OsbornePro : tobor

The Blue Team PowerShell Security Package

The Blue Team Powershell security package

Documentation

General Summary for this project can be read HERE.

The Installer.ps1 script is good to go as far as I can tell. My aim is to make this as easy to get going as possible so if something is to difficult or confusing please tell me about it. rosborne@osbornepro.com I am still adding content to this site as it is fairly new.

FEATURE COMING SOON:

I am looking into Virus Totals Uploader to see if doing some hash comparisons is a worthwhile inclusion with this tool. This may be something to mix in with Autoruns event logging. It may be better to just take note of any registry changes that are made or view the differences in the Autoruns files everyday. We will see. If you have ideas or contributions feel free to email me at rosoborne@osbornepro.com to let me know your thoughts.

IMPORTANT: This Blue Team PowerShell Security Package assumes that you have referenced the Windows Event Logging Cheat Sheet for logging in your environment. Use LOG-MD or CIS-CAT to ensure the recommended logging is configured. These logging recommendations adhere to commonly accepted guidelines in the cyber security community. Even without the use of this security application, these guidelines should be followed to better assist your organization in the event of a compromise.

DONATIONS

If you wish to donate to this project to help me keep this site hosted your donations will be graciously accepted using PayPal or at Liberpay.

CONTRIBUTIONS

I am always open to suggestions and ideas as well as contributions if anyone wishes to help add to this package. Credit will of course be given where credit is due. If you wish to contribute I have placed some info on that HERE.

What Purpose Does This Serve?

This repository contains a collection of PowerShell tools that can be utilized to protect and defend an environment based on the recommendations of multiple cyber security researchers at Microsoft. These tools were created with a small to medium size enterprise environment in mind as smaller organizations do not always have the type of funding available to overly spend on security. The goal of this project is to help add value to a smaller organizations security by creating more visibility for the average IT Administrator. Organizations with 1,000’s of devices may find that this entire suite does not apply to them. One such alert that would not apply to an environment with thousands of devices would be the “Device Checker” directory. This uses the DHCP servers and a CSV file to discover any new devices that join a network. Other alerts in this security package are still appropriate no matter the network size. To begin, I suggest setting up WinRM over HTTPS in your environment.

Begin WinRM Setup

SAMPLE ALERT IMAGES

Unusual User Sign In Occurred

This alert is letting the recipient know the reception account signed into a device outside of its normal assignments

Never Before Seen Device Joined Network

This alert is displaying 4 devices that recently were physically plugged into an Ethernet cable or joined the Wi-Fi network. Now that these devices are known they will not be detected again unless you remove them from the CSV file containing device history info.

Suspicious Event Triggered

This alert was triggered from centralized logs using Windows Event Forwarding. System Update, when run on Lenovo computers as a standard user, will create a temp account, add it to the local administrators group and install missing updates. It then removes the created account from the local Administrators group and deletes the account. If this were an attacker trying to cover their tracks this would have caught it.

Port Scan Detection

This alert informs the cyber security team when a port scan has been attempted against a server. This currently does not work for File Servers or VoIP servers which have hundreds of unique IP addresses connecting a minute.

Remediate A Compromised Office Account

This is some output showing the results of what happens when the RemediateCompromisedOfficeAccount.ps1 is run. For more information on what this does click HERE.

Review Mail Forwarding Rules

This alert is meant to come in once a week. It allows administrators to easily view any email forwarding rules and ensure that no information is being compromised unknowingly.

Account Locked Out From Failed Password Attempts

This alert lets you know when a user account has been locked out. There is also an alert to be notified when a locked out account has been manually unlocked.

Daily Autoruns Information Sent to Event Viewer

This is showing the Autoruns Event Viewer entry that gets created. An easy to read CSV file also gets saved to C:\Program FIles\AutorunsToWinEventLog\AutorunsOutput.csv

Thanks to: https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog

Insecure LDAP Bind Occurred

This alert is to let you know when an LDAP Bind occurs that is not encrypted with LDAP over SSL. This can help to implement LDAP over SSL in an environment or discover possible LDAP enumeration attempts from an attacker.

User Account Expiring

This alert lets IT Administrators know when a user account is about to expire.

DNS Zone Transfer Alert

This alert was triggered by an executed DNS Zone transfer. Normal DNS server communication does not trigger this alert. Manually requesting a zone transfer will, allowing you to discover any attackers looking to learn about your environment.

Connection History

ListenPortMonitor.ps1's main goal is to keep an eye open for newly opened ports on a server to discover possible Reverse Shells or Bind Shells. A connection history log is kept to help trace connections that have been established with a server.

Windows Event Forwarder Application

Summary

The purpose of this web application is to easily investigate any email alerts received that indicate a possible compromise. This server has Windows Event Forwarding (WEF), configured in a "source collector" set up. This means that the clients in the environment initiate connections to the server before sending logs. When one of the suspicious event ID's occur on any of the devices, the event info is forwarded to the WEF source collector server using WinRM over HTTPS. Once an hour the collected event logs are imported into a SQL database. Any newly discovered events that indicate possible compromise trigger an email alert which is then sent to the IT Administrators. This application can be used to search that SQL database and view the details of an event. The SQL database is useful because searching a SQL database is 100x faster than parsing the Windows Event Logs through XML. It also stores critical events for a longer period of time than the events would normally exists inside Event Viewer. This is because when Event Viewer logs reach a certain size, old logs are removed to make room for new ones.

Protection against SQL injections and CSRF have been implemented. Penetration testing has been performed to ensure the security of the application. There are no presently discovered vulnerabilities. Security is a feature! If you find a vulnerability that I have not please let me know so I can fix it. rosborne@osbornepro.com

Functionality

REORDER: The columns in the database table can be organized by ascending or descending order. This is done by clicking the linked column header.

SEARCH: The search will parse the database by searching for the specified term in all of the columns. There are presently 10 items that will be displayed per page.

DETAILED: Events can also be shown in a detailed view by clicking the "Details" button next to an event in the table. This will display a few more bits of info for the event.

WEF Setup & Instructions

The B.T.P.S. Security Package

The B.T.P.S. Security Package

The Blue Team PowerShell Security Package