Wednesday, December 27, 2023

AppLocker

https://msendpointmgr.com/2021/08/13/log-analytics-applocker-better-together/



Use GPOs and GPO inheritance. Create two AD groups:
* dl_AppLocker_Enforced
* dl_AppLocker_Audit

Apply the same rule GPOs to both; one group gets Enforce, the other Audit only. Two kinds of GPO are involved:
 - AppLocker Rules and Hardening settings: the rule collections. AppLocker merges the rules from every GPO that applies to the computer.
 - Main Switch: the enforcement mode. Unlike rules, the mode is not merged; the last GPO applied (the most deeply nested one, e.g. Servers, Helpdesk, Test Computers below) wins, so that GPO decides whether the whole merged rule set is enforced or only audited.

GPO: Contoso.local
 |   Enforcement: Not configured (rules are enforced), X rules
 |
 |-- GPO: Servers
 |   Enforcement: Not configured (rules are enforced), Y rules; X+Y rules are enforced in total
 |
 |-- GPO: Helpdesk
 |   Enforcement: Audit only, Z rules; X+Z rules are audited, nothing is enforced
 |
 |-- GPO: Test computers
     Enforcement: Enforce rules, 0 rules; X rules are enforced




Concept: the "AppLocker Hardening" GPO is linked at the top level only, nowhere else.


GPO name                        Location     Purpose
AppLocker Default Rules         Top          The default rules that allow Windows itself to start. DO NOT EDIT
AppLocker Hardening             Top          Deny rules only; add all LOLBins here
AppLocker Rules Servers /       each OU      Allow rules for that OU, e.g. Notepad++
AppLocker Rules PAW Computers
AppLocker Enforced              each OU      Main Switch: enforcement mode = Enforce rules
AppLocker Audit Only            single OU    Main Switch: enforcement mode = Audit only


To change the mode for a problematic computer, move it from its normal OU to the Audit Only OU (and back once the missing rules are in place).

Rule types:
* Path rules (examples: C:\test\*, *\lolbin.exe, c:\users\*\appdata\local\adobe\*, \\dc1\SYSVOL\*, \\dc2\SYSVOL\*, \\server\share1, \\server1.contoso.local\share1\*, \\10.0.0.1\share1\*, K:\*). A path rule is only as strong as the ACL on that path: if a standard user can write into an allowed folder (the AppData example above is a typical case), anything dropped there runs.
* Hash rules
* Publisher rules



Publisher rules - the best option after path rules.
The signing certificate must chain to a trusted root and be valid (with a valid timestamp); it can come from a commercial CA or an internal one.
Pin at the company (publisher) level rather than to a specific file name or version, otherwise every update breaks the rule.

BTW: "Everyone" in Windows means every account that has authenticated, including Guest; it does not include Anonymous Logon.
BTW2: an allow list like this blocks roughly 95% of malware from running, because most of it executes from user-writable locations and is not signed by a trusted publisher.



Hash rules are used ONLY when neither a path nor a publisher rule can be applied; avoid them, since every binary update invalidates the hash.

General rules:
* allow folders, not individual files
* prefer publishers to hashes
* audit the installation with AccessChk (find user-writable locations under the allowed paths)
* no admin rights for users
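Added example, not part of the original note: what to run on a machine that sits in the Audit Only OU before moving it back to Enforced. It reads the effective (merged) policy, summarises the "would have been blocked" events, turns them into candidate Publisher rules (Hash only for unsigned files) for the OU's allow GPO, and tests a file against the result. The log names, event IDs and cmdlets are the standard AppLocker ones; C:\temp and the Notepad++ path are assumptions.

```powershell
# 1. The policy this machine actually applies after GPO merging
Get-AppLockerPolicy -Effective -Xml | Out-File C:\temp\effective-applocker.xml

# 2. 'Would have been blocked' events. In 'Microsoft-Windows-AppLocker/EXE and DLL':
#    8002 = allowed, 8003 = audited (would be blocked), 8004 = blocked
#    (the MSI and Script log uses 8005 / 8006 / 8007).
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
$wouldBlock = Get-WinEvent -LogName $log -FilterXPath '*[System[EventID=8003]]' -ErrorAction SilentlyContinue

$wouldBlock | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $_.TimeCreated
        UserSid   = $d.TargetUser        # SID of the account that ran the file
        File      = $d.FilePath          # %OSDRIVE%\... style path
        Publisher = $d.Fqbn              # empty for unsigned binaries
    }
} | Group-Object File | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Turn the same events into candidate rules for the OU's allow GPO:
#    Publisher where the file is signed, Hash only where it is not.
Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File C:\temp\candidate-rules.xml

# 4. Check a file against the candidate policy before importing it into the GPO
#    (Notepad++ path is an assumption)
Test-AppLockerPolicy -XmlPolicy C:\temp\candidate-rules.xml `
    -Path 'C:\Program Files\Notepad++\notepad++.exe' -User Everyone
```

Review the generated XML before importing it: every Publisher rule it proposes is a publisher you are about to trust company-wide, and any Hash rule is a file that was unsigned and will need a new rule on its next update.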









Thursday, December 21, 2023

Uninstallation of obsolete .NET

Start-BitsTransfer "https://github.com/dotnet/cli-lab/releases/download/1.6.0/dotnet-core-uninstall-1.6.0.msi" -Destination c:\temp\dotnet-core-uninstall-1.6.0.msi

# run the installer
C:\temp\dotnet-core-uninstall-1.6.0.msi

cd 'C:\Program Files (x86)\dotnet-core-uninstall\'

# what is installed
.\dotnet-core-uninstall list

# dry-run first, then remove; repeat per component type (--hosting-bundle, --runtime, --sdk, --aspnet-runtime)
.\dotnet-core-uninstall dry-run
.\dotnet-core-uninstall dry-run --hosting-bundle 3.1.26
.\dotnet-core-uninstall remove  --hosting-bundle 3.1.26
.\dotnet-core-uninstall list
.\dotnet-core-uninstall dry-run --runtime 3.1.26
.\dotnet-core-uninstall remove  --runtime 3.1.26

# Inventory of what Windows Installer still knows about. Caveat: enumerating Win32_Product is slow and
# makes Windows Installer run a consistency check (and possibly a repair) on every installed product.
Get-WmiObject -Class Win32_Product | Format-Table
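Added example, not from the original note: the same procedure with the check a practitioner adds before executing an MSI fetched from the internet, plus a silent install. Version, URL and C:\temp come from the note above; the expected signer (Microsoft Corporation) and the --yes flag for a non-interactive remove are assumptions to verify against the tool's help.

```powershell
$ver = '1.6.0'
$msi = "C:\temp\dotnet-core-uninstall-$ver.msi"
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Start-BitsTransfer "https://github.com/dotnet/cli-lab/releases/download/$ver/dotnet-core-uninstall-$ver.msi" -Destination $msi

# Refuse to run an unsigned or tampered installer. Expected signer is an assumption.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signature on $msi : $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# Silent install, then work from the install folder
Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn /norestart" -Wait
Set-Location 'C:\Program Files (x86)\dotnet-core-uninstall\'

.\dotnet-core-uninstall list                                  # what is installed
.\dotnet-core-uninstall dry-run --runtime 3.1.26              # what would be removed, nothing changes
.\dotnet-core-uninstall remove  --runtime 3.1.26 --yes        # remove without the interactive prompt (flag assumed)
```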

Tuesday, December 5, 2023

Analysis of storage analytics logs

https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics

1. Set up Azure Log Analytics, see above.

2. Download the blobs from the $logs container (Storage Explorer works).

3. Build a single CSV with XLog2CSV.ps1:

 .\XLog2CSV.ps1 -inputFolder "C:\temp\orthanc\blob\2023\11\" -outputFile c:\temp\november.csv

4. Import the CSV into SQL Server (drop and recreate the table first; the columns follow the log format fields in order).

IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[nov2023]') AND type in (N'U'))
DROP TABLE [dbo].[nov2023]
GO

CREATE TABLE [dbo].[nov2023](
    [Log_Version] [float] NOT NULL,
    [Transaction_Start_Time] [varchar](50) NOT NULL,
    [REST_Operation_Type] [varchar](50) NOT NULL,
    [Request_Status] [varchar](50) NOT NULL,
    [HTTP_Status_Code] [smallint] NOT NULL,
    [E2E_Latency] [smallint] NOT NULL,
    [Server_Latency] [smallint] NOT NULL,
    [Authentication_type] [varchar](50) NOT NULL,
    [Requestor_Account_Name] [varchar](50) NULL,
    [Owner_Account_Name] [varchar](50) NULL,
    [Service_Type] [varchar](50) NULL,
    [Request_URL] [varchar](1000) NULL,
    [Object_Key] [varchar](150) NULL,
    [Request_ID] [varchar](50) NULL,
    [Operation_Number] [tinyint] NULL,
    [Client_IP] [varchar](50) NULL,
    [Request_Version] [date] NULL,
    [Request_Header_Size] [smallint] NULL,
    [Request_Packet_Size] [int] NULL,
    [Response_Header_Size] [smallint] NULL,
    [Response_Packet_Size] [int] NULL,
    [Request_Content_Length] [int] NULL,
    [Request_MD5] [varchar](50) NULL,
    [Server_MD5] [varchar](50) NULL,
    [ETag] [varchar](50) NULL,
    [Last_Modified_Time] [varchar](50) NULL,
    [ConditionsUsed] [varchar](50) NULL,
    [User_Agent] [varchar](150) NULL,
    [Referrer] [varchar](1) NULL,
    [Client_Request_ID] [varchar](200) NULL,
    [User_Object_ID] [varchar](50) NULL,
    [Tenant_ID] [varchar](50) NULL,
    [Application_ID] [varchar](50) NULL,
    [Audience] [varchar](50) NULL,
    [Issuer] [varchar](100) NULL,
    [User_Principal_Name] [varchar](100) NULL,
    [Unused_Field] [varchar](1) NULL,
    [Authorization_Detail] [varchar](1200) NULL
) ON [PRIMARY]
GO



-- path is as seen by the SQL Server service, not by your workstation; FORMAT = 'CSV' needs SQL Server 2017 or later
bulk insert [dbo].[nov2023] from "z:\november.csv" with ( FORMAT = 'CSV');

5. Analysis

-- sanity check
select count(*) from [dbo].[nov2023];

-- requests per client IP; the log stores the client as ip:port, so strip the port before grouping
-- (this split is right for IPv4 clients only)
select  case charindex(':', Client_IP)
            when 0 then Client_IP
            else left(Client_IP, charindex(':', Client_IP) - 1)
        end as Client_IP,
        count(*) as cnt
from [dbo].[nov2023]
group by case charindex(':', Client_IP)
            when 0 then Client_IP
            else left(Client_IP, charindex(':', Client_IP) - 1)
         end
order by cnt desc;
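Added example, not from the original post: the SQL route above needs the CSV conversion and a database; the raw $logs lines can also be parsed straight from PowerShell. This reads the ';'-delimited v2.0 format described at the learn.microsoft.com link (the same 38 columns as the table), normalises the client IP the way the query above does, and then looks at the two things worth checking on a supposedly private account: who hit it with which authentication type, and which requests failed authorization. The three log lines are constructed for this example; account, paths, IPs and IDs are made up.

```powershell
$header = @(
    'Log_Version','Transaction_Start_Time','REST_Operation_Type','Request_Status',
    'HTTP_Status_Code','E2E_Latency','Server_Latency','Authentication_type',
    'Requestor_Account_Name','Owner_Account_Name','Service_Type','Request_URL',
    'Object_Key','Request_ID','Operation_Number','Client_IP','Request_Version',
    'Request_Header_Size','Request_Packet_Size','Response_Header_Size',
    'Response_Packet_Size','Request_Content_Length','Request_MD5','Server_MD5',
    'ETag','Last_Modified_Time','ConditionsUsed','User_Agent','Referrer',
    'Client_Request_ID','User_Object_ID','Tenant_ID','Application_ID','Audience',
    'Issuer','User_Principal_Name','Unused_Field','Authorization_Detail'
)

# Constructed sample lines. With real downloads:
#   $logLines = Get-ChildItem C:\temp\orthanc\blob -Recurse -File | Get-Content
$logLines = @(
    '2.0;2023-11-14T09:12:03.1234567Z;GetBlob;AnonymousSuccess;200;17;16;anonymous;;orthanc;blob;"https://orthanc.blob.core.windows.net/public/readme.txt";"/orthanc/public/readme.txt";3f7c5a2e-0000-0000-0000-000000000001;0;203.0.113.7:51234;2021-08-06;389;0;264;1024;;;;"0x8DB1A2B3C4D5E6F";"Tue, 14 Nov 2023 08:00:00 GMT";;"Mozilla/5.0";;;;;;;;;;',
    '2.0;2023-11-14T09:12:05.7654321Z;PutBlob;SASAuthorizationFailure;403;5;4;sas;;orthanc;blob;"https://orthanc.blob.core.windows.net/dicom/study1.dcm?sv=2021-08-06&sig=REDACTED";"/orthanc/dicom/study1.dcm";3f7c5a2e-0000-0000-0000-000000000002;0;198.51.100.23:44010;2021-08-06;512;4096;188;0;4096;;;;;;"python-requests/2.31";;;;;;;;;;',
    '2.0;2023-11-14T09:13:44.0000000Z;ListBlobs;OAuthSuccess;200;31;30;oauth;;orthanc;blob;"https://orthanc.blob.core.windows.net/dicom?restype=container&comp=list";"/orthanc/dicom";3f7c5a2e-0000-0000-0000-000000000003;0;203.0.113.7:51240;2021-08-06;1201;0;282;2310;;;;;;"Microsoft Azure Storage Explorer";;;"11111111-2222-3333-4444-555555555555";"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";"cccccccc-dddd-eeee-ffff-000000000000";"https://storage.azure.com";"https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/";"alice@contoso.local";;'
)

$rows = $logLines | ConvertFrom-Csv -Delimiter ';' -Header $header

function Get-ClientIp([string]$Field) {
    # The log appends ":port" to IPv4 clients; strip it so one client groups as one IP.
    if ($Field -match '^(\d{1,3}(\.\d{1,3}){3}):\d+$') { return $Matches[1] }
    return $Field
}

# Volume per client IP and authentication type. On an account that is meant
# to be private, any 'anonymous' or unexpected 'sas' line here is the finding.
$rows |
    Group-Object { Get-ClientIp $_.Client_IP }, Authentication_type |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Failed authorization attempts, with enough context to chase them
$rows | Where-Object { $_.Request_Status -like '*AuthorizationFailure*' } |
    Select-Object Transaction_Start_Time,
                  @{n='ClientIp'; e={ Get-ClientIp $_.Client_IP }},
                  REST_Operation_Type, Object_Key, User_Agent |
    Format-Table -AutoSize
```

For OAuth requests the User_Principal_Name, Application_ID and Tenant_ID columns identify the caller; for SAS and anonymous requests only the client IP and User_Agent are available, which is why those two authentication types deserve the closer look.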

Wednesday, September 27, 2023

Highly available domain controller (two DCs behind an internal Standard Load Balancer VIP)

1. Deploy the VMs; if they have public IP addresses, change them to the Standard SKU (a Standard LB cannot be mixed with Basic public IPs on the backend VMs).

2. Deploy the LB (Terraform, azurerm provider):

resource "azurerm_lb" "lb-services-int" {
  resource_group_name = azurerm_resource_group.resource_group.name
  name                = local.lb_name
  location            = azurerm_resource_group.resource_group.location
  sku                 = "Standard"

  frontend_ip_configuration {
    name      = local.lb_name
    subnet_id = data.azurerm_subnet.eastus-test4.id
    # The VIP must be the same address that step 3 adds to the loopback interface on every DC
    # (10.5.2.10 below), so pin it instead of leaving it dynamic.
    private_ip_address_allocation = "Static"
    private_ip_address            = "10.5.2.10"
  }

  tags = azurerm_resource_group.resource_group.tags
}


resource "azurerm_lb_backend_address_pool" "backend_pool_services" {
  loadbalancer_id = azurerm_lb.lb-services-int.id
  name            = local.lb_backend_name
}


resource "azurerm_lb_probe" "lb_probe-ldap-389-Tcp" {
  # Only TCP 389 is probed: a DC whose LDAP port still accepts connections stays in rotation
  # even if Kerberos or DNS on it are unhealthy. Acceptable for a lab, worth knowing in production.
  loadbalancer_id     = azurerm_lb.lb-services-int.id
  name                = "tcpProbe-389-Tcp"
  protocol            = "Tcp"
  port                = 389
  interval_in_seconds = 5
  number_of_probes    = 2
}

# HA-ports rule: protocol "All" with ports 0 forwards every TCP and UDP port to the backend pool,
# which is what a DC needs (LDAP, Kerberos, DNS, SMB, RPC high ports). Requires the Standard SKU.
resource "azurerm_lb_rule" "lb_rule-int-no-all" {
  loadbalancer_id                = azurerm_lb.lb-services-int.id
  name                           = "LBRule-int-all-tcp"
  protocol                       = "All"
  frontend_port                  = 0
  backend_port                   = 0
  frontend_ip_configuration_name = local.lb_name
  enable_floating_ip             = true
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.backend_pool_services.id]
  idle_timeout_in_minutes        = 5
  probe_id                       = azurerm_lb_probe.lb_probe-ldap-389-Tcp.id
  disable_outbound_snat          = true
}



data "azurerm_network_interface" "int1" {
  name                = "jarek7sndvm-nic"
  resource_group_name = "jareksandbox3-rg"
}

resource "azurerm_network_interface_backend_address_pool_association" "int1" {
  network_interface_id    = data.azurerm_network_interface.int1.id
  ip_configuration_name   = "ipconfiguration-jarek7sndvm"
  backend_address_pool_id = azurerm_lb_backend_address_pool.backend_pool_services.id
}

data "azurerm_network_interface" "int2" {
  name                = "jarek8sndvm-nic"
  resource_group_name = "jareksandbox4-rg"
}


resource "azurerm_network_interface_backend_address_pool_association" "int2" {
  network_interface_id    = data.azurerm_network_interface.int2.id
  ip_configuration_name   = "ipconfiguration-jarek8sndvm"
  backend_address_pool_id = azurerm_lb_backend_address_pool.backend_pool_services.id
}

3. Configure the interfaces on each DC. With floating IP enabled the packet arrives with the VIP as its destination address, so the VIP must exist locally (on the loopback) and weak host mode must be on, otherwise Windows drops it:

netsh interface ipv4 set interface "Ethernet" weakhostreceive=enabled

netsh interface ipv4 add address "Loopback Pseudo-Interface 1" 10.5.2.10 255.255.255.128
netsh interface ipv4 set interface "Loopback Pseudo-Interface 1" weakhostreceive=enabled weakhostsend=enabled

4. Install the domain controller (DSC).

5. Configure DNS:

The AD records were configured as well: the VIP was added under _sites, _tcp and _udp. This might not be required.


6. Test:

1..20 | % {
    Get-ADUser test01 -Server jarek8sndvm.contoso.local
    Start-Sleep -Seconds 1
}

# delete on one DC and force replication, then recreate and replicate again
Get-ADUser test01 -Server jarek7sndvm.contoso.local | Remove-ADUser -Confirm:$false; repadmin /syncall jarek7sndvm.contoso.local /AdeP

New-ADUser -Name 'test01' -Server jarek7sndvm.contoso.local; repadmin /syncall jarek7sndvm.contoso.local /AdeP
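Added example, not from the original post: the loop above queries each DC by name, so it never goes through the load balancer. This one talks to the VIP over LDAP (the port the probe watches) and reports which DC answered each connection, which is the thing to watch while you stop one DC. 10.5.2.10 is the loopback/VIP address from step 3; the RootDSE read is standard LDAP and needs no credentials.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapServerName {
    param([string]$Server, [int]$Port = 389, [int]$TimeoutSeconds = 3)
    # RootDSE is readable anonymously; its dnsHostName is the DC that answered.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:${Port}")
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.Timeout  = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
                    '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'dnsHostName'
        $resp = $conn.SendRequest($req)
        return [string]$resp.Entries[0].Attributes['dnsHostName'][0]
    } catch {
        return "ERROR: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$vip = '10.5.2.10'   # LB frontend / loopback address from step 3

# Reachability first: is the HA-ports rule forwarding 389 at all?
Test-NetConnection -ComputerName $vip -Port 389 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Which DC is behind the VIP on each connection? With both DCs healthy the 5-tuple hash
# spreads new connections across both (each call uses a new source port, so expect a mix).
# Stop LDAP or the VM on one DC and rerun: once the probe has failed twice (2 x 5 s above)
# every answer must come from the surviving DC, and no line should read ERROR.
$answers = 1..20 | ForEach-Object {
    Get-LdapServerName -Server $vip
    Start-Sleep -Milliseconds 500
}
$answers | Group-Object | Select-Object Count, Name
```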

Wednesday, July 26, 2023

Troubleshooting network/cert connections

Check what the browser and resolver are actually doing (which resolver answers, whether DoH is on, whether the DNSSEC chain validates):

https://1.1.1.1/help

https://dnsviz.net/d/indysoft.com/dnssec/

https://dnssec-debugger.verisignlabs.com/

Friday, July 21, 2023

install oh-my-posh

choco install oh-my-posh -y
choco install microsoft-windows-terminal -y
choco install nerd-fonts-3270 -y
choco install nerd-fonts-meslo -y

# Caveat: a process exclusion stops Defender scanning files opened by *any* process named oh-my-posh.exe,
# not just the real one. Keep it only if you really need it, and prefer -ExclusionPath on the install folder.
Add-MpPreference -ExclusionProcess oh-my-posh.exe

# Set-Content replaces the whole profile; use Add-Content if you already have one
Set-Content -Path $profile -Value 'oh-my-posh init pwsh | Invoke-Expression'

Get-Content $profile


Start-BitsTransfer "https://github.com/ryanoasis/nerd-fonts/releases/download/v2.1.0/Meslo.zip" -Destination c:\temp\meslo.zip


Start-BitsTransfer "https://github.com/microsoft/cascadia-code/releases/download/v2111.01/CascadiaCode-2111.01.zip" -Destination c:\temp\CascadiaCode-2111.01.zip


Expand-Archive C:\temp\meslo.zip -DestinationPath C:\temp\Fonts


Expand-Archive C:\temp\CascadiaCode-2111.01.zip -DestinationPath c:\temp\cascadia\



Tuesday, July 18, 2023

Check what permissions are assigned in an Azure SQL database

Role membership per database role (roles without members show as 'No members'):

SELECT DP1.name AS DatabaseRoleName,
    isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
    ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
    ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;

This shows role membership only; explicit GRANT/DENY entries are in sys.database_permissions.

Monday, July 10, 2023

Find what process is listening on a specific port using PowerShell

Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
                  @{Name="Process"; Expression={ (Get-Process -Id $_.OwningProcess).ProcessName }} |
    Format-Table

Get-NetTCPConnection -State Listen -LocalPort 80 |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
                  @{Name="Process"; Expression={ (Get-Process -Id $_.OwningProcess).ProcessName }} |
    Format-Table
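Added example, not from the original post: the same idea extended the way a triage usually needs it, with UDP included, the executable path behind each listener and its Authenticode status, so an unsigned binary or one running from an odd path stands out. Everything here is built-in cmdlets; run it elevated, otherwise the path of SYSTEM-owned processes is not readable.

```powershell
function Get-ListenerInventory {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto'; e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto'; e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    @($tcp) + @($udp) | ForEach-Object {
        # PID 0/4 (Idle, System) have no image path; Get-Process may also fail without elevation
        $p   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'n/a' }
        [pscustomobject]@{
            Proto     = $_.Proto
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            PID       = $_.OwningProcess
            Process   = $p.ProcessName
            Path      = $p.Path
            Signature = $sig          # Valid / NotSigned / HashMismatch / n/a
        }
    }
}

# Everything listening, anything not 'Valid' first
Get-ListenerInventory |
    Sort-Object @{e={ $_.Signature -ne 'Valid' }; Descending=$true}, Proto, Local |
    Format-Table -AutoSize

# Who owns TCP/80?
Get-ListenerInventory | Where-Object { $_.Proto -eq 'TCP' -and $_.Local -like '*:80' }
```

Save the output once on a known-good build and diff against it later; new listeners, or a known listener whose path or signature changed, are the lines to explain.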

Monday, March 20, 2023

backup and restore of mysql

#BACKUP (--password with no value prompts for it, so the password stays out of shell history and the process list; the user@hostname form is the Azure Database for MySQL login format)

mysqldump --routines --triggers --host "hostname" --password --user "mysqladmin@hostname" databasename > /tmp/databasename_dump_27022023

optional, when a mysqldump 8.x client dumps from an older server (avoids the COLUMN_STATISTICS error):

mysqldump --column-statistics=0 --routines --triggers --host "hostname" --password --user "mysqladmin@hostname" databasename > /tmp/databasename_dump_27022023

provide the password at the prompt

#RESTORE (the target database must already exist)

mysql -u mysqladmin -p -A -Dnewdatabasename --host newhostname-fqdn < /tmp/databasename_dump_27022023

Short form (a password given right after -p ends up in shell history and in ps output; avoid it on shared hosts):

mysqldump -u... -p... --routines --triggers db1 > /root/db1.sql

login:

mysql -h hostname.mysql.database.azure.com -u youruser -D yourDB -P 3306 -p -A