my personal blog about systemcenter

Delegations Matter , Hunting mistakes with Bloodhound

Categories: Bloodhound
Comments Off on Delegations Matter , Hunting mistakes with Bloodhound

In this example i will use Bloodhound to show alternative path to Domain Admins

In the environment almost All Domain Admins have been removed , leaving DA-Alice as the sole enabled Domain Admin account

This makes a nice clean domains , does not give Alice much time off though so that will need to be fixes , but beats having 20+ Domain Admins running around , and Alice uses her Tier 0 Admin Workstation , so the users only logs on to the right security tiers

But we all know Alice and Bob is working together , Bob is helping out with password reset and a previous admin delegated rights to the Password-Reset Group

This is where the trouble start , Support-BOB is a member of Password-Reset , that group have been delegated full control over the Company OU to be able to reset passwords

First Mistake was to delegate full access and not only the password reset needed , but the 2nd and worse mistake was that someone placed the admin users under “Company” because it was the easy options , following bloodHound Shortest Path to Domain Admin

Gives us Support-BOB who have write permissions on all users in Admins that DA-Alice is a part off , this mean that no matter if Alice keeps doing everything right , Support-BOB can now reset DA-Alice password and start creating chaos.

In this case a Quick fix is to move the Admins outside of the Delegations so that Support-BOB rights that was on the “Company” OU does not apply anymore

This ends up giving us a single path to domain admin being DA-Alice

https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html

Check out BloodHound , ensure you have permission to run it as it will most likely will set off a alarm bell or two

Building new reference machine with “new “Edge and finding a google Cert

Categories: Uncategorized
Comments Off on Building new reference machine with “new “Edge and finding a google Cert

I was building a new reference image for my Windows PC

PS C:\Program Files (x86)\Microsoft\Edge\Application> $EDGE = Get-SystemDriver -ScanPath `C:\Program Files (x86)\Microsoft\Edge\Application’ -UserPEs

PS C:\Program Files (x86)\Microsoft\Edge\Application> New-CIPolicy -FilePath EDGE.xml -DriverFiles $EDGE -Level FilePUBLISHER -UserPEs

Running the file level scan for publisher to see whats “around”

    <Signer ID=”ID_SIGNER_F_71″ Name=”DigiCert SHA2 Assured ID Code Signing CA”>

      <CertRoot Type=”TBS” Value=”E767799478F64A34B3F53FF3BB9057FE1768F4AB178041B0DCC0FF1E210CBA65″ />

      <CertPublisher Value=”Google LLC” />

      <FileAttribRef RuleID=”ID_FILEATTRIB_F_21″ />

 

Outside of the Microsoft certificate there was a reference to a Google Certificate

    <FileAttrib ID=”ID_FILEATTRIB_F_21″ FriendlyName=”C:\Program Files (x86)\Microsoft\Edge\Application\79.0.309.71\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll FileAttribute” FileName=”widevinecdm.dll” MinimumFileVersion=”4.10.1440.18″ />

Looking at the file its cross signed with both Microsoft and Google

Will create the policy without the Google signer for now 🙂

Finding clients using insecure LDAP binds

Categories: Uncategorized
Comments Off on Finding clients using insecure LDAP binds

Microsoft announced in August 2019 that they will enforce the use of Secure LDAP binds from Marts 2020 Update

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

This means that applications that uses “classic” LDAP over 389 will fail after applying updates in the Marts 2020 Cycle


Take Action: Microsoft Security Advisory 
ADV190023 published to introduce LDAP channel binding and LDAP signing support. Administrators will need to test these settings in their environment after manually adjusting them on their servers.

First Call to Action was August 2019 , so if you missed this (like me) this is very late getting started to prevent possible outages pending Marts Update Cycle

Required: Security Update available on Windows Update for all supported Windows platforms that will enable LDAP channel binding and LDAP signing on Active Directory servers by default.

Second Call to Action is now , get searching in the logs

Event 2886,2889,2887,1220 from Directory Services are the ones to ensure are logged and searhable

Domain Controllers will pr default log a 2886 Every 24 hours with how many clients connected , this will see if there is a usage but not who/what

For detailed logging On your Domain Controllers enable LDAP Interface Events Logging to Level 2


Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

and to Disable Logging again

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v “16 LDAP Interface Events” /t REG_DWORD /d 0
With Logging set to level 2 , you will now see clients connection with insecure bind , source ip and username that authenticated with Event ID 2889

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 

If you see 1220 a client tried to use LDAP/s but the domain controller didn’t have a certificate available

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. 

Getting Microsoft Defender to work with Google Santa enabled

Categories: Uncategorized
Comments Off on Getting Microsoft Defender to work with Google Santa enabled

Google Santa is an open source project that helps OSX Administrators secure the workstations, its whitelists binaries on either SHA256 or Certificate Level. (Download https://github.com/google/santa)

Santa Supports local database and remote sync server for configuration, the first post will cover local database, remote sync server will be covered later

For this test we are going to whitelist the certificates used by Microsoft Defender ATP

Mixing Whitelisting and Modern Protections might be overkill but its very good for locking down high profile target

Santa’s default configuration is monitor mode so to enforce the rules we need to change the Santa configuration

Following the example config from the documentation https://santa.readthedocs.io/en/latest/deployment/configuration/

ClientMode is change from 1 (monitor mode) to 2 (Enforced)

And the testing here is done with local config so we need to remove the SyncBaseURL Key/String to support local modification of the allow/deny list

And we can see that the default configuration is Monitor Mode

Install the config file

And we are in lockdown mode , so any binary will be block unless it matches binary or certificate rules (or is system file)

So let’s start the Microsoft Defender ATP installer

And Santa picks up the different daemons Defender ATP will run and blocks the execution as they are not in the allow list yet , running this in monitor mode would make the install successful without errors on the first run and then looking at log files , I hit ignore for a bunch of times and then go for the log files

Santa Logs are at /var/db/santa/santa.log

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=241fde944258965f8912bfc30b55a60c821642722131e64b1d3dfce2d1913354|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=687|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender ATP.app/Contents/Resources/wdavdaemon.app/Contents/MacOS/wdavdaemon

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=9a01cc98d7e1c5d3f1cde3f6b06b8d1540a0c35f80bf7026e8bf8274b05403cd|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=774|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon

And we can see that there are 2 different certs being used, 1 for the main Defender ATP files and 1 for the Microsoft Update Application

santactl rule –whitelist –sha256 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303 –certificate

Added rule for SHA-256: 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303.

FR-SantaTests-Mac:~ root# santactl rule –whitelist –sha256 e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8 –certificate

Added rule for SHA-256: e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8.

We use santactl to add rules to our whitelist , and after this Microsoft Defender ATP is now fully functional with Santa running as additional protection

Edit : now with correct ATP vs APT , thanks Jan

Testing ScaleFT BeyondCorp Secure Remote Access without a VPN

Categories: BeyondCorp, NoVPN, ScaleFT, Security
Comments Off on Testing ScaleFT BeyondCorp Secure Remote Access without a VPN

Testing ScaleFT access from admin workstation to remote server through remote desktop protocol but without VPN or Remote Desktop Gateway

ScaleFT creates a BeyondCorp secure style access to internal resources without publishing them over VPN or direct connection from the internet

This setup will cover a basic integration between one pc and one server, ScaleFT provides a free version for personal use for up to 5 servers, so this is a large step forward in providing secure access to your resources

Signup at https://www.scaleft.com/ , and there is excellent documentation in place and instant trial access

This is my first go at a BeyondCorp install and so far its looks very good

This is a simple test without the full security integration so no AzureAD or Okta , room for more improvements

Overall process

1 , Register Trial

2 , Setup Client

3 , Create Project

4 , Add Server to Project

5 , Add Permission to Project

6 , Use Secure BeyondCorp access to your internal resources

Protocol available Web Applications, Remote Desktop and SSH

And the Step by Step

clip_image002

Logging in to the interface there is no clients for now

Adding a client is as simple as downloading and running

sft enroll –team “tenant name”

clip_image004

ScaleFT does not require local admin rights to function on the machine where access is started form

clip_image006

Adding the client to the team require authentication , from the initial testing with Edge I saw some issues that needs a bit of time to repro , but running with chrome works

clip_image008

And we can now see my pc in the portal

clip_image010

To Enroll a Server we need to create a project

clip_image012

clip_image014

And then we can go to enrollment tokens to create a token for server to enroll

clip_image016

Setup token name and save the token

On the server we can install the scaleFT server side tools with powershell

PS C:\ScaleFT> Import-Module .\Install.psm1

PS C:\ScaleFT> Install-ScaleFTServerTools -EnrollmentToken

Downloading https://dist.scaleft.com/server-tools/windows/latest/ScaleFT-Server-Tool

C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi is signed by ScaleFT

Starting msiexec on C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

MSI Log path: C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.log

Removing C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

Starting Service scaleft-server-tools

True

clip_image018

clip_image020

And 2 minutes later we have it installed (on my slow connection)

clip_image022

And we now have a server to access

clip_image024

As we deal with zero trust we need to create a group that gives access

clip_image026

Groups can give either local admin or local user permissions, for this test we will use Admin

clip_image028

Back to my client and run sft list-servers

clip_image030

Getting prompted for access to ScaleFT and allowing access

clip_image032

I can now see my server

clip_image034

And we try to login

clip_image036

And in this environment we have locked down NTLM , and ScaleFT proxy through local host so we need to allow that

clip_image038

And adding local host to NTLM exceptions

clip_image040

And we can now logon through our tunnel.

clip_image042

And when we are done working we can issue a sft logout

clip_image044

And we have a full audit history

clip_image046

Can you tell if a PC remoted in from a unencrypted machine in your environment ?

So, what does ScaleFT do on our Windows Box to create access and users

After initial authentication we can see ScaleFT creating the admindemo user (that is my ScaleFT user) , adding it to local admin and terminal server users)

time=”2018-07-17T14:13:27+02:00″ level=info msg=”osedit: applying change to system” description=”Creating local user ‘admindemo’ based on user:’1d55549f-d4c9-7adc-2463-3b3414354e7c'” goal=user_create

time=”2018-07-17T14:13:27+02:00″ level=info msg=”osedit: applying change to system” description=”Adding local user ‘admindemo’ to local group ‘Administrators’ based on group:’BUILTIN-A3FC-7CF8FAD6C251′” goal=group_member_add

time=”2018-07-17T14:13:27+02:00″ level=info msg=”osedit: applying change to system” description=”Adding local user ‘admindemo’ to local group ‘Remote Desktop Users’ based on group:’BUILTIN–B750-50F1D33462FE'” goal=group_member_add

clip_image048

ScaleFT cycles password at each logon so a test from here shows

* Username : WIN-GNM5AES6691\admindemo

* Domain : TERMSRV/127.0.0.1

* Password : C1Vi5JqadyEZjW%HuskZcWM3cI3JkXOPDx#JApF3HvgB#%ZxpMZ3D4wBKPGdcT4n

And after next logon

* Username : WIN-GNM5AES6691\admindemo

* Domain : TERMSRV/127.0.0.1

* Password : i7GYIDBh%UVD90S!uT[email protected]

So that looks good