Hi Guss, ensure you have LAPS and PAM deployed. If you have the same local Admin Account & password on all clients, it makes lateral movement a breeze.
PAM:
LAPS:
https://www.microsoft.com/en-us/download/details.aspx?id=46899
PowerShell / Azure / Active Directory / Windows Server / Security and more ...
Microsoft changed the key concepts of LAPS: there are new policies, LAPS for Windows, LAPS in Azure AD, etc.
Check out the following link:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts
This vulnerability can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges. Affected systems are all OS versions released since October 2018, starting with Windows 10 1809 and Windows Server 2019.
Mitigation: restrict access to the contents of %windir%\system32\config:
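As an added example (not part of the original post), the following PowerShell audits the ACLs of the files under %windir%\system32\config and reports any "Allow" entry that grants read access to broad principals such as BUILTIN\Users, Authenticated Users or Everyone, so you can confirm whether the restriction is actually in place. The function name and the list of principals are my own choices; it assumes it is run elevated on the system being checked.

```powershell
# Added example: report files in %windir%\system32\config that are readable by
# broad principals. Function name and principal list are assumptions, not from the post.
function Get-ConfigFolderExposure {
    param(
        [string]$Path = (Join-Path $env:windir 'system32\config'),
        [string[]]$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    $findings = @()
    # -Force includes hidden files; Get-Acl only needs READ_CONTROL, so locked hives are fine
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Any ReadData right on a registry hive file is already too much
            if (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0) {
                $findings += [PSCustomObject]@{
                    File      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

$exposed = Get-ConfigFolderExposure
if (-not $exposed) {
    Write-Host "No broad read access found on $env:windir\system32\config" -ForegroundColor Green
} else {
    Write-Host "Broad read access found:" -ForegroundColor Yellow
    $exposed | Format-Table -AutoSize
}
```

Correcting the ACL only affects the live files; copies of the hives that were captured in existing VSS shadow copies keep their old permissions, so those shadow copies need to be checked and removed separately.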
Most of the time there will be warning events in the System event log from the source Time-Service.
To verify network connectivity and NTP settings you can use w32tm:
show source server:
w32tm /query /source
verify network connectivity to an NTP server:
w32tm /stripchart /computer:ntp01.mydomain.zz
show configuration:
w32tm /query /configuration
(Type NT5DS means the client syncs from the domain hierarchy.)
force the client to use the domain hierarchy:
w32tm /config /syncfromflags:domhier /update
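The checks above can be combined into one report. The following PowerShell is an added example (not from the original post): it collects recent Time-Service warnings and errors from the System log and runs the w32tm source and status queries, so a client's time sync can be checked in a single call. The function name is my own; it assumes it runs on the client itself, or against a remote host where remote event log access and w32tm /computer access are permitted.

```powershell
# Added example: Time-Service event log entries plus w32tm source/status in one object.
# Function name is an assumption; provider name is the Windows Time service's System log provider.
function Get-TimeSyncHealth {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        Level        = 2, 3                      # 2 = Error, 3 = Warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # No events in the window is not an error for us, hence SilentlyContinue
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    # w32tm output is plain text; keep it as trimmed strings for the report
    $source = & w32tm /query /computer:$ComputerName /source 2>&1
    $status = & w32tm /query /computer:$ComputerName /status 2>&1

    [PSCustomObject]@{
        Computer     = $ComputerName
        Source       = ($source | Out-String).Trim()
        Status       = ($status | Out-String).Trim()
        RecentIssues = @($events)
    }
}

$health = Get-TimeSyncHealth
"Time source: $($health.Source)"
$health.Status
if ($health.RecentIssues.Count -gt 0) {
    "Time-Service warnings/errors in the last 24h:"
    $health.RecentIssues | Format-Table -AutoSize -Wrap
} else {
    "No Time-Service warnings or errors in the last 24h."
}
```

A client that reports "Local CMOS Clock" as its source, or that logs repeated Time-Service warnings, is the one to run w32tm /stripchart and the /syncfromflags:domhier fix against.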
Find attached a script to get all systems that are using Zerologon (event 5829) as described in CVE-2020-1472. I want to upload this script to my TechNet gallery, but MS changed it all so I can't access it...
More info about this topic and how to handle the update process:
You can change the event ID to find other objects, like trusts, etc.
# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machine SAM account names that appear in event 5829, to find systems using Zerologon!
# --------------------------------------------------------------------------------------------------------
# Prepare variables: the DC to query (default: local machine) and how far back to look
Param (
    [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
    [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)
# Create an array to hold the values
$InsecureNetLogons = @()
# Grab the appropriate events (no error if there are none in the time window)
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{LogName='System'; Id=5829; StartTime=(Get-Date).AddMinutes(-$Minutes)} -ErrorAction SilentlyContinue
# Loop through each event
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    # The first EventData field is the machine SAM account name; '#text' gets the value rather than the XML element
    $Client = $eventXML.Event.EventData.Data[0].'#text'
    # Add it as a row in our array
    $Row = [PSCustomObject]@{ Client = $Client }
    $InsecureNetLogons += $Row
}
# Dump it all out to a CSV and open a grid view, reporting the DC that was queried
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $DCName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client | Export-Csv -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client | Out-GridView
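Since the post notes that the same approach works for other objects such as trusts, here is an added example (not part of the original post or script) that generalises it to all five Netlogon event IDs introduced with the CVE-2020-1472 update (5827 to 5831), tagging each with its meaning and returning one row per (event, object) with the most recent timestamp. The function name and the hostname dc01.mydomain.zz are my own; the event meanings follow Microsoft's guidance for the Netlogon update, and it is assumed that the first event data field holds the machine SAM account name (5827/5829/5830) or the trust name (5828/5831).

```powershell
# Added example: one report covering vulnerable machine accounts AND trusts.
# Event meanings per Microsoft's Netlogon update guidance; function name is an assumption.
$NetlogonEventMeaning = @{
    5827 = 'Denied: vulnerable connection from machine account'
    5828 = 'Denied: vulnerable connection from trust account'
    5829 = 'Allowed: vulnerable connection from machine account (monitoring phase)'
    5830 = 'Allowed by policy: vulnerable connection from machine account'
    5831 = 'Allowed by policy: vulnerable connection from trust account'
}

function Get-VulnerableNetlogonClients {
    param(
        [string]$DCName = 'localhost',
        [int]$Minutes = 15,
        [int[]]$EventId = @(5827, 5828, 5829, 5830, 5831)
    )
    $filter = @{ LogName = 'System'; Id = $EventId; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -ComputerName $DCName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        [PSCustomObject]@{
            DC       = $DCName
            EventId  = $e.Id
            Meaning  = $NetlogonEventMeaning[[int]$e.Id]
            # Assumption: first data field = machine SAM account name or trust name
            Object   = $e.Properties[0].Value
            LastSeen = $e.TimeCreated
        }
    }
    # One row per (event, object), keeping the most recent sighting
    $rows | Group-Object EventId, Object | ForEach-Object {
        $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
    }
}

# Hostname is a placeholder for one of your DCs
$report = Get-VulnerableNetlogonClients -DCName 'dc01.mydomain.zz' -Minutes 60
$report | Sort-Object EventId, Object | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation .\NetlogonVulnerableConnections.csv
```

Run it against every DC, because each DC only logs the connections it handled itself; 5827/5828 entries after enforcement mode show what is already being blocked, while 5829 and the policy-allowed 5830/5831 entries are the systems and trusts that still need fixing.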