Nathan's Thoughts and Notes
IT tools and solutions, and thoughts on life.
Wednesday, March 20, 2024
New-ADComputer : A required attribute is missing
Sunday, August 20, 2023
Splitting AD integrated reverse DNS zones
When it comes to splitting the zone, there's a few things to remember with AD integrated DNS. All records are objects under a zone object. Making changes in the dns management console doesn't mean objects in AD will automatically be deleted or migrated for you. You can end up in situations where hidden old records still exist in ldap, but don't show up in the dns management console. This code example below will help guide you in extracting the records you want and putting them in a new ldap dns zone object, along with preserving the data, timestamps, and permissions on the objects.
This example below is splitting of all 10.1.x.x records from a 10.x.x.x reverse zone. Before running your modified code, create your new reverse dns zone, then stop the dns server on the domain controller that you are making this change on.
get-adobject -searchbase "DC=10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com" -ldapfilter "(objectclass=dnsnode)" |
where {$_.name -match "\.1$"} |
move-adobject -targetpath "DC=1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com"
get-adobject -searchbase "DC=1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com" -ldapfilter "(objectclass=dnsnode)" |
where {$_.name -match "\.1$"} | %{
$newname = $_.name.replace(".1","")
$_ | rename-adobject -newname $newname
}
Tuesday, April 25, 2023
Defender for Identity agent problems
Problem #1, service failing to start due to files not found. The updater service will auto update the agent version. If you look at the program's directory "C:\program files\Azure Advanced Threat Protection Sensor", you will one or more subfolders named with version ID's for the agent. Occasionally the updater fails in some way causing the windows service's registry information to point to a folder version that no longer exists. In these cases, just update the ImagePath registry entry in HKLM\System\CurrentControlSet\Services\AATPSensor and \AATPSensorUpdater to point to the highest version # folder that you have in the program's directory. This should allow the service to start, assuming there is no problem with the contents of that folder. If there is, you can try a different version # if there are others present.
Problem #2, "Error PerformanceCounterLib System.InvalidOperationException: Category does not exist" is showing up in the Microsoft.Tri.sensor.Updater.log file. This is an issue with windows performance counters. You may also see an error showing up if you open the Perfmon tool, and it complains about missing counters there as well. You can try these commands in an administrator cmd prompt to remediate this:
cd c:\windows\system32
lodctr.exe /R
cd c:\windows\syswow64
lodctr.exe /R
lodctr.exe /E:perfdisk
lodctr.exe /E:perfnet
lodctr.exe /E:perfOS
lodctr.exe /E:Tcpip
Start the updater service again to see if it starts.
Problem #3, service won't start, no clear reason why. When uninstalling and reinstalling the software, the program files directory for the application doesn't get created, but the software shows up in add/remove programs. You will not be able to install or uninstall at this point because both processes will complain about the software not being there, or already being installed. To work around this, copy the files from another machine. Manually create the service names using sc.exe. Once that is in place, do the uninstall again. This should trick the installer enough to uninstall the application. You can then try the install process again.
Windows Firewall - network card not detecting the correct connection profile
There are some additional configurations you will want to push as well:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\AlwaysExpectDomainController (REG_DWORD) = 0x1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTTL (REG_DWORD) = 0x0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\NegativeCachePeriod (REG_DWORD) = 0x0
These will add some additional stability for NLA.
Thursday, June 23, 2022
PetitPotam Defenses
Protection against coerced authentication on domain controllers:
Print Spooler:
Disable the service via group policy on all DC's
EFS RPC attack:
Create the two RPC filters by putting this in a text file (source):
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
Save the file and use "netsh -f filename.txt" to apply it
DFS RPC attack:
Create one RPC filter by putting this in a text file (source)
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=4fc742e0-4a10-11cf-8273-00aa004ae673
add filter
quit
Save the file and use "netsh -f filename.txt" to apply it
This dfs filter has some impact on creation of new dfs namespaces. Otherwise it doesn't seem to cause other issues that I can tell.
Certificate Authority hardening:
Follow the MS guidance on hardening the CA against NTLM relay. Essentially you configure the web interfaces to allow kerberos only with extended protection. If possible, disable NTLM auth completely on the server. Beyond that, limiting access to client certificates and not allowing user supplied SAN's on them should be done.
Thursday, February 17, 2022
Creating virtual smart card for MIM CM
tpmvscmgr create /name myvsc /pin prompt /adminkey default /generate
When prompted for default admin key, use: 010203040506070801020304050607080102030405060708
When prompted for pin, it will need to be 8 characters long even if it says it can be less than that.
Wednesday, December 29, 2021
Finding expiring certificates in your CA
A while ago, I was working on a method of discovering and creating alerts for expiring smartcards. While looking at some of the various methods to pull details from FIM certificate manager or the AD certificate services CA that issues the certs, I ended up goinig with certutil as the tool of choice for pulling the data. The build in filtering of the results helped give the ability to confine the results to certain certificate types, and also to avoid anything that was revoked. Putting this together with output processing in powershell, it is pretty easy to pull together a list of certs and their expiration time. Using grouping, you can avoid the problem of having multiple results per user (for those who have already renewed). Since smartcards use UPN as an identifier, I went with that attribute to help get the user details. For other use cases that would need to be modifed and the Get-ADUser functionality wouldn't be required.
#this line needs to be modified to target the CA and the OID
#of the cert type that you want to look at (if you are restricting it
#Disposition of 20 means certs that are active
certutil -config "<CA server FQDN>\<CA NAME>" -view -out "user principal name,certificate expiration date" -restrict "certificatetemplate=<templateOID>,Disposition=20" > .\certdump.txt
$results = @()
$recordbound = $false
Try { $data = get-content .\testcertdump.txt -erroraction stop } catch {
#error handling
}
For ($i=0; $i -lt $data.count; $i++) {
#process the multiline record to get user UPN account name and certificate expirations
if ($recordbound) {
$result = new-object PSobject
$UPN = $data[$i].substring($data[$i].indexof('"')+1).trim('"')
$dateval = $data[$i+1].substring($data[$i+1].indexof(":")+1)
$dateval = [datetime]$dateval
add-member -input $result NoteProperty UPN $upn
add-member -input $result NoteProperty Expiration $dateval
$i = $i+2
$recordbound = $false
$results += $result
}
#start of a new multiline record
if ($data[$i] -match "^Row ") {
$recordbound = $true
}
}
#User may have renewed before, so there can be more than one cert...so group by user UPN
$groupdata = $results|group UPN
$curdate = get-date
#Look at all certificates for a given user and select the one with the furthest expiration date (I.e. last one issued to this UPN)
$groupdata = $groupdata | Select Name,@{name="expiration";expression={($_.group|sort expiration |select -last 1).expiration}}
foreach ($entry in $groupdata) {
$debugstr = "$($entry.name) Expiration $($entry.expiration)"
$timediff = new-timespan -start $entry.expiration -end $curdate
$days = 0 - $timediff.days
if ($days -lt 30) {
$debugstr += ". In expiration window."
#expiration warning, need to find primary account email and send it, if they are still active
$user = get-aduser -ldapfilter "(&(objectclass=user)(userprincipalname=$($entry.name)))" -properties enabled,manager
if ($user.enabled) {
$debugstr += " Account is enabled."
#do something with it
} else {
$debugstr += " User 431 is disabled, ignoring."
}
}
write-debug $debugstr
}