OsbornePro / BTPS-SecPack

This repository contains a collection of PowerShell tools that can be used to protect and defend an environment based on the recommendations of multiple cyber security researchers at Microsoft. These tools were created with a small to medium sized enterprise environment in mind, as smaller organizations do not always have the funding available to spend heavily on security. The goal of this project is to add value to a smaller organization's security by creating more visibility for the average IT administrator. Organizations with 1,000s of devices may find that this entire suite does not apply to them.
https://btpssecpack.osbornepro.com
GNU General Public License v2.0

The Blue Team PowerShell Security Package

OsbornePro

Using Microsoft Teams for Alerts Instead of Email

If you wish to use Microsoft Teams for sending alerts instead of email, load the microsoft-teams branch of this repository, which has the Teams alert modifications. It will take me a little while to implement this as a configuration option in the install script. Using Microsoft Teams for alert posts does not remove the need for certain email notifications in this repository; email will still be used for some of the actions. These Teams posts can be made after you first create a webhook. So-called incoming webhooks offer a way to send alerts or other notifications to a Microsoft Teams channel. I personally still prefer emails after using this method because they are easier to sort through, in my opinion.

You can create a webhook using the following steps (if you are an admin):

  1. Open the Microsoft Teams application
  2. In the left hand pane click "Teams"
  3. Click the more options icon represented by 3 dots "..." next to one of the desired Teams Channels. Example Channel Name: General
  4. Clicking those 3 dots will display a dropdown menu. Click "Connectors"
  5. Click the "Add" button next to "Incoming Webhook"
  6. Click "Add" on the Incoming Webhook pop up screen
  7. On the Incoming Webhook screen perform the following actions:
     a. Define a name for your webhook. In the below image this value is "PowerShell-TeamsMessagePost"
     b. Click "Create"
     c. Optionally you can also use "Upload Image" to select an image for the Incoming Webhook. In the below image I left the default icon, which is the light blue triangle on a white background.
     d. Click "Create"
  8. The Incoming Webhook URL is created. Copy the URL and click "Done"
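Once the webhook URL exists, a Teams alert is nothing more than an HTTPS POST of a JSON card to that URL. The function below is an added example (not code from the BTPS-SecPack project) showing the shape of such a post: the function name, parameter names, the card layout and the sample alert values are all assumptions. It uses the legacy Office 365 connector "MessageCard" format that incoming webhooks accept, and adds an optional button pointing at your SIEM, which is what the "SIEM TOOL LINK" placeholder in the scripts is for.

```powershell
# Added example, not part of the BTPS-SecPack project code.
# Posts a MessageCard to a Teams Incoming Webhook; names and sample values are assumptions.
function Send-TeamsAlert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$WebhookUrl,
        [Parameter(Mandatory = $true)][string]$Title,
        [Parameter(Mandatory = $true)][string]$Summary,
        [hashtable]$Facts = @{},
        [string]$SiemLink
    )

    # The webhook URL is effectively a bearer secret for the channel: anyone holding it can post.
    # Refuse anything that is not HTTPS so it is never sent in the clear.
    if ($WebhookUrl -notmatch '^https://') {
        throw "Webhook URL must use https://"
    }

    # Build the card. 'facts' renders as a name/value table in the Teams post.
    $card = [ordered]@{
        '@type'    = 'MessageCard'
        '@context' = 'https://schema.org/extensions'
        themeColor = 'D70000'
        summary    = $Summary
        title      = $Title
        sections   = @(
            @{
                activityTitle = $Summary
                facts = @($Facts.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = [string]$_.Value } })
            }
        )
    }

    # Optional "Open SIEM" button so the analyst can pivot from the alert to the event data.
    if ($SiemLink) {
        $card['potentialAction'] = @(
            @{ '@type' = 'OpenUri'; name = 'Open SIEM'; targets = @(@{ os = 'default'; uri = $SiemLink }) }
        )
    }

    $body = $card | ConvertTo-Json -Depth 6
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body $body
}

# Usage with constructed placeholder values (replace <tenant>, <id> and the SIEM URL with your own):
# Send-TeamsAlert -WebhookUrl 'https://<tenant>.webhook.office.com/webhookb2/<id>' `
#     -Title 'User Account Locked' -Summary 'Account lockout detected' `
#     -Facts @{ User = 'jdoe'; Computer = 'WS-042'; Time = (Get-Date).ToString('s') } `
#     -SiemLink 'https://siem.example.local'
```

Treat the webhook URL like a password: keep it out of source control and out of shared scripts where possible. Microsoft has announced the retirement of Office 365 connectors in Teams in favour of Workflows, so check the current status of incoming webhooks in your tenant before building on them.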

You can now use the above URL in the B.T.P.S. Security Package scripts I provide. You can quickly update the value in the scripts by executing the below commands:

```powershell
$WebHook = Read-Host -Prompt "Paste your Webhook URL here"
$SIEM = Read-Host -Prompt "If you have a SIEM in your environment enter the link here"
$BTPSHome = Read-Host -Prompt "Where did you save the BTPS Security Package git repo? EXAMPLE: C:\Users\Administrator\Downloads\BTPS-SecPack-microsoft-teams"
# Scripts that carry the WEBHOOK_URL_REPLACE and SIEM TOOL LINK placeholders
$Files = (Get-ChildItem -Path $BTPSHome -Include "AttemptedPasswordChange.ps1","AttemptedPasswordReset.ps1","Failed.Username.and.Password.ps1","User.Account.Created.ps1","User.Account.Locked.ps1","User.Account.Unlocked.ps1","DNSZoneTransferAlert.ps1","NewComputerAlert.ps1","Query-InsecureLDAPBinds.ps1","UnusualUserSignInAlert.ps1","Watch-PortScan.ps1" -Recurse -ErrorAction SilentlyContinue -Force).FullName
ForEach ($File in $Files) {

    # Read each script once, substitute both placeholders as literal strings
    # (so a "$" in the URL is not treated as a regex group reference), and write it back
    $Content = Get-Content -Path $File -Raw
    $Content = $Content.Replace("WEBHOOK_URL_REPLACE", $WebHook).Replace("SIEM TOOL LINK", $SIEM)
    Set-Content -Path $File -Value $Content -Force

}  # End ForEach
```

Your alert in Microsoft Teams will look something like this:

CONTRIBUTE TO THE PROJECT

If you wish to help contribute to the contents of this project, feel free to reach out to me at rosborne@osbornepro.com with your thoughts and ideas. For more general information on this, refer to the CONTRIBUTING documentation.

DONATIONS

If you wish to donate to this project to help me keep a nice looking site for the documentation, your donations will be graciously accepted.
SEND ETHEREUM TO: 0xBeDbCfA5366fF1187957BB3ed8811c51B4dBe4D4

The B.T.P.S. Sec Pack

This repo contains a collection of PowerShell tools that can be used to protect and defend an environment based on Microsoft's recommendations.
This repo also assumes that you have referenced the Windows Event Logging Cheat Sheet for logging in your environment. Use LOG-MD or CIS-CAT to ensure the recommended logging is configured.

Installer.ps1

I wrote an initial install script to automatically set up as many of these protections as possible. Most of these scripts are email alerts. When running Installer.ps1 you will be asked how you want to authenticate to your SMTP server; this can be done with a credential file or with IP address authentication. This script should be run on a domain controller, as that is where many of the alerts are located. I suggest using WinRM over HTTPS in your environment; I have a video and setup instructions for WinRM over HTTPS on this project's site HERE. This script will let you know if LDAP over SSL is being utilized in your environment. If you wish to configure LDAP over SSL in your environment, which I highly recommend, I did a video on how to do this safely and securely HERE. The Installer.ps1 script will help you set up each section of this package, with pauses in the script that wait for you to complete a task if one is needed. One such wait, for example, is for you to set up a group policy to be pushed out. After it has been run, the majority of the below protections will be applied to your environment. The "Unusual Sign In Alert" will require you to modify the UserComputerList.csv file so it lists which users are expected to sign in to which devices in your environment.
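To make the role of UserComputerList.csv concrete, here is an added example (not the project's own UnusualUserSignInAlert.ps1) of the comparison such an alert performs: every interactive or remote-interactive logon is checked against a list of expected user/computer pairs, and anything outside the list is returned for alerting. The CSV column names (User, Computer), the function names and the constructed sample logons are assumptions; the real script's CSV layout may differ.

```powershell
# Added example, not part of the BTPS-SecPack project code.
# CSV column names, function names and sample data are assumptions.

# Load the expected user -> set of computers mapping from the CSV (case-insensitive).
function Get-ExpectedSignIns {
    param([Parameter(Mandatory = $true)][string]$CsvPath)
    $table = @{}
    foreach ($row in Import-Csv -Path $CsvPath) {
        $user = $row.User.Trim().ToLowerInvariant()
        if (-not $table.ContainsKey($user)) {
            $table[$user] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$table[$user].Add($row.Computer.Trim().ToLowerInvariant())
    }
    return $table
}

# Return one record per logon that does not match the expected list.
function Find-UnusualSignIn {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Expected,
        [Parameter(Mandatory = $true)][object[]]$Logons   # objects with User, Computer, LogonType, Time
    )
    foreach ($logon in $Logons) {
        # Only interactive (2) and remote interactive (10) logons are of interest;
        # network and service logons (3, 5) would flood the alert with noise.
        if ($logon.LogonType -notin 2, 10) { continue }
        $user = $logon.User.ToLowerInvariant()
        $computer = $logon.Computer.ToLowerInvariant()
        if (-not $Expected.ContainsKey($user)) {
            [pscustomobject]@{ User = $logon.User; Computer = $logon.Computer; Time = $logon.Time; Reason = 'user not in expected list' }
        } elseif (-not $Expected[$user].Contains($computer)) {
            [pscustomobject]@{ User = $logon.User; Computer = $logon.Computer; Time = $logon.Time; Reason = 'unexpected computer for user' }
        }
    }
}

# Constructed sample CSV and logons so the example runs offline.
$csv = Join-Path $env:TEMP 'UserComputerList.sample.csv'
@'
User,Computer
jdoe,WS-042
jdoe,WS-043
asmith,WS-101
'@ | Set-Content -Path $csv

$sampleLogons = @(
    [pscustomobject]@{ User = 'jdoe';   Computer = 'WS-042'; LogonType = 2;  Time = '2024-01-01T08:00:00' }
    [pscustomobject]@{ User = 'jdoe';   Computer = 'DC01';   LogonType = 10; Time = '2024-01-01T08:05:00' }
    [pscustomobject]@{ User = 'svc_bk'; Computer = 'WS-101'; LogonType = 3;  Time = '2024-01-01T08:06:00' }
    [pscustomobject]@{ User = 'bwayne'; Computer = 'WS-101'; LogonType = 2;  Time = '2024-01-01T08:07:00' }
)

$expected = Get-ExpectedSignIns -CsvPath $csv
Find-UnusualSignIn -Expected $expected -Logons $sampleLogons | Format-Table -AutoSize
```

With the sample data, the jdoe logon to DC01 and the bwayne logon to WS-101 are returned, while the svc_bk network logon is skipped. In a real deployment the logon objects would be built from Security log event ID 4624 (for example via Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } and reading the TargetUserName, WorkstationName and LogonType fields from each event's XML), and each returned record would be handed to the email or Teams alert function.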

What Protections Are Included After Running Installer.ps1?