CSS-Exchange
New-KrbtgtKeys.ps1
CSS-Exchange | New-KrbtgtKeys.ps1 |
---|---|
98 | 15 |
1,195 | 347 |
0.3% | - |
0.0 | 0.0 |
2 days ago | about 2 months ago |
PowerShell | PowerShell |
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
CSS-Exchange
- Has anyone ran the CVE-2023-23397 script against a large environment?
- CVE-2023-23397
  The MaxServicePointIdleTime property I changed because of what I saw suggested here: https://github.com/microsoft/CSS-Exchange/issues/1581.
- CVE-2023-23397 - Critical Elevation of Privilege zero-day in Microsoft Outlook, severity 9.8
  This is actively exploited, patch immediately. Microsoft also provided a script that checks Exchange items for malicious messaging items: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md
- // SITUATIONAL AWARENESS // Hunting Microsoft Word NTLM Relay Vulnerability CVE-2023-23397
  Microsoft has released a PowerShell script that can be run on Exchange infrastructure to scan email files for malicious UNC paths, however, patching is the preferred mitigation strategy.
- Exchange 0day exploit in wild
  I would expect that installing the URL Rewrite 2 module shouldn't cause any problems -- E2013 as such doesn't care about it. In fact, Microsoft's own EOMT script for the Hafnium mitigations suggests installing it. It'll likely require a reboot, though, or at the very least an IIS restart.
- Health checker reports unsigned IIS modules (Exchange 2013 CU23)
  Yep, the August security update and OS updates were installed on all four nodes. But the order in which they were installed may have been different... I don't recall. Someone just posted above that this is a known problem with Windows 2012/R2: https://github.com/microsoft/CSS-Exchange/pull/1166
- Critical privileged elevation patch incoming next week.
- Exchange Admin?
- May 2022 Security Update - detection
  Which is the latest I can find on Github. This server is running Exchange 2019 CU 11. It has the March updates (KB5012698), but not the May one (KB5014261). You can also verify from the build number it's not up to date. There are no vulnerabilities reported and the only thing in "red" is that TCP keepalive warning.
- Exchange 2019 still requires obsolete UCM4 installation
  https://github.com/microsoft/CSS-Exchange/issues/535 Even the maintainer David Paulson of the ExchangeHealthcheck script opened an issue on this matter, only waiting on feedback of the Exchange Team.
New-KrbtgtKeys.ps1
- Disabling RC4 Kerberos Encryption Type in your AD
  You should start rotating your krbtgt password (example script), if you haven't done so. You'll break everything if it's never been rotated. At least twice with a minimum of a day in-between. Never rotate twice under 10 hours or you'll break a lot.
- Taking over from hostile IT - One man IT shop who holds the keys to the kingdom
  This is critical. Most AD domains never change this password, so if the domain's been around since Windows 2000, that's a lot of opportunity for someone to pick up and use it to grant themselves any access. Often the reason for not doing so is the havoc it can cause if you have a huge worldwide domain with hundreds of DCs and some don't get the replicated password change before you do it a second time. Microsoft has a tool that minimizes this risk.
- Password change for KRBTGT account in Cyberark
  You would likely need a PowerShell plugin, via TPC, that uses this Microsoft script: https://www.microsoft.com/en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/ . Though the script appears to be gone from MSFT, and can be found here: https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1 . Though Msft might have gotten their script originally from this author: Jorge de Almeida Pinto - more updated script here: https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1
- PingCastle and Active Directory hardening
  The first is about last change of the Kerberos password. Can I safely change such password with this script? Honestly I never did this before.
- Changing very old krbtgt Password
  I've used the recommended Microsoft script here https://github.com/microsoft/New-KrbtgtKeys.ps1
- Resetting Kerberos ticket issues - RPC connectivity
- ADDS resetting KRBTGT password concerns
  krbtgt script
- Servers affected by ransomware
  Reset the krbtgt keys twice: https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1
- Resetting krbtgt password
- KRBTGT password reset gone wrong?
What are some alternatives?
HealthChecker - Exchange Server Performance Health Checker Script
Public-AD-Scripts - AD Scripts
GadgetToJScript - A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
pingcastle - PingCastle - Get Active Directory Security at 80% in 20% of the time
exchange_webshell_detection - Detect webshells dropped on Microsoft Exchange servers exploited through "proxylogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
Metasploit - Metasploit Framework
badExchangePews
Cyber-Defence - Information released publicly by NCC Group's Cyber Incident Response Team
scanning
IISBackdoorDetect - Detects IIS modules such as IIS-RAID
postfix - Postfix MTA by Wietse Venema