        $out = @()
    }
    process{
        #MemberOf is always needed in addition to the requested properties
        $propertiesToQuery = $Properties + 'MemberOf'
        $user = Get-ADUser $Identity -Properties $propertiesToQuery
        $tmp = [pscustomobject]@{
            User = $user.SamAccountName
            Name = $user.Name
            Memberships = ($user.MemberOf | ForEach-Object{Get-ADGroup $_}).Name -join ', '
        }
        ForEach($property in $Properties){
            $tmp | Add-Member -MemberType NoteProperty -Name $property -Value $user."$property"
        }
        $out += $tmp
    }
    end{
        $out | Export-Excel $FilePath -Title $Title
    }
}

#Usage
Get-ADUserGroupMembershipReport -Identity 'Max.Pane' -FilePath .\Test.xlsx -Title "Max's Memberships"

#Verify
Import-Excel .\Test.xlsx -StartRow 2
Remove-Item .\Test.xlsx

#All of a manager's reports
Get-ADUser -Filter {Manager -eq 'Max.Pane'} |
    Get-ADUserGroupMembershipReport -FilePath .\Test.xlsx -Properties Title -Title "Minion membership report for Max Pane"
--------------------------------------------------------------------------------
/PowerShell/Group_Membership_Report.ps1:
--------------------------------------------------------------------------------
#Some Preparations
Install-Module ImportExcel
Import-Module ImportExcel

#Gather info
#Single User's group membership:
(Get-ADUser 'Leonard.Clark' -Properties MemberOf).MemberOf

#Nicely formatted
(Get-ADUser 'Leonard.Clark' -Properties MemberOf).MemberOf | ForEach-Object {Get-ADGroup $_}

#Multiple Users
Get-ADUser -Filter {Title -like '*Engineer*'} -Properties MemberOf
#Format
$users = Get-ADUser -Filter {Title -like '*Engineer*'} -Properties MemberOf
foreach($user in $users){
    [pscustomobject]@{
        Name = $user.Name
        User = $user.SamAccountName
        Memberships = ($user.MemberOf | ForEach-Object{Get-ADGroup $_}).Name
    }
}

#Make it presentable
$userGroups = @()
$users = Get-ADUser -Filter {Title -like '*Engineer*'} -Properties MemberOf
foreach($user in $users){
    $userGroups += [pscustomobject]@{
        User = $user.SamAccountName
        Name = $user.Name
        Memberships = ($user.MemberOf | ForEach-Object{Get-ADGroup $_}).Name -join ', '
    }
}
$userGroups | Export-Excel .\UserGroups.xlsx -Title 'Engineer Group Memberships'

#Validate
Import-Excel .\UserGroups.xlsx -StartRow 2
--------------------------------------------------------------------------------
/PowerShell/Hunting_Account_Events.ps1:
--------------------------------------------------------------------------------
#Indicator Removal: Clear Windows Event Logs
#https://attack.mitre.org/techniques/T1070/001/


#Remote Session
Enter-PSSession -ComputerName DC01

#Prep work for lockouts
#Account lockout Event ID
$LockOutID = 4740

#Find the PDC (lockouts are always recorded on the PDC emulator)
(Get-ADDomain).PDCEmulator
$PDCEmulator = (Get-ADDomain).PDCEmulator

#Query event log
Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Parse the event
#Assign to a variable
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Examine some properties
$events[0].Message

#Cool, but not as easy as:
$events[0].Properties
$events[0].Properties[1].Value

#For all events:
ForEach($event in $events){
    [pscustomobject]@{
        UserName = $event.Properties[0].Value
        CallerComputer = $event.Properties[1].Value
        TimeStamp = $event.TimeCreated
    }
}
--------------------------------------------------------------------------------
/PowerShell/Hunting_AdminSDHolder_SDProp.ps1:
--------------------------------------------------------------------------------
#Define the path to the AdminSDHolder container
#(defaultNamingContext is the domain this session is connected to; rootDomainNamingContext would point to the forest root even from a child domain)
$adminSDHolderPath = "CN=AdminSDHolder,CN=System," + (Get-ADRootDSE).defaultNamingContext

#Get the ACLs for the AdminSDHolder container
$acl = Get-Acl -Path "AD:\$adminSDHolderPath"

#Output the ACLs
Write-Host "AdminSDHolder ACLs:"
foreach ($ace in $acl.Access) {
    Write-Host "`tIdentity: $($ace.IdentityReference)"
    Write-Host "`t`tAccessControlType: $($ace.AccessControlType)"
    Write-Host "`t`tRights: $($ace.ActiveDirectoryRights)"
    Write-Host "`t`tIsInherited: $($ace.IsInherited)"
}

#Get the security descriptor of the domain object (objectClass domainDNS)
$sdpropConfig = Get-ADObject -Filter 'objectClass -eq "domainDNS"' -Property ntsecuritydescriptor

#Output of the SDProp configuration
Write-Host "SDProp-Configuration:"
Write-Host "`tOwner: $($sdpropConfig.ntsecuritydescriptor.Owner)"
Write-Host "`tGroup: $($sdpropConfig.ntsecuritydescriptor.Group)"

#Get the SDProp execution frequency from the PDC's registry.
#The value only exists when somebody changed it; without it the default of 3600 seconds (60 minutes) applies.
$pdc = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
$sdpropFrequency = Invoke-Command -ComputerName $pdc -ScriptBlock {
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "AdminSDProtectFrequency" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "AdminSDProtectFrequency"
}
if (-not $sdpropFrequency) { $sdpropFrequency = 3600 }

#Output of the SDProp execution frequency
Write-Host "SDProp is executed every $([int]$sdpropFrequency) seconds."
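The script above prints the AdminSDHolder ACL once; what a hunter usually wants is to know whether it changed since the last review, and whether SDProp has left behind accounts that still carry adminCount=1 (and therefore a non-inherited, possibly stale ACL) although they are no longer in a protected group. The following is an added example, not code from this repository: it snapshots the ACL to an XML file, diffs later runs against that snapshot, and finds orphaned adminCount users with an LDAP_MATCHING_RULE_IN_CHAIN filter. It assumes the ActiveDirectory module is loaded and the caller can read the domain; the baseline path in the usage lines is a placeholder.

```powershell
# Added example (not part of this repository): AdminSDHolder ACL drift and orphaned adminCount users.
# Assumptions: ActiveDirectory module available, read access to the domain, placeholder baseline path.
Import-Module ActiveDirectory

Function Get-AdminSDHolderAce {
    # One normalized string per ACE so that two snapshots can be compared with Compare-Object
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $acl.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritanceType
    } | Sort-Object -Unique
}

Function Export-AdminSDHolderBaseline {
    Param ([Parameter(Mandatory = $true)][string]$Path)
    # Run once from a reviewed, known-good state
    Get-AdminSDHolderAce | Export-Clixml -Path $Path
}

Function Compare-AdminSDHolderAcl {
    Param ([Parameter(Mandatory = $true)][string]$BaselinePath)
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-AdminSDHolderAce
    # '=>' means the ACE exists now but not in the baseline (added);
    # '<=' means the baseline ACE is gone (removed). No output = no drift.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Select-Object @{n='Change';e={ if ($_.SideIndicator -eq '=>') {'Added'} else {'Removed'} }},
                      @{n='Ace';e={ $_.InputObject }}
}

Function Get-OrphanedAdminCountUser {
    # Protected groups are exactly the groups SDProp has stamped with adminCount=1
    # (including nested groups it reached). Transitive members of them are legitimately protected.
    $protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'
    $memberOfAny = ($protectedGroups | ForEach-Object {
        "(memberOf:1.2.840.113556.1.4.1941:=$($_.DistinguishedName))"   # LDAP_MATCHING_RULE_IN_CHAIN
    }) -join ''
    # Administrator and krbtgt are protected by SDProp directly, not through a group
    $ldap = "(&(objectCategory=person)(adminCount=1)(!(sAMAccountName=Administrator))(!(sAMAccountName=krbtgt))(!(|$memberOfAny)))"
    Get-ADUser -LDAPFilter $ldap -Properties adminCount,whenChanged |
        Select-Object SamAccountName,DistinguishedName,whenChanged
}

#Usage (paths are placeholders)
#Export-AdminSDHolderBaseline -Path 'C:\Baselines\AdminSDHolder.xml'
#Compare-AdminSDHolderAcl -BaselinePath 'C:\Baselines\AdminSDHolder.xml'
#Get-OrphanedAdminCountUser
```

An ACE that shows up as `Added` is worth the same attention as a new Domain Admins member, because SDProp copies it onto every protected account within the next run. Orphaned adminCount users are not an attack by themselves, but they keep ACL inheritance disabled and are easy to overlook in delegation reviews; clearing adminCount and re-enabling inheritance is the usual clean-up.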
--------------------------------------------------------------------------------
/PowerShell/Hunting_Domain_Information.ps1:
--------------------------------------------------------------------------------
#Get the current forest in Active Directory
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

#Get the current domain in Active Directory
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

#Define the root domain of the forest
$ForestRootDomain = 'prime.pri'

#Get all trust relationships for the specified forest
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestRootDomain)))).GetAllTrustRelationships()

#Get all trust relationships for the current domain
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

#Get all global catalogs in the current forest
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

#Discover Enterprise Services without Network Scanning
#Remote Desktop hosts (TERMSRV SPN)
Get-ADComputer -Filter {ServicePrincipalName -like "*TERMSRV*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedToAuthForDelegation

#PowerShell remoting hosts (WinRM SPN)
Get-ADComputer -Filter {ServicePrincipalName -like "*WinRM*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedToAuthForDelegation

#Discover Service Accounts (user accounts that carry an SPN)
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedToAuthForDelegation

#Discover Computers without Network Scanning (primary group 515 = Domain Computers)
Get-ADComputer -Filter {PrimaryGroupID -eq "515"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedToAuthForDelegation

#Discover Domain Controllers without Network Scanning (primary group 516 = Domain Controllers)
Get-ADComputer -Filter {PrimaryGroupID -eq "516"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedToAuthForDelegation

#Identify Admin Accounts
Get-ADUser -Filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf

#Find Admin Groups
Get-ADGroup -Filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}

#Identify Domain Password Policy
Get-ADDefaultDomainPasswordPolicy

#Identify Fine-Grained Password Policies
Get-ADFineGrainedPasswordPolicy -Filter *

#Identify Managed Service Accounts & Group Managed Service Accounts
Get-ADServiceAccount -Filter * -Properties *
--------------------------------------------------------------------------------
/PowerShell/Hunting_Groupmembership.ps1:
--------------------------------------------------------------------------------
#Import Active Directory module
Import-Module ActiveDirectory

#Retrieve all users in AD
$users = Get-ADUser -Filter *

#Go through all users
foreach ($user in $users) {
    #Retrieve the properties
    $username = $user.SamAccountName

    #Get the group memberships
    $groups = Get-ADUser $user.SamAccountName | Get-ADPrincipalGroupMembership | Select-Object -ExpandProperty Name

    #Format and output the information
    Write-Host "Username: $username"
    Write-Host "`tGroupMembership:"

    foreach ($group in $groups) {
        Write-Host "`t`t$group"
    }
}
--------------------------------------------------------------------------------
/PowerShell/Hunting_Objects_in_Active_Directory.ps1:
--------------------------------------------------------------------------------
#Import Active Directory module
Import-Module ActiveDirectory

#Retrieve all objects in AD
$objects = Get-ADObject -Filter *

#Go through all objects
foreach ($object in $objects) {
    #Check if the object is a user account
    if ($object.ObjectClass -eq "user") {
        #Output the information
        Write-Host "User account: $($object.DistinguishedName)"

        #Check if this is a service account
        if ($object.UserPrincipalName) {
            Write-Host "`tServiceAccount"
        }

        #Check if the account has service principal names
        try {
            $spn = Get-ADUser $($object.DistinguishedName) -Property ServicePrincipalNames
            if ($spn.ServicePrincipalNames) {
                Write-Host "`tHas Service Principal Names"
            }
        } catch {
            #No action required
        }
    }
    #Check if this is a computer account
    elseif ($object.ObjectClass -eq "computer") {
        Write-Host "Computer account: $($object.DistinguishedName)"
    }
}
--------------------------------------------------------------------------------
/PowerShell/Hunting_User_Account_Password_Change_LockOut.ps1:
--------------------------------------------------------------------------------
#Import Active Directory module
Import-Module ActiveDirectory

#Get all users in AD
$users = Get-ADUser -Filter * -Property PasswordLastSet, LockedOut

#Go through all users
foreach ($user in $users) {
    #Retrieve the properties
    $username = $user.SamAccountName
    $passwordLastSet = $user.PasswordLastSet
    $lockedOut = $user.LockedOut

    #Format and output the information
    Write-Host "Username: $username"
    Write-Host "`tLast password change: $passwordLastSet"

    #Check the lock status
    if ($lockedOut) {
        Write-Host "`tThe account is LOCKED"
    } else {
        Write-Host "`tThe account is NOT locked."
    }
}
--------------------------------------------------------------------------------
/PowerShell/List_all_SPNs_used.ps1:
--------------------------------------------------------------------------------
#Create a DirectorySearcher object to search Active Directory
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")

#Set the filter to search for objects with servicePrincipalName attribute
$search.filter = "(servicePrincipalName=*)"

#Execute the search and get all results
$results = $search.FindAll()

#Iterate through each result
foreach($result in $results)
{
    #Get the directory entry for the current result
    $userEntry = $result.GetDirectoryEntry()

    #Output the name of the object with specific background and foreground colors
    Write-Host "Object Name = " $userEntry.name -BackgroundColor "yellow" -ForegroundColor "black"

    #Output the distinguished name of the object
    Write-Host "DN = " $userEntry.distinguishedName

    #Output the object category
    Write-Host "Object Cat. = " $userEntry.objectCategory

    #Output the service principal names
    Write-Host "servicePrincipalNames"

    $i=1

    #Iterate through each service principal name and output it
    foreach($SPN in $userEntry.servicePrincipalName)
    {
        Write-Host "SPN(" $i ") = " $SPN
        $i+=1
    }

    #Output an empty line for better readability
    Write-Host ""
}

##########################################################
#This is another way to list all SPNs used in the domain
##########################################################

#Import Active Directory module
Import-Module ActiveDirectory

#Retrieve all objects in Active Directory
$objects = Get-ADObject -Filter *

#Iterate through each object
foreach ($object in $objects) {
    #Check if the object is a user account
    if ($object.ObjectClass -eq "user") {
        #Output the distinguished name of the user account
        Write-Host "User account: $($object.DistinguishedName)"

        #Check if this is a service account by looking for UserPrincipalName
        if ($object.UserPrincipalName) {
            Write-Host "`tServiceAccount"
        }

        #Check if the account has service principal names
        try {
            $spn = Get-ADUser $($object.DistinguishedName) -Property ServicePrincipalNames
            if ($spn.ServicePrincipalNames) {
                Write-Host "`tHas Service Principal Names"
            }
        } catch {
            #No action required if an error occurs
        }
    }
    #Check if this is a computer account
    elseif ($object.ObjectClass -eq "computer") {
        #Output the distinguished name of the computer account
        Write-Host "Computer account: $($object.DistinguishedName)"
    }
}
--------------------------------------------------------------------------------
/PowerShell/Password_Expiration.ps1:
--------------------------------------------------------------------------------
#Account Manipulation
#https://attack.mitre.org/techniques/T1098/

#Getting the password expiration date
#msDS-UserPasswordExpiryTimeComputed property
$userParams = @{
    Identity = 'Leonard.Clark'
    Properties = 'Name','msDS-UserPasswordExpiryTimeComputed'
}
Get-ADUser @userParams | Format-Table $userParams['Properties']

#Save to a variable
$user = Get-ADUser @userParams

#Try Get Date (the value is a Windows FILETIME, so Get-Date interprets it as .NET ticks and returns the wrong date)
Get-Date $user.'msDS-UserPasswordExpiryTimeComputed'

#.NET
[datetime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
$expirationDate = [datetime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')

#Now how far away is that?
New-TimeSpan -Start (Get-Date) -End $expirationDate

#Finding all users with soon expiring passwords
#First we need a filter:
$filter = {Enabled -eq $true -and PasswordNeverExpires -eq $false}

#Get all those users
Get-ADUser -Filter $filter

#Then define what 'soon' is
$days = 7

#Convert that to filetime
$date = (Get-Date).AddDays($days).ToFileTime()

$date

#And get all the users
Get-ADUser -Filter $filter -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    Where-Object {$_.'msDS-UserPasswordExpiryTimeComputed' -lt $date} | Select-Object UserPrincipalName
--------------------------------------------------------------------------------
/PowerShell/README.md:
--------------------------------------------------------------------------------
# PowerShell, MITRE ATT&CK and Microsoft Documentation

In this directory are a few PowerShell example scripts for examining Active Directory. Some scripts also contain MITRE ATT&CK techniques and references to the Microsoft documentation.
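Password_Expiration.ps1 above calls `[datetime]::FromFileTime()` on msDS-UserPasswordExpiryTimeComputed directly, which works for Leonard.Clark but throws for any account whose password never expires: the attribute then returns 0x7FFFFFFFFFFFFFFF, which is outside the FILETIME range, and it returns 0 for an account that must change its password at next logon. The following is an added example, not code from this repository, that handles both special values and turns the query into a report which also flags service accounts (user objects with an SPN) whose password never expires. It assumes the ActiveDirectory module is loaded; `Get-ADPasswordExpiryReport` and the `NonExpiringWithSPN` column are names chosen here.

```powershell
# Added example (not part of this repository): password expiry report that survives the
# sentinel values of msDS-UserPasswordExpiryTimeComputed. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

Function ConvertFrom-PasswordExpiryTime {
    Param ([object]$Value)
    # 0x7FFFFFFFFFFFFFFF (= [int64]::MaxValue) means "password never expires" and makes
    # [datetime]::FromFileTime() throw; 0 means "must change password at next logon".
    if ($null -eq $Value)                        { return 'Unknown' }
    if ([int64]$Value -eq 0)                     { return 'MustChangeAtNextLogon' }
    if ([int64]$Value -eq [int64]::MaxValue)     { return 'NeverExpires' }
    return [datetime]::FromFileTime([int64]$Value)
}

Function Get-ADPasswordExpiryReport {
    [CmdletBinding()]
    Param ([int]$Days = 7)   # reporting window for "expires soon"
    $cutoff = (Get-Date).AddDays($Days)
    $props  = 'msDS-UserPasswordExpiryTimeComputed','PasswordNeverExpires','ServicePrincipalName','PasswordLastSet'
    Get-ADUser -Filter {Enabled -eq $true} -Properties $props | ForEach-Object {
        $expiry = ConvertFrom-PasswordExpiryTime $_.'msDS-UserPasswordExpiryTimeComputed'
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            PasswordLastSet     = $_.PasswordLastSet
            Expires             = $expiry
            # only a real date can be compared with the cutoff
            ExpiresWithinWindow = ($expiry -is [datetime]) -and ($expiry -le $cutoff)
            # service accounts (SPN set) with a non-expiring password deserve a second look
            NonExpiringWithSPN  = ($expiry -is [string]) -and ($expiry -eq 'NeverExpires') -and ($_.ServicePrincipalName.Count -gt 0)
        }
    }
}

#Usage
#Get-ADPasswordExpiryReport -Days 14 | Where-Object { $_.ExpiresWithinWindow -or $_.NonExpiringWithSPN } | Format-Table
```

The `-is [datetime]` / `-is [string]` guards matter: comparing a `[datetime]` with a string using `-eq` makes PowerShell try to convert the string to a date and fail, so the type check has to come first.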
--------------------------------------------------------------------------------
/PowerShell/Resetting_Password_Unlocking_Accounts.ps1:
--------------------------------------------------------------------------------
#Account Manipulation
#https://attack.mitre.org/techniques/T1098/


#Get-Member
Get-ADUser -Filter * -Properties * | Get-Member -MemberType property

#Resetting passwords
#Current state
Get-ADUser 'Jonathan.Fisher' -Properties PasswordExpired,LockedOut | Format-Table Name,PasswordExpired,LockedOut

#Reset the password (lab sample; use Read-Host -AsSecureString to keep the password out of the script)
$securePassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
Set-ADAccountPassword 'Jonathan.Fisher' -NewPassword $securePassword -Reset

#Force a password change
Set-ADUser 'Jonathan.Fisher' -ChangePasswordAtLogon $true

#Current state
Get-ADUser 'Jonathan.Fisher' -Properties PasswordExpired,LockedOut | Format-Table Name,PasswordExpired,LockedOut

#Unlocking accounts
#Current State
Get-ADUser 'Leonard.Clark' -Properties LockedOut | Format-Table Name,LockedOut

#Unlock that account
Unlock-ADAccount 'Leonard.Clark'
--------------------------------------------------------------------------------
/PowerShell/SID_History.ps1:
--------------------------------------------------------------------------------
#Access Token Manipulation: SID-History Injection
#https://attack.mitre.org/techniques/T1134/005/

#Security assessment: Unsecure SID History attributes
#https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute

#All users with their SID history (empty for most accounts)
Get-ADUser -Filter * -Properties cn,memberof,sidhistory

#Only the users that actually have a SID history
Get-ADUser -Properties sidhistory,memberof -Filter {sidhistory -like '*'}

#Remove the SIDHistory attribute using the SID identified earlier
Set-ADUser -Identity Anna.Sibu -Remove @{SIDHistory='S-1-5-21-...'}
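SID_History.ps1 above lists every object that has a sidHistory, but after a real migration most of those entries are legitimate, so the list still has to be triaged by hand. The following is an added example, not code from this repository, that does the triage: it classifies each sidHistory value by whether it belongs to the current domain's own SID prefix (which no migration would produce), carries a well-known privileged RID, or is a BUILTIN SID; everything else is a foreign-domain SID to be checked against the migration records. It assumes the ActiveDirectory module is loaded and uses Get-ADObject so that computers with a sidHistory are covered too; the RID list is the well-known set (500 Administrator, 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, 544 Administrators, 548/549/550/551 Account, Server, Print and Backup Operators).

```powershell
# Added example (not part of this repository): classify sidHistory values found in the domain.
# Assumes the ActiveDirectory module; the privileged RID list is the well-known set.
Import-Module ActiveDirectory

Function Get-ADSidHistoryFinding {
    [CmdletBinding()]
    Param ()
    $domainSid     = [string](Get-ADDomain).DomainSID
    $privilegedRid = 500,512,518,519,544,548,549,550,551
    # Get-ADObject returns users and computers alike; sIDHistory values come back as SecurityIdentifier objects
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory,sAMAccountName | ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            $sidString = [string]$sid
            $rid       = [int]($sidString.Split('-')[-1])
            $prefix    = $sidString.Substring(0, $sidString.LastIndexOf('-'))
            if ($prefix -eq $domainSid) {
                $finding = 'SID from the current domain (no migration produces this)'
            } elseif ($privilegedRid -contains $rid) {
                $finding = 'Well-known privileged RID'
            } elseif ($sidString -like 'S-1-5-32-*') {
                $finding = 'BUILTIN SID'
            } else {
                $finding = 'Foreign domain SID (verify against the migration record)'
            }
            [pscustomobject]@{
                SamAccountName = $obj.sAMAccountName
                ObjectClass    = $obj.ObjectClass
                SidHistory     = $sidString
                Rid            = $rid
                Finding        = $finding
            }
        }
    }
}

#Usage: everything that is not a plain foreign-domain SID
#Get-ADSidHistoryFinding | Where-Object { $_.Finding -notlike 'Foreign domain SID*' } | Format-Table
```

The first two findings are the ones the Defender for Identity assessment linked above is about: a current-domain SID or a privileged RID in sidHistory grants the object that group's access without any group membership showing up in memberOf, which is why the Set-ADUser -Remove line in the script is the remediation.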
--------------------------------------------------------------------------------
/PowerShell/Search_AD_Permissions.ps1:
--------------------------------------------------------------------------------
Import-Module ActiveDirectory -WarningAction SilentlyContinue
# force use of specified credentials everywhere
$creds=Get-Credential
$PSDefaultParameterValues = @{"*-AD*:Credential"=$creds}

#GET DC Name
$dcname=(Get-ADDomainController).Name
New-PSDrive -Name ADDS -PSProvider ActiveDirectory -Server $dcname -Root //RootDSE/ -Credential $creds
Set-Location ADDS:

#Lookup table that translates schema GUIDs (attributes/classes) and extended-right GUIDs into names
$rootDSE = Get-ADRootDSE
$schemaIDGUID = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name,schemaIDGUID |
    ForEach-Object { $schemaIDGUID[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name,rightsGUID |
    ForEach-Object { $schemaIDGUID[[guid]$_.rightsGUID] = $_.name }

$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName

$domain = (Get-ADDomain).Name

#'NT AUTHORITY\SYSTEM', 'S-1-5-32-548', 'NT AUTHORITY\SELF'
$groups_to_ignore = ( "$domain\Enterprise Admins", "$domain\Domain Admins")

$report = @()
ForEach ($OU in $OUs) {
    #Read the ACL through the ADDS: drive so the credentials from above are used
    $report += Get-Acl -Path "ADDS:\$OU" |
        Select-Object -ExpandProperty Access |
        Where-Object {$_.IdentityReference -like "$domain\*" -and $_.IdentityReference -notin $groups_to_ignore} |
        Select-Object @{name='organizationalUnit';expression={$OU}},
            @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}},
            @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}},
            *
}

#Only explicit (non-inherited) ACEs are interesting
$filterrep= $report | Where-Object {-not $_.IsInherited}

Write-Output ( $filterrep | Select-Object OrganizationalUnit,ObjectTypeName,ActiveDirectoryRights,IdentityReference | Format-Table | Out-String)
--------------------------------------------------------------------------------
/PowerShell/Search_Replicating_Directory_Changes_permission.ps1:
--------------------------------------------------------------------------------
#Get all permissions in the domain, filtered to the two critical replication permissions represented by their GUIDs
#1131f6aa-... = DS-Replication-Get-Changes, 1131f6ad-... = DS-Replication-Get-Changes-All
Import-Module ActiveDirectory
Set-Location 'AD:\DC=prime,DC=pri' # Replace with distinguished name of your domain
$AllReplACLs = (Get-Acl).Access | Where-Object {$_.ObjectType -eq '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -or $_.ObjectType -eq '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'}

#Filter this list to RIDs above 1000 which will exclude well-known Administrator groups
foreach ($ACL in $AllReplACLs)
{
    $user = New-Object System.Security.Principal.NTAccount($ACL.IdentityReference)
    $SID = $user.Translate([System.Security.Principal.SecurityIdentifier])
    $RID = $SID.ToString().Split("-")[7]
    if([int]$RID -gt 1000)
    {
        Write-Host "Permission to Sync AD granted to:" $ACL.IdentityReference
    }
}
--------------------------------------------------------------------------------
/PowerShell/Search_stale_accounts.ps1:
--------------------------------------------------------------------------------
#Let me explain my "stale"
#1. Haven't logged in for X days
#2. Hasn't logged in
#3. Created at least X days ago

#The KRBTGT account will be listed, but is not to be considered here.

#Using Search-ADAccount
Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly

#Using a filter
Get-ADUser "Leonard.Clark" -Properties LastLogonTimeStamp | Select-Object Name,LastLogonTimeStamp

#If it is older than $LogonDate
$LogonDate = (Get-Date).AddHours(-1).ToFileTime()
Get-ADUser -Filter {LastLogonTimeStamp -lt $LogonDate}

#If it doesn't have a value
Get-ADUser -Filter {LastLogonTimeStamp -notlike "*"} -Properties LastLogonTimeStamp |
    Select-Object Name,LastLogonTimeStamp

#And if the account was created before $createdDate
$createdDate = (Get-Date).AddDays(-14)
Get-ADUser -Filter {Created -lt $createdDate} -Properties Created |
    Select-Object Name,Created

#Add them all together:
$filter = {
    ((LastLogonTimeStamp -lt $LogonDate) -or (LastLogonTimeStamp -notlike "*"))
    -and (Created -lt $createdDate)
}

Get-ADUser -Filter $filter | Select-Object SamAccountName

#Functionize it
Function Get-ADStaleUsers {
    [cmdletbinding()]
    Param (
        [datetime]$NoLogonSince = (Get-Date).AddDays(-90),
        [datetime]$CreatedBefore = (Get-Date).AddDays(-14)
    )
    $NoLogonString = $NoLogonSince.ToFileTime()
    $filter = {
        ((LastLogonTimeStamp -lt $NoLogonString) -or (LastLogonTimeStamp -notlike "*"))
        -and (Created -lt $CreatedBefore)
    }
    Write-Host $filter
    Get-ADUser -Filter $filter
}

#Usage
Get-ADStaleUsers

#Usage
Get-ADStaleUsers -NoLogonSince (Get-Date).AddDays(-30) -CreatedBefore (Get-Date).AddDays(-1)
--------------------------------------------------------------------------------
/PowerShell/Searching_for_misconfigured_permissions.ps1:
--------------------------------------------------------------------------------
##################################
#Finding Misconfigured Permissions
##################################

whoami

net user tom /domain

#We search recursively for all files with the extensions .exe and .ps1
Get-ChildItem C:\ -Force -Recurse -Include *.exe,*.ps1

#Suppressed errors
Get-ChildItem C:\ -Force -Recurse -Include *.exe,*.ps1 -ErrorAction SilentlyContinue

#We get the ACL of all files with the extensions .exe and .ps1
Get-ChildItem C:\ -Force -Recurse -Include *.exe,*.ps1 -ErrorAction SilentlyContinue | Get-Acl

#We search for the string "Users Allow FullControl" in the ACL of all files with the extensions .exe and .ps1
Get-ChildItem C:\ -Force -Recurse -Include *.exe,*.ps1 -ErrorAction SilentlyContinue | Get-Acl | Out-String -Stream | Select-String -Pattern "Users Allow FullControl"

#We pretend that we have found this script
Get-ChildItem C:\ -Recurse -Filter "reboot-event.ps1" -ErrorAction SilentlyContinue
--------------------------------------------------------------------------------
/PowerShell/Tracking_the_Source_of_Account_Lock_Outs_and_Bad_Passwords.ps1:
--------------------------------------------------------------------------------
#An important preparation is that advanced audit policy (extended monitoring) is configured in the Default Domain Controllers Policy:
#4740 needs "Audit User Account Management", 4625 needs "Audit Logon".

#Prep work for lockouts
#Account lockout Event ID
$LockOutID = 4740

#Find the PDC
(Get-ADDomain).PDCEmulator
$PDCEmulator = (Get-ADDomain).PDCEmulator

#Connect to the PDC
Enter-PSSession -ComputerName $PDCEmulator

#Query event log
Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Parse the event
#Assign to a variable
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Examine some properties
$events[0].Message

#Regex? (named capture group "caller")
$events[0].Message -match 'Caller Computer Name:\s+(?<caller>[^\s]+)'
$Matches.caller

#Cool, but not as easy as:
$events[0].Properties
$events[0].Properties[1].Value

#For all events:
ForEach($event in $events){
    [pscustomobject]@{
        UserName = $event.Properties[0].Value
        CallerComputer = $event.Properties[1].Value
        TimeStamp = $event.TimeCreated
    }
}

#And we'll make that a function
Function Get-ADUserLockouts {
    [CmdletBinding(
        DefaultParameterSetName = 'All'
    )]
    Param (
        [Parameter(
            ValueFromPipeline = $true,
            ParameterSetName = 'ByUser'
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin{
        $LockOutID = 4740
        $PDCEmulator = (Get-ADDomain).PDCEmulator
    }
    Process {
        If($PSCmdlet.ParameterSetName -eq 'All'){
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $LockOutID
            }
        }ElseIf($PSCmdlet.ParameterSetName -eq 'ByUser'){
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $LockOutID
            } | Where-Object {$_.Properties[0].Value -eq $user.SamAccountName}
        }
        ForEach($event in $events){
            [pscustomobject]@{
                UserName = $event.Properties[0].Value
                CallerComputer = $event.Properties[1].Value
                TimeStamp = $event.TimeCreated
            }
        }
    }
    End{}
}

#Usage
Get-ADUserLockouts

#Single user
Get-ADUser 'jesse.pinkman' | Get-ADUserLockouts

#Prep work for bad passwords
#Bad password event ID
$badPwId = 4625

#Get the events from the PDC
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $badPwId
}

#Correlate the logon types
$LogonType = @{
    '2' = 'Interactive'
    '3' = 'Network'
    '4' = 'Batch'
    '5' = 'Service'
    '7' = 'Unlock'
    '8' = 'Networkcleartext'
    '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

#Format the properties
#Property indexes of a 4625: 5 = TargetUserName, 10 = LogonType, 13 = WorkstationName, 19 = IpAddress
ForEach($event in $events){
    [pscustomobject]@{
        TargetAccount = $event.properties.Value[5]
        LogonType = $LogonType["$($event.properties.Value[10])"]
        CallingComputer = $event.Properties.Value[13]
        IPAddress = $event.Properties.Value[19]
        TimeStamp = $event.TimeCreated
    }
}

#Bring it all together
Function Get-ADUserBadPasswords {
    [CmdletBinding(
        DefaultParameterSetName = 'All'
    )]
    Param (
        [Parameter(
            ValueFromPipeline = $true,
            ParameterSetName = 'ByUser'
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin {
        $badPwId = 4625
        $PDCEmulator = (Get-ADDomain).PDCEmulator
        $LogonType = @{
            '2' = 'Interactive'
            '3' = 'Network'
            '4' = 'Batch'
            '5' = 'Service'
            '7' = 'Unlock'
            '8' = 'Networkcleartext'
            '9' = 'NewCredentials'
            '10' = 'RemoteInteractive'
            '11' = 'CachedInteractive'
        }
    }
    Process {
        If($PSCmdlet.ParameterSetName -eq 'All'){
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $badPwId
            }
        }ElseIf($PSCmdlet.ParameterSetName -eq 'ByUser'){
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $badPwId
            } | Where-Object {$_.Properties[5].Value -eq $user.SamAccountName}
        }
        ForEach($event in $events){
            [pscustomobject]@{
                TargetAccount = $event.properties.Value[5]
                LogonType = $LogonType["$($event.properties.Value[10])"]
                CallingComputer = $event.Properties.Value[13]
                IPAddress = $event.Properties.Value[19]
                TimeStamp = $event.TimeCreated
            }
        }
    }
    End{}
}

#Usage
Get-ADUserBadPasswords | Format-Table

#Single account
Get-ADUser administrator | Get-ADUserBadPasswords | Format-Table
--------------------------------------------------------------------------------
/PowerShell/TrustedforDelegation.ps1:
--------------------------------------------------------------------------------
#Enable computer and user accounts to be trusted for delegation
#https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation

Get-ADComputer -Filter {TrustedForDelegation -eq $true} #(Domain controllers are trusted for delegation by default and are not interesting here)

#Event ID 4624
#Successful logons (search for users/service accounts that have logged on to systems that are TrustedForDelegation).
#https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
--------------------------------------------------------------------------------
/PowerShell/Users_without_Manager.ps1:
--------------------------------------------------------------------------------
#Define needed info
$properties = 'Name','Department','Title','GivenName','SurName'

#Get those users
Get-ADUser -Filter * -Properties * | Format-Table $properties

#We can filter for a specific manager (the Manager attribute holds the manager's distinguishedName)
Get-ADUser -Filter {Manager -eq 'Nicholas.Murray'}

#But not for an empty manager
Get-ADUser -Filter {Manager -eq ''}

#Using an LDAPFilter
Get-ADUser -LDAPFilter "(!manager=*)" -Properties Manager | Format-Table Name,Manager

#Combine both into an LDAP filter: (|(!Name=*)(!Department=*)...(!Manager=*)) matches users missing any of the attributes
$properties += 'Manager'
$ldapFilter = "(|(!$($properties[0])=*)"
For($x=1;$x -lt $properties.count; $x++){
    $ldapFilter += "(!$($properties[$x])=*)"
}
$ldapFilter += ')'
$ldapFilter

Get-ADUser -LDAPFilter $ldapFilter -Properties $properties | Format-Table $properties
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Active Directory Advanced Threat Hunting - Identify vulnerabilities before others do!
This repo is about Active Directory Advanced Threat Hunting!

BloodHound
--------------------------------------------------------------------------------
/Security_compliance_toolkit_and_baselines/Analyze_group_policy_objects.md:
--------------------------------------------------------------------------------
# Advanced hunting for group policy settings!

## We start with a list of MITRE techniques:

**Domain Policy Modification**
https://attack.mitre.org/techniques/T1484/

**Domain Policy Modification: Group Policy Modification**
https://attack.mitre.org/techniques/T1484/001/

**Group Policy Discovery**
https://attack.mitre.org/techniques/T1615/

**Domain Policy Modification: Domain Trust Modification**
https://attack.mitre.org/techniques/T1484/002/

**Unsecured Credentials: Group Policy Preferences**
https://attack.mitre.org/techniques/T1552/006/

## The Windows Event IDs for the MITRE techniques!

**Domain Policy Modification**
4739(S): Domain Policy was changed
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739

**Group Policy Discovery**
Appendix L: Events to Monitor
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

**Domain Policy Modification: Domain Trust Modification**
4716(S): Trusted domain information was modified
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716

## Compare the Default Domain Controllers Policy with the security baselines using the Policy Analyzer!

**So that we can compare the Default Domain Controllers Policy, we create a backup**

Create a backup

**Security Compliance Toolkit and Baselines**
https://www.microsoft.com/en-us/download/details.aspx?id=55319

**We need the necessary tools and baselines**

Choose the download

**Extract the files**

Extract the files

**From the Windows-Server-2022-Security-Baseline-FINAL folder, copy the following file**

Copy the file

**Paste the file in the Policy Analyzer folder**

Paste the file

**Open the Policy Analyzer**

Open the Policy Analyzer

> Note: If you have a low screen resolution you may not be able to see the bottom part of the application. It is important that you see the bottom part so that you can adjust the path to the policy rule sets (see red marker).

**Now we have to add the default domain controller policy**

Add the default domain controller policy

**Click on the import button**

Import the policy

**Give it a name and then click on save**

Give it a name

**Now you can compare the policy with the security baseline**

Compare the policy

---
## *HAPPY COMPARING!*
---
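Added example, not code from this repository: one helper that reads the named EventData fields of a Security event, used for two of the hunts described above, the 4624 check on hosts that are TrustedForDelegation from TrustedforDelegation.ps1 and the 4739/4716 domain policy and trust modification events listed in this document. It assumes the ActiveDirectory module, remote event log access to the hosts, and that the field names used (TargetUserName, LogonType, IpAddress, SubjectUserName, DomainName, DomainPolicyChanged) match the events' EventData; a field that does not exist simply shows up empty.

```powershell
# Added example (not part of this repository): one helper for two hunts described above.
Import-Module ActiveDirectory

# Turn a Security event into an object with one property per named EventData field,
# so the hunts can use field names instead of positional Properties[] indexes.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }   # skip unnamed Data elements
        }
        [pscustomobject]$data
    }
}

# Hunt 1 (TrustedforDelegation.ps1): who logged on (4624) to hosts trusted for delegation?
# Domain controllers always carry the flag, so they are excluded here.
$dcNames = (Get-ADDomainController -Filter *).Name
$trustedHosts = Get-ADComputer -Filter {TrustedForDelegation -eq $true} |
    Where-Object { $dcNames -notcontains $_.Name }

# Assumption: the hosts allow remote event log reads; last 7 days, machine accounts skipped.
$since = (Get-Date).AddDays(-7)
foreach ($h in $trustedHosts) {
    Get-WinEvent -ComputerName $h.DNSHostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; ID = 4624; StartTime = $since } |
        ConvertFrom-SecurityEvent |
        Where-Object { $_.TargetUserName -notlike '*$' } |
        Select-Object TimeCreated, Computer, TargetDomainName, TargetUserName, LogonType, IpAddress
}

# Hunt 2 (event IDs listed above): domain policy (4739) and trust (4716) changes on the PDC emulator.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; ID = 4739, 4716 } |
    ConvertFrom-SecurityEvent |
    Select-Object TimeCreated, Id, SubjectUserName, DomainName, DomainPolicyChanged |
    Format-Table -AutoSize
```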
--------------------------------------------------------------------------------
/WSL_Kali_Post_Installation.txt:
--------------------------------------------------------------------------------
WSL Kali Linux (Post Installation)
----------------------------------

sudo apt update && sudo apt upgrade

sudo apt-get update && apt-cache search kali-linux-top10

sudo apt -y install kali-linux-top10

or

sudo apt -y install kali-linux-default

--------------------------------------------------------------------------------
/WSLg_and_Kali_Win-Kex.txt:
--------------------------------------------------------------------------------
#In a Windows Terminal

wsl --update

#For example, to work with Wireshark

kali

sudo groupadd wireshark
sudo usermod -aG wireshark tom
sudo dpkg-reconfigure wireshark-common

exit

wslg wireshark

#Install a GUI on Kali
#https://www.kali.org/docs/wsl/win-kex/

sudo apt update && sudo apt upgrade

sudo apt install kali-win-kex -y

kex

--------------------------------------------------------------------------------