跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(78) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) ChatGPT(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) RAG(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 智能体(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) kafka(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) RAG架构(3) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)

A curated list of awesome Security Hardening techniques for Windows.

Created by gepeto42 and PaulWebSec but highly inspired from PyroTek3 research!

Summary

This document summarizes the information related to Pyrotek and Harmj0y's DerbyCon talk called "111 Attacking EvilCorp Anatomy of a Corporate Hack". Video and slides are available below.

It also incorporates hardening techniques necessary to prevent other attacks, including techniques discussed by gepeto42 and joeynoname during their THOTCON 0x7 talk.

Something's missing? Create a Pull Request and add it.

Initial foothold

  • No hardening effort should come at the expense of upgrading operating systems.
  • Deploy EMET to Workstations (End of line in July 2018 - Consider keeping EMET for Windows 7 but prioritize upgrades to Windows 10 and Edge).
  • Use AppLocker to block exec content from running in user locations (home dir, profile path, temp, etc).
  • Hardening against DMA Attacks? Here you go and an interesting article from Synacktiv about DMA attacks
  • Manage PowerShell execution via Applocker or constrained language mode.
  • Enable PowerShell logging (v3+) & command process logging.
  • Block Office macros (Windows & Mac) on content downloaded from the Internet.
  • Deploy security tooling that monitors for suspicious behavior. Consider using WEF to forward only interesting events to your SIEM or logging system.
  • Limit capability by blocking/restricting attachments via email/download:
    • Executables extensions:
    • (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
    • Office files that support macros (docm, xlsm, pptm, etc.)
    • Ensure these file types are blocked.
    • Block forgotten/unused Excel file extensions: IQY, SLK
  • Change default program for anything that opens with Windows scripting to notepad (test first!)
    • bat, js, jse, vbe, vbs, wsf, wsh, hta, vbs, etc.
    • GPO: User Configuration -> Preferences -> Control Panel Settings -> Folder Options -> Open With
    • Action: Replace
    • File Extension: (extension)
    • Associated Program: %windir%\system32\notepad.exe
    • Set as default: Enabled.
  • Preventing activation of OLE packages in Office with the PackagerPrompt registry setting

Reconnaissance

  • Deploy Windows 10 and limit local group enumeration.
  • Limit workstation to workstation communication.
  • Increase security on sensitive GPOs.
  • Evaluate deployment of behavior analytics (Microsoft ATA).

BloodHound "prevention":

  • Use NetCease to prevent unprivileged session enumeration.
  • Use Samri10 to prevent unprivileged local admin collection (this fix already exists in Windows 10 1607 and above).

Lateral Movement

  • Configure GPO to prevent local accounts from network authentication (KB2871997). In addition to this KB, Countercept article is recommending two other changes in the registry:
  1. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs = 30. This will clear credentials of logged off users after 30 seconds (mimicking the behavior of Windows 8.1+)
  2. Set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0. This will prevent Wdigest credentials being stored in memory, again as is the default for Windows 8.1+.
  • Ensure local administrator account passwords are automatically changed (Microsoft LAPS) & remove extra local admin accounts.
  • Limit workstation to workstation communication (Windows Firewall).
    • Test psexec with good credentials between two workstations. If it works, you have a lateral movement problem.

Privilege Escalation

  • Remove files with passwords in SYSVOL (including GPP).
  • Ensure admins don’t log onto untrusted systems (regular workstations) by configuring DENY user right assignments with GPOs.
  • Provide Privileged Access Workstations or PAWs for all highly privileged work. Those should never have access to the Internet.
  • Use Managed Service Accounts for SAs when possible (FGPP)
  • For systems that do not support Managed Service Accounts, deploy a Fine-Grained Password Policy to ensure the passwords are >32 characters.
  • Ensure all computers are talking NTLMv2 & Kerberos, deny LM/NTLMv1.

Protect Administration Credentials

  • Ensure all admins only log onto approved admin workstations & servers. (See PAW in Privilege Escalation section)
  • Ensure all built-in groups but Administrator are denied from logging on to Domain Controllers user User Right Assignments. By default, Backup operators, Account operators can login to Domain Controllers, which is dangerous.
  • Add all admin accounts to Protected Users group (requires Windows 2012 R2 DCs).
  • Admin workstations & servers:
    • Control & limit access to admin workstations & servers.
    • Remove NetBIOS over TCP/IP
    • Disable LLMNR.
    • Disable WPAD.

Strengthen/Remove Legacy

  • Start now by using PingCastle which performs incredible AD audit
  • Audit/Restrict NTLM.
  • Enforce LDAP signing.
  • Enable SMB signing (& encryption where poss.).
  • Disable WPAD & LLMNR & work to disable NetBIOS.
  • Windows 10, remove:
    • SMB 1.0/CIFS
    • Windows PowerShell 2.0
  • Use shims to enable old applications that require admin privileges to work by believing they have them.

Tools

  • PingCastle - an Active Directory audit tool (and free!) with pretty good metrics.
  • Responder - A LLMNR, NBT-NS and MDNS poisoner
  • BloodHound - Six Degrees of Domain Admin
  • AD Control Path - Active Directory Control Paths auditing and graphing tools
  • PowerSploit - A PowerShell Post-Exploitation Framework
  • PowerView - Situational Awareness PowerShell framework
  • Empire - PowerShell and Python post-exploitation agent
  • Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
  • Tools Cheatsheets - (Beacon, PowerView, PowerUp, Empire, ...)
  • UACME - Defeating Windows User Account Control
  • Windows System Internals - (Including Sysmon etc.)
  • Hardentools - Collection of simple utilities designed to disable a number of "features" exposed by Windows
  • CrackMapExec - A swiss army knife for pentesting Windows/Active Directory environments
  • SharpSploit
  • Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • Koadic - Koadic, or COM Command & Control, is a Windows post-exploitation rootkit
  • SILENTTRINITY - A post-exploitation agent powered by Python, IronPython, C#/.NET

Videos

Slides

Additional resources

原文:https://github.com/PaulSec/awesome-windows-domain-hardening