Posh-Sysmon Module for Creating Sysmon Configuration Files

Sysmon configuration can be complex and hard to maintain by hand. For this purpose I created a module called Posh-Sysmon some time ago to aid in the creation and maintenance of configuration files. The module was initially written after the release of version 2.0 and has been maintained and expanded as new versions have been released, all the way to the current one at the time of writing, version 6.0.

The module is written for PowerShell v3.0 and above and can be installed from the PowerShell Gallery, if running version 5.0 or 5.1, using the cmdlet


Home Lab - Networking

In this post I will cover the basic setup of the building-block network: a simple flat network behind a router acting as firewall, NAT, DHCP and VPN server for the network.

The first action is to create a Virtual Switch that will provide connectivity for all the virtual machines in this flat network. Almost all virtualization solutions support a virtual switch under one name or another. Since I chose ESXi for my home lab, the commands shown are for that platform, but in general terms the same can be done with Hyper-V or XenServer.

The main reason I'm showing all the steps via the command line is so that they can be automated later in a script if this is a process that will be repeated several times.


Writing an Active Directory Audit Module - Getting a DirectoryEntry

In the previous blog post, when we looked at the object returned, it had all of the information properly parsed and shown, so I do not have to run around parsing fields and converting them. For me, however, a critical piece of information is not shown, and that is the SID of the forest domain. If you have played with analysis of some logs and with Mimikatz attacks, you know the SID is of great importance. For this we will use the System.DirectoryServices namespace, specifically the DirectoryEntry class, which represents a path in AD.


Writing an Active Directory Audit Module - Getting Forest Info

In the last blog post we covered setting the goals for the project, general guidelines, how I set up a project in GitHub and the creation of the module manifest. In this blog post we will cover some of the APIs around Active Directory that we can use in Windows PowerShell to access and query it, either from a host already in the domain or with alternate credentials against a specific host.

Currently, when working in Windows PowerShell, there are 4 main ways to interact with Active Directory:

  • ActiveDirectory module - gets installed with RSAT or when the Domain Controller role is added to a server. Varies per version of Windows.
  • System.DirectoryServices namespace - a .Net wrapper around the ADSI (Active Directory Service Interface) COM object. It represents a specific path or object in AD, allowing information to be pulled and modified.
  • System.DirectoryServices.ActiveDirectory namespace - provides several .Net classes that abstract AD services. Manipulation of forest, domain, site, subnet, partition, and schema objects is part of the object model.
  • System.DirectoryServices.AccountManagement namespace - provides uniform access to and manipulation of user, computer, and group security principals.

RDP TLS Certificate Deployment Using GPO

Remote Desktop has been the go-to remote administration tool for many IT professionals, and sadly many even expose it to the internet, leading to brute-force attacks and man-in-the-middle attacks. I still remember the first time I saw how easy it is from Irongeek's examples using Cain & Abel: http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff and http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser. I have taken great care to make sure RDP connections in my network and customer networks are as secure as possible. Here is an example of how to deploy TLS certificates for use with RDP via GPO, and how to configure some non-Microsoft systems.