Skip to content

Instantly share code, notes, and snippets.

@alexiasa

alexiasa/blue_team_notes.md

Last active November 4, 2024 18:06
Show Gist options
  • Save alexiasa/fba4466849fde5b9ec3dd3cd7d1b3e9f to your computer and use it in GitHub Desktop.
Save alexiasa/fba4466849fde5b9ec3dd3cd7d1b3e9f to your computer and use it in GitHub Desktop.
Download ZIP
My CCDC Blue Team Notes
Raw
blue_team_notes.md

CCDC Notes

Log Review Cheatsheet Critical Log Review Checklist for Security Incidents

Hardening GPO Reference UT Windows Hardening Checklist

CLI Windows Command Line Cheat Sheet PowerShell Cheat Sheet

Report Resources

incident report form: https://www.sans.org/media/score/incident-forms/IH-Identification.pdf change report form: https://www.pvamu.edu/its/wp-content/uploads/sites/46/change-management-request-form_fill.pdf

Windows Endpoint Checklist

Priority Task Method Procedure
High Enable host-based firewalls GUI wf.msc > RClick Windows Advanced... > Properties > ON
High Reset default passwords for AD user accounts CLI/Script Set-ADAccountPassword/Script Reset password for all specified users
High Reset local admin passwords CLI net user <user> <pass>
High Install important patches GUI Windows Update
High Deploy vendor endpoint protection GUI Windows Defender, AppLocker, etc.
Medium Disable SMBv1 GUI Detect Enable and Disable SMB versions in windows
Medium Begin regular monitoring with TCPView, Process Explorer, Regmon, or scheduled tasks GUI Sysinternals
Medium Disable Unnecessary Services CLI/GUI start with netstat -anob/resmon.exe
Medium Manage host-based firewalls via policy GUI Managing Windows Firewall with GPOs
Low Deploy sysmon GUI Sysinternals Sysmon suspicious activity guide – Windows Security
Low Deploy centralized Windows logging GUI WEFFLES
Low Custom audit configurations GPO Google it
Low Configure LAPS for local admin passwords GUI Microsoft LAPS

Considerations

  • Service/software inventory: which ports are used? is software up to date? is it securely configured?
  • Network and local user inventory: are network accounts being used across multiple assets?
  • System inventory: are new systems appearing? are current systems reachable?

Powershell/Windows Shell

List Firewall Rules

Get all rules beginning with a string

Get-NetFirewallRule -DisplayGroup Remote*

Get all inbound rules beginning with a string

Get-NetFirewallRule -Action Allow -Enabled False -Direction Inbound -DisplayGroup Network* | select DisplayName, DisplayGroup

User Account Administration

Change AD user account password:

Set-ADAccountPassword -Identity <sAMAccountName> -Reset -NewPassword <password>

Change local user account password:

net user <username> <newpass>

Active Directory

Create GPO report:

Import-Module ActiveDirectory
Import-Module GroupPolicy

# identify the DC
$dc = Get-ADDomainController -Discover -Service PrimaryDC

# use this to generate HTML report for single GPO
Get-GPOReport -Name "A Group Policy Object" -Domain awesome.lab -Server $dc -ReportType HTML -Path C:\Users\Person\Desktop\GPOreport.html

# use this to generate HTML report for all GPOs in the domain
Get-GPOReport -All -Domain awesome.lab -Server $dc -ReportType HTML -Path C:\Users\Person\Desktop\AllGPOreport.html

Event Logs

Display local event logs

eventquery.vbs | more eventquery.vbs /L Security | more

Search for a specific event ID

wevtutil qe security /q:”*[System[(EventID=1102)]]” /c:5 /f:text /rd:true

/q: Specifies the query. The only thing you really need to change in here is the EventID, just replace it for the one you want. You can use truth operators in here as well as query specific alert levels. /c: specifies the number of events to display. (If you place nothing here, it will find all matching events) /f: Specifies the output type, by default it uses XML which can be difficult to read. /rd: This takes True or False. Set this to true in order to see the newest logs first.

Services, Processes, and Ports

List running processes and output to file

tasklist > c:\processes.txt

wmic query examples from stack overflow

# Name and account for all services:
wmic service get name,startname

# started services only:
wmic service where started=true get  name, startname

# services with specific pattern in name:
wmic service where 'name like "%sql%"' get  name, startname

# nicely formatted as html table (and then opened in your browser):
(wmic service where 'name like "%sql%"' get  name, startname /format:htable >out.html) && out.html

# Full syntax here: https://msdn.microsoft.com/en-us/library/aa394531%28v=vs.85%29.aspx

List listening ports/connections, PIDs, files responsible

netstat -anob

Resource monitor

resmon.exe - the above plus process names and firewall rule status for the service/application

File Integrity

Computes the cryptographic hash of a given file. Algorithms are: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512. certutil -hashfile C:\path\to\file SHA256

Nix Handy Stuff

netstat -tunapl - listening ports and processes ps auxf - process tree view cat /etc/passwd - list users

@mikeguerrawsu
Copy link

Thank you.
Mike

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment