awesome-windows-domain-hardening
Security Hardening Techniques
A curated list of awesome Security Hardening techniques for Windows.
Initial foothold
- Deploy EMET to workstations (end of life in July 2018 - consider keeping EMET for Windows 7, but prioritize upgrades to Windows 10 and Edge)
- Use AppLocker to block executable content from running in user locations (home dir, profile path, temp, etc.)
- Hardening against DMA attacks? Here you go, and an interesting article from
- Enable PowerShell logging (v3+) & command process logging
- Block Office macros (Windows & Mac) on content downloaded from the Internet
- Deploy security tooling that monitors for suspicious behavior. Consider using WEF to forward only interesting events to your SIEM or logging system
- Limit capability by blocking/restricting attachments via email/download:
  - Ensure these file types are blocked
  - Block forgotten/unused Excel file extensions: IQY, SLK
- Preventing activation of OLE packages in Office with the PackagerPrompt registry setting
Reconnaissance
- Increase security on sensitive GPOs
- Evaluate deployment of behavior analytics (Microsoft ATA)
- Use NetCease to prevent unprivileged session enumeration
- Use Samri10 to prevent unprivileged local admin collection (this fix already exists in Windows 10 1607 and above)
Lateral Movement
- Configure GPO to prevent local accounts from network authentication (KB2871997). In addition to this KB, two other changes in the registry are recommended.
- Ensure local administrator account passwords are automatically changed (Microsoft LAPS) & remove extra local admin accounts
- Limit workstation to workstation communication (Windows Firewall)
Privilege Escalation
- Remove files with passwords in SYSVOL (including GPP)
- Provide Privileged Access Workstations or PAWs for all highly privileged work. Those should never have access to the Internet
- Use Managed Service Accounts for SAs when possible. For systems that do not support Managed Service Accounts, deploy a Fine-Grained Password Policy (FGPP) to ensure the passwords are >32 characters
- Ensure all computers are talking NTLMv2 & Kerberos, deny LM/NTLMv1
Protect Administration Credentials
- Add all admin accounts to the Protected Users group (requires Windows 2012 R2 DCs)
- Admin workstations & servers:
  - Disable LLMNR
  - Disable WPAD
Strengthen/Remove Legacy
- Enforce LDAP signing
- Enable SMB signing (& encryption where possible)
- Use shims to enable old applications that require admin privileges to work by believing they have them
Tools
- PingCastle: an Active Directory audit tool (and free!) with pretty good metrics
- Responder: an LLMNR, NBT-NS and mDNS poisoner
- BloodHound: Six Degrees of Domain Admin
- AD Control Path: Active Directory Control Paths auditing and graphing tools
- PowerSploit: a PowerShell post-exploitation framework
- PowerView: situational awareness PowerShell framework
- Empire: PowerShell and Python post-exploitation agent
- Mimikatz: utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, but also to perform pass-the-hash, pass-the-ticket or build Golden Tickets
- Tools Cheatsheets (Beacon, PowerView, PowerUp, Empire, ...)
- UACME: defeating Windows User Account Control
- Windows System Internals (including Sysmon etc.)
- Hardentools: collection of simple utilities designed to disable a number of "features" exposed by Windows
- CrackMapExec: a swiss army knife for pentesting Windows/Active Directory environments
- SharpSploit
- Rubeus: a C# toolset for raw Kerberos interaction and abuses
- Koadic: Koadic, or COM Command & Control, is a Windows post-exploitation rootkit
- SILENTTRINITY: a post-exploitation agent powered by Python, IronPython, C#/.NET
Videos
- Beyond the MCSE: Active Directory for the Security Professional
- BSides DC 2016 - PowerShell Security: Defending the Enterprise from the Latest Attack Platform
- Six Degrees of Domain Admin... - Andy Robbins, Will Schroeder, Rohan Vazarkar
- 111 Attacking EvilCorp Anatomy of a Corporate Hack
- Red vs Blue: Modern Active Directory Attacks & Defense
- Offensive Active Directory with PowerShell
- Advanced Incident Detection and Threat Hunting using Sysmon and Splunk
- Real Solutions From Real Incidents: Save Money and Your Job!
- AppLocker Bypass Techniques
Slides
- From Workstation To Domain Admin - Why Secure Administration Isn't Secure
- Exploiting AD Administrator Insecurities
- How to go from Responding to Hunting with Sysinternals Sysmon
- 111 Attacking EvilCorp Anatomy of a Corporate Hack
- Real Solutions From Real Incidents: Save Money and Your Job!
Additional resources
- ADSecurity
- Harmj0y's blog
- SecuriTay's Sysmon configuration file template with default high-quality event tracing
- Explaining and adapting Tay's Sysmon configuration and
- Use of PSExec
- Preventing Mimikatz attacks
- Useful list of Windows Security Log Events
- Introducing SharpSploit: A C# Post-Exploitation Library
- From Kekeo to Rubeus
- Windows oneliners to download remote payload and execute arbitrary code
- Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings
More related projects:
- hausec/adape-script
- emilyanncr/windows-post-exploitation
- nextronsystems/aptsimulator
- antoniococo/sharpyshell
- bluscreenofjeff/red-team-infrastructure-wiki
- bats3c/shad0w
- donnemartin/haxor-news
- govolution/avet
- s1ckb0y1337/active-directory-exploitation-cheat-sheet
- alessandroz/lazagne
- donnemartin/saws
- donnemartin/gitsome
- netspi/esc
- kkawakam/rustyline