The B.T.P.S. Security Package

The B.T.P.S. Security PackageThe B.T.P.S. Security PackageThe B.T.P.S. Security Package
  • Home
  • Git Repos
    • GitHub Page
    • GitLab Page
  • Setup
    • WinRM over HTTPS
    • Installer.ps1 Usage
    • WEF Application
    • Email Alerts
    • Sysmon Setup
  • Donate
    • PayPal
    • LiberPay
  • Report Issues
  • More
    • Home
    • Git Repos
      • GitHub Page
      • GitLab Page
    • Setup
      • WinRM over HTTPS
      • Installer.ps1 Usage
      • WEF Application
      • Email Alerts
      • Sysmon Setup
    • Donate
      • PayPal
      • LiberPay
    • Report Issues

The B.T.P.S. Security Package

The B.T.P.S. Security PackageThe B.T.P.S. Security PackageThe B.T.P.S. Security Package
  • Home
  • Git Repos
  • Setup
  • Donate
  • Report Issues

OsbornePro : tobor

The Blue Team PowerShell Security Package

The Blue Team PowerShell Security PackageThe Blue Team PowerShell Security PackageThe Blue Team PowerShell Security Package
GitHub Page

The Blue Team Powershell security package

Documentation

General Summary for this project can be read HERE.

The Installer.ps1 script is good to go. I created a virtual environment and ran everything from scratch to ensure you get the max protection and visibility possible with the least amount of fuss. If you experience any trouble please let me know so I am aware and can fix it. If you experience any issues or need help, feel free to reach out to me. My aim is to make this as easy to get going as possible. If something is to difficult or confusing please tell me about it. rosborne@osbornepro.com I am still adding content to this site as it is fairly new.


FEATURE COMING SOON:

  • ELK SIEM Tool: I am going to set up a configuration for the ELK SIEM tool. This tool is free for certain uses and offers a purchase if desired. It will include Elasticsearch, Kibana, Logstash, Winlogbeat, and GeoIP. The configuration is going to use the Windows Event Forwarding (WEF) configuration I cover in the WEF Application Setup. The purpose of this is to prevent the need to install agents on the devices in your environment. The free version does not offer LDAP authentication unfortunately. The configuration will use TLS certificates to encrypt communications on the local host and listen for outside connections if you decide to install other stack programs such as APM-Server, Heartbeat, or Metricbeat. Winlogbeat logs will be sent to Logstash and modified to included GeoIP tags that can be used for mapping IP addresses. Default passwords will of course also be changed. I will also create a Docker file that can be used to prevent the need for too much manual set up. When available it can be obtained from the Official OsbornePro LLC docker site https://hub.docker.com/orgs/osbornepro
  • I am NO longer planning on integrating the Virus Total API for MD5 hash comparisons. This does not provide enough cost per value however I will include a script to do this in case it is valuable to your situation.


IMPORTANT: This Blue Team PowerShell Security Package, assumes that you have referenced the Windows Event Logging Cheat Sheet for logging in your environment. Use LOG-MD or CIS-CAT (an SCAP Tool) to ensure the recommended logging is configured. These logging recommendations adhere to commonly accepted guidelines in the cyber security community. Even without the use of this security application, these guidelines should be followed to better assist your organization in the event of a compromise.


CODE CONTRIBUTIONS

I am always open to suggestions and ideas as well as contributions if  anyone wishes to help add to this package. Credit will of course be given where credit is due. If you wish to contribute I have placed some info on that HERE.

What Purpose Does This Serve?

      This repository contains a collection of PowerShell tools that can be utilized to protect and defend an environment based on the recommendations of multiple cyber security researchers at Microsoft. These tools were created with a small to medium size mostly Windows environment in mind as smaller organizations do not always have the type of funding available to overly spend on security. The goal of this project lines up with the goals of OsbornePro LLC. This exists to help add value to a smaller organization's security by creating more visibility for the IT Administrator or Security Team.

      For the case of organizations with 1,000’s of devices; you may find that this entire suite does not apply to you. This has to do with how some of the discoveries operate. For example the alert I have in the “Device Discovery” directory relies on DHCP assigned IP addresses. All DHCP servers in an environment are queried to create a list of known MAC addresses. This information is then saved to a CSV file for reference in discovering any new devices that join a network. This file could become to large to be effective. The other alert I can see not being effective is the "Local Port Scan Alert". This is because if there is an over abundance of connections the script will not be able to cover all of the connections quickly enough. Other alerts in this security package are still appropriate no matter the network size as they are Event ID based typically. To begin, I suggest setting up WinRM over HTTPS in your environment.

Begin WinRM Setup

SAMPLE ALERT IMAGES

Unusual Sign In Detected

Unusual User Sign In Occurred

This alert is letting the recipient know the reception account signed into a device outside of its normal assignments

New Device Discovered

Never Before Seen Device Joined Network

This alert is displaying 4 devices that recently were physically plugged into an Ethernet cable or joined the Wi-Fi network. Now that these devices are known they will not be detected again unless you remove them from the CSV file containing device history info.

Suspicious Event Triggered

Suspicious Event Triggered

This alert was triggered from centralized logs using Windows Event Forwarding. System Update, when run on Lenovo computers as a standard user, will create a temp account, add it to the local administrators group and install missing updates. It then removes the created account from the local Administrators group and deletes the account. If this were an attacker trying to cover their tracks this would have caught it.

Port Scan Detection

Port Scan Detection

This alert informs the cyber security team when a port scan has been attempted against a server. This currently does not work for File Servers or VoIP servers which have hundreds of unique IP addresses connecting a minute.

Remediate a Compromised Office Account

Remediate A Compromised Office Account

This is some output showing the results of what happens when the RemediateCompromisedOfficeAccount.ps1 is run. For more information on what this does click HERE.

Office365 Review Mail Forwarding Rules

Review Mail Forwarding Rules

This alert is meant to come in once a week. It allows administrators to easily view any email forwarding rules and ensure that no information is being compromised unknowingly.

Account Locked Out

Account Locked Out From Failed Password Attempts

This alert lets you know when a user account has been locked out. There is also an alert to be notified when a locked out account has been manually unlocked.

Autoruns in Event Viewer

Daily Autoruns Information Sent to Event Viewer

This is showing the Autoruns Event Viewer entry that gets created. An easy to read CSV file also gets saved to C:\Program FIles\AutorunsToWinEventLog\AutorunsOutput.csv 

Thanks to:  https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog 

Insecure LDAP Bind Performed

Insecure LDAP Bind Occurred

This alert is to let you know when an LDAP Bind occurs that is not encrypted with LDAP over SSL. This can help to implement LDAP over SSL in an environment or discover possible LDAP enumeration attempts from an attacker.

Accounts Expiring Alert

User Account Expiring

This alert lets IT Administrators know when a user account is about to expire.

DNS Zone transfer alert

DNS Zone Transfer Alert

This alert was triggered by an executed DNS Zone transfer. Normal DNS server communication does not trigger this alert. Manually requesting a zone transfer will, allowing you to discover any attackers looking to learn about your environment.

Connection History Log

Connection History

ListenPortMonitor.ps1's main goal is to keep an eye open for newly opened ports on a server to discover possible Reverse Shells or Bind Shells. A connection history log is kept to help trace connections that have been established with a server.

Image of email alert containing information on blacklisted IP addresses that were connected too

Blacklisted IP or Young Domain

When a device establishes a connection to an IP that is on 4 or more blacklists or a domain that is less than 2 years old you will be informed. The events are also stored in the Event Viewer under "MaliciousIPs". It seems that an IP address on 3 blacklists does not necessarily mean it is dangerous or something to do anything about. Correct me if my analysis is wrong.

User changed another users password alert

Password Changed

This alert informs you when a users password has been changed by an Administrator or other user. Allowing user to change passwords through Azure will generate this alert as well.

Password changed by user alert

Normal Password Change

Receive an alert whenever a user has changed their password. Compare this value to the Administrator list you receive. This allow you to notice any passwords changing outside normal conditions.

Disabling weak ciphers and SSL

Disable Wek Ciphers and SSL

Hardening cmdlet allows you to quickly and easily disable weak TLS protocols and associated ciphers to prevent weak encryption methods from being used.

Account unlocked

User Account Unlocked

This alert informs administrators when a user account has been manually unlocked as well as who unlocked what account.

User With Passwords Expiring

Receive a list of users whose passwords are expiring in the next 2 weeks. This helps you keep tabs and who is expected to be changing their passwords. Someone not on this list who has their password changed may be under attack.

Enable DNS over HTTPS

Enable DNS over HTTPS

This hardening cmdlet allows you to easily enable or if desired disable DNS over HTTPS on any Windows 10 Device in your environment

WEF Application Overview

Home Page Image of the Windows Event Forwarding (WEF) Application

Windows Event Forwarder Application

Summary


The purpose of this web application is to easily investigate any email alerts received that indicate a possible compromise. This server has Windows Event Forwarding (WEF), configured in a "source collector" set up. This means that the clients in the environment initiate connections to the server before sending logs. When one of the suspicious event ID's occur on any of the devices, the event info is forwarded to the WEF source collector server using WinRM over HTTPS. Once an hour the collected event logs are imported into a SQL database. Any newly discovered events that indicate possible compromise trigger an email alert which is then sent to the IT Administrators. This application can be used to search that SQL database and view the details of an event. The SQL database is useful because searching a SQL database is 100x faster than parsing the Windows Event Logs through XML. It also stores critical events for a longer period of time than the events would normally exists inside Event Viewer. This is because when Event Viewer logs reach a certain size, old logs are removed to make room for new ones.


Protection against SQL injections and CSRF have been implemented. Penetration testing has been performed to ensure the security of the application. There are no presently discovered vulnerabilities. Security is a feature! If you find a vulnerability that I have not please let me know so I can fix it. rosborne@osbornepro.com

Functionality

REORDER: The columns in the database table can be organized by ascending or descending order. This is done by clicking the linked column header. 


SEARCH: The search will parse the database by searching for the specified term in all of the columns. There are presently 10 items that will be displayed per page. 


DETAILED: Events can also be shown in a detailed view by clicking the "Details" button next to an event in the table. This will display a few more bits of info for the event. 

WEF Setup & Instructions
Image of WEF Applications SQL Database Presentation

Table View of WEF Application

This WEF Application is used to view and st log files that are a high likelihood to be indications of compromise. These logs get collected from all devices in the environment. The following Event ID's are collected and put into the database:
1, 2, 1102, 4732, 4733, 4720, 4726, 7045, 4756, 4757, 4728, 4729, 4649, 4723,

Event Details Expanded

Detail View

 Events can also be shown in a detailed view by clicking the "Details" button next to an event in the table. This will display a few more bits of info for the event.  

Top of Page

Copyright © 2021 OsbornePro - All Rights Reserved. 


DISCLAIMER: This suite nor any other security suite or tool can completely prevent or detect all security vulnerabilities. This tool adds monitoring to an environment and may not catch every possible scenario and is no guarantee of discovery.

Questions or Comments: info@osbornepro.com

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

DeclineAccept