The following article summarizes a multi-part series I’m writing on standing-up an open source Security Incident Response Platform. This platform allows for log retention and analysis, alert generation, IoC enrichment, and case management.
As the Identity and Authentication source of most Enterprises, Active Directory is the backbone of local and federated authentication. Coupled with the prevalence of Cloud computing, organizations are depending more-and-more on federated authentication and expanding their Active Directory into the Cloud.
Rclone brands themselves as “rsync for cloud storage”, and with its versatility and the number of providers it supports I’m inclined to believe them.
This is a list of all the User Rights Assignments available on a Windows network along with a brief description and default values. The definitions are taken from the Microsoft documentation.
In May 2018 the Australian Cyber Security Center published an updated list of recommended configuration settings for hardening Windows 10 version 1709. This 50 page guide provides easily readable recommendations along with explanations of why the settings should be changed.
While investigating the demise of NetBIOS and how to fully remove it from a network I came across and interesting observation.
A client recently called in with an interesting problem. When users would create a new folder on a network share, four folders would appear instead of one. Even more interesting is that this was only happening for those users when connecting to the share from a Windows 10 workstation. The same user accessing the share from Windows 7 would only create a single folder.
Policy Analyzer is one of the tools included as part of the Microsoft Security Compliance Toolkit, which Microsoft describes as “a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.”
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. In short, it analyzes group membership, GPOs, permissions, and currently logged-on sessions to visually displays links between objects in order to identify misconfigurations and easy paths to compromise. This tool is not for analyzing the permissions on a single server, but rather for identifying the path of least resistance to gaining elevated Domain permissions.
In preparation for an upcoming post, I recently dove into my notes on installing the Prometheus monitoring server. My last time setting up Prometheus was on an Ubuntu server and the repository version was at least the same major revision version as the current release. This time I’m installing on Debian 9 and currently the latest Prometheus version is 2.3.2 while the Debian repository is offering 1.5.2. That’s unacceptable. While the sid repository does contain 2.3.2, I decided to take the opportunity to deploy in a cleaner (and less permanent) manner through Docker. Prometheus is well supported in Docker environments and it gave me an opportunity to brush up on my container deploying skills.