BTPS-SecPack: Blue Team PowerShell Security Package

WINspect

The Blue Team PowerShell Security Package

This repo contains a collection of PowerShell tools that can be utilized to protect and defend an environment based on Microsoft’s recommendations.
This repo also assumes that you have referenced the Windows Event Logging Cheat Sheet for logging in your environment. Use LOG-MD or CIS-CAT to ensure the recommended logging is configured.

Installer.ps1

I wrote an initial install script to automatically set up as many of these protections as possible. Most of these scripts are email alerts. When running Installer.ps1 you will be asked how you want to authenticate to your SMTP server. This can be done through the use of a credential file or using IP address authentication. This script should be run on a domain controller as this is where many of the alerts are located. I would suggest using WinRM over HTTPS in your environment. This script will let you know if LDAP over SSL is being utilized in your environment. It will help you set up each section of this package, pausing where a manual task is needed and waiting for you to complete it. One such pause, for example, is for you to set up a group policy to be pushed out. After the script has been run the majority of the protections below will be applied to your environment. The “Unusual Sign-In Alert” will require you to modify the UserComputerList.csv file so it contains which users are expected to sign in to which devices in your environment.
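The credential-file option described above relies on the alert scripts being able to read an SMTP password without it sitting in plain text. The following is an added example, not the project's Installer.ps1: it stores the credential with Export-Clixml, which encrypts the password with DPAPI for the current user on the current machine, restricts the file's ACL to that user, and loads it again from an alert script. The function names, the file path and the port 587 / STARTTLS settings are assumptions for illustration.

```powershell
# Added example (not from BTPS-SecPack): DPAPI-protected SMTP credential file for alert scripts.
function New-SmtpCredentialFile {
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. C:\BTPS\smtp.cred (assumed location)
        [Parameter(Mandatory)][string]$UserName   # SMTP logon name
    )
    # Prompt once for the password; Export-Clixml encrypts the SecureString with DPAPI,
    # so the file can only be decrypted by this user account on this machine.
    $cred = Get-Credential -UserName $UserName -Message 'SMTP password'
    $cred | Export-Clixml -Path $Path

    # Stop ACL inheritance and grant access only to the account that will run the alerts.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Send-AlertMail {
    param(
        [Parameter(Mandatory)][string]$CredentialFile,
        [Parameter(Mandatory)][string]$SmtpServer,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body
    )
    # Import-Clixml fails (cannot decrypt) if the file was created by another user or on
    # another host, so scheduled tasks must run as the same account that ran New-SmtpCredentialFile.
    $cred = Import-Clixml -Path $CredentialFile
    Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $cred `
        -From $From -To $To -Subject $Subject -Body $Body
}

# Usage (run the first line interactively once, the second from any alert script):
# New-SmtpCredentialFile -Path 'C:\BTPS\smtp.cred' -UserName 'alerts@example.com'
# Send-AlertMail -CredentialFile 'C:\BTPS\smtp.cred' -SmtpServer 'smtp.example.com' `
#     -From 'alerts@example.com' -To 'soc@example.com' -Subject 'Test' -Body 'Alert pipeline check'
```

Because the scheduled tasks that send the alerts run as a service or domain account, create the credential file while logged on as that same account; a file exported under an administrator's interactive session will not decrypt for the task.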

Download

git clone https://github.com/tobor88/BTPS-SecPack.git

What Protections Are Included After Running Installer.ps1?

  • Canary Executable Decoys I have included a few executable files that an attacker may not be able to resist executing. These executable files are fake binaries that print the help message of the original executable file to make it seem like the file is legitimate upon execution. These executable files are meant to be uploaded to Canary Tokens which will send you an email alert whenever the file is executed. Instructions on this can be viewed HERE
  • RemediateCompromisedOfficeAccount.ps1 VIEW is used to respond to a user whose Office365 password has been compromised. This will reset the password (which kills the session), remove mailbox delegates, remove mail-forwarding rules to external domains, remove the global mail-forwarding property on the mailbox, set password complexity on the account to high, enable mailbox auditing, and produce an audit log for the admin to review.
  • Account and Password Alerts VIEW
    • Receive alerts when an account is expiring in 2 weeks or less
    • Receive alert containing a table of all users whose passwords are expiring in two weeks or less
    • Receive an alert when a user attempts to change their password
    • Receive an alert when one account attempts to change the password of another account
    • Receive an alert when an account fails to logon to a server
    • Receive an alert when a new user account is created
    • Receive an alert when a user account is locked out
    • Receive an alert when a user account has been unlocked
    • Receive an alert when administrator credentials are used to execute a process with elevated privileges. This is really only meant to monitor users who may have been given administrator credentials against IT’s recommendations. It can be used to monitor an administrator for malicious activity as well if desired. Chances are you will not need to implement MonitorAdminEscalation.ps1
  • AutoRunsToWinEvent ORIGINAL VIEW
    • This creates an event log entry in Event Viewer containing AutoRuns hashes. I am not the author of this. I am only including this in the package as it is an important thing to keep track of
  • Device Discovery VIEW
    • Receive an alert any time a device that has never been connected to your network before receives an IP address from one of your DHCP servers.
  • Event Alerts VIEW
    • Receive an alert when a DNS Zone Transfer occurs
    • Receive an alert when a new service is installed on a device that is not a Windows Defender upgrade
    • Receive an alert when a new computer is joined to the domain
    • Receive an alert when an insecure LDAP bind occurs (When Bind is not LDAP over SSL)
    • Receive an alert when a user signs into a device they were not assigned
  • Hardening Cmdlets VIEW
    • Receive daily information on Azure sign ins for your users
    • Disable weak TLS and SSL protocols on a Client or IIS Server
    • Enable DNS over HTTPS when available
    • Enable HSTS on a local IIS Server
    • Fix any service paths that contain spaces in the directory names but are not wrapped in quotation marks, to prevent the execution of injected payloads
    • Uninstall PowerShell version 2 from a remote or local machine(s)
    • Remove an email reported as spam from all inboxes that receive the email
    • Rotate the Kerberos keys used in an online exchange environment
    • Enable or Disable SMB signing on a device as well as disable or enable SMBv1 or SMBv2 and SMBv3
    • Enable RDP Network Level Authentication to prevent non-domain computers from RDPing into a client
    • Update any available driver updates on a local or remote machine
    • Add a notification banner to emails that users receive in Outlook when the sender name matches a name in the company and the email address is not from the internal domain
  • Local Port Scan Monitor VIEW
    • Receive an alert when a port scan is detected on a local device
    • Receive an alert for when a bind shell is opened and keep a record of all established connections to a device including the port and protocols used
  • Sysmon VIEW
    • Enable Sysmon logging in an environment using a default customized Sysmon configuration file
    • Use WHOIS domain lookup to discover domains that were connected to less than 2 years old and receive an alert when a client connection happens
    • Perform a blacklist check on IP addresses that were connected to and receive alerts when a client connection happens
    • Perform a hash validation on Windows processes to discover MD5 hashes that Virus Total returns results on
  • WEF Application VIEW
    • Configure Windows Event Forwarding to collect events that are clear indications of compromise
    • Receive alerts when the Centralized Windows Event Collector logs any indicators of compromise
    • View the log files inside an application to prevent needing to sign into the server to view the collected alerts
  • Windows Update Cmdlets VIEW
    • Cmdlets that can be used to install all available windows updates
    • Cmdlet that can remove a single KB update that is failing to install for whatever reason. Once removed you can use Update-Windows to reinstall the problematic update.
  • Import-ScheduledTask VIEW
    • This is a cmdlet I am going to be using when I complete the Install.ps1 file that can be used to configure all of the above. For now use the READMEs I have provided to install the desired functionalities.
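The unquoted-service-path hardening listed under Hardening Cmdlets is worth seeing in working form, because the bug is easy to mis-detect: only the executable portion of ImagePath matters, not its arguments, and an ImagePath that is already quoted is fine. The following is an added example, not the project's own cmdlet: it reads ImagePath straight from the registry (more faithful than Win32_Service.PathName, which expands environment variables), reports services whose executable path contains a space and no surrounding quotes, and can quote them with -WhatIf support. The function names are assumptions.

```powershell
# Added example (not from BTPS-SecPack): detect and repair unquoted service executable paths.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $imagePath = $props.ImagePath
        if ([string]::IsNullOrWhiteSpace($imagePath)) { return }
        # Already quoted: the loader will use exactly the quoted path, so no ambiguity.
        if ($imagePath.TrimStart().StartsWith('"')) { return }
        # The executable is everything up to the first ".exe"; the rest are arguments.
        $m = [regex]::Match($imagePath, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $imagePath }
        # Only an unquoted executable path containing whitespace is ambiguous
        # (e.g. C:\Program Files\Vendor\svc.exe could resolve to C:\Program.exe).
        if ($exe -notmatch '\s') { return }
        [pscustomobject]@{
            Name       = $_.PSChildName
            ImagePath  = $imagePath
            Executable = $exe
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ImagePath,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Executable
    )
    process {
        # Wrap only the executable; keep any arguments exactly as they were.
        $arguments = $ImagePath.Substring($Executable.Length)
        $fixed = '"' + $Executable + '"' + $arguments
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
        }
    }
}

# Usage (requires an elevated session to write under HKLM):
# Get-UnquotedServicePath | Format-Table -AutoSize          # report only
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf   # preview changes
# Get-UnquotedServicePath | Repair-UnquotedServicePath           # apply
```

Run the report form first and review the list: a handful of vendor services legitimately pass arguments after the executable, and the repair keeps those arguments intact, but the service must be restarted for the new ImagePath to take effect.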

Copyright (C) 2020 tobor88