Last active
June 23, 2020 12:23
-
-
Save hpaul-osi/d1d4dd80e2627c94aac9b7e55a5ec799 to your computer and use it in GitHub Desktop.
Examples from the OSIsoft sponsor talk, Hardcore Windows Hardening, at S4x18.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This gist contains examples from the S4x18 sponsor talk, Hardcore Windows Hardening. | |
| https://s4x18.com/sessions/sponsor-stage-13/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple DSC example to ensure SMBv1 is disabled | |
| Configuration SMBv1Example { | |
| param( | |
| [string]$ComputerName="localhost" | |
| ) | |
| Import-DscResource -ModuleName PSDesiredStateConfiguration | |
| Node $ComputerName { | |
| WindowsFeature SMBv1_Disable { | |
| Ensure = "Absent" | |
| Name = "FS-SMB1" | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Install BaselineManagement module and convert MS recommended baseline. | |
| # Ref: BaselineManagement repo on GitHub (https://github.com/Microsoft/BaselineManagement) | |
| # Ref: Security Baselines for Windows, MS Security Guidance Blog (https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) | |
| # A few modules are required | |
| $RequiredModules = @('AuditPolicyDSC','SecurityPolicyDSC','BaselineManagement') | |
| # NuGet required to retrieve resources | |
| Install-PackageProvider -Name NuGet | |
| # PSGallery needs to be trusted | |
| Set-PSRepository -Name PSGallery -InstallationPolicy Trusted | |
| # Pull in required modules | |
| Find-Module $RequiredModules | Install-Module | |
| # Import the new BaselineManagement module | |
| Import-Module BaselineManagement | |
| # Feed it your favorite GPO | |
| ConvertFrom-GPO -OutputConfigurationScript ` | |
| -OutputPath '.\' ` | |
| -Path '.\GPOs\{088E04EC-440C-48CB-A8D7-A89D0162FBFB}' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Device Guard overview | |
| # Ref: Overview of Device Guard in Windows Server 2016, TechNet Blog (https://blogs.technet.microsoft.com/datacentersecurity/2016/09/20/overview-of-device-guard-in-windows-server-2016/) | |
| # Ref: Enable Virtualization-based protection of code integrity, MS Docs (https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security) | |
| # Enable Device Guard | |
| $DGRegKey = "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" | |
| reg add $DGRegKey /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f | |
| reg add $DGRegKey /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f | |
| reg add $DGRegKey /v "Locked" /t REG_DWORD /d 0 /f | |
| reg add "$DGRegKey\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f | |
| reg add "$DGRegKey\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f | |
| # Create and deploy policy | |
| # Set paths | |
| $policyConfig = $($env:userprofile + '\Documents\Publisher.xml') | |
| $policyBin = $($env:userprofile + '\Documents\Publisher.bin') | |
| $policyP7B = $($env:WinDir + '\System32\CodeIntegrity\SiPolicy.p7b') | |
| # Create policy (audit by default) | |
| New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -FilePath $policyConfig | |
| # Alter policy to enforce | |
| Set-RuleOption -FilePath $policyConfig -Option 3 -delete | |
| # Convert to BIN | |
| ConvertFrom-CIPolicy $policyConfig $policyBin | |
| # Deploy policy | |
| Copy-Item $policyBin $policyP7B -Verbose | |
| # Get audit events | |
| Get-WinEvent -ProviderName 'Microsoft-Windows-CodeIntegrity' ` | |
| | Where-Object { $_.Id -eq 3077 } ` | |
| | Format-List | |
| # Get Status with msinfo32 or Get-CimInstance below | |
| Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get all processes running unsigned code. | |
| # Ref: Lee Holmes tweet (https://twitter.com/Lee_Holmes/status/875781096885043201) | |
| Get-Process | Get-Item -ErrorAction Ignore ` | |
| | Get-AuthenticodeSignature ` | |
| | Group {$_.SignerCertificate.Subject } ` | |
| | Select Count,Name |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Extract signers from CIPolicy | |
| $policyConfig = "$env:userprofile\Documents\PublisherRules.xml" | |
| [xml]$PolicyContents = Get-Content $policyConfig | |
| $PolicyContents.SiPolicy.Signers.Signer ` | |
| | Select Name, @{ | |
| Name="Publisher"; | |
| Expression={$_.CertPublisher.Value} | |
| }, | |
| @{ | |
| Name="Root"; | |
| Expression={$_.CertRoot.Value} | |
| } -Unique | |
| # Extract hashed files | |
| $policyConfig = "$env:userprofile\Documents\PublisherRules.xml" | |
| [xml]$PolicyContents = Get-Content $policyConfig | |
| $PolicyContents.SiPolicy.FileRules.Allow ` | |
| | Select FriendlyName, Hash |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' SLIDE 22: VB script for WSH for PINetMgr | |
| ' MSDN has documented examples | |
| ' Ref: Restricting Service, WFAS on MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/aa366327(v=vs.85).aspx) | |
| option explicit | |
| ' IP protocol | |
| const NET_FW_IP_PROTOCOL_TCP = 6 | |
| ' Action | |
| const NET_FW_ACTION_ALLOW = 1 | |
| ' Direction | |
| const NET_FW_RULE_DIR_IN = 1 | |
| const NET_FW_RULE_DIR_OUT = 2 | |
| ' Create the FwPolicy2 object. | |
| Dim fwPolicy2 | |
| Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2") | |
| ' Get the Service Restriction object for the local firewall policy. | |
| Dim ServiceRestriction | |
| Set ServiceRestriction = fwPolicy2.ServiceRestriction | |
| ' Put in block-all inbound and block-all outbound Windows Service Hardening (WSH) networking rules for the service | |
| ServiceRestriction.RestrictService "PINetMgr", "%piserver%\bin\pinetmgr.exe", TRUE, FALSE | |
| ' Get the collection of Windows Service Hardening networking rules | |
| Dim wshRules | |
| Set wshRules = ServiceRestriction.Rules | |
| ' Add inbound WSH allow rule for service PINetMgr | |
| Dim NewInboundRule | |
| Set NewInboundRule = CreateObject("HNetCfg.FWRule") | |
| NewInboundRule.Name = "Allow only TCP 5450 inbound to service" | |
| NewInboundRule.ApplicationName = "%piserver%bin\pinetmgr.exe" | |
| NewInboundRule.ServiceName = "PINetMgr" | |
| NewInboundRule.Protocol = NET_FW_IP_PROTOCOL_TCP | |
| NewInboundRule.LocalPorts = 5450 | |
| NewInboundRule.Action = NET_FW_ACTION_ALLOW | |
| NewInboundRule.Direction = NET_FW_RULE_DIR_IN | |
| NewInboundRule.Enabled = true | |
| ' Add the inbound allow rule | |
| wshRules.Add NewInboundRule | |
| ' Add outbound WSH allow rules for PINetMgr | |
| Dim NewOutboundRule | |
| Set NewOutboundRule = CreateObject("HNetCfg.FWRule") | |
| NewOutboundRule.Name = "Allow outbound traffic from service" | |
| NewOutboundRule.ApplicationName = "%piserver%bin\pinetmgr.exe" | |
| NewOutboundRule.ServiceName = "PINetMgr" | |
| NewOutboundRule.Protocol = NET_FW_IP_PROTOCOL_TCP | |
| NewOutboundRule.RemotePorts = "49152-65535" | |
| NewOutboundRule.Action = NET_FW_ACTION_ALLOW | |
| NewOutboundRule.Direction = NET_FW_RULE_DIR_OUT | |
| NewOutboundRule.Enabled = true | |
| ' Add the outbound allow rule | |
| wshRules.Add NewOutboundRule |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PS script for WSH | |
| $Program = "%piserver%bin\pinetmgr.exe" | |
| $Service = "PINetMgr" | |
| $LocalPort = "5450" | |
| $RemotePort = "49152-65535" | |
| $Protocol = "TCP" | |
| $WSHRules = @( | |
| @{ | |
| Name = "Inbound service restriction rule for $Service" | |
| Action = "Block" | |
| Direction = "Inbound" | |
| }, | |
| @{ | |
| Name = "Outbound service restriction rule for $Service" | |
| Action = "Block" | |
| Direction = "Outbound" | |
| }, | |
| @{ | |
| Name = "Allow only TCP $LocalPort inbound to $Service" | |
| Action = "Allow" | |
| Direction = "Inbound" | |
| Protocol = $Protocol | |
| LocalPort = $LocalPort | |
| }, | |
| @{ | |
| Name = "Allow only TCP $RemotePort outbound from $Service" | |
| Action = "Allow" | |
| Direction = "Outbound" | |
| Protocol = $Protocol | |
| RemotePort = $RemotePort | |
| } | |
| ) | |
| # Loop through the rules and apply. | |
| foreach($Rule in $WSHRules) | |
| { | |
| # Include the proper scope on each rule | |
| $Rule += @{ | |
| DisplayName = $Rule.Name | |
| Program = $Program | |
| Service = $Service | |
| Enabled = "TRUE" | |
| PolicyStore = "ConfigurableServiceStore" | |
| } | |
| New-NetFirewallRule @Rule | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Configuration ServiceHardening | |
| { | |
| param( | |
| $ComputerName="localhost", | |
| $Service="PINetMgr", | |
| $Program="%piserver%bin\pinetmgr.exe", | |
| $LocalPort = "5450", | |
| $RemotePort = "49152-65535", | |
| [ValidateSet("TCP","UDP")] | |
| $Protocol = "TCP" | |
| ) | |
| Import-DscResource -ModuleName PSDesiredStateConfiguration | |
| Node $ComputerName | |
| { | |
| switch($Protocol) | |
| { | |
| "TCP" {$ProtocolID = "6"} | |
| "UDP" {$ProtocolID = "17"} | |
| } | |
| $ConfigurableServiceStore = "HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" | |
| $Version = "v2.26" | |
| $AllowInRuleName = "Allow only $Protocol $LocalPort inbound to $Service" | |
| Registry $AllowInRuleName | |
| { | |
| Ensure = 'Present' | |
| Key = $ConfigurableServiceStore | |
| ValueData = "$Version|Action=Allow|Active=TRUE|Dir=In|" + ` | |
| "Protocol=$ProtocolID|" + ` | |
| "LPort=$LocalPort|" + ` | |
| "App=$Program|" + ` | |
| "Svc=$Service|" + ` | |
| "Name=$AllowInRuleName|" | |
| ValueName = $AllowInRuleName | |
| ValueType = 'String' | |
| } | |
| $AllowOutRuleName = "Allow only $Protocol $LocalPort outbound from $Service" | |
| Registry $AllowOutRuleName | |
| { | |
| Ensure = 'Present' | |
| Key = $ConfigurableServiceStore | |
| ValueData = "$Version|Action=Allow|Active=TRUE|Dir=Out|" + ` | |
| "Protocol=$ProtocolID|" + ` | |
| "RPort2_10=$RemotePort|" + ` | |
| "App=$Program|" + ` | |
| "Svc=$Service|" + ` | |
| "Name=$AllowOutRuleName|" | |
| ValueName = $AllowOutRuleName | |
| ValueType = 'String' | |
| } | |
| $RestrictInRuleName = "Inbound service restriction rule for $Service" | |
| Registry $RestrictInRuleName | |
| { | |
| Ensure = 'Present' | |
| Key = $ConfigurableServiceStore | |
| ValueData = "$Version|Action=Block|Active=TRUE|Dir=In|" + ` | |
| "App=$Program|" + ` | |
| "Svc=$Service|" + ` | |
| "Name=$RestrictInRuleName|" | |
| ValueName = $RestrictInRuleName | |
| ValueType = 'String' | |
| } | |
| $RestrictOutRuleName = "Outbound service restriction rule for $Service" | |
| Registry $RestrictOutRuleName | |
| { | |
| Ensure = 'Present' | |
| Key = $ConfigurableServiceStore | |
| ValueData = "$Version|Action=Block|Active=TRUE|Dir=Out|" + ` | |
| "App=$Program|" + ` | |
| "Svc=$Service|" + ` | |
| "Name=$RestrictOutRuleName|" | |
| ValueName = $RestrictOutRuleName | |
| ValueType = 'String' | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Just In Time access with PowerShell | |
| # Ref: Ian Far, "Hey, Scripting Guy! Blog" (https://blogs.technet.microsoft.com/heyscriptingguy/2015/05/23/weekend-scripter-use-powershell-for-jit-administration-and-pam-part-1/) | |
| Set-ADUserJitAdmin -UserOn "CN=Example User,OU=User Accounts,DC=contoso,DC=com" ` | |
| -Domain "contoso.com" ` | |
| -PrivGroup "Domain Admins" ` | |
| -TtlHours 10 ` | |
| -Verbose |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Setting up Sysmon | |
| sysmon -i -accepteula | |
| sysmon -c YourAwesomeConfig.xml | |
| wevutil sl Microsoft-Windows-Sysmon/Operational /ms:20971520 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Permalinks to nteresting Sysmon rules written by experts | |
| Detect when file creation time changes *retroactively* in user files | |
| https://github.com/SwiftOnSecurity/sysmon-config/blob/831a828ffe9b7e002d835434d8488e4c74b99c85/sysmonconfig-export.xml#L152 | |
| Registry modification events rules that take a lot of care to remove noise. | |
| https://github.com/SwiftOnSecurity/sysmon-config/blob/831a828ffe9b7e002d835434d8488e4c74b99c85/sysmonconfig-export.xml#L340 | |
| Suspicious processes and locations for connections to originate. | |
| https://github.com/MotiBa/Sysmon/blob/0bb711209230a71188f2e4216dbd6a6ec524254d/config_v8.xml#L59 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment