What should I know about security? The massive list of links post.

I maintain a list of links I call "security stuff every Microsoft customer should know" that I send to every customer I visit. The list ranges from basic things to more in-depth security knowledge, and is now available even if I haven't visited you. :) You might want to bookmark this page, as it will get updated periodically.

My links on security I send to every customer:

Best Practices for Securing Active Directory: https://technet.microsoft.com/en-us/library/dn487446.aspx This whitepaper also contains a large quantity of monitoring guidance, including which optional logs to turn on. I highly recommend at least skimming through this whole whitepaper.

Pass the Hash Whitepapers: https://microsoft.com/pth (this URL also hosts ongoing content and discussions on the topic of Pass the Hash; there are two whitepapers here, and I recommend reading both.)

Channel9 presentation on SLAM and Lateral Movement: https://aka.ms/toppopslam

POP-EMET presentation: https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-Protect-Your-Enterprise-with-the-Enhanced-Mitigation-Experience-Toolkit

LAPS video: https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-How-to-tackle-Local-Admin-Password-Problems-in-the-Enterprise-with-LAPS

Download LAPS: https://aka.ms/laps

The Hierarchy of Cyber Needs - Basics like credential hygiene, patching, and least privilege often solve more problems than advanced solutions.

https://blogs.technet.microsoft.com/captain/2016/01/05/cyberneeds/

JIT/JEA (Just in Time / Just Enough Admin; this is the future): https://channel9.msdn.com/events/Ignite/2015/BRK2470

AGPM (Advanced Group Policy Management):

https://channel9.msdn.com/events/TechEd/NorthAmerica/2011/WCL308

Advanced Threat Analytics: https://channel9.msdn.com/events/Ignite/2015/BRK3870

Ransomware talks:

Less technical / more managerial version: https://channel9.msdn.com/Blogs/Taste-of-Premier/DigitalSpringCleaning (this one also discusses cyber extortion and destructive attacks)

More technical version: https://channel9.msdn.com/Blogs/Taste-of-Premier/Ransomware101

MMPC blog posts on ransomware, including Samas, which is a targeted attack:

https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/

https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/

Windows Event Forwarding and monitoring what matters (centralized logging for free!):

https://aka.ms/wef

https://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx

https://blogs.technet.com/b/jepayne/archive/2015/11/27/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts.aspx

https://blogs.technet.com/b/kfalde/archive/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi.aspx

Blackbelt security from TechEd 2014 https://channel9.msdn.com/events/TechEd/Europe/2014/WIN-B318

LUA Buglight - are your users running as admin because an application supposedly needs it? Don't let one app ruin your whole security posture; Aaron's got an app for that:

https://blogs.msdn.microsoft.com/aaron_margosis/2015/06/30/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/

KB2871997: an overview of the security features backported from Windows 8.1/2012 to Windows 7/2008 R2. These features are critical for stopping lateral movement, especially the "Local Account" principal. (I highly recommend following the SRD blog in general, as it is one of the best sources from Microsoft.)

https://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx

How cybersecurity investigations actually work - how real attacks happen, a little on what the incident response process looks like, and a lot on what you could be doing to stop attackers:

https://channel9.msdn.com/Events/Ignite/Australia-2015/WIN433

*The attack I show in this talk was based on this: https://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html I'm not linking this to show you how to hack - that's not why I am here - but to show you that people who do want to attack you can find clever ways quite easily. You should learn how these work so you can defend against them.

Information on the JASBug/GPO patch - this bug would allow an attacker to trick a Windows workstation into getting Group Policy from the internet. It was patched; however, there are steps that need to be configured post-patch to defend against it:

https://www.jasadvisors.com/additonal-jasbug-security-exploit-info/

https://www.jasadvisors.com/about-jas/jasbug-security-vulnerability-fact-sheet/

Black Hat talk on Golden Ticket and other attacks (which can be prevented by the controls we discussed; the PtH mitigations make all of this moot):

https://www.youtube.com/watch?v=-IMrNGPZTl0

SRD posts on some of the critical security issues in the last couple of years:

https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/

https://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx

Places in AD attackers can use for persistence:

https://adsecurity.org/?p=1929

Kerberoasting, a technique for stealing credentials even if the account has not logged onto the box:

https://adsecurity.org/?p=2293

Discussions on PowerShell persistence and logging - this is a very popular technique now, and most 2008 R2/Win7 customers don't have sufficient logging or prevention:

https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

https://adsecurity.org/?p=2604

https://www.exploit-monday.com/2015/11/investigating-subversive-powershell.html - PowerShell profiles can be a sneaky and difficult-to-detect way to maintain persistence on a network. Make sure you know all the profile locations if you're researching them (which Matt has kindly written about here. :) )

PowerShell best practices with some awesome people, Lee Holmes and James Forshaw:

https://channel9.msdn.com/events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2013-Sessions/PowerShell-Best-Practices

https://channel9.msdn.com/events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2013-Sessions/PowerShell-Code-Integrity

UEFI and Secure Boot attacks:

https://channel9.msdn.com/events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2014-Sesions/BlueHat-Security-Briefing-Fall-2014-Summary-of-Attacks-against-BIOS-and-Secure-Boot-Yuriy-Bulygin

adsecurity.org - Sean's whole blog is amazing, and you should read the whole thing if you are securing Windows. :)

Derivative Local Admin Discovery - if you don't have host firewalls turned on in your network, any authenticated user can discover the memberships of local Administrators groups across your environment. This is real-world attacker behavior, and here's a write-up and a tool by a pen tester on it:

https://wald0.com/?p=14

Pretty good write-up of how webshells are used to maintain persistence on a network, and how to spot them in web server logs:

https://blog.crowdstrike.com/mo-shells-mo-problems-web-server-log-analysis/

Microsoft Security Intelligence Report, published quarterly:

https://microsoft.com/sir

Threatpost discussions of various attacks that can be used:

https://threatpost.com/tracking-malware-that-uses-dns-for-exfiltration/111147

https://threatpost.com/patched-windows-kernel-mode-driver-flaw-exploitable-with-one-bit-change/111020

https://threatpost.com/chinese-hackers-compromised-forbes-com-using-ie-flash-zero-days/110996 This last one is really important, because it shows targeted malware being deployed simply by visiting a website. This is why defense in depth, desktop hardening, credential hygiene and EMET are so key.

“Admin Free” Active Directory blog posts (anything Laura writes is gold):

https://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx

https://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-part-2-protected-accounts-and-groups-in-active-directory.aspx

Purging legacy authentication protocols:

https://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx

Building custom XPath filters for event log subscriptions:

https://blogs.technet.com/b/kfalde/archive/2014/03/25/xpath-event-log-filtering.aspx

Spotting the Adversary with Windows Event Forwarding, from our dear friends at the NSA, which is a good write-up of basic monitoring (including gathering crash dumps, as they can indicate compromise in many instances):

https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

OCTAVE framework for threat modeling:

https://www.cert.org/resilience/products-services/octave/

https://www.sei.cmu.edu/reports/99tr017.pdf (this is the older version, but still applicable!)

TechEd presentation on memory analysis, which contains details on Pass the Hash and Golden Ticket:

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B350

TechEd presentation on EMET to prevent zero-days and other exploits (EMET is free!):

https://channel9.msdn.com/events/TechEd/Europe/2014/CDP-B348

A much more in-depth overview of EMET:

https://channel9.msdn.com/events/TechEd/NewZealand/2014/PCIT417

Redirecting the default location for computers joined to your domain (remember that Computers is a container, not an OU, so it can't receive Group Policy such as randomized local passwords and firewall settings):

https://support.microsoft.com/kb/324949

Reducing the number of computers a user can join to the domain, so that anyone with domain credentials can't add random Macs to the domain:

https://support.microsoft.com/kb/243327

Using PowerShell to get local group membership, such as Administrators:

https://blogs.technet.com/b/heyscriptingguy/archive/2012/12/15/weekend-scripter-use-powershell-to-find-local-administrators-on-a-computer.aspx

Blocking out-of-date ActiveX controls on the internet. If you have out-of-date Java or Flash for a mission-critical application and can't do EMET ASR, please please please deploy this GPO. Otherwise, every time you hit a website with a malicious exploit kit embedded in it, you are pretty much guaranteed to get malware such as ransomware.

https://technet.microsoft.com/en-us/library/dn761713.aspx

Have a suspicious IP in your logs? Don't ping it or run nslookup against it! This can tip off the attacker. Try searching for it in these tools instead:

https://isc.sans.edu/tools/whereis.html

https://virustotal.com/

Well-known security identifiers (SIDs) in Windows - one day you will be reading an event log in an emergency and you will need this :)

https://support.microsoft.com/en-us/kb/243330

Hope these help!

-Jessica @jepayneMSFT