Windows Security, Networking, and Surveys Primer Guide U.S. Army Cyber School 2021 Cyber Common Technical Core (CCTC) Terminal Learning Objectives Define security identifiers (SIDs) and relative identifiers (RIDs), to include creation, assignment, and storage View and modify access permissions using the command line Associate a user SID with a user profile [[TLO4]Windows’ mandatory and discretionary access control systems and how they impact operations Access control as it relates to object security How access control is implemented Windows memory protections (e.g., Address Space Layout Randomization [ASLR] and Data Execution Prevention [DEP]) and how they can impact operations Utilize command line tools to ensure the integrity of system processes Assess effective permissions given various user and group situations Purpose of and Windows Resource Protection (WRP) Features and functionality of WRP View and modify Windows Firewall settings using both GUI and CLI tools Capabilities of Windows Defender, on which systems it is likely to be found, and how it can impact operations Define Memory Forensics Describe the features and functionality of the Volatility Framework Table of Contents 1. Security Identifiers / Relative Identifiers 1.1 Security Identifiers (SIDs) 1.2 Relative Identifier (RID) 2. View and modify access permissions using the command line 2.1 Command Line Interface (CLI) 2.2 POWERSHELL 3. Windows mandatory and discretionary access control systems and how they impact operations 3.1 Discretionary Access Control List (DACL) 3.2 Icacls 4. Associate a user SID with a user profile 5. Access control and object security 5.1 How access control is implemented 6. Windows memory protections (e.g., Address Space Layout) 7. Randomization [ASLR] and Data Execution Prevention [DEP] and how they can impact operations 7.1 Address Space Layout Randomization (ASLR) 7.2 ASLR Shortcomings 7.3 Demonstrate the ability to utilize command line tools to 7.4 Assess effective permissions given various user and 8. Windows Resource Protection (WRP) 8.1 Features and functionality of WRP 9. Windows Firewall settings using both GUI and CLI tools 10. Windows Defender 10.1 Systems Windows Defender is found and impact on operations 1. Security Identifiers / Relative Identifiers TLO’s for this Module: 1 2 1.1 Security Identifiers (SIDs) A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each account, group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller and are stored in a security database. The system generates a SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group. Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer. In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems. Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes in the security context of the account by using their security identifiers (SIDs). Regarding Domain accounts; the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services. The SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise. The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation: S-R-X-Y1-Y2-Yn-1-Yn In this notation, the components of a SID are represented as shown in the following table. Comment Description S Indicates that the string is a SID R Indicates the revision level X Indicates the identifier authority value Y Represents a series of sub authority values, where n is the number of values The SID's most important information is contained in the series of sub authority values. The first part of the series (-Y1-Y2-Yn-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier. The last item in the series of sub-authority values (-Yn) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier. For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string: S-1-5-32-544 This SID has four components: A revision level (1) An identifier authority value (5, NT Authority) A domain identifier (32, Built-in) A relative identifier (544, Administrators) In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\Domain Admins): S-1-5-21-1004336348-1177238915-682003330-512 The SID for Contoso\Domain Admins has: A revision level (1) An identifier authority (5, NT Authority) A domain identifier (21-1004336348-1177238915-682003330, Contoso) A relative identifier (512, Domain Admins) 1.2 Relative Identifier (RID) When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again. In a network domain; however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multi-master operation. The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller’s replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller’s allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master. Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier. 2. View and modify access permissions using the command line 2.1 Command Line Interface (CLI) The Net user command is available from within the Command Prompt in most versions of Windows including Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server operating systems, and some older versions of Windows. To run net user, open a command prompt, type net user with the appropriate parameters, and then press ENTER. The availability of certain net user command switches and other net user command syntax may differ from operating system to operating system. Net User syntax examples: net user [<UserName> {<Password> | *} [<Options>]] [/domain] net user [<UserName> {<Password> | *} /add [<Options>] [/domain]] net user [<UserName> [/delete] [/domain]] C:\Users\student\Desktop>net user /? The syntax of this command is: NET USER [username [password | *] [options]] [/DOMAIN] username {password | *} /ADD [options] [/DOMAIN] username [/DELETE] [/DOMAIN] username [/TIMES:{times | ALL}] username [/ACTIVE: {YES | NO}] This first example of the net user command shows that at its simplest form, it will produce a list of all the users on the computer: C:\Users\student\Desktop>net user User accounts for \\WINOPSSTATION ------------------------------------------------------------------------------- Admin Administrator cloudbase-init DefaultAccount Guest sshd student WDAGUtilityAccount The command completed successfully. There are several user accounts available, but we can focus on the one’s of interest by modifying the command: C:\Users\student\Desktop>net user Guest User name Guest Full Name Comment Built-in account for guest access to the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never Password last set 9/29/2021 10:57:27 AM Password expires Never Password changeable 9/29/2021 10:57:27 AM Password required No User may change password No Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships *Guests Global Group memberships *None The command completed successfully. Here we get a lot of useful specific information about our chosen account to query To add a user/ change password or delete a user the syntax is as follows: Add an account by logging in as an administrator, open an elevated command prompt and type the following: Add a user whose full name is Billy Stevens and whose user account name is billst, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (password), and the user’s full name. net user billst PassWord123! /add /passwordreq:yes /times:monday-friday,8am-5pm/fullname:"Billy Stevens" To change the password of a user: net user user_name * /domain -You will be asked to type a password for the user. Type the new password and later again retype the password to confirm. -You could also use the following command. But in this case, you will not be prompted. The password will be directly changed right away. net user user_name new_password To delete an account: net user billst /delete 2.2 POWERSHELL There are 15 cmdlets in the LocalAccounts module. You can view the full list by running the following command: PS C:\Users\student\Desktop> Get-Command -Module Microsoft.PowerShell.LocalAccounts CommandType Name Version Source ----------- ---- ------- ------ Cmdlet Add-LocalGroupMember 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Disable-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Enable-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Get-LocalGroup 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Get-LocalGroupMember 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Get-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet New-LocalGroup 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet New-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Remove-LocalGroup 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Remove-LocalGroupMember 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Remove-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Rename-LocalGroup 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Rename-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Set-LocalGroup 1.0.0.0 Microsoft.PowerShell.LocalAccounts Cmdlet Set-LocalUser 1.0.0.0 Microsoft.PowerShell.LocalAccounts As shown in the above display we have some options, here is what they mean: Table 1. Defined Command Definition Add-LocalGroupMember Add a user to the local group Disable-LocalUser Disable a local user account Enable-LocalUser Enable a local user account Get-LocalGroup View local group preferences Get-LocalGroupMember View the list of all local group members Get-LocalUser View a local user account’s preferences New-LocalGroup Create a new local group New-LocalUser Create a new local user account Remove-LocalGroup Remove a local group Remove-LocalGroupMember Remove a member from a local group Remove-LocalUser Remove a local user account Rename-LocalGroup Rename a local group Rename-LocalUser Rename a local user account Set-LocalGroup Change the settings of a local group Set-LocalUser Change the account settings of a local user So lets begin by getting a list of local user accounts: PS C:\Users\student\Desktop> get-localuser Name Enabled Description ---- ------- ----------- Admin False Admin user Administrator False Built-in account for administering the computer/domain cloudbase-init True DefaultAccount False A user account managed by the system. Guest False Built-in account for guest access to the computer/domain sshd True student True WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scenarios. As shown above; there are three accounts that are enabled, cloudbase-init, sshd , and student To output all the properties and their values for a local user account, we can use Get-LocalUser cmdlet with the following parameters: PS C:\Users\student\Desktop> Get-LocalUser -Name student | Select-Object * AccountExpires : Description : Enabled : True FullName : PasswordChangeableDate : 9/22/2021 9:45:22 AM PasswordExpires : 11/3/2021 9:45:22 AM UserMayChangePassword : True PasswordRequired : False PasswordLastSet : 9/22/2021 9:45:22 AM LastLogon : 9/29/2021 11:05:31 AM Name : student SID : S-1-5-21-2639212546-2609384528-1476523986-1004 PrincipalSource : Local ObjectClass : User If we want to get the value of a particular local user account attribute, type its name after the Select-Object parameter. PasswordExpires PS C:\Users\student\Desktop> Get-LocalUser -Name student | Select-Object PassWordExpires PasswordExpires --------------- 11/3/2021 9:45:22 AM Create a new user with the New-LocalUser cmdlet. This cmdlet can create the following types of user accounts: Windows local user accounts Microsoft accounts Azure Active Directory accounts When creating a local user account, never type in the password as plain text; always convert it to a secure string using the AsSecureString or ConvertTo-SecureString parameter. Create a new local user account: $UserPassword = Read-Host –AsSecureString New-LocalUser "Billy" -Password $UserPassword -FullName "Billy Stevens" -Description "Noob" Read-Host will allow to input a password that is -asSecurestring into a variable which is called on with the second command. 3. Windows mandatory and discretionary access control systems and how they impact operations 3.1 Discretionary Access Control List (DACL) A DACL stands for Discretionary Access Control List. It is an internal list attached to an object in Active Directory that specifies which users and groups can access the object and what kinds of operations they can perform on the object. How DACL works. In Windows, each object in Active Directory or a local NTFS volume has an attribute called Security Descriptor that stores information about the object’s owner (the security identifier or the owner) and the groups to which the owner belongs. The discretionary access control list (DACL) of the object lists the security principals (users, groups, and computers) that have access to the object and their level of access. The system access control list (SACL), lists the security principals that should trigger audit events when accessing the list. DACL Access image::dacl.png [500,500.align="center"] The illustration shows a DACL that denies access to one user and grants access to two groups. The members of Group A get Read, Write, and Execute access rights by accumulating the rights allowed to Group A and rights allowed to Everyone. The exception is Andrew, who is denied access by the access-denied ACE in spite of being a member of the Everyone Group. The DACL for an object consists of a list of access control entries (ACEs). A given ACE applies to a class of objects, an object, or an attribute of an object. Each ACE specifies the security identifier (SID) of the security principal to which the ACE applies, as well as the level of access to the object permitted for the security principal. Commonly, DACLs are sometimes simply referred to as access control lists or ACLs, though this is not strictly correct. The owner of an object always has permission to modify its DACL by granting permissions to other users and groups. If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone. If a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies access to all trustees not included in the ACEs. 3.2 Icacls The command line can be used to view or modify access control lists on files or folders. There are multiple variants of the control access list (CACL) tool used to view and modify the ACE’s within a files security descriptor. cacls -control access control list (legacy) xcacls -extended control access list (legacy) icacls -integrity control access control list Icacls is the current release of the CACL tool set. It is built upon the .NET framework and provides the user with the ability to modify the permitted accesses to a file or object. Unlike cacls and xcacs, icacls also allows the operator to set the integrit level for an object and apply inheritance settings to directories. There are far too many options for the icacls to list here. To access the icacls menu type icacls.exe /? 4. Associate a user SID with a user profile PS C:\windows> get-localuser | Select name , sid Name SID ---- --- Admin S-1-5-21-2583244847-126966061-4153001442-1000 Administrator S-1-5-21-2583244847-126966061-4153001442-500 andy.dwyer S-1-5-21-2583244847-126966061-4153001442-1005 cloudbase-init S-1-5-21-2583244847-126966061-4153001442-1002 DefaultAccount S-1-5-21-2583244847-126966061-4153001442-503 Guest S-1-5-21-2583244847-126966061-4153001442-501 sshd S-1-5-21-2583244847-126966061-4153001442-1003 student S-1-5-21-2583244847-126966061-4153001442-1004 WDAGUtilityAccount S-1-5-21-2583244847-126966061-4153001442-504 5. Access control and object security 5.1 How access control is implemented Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it. Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways: Deny access to unauthorized users and groups Set well-defined limits on the access that is provided to authorized users and groups Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security: Protect a greater number and variety of network resources from misuse. Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Enable users to access resources from a variety of devices in numerous locations. Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change. Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones). Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs. 6. Windows memory protections (e.g., Address Space Layout) 7. Randomization [ASLR] and Data Execution Prevention [DEP] and how they can impact operations 7.1 Address Space Layout Randomization (ASLR) ASLR is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack, in a process’s address space. The random mixing of memory addresses performed by ASLR means that an attack no longer knows where the address space of the required code is actually located. This way, rather than removing vulnerabilities from the system, ASLR attempts to make it more challenging to exploit existing vulnerabilities. 7.2 ASLR Shortcomings *Boot-time based randomization * With Address Space Layout Randomization, the base addresses of DLLs are based on boot-time randomization. * Practically, this means that the base addresses of libraries will be randomized at the next reboot. * This is an Achilles heel that can be exploited by attackers, simply by combining vulnerabilities such as memory disclosure or brute force attacks. *Unsupported executables/libraries, low-entropy * ASLR is not supported when the executable or DLLs are not built with ASLR support. Although Windows 8 and Windows 10 try to overcome this limitation there are still exceptions that many times render the ASLR protection ineffective. * Older versions of Windows and legacy programs are particularly prone to this limitation. * In addition, ASLR on 32-bit systems suffers from low entropy, making it vulnerable to brute force and similar attacks. *Not trapping the attack * ASLR aims to prevent an attack from reliably reaching its target memory address. * ASLR does not focus on trapping the attack, rather on making the attack unlikely to work. * Once the shellcode jumps to the wrong address during the exploit (due to the memory randomization), the program behavior is undefined. * The process might receive an exception, crash, get stuck or simply continue with inconsistent behavior as a result. *ASLR does not alert to an attack * When a vulnerability is exploited and fails (due to ASLR’s memory randomization), no alert or attack indication is received. *ASLR does not provide information about an attack * Forensic information about an attack, exploitation and shellcode is crucial for any serious forensic investigation. * Exploited processes, memory dumps and call stacks can be used to identify, fingerprint and tag exploits. * ASLR cannot provide this information because it doesn’t actually know if an attack happens or at which point it was stopped. *ASLR is being bypassed by exploits daily * Since ASLR was introduced in Windows OS, it has been bypassed countless times by real-world exploits and attacks. * Attackers continuously develop new techniques to defeat ASLR defense. 7.3 Demonstrate the ability to utilize command line tools to ensure the integrity of system processes (CTFD’s)+ 7.4 Assess effective permissions given various user and group situations (CTFD’s) 8. Windows Resource Protection (WRP) Windows Resource Protection works by registering for notification of file changes in ------ changes are detected to a protected system file, the modified file is restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. 8.1 Features and functionality of WRP WRP works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files, they have to use the SetupAPI or take ownership of the resource and add the appropriate Access Control Entries (ACEs) to modify or replace it. The "Trusted Installer" account is used to secure core operating system files and registry keys. WRP protects a large number of file types: WRP1.png 9. Windows Firewall settings using both GUI and CLI tools 10. Windows Defender 10.1 Systems Windows Defender is found and impact on operations Resources https://networkencyclopedia.com/discretionary-access-control-list-dacl/#:~:text=A%20DACL%20stands%20for%20Discretionary,can%20perform%20on%20the%20object. https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces