Deploy PAM & LAPS

Hi Guss, ensure you have LAPS and PAM deployed. If you have the same local Admin Account & password on all clients, it makes lateral movement a breeze.

PAM:

https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

LAPS:

https://www.microsoft.com/en-us/download/details.aspx?id=46899

MS updated key concepts in Windows LAPS

Microsoft changed the key concept for LAPS. 

New Policies, LAPS for Windows, LAPS in Azure AD etc.

Check out the following Link:

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts

Workaround for Windows 10 SeriousSAM vulnerability

This vulnerability can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges. Affected Systems are all OS released since October 2018, starting with Windows 10 1809 and Windows Server 2019.

Restrict access to the contents of %windir%\system32\config:

1. Open Command Prompt or PowerShell as an administrator.
2. Run this command:
• Command Prompt: icacls %windir%\system32\config\*.* /inheritance:e
•  Windows PowerShell: icacls $env:windir\system32\config\*.* /inheritance:en

And deleting Volume Shadow Copies!

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

Troubleshooting time sync issues on a AD domain computer

Most time there should be warning events in the System event log, with a source called Time-Service. 

To verify network connection and ntp settings you can use w32tm.

show source server:

w32tm /query /source

verify network connectivity to an NTP server:

w32tm /stripchart /computer:ntp01.mydomain.zz

show configuration:

w32tm /query /configuration

(NT5DS using domain hierarchy)

force client to use domain hierarchy:

w32tm /config /syncfromflags:domhier /update

Get Zerlologons CVE-2020-1472 using PowerShell

Find attached a script to get all systems that using zerologon (event 5829) described in CVE-2020-1472. I want to upload this script to my technet gallery, but MS changed it all so I cant acces it...

More infos about this topic and how to handle the update process:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

You can change the event to find other objects like trusts etc.

# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machinesamaccountnames that appear in Event 5829, to find systems using zerologon!
# --------------------------------------------------------------------------------------------------------


# Prepare Variables
Param (
        [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
        [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)

# Create an Array to hold the values
$InsecureNetLogons = @()

# Grab the appropriate events
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System';Id=5829; StartTime=(get-date).AddMinutes("-$Minutes")}

# Loop through each event
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    $Client = ($eventXML.event.EventData.Data[0]) #get Machinesamaccountname
    # Add Them To a Row in our Array
    $Row = "" | select Client
    $Row.Client =$Client
    # Add the row to our Array
    $InsecureNetLogons += $Row    
}

# Dump it all out to a CSV and open gridview
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $ComputerName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client| Export-CSV -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client| Out-GridView