Defense.md

Defense

---

Table of Contents

• 101 / Basics
• I Want to...
  • Not Get Hacked
  • (Personal)
    • Create an Asset Inventory
    • Track all my Assets
    • Create a Basic Security Plan
    • Create a Basic Security Strategy
  • Corp/Enterprise Environment
    • Create an Asset Inventory
    • Track all my Assets
    • Categorize All Assets/Define Asset Groups
    • Create an Asset Lifecycle for each
    • Create a Basic Security Plan
    • Create a Basic Security Strategy
    • Implement some Basic Security Plan
    • Create a Basic Security Policy
    • Create a Security Awareness Program For My Org
    • Create a Security Baseline For My Environment
    • Measure an Organization's Baseline Security Posture
    • Create a Running Tracker of My Org's Security
    • Identify Means of Improving My Organization's Baseline Security Posture
    • Implement a Vulnerability Management Program Within My Organization
    • Control Means of Software Execution on Org Owned Devices
    • Mitigate Phishing at Scale
• Specific Technical Defenses - 101 Level Stuff/Concepts - Access Controls - Application Execution Control - Application Monitoring & Logging - Firewalls - Malicious Devices - System Monitoring & Logging - Blue Team Tactics & Strategies - - Attack Surface Analysis & Reduction - - Linux - - macOS - - Windows - Impement Application Execution Control - - - - - Databases - Networks - SSH - Mitigate Phishing Attacks - Mitigate Ransomware Attacks - For Journalists - For Individuals Leaking Sensitive Information -
• General Hardening/Securing
  • 101
  • Hardening Cloud Services/SaaS
  • Linux
  • Hardening macOS
  • Hardening Windows
  • Hardening Web Applications

---

• To-Do
  • User Awareness training
  • Objective-See Tools
  • Cred defense
  • SPA
  • Ransomware
  • Fix ToC more.

---

101/Basics

• 101
  • Center for Internet Security
    • CIS Top 20 Controls
    • CIS Benchmark Guides
    • AuditScripts - CIS Critical Security Controls

---

I Want to...(Personal)

• Create an Asset Inventory
• Track all my Assets
• Create a Basic Security Plan
• Create a Basic Security Strategy

---

I Want to...(Enterprise/Organization)

• Create an Asset Inventory

• Categorize All Assets/Define Asset Groups

• Track all my Assets

• Create an Asset Lifecycle For Each

• Create a Basic Security Plan

• Create a Basic Security Strategy

• Create a Basic Security Policy

• Create a Security Awareness Program For My Org

• Create a Security Baseline For My Environment

  • Tech/User-Profiling
    • Articles/Blogposts/Writeups
      • Browser fingerprints for a more secure web - Julien Sobrier & Ping Yan(OWASP AppSecCali2019)
      • Stealthier Attacks and Smarter Defending with TLS Fingerprinting - Lee Brotherston(SecTor2015)
        • Slides from Derbycon for the same talk
      • Moloch + Suricata + JA3 - Anton
        • Inspired by the awesome Derbycon talk by John Althouse I wanted to give JA3 a try. After some Googling around the easiest way seemed like installing Moloch which has JA3 support baked in. This post is just a brief overview how to set this up and start exploring JA3 hashes. As a bonus, I also configured Suricata support for Moloch.
    • Talks/Presentations/Videos
      • Baselining Behavior Tradecraft through Simulations - Dave Kennedy(WWHF19)
        • With the adoption of endpoint detection and response tools as well as a higher focus on behavior detection within organizations, when simulating an adversary it's important to understand the systems you are targeting. This talk will focus on the next evolution of red teaming and how defeating defenders will take more work and effort. This is a good thing! It's also proof that working together (red and blue) collectively, we can make our security programs more robust in defending against attacks. This talk will dive into actual simulations where defenders have caught us as well as ways that we have circumvented even some of the best detection programs out there today. Let's dive into baselining behavior and refining our tradecraft to evade detection and how we can use that to make blue better.
  • Web Browser Extensions
    • Articles/Blogposts/Writeups
      • Finding Browser Extensions To Hunt Evil! - Brad Antoniewicz
    • Tools
      • Inventory-BrowserExts - keyboardcrunch
        • This script can inventory Firefox and/or Chrome extensions for each user from a list of machines. It returns all the information back in a csv file and prints to console a breakdown of that information.

• Measure an Organization's Baseline Security Posture

• Create a Running Tracker of My Org's Security

• Identify Means of Improving My Organization's Baseline Security Posture

• Implement a Vulnerability Management Program Within My Organization

  • 101
    • US-CERT VulnMGMT FAQ
    • The Five Stages of Vulnerability Management(tripwire)
    • Implementing a Vulnerability Management Process - SANS
    • CISO Mind Map and Vulnerability Management Maturity Model - SANS(2020)
    • Building a Model for Endpoint Security Maturity
  • Articles/Blogposts/Writeups
    • Vulnerability Management Program Best Practices – Irfahn Khimji
    • The Five Stages of Vulnerability Management - Irfahn Khimji
    • Who Fixes That Bug? - Part One: Them! - Ryan McGeehan
      • Part 2
  • Identifying Assets
    • Local Networks
      • PowerShell: Documenting your environment by running systeminfo on all Domain-Computers - Patrick Gruenauer
      • A Faster Way to Identify High Risk Windows Assets - Scott Sutherland
        • "In this blog I took a quick look at how common Active Directory mining techniques used by the pentest community can also be used by the blue teams to reduce the time it takes to identify high risk Windows systems in their environments."
    • Cloud
      • Lyft Cartography: Automating Security Visibility and Democratization - Sacha Faust(BSidesSF2019)
        • Lyft Security Intelligence team mission is to "Empower the company to make informed and automated security decisions." To achieve our mission, we invested in our cartography capabilities that aim at keeping track of our assets but most importantly, the relationship and interaction between them. The talk provides insight on an intelligence service solution implemented by Lyft Security Intelligence team to tackle knowledge consolidation and improve decision making. Attendees of this session will be introduced to the platform we implemented along with a broad set of scenarios that allow us to burndown security debt, detect assumptions drift, and enable teams to explore their service and environment. Furthermore, Lyft will release the platform to the open source community as part of the conference and provide details on how it can be extended to adapt to each need.
      • Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and Query - Erkang Zheng(2019)
  • Measuring Maturity
    • Vulnerability Management Maturity Models – Trip Wire: https://traviswhitney.com/2016/05/02/vulnerability-management-maturity-models-trip-wire/
    • Capability Maturity Model(Wikipedia): https://en.wikipedia.org/wiki/Capability_Maturity_Model
  • Nessus
    • Nessus v2 xml report format - Alex Leonov
    • Parsing Nessus v2 XML reports with python - Alex Leonov
    • Read .nessus file into Excel (with Power Query) - Johan Moritz
    • Nessus v2 File Format - Tenable
    • Have you configured Nessus to betray you? - ShorebreakSecurity
      • Stealing Nessus Auth creds through fake auth
  • Talks & Presentations
    • Securing Vendor Webapps - A Vulnerability Assessment on HELK - IppSec
      • IppSec gives his methodology for performing vulnerability assesments against web applications. Good for understanding mindset, process, and workflow.
    • SANS Webcast: Beyond Scanning Delivering Impact Driven Vulnerability Assessments - Matthew Toussain
    • Practical Approach to Automate the Discovery & Eradication of Open-Source Software Vulnerabilitie - Aladdin Almubayed
      • Over the last decade, there has been steady growth in the adoption of open-source components in modern web applications. Although this is generally a good trend for the industry, there are potential risks stemming from this practice that requires careful attention. In this talk, we will describe a simple but pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale.
    • Network gravity: Exploiring a enterprise network - Casey Martin(BSides Tampa2020)
      • Enterprise networks are often complex, hard to understand, and worst of all - undocumented. Few organizations have network diagrams and asset management systems and even fewer organizations have those that are effective and up to date. Leveraging an organization's SIEM or logging solution, network diagrams and asset inventories can be extrapolated from this data through the 'gravity' of the network. Similar to our solar system and galaxy, even if you cannot confirm or physically see an object, you can measure the forces of gravity it exerts on the observable objects around it that we do know about. For example, unconfirmed endpoints can be enumerated by the authentication activity they register on known domain controllers. The inferred list of endpoints and their network addresses can begin to map out logical networks. The unpolished list of logical networks can be mapped against known egress points to identify physical networks and potentially identify undiscovered egress points and the technologies that exist at the egress points. As more objects are extrapolated and inferred, the more accurate the model of your enterprise network will become. Through this iterative and repeatable process, network diagrams and asset inventories can be drafted, further explored, refined, and ultimately managed. Even the weakest of observable forces can create fingerprints that security professionals can leverage to more effectively become guardians of the galaxy.
    • We detected a severe vulnerability, why is nobody listening? An Introduction to Product Management
      • Have you ever wondered why one of your high-priority vulnerabilities got rejected or delayed even though you thought it was foolish of your company not to implement it in a timely fashion? You probably got slowed down or stopped by the gatekeepers to engineering resources namely product management. However, what product management entails and what the goals of product management are, is rarely explained. I lead a group of product managers in a medical software company, and it is my job to decide which projects make it into the engineering/R&D backlog and which ones are being delayed or even eliminated. I will share the decision-making process and critical questions that need to be answered by any project to make it onto the shortlist. In this presentation, I will provide a view of product management from the inside. Once everybody understands what product management is, what product managers do, why he or she does it, and what his or her decision process is, we can improve the chances of critical IT projects or vulnerability fixes to be completed on time. I believe that together we can build better and more secure products when we understand each other's motivators and goals.
    • The Art of Vulnerability Management - Alexandra Nassar, Harshil Parikh(OWASP AppSecCali 2019)
      • To summarize, in this talk we will discuss the pain points that most organizations face in getting traction to vulnerability remediation, how we decided to tackle the challenge, the solution we built and how we drove accountability to improve metrics. We will talk about the key decisions we made that the audience can relate to and improve their own vulnerability management program. Finally, we will show templates of our Jira boards, metrics and charts that helped in measuring success of the program.
  • Papers
    • Implementing a Vulnerability Management Process - Tom Palmaers(SANS2013)
    • Building a VulnerabilityManagement Program: A project management approach - Wylie Shanks(2015)
      • Abstract: This paper examines the critical role of project management in building a successful vulnerability management program. This paper outlines how organizational risk and regulatory compliance needs can be addressed through a "Plan-Do-Check-Act" approach to a vulnerability management program.
  • CVSS-related
    • Towards Improving CVSS - CMU SEI
    • When CVSS Fits and When it Doesn’t(NCC Group)
    • Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735
    • Microsoft Exploitability Index
    • Towards Improving CVSS - J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick - CMU
  • Tools
    • Vuls
      • Agent-less vulnerability scanner for Linux, FreeBSD, Container Image, Running Container, WordPress, Programming language libraries, Network devices
    • ArcherySec
      • Centralize Vulnerability Assessment and Management for DevSecOps Team
    • Scumblr
      • Web framework that allows performing periodic syncs of data sources and performing analysis on the identified results
    • Predator
      • Predator is a prototype web application designed to demonstrate anti-crawling, anti-automation & bot detection techniques. It can be used a honeypot, anti-crawling system or a false positive test bed for vulnerability scanners.
    • DefectDojo
      • DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.

• Control Means of Software Execution on Org Owned Devices

  • 101
    • Guide to Application Whitelisting - NIST Special Publication 800 - 167
  • Linux
  • macOS
    • Tools
      • Santa
        • Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.
        • Docs
  • Windows

---

Specific Technical Defenses

• 101 Level Stuff/Concepts

• Access Controls

• Application Execution Control

• Application Monitoring & Logging

• Firewalls

  • 101
  * **Implementation** * **Linux** * [OpenSnitch](https://github.com/evilsocket/opensnitch) * OpenSnitch is a GNU/Linux port of the Little Snitch application firewall * **macOS** * Littlesnitch * LuLu * **Windows** * [simplewall](https://github.com/henrypp/simplewall) * Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. For correct working, need administrator rights.
  • Management
    • Assimilator
      • The first restful API to control all firewall brands. Configure any firewall with restful API calls, no more manual rule configuration. Centralize all your firewalls into one API.

• Malicious Devices

• System Monitoring & Logging

---

Blue Team Tactics & Strategies

• General Concepts
  • Zero-Trust Model
    • 101
      • Build Security Into Your Network’s DNA: The Zero Trust Network Architecture - John Kindervag(2010)
      • NIST SP 800-207: Zero Trust Architecture(2020)
    • Articles/Blogposts/Writeups
      • Zero trust architecture design principles - UK NSC
        • Blogpost
        • Principles to help you design and deploy a zero trust architecture
      • Exploring The Zero Trust Model - securethelogs.com(2019)
      • Exploring The Zero Trust Model - securethelogs(2019``)
      • Awesome Zero trust
    • Papers
      • Google BeyondCorp Series
        1. BeyondCorp: A New Approach to Enterprise Security - Rory Ward, Betsy Beyer(2014)
        2. BeyondCorp: Design to Deployment at Google - Barclay Osborn, Justin McWilliams, Betsy Beyer, Max Saltonstall(2016)
        3. BeyondCorp: The Access Proxy - Batz Spear, Betsy (Adrienne Elizabeth) Beyer, Luca Cittadini, Max Saltonstall(2016)
        4. Migrating to BeyondCorp: Maintaining Productivity While Improving Security - Betsy (Adrienne Elizabeth) Beyer, Colin McCormick Beske, Jeff Peck, Max Saltonstall(2017)
        5. BeyondCorp: The User Experience - Victor Manuel Escobedo, Filip Zyzniewski, Betsy (Adrienne Elizabeth) Beyer, Max Saltonstall(2017)
        6. BeyondCorp 6: Building a Healthy Fleet(2018) - Michael Janosko, Hunter King, Betsy (Adrienne Elizabeth) Beyer, Max Saltonstall(2018)
    • Talks/Presentations/Videos
      • Towards Zero Trust at GitLab.com - Kathy Wang, Philippe Lafoucrière(Cloud Next '19)
• Articles/Blogposts/Writeups
  • Removing Backdoors – Powershell Empire Edition - n00py(2017)
  • Sysinternals Sysmon suspicious activity guide - blogs.technet
• Talks/Presentations/Videos
  • NSA TAO Chief on Disrupting Nation State Hackers - Rob Joyce(USENIX ENIGMA2016)
    • From his role as the Chief of NSA's Tailored Access Operation, home of the hackers at NSA, Mr. Joyce will talk about the security practices and capabilities that most effectively frustrate people seeking to exploit networks.
  • So you want to beat the Red Team - Cameron Moore - Bsides Philly 2016
  • DIY Blue Teaming - Vyrus(ShellCon2018)
    • "White hat", "black hat", "corporate", "criminal", no matter the context, "red" or offensive security practitioners tend to build their own tools in order to be successful. Weather it's to avoid paying high costs for "enterprise" level solutions, prototype new concepts, or simply "glue" solutions together that are otherwise not designed to play well with others, the accomplished attacker is also a tool smith. "What about the blue team!?" This talk aims to address just that by providing practical solutions to defender tasks that include but are not limited to: IPS/IDS, malware detection and defense, forensics, system hardening, and practical and expedient reverse engineering techniques.
  • Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency - Sean Malone - BHUSA16
    • We'll review what actions are taken in each phase, and what's necessary for the adversary to move from one phase to the next. We'll discuss multiple types of controls that you can implement today in your enterprise to frustrate the adversary's plan at each stage, to avoid needing to declare "game over" just because an adversary has gained access to the internal network. The primary limiting factor of the traditional Cyber Kill Chain is that it ends with Stage 7: Actions on Objectives, conveying that once the adversary reaches this stage and has access to a system on the internal network, the defending victim has already lost. In reality, there should be multiple layers of security zones on the internal network, to protect the most critical assets. The adversary often has to move through numerous additional phases in order to access and manipulate specific systems to achieve his objective. By increasing the time and effort required to move through these stages, we decrease the likelihood of the adversary causing material damage to the enterprise.
    • Slides
  • Finding a Domain's Worth of Malware - Jeff McJunkin(WWHF19)
    • Are you tired of demonstrations of products that take months or years to get effective data from? How many products have you seen half-implemented (but fully paid for!) that didn’t ever deliver any real value to your organization? Here, I’ll discuss multiple free products that you can use next week to find evil inside your organization. Some techniques will find less advanced adversaries, and some will trip up even some of the most advanced ones - but they’ll all deliver value in less than a week of implementation, and I’ll discuss how you can integrate them and find the malware you already have in your environment. “Assume breach”...then find it!
• Tools
  • NorkNork - Tool for identifying Empire persistence payloads

---

Attack Surface Analysis & Reduction

• Monitoring
  • Tools
    • Intrigue-core
      • Intrigue-core is a framework for automated attack surface discovery.

---

Linux

---

macOS

---

Windows

• Impement Application Execution Control

---

Databases(SQL/NoSQL)

• Specific
  • Mongo
    • MongoDB Security Checklist

---

Computer Networks

• General
  • Talks & Presentations
    • Defending the Enterprise Against Network Infrastructure Attacks - Paul Coggin - Troopers15
• ACLs
  • Tools
    • Capirca
      • Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
• Single Packet Authorization
  • Articles/Blogposts/Writeups
  • Papers
  • Tools
    • DrawBridge
      • A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.
• SSH
  • Articles/Blogposts/Writeups
    • Scalable and secure access with SSH - Facebook
  • Documents
    • Mozilla OpenSSH
      • The goal of this document is to help operational teams with the configuration of OpenSSH server and client. All Mozilla sites and deployment should follow the recommendations below. The Enterprise Information Security (Infosec) team maintains this document as a reference guide.
    • CERT-NZ SSH Hardening
      • CERT NZ documentation for hardening SSH server and client configuration, and using hardware tokens to protect private keys
  • Tools
    • ssh-audit
      • SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

---

Mitigate Phishing Attacks

• 101
  • See 'Phishing.md'
• Articles/Blogposts/Writeups
  • Blocking Spam and Phishing on a Budget - Reid Huyssen
  • Catching phishing before they catch you
  • Tracking Newly Registered Domains - SANS
  • When corporate communications look like a phish - William Tsing
• Tools
  • SwordPhish
    • SwordPhish is a very simple but effective button that sits within the users Outlook toolbar. One click and the suspicious e-mail is instantly reported to your designated recipient (i.e your internal security team, or SoC) and contains all metadata required for investigation.
  • Mercure
    • Mercure is a tool for security managers who want to teach their colleagues about phishing.
  • PPRT
    • This module is used to report phishing URLs to their WHOIS/RDAP abuse contact information.
  • PhishingKitHunter
    • PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campaigns targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
  • Hunting-Newly-Registered-Domains
    • The hnrd.py is a python utility for finding and analysing potential phishing domains used in phishing campaigns targeting your customers. This utility is written in python (2.7 and 3) and is based on the analysis of the features below by consuming a free daily list provided by the Whoisds site.
  • SwiftFilter
    • Exchange Transport rules using text matching and Regular Expressions to detect and enable response to basic phishing. Designed to augment EOP in Office 365.

---

Mitigate Ransomware Attacks

• Tools
  • Decryptonite
    • Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.

<<<<<<< HEAD

Table of Contents

• Defense & Hardening
  • Access Control
  • AWS -Blue Team Tactics & Strategies
  • Application Whitelisting
  • Attack Surface Analysis/Reduction
  • General Hardening
  • Google-related
  • Journalist
  • Leaks
  • Linux/Unix
  • Malicious USBs -Microsoft Azure
  • Network
  • OS x
  • Phishing
  • Ransomware
  • User Awareness training
• Windows
  • Active Directory
• Vulnerability Management

---

For Journalists

* [Information Security For Journalist book - Centre for Investigative Journalism](http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf)

---

For Individuals Leaking Sensitive Information

• Performing
  • Tools
• Preventing
  • Talks/Presentations/Videos
    • You're Leaking Trade Secrets - Defcon22 Michael Schrenk
      • Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
  • Tools
    • AIL framework - Analysis Information Leak framework
      • AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.
    • git-secrets
      • Prevents you from committing passwords and other sensitive information to a git repository.
    • keynuker
      • KeyNuker scans public activity across all Github users in your Github organization(s) and proactively deletes any AWS keys that are accidentally leaked. It gets the list of AWS keys to scan by directly connecting to the AWS API.

---

General Hardening

• 101
• Hardening Cloud Services/SaaS
  • Microsoft Azure
    • Manage emergency-access administrative accounts in Azure AD - docs.ms
    • Securing privileged access for hybrid and cloud deployments in Azure AD - docs.ms
    • How to require two-step verification for a user - docs.ms
    • What is conditional access in Azure Active Directory? - docs.ms
    • Detecting Kerberoasting activity using Azure Security Center - Moti Bani
  • G-Suite
    • Securing G Suite - Megan Roddie
  • Gmail
    • Adding a security key to Gmail - techsolidarity.org
      • This guide is designed for regular humans. It will walk you through the steps of effectively protecting your Gmail account with a security key, without explaining in detail the reasons for each step.
• Hardening Linux * Linux workstation security checklist * systemd service sandboxing and security hardening 101 - Daniel Aleksanderen
  • LUNAR
    • "This scripts generates a scored audit report of a Unix host's security. It is based on the CIS and other frameworks. Where possible there are references to the CIS and other benchmarks in the code documentation."
  • Filenames and Pathnames in Shell: How to do it Correctly
  • Monit
    • Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
  • Red Hat Enterprise Linux 6 Security Guide
• Hardening macOS
  • General
    • macOS-Security-and-Privacy-Guide
      • A practical guide to securing macOS.
    • Apple Platform Security Guide(Spring2020)
  • Talks/Presentations/Videos
    • Behind the scenes of iOS and Mac Security - Ivan Krstić(BHUSA 19)
      • The Find My feature in iOS 13 and macOS Catalina enables users to receive help from other nearby Apple devices in finding their lost Macs, while rigorously protecting the privacy of all participants. We will discuss our efficient elliptic curve key diversification system that derives short non-linkable public keys from a user’s keypair, and allows users to find their offline devices without divulging sensitive information to Apple.
    • OS X Hardening: Securing a Large Global Mac Fleet - Greg Castle
  • Firewalls
    • LuLu
      • LuLu is the free open-source macOS firewall that aims to block unauthorized (outgoing) network traffic
  • Tools
    • netman
      • A userland network manager with monitoring and limiting capabilities for macOS.
    • netfil
      • A kernel network manager with monitoring and limiting capabilities for macOS.
    • OverSight
      • OverSight monitors a mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
• Hardening Windows
  • 101
  • Guides
    • Windows 10 Hardening Checklist
    • Windows 10 Security Checklist Starter Kit - itprotoday
    • ERNW Repository of Hardening Guides
      • This repository contains various hardening guides compiled by ERNW for various purposes. Most of those guides strive to provide a baseline level of hardening and may lack certain hardening options which could increase the security posture even more (but may have impact on operations or required operational effort).
    • Awesome Windows Domain Hardening
  • Accounts & Credentials
    • General
      • MS Security Advisory 2871997
        • Update to Improve Credentials Protection and Management
      • Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014 - support.ms
        • Disable WDigest storing credentials in memory
      • Credentials Protection and Management - docs.ms
      • Configuring Additional LSA Protection - docs.ms
      • KB2871997 and Wdigest – Part 1
      • Poking Around With 2 lsass Protection Options - Cedric Owens
      • Configuring Additional LSA Protection - docs.ms
    • Lockout
      • Account lockout duration - docs.ms
    • Usage of
      • Blocking Remote Use of Local Accounts
    • Tools
      • Invoke-HoneyCreds - Ben0xA
        • Use Invoke-HoneyCreds to distribute fake cred throughout environment as "legit" service account and monitor for use of creds
      • The CredDefense Toolkit - BlackHills
        • Credential and Red Teaming Defense for Windows Environments
    • Credential/Device Guard
      • Overview of Device Guard in Windows Server 2016
      • Protect derived domain credentials with Windows Defender Credential Guard - docs.ms
      • Windows Defender Device Guard deployment guide - docs ms
      • Windows Defender Credential Guard: Requirements - docs.ms
      • Windows 10 Device Guard and Credential Guard Demystified - blogs.technet
      • Manage Windows Defender Credential Guard - docs.ms
      • Busy Admin’s Guide to Device Guard and Credential Guard - adaptiva
      • Protect derived domain credentials with Windows Defender Credential Guard
      • Using a hypervisor to secure your desktop – Credential Guard in Windows 10 - blogs.msdn
      • Credential Guard lab companion - blogs.technet
      • DeviceGuardBypassMitigationRules
        • A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses.
      • Credential Guard - Say Good Bye to PtH/T (Pass The Hash/Ticket) Attacks - JunaidJan(social.technet.ms)
      • Verification of Windows New Security Features – LSA Protection Mode and Credential Guard - JPCERT
    • Defeating Mimikatz
      • Preventing Mimikatz Attacks - Panagiotis Gkatziroulis
    • Golden/Silver Tickets
      • Defending against mimikatz
      • Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory
      • Mitigating Kerberos Golden Tickets:
      • Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory CERT-EU 2014
      • Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory
      • Using SCOM to Detect Golden Tickets
    • Pass the Hash
      • Mitigating Pass-the-Hash Attacks and other credential Theft-version2
        • Official MS paper.
      • Pass-the-Hash II: Admin’s Revenge - Skip Duckwall & Chris Campbell
        • Protecting against Pass-The-Hash and other techniques
      • Fixing Pass the Hash and Other Problems
      • Pass the Hash Guidance
        • Configuration guidance for implementing Pass-the-Hash mitigations. iadgov
    • Tools
      • OpenPasswordFilter
        • An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
  • ACE & DACLs
    • Windows DACL Enum Project
      • A collection of tools to enumerate and analyse Windows DACLs
  • DLL Hijacking
    • Detecting DLL Hijackingon Windows
  • Windows Firewall * Windows Firewall Hook Enumeration * We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
  • Privilege Escalation
    • The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment
  • Scripts & PowerShell
    • AMSI
      • AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester
    • Windows Defender
  • Services
• Web Applications
  • Password Storage https://codahale.com/how-to-safely-store-a-password/
  • Tools
    • Caja
      • The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website. It enables rich interaction between the embedding page and the embedded applications. Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data.
• Web Servers
  • 101
  • SSL/TLS
    • Apache and Let's Encrypt Best Practices for Security - aaronhorler.com
    • Security/Server Side TLS - Mozilla
      • The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below. Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a configuration generator to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.
    • Hardening Your Web Server’s SSL Ciphers - Hynek Schlawack(2018)
  • Tools
• WAF
  • General
    • Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2
    • OWASP Secure Headers Project
  • NAXSI
    • naxsi
      • NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
    • naxsi wiki
  • ModSecurity
    • ModSecurity
    • ModSecurity Reference Manual