Sunday, August 20, 2023

Splitting AD integrated reverse DNS zones

If you have an environment with a reverse dns zone that was created with broad network range, you may decided at a later point in time that you want to split the zone. The reasons for this might be: ease of management in terms of loading the zone in the dns management console, easier to find records, requring differences in record age and scavenging control, etc. For a zone that is AD integrated, it will be in one of 3 partitions (domain partion, domaindns partition, or forestdns partition). You can adjust the code to the appropriate distinguishedname of the zone. Distinguishednames can be retrieved using get-dnsserverzone and reading the distinguishedname property on the returned object.

When it comes to splitting the zone, there's a few things to remember with AD integrated DNS. All records are objects under a zone object. Making changes in the dns management console doesn't mean objects in AD will automatically be deleted or migrated for you. You can end up in situations where hidden old records still exist in ldap, but don't show up in the dns management console. This code example below will help guide you in extracting the records you want and putting them in a new ldap dns zone object, along with preserving the data, timestamps, and permissions on the objects.

This example below is splitting of all 10.1.x.x records from a 10.x.x.x reverse zone. Before running your modified code, create your new reverse dns zone, then stop the dns server on the domain controller that you are making this change on.


get-adobject -searchbase "DC=10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com" -ldapfilter "(objectclass=dnsnode)" | 
    where {$_.name -match "\.1$"} | 
    move-adobject -targetpath "DC=1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com"
 

get-adobject -searchbase "DC=1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Contoso,DC=Com" -ldapfilter "(objectclass=dnsnode)" | 
  where {$_.name -match "\.1$"} | %{

               $newname = $_.name.replace(".1","")
               $_ | rename-adobject -newname $newname
              
  }
Once this completes, start the dns server service to force rereading of ldap information. Dns zone reload is not sufficient. Other domain controllers should not require restart of dns service as they pick up the changes as it replicates. Test this in a lab environment first and run at your own risk.

Tuesday, April 25, 2023

Defender for Identity agent problems

I've run in to a few issues with Azure Advanced Threat Protection Sensor services not starting (aka Defender for Identity). Here are a few tips to work through various issues.

Problem #1, service failing to start due to files not found. The updater service will auto update the agent version. If you look at the program's directory "C:\program files\Azure Advanced Threat Protection Sensor", you will one or more subfolders named with version ID's for the agent. Occasionally the updater fails in some way causing the windows service's registry information to point to a folder version that no longer exists. In these cases, just update the ImagePath registry entry in HKLM\System\CurrentControlSet\Services\AATPSensor and \AATPSensorUpdater to point to the highest version # folder that you have in the program's directory. This should allow the service to start, assuming there is no problem with the contents of that folder. If there is, you can try a different version # if there are others present.

Problem #2, "Error PerformanceCounterLib System.InvalidOperationException: Category does not exist" is showing up in the Microsoft.Tri.sensor.Updater.log file. This is an issue with windows performance counters. You may also see an error showing up if you open the Perfmon tool, and it complains about missing counters there as well. You can try these commands in an administrator cmd prompt to remediate this:

cd c:\windows\system32
lodctr.exe /R
cd c:\windows\syswow64
lodctr.exe /R
lodctr.exe /E:perfdisk
lodctr.exe /E:perfnet
lodctr.exe /E:perfOS
lodctr.exe /E:Tcpip

Start the updater service again to see if it starts.

Problem #3, service won't start, no clear reason why. When uninstalling and reinstalling the software, the program files directory for the application doesn't get created, but the software shows up in add/remove programs. You will not be able to install or uninstall at this point because both processes will complain about the software not being there, or already being installed. To work around this, copy the files from another machine. Manually create the service names using sc.exe. Once that is in place, do the uninstall again. This should trick the installer enough to uninstall the application. You can then try the install process again.

Windows Firewall - network card not detecting the correct connection profile

For people familiar with Windows firewall, there are 3 profiles that you can create rules for: Private, Public, and Domain. The operating system uses the Network Location Awareness service (NLAsvc) to attempt to identify what type of connection each NIC is on. If you machine is domain joined to an Active directory on-prem domain, it will make connection attempts to domain controllers to see if a specific NIC can reach one. For other tests, it will try to connect to websites to see if there internet connectivity. The problem with windows firewall and its domain checks is that you might not have a well enough functioning network connection when the NLAsvc tries to perform its checks. On a domain controller, this is particularly problematic. To work around this you cand modify the service settings in the registry to add some additional service dependencies. This will delay the start up of the NLAsvc process and give the system more time to be ready for the checks. To do this, open regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc. Edit the "DependOnService" REG_MULTI_SZ value. For new entries, you will add one entry per line. The values you will want to add are: NSI, RpcSs, TcpIp, Dhcp, Eventlog, DNS, Netlogon.

There are some additional configurations you will want to push as well:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\AlwaysExpectDomainController (REG_DWORD) = 0x1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\MaxNegativeCacheTTL (REG_DWORD) = 0x0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\NegativeCachePeriod (REG_DWORD) = 0x0

These will add some additional stability for NLA.

Thursday, June 23, 2022

PetitPotam Defenses

Protection against coerced authentication on domain controllers:



Print Spooler:


Disable the service via group policy on all DC's

EFS RPC attack:



Create the two RPC filters by putting this in a text file (source):

rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit


Save the file and use "netsh -f filename.txt" to apply it


DFS RPC attack:



Create one RPC filter by putting this in a text file (source)

rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=4fc742e0-4a10-11cf-8273-00aa004ae673
add filter
quit


Save the file and use "netsh -f filename.txt" to apply it

This dfs filter has some impact on creation of new dfs namespaces. Otherwise it doesn't seem to cause other issues that I can tell.


Certificate Authority hardening:


Follow the MS guidance on hardening the CA against NTLM relay. Essentially you configure the web interfaces to allow kerberos only with extended protection. If possible, disable NTLM auth completely on the server. Beyond that, limiting access to client certificates and not allowing user supplied SAN's on them should be done.

Thursday, February 17, 2022

Creating virtual smart card for MIM CM

To use a virtual card on existing profiles that prompt for pin in the certificate manager portal site, use this to create the virtual card:

tpmvscmgr create /name myvsc /pin prompt /adminkey default /generate

When prompted for default admin key, use: 010203040506070801020304050607080102030405060708

When prompted for pin, it will need to be 8 characters long even if it says it can be less than that.

Wednesday, December 29, 2021

Finding expiring certificates in your CA

A while ago, I was working on a method of discovering and creating alerts for expiring smartcards.  While looking at some of the various methods to pull details from FIM certificate manager or the AD certificate services CA that issues the certs, I ended up goinig with certutil as the tool of choice for pulling the data.  The build in filtering of the results helped give the ability to confine the results to certain certificate types, and also to avoid anything that was revoked.  Putting this together with output processing in powershell, it is pretty easy to pull together a list of certs and their expiration time.  Using grouping, you can avoid the problem of having multiple results per user (for those who have already renewed).  Since smartcards use UPN as an identifier, I went with that attribute to help get the user details.  For other use cases that would need to be modifed and the Get-ADUser functionality wouldn't be required.




#this line needs to be modified to target the CA and the OID
#of the cert type that you want to look at (if you are restricting it
#Disposition of 20 means certs that are active
certutil -config "<CA server FQDN>\<CA NAME>" -view -out "user principal name,certificate expiration date" -restrict "certificatetemplate=<templateOID>,Disposition=20"  > .\certdump.txt

$results = @()
$recordbound = $false
Try { $data = get-content .\testcertdump.txt -erroraction stop } catch { 
		#error handling
	}
For ($i=0; $i -lt $data.count; $i++) {
	#process the multiline record to get user UPN account name and certificate expirations
	if ($recordbound) {
		$result = new-object PSobject
		$UPN = $data[$i].substring($data[$i].indexof('"')+1).trim('"')
		$dateval = $data[$i+1].substring($data[$i+1].indexof(":")+1)
		$dateval = [datetime]$dateval
		add-member -input $result NoteProperty UPN $upn
		add-member -input $result NoteProperty Expiration $dateval
		$i = $i+2
		$recordbound = $false
		$results += $result
	}

	#start of a new multiline record
	if ($data[$i] -match "^Row ") {
		$recordbound = $true
	}
}

#User may have renewed before, so there can be more than one cert...so group by user UPN
$groupdata = $results|group UPN
$curdate = get-date

#Look at all certificates for a given user and select the one with the furthest expiration date (I.e. last one issued to this UPN)
$groupdata = $groupdata | Select Name,@{name="expiration";expression={($_.group|sort expiration |select -last 1).expiration}}

foreach ($entry in $groupdata) {
	$debugstr = "$($entry.name)  Expiration $($entry.expiration)"
	$timediff = new-timespan -start $entry.expiration -end $curdate
	$days = 0 - $timediff.days
	if ($days -lt 30) {
		$debugstr += ".  In expiration window."
		#expiration warning, need to find primary account email and send it, if they are still active
		$user = get-aduser -ldapfilter "(&(objectclass=user)(userprincipalname=$($entry.name)))" -properties enabled,manager
		if ($user.enabled) {
			$debugstr += "  Account is enabled."
			#do something with it
		} else {
			$debugstr += " User 431 is disabled, ignoring."
		}
	}
	write-debug $debugstr
}

Tuesday, September 28, 2021

Task scheduler repeat popup "task scheduler service is not available. Verify the service is running."

Recently I noticed a few different errors on task scheduler on some machines that had gone through in place operating system upgrades from Windows 2008 to Windows 2016. After the upgrade, when opening the task scheduler gui tool, it either gave popup messages repeatedly saying the service was not available despite the service being started. Clicking through many of these, it would eventually show some tasks in the list, but not all. Also schtasks.exe was working fine and showing all the tasks. On some of the machines, the gui tool was just giving snap-in errors and nothing would load in the tool. 



The issue turned out to be from some of the legacy jobs. In older versions of windows, simple scheduled tasks could be created through the at.exe command. If some jobs existed on the machine prior to the upgrade, they would still be in the windows directory, and will still show up in schtasks.exe. You can't edit or delete them with the schtasks command line tool, and they won't show up at all in the GUI after you click through the errors. If you try to use at.exe command it says its no longer supported and won't run. You can just delete the job files from the c:\windows\tasks folder. After that, the errors in the gui tool will go away.