I maintain a list of links I call “security stuff every Microsoft customer should know” that I send to every customer I visit. The list ranges from basic things to more in depth security knowledge, and is now available even if I haven’t visited you. 🙂 You might want to bookmark this page, as it will get updated periodically.
My links on security I send to every customer :
Best Practices for Securing Active Directory
https://technet.microsoft.com/en-us/library/dn487446.aspx This whitepaper also contains a large quantity of monitoring guidance including which optional logs to turn on. I highly recommend at least skimming through this whole whitepaper.
Pass the Hash Whitepapers
http://microsoft.com/pth (this URL also hosts ongoing content and discussions on the topic of Pass the Hash – there are two whitepapers here, I recommend reading both. )
Channel9 Presentation of SLAM and Lateral Movement :
POP-EMET Presentation :
LAPS Video :
Download LAPS :
The Hierarchy of Cyber Needs – Basics like credential hygiene, patching, and least privilege often solve more problems than advanced solutions.
JIT-JEA (just in time just enough admin – this is the future) :
Advanced Threat Analytics :
Less technical/more managerial concerns version https://channel9.msdn.com/Blogs/Taste-of-Premier/DigitalSpringCleaning (this one also discusses Cyber extortion and destructive attacks)
More technical version https://channel9.msdn.com/Blogs/Taste-of-Premier/Ransomware101
MMPC Blogs on Ransomware, including Samas which is a targeted attack:
Windows Event Forwarding and monitoring what matters (centralized logging for free!)
Blackbelt security from TechEd 2014
LUA Buglight – are your users running as admin because an application supposedly needs it? Don’t let one app ruin your whole security posture, Aaron’s got an app for that:
KB2871997 Overview of the backported security features from 8.1/2012 to 7/2008R2. These features are critical for stopping lateral movement, especially the “Local Account” principal. (Highly recommend following the SRD blog in general, as it is one of the best sources from Microsoft) :
How Cybersecurity investigations actually work – how real attacks happen, a little on what the Incident Response process looks like and a lot on what you could be doing to stop attackers
*the attack I show in this was based on this : http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html I’m not linking this to show you how to hack – that’s not why I am here, but to show you people who do want to attack you can find clever ways quite easily. You should learn how these work so you can defend against them.
Information on the JASBug/GPO patch – this bug would allow you to trick a Windows workstation into getting group policy from the internet. It was patched however there are steps that need to be configured post-patch to defend against it :
Blackhat talk on Golden Ticket and other attacks (which can be prevented by the controls we discussed)
https://www.youtube.com/watch?v=-IMrNGPZTl0 (PtH mitigations make all of this moot.)
SRD posts on some of the critical security issues in the last couple years :
Places in AD attackers can use for persistence:
Kerberoasting, a technique for stealing credentials even if the account has not logged onto the box:
Discussions on Powershell persistence and logging – this is a very popular technique now and most 2008R2/Win7 customers don’t have sufficient logging or preventions :
http://www.exploit-monday.com/2015/11/investigating-subversive-powershell.html – Powershell profiles can be a sneaky and difficult to detect way to maintain persistence on a network. Make sure you know all the locations if you’re researching them. (Which Matt has kindly written about here. 🙂 )
Powershell best practices with some awesome people, Lee Holmes and James Forshaw :
UEFI and SecureBoot attacks:
adsecurity.org – Sean’s whole blog is amazing and you should read the whole thing if you are security Windows. 🙂
Derivative Local Admin Discovery – if you don’t have host firewalls on in your network, any authenticated user can discover the memberships of Local Admin Groups in your environment. This is a real world attacker behavior, and here’s a write up and a tool by a pen tester on it :
Pretty good writeup of some webshell behavior to maintain persistence on a network:
Microsoft Security Intelligence Report, published quarterly:
Threatpost discussions of various attacks that can be used:
http://threatpost.com/chinese-hackers-compromised-forbes-com-using-ie-flash-zero-days/110996 This one is really important, because this targeted malware being deployed simply by visiting a website. This is why defense in depth/desktop hardening/credential hygiene/EMET are so key.
“Admin Free” Active Directory blog posts (anything Laura writes is gold) :
Purging Legacy Authentication Protocols :
Building custom X-Path filters :
Spotting the Adversary with Windows Event Forwarding from our dear friends at the NSA, which is a good write-up of basic monitoring (including gathering crash dumps, as they can indicate compromise in many instances) :
OCTAVE framework for threat modeling :
http://www.sei.cmu.edu/reports/99tr017.pdf (this is the older version but still applicable!)
TechEd presentation on memory analysis which contains details on Pass the Hash and Golden Ticket :
TechEd presentation on EMET to prevent zero days and other exploits (EMET is free!):
Way more indepth overview of EMET :
Redirecting the default place computers joined to your domain go (remember Computers is a “Container” and can’t get policy such as randomized passwords and firewall.) :
Reducing the number of computers someone can join to the domain so any person with credentials can’t add random Macs to the domain :
Using Powershell to get local group membership like Admins :
Blocking out of date ActiveX on the internet. If you have out of date Java or Flash for a mission critical application and can’t do EMET ASR, please please please deploy this GPO. Otherwise every time you hit a website with a malicious exploit kit embedded in it, you are pretty much guaranteed to get malware like Ransomware.
Have a suspicious IP in your logs? Don’t ping it or nslookup! This can tip off the attacker. Try searching for it in these tools instead:
Well Known Security Identifiers in Windows – one day you will be reading an event log in an emergency and you will need this 🙂
Hope these help!