Suspicious Services in Windows - Tip #3

-

Suspicious Services in Windows


Many small/medium companies which don’t have policy, governance, control ..etc. in order to protect their data/services, surely these organizations will suffer from an unstable/insecure environment and in anytime might the whole environment become compromised. Might you have suspicious services are running in your environment but You don't know :). 

There are enterprise solutions might fulfill these requirements to scan such services but if you don't have it you can go ahead and try to play with WMI (Windows Management Instrumentation). Below script will provide all abnormal/suspicious services that are running in the remote desktops and not running in Windows or Program files folder or services are running by different accounts not built-in service logon accounts such localsystem nor networkservice..etc. You can amend on this script based on your requirements.


$Computer = Get-Content "D:\ \ListOfComputers.csv"

Get-WmiObject win32_service -computername $computer| where-object {($_.pathname -notlike "*C:\Windows*" -and $_.PathName -notlike "*C:\Program Files*\*") -or ($_.startname -notlike "*Local*" -and $_.startname -notlike "*NetworkService*")} | Select-object __Server, startname, pathname, name | Sort-object __server, name | Format-table –autosize

You can get list of Computers in specific OU by using below commands :

(Get-ADComputer -Filter * -Searchbase "OU=Computers,DC=ABC,DC=com").Name | Out-File D:\ListOfComputers.txt


Type of built-in Accounts in Windows which running services :
  •  Local System (Highest-privilege account on a Windows system)
  • Local Service (Minimum privileges on the local computer and allow anonymous credentials)
  • Network Service(Used when service require to authenticated with other computers on the network by using the computer's account in the domain )
Note : Services can be run by normal AD account or Managed service accounts and this is the best practices.

Requirements to communicate with remote server via WMI :
  • Make suer WMI services is running (Run services.msc and ensure Windows "Management Instrumentation" service Startup Type is set to Automatic)
  • WMI will use 135 port then will use a wide range of dynamic ports from 1024 to 65535, follow the below article to set up a fixed port for WMI..

https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/setting-up-a-fixed-port-for-wmi

Comments

Post a Comment

Popular posts from this blog

How to Configure Azure MFA with Exchange Server 2013 and ADFS 2012 R2

-
Image
How to Configure Azure MFA with Exchange Server 2013 and ADFS 2012 R2 How to Configure Azure MFA with Exchange Server Introduction : I was struggling to configure Azure MFA and Exchange without to use ADFS due to Exchange doesn't have Page to type text, the only phone call will work, eventually I decided to use ADFS due to this is only the way to have MFA (OTP) with Exchange. This is a quick guide to configure Azure MFA with Exchange & ADFS In this article I will demonstrate how you will apply MFA with Exchange server which has configured to use ADFS authentication, nowadays security of any organization is mandatory especially if they have applications have published externally. MFA comes to add the additional layer of security for these applications and will make organization a tad bit secure than the traditional static password. I believe Azure MFA has most of the capabilities of MFA that any organization might be looking for. If we will talk abou...
Read more

How to exclude certain users from MFA in ADFS 3.0

-
Image
Although we do not recommend exclude any users from 2FA, but some organizations have their justifications for excluding certain users from MFA. In ADFS 3.0 (Win Server 2012 R2) doesn't have GUI to apply such policy and you need to amend on claims rule by power-shell, but it's available in Win server 2016 and later as GUI. Let assume that you applied MFA by adding group "domain users" in the edit authentication policy. You need to exclude specific users from MFA, create another security group then add required users, then apply the below custom rule : 1 :  Get the SID of domain users "S-1-5-21domain-513" and EX_MFA group. 2 : $MFAEX = 'exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "domain users' SID"]) && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "EX_MFA's SID"]) => issue (Type = "http://sche...
Read more