my personal blog about systemcenter

All posts in Security

Delegations Matter, Hunting Mistakes with BloodHound

Categories: Bloodhound

In this example I will use BloodHound to show an alternative path to Domain Admins.

In the environment almost all Domain Admins have been removed, leaving DA-Alice as the sole enabled Domain Admin account.

This makes for a nice clean domain. It does not give Alice much time off, so that will need to be fixed, but it beats having 20+ Domain Admins running around. Alice uses her Tier 0 admin workstation, so users only log on at the right security tier.

But we all know Alice and Bob work together. Bob is helping out with password resets, and a previous admin delegated rights to the Password-Reset group.

This is where the trouble starts: Support-BOB is a member of Password-Reset, and that group has been delegated full control over the Company OU so that it can reset passwords.

The first mistake was to delegate full control rather than only the password reset right that was needed, but the second and worse mistake was that someone placed the admin users under "Company" because it was the easy option. Following BloodHound's Shortest Path to Domain Admins gives us Support-BOB, who has write permissions on all users under Admins, which is where DA-Alice sits. This means that no matter how carefully Alice does everything right, Support-BOB can reset DA-Alice's password and start creating chaos.

In this case a quick fix is to move the admin accounts out from under the delegation, so that the rights Support-BOB holds on the "Company" OU no longer apply to them.

This leaves a single path to Domain Admins: DA-Alice herself.
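Two things a practitioner would want next to the BloodHound graph, as an added example that is not from the post: a check that reads the effective ACL on each privileged account under an OU (rather than trusting the OU delegation alone) and lists every non-default principal that can reset its password, and the delegation that should have been granted in the first place (only the Reset Password extended right, plus write on pwdLastSet so "user must change password at next logon" can be set, scoped to user objects). One caveat: members of Domain Admins and the other groups protected by AdminSDHolder (adminCount=1) get their DACL rewritten by SDProp, by default every 60 minutes, with inheritance disabled, so an inherited OU ACE on DA-Alice is only there until the next SDProp run, while an explicit ACE on the account, or an inherited one on a privileged account outside the protected groups, persists; reading each account's own ACL catches both cases. The script assumes the RSAT ActiveDirectory module and its AD: drive; the OU and group names come from the post and the DC=corp,DC=example suffix is a placeholder.

```powershell
# Added example, not the post's code. Assumes the RSAT ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

# Well-known schema GUIDs
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# ACEs on one object that allow a password reset by some route: the explicit Reset Password
# right, "all extended rights", full control, or the ability to rewrite the DACL/owner and
# grant oneself the right afterwards.
function Get-ResetCapableAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $reason = if ($r.HasFlag($ADR::GenericAll)) { 'GenericAll' }
                  elseif ($r.HasFlag($ADR::WriteDacl) -or $r.HasFlag($ADR::WriteOwner)) { 'WriteDacl/WriteOwner' }
                  elseif ($r.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                  elseif ($r.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -eq $ResetPasswordRight) { 'Reset Password' }
        if ($reason) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Reason    = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Privileged accounts (adminCount=1) under an OU, with every non-default principal that can
# reset their password. Support-BOB shows up here through the Password-Reset ACE inherited
# from the Company OU (until SDProp strips it from a protected account).
function Find-PrivilegedAccountsExposedByOu {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [string[]]$IgnorePrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
                                        'BUILTIN\Administrators', '*\Domain Admins', '*\Enterprise Admins')
    )
    Get-ADUser -SearchBase $OuDn -LDAPFilter '(adminCount=1)' | ForEach-Object {
        Get-ResetCapableAce -DistinguishedName $_.DistinguishedName | Where-Object {
            $principal = $_.Principal
            -not ($IgnorePrincipals | Where-Object { $principal -like $_ })
        }
    }
}

# The delegation the post says should have been used: Reset Password plus read/write on
# pwdLastSet, inherited by descendant user objects only. All explicit ACEs the group holds
# on the OU (including the full-control one) are purged first, so review those before running.
function Grant-PasswordResetOnly {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName
    )
    $sid     = (Get-ADGroup -Identity $GroupName).SID
    $path    = "AD:\" + $OuDn
    $acl     = Get-Acl -Path $path
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $acl.PurgeAccessRules($sid)
    $resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ADR::ExtendedRight, $allow, $ResetPasswordRight, $inherit, $UserClass)
    $pwdRule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, ($ADR::ReadProperty -bor $ADR::WriteProperty), $allow, $PwdLastSetAttr, $inherit, $UserClass)
    $acl.AddAccessRule($resetRule)
    $acl.AddAccessRule($pwdRule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage with the post's names (domain suffix and Tier0 OU are placeholders):
# Find-PrivilegedAccountsExposedByOu -OuDn 'OU=Company,DC=corp,DC=example' | Format-Table -AutoSize
# Move-ADObject -Identity 'CN=DA-Alice,OU=Admins,OU=Company,DC=corp,DC=example' -TargetPath 'OU=Tier0,DC=corp,DC=example'
# Grant-PasswordResetOnly -OuDn 'OU=Company,DC=corp,DC=example' -GroupName 'Password-Reset'
```

Run the audit before and after the move: the first run should list Support-BOB's group against DA-Alice, the second should be empty. Re-collect with SharpHound afterwards so the graph reflects the new ACLs.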

https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html

Check out BloodHound, but make sure you have permission to run it, as it will most likely set off an alarm bell or two.

Testing ScaleFT BeyondCorp Secure Remote Access without a VPN

Categories: BeyondCorp, NoVPN, ScaleFT, Security

Testing ScaleFT access from an admin workstation to a remote server over Remote Desktop Protocol, but without a VPN or Remote Desktop Gateway.

ScaleFT creates BeyondCorp-style secure access to internal resources without publishing them over a VPN or exposing them directly to the internet.

This setup covers a basic integration between one PC and one server. ScaleFT provides a free version for personal use for up to 5 servers, so this is a large step forward in providing secure access to your resources.

Sign up at https://www.scaleft.com/ ; there is excellent documentation in place and instant trial access.

This is my first go at a BeyondCorp install and so far it looks very good.

This is a simple test without the full identity integration, so no Azure AD or Okta; room for more improvements.

Overall process:

1. Register trial
2. Set up client
3. Create project
4. Add server to project
5. Add permission to project
6. Use secure BeyondCorp access to your internal resources

Protocols available: web applications, Remote Desktop and SSH.

And the step by step:

Logging in to the interface, there are no clients for now.

Adding a client is as simple as downloading it and running

sft enroll --team "tenant name"

ScaleFT does not require local admin rights on the machine the access is started from.

Adding the client to the team requires authentication; from the initial testing with Edge I saw some issues that need a bit of time to repro, but running with Chrome works.

And we can now see my PC in the portal.

To enroll a server we need to create a project.

Then we can go to Enrollment Tokens to create a token for the server to enroll with.

Set a token name and save the token.

On the server we can install the ScaleFT server-side tools with PowerShell:

PS C:\ScaleFT> Import-Module .\Install.psm1

PS C:\ScaleFT> Install-ScaleFTServerTools -EnrollmentToken

Downloading https://dist.scaleft.com/server-tools/windows/latest/ScaleFT-Server-Tool

C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi is signed by ScaleFT

Starting msiexec on C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

MSI Log path: C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.log

Removing C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

Starting Service scaleft-server-tools

True

And 2 minutes later we have it installed (on my slow connection).

And we now have a server to access.

As we are dealing with zero trust, we need to create a group that grants access.

Groups can grant either local admin or local user permissions; for this test we will use Admin.

Back on my client, run sft list-servers.

We get prompted for access to ScaleFT and allow it.

I can now see my server.

And we try to log in.

In this environment we have locked down outgoing NTLM, and ScaleFT proxies the RDP session through localhost, so we need to allow that.

Adding localhost to the NTLM exceptions:

And we can now log on through our tunnel.
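The exception step above, as an added PowerShell example that is not from the post: it reads the outgoing-NTLM restriction on the admin workstation and adds the loopback target to the exception list without clobbering existing entries. The registry values are the ones behind the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" and "Add remote server exceptions for NTLM authentication" policies; the exception string 127.0.0.1 is an assumption taken from the TERMSRV/127.0.0.1 target shown later in the post. Run it elevated.

```powershell
# Added example, not the post's code. Run elevated on the admin workstation (the RDP client side).
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Current state of "Restrict NTLM: Outgoing NTLM traffic to remote servers" and its exception list.
function Get-OutgoingNtlmPolicy {
    $p = Get-ItemProperty -Path $Msv1Key
    # RestrictSendingNTLMTraffic: 0 = allow all (or not set), 1 = audit all, 2 = deny all
    $level = if ($null -ne $p.RestrictSendingNTLMTraffic) { [int]$p.RestrictSendingNTLMTraffic } else { 0 }
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $level
        Exceptions                 = @(@($p.ClientAllowedNTLMServers) | Where-Object { $_ })
    }
}

# Add one target to ClientAllowedNTLMServers (REG_MULTI_SZ, the value behind "Add remote server
# exceptions for NTLM authentication") and keep whatever entries are already there.
function Add-NtlmServerException {
    param([Parameter(Mandatory)][string]$Server)
    $current = @(@((Get-ItemProperty -Path $Msv1Key).ClientAllowedNTLMServers) | Where-Object { $_ })
    if ($current -contains $Server) { return $current }
    $updated = [string[]]($current + $Server)
    Set-ItemProperty -Path $Msv1Key -Name ClientAllowedNTLMServers -Value $updated -Type MultiString
    return $updated
}

# Before, change, after. '127.0.0.1' is the assumed target: the RDP client talks to the local
# ScaleFT proxy, which is what the TERMSRV/127.0.0.1 credential entry later in the post shows.
Get-OutgoingNtlmPolicy
Add-NtlmServerException -Server '127.0.0.1' | Out-Null
Get-OutgoingNtlmPolicy
```

If the restriction is delivered by Group Policy, add the exception in that GPO instead; a value written locally is overwritten at the next security policy refresh. Leave RestrictSendingNTLMTraffic at 2: the point of the exception list is to open one target, not to relax the policy.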

When we are done working we can issue sft logout.

And we have a full audit history.

Can you tell if a PC remoted in from an unencrypted machine in your environment?

So, what does ScaleFT do on our Windows box to create access and users?

After initial authentication we can see ScaleFT creating the admindemo user (that is my ScaleFT user) and adding it to the local Administrators and Remote Desktop Users groups:

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN–B750-50F1D33462FE'" goal=group_member_add

ScaleFT cycles the password at each logon, so a test from here shows:

* Username: WIN-GNM5AES6691\admindemo
* Domain: TERMSRV/127.0.0.1
* Password: C1Vi5JqadyEZjW%HuskZcWM3cI3JkXOPDx#JApF3HvgB#%ZxpMZ3D4wBKPGdcT4n

And after the next logon:

* Username: WIN-GNM5AES6691\admindemo
* Domain: TERMSRV/127.0.0.1
* Password: i7GYIDBh%[email protected]

So that looks good.
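The osedit lines above are the server-side record of exactly the changes worth watching for: a local user appearing and being put into Administrators. As an added example that is not from the post or from ScaleFT, this parses lines in that format (key=value, values optionally double-quoted) into objects and rates them; the sample lines are constructed to match the ones above, and the log file location is an assumption.

```powershell
# Added example, not the post's or ScaleFT's code.

# Parse one logfmt-style line (key=value, values optionally in double quotes) into an object.
function ConvertFrom-LogfmtLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $fields = [ordered]@{}
        foreach ($m in [regex]::Matches($Line, '(\w+)=("((?:[^"\\]|\\.)*)"|(\S+))')) {
            $fields[$m.Groups[1].Value] = if ($m.Groups[3].Success) { $m.Groups[3].Value } else { $m.Groups[4].Value }
        }
        [pscustomobject]$fields
    }
}

# Rate the osedit changes: a new local user is worth a look, a user landing in Administrators
# is the one to alert on, other group adds (Remote Desktop Users) are low.
function Get-OseditAlert {
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        if ($Entry.msg -ne 'osedit: applying change to system') { return }
        $user  = if ($Entry.description -match "local user '([^']+)'")  { $Matches[1] } else { $null }
        $group = if ($Entry.description -match "local group '([^']+)'") { $Matches[1] } else { $null }
        $severity = switch ($Entry.goal) {
            'user_create'      { 'medium' }
            'group_member_add' { if ($group -eq 'Administrators') { 'high' } else { 'low' } }
            default            { $null }
        }
        if ($severity) {
            [pscustomobject]@{ Time = $Entry.time; Goal = $Entry.goal; User = $user; Group = $group; Severity = $severity }
        }
    }
}

# Constructed sample in the format the post shows (not real log output). In production read the
# scaleft-server-tools log file instead, e.g. Get-Content -Path $LogPath -Wait (path is an assumption).
$sample = @'
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN-B750-50F1D33462FE'" goal=group_member_add
time="2018-07-17T14:13:28+02:00" level=info msg="heartbeat ok"
'@ -split "`r?`n"

$sample | ConvertFrom-LogfmtLine | Get-OseditAlert | Format-Table -AutoSize
```

On the same host, correlate with the Security log: 4720 (user account created), 4732 (member added to a security-enabled local group) and 4624 with logon type 10 for the RDP session. The osedit lines give you the ScaleFT user id to pivot on when the local account name is reused.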

Adding OpenLiveWriter to a DeviceGuard Protected Machine

Categories: Device Guard, Security

I wanted to add OpenLiveWriter to my PC, but since it is protected by Device Guard it required a few additional steps.

Following Matt Graeber's (@mattifestation) guide to merging policies, http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html , I ended up with the following.

PS C:\Windows\system32> $OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs

Scanning the install directory:

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level PUBLISHER -UserPEs

"Unable to generate rules for all scanned files at the requested level. A list of files not covered by the current policy can be found at C:\Users\Flemming Riis\AppData\Local\Temp\tmpD089tmp. If it is safe to not include these files, no action needs to be taken, otherwise a more complete policy may be created using the -fallback switch"

The first run was at Publisher level, but the majority of the files are not signed, so I changed the policy to Hash. This leaves an issue with auto-update, so the shortcut was changed to point at openlivewriter.exe instead of update.exe.

We now end up with a rather large list of allowed files.

And putting it all together:

$MasterRuleXml = 'BASE.xml'   # this was my T460s baseline

$OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level HASH -UserPEs

$OpenLiveWriterRules = New-CIPolicyRule -DriverFiles $OpenLiveWriter -Level HASH

Merge-CIPolicy -OutputFilePath FinalPolicy.xml -PolicyPaths $MasterRuleXml -Rules $OpenLiveWriterRules

ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy.xml -BinaryFilePath SIPolicy.p7b

And after a reboot I can now run OpenLiveWriter on my Device Guard protected PC.


Count your Domain Controllers Often and Always

Categories: Active Directory, AD, Advanced Threat Analytics, ATA, Security

Had a talk the other day with a friend about domain controllers; we talked about how many orgs would actually detect a new domain controller at all, and if they did, how fast.

As this is a normal operation it is not flagged by ATA, but it would be a very nice feature to add (as far as I can see; this is a new install so there is no 30 days of ML on admin behaviour yet). ATA should detect an admin logging on to a new server, but that needs testing on an aged system.

There are most likely a lot of event log hints of new domain controllers being added; I need to examine those as well.

Adding a new domain controller:

We can see the new object as a domain controller.

Adding Domain Controllers Group to Sensitive Groups could h

So we could get a report like this if a DC was added; that could be a very good feature.

Or list domain controllers not monitored by ATA.

Detecting domain controllers being added

One method is to use @LazyWinAdm's script:

https://github.com/lazywinadmin/Monitor-ADGroupMembership

Running

.\Monitor-ADGroupMembership.ps1 -group "Domain Controllers" -Emailfrom [email protected] -Emailto "[email protected]" -EmailServer 10.0.0.51 -Verbose

on a rapid schedule.

The first run finds the (now) 2 domain controllers.

And we will now get an email alert when a domain controller is added or removed.
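Group membership is one view of the DC population. As an added example that is not the post's code or the Monitor-ADGroupMembership script, this counts domain controllers from three independent sources (the DC locator, computer accounts whose primary group is Domain Controllers or Read-only Domain Controllers, and NTDS Settings objects in the configuration partition, which any DC, rogue or not, must register to replicate) and diffs the union against a saved baseline. It assumes the RSAT ActiveDirectory module; the baseline path is an assumption. Run it from a scheduled task on the same rapid schedule.

```powershell
# Added example, not the post's code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# One row per name seen in any source, with a flag per source, so a DC present in only one
# of them (or missing from one) stands out.
function Get-DomainControllerInventory {
    $root     = Get-ADRootDSE
    $domainNc = $root.defaultNamingContext
    # 1. DC locator / DSA view
    $fromDs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToUpperInvariant() })
    # 2. Computer accounts whose primary group is Domain Controllers (516) or RODCs (521);
    #    primaryGroupID is how a DC is a member of the "Domain Controllers" group the post monitors
    $fromGroup = @(Get-ADComputer -LDAPFilter '(|(primaryGroupID=516)(primaryGroupID=521))' |
        ForEach-Object { $_.Name.ToUpperInvariant() })
    # 3. NTDS Settings objects (nTDSDSA) in the forest-wide configuration NC, limited to this
    #    domain via msDS-HasDomainNCs; the server name is the parent container in the DN
    $fromNtds = @(Get-ADObject -SearchBase $root.configurationNamingContext -LDAPFilter '(objectClass=nTDSDSA)' -Properties 'msDS-HasDomainNCs' |
        Where-Object { @($_.'msDS-HasDomainNCs') -contains $domainNc } |
        ForEach-Object { (($_.DistinguishedName -split ',')[1] -replace '^CN=', '').ToUpperInvariant() })
    $all = @($fromDs + $fromGroup + $fromNtds) | Sort-Object -Unique
    foreach ($name in $all) {
        [pscustomobject]@{
            Name       = $name
            InDsLookup = $fromDs    -contains $name
            InDcGroup  = $fromGroup -contains $name
            HasNtdsDsa = $fromNtds  -contains $name
        }
    }
}

# Diff the current inventory against a saved baseline and return what changed. Accept the new
# state with -UpdateBaseline once the change has been confirmed as a legitimate promotion/demotion.
function Compare-DomainControllerBaseline {
    param(
        [string]$BaselinePath = "$env:ProgramData\dc-baseline.json",   # assumption
        [switch]$UpdateBaseline
    )
    $now = @(Get-DomainControllerInventory | Select-Object -ExpandProperty Name)
    if (-not (Test-Path -Path $BaselinePath)) {
        ConvertTo-Json -InputObject $now | Set-Content -Path $BaselinePath
        return [pscustomobject]@{ Count = $now.Count; Added = @(); Removed = @(); Note = 'baseline created' }
    }
    $before  = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $added   = @($now    | Where-Object { $before -notcontains $_ })
    $removed = @($before | Where-Object { $now    -notcontains $_ })
    if ($UpdateBaseline) { ConvertTo-Json -InputObject $now | Set-Content -Path $BaselinePath }
    [pscustomobject]@{ Count = $now.Count; Added = $added; Removed = $removed; Note = $null }
}

# Usage: run on a schedule, alert on anything in Added/Removed (the post uses mail; a SIEM
# forwarder works too), then re-run with -UpdateBaseline after reviewing the change.
Get-DomainControllerInventory | Format-Table -AutoSize
Compare-DomainControllerBaseline
```

A name that has HasNtdsDsa set but is missing from the other two columns deserves the fastest look: it is replicating without being a computer account in the Domain Controllers group.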

Building a secure workstation one step at a time Part1

Categories: Device Guard, Security, Windows 10

I have been trying to spend more time on device security, and have been using Device Guard to lock down an admin workstation and servers.

I am following the examples from Matt's post on merging a baseline with new policies:

http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html

If you don't follow @mattifestation (Matt Graeber), start now; his published work on Device Guard is gold.

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\explorer.exe) attempted to load \Device\HarddiskVolume4\Source\PUTTY.EXE that did not meet the Enterprise signing level requirements.

So I wanted to add PuTTY to my base policy:

$Putty = Get-SystemDriver -ScanPath 'C:\Source' -UserPEs

New-CIPolicy -FilePath Putty.xml -DriverFiles $Putty -Level HASH -UserPEs

$MasterRuleXml = 'FinalPolicy.xml'

$PuttyRules = New-CIPolicyRule -DriverFiles $Putty -Level Hash

Merge-CIPolicy -OutputFilePath FinalPolicy_Merged.xml -PolicyPaths $MasterRuleXml -Rules $PuttyRules

ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy_Merged.xml -BinaryFilePath SIPolicy.p7b

Following the example on Matt's blog post, I wanted to add PuTTY at file-hash level only, so the rule level is Hash rather than Publisher. This locks the policy down to this exact version and adds overhead whenever a new release is out, but since PuTTY isn't updated that often I will continue with file hash.

It seems that going forward Configuration Manager can help with this; going to be exciting to see.

This ends up with the following XML, which will be merged into our policy file and applied at the next reboot:

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
  </Rules>
  <!--EKUS-->
  <EKUs />
  <!--File Rules-->
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="C:\Source\PUTTY.EXE Hash Sha1" Hash="AB51FE77E5DB6A1979EEB6DFA6957613945F5562" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="C:\Source\PUTTY.EXE Hash Sha256" Hash="03EE66107D104F8ACA6E376D8B274ADF0D671A4D44F0549B6D83B775C0B21AAB" />
    <Allow ID="ID_ALLOW_A_3" FriendlyName="C:\Source\PUTTY.EXE Hash Page Sha1" Hash="736A707BFBB80DFE3EE4259DF8BCD078B505BB4A" />
    <Allow ID="ID_ALLOW_A_4" FriendlyName="C:\Source\PUTTY.EXE Hash Page Sha256" Hash="0843BA10DA94FC68065EA9B1FD53857106194E458FBF203948628A0EB3C539E3" />
  </FileRules>
  <!--Signers-->
  <Signers />
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 05-07-2017">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 05-07-2017">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_1" />
          <FileRuleRef RuleID="ID_ALLOW_A_2" />
          <FileRuleRef RuleID="ID_ALLOW_A_3" />
          <FileRuleRef RuleID="ID_ALLOW_A_4" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
</SiPolicy>

So after a reboot and the policy applied:

We now have a working PuTTY.

But since the author's certificate wasn't whitelisted we can't run his other tools; this was meant as an example of file hash vs. certificate, not due to any lack of trust in Simon Tatham.
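Both Device Guard posts on this page (the OpenLiveWriter one, where most files were unsigned, and this PuTTY one) do the same scan, rule, merge, convert sequence by hand. As an added example that is not from either post, nor from Matt Graeber's article, here it is as a function with the two checks a practitioner wants first: a signing report of the scanned binaries, so you know in advance which files can get a Publisher rule and which will need hashes, and New-CIPolicyRule's -Fallback Hash (the switch the OpenLiveWriter error message points at), so signed files get the durable publisher rule and only unsigned ones get version-locked hashes. It also reports whether the merged XML still carries Enabled:Audit Mode, which the generated Putty.xml above has. It needs the ConfigCI module on Windows 10 / Server 2016 or later and an elevated session; the file paths are assumptions.

```powershell
# Added example, not from either post. Requires the ConfigCI module (Windows 10 / Server 2016+), elevated.

# Signing state of the user-mode PEs under a path: which files can get a Publisher rule, which
# publisher that would trust, and which files will need hash rules.
function Get-ScanSigningReport {
    param([Parameter(Mandatory)][string]$ScanPath)
    Get-ChildItem -Path $ScanPath -Recurse -File -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Scan, build rules, merge into the base policy, convert to the binary to deploy, and summarise
# what the result contains. Signed files get a rule at $Level; unsigned ones fall back to a hash
# rule instead of the "Unable to generate rules for all scanned files" failure.
function New-MergedCIPolicy {
    param(
        [Parameter(Mandatory)][string]$BasePolicyXml,    # e.g. 'FinalPolicy.xml'
        [Parameter(Mandatory)][string]$ScanPath,         # e.g. 'C:\Source'
        [Parameter(Mandatory)][string]$OutputXml,        # e.g. 'FinalPolicy_Merged.xml'
        [Parameter(Mandatory)][string]$OutputBinary,     # e.g. 'SIPolicy.p7b'
        [ValidateSet('Publisher', 'FilePublisher', 'Hash')][string]$Level = 'Publisher'
    )
    # -UserPEs makes user-mode binaries part of the scan, not only drivers
    $files = @(Get-SystemDriver -ScanPath $ScanPath -UserPEs)
    if ($files.Count -eq 0) { throw "No PE files found under $ScanPath" }
    $rules = New-CIPolicyRule -DriverFiles $files -Level $Level -Fallback Hash
    Merge-CIPolicy -OutputFilePath $OutputXml -PolicyPaths $BasePolicyXml -Rules $rules | Out-Null
    ConvertFrom-CIPolicy -XmlFilePath $OutputXml -BinaryFilePath $OutputBinary | Out-Null

    # What to look at before the reboot: how many hash and signer rules the merged policy
    # contains, and whether it is still in audit mode.
    [xml]$xml = Get-Content -Path $OutputXml -Raw
    $ns = @{ s = 'urn:schemas-microsoft-com:sipolicy' }
    [pscustomobject]@{
        Binary         = $OutputBinary
        AllowHashRules = @(Select-Xml -Xml $xml -XPath '//s:FileRules/s:Allow[@Hash]' -Namespace $ns).Count
        SignerRules    = @(Select-Xml -Xml $xml -XPath '//s:Signers/s:Signer' -Namespace $ns).Count
        AuditMode      = [bool](Select-Xml -Xml $xml -XPath "//s:Rules/s:Rule/s:Option[.='Enabled:Audit Mode']" -Namespace $ns)
    }
}

# Usage with the PuTTY post's names; the destination is the standard location for the active policy.
# Get-ScanSigningReport -ScanPath 'C:\Source' | Format-Table -AutoSize
# New-MergedCIPolicy -BasePolicyXml 'FinalPolicy.xml' -ScanPath 'C:\Source' -OutputXml 'FinalPolicy_Merged.xml' -OutputBinary 'SIPolicy.p7b'
# Copy-Item -Path 'SIPolicy.p7b' -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'; Restart-Computer
```

Run the signing report first: if it shows a single valid publisher you want to trust, the default Publisher level gives a policy that survives updates of that tool; if it is mostly NotSigned, as with OpenLiveWriter, you will end up with hashes either way and should expect to redo the merge on every update.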