CYBERSECURITY JOB HUNTING GUIDE
Windows 10
Author: Stefan Waldvogel
This article describes all changes made to the Windows 10 client in the lab.
Overview:
We do the following things:
- install Windows 10 in a virtual environment (link to a different article)
- join the machine to a domain
- change some system settings so we get better logging
- download and install a LimaCharlie agent
- download and install Atomic Red Team
For this lab I am using a Windows 10 client and join it to a domain to get a realistic environment for our tests.
Installing Windows 10 is not hard; you find the link on the left side.
The linked article does not describe how to add the machine to the domain, so I do it here briefly.
We have to change the DNS setting of our network adapter, because the client does not yet know where our DNS server (the domain controller) is.
Find the server's IP address and enter it as the DNS server: right-click the network icon, open Network settings, choose Change adapter options, right-click your Ethernet card, select Properties, and enter the IP under DNS.
Open "Access work or school" and choose to join a local Active Directory domain.
Windows asks for the domain name and for an account that is allowed to join computers (e.g. the domain Administrator). If everything worked well, you get a welcome message.
Restart the client; afterwards we can log into it with a domain user. Windows asks for the NetBIOS name when you log in as DOMAIN\user. I changed my NetBIOS name to something unique; yours is most likely your domain name without .local.
Congratulations, the first step is done, you have a running Active Directory lab at home.
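The same join, done from an elevated PowerShell instead of the GUI. This is an added example and not part of the original article; the adapter alias "Ethernet", the domain controller address 192.168.56.10 and the domain name lab.local are assumptions you must replace with your own values.

```powershell
# Added example (not from the original article): point the client at the lab DC for DNS,
# join the domain and verify the result. Assumed values: adapter alias "Ethernet",
# DC IP 192.168.56.10, domain "lab.local". Run as a local administrator.
$Adapter = "Ethernet"
$DcIp    = "192.168.56.10"
$Domain  = "lab.local"

# 1. The client has to resolve the domain's SRV records, so DNS must point at the DC.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp
Clear-DnsClientCache

# 2. Check name resolution before the join; a failing lookup here is the usual cause
#    of "An Active Directory Domain Controller could not be contacted".
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop

# 3. Join with a domain account that may add computers, then reboot.
$Cred = Get-Credential -Message "Account allowed to join computers, e.g. $Domain\Administrator"
Add-Computer -DomainName $Domain -Credential $Cred -Restart -Force

# After the reboot, log in as a domain user and verify the machine account's secure channel:
#   Test-ComputerSecureChannel -Verbose            # True when the join is healthy
#   (Get-CimInstance Win32_ComputerSystem).Domain   # shows lab.local
```

The SRV lookup in step 2 is the check worth keeping: if it fails, fix DNS first, because Add-Computer will fail with a much less helpful message.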
Installing LimaCharlie's agent
Follow the link to setup and install LimaCharlie.
If you did it right, you should see the new sensor in the LimaCharlie console, something like this:
The kernel component takes a while to show up; do not worry about that right now.
Set up logging on the client (and on the server)
This section is somewhat optional, but I want to have additional visibility. I have to watch general settings, server (e.g. Kerberos) settings and PowerShell.
The website what2log gives us a great starting point and covers the important log settings.
PowerShell logging
Small excursion (optional knowledge): how to log PowerShell
Remember, by default Windows 10 does not log the content of PowerShell commands; an attacker can do anything with your system through PowerShell and you have no idea.
Increasing the log size
wevtutil gl "Security" # Print the current configuration of the Security log
wevtutil sl "Security" /ms:100000000 # Set the Security log maximum size to 100,000,000 bytes (about 95 MB)
The default size is 20 MB and might be a bit small; once the log is full, the oldest events are overwritten.
Enable Module Logging
-> These are PowerShell commands. Copy the full block and run it in an elevated PowerShell.
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Name EnableModuleLogging -PropertyType DWORD -Value 1
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Name '*' -PropertyType String -Value '*'
--> generates events with ID 4103 in the Microsoft-Windows-PowerShell/Operational log
Enable Script Block Logging
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -PropertyType DWORD -Value 1
--> generates events with ID 4104 in the Microsoft-Windows-PowerShell/Operational log (the value name must be EnableScriptBlockLogging; a value called ScriptBlockLogging is ignored)
Enable Transcription
New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableTranscripting -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableInvocationHeader -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name OutputDirectory -PropertyType String -Value C:\PSHTranscripts
New-Item 'C:\PSHTranscripts' -ItemType "directory"
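To confirm that the three policy keys and the log size really took effect, the following added check (not part of the original article) reads the settings back, then runs a throw-away script block and searches the PowerShell operational log for the 4104 event it should have produced. The marker string and the two-second wait are my own choices.

```powershell
# Added example (not from the original article): verify the PowerShell logging policy,
# the Security log size, and that script block logging actually writes 4104 events.
# Run in an elevated PowerShell after applying the settings above.
$Base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

# Expected DWORD values; the key name comes before the backslash, the value name after it.
$Checks = [ordered]@{
    "ModuleLogging\EnableModuleLogging"           = 1
    "ScriptBlockLogging\EnableScriptBlockLogging" = 1   # note the "Enable" prefix
    "Transcription\EnableTranscripting"           = 1
    "Transcription\EnableInvocationHeader"        = 1
}
foreach ($entry in $Checks.GetEnumerator()) {
    $key, $name = $entry.Key -split '\\'
    $actual = (Get-ItemProperty -Path "$Base\$key" -Name $name -ErrorAction SilentlyContinue).$name
    $state  = if ($actual -eq $entry.Value) { "OK     " } else { "MISSING" }
    "{0} {1}\{2} = {3}" -f $state, $key, $name, $actual
}

# wevtutil /ms: takes bytes; show the configured maximum in MB.
$sec = Get-WinEvent -ListLog Security
"Security log max size: {0:N0} MB" -f ($sec.MaximumSizeInBytes / 1MB)

# Produce a script block with a unique marker (constructed test input) and look for the
# matching 4104 record. ETW delivery is asynchronous, so allow a moment before querying.
$marker = "lab-marker-" + (Get-Date -Format "HHmmss")
& ([scriptblock]::Create("Write-Output '$marker'")) | Out-Null
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-PowerShell/Operational"; Id = 4104 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" } |
    Select-Object TimeCreated, Id, @{ n = "ScriptBlockText"; e = { $_.Properties[2].Value } }
```

If the last query returns nothing, the policy keys are in place but the engine has not picked them up yet; open a new PowerShell window and rerun the marker part. The transcript directory C:\PSHTranscripts should also contain a new text file after this run.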
Here you can check that LimaCharlie works correctly. Changing the log size with wevtutil is also something an attacker does to hide activity, so the agent reports it.
Open LimaCharlie, click "Detections" and you should see a matching entry. In our case this is a false positive, because we made the change on purpose.
Installing Atomic Red Team
Install via the following link. Please deactivate Windows Real-Time Protection, at least for the folder where you want to install Atomic Red Team, otherwise Defender interferes with the download.
You should see something like this:
Install the YAML PowerShell module (powershell-yaml) and you can view the details of an atomic test.
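The Defender exclusion, the YAML module and a first look at a test, as an added example that is not part of the original article. It assumes the default install path C:\AtomicRedTeam and uses technique T1059.001 (PowerShell) only as an illustration; any other technique ID works the same way.

```powershell
# Added example (not from the original article): limit the Defender exclusion to the
# Atomic Red Team folder, install the YAML module, load Invoke-AtomicRedTeam and inspect
# one test before running it. Assumes the default install path C:\AtomicRedTeam. Run elevated.
$AtomicRoot = "C:\AtomicRedTeam"

# Exclude only the install folder instead of switching real-time protection off entirely.
Add-MpPreference -ExclusionPath $AtomicRoot
(Get-MpPreference).ExclusionPath          # confirm the folder is listed

# Invoke-AtomicTest parses the atomic YAML files with the powershell-yaml module.
if (-not (Get-Module -ListAvailable -Name powershell-yaml)) {
    Install-Module -Name powershell-yaml -Scope CurrentUser -Force
}

# Load the framework from its default location (adjust if you installed elsewhere).
Import-Module "$AtomicRoot\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# Show what the technique's tests would do without executing anything.
Invoke-AtomicTest T1059.001 -ShowDetails

# Check dependencies, run only the first atomic of the technique, then clean up.
Invoke-AtomicTest T1059.001 -TestNumbers 1 -CheckPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
```

Always read the -ShowDetails output first: the tests are real attacker techniques, and after running one you should find the corresponding 4103/4104 events and a LimaCharlie detection, which is the whole point of the lab.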
Hint: when you copy and paste commands, sometimes an invisible character gets added at the beginning or the end and shows up as a "?". Remove it and run the command again.
© 2021. This work is licensed under a CC BY-SA 4.0 license