- API Security Tasks
- Device Guard
- General Configuration
- LAPS
- Layered Architecture
- Mitigate Kerberoast
- Mitigate Skeleton Key
- Mitigate Trust Attack
- Privileged Administrative Workstations
- Protected Users Group
- Red Forest
Name | Description | URL |
---|---|---|
badssl.com | 🔒 Memorable site for testing clients against bad SSL configs. | https://github.com/chromium/badssl.com |
Dangerzone | Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs | https://github.com/freedomofpress/dangerzone |
Hawk-eye | A powerful scanner to scan your Filesystem, S3, MySQL, Redis, Google Cloud Storage and Firebase storage for PII and sensitive data. | https://github.com/rohitcoder/hawk-eye |
Slack Watchman | Slack enumeration and exposed secrets detection tool | https://github.com/PaperMtn/slack-watchman |
STACS | Static Token And Credential Scanner | https://github.com/stacscan/stacs |
## API Security Tasks

Shoutout to Tanya Janca from We Hack Purple!
- List all APIs (create an inventory)
- Put them behind a gateway
- Throttling and resource quotas
- Logging, monitoring and alerting
- Block all unused HTTP methods
- Use a service mesh for communication management
- Implement standards for your organisation / API definition documents
- Strict Linting
- Authenticate THEN authorize
- Avoid verbose error messages
- Decommission old or unused versions of APIs
- Do all the same secure coding practices you normally do: input validation using approved lists, parameterized queries, bounds checking, etc.
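The gateway checklist above in one place, as an added example that is not code from the original page: a small front door that keeps an inventory of routes and the methods each one actually needs, refuses a decommissioned API version, authenticates before it authorizes, throttles per principal with a token bucket, validates input against an approved pattern, and answers every failure with a generic message while the specific reason goes to the log. Everything here is constructed: the request dicts stand in for HTTP requests, `TOKENS` is a hypothetical credential store, and the backends hold in-memory data.

```python
import logging
import time
import uuid

log = logging.getLogger("gateway")

# Inventory: every exposed route, only the methods it needs, and the role each
# method requires (None = public). Unlisted paths/methods never reach a backend.
API_INVENTORY = {
    "/v2/health": {"GET": None},
    "/v2/users": {"GET": "reader", "POST": "admin"},
}
RETIRED_PREFIXES = ("/v1/",)  # decommissioned versions are refused, not proxied
# Constructed credential store (hypothetical): opaque bearer token -> (principal, role).
TOKENS = {"tok-alice": ("alice", "reader"), "tok-root": ("root", "admin")}
# Clients only ever see these generic strings; the real reason goes to the log.
GENERIC = {400: "bad request", 401: "unauthorized", 403: "forbidden", 404: "not found",
           405: "method not allowed", 410: "gone", 429: "too many requests", 500: "internal error"}
USERS = ["alice"]  # constructed backend state
_buckets = {}

class TokenBucket:
    """Per-principal throttle: burst of `capacity` calls, refilled at `refill_per_sec`."""
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity, self.refill_per_sec = capacity, refill_per_sec
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def _users_post(request):
    name = (request.get("body") or {}).get("name")
    # Approved-list input validation: short alphanumeric names only.
    if not isinstance(name, str) or not 0 < len(name) <= 32 or not name.isalnum():
        raise ValueError("name must be 1-32 alphanumeric characters")
    USERS.append(name)
    return 201, {"created": name}

BACKENDS = {
    ("/v2/health", "GET"): lambda request: (200, {"status": "ok"}),
    ("/v2/users", "GET"): lambda request: (200, {"users": list(USERS)}),
    ("/v2/users", "POST"): _users_post,
}

def _deny(status, reason, request, principal="anonymous"):
    """Log the specific reason (for monitoring/alerting); answer with a generic one."""
    rid = uuid.uuid4().hex[:12]
    log.warning("rid=%s principal=%s %s %s denied: %s", rid, principal,
                request["method"], request["path"], reason)
    return status, {"error": GENERIC[status], "request_id": rid}

def handle(request, now=None):
    """Gateway decision for one request dict; returns (status, body). `now` is injectable."""
    now = time.monotonic() if now is None else now
    path, method = request["path"], request["method"].upper()
    if path.startswith(RETIRED_PREFIXES):
        return _deny(410, "retired API version", request)
    methods = API_INVENTORY.get(path)
    if methods is None:
        return _deny(404, "path not in inventory", request)
    if method not in methods:
        return _deny(405, "method not enabled for this route", request)
    # 1. Authenticate: who is calling?
    principal, role = None, None
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.startswith("Bearer "):
        principal, role = TOKENS.get(auth[len("Bearer "):], (None, None))
    required = methods[method]
    if required is not None and principal is None:
        return _deny(401, "missing or invalid token", request)
    # 2. Throttle per principal (anonymous callers share one bucket).
    key = principal or "anonymous"
    bucket = _buckets.setdefault(key, TokenBucket(3, 1.0, now))
    if not bucket.allow(now):
        return _deny(429, "quota exceeded", request, key)
    # 3. Authorize: may this principal do this on this route?
    if required is not None and role != required:
        return _deny(403, f"role {role!r} lacks {required!r}", request, key)
    try:
        status, body = BACKENDS[(path, method)](request)
    except ValueError as exc:
        return _deny(400, f"validation failed: {exc}", request, key)
    except Exception:  # never hand a traceback to the client
        log.exception("backend failure for %s %s", method, path)
        return _deny(500, "unhandled backend exception", request, key)
    log.info("principal=%s %s %s -> %d", key, method, path, status)
    return status, body
```

Call `handle({"method": "GET", "path": "/v2/users", "headers": {"Authorization": "Bearer tok-alice"}})` to walk a request through the chain. The ordering is deliberate: the caller's identity is established before any role check, the quota is keyed on that identity so one client cannot starve the rest, and `_deny` is the only place that writes an error body, so the detailed reason (which role was missing, which validation rule failed) can only ever reach the log.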
## Device Guard

- Hardens against malware
- Run trusted code only, enforced in kernel and user space (configurable code integrity, CCI: UMCI for user mode, KMCI for kernel mode)
- UEFI Secure Boot protects the BIOS and firmware
## General Configuration

- Limit logons of Domain Admins (DAs) to Domain Controllers (DCs) only
- Never run a service with DA privileges
- Look into temporary group memberships (a membership can carry a TTL)
- Disable account delegation for sensitive accounts (the "Account is sensitive and cannot be delegated" setting in the AD user's properties)
## LAPS

Centralized password storage with periodic randomization: the local administrator password is stored on each computer object, in the attributes ms-Mcs-AdmPwd (cleartext) and ms-Mcs-AdmPwdExpirationTime.
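An added example, not from the original page, of what a defender can do with the expiration attribute alone: ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, returned by LDAP as a decimal string), so decoding it lets you spot computers where rotation is overdue, where no password has ever been written, or where someone pushed the expiry further out than policy allows. The computer records below are constructed; a real run would fill them from an LDAP search of computer objects, and the 30-day maximum age is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# The attribute is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the sample records."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def audit_laps(computers, now, max_age=timedelta(days=30)):
    """Classify each computer's LAPS state from its expiration attribute alone.

    Reading ms-Mcs-AdmPwd itself requires delegated rights; the expiry attribute
    is enough to see whether rotation is happening the way policy expects.
    """
    findings = {}
    for comp in computers:
        raw = comp.get("ms-Mcs-AdmPwdExpirationTime")
        if not raw:
            findings[comp["name"]] = "no-laps"  # client never wrote a password
            continue
        expires = filetime_to_datetime(int(raw))
        if expires <= now:
            findings[comp["name"]] = "expired"  # rotation overdue: client not applying policy?
        elif expires - now > max_age:
            findings[comp["name"]] = "expiry-beyond-policy"  # set further out than policy allows
        else:
            findings[comp["name"]] = "ok"
    return findings


# Constructed sample data, relative to a fixed "now" so results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"name": "WS01", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW + timedelta(days=12)))},
    {"name": "WS02", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW - timedelta(days=3)))},
    {"name": "WS03", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW + timedelta(days=400)))},
    {"name": "SRV01"},  # attribute absent: LAPS client not deployed or never run
]

if __name__ == "__main__":
    for name, state in audit_laps(SAMPLE_COMPUTERS, NOW).items():
        print(f"{name:6} {state}")
```

The same decoding applies to the newer Windows LAPS attribute msLAPS-PasswordExpirationTime, which uses the same FILETIME encoding; only the attribute name differs.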
## Layered Architecture

- Tier 0: Domain Admins / Enterprise Admins
- Tier 1: Significant resource access
- Tier 2: Administrators for workstations / support, etc.
## Mitigate Kerberoast

Use strong passwords for service accounts and manage those accounts actively.
## Mitigate Skeleton Key

```powershell
# Run LSASS as a Protected Process Light (PPL) so that unsigned code cannot be
# loaded into it. The setting takes effect after a reboot.
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -PropertyType DWORD -Verbose

# Verify after the reboot: WinInit writes System event ID 12 when LSASS starts as a protected process.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=12} | Where-Object { $_.Message -like "*protected process*" }
```
## Mitigate Trust Attack

- Enable SID Filtering
- Enable Selective Authentication (access between forests is not granted automatically)
## Privileged Administrative Workstations

- Use a hardened workstation for performing sensitive tasks.
## Protected Users Group

- Cannot use CredSSP or WDigest (no more cleartext credentials)
- NTLM hash is not cached
- Kerberos does not use DES or RC4
- Requires at least Server 2008; test the impact first: no offline sign-on (no credential caching), and not useful for computer and service accounts
## Red Forest

- ESAE (Enhanced Security Admin Environment)
- Dedicated administrative forest for managing critical assets (forests are security boundaries)