Reset WSUS Authorization and get new WSUS SID

Details
Written by: po3dno
Category: Power Shell
Hits: 949
net stop wuauserv 
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f 
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f 
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f  
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f 
net start wuauserv 
wuauclt.exe /resetauthorization /detectnow 
pause

Convert AD BASE64 SID to SDDL format and back.

Details
Written by: po3dno
Category: Power Shell
Hits: 882

#Convert from Base64 to SID
[byte[]]$sid = [System.Convert]::FromBase64String("AQUAAAAAAAUVAAAAuwkCIyAUg1vk+E/VWQQAAA==")
$si = New-Object Security.Principal.SecurityIdentifier($sid,0)
$si.ToString()


#Convert from SID to Base64 (Needed for squid)
$sidconvert = New-Object Security.Principal.SecurityIdentifier("S-1-5-21-587336123-1535317024-3578788068-1112")
$sid_out = New-Object 'byte[]' $sidconvert.BinaryLength
$sidconvert.GetBinaryForm($sid_out,0)
[System.Convert]::ToBase64String($sid_out)

 

Disable NLA

Details
Written by: po3dno
Category: Power Shell
Hits: 918

(Get-WmiObject -ComputerName . -class "Win32_TSGeneralSetting" -Namespace root\CIMV2\TerminalServices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

How to clean out golden tickets after a succesful attack on your active directory

Details
Written by: po3dno
Category: Power Shell
Hits: 1034

If an attack made it into your active directory‍ environment and got a golden ticket‍, there is a specific set of steps you need to take to make sure you've cleaned out the adversary:

  1. Disconnect the affected networks. Entirely.
  2. Remediate any persistence mechanisms left behind
  3. Reset passwords of ALL high privileged access accounts
  4. Reset passwords of all VPN access credentials (+other remote access you may have)
  5. Change the krbtgt‍ hash using https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 run in it the order of using first option 1, then option 2 and then option 3: (https://cdn-images-1.medium.com/max/1000/1*Gk48jksjPuThTrPnJNHW-w.png)
  6. Wait minimum 10 hours
  7. Change the krbtgt hash again using https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 run in it the order of using first option 1, then option 2 and then option 3: (https://cdn-images-1.medium.com/max/1000/1*Gk48jksjPuThTrPnJNHW-w.png)

mount vhd

Details
Written by: po3dno
Category: Power Shell
Hits: 859
Sysprep /generalize /shutdown /oobe

First, mount the vhd using

Mount-WindowsImage -ImagePath C:\VHDs\BigHomies.vhdx -Path C:\VHDMount -Index 1

Then, capture it into a wim with

New-WindowsImage -CapturePath C:\VHDMount -Name Win7Image -ImagePath C:\CapturedWIMs\Win7.wim -Description "Yet another Windows 7 Image" -Verify

And let it do it's thing. When you are done you can unmount the vhd and discard any changes using:

Dismount-WindowsImage -Path C:\VHDMount -Discard
  1. Disable NETBIOS
  2. InstallWinUpdates
  3. winrm
  4. Windows 10 Allows File Paths Longer Than 260 Characters (With a Registry Hack)

Page 3 of 11

Login Form

Statistics

  • Users 2
  • Articles 160
  • Articles View Hits 124358