Examples from the OSIsoft sponsor talk, Hardcore Windows Hardening, at S4x18.

Examples from S4x18 sponsor talk

This gist contains examples from the S4x18 sponsor talk, Hardcore Windows Hardening.
https://s4x18.com/sessions/sponsor-stage-13/

Slide08_SimpleDSCExampleSMBv1.ps1

# Simple DSC example to ensure SMBv1 is disabled

Configuration SMBv1Example {
	param(
		[string]$ComputerName="localhost"
	)
	
	Import-DscResource -ModuleName PSDesiredStateConfiguration

	Node $ComputerName {
		WindowsFeature SMBv1_Disable {
			Ensure = "Absent"
			Name = "FS-SMB1"
		}
	}
}

Slide09_ConvertMSBaselinesToDSC.ps1

# Install BaselineManagement module and convert MS recommended baseline.
# Ref: BaselineManagement repo on GitHub (https://github.com/Microsoft/BaselineManagement)
# Ref: Security Baselines for Windows, MS Security Guidance Blog (https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)

# A few modules are required
$RequiredModules = @('AuditPolicyDSC','SecurityPolicyDSC','BaselineManagement')
# NuGet required to retrieve resources
Install-PackageProvider -Name NuGet
# PSGallery needs to be trusted
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
# Pull in required modules 
Find-Module $RequiredModules | Install-Module

# Import the new BaselineManagement module
Import-Module BaselineManagement
# Feed it your favorite GPO
ConvertFrom-GPO -OutputConfigurationScript `
				-OutputPath '.\' `
				-Path '.\GPOs\{088E04EC-440C-48CB-A8D7-A89D0162FBFB}'

Slide11_DeviceGuardTLDR.ps1

# Device Guard overview
# Ref: Overview of Device Guard in Windows Server 2016, TechNet Blog (https://blogs.technet.microsoft.com/datacentersecurity/2016/09/20/overview-of-device-guard-in-windows-server-2016/) 
# Ref: Enable Virtualization-based protection of code integrity, MS Docs (https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security)

# Enable Device Guard
$DGRegKey = "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
reg add $DGRegKey /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add $DGRegKey /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add $DGRegKey /v "Locked" /t REG_DWORD /d 0 /f
reg add "$DGRegKey\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "$DGRegKey\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

# Create and deploy policy
# Set paths
$policyConfig = $($env:userprofile + '\Documents\Publisher.xml')
$policyBin = $($env:userprofile + '\Documents\Publisher.bin')
$policyP7B = $($env:WinDir + '\System32\CodeIntegrity\SiPolicy.p7b')
# Create policy (audit by default)
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -FilePath $policyConfig
# Alter policy to enforce
Set-RuleOption -FilePath $policyConfig -Option 3 -delete
# Convert to BIN
ConvertFrom-CIPolicy $policyConfig $policyBin
# Deploy policy
Copy-Item $policyBin $policyP7B -Verbose

# Get audit events
Get-WinEvent -ProviderName 'Microsoft-Windows-CodeIntegrity' `
							| Where-Object { $_.Id -eq 3077 } `
							| Format-List

# Get Status with msinfo32 or Get-CimInstance below
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

Slide12_GetAllUnsignedProcesses.ps1

# Get all processes running unsigned code.
# Ref: Lee Holmes tweet (https://twitter.com/Lee_Holmes/status/875781096885043201)

Get-Process | Get-Item -ErrorAction Ignore `
            | Get-AuthenticodeSignature `
            | Group {$_.SignerCertificate.Subject } `
            | Select Count,Name

Slide13-14_ExtractInfoFromCIPolicy.ps1

# Extract signers from CIPolicy

$policyConfig = "$env:userprofile\Documents\PublisherRules.xml"
[xml]$PolicyContents = Get-Content $policyConfig
$PolicyContents.SiPolicy.Signers.Signer `
		| Select Name, @{
							Name="Publisher";
							Expression={$_.CertPublisher.Value}
						},
						@{
							Name="Root";
							Expression={$_.CertRoot.Value}
						} -Unique
 
# Extract hashed files

$policyConfig = "$env:userprofile\Documents\PublisherRules.xml"
[xml]$PolicyContents = Get-Content $policyConfig
$PolicyContents.SiPolicy.FileRules.Allow `
		| Select FriendlyName, Hash

Slide22_PINetMgrWSHExample.vbs

' SLIDE 22: VB script for WSH for PINetMgr
' MSDN has documented examples
' Ref: Restricting Service, WFAS on MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/aa366327(v=vs.85).aspx)

option explicit
' IP protocol
const NET_FW_IP_PROTOCOL_TCP                  = 6
' Action
const NET_FW_ACTION_ALLOW                     = 1
' Direction
const NET_FW_RULE_DIR_IN                      = 1
const NET_FW_RULE_DIR_OUT                     = 2

' Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
' Get the Service Restriction object for the local firewall policy.
Dim ServiceRestriction
Set ServiceRestriction = fwPolicy2.ServiceRestriction
' Put in block-all inbound and block-all outbound Windows Service Hardening (WSH) networking rules for the service
ServiceRestriction.RestrictService "PINetMgr", "%piserver%\bin\pinetmgr.exe", TRUE, FALSE

' Get the collection of Windows Service Hardening networking rules
Dim wshRules
Set wshRules = ServiceRestriction.Rules

' Add inbound WSH allow rule for service PINetMgr
Dim NewInboundRule
Set NewInboundRule = CreateObject("HNetCfg.FWRule")
NewInboundRule.Name = "Allow only TCP 5450 inbound to service"
NewInboundRule.ApplicationName = "%piserver%bin\pinetmgr.exe"
NewInboundRule.ServiceName = "PINetMgr"
NewInboundRule.Protocol = NET_FW_IP_PROTOCOL_TCP
NewInboundRule.LocalPorts = 5450
NewInboundRule.Action = NET_FW_ACTION_ALLOW
NewInboundRule.Direction = NET_FW_RULE_DIR_IN
NewInboundRule.Enabled = true
' Add the inbound allow rule
wshRules.Add NewInboundRule

' Add outbound WSH allow rules for PINetMgr
Dim NewOutboundRule
Set NewOutboundRule = CreateObject("HNetCfg.FWRule")
NewOutboundRule.Name = "Allow outbound traffic from service"
NewOutboundRule.ApplicationName = "%piserver%bin\pinetmgr.exe"
NewOutboundRule.ServiceName = "PINetMgr"
NewOutboundRule.Protocol = NET_FW_IP_PROTOCOL_TCP
NewOutboundRule.RemotePorts = "49152-65535"
NewOutboundRule.Action = NET_FW_ACTION_ALLOW
NewOutboundRule.Direction = NET_FW_RULE_DIR_OUT
NewOutboundRule.Enabled = true
' Add the outbound allow rule
wshRules.Add NewOutboundRule

Slide23_PINetMgrWSHExample.ps1

# PS script for WSH

$Program = "%piserver%bin\pinetmgr.exe"
$Service = "PINetMgr"
$LocalPort = "5450"
$RemotePort = "49152-65535"
$Protocol = "TCP"

$WSHRules = @(
				@{
					Name = "Inbound service restriction rule for $Service"
					Action = "Block"
					Direction = "Inbound"
				},
				@{
					Name = "Outbound service restriction rule for $Service"
					Action = "Block"
					Direction = "Outbound"
				},
				@{
					Name = "Allow only TCP $LocalPort inbound to $Service"
					Action = "Allow"
					Direction = "Inbound"
					Protocol = $Protocol
					LocalPort = $LocalPort
				},
				@{
					Name = "Allow only TCP $RemotePort outbound from $Service"	
					Action = "Allow"
					Direction = "Outbound"
					Protocol = $Protocol
					RemotePort = $RemotePort
				}
			)

# Loop through the rules and apply.
foreach($Rule in $WSHRules)
{
	# Include the proper scope on each rule
	$Rule += @{
					DisplayName = $Rule.Name
					Program = $Program
					Service = $Service
					Enabled = "TRUE"
					PolicyStore = "ConfigurableServiceStore"
				}
	New-NetFirewallRule @Rule 
}

Slide25_PINetMgrWSHDSC.ps1

Configuration ServiceHardening
{
    param(
        $ComputerName="localhost",
        $Service="PINetMgr",
        $Program="%piserver%bin\pinetmgr.exe",
        $LocalPort = "5450",
        $RemotePort = "49152-65535",
        [ValidateSet("TCP","UDP")]
        $Protocol = "TCP"
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName
    {
		switch($Protocol)
        {
            "TCP" {$ProtocolID = "6"}
            "UDP" {$ProtocolID = "17"}
        }

        $ConfigurableServiceStore = "HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"
		$Version = "v2.26"

        $AllowInRuleName = "Allow only $Protocol $LocalPort inbound to $Service"
        Registry $AllowInRuleName
        {
            Ensure = 'Present'
			Key = $ConfigurableServiceStore
			ValueData = "$Version|Action=Allow|Active=TRUE|Dir=In|" + `
                        "Protocol=$ProtocolID|" + `
                        "LPort=$LocalPort|" + `
                        "App=$Program|" + `
                        "Svc=$Service|" + `
                        "Name=$AllowInRuleName|"
            ValueName = $AllowInRuleName
			ValueType = 'String'
        }

        $AllowOutRuleName = "Allow only $Protocol $LocalPort outbound from $Service"
        Registry $AllowOutRuleName
        {
            Ensure = 'Present'
			Key = $ConfigurableServiceStore
			ValueData = "$Version|Action=Allow|Active=TRUE|Dir=Out|" + `
                        "Protocol=$ProtocolID|" + `
                        "RPort2_10=$RemotePort|" + `
                        "App=$Program|" + `
                        "Svc=$Service|" + `
                        "Name=$AllowOutRuleName|"
			ValueName = $AllowOutRuleName
			ValueType = 'String'
        }
        $RestrictInRuleName = "Inbound service restriction rule for $Service"
        Registry $RestrictInRuleName
        {
            Ensure = 'Present'
			Key = $ConfigurableServiceStore
			ValueData = "$Version|Action=Block|Active=TRUE|Dir=In|" + `
                        "App=$Program|" + `
                        "Svc=$Service|" + `
                        "Name=$RestrictInRuleName|"
            ValueName = $RestrictInRuleName
			ValueType = 'String'
        }
        $RestrictOutRuleName = "Outbound service restriction rule for $Service"
        Registry $RestrictOutRuleName
        {
            Ensure = 'Present'
            Key = $ConfigurableServiceStore
            ValueData = "$Version|Action=Block|Active=TRUE|Dir=Out|" + `
                        "App=$Program|" + `
                        "Svc=$Service|" + `
                        "Name=$RestrictOutRuleName|"
            ValueName = $RestrictOutRuleName
            ValueType = 'String'
        }
    }
}

Slide36_JITPSExample.ps1

# Just In Time access with PowerShell
# Ref: Ian Far, "Hey, Scripting Guy! Blog" (https://blogs.technet.microsoft.com/heyscriptingguy/2015/05/23/weekend-scripter-use-powershell-for-jit-administration-and-pam-part-1/)

Set-ADUserJitAdmin -UserOn "CN=Example User,OU=User Accounts,DC=contoso,DC=com" `
								-Domain "contoso.com" `
								-PrivGroup "Domain Admins" `
								-TtlHours 10 `
								-Verbose

Slide38_SysmonSetup.bat

REM Setting up Sysmon

sysmon -i -accepteula
sysmon -c YourAwesomeConfig.xml
wevutil sl Microsoft-Windows-Sysmon/Operational /ms:20971520

Slide39_IntriguingSysmonRules.txt

# Permalinks to nteresting Sysmon rules written by experts

Detect when file creation time changes *retroactively* in user files
https://github.com/SwiftOnSecurity/sysmon-config/blob/831a828ffe9b7e002d835434d8488e4c74b99c85/sysmonconfig-export.xml#L152

Registry modification events rules that take a lot of care to remove noise.
https://github.com/SwiftOnSecurity/sysmon-config/blob/831a828ffe9b7e002d835434d8488e4c74b99c85/sysmonconfig-export.xml#L340

Suspicious processes and locations for connections to originate.
https://github.com/MotiBa/Sysmon/blob/0bb711209230a71188f2e4216dbd6a6ec524254d/config_v8.xml#L59