CSS-Exchange vs New-KrbtgtKeys.ps1

CSS-Exchange

Exchange Server support tools and scripts (by microsoft)

This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation. (by microsoftarchive)

Suggest topics

DISCONTINUED

Suggest alternative

Edit details

InfluxDB - Power Real-Time Data Analytics at Scale

Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

www.influxdata.com

featured

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

featured

CSS-Exchange		New-KrbtgtKeys.ps1
	Project
98	Mentions	15
1,195	Stars	347
0.3%	Growth	-
0.0	Activity	0.0
2 days ago	Latest Commit	about 2 months ago
PowerShell	Language	PowerShell
MIT License	License	MIT License

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

CSS-Exchange

Posts with mentions or reviews of CSS-Exchange. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-08-12.

Has anyone ran the CVE-2023-23397 script against a large environment?
1 project | /r/sysadmin | 21 Mar 2023
CVE-2023-23397
1 project | /r/sysadmin | 16 Mar 2023

The MaxServicePointIdleTime property I changed because of what I saw suggested here: https://github.com/microsoft/CSS-Exchange/issues/1581.
CVE-2023-23397 - Critical Elevation of Privilege zero-day in Microsoft Outlook, severity 9.8
1 project | /r/cybersecurity | 16 Mar 2023

This is actively exploited, patch immediately. Microsoft also provided a script that checks Exchange items for malicious messaging items: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md
// SITUATIONAL AWARENESS // Hunting Microsoft Word NTLM Relay Vulnerability CVE-2023-23397
1 project | /r/crowdstrike | 15 Mar 2023

Microsoft has released a PowerShell script that can be run on Exchange infrastructure to scan email files for malicious UNC paths, however, patching is the preferred mitigation strategy.
Exchange 0day exploit in wild
1 project | /r/exchangeserver | 29 Sep 2022

I would expect that installing the URL Rewrite 2 module shouldn't cause any problems -- E2013 as such doesn't care about it. In fact, Microsoft's own EOMT script for the Hafnium mitigations suggests installing it. It'll likely require a reboot, though, or at the very least an IIS restart.
Health checker reports unsigned IIS modules (Exchange 2013 CU23)
2 projects | /r/exchangeserver | 12 Aug 2022

Yep, the August security update and OS updates were installed on all four nodes. But the order in which they were installed may have been different... I don't recall. Someone just posted above that this is a known problem with Windows 2012/R2: https://github.com/microsoft/CSS-Exchange/pull/1166
Critical privileged elevation patch incoming next week.
2 projects | /r/exchangeserver | 7 Aug 2022
Exchange Admin?
1 project | /r/sysadmin | 24 Jun 2022
May 2022 Security Update - detection
1 project | /r/exchangeserver | 26 May 2022

Which is the latest I can find on Github. This server is running Exchange 2019 CU 11. It has the March updates (KB5012698), but not the May one (KB5014261). You can also verify from the build number it's not up to date. There are no vulnerabilities reported and the only thing in "red" is that TCP keepalive warning.
Exchange 2019 still requires obsolete UCM4 installation
3 projects | /r/exchangeserver | 3 Sep 2021

https://github.com/microsoft/CSS-Exchange/issues/535 Even the maintainer David Paulson of the ExchangeHealtcheck script opened an issue on this matter, only waiting on feedback of the Exchange Team.

New-KrbtgtKeys.ps1

Posts with mentions or reviews of New-KrbtgtKeys.ps1. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-06-05.

Disabling RC4 Kerberos Encryption Type in your AD
1 project | /r/sysadmin | 5 Dec 2023

You should start rotating your krbtgt password (example script), if you haven't done so. You'll break everything if it's never been rotated. At least twice with a minimum of a day in-between. Never rotate twice under 10 hours or you'll break a lot.
Taking over from hostile IT - One man IT shop who holds the keys to the kingdom
1 project | /r/sysadmin | 28 Jun 2023

This is critical. Most AD domains never change this password, so if the domain's been around since Windows 2000, that's a lot of opportunity for someone to pick up and use it to grant themselves any access. Often the reason for not doing so is the havoc it can cause if you have a huge worldwide domain with hundreds of DCs and some don't get the replicated password change before you do it a second time. Microsoft has a tool that minimizes this risk.
Password change for KRBTGT account in Cyberark
2 projects | /r/CyberARk | 5 Jun 2023

You would likely need a PowerShell plugin, via TPC, that uses this Microsoft script: https://www.microsoft.com/en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/ . Though the script appears to be gone from MSFT, and can be found here: https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1 . Though Msft might have gotten their script originally from this author: Jorge de Almeida Pinto - more updated script here: https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1
PingCastle and Active Directory hardening
2 projects | /r/sysadmin | 11 May 2023

The first is about last change of the Kerberos password. Can I safely change such password with this script? Honestly I never did this before.
Changing very old krbtgt Password
1 project | /r/sysadmin | 14 Mar 2023

I've used the reccomended microsoft script here https://github.com/microsoft/New-KrbtgtKeys.ps1
Resetting Kerberos ticket issues - RPC connectivity
1 project | /r/sysadmin | 24 Feb 2023
ADDS resetting KRBTGT password concerns
1 project | /r/sysadmin | 17 Feb 2023

krbtgt script
Servers affected by ransomware
1 project | /r/msp | 11 Dec 2022

Reset the krbtgt keys twice: https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1
Resetting krbtgt password
3 projects | /r/sysadmin | 16 Nov 2022
KRBTGT password reset gone wrong?
1 project | /r/activedirectory | 2 Nov 2022

What are some alternatives?

When comparing CSS-Exchange and New-KrbtgtKeys.ps1 you can also consider the following projects:

HealthChecker - Exchange Server Performance Health Checker Script

Public-AD-Scripts - AD Scripts

GadgetToJScript - A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.

pingcastle - PingCastle - Get Active Directory Security at 80% in 20% of the time

exchange_webshell_detection - Detect webshells dropped on Microsoft Exchange servers exploited through "proxylogon" group of vulnerabilites (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

Metasploit - Metasploit Framework

badExchangePews

Cyber-Defence - Information released publicly by NCC Group's Cyber Incident Response Team

scanning

IISBackdoorDetect - Detects IIS modules such as IIS-RAID

postfix - Postfix MTA by Wietse Venema