The Integrated Digital Lab (IDL) environment you are using to perform this lab has a number of features to help ensure that you complete the steps accurately and get the most out of the lab experience. In this brief exercise, you will familiarize yourself with some of the interactive features used in the IDL lab environment that are designed to promote and realize the learning goals of the lab. If you are already familiar with the IDL lab environment, please ensure that you perform the first step in this exercise to sign in to DC01 and then click Done to progress through the remaining steps in the exercise to advance to the next exercise of the lab: Implement Storage Spaces Direct.
Click the Switch to Machine icon to the right of this instruction to ensure that you are on the SRV01 virtual machine. If necessary, sign in as CONTOSO\LabAdmin using Passw0rd! as the password.
This IDL features both knowledge and automation. Whenever you see the Action [Bolt] icon next to text, all or part of the step has been automated, and you can click the Action icon to perform the step. Whenever you see the Knowledge [Bulb in Head] icon, the Alert [Triangle] icon, the Screenshot [Camera] icon, or the Video [Movie Camera] icon, additional information has been provided to enhance your lab experience. Click the Action [Bolt] icon, Knowledge [Bulb in Head] icon, and Screenshot [Camera] icon now.
This is an alert. Alerts are mandatory elements that will pop up to draw your attention to critical information or to provide warnings.
This is an information item. Unlike alerts, information items are optional. They are used to provide additional information and context for specific lab tasks.
PowerShell -Command "Write-Host 'Nice work, you ran this command.'"
Open a Command Prompt window, if one is not already open. Click in the Command Prompt window. Click the Type Text icon to the right of this instruction, and then press ENTER. The network information for SRV01 is displayed.
ipconfig /all
Close all open windows.
In this exercise, you will observe how Credential Guard can protect credential derivatives—for example, an NTLM hash and a Kerberos ticket—in memory, and prevent a Pass-the-Hash attack. You will perform the following tasks on SRV02:
- Retrieve hashed credentials from the Local Security Authority.
- Use the hashed credentials to gain access to the domain and grant permissions.
- Enable Credential Guard using Group Policy.
- Verify that credential hashes are protected by using Credential Guard.
Virtual Machines:
- SRV01
- SRV02
Congratulations! You have successfully protected in-memory LSA hashes by using Credential Guard.
Sign in to SRV02 as Contoso\AdamBarr using Passw0rd! as the password.
Adam Barr has local administrative permissions on SRV02. However, he only belongs to the Domain Users group. In subsequent steps, Adam will use a Pass-the-Hash attack to make himself a member of the Domain Admins group.
Switch to SRV01 by clicking the Switch to Machine icon to the right of this instruction.
There are many ways to leave account information on a server—local logon, remote logon, remote share connection, etc. In this exercise, you will use remote logon, described in the following tasks, to leave administrative account information on SRV02.
On SRV01, ensure you are signed in as CONTOSO\LabAdmin using Passw0rd! as the password.
On the desktop of SRV01, double-click SRV02.rdp. In a few moments, an RDP session is established to SRV02. Click OK to complete the sign-in to SRV02.
Please ensure you click OK to complete the sign in process.
Contoso\LabAdmin is a member of the Domain Admins group. You are establishing a remote connection to SRV02 so that the credential hash for this account will be in memory on SRV02, and thus subject to theft.
Click the Switch to Machine icon to the right of this instruction to switch to SRV02.
In the next few tasks, you will see how attackers can review NTLM hashes stored in SRV02, and perform a Pass-the-Hash attack to elevate a domain user to become a domain admin.
On SRV02, on the taskbar, right-click Windows PowerShell, and then click Run as Administrator. Click Yes when prompted by User Account Control (UAC).
At the Windows PowerShell command prompt, type Enter-PsSession DC, and then press ENTER. The command fails because Contoso\AdamBarr does not have administrative permissions on the domain controller.
Enter-PsSession DC
Close Windows PowerShell.
Proceed to the next step to start the Mimikatz tool to verify credential information. Please click the Knowledge [Bulb in Head] icon to learn more about Mimikatz and its use in this lab.
Mimikatz is a free tool that is used to reveal credential information stored in Windows memory. It is used widely in credential theft attacks.
The use of Mimikatz in this lab is intended to emphasize the importance of having a defense-in-depth strategy to mitigate risk. In the real world, an attacker first needs the ability to execute the Mimikatz tool on a machine either locally or through a remote session. For example, the attacker has to get the tool on the server in the first place by exploiting a vulnerability such as a weak password or an email attachment, or even by physically tampering with an administrative station as the user steps away from their computer. Physical security of hosts is important in order to control access to the server boot process and the running operating system.
Both physical and technological controls have to be in place to mitigate the risk of Mimikatz and similar tools and malware from being installed in the first place. As well, additional controls need to be in place to ensure that people who have administrative access are trustworthy. Security is not just about processes and technology—it is also about people.
Double-click the LabFiles folder shortcut on the desktop, and then navigate to mimikatz\x64. Alternatively, click the Action icon to the right of this instruction.
explorer.exe "c:\labfiles\mimikatz\x64"
Right-click mimikatz.exe, and then click Run as Administrator. Click Yes when prompted by UAC.
By default, Mimikatz and other similar tools are considered malware and would automatically be removed by Windows Defender. In this lab, the folder containing the Mimikatz tool is excluded from malware scanning; otherwise it would have been removed from the system. You may see summary messages from Windows Defender about the presence of this tool. You can ignore these messages.
Type privilege::debug. The text Privilege '20' OK should be displayed.
privilege::debug
In Mimikatz, type sekurlsa::logonpasswords, and then press ENTER.
sekurlsa::logonpasswords
Scroll through the Mimikatz output and locate the username LabAdmin. Notice the NTLM hash for the LabAdmin password.
Select the NTLM hash value only, and then press ENTER to copy it to the clipboard.
Do not select the preceding * NTLM : label; select only the hash value.
Copy the LabAdmin NTLM hash.
In the Mimikatz window, type sekurlsa::pth /user:labadmin /domain:contoso /ntlm:Paste_the_hash_here /run:powershell.exe. Use the arrow keys to move the cursor to where you want to paste the hash. Delete the placeholder text, and then press CTRL+V to paste the hash value. Press ENTER to run the command.
The pth switch stands for pass-the-hash. This means that the logged-on user can start a process or application as another user by supplying that account's hash instead of its password. There is no need to determine the password in this case, and Windows PowerShell will be started with the privileges of the LabAdmin account, which is a member of the Domain Admins group.
sekurlsa::pth /user:LabAdmin /domain:contoso /ntlm:Paste_the_hash_here /run:powershell.exe
In the newly opened Windows PowerShell window, type Enter-PsSession DC, and then press ENTER.
Remote access to a domain controller has now been given to someone who does not know the administrator password, but knows only the NTLM hash.
Enter-PsSession DC
At the Windows PowerShell command prompt, type whoami, and then press ENTER.
You are signed in to the DC as Contoso\LabAdmin by using a remote Windows PowerShell session. You did not need to enter a password to establish this connection.
At the Windows PowerShell command prompt, type the following command, and then press ENTER.
Add-ADGroupMember -Identity "Domain Admins" -Members "AdamBarr"
As an attacker, you had access to the AdamBarr domain user account before the attack, and now you have access to a domain admin account as AdamBarr.
At the Windows PowerShell command prompt, type Get-ADGroupMember -Identity "Domain Admins", and then press ENTER. The Adam Barr account is listed as a member of the Domain Admins group.
Get-ADGroupMember -Identity "Domain Admins"
Sign out of SRV02 and then sign back in as Contoso\AdamBarr using Passw0rd! as the password.
Adam must sign out and sign back in again in order for his security token to be updated with his membership in the Domain Admins group.
On SRV02, on the taskbar, right-click Windows PowerShell, click Run as Administrator, and then click Yes.
At the Windows PowerShell command prompt, type Enter-PsSession DC, and then press ENTER. The command succeeds because the Adam Barr account is now a member of the Domain Admins group.
By establishing a PowerShell remoting session, you have verified that Adam Barr now has complete access to a domain controller, and thus can take control over the domain, as well as get access to all the information in this domain. In the next part of the exercise, you will see how Credential Guard can protect the credentials from this type of attack.
Enter-PsSession DC
At the Windows PowerShell command prompt, type Exit-PsSession, and then press ENTER.
Exit-PsSession
Right-click Start, and then click Run. In the Run dialog box, type gpedit.msc, and then press ENTER. Alternatively, click the Action icon to the right of this instruction to open gpedit.msc.
Device Guard settings can and should be configured by using a Group Policy Object in Active Directory. You are using a local policy to simplify the lab instructions.
gpedit.msc
In Computer Configuration, expand Administrative Templates, expand System, and then click Device Guard.
In the details pane, double-click Turn On Virtualization Based Security. Select the Enabled radio button.
Under Credential Guard Configuration, in the Select Platform Security Level list, select Secure Boot, and then in the Credential Guard Configuration list, select Enable with UEFI lock. Click OK.
The Enable with UEFI lock option prevents Credential Guard from being disabled remotely; configuration data is stored in the local UEFI.
Right-click Start, click Shutdown or sign out, and then click Restart. Note that if LabAdmin is still signed in to a remote session, you may be prompted to restart anyway.
To apply the policy update, you can run gpupdate /force. You need to restart the computer to clear the account information from memory, which makes it easier to see the difference once the credential derivatives are protected by Credential Guard.
Restart-Computer -force
After the server restarts, sign in to SRV02 as CONTOSO\AdamBarr using Passw0rd! as the password.
On the taskbar, right-click Windows PowerShell, and then click Run as Administrator. Click Yes when prompted by UAC.
At the Windows PowerShell command prompt, type msinfo32, and then press ENTER. The System Information screen opens.
msinfo32
Under System Summary, verify the following values:
- Device Guard Security Services Configured: Credential Guard
- Device Guard Security Services Running: Credential Guard
The underlying physical or virtual machine must have the firmware Secure Boot option enabled for Credential Guard to be running.
You can also type Get-ComputerInfo DeviceGuard* in Windows PowerShell to verify that Credential Guard is configured.
Click the X in the upper-right corner to close the tool.
At the Windows PowerShell command prompt, type Get-ComputerInfo DeviceGuard*, and then press ENTER. Notice that Credential Guard is configured and running.
Get-ComputerInfo DeviceGuard*
You will run Mimikatz again on the computer that has Credential Guard enabled to see how the credentials are protected in memory, thus making it impossible for the attacker to simply copy the hash and use it to gain access.
Open File Explorer, and then navigate to C:\LabFiles\mimikatz\x64.
explorer.exe C:\LabFiles\mimikatz\x64
In C:\LabFiles\mimikatz\x64, right-click mimikatz, and then click Run as Administrator. Click Yes when prompted by UAC.
Type privilege::debug. The text Privilege ‘20’ OK should be displayed.
privilege::debug
Type sekurlsa::logonpasswords. A list of account credentials is displayed.
sekurlsa::logonpasswords
Scroll up to the entry for the username AdamBarr. Notice that the encrypted value is now displayed instead of the NTLM hash.
Credential Guard is an important defense-in-depth mitigation that protects against Pass-the-Hash attacks and other threat vectors.
Also note that, if you were to establish a remote session from SRV01, the NTLM hashes of those remote credentials would also be encrypted. To test this, switch to SRV01, double-click SRV02.rdp on the desktop, and then click OK to sign in. Switch to SRV02 and retrieve the NTLM hashes by using Mimikatz.
Type exit to close the Mimikatz tool. Close the Windows Explorer window if it is still open.
On SRV02, right-click Start. Click Shut down or sign out, and then click Sign out.
In this exercise, you will observe how Remote Credential Guard can better protect the credentials in RDP connections. You will use SRV02 as the RDP client, and SRV01 as the RDP server to perform the following tasks:
- Establish an RDP connection without Remote Credential Guard, and see the credential derivatives—an NTLM hash and Kerberos ticket—that are available for attackers on the RDP server.
- Configure the RDP server to allow RDP client connections by using Remote Credential Guard.
- Establish an RDP connection by using Remote Credential Guard and verify that no credential derivatives are stored on the RDP server.
- Connect to file shares from within the RDP session by using Remote Credential Guard to observe the single sign-on experience.
Virtual Machines:
- SRV01
- SRV02
Congratulations! You have successfully enabled and tested the Remote Guard feature.
Click the Switch to Machine icon to the right of this instruction to switch to SRV02.
On SRV02, on the sign-in screen, click Other user. Sign in to SRV02 as CONTOSO\BenSmith, using Passw0rd! as the password.
On the taskbar, click Windows PowerShell.
At the Windows PowerShell command prompt, type mstsc /v:srv01, and then press ENTER. When prompted, type Passw0rd! as the password, and then click OK.
Proceed to the next step in which you will start the Mimikatz tool to verify credential information on the RDP server when the RDP connection is not protected by Remote Credential Guard. Click the Knowledge [Bulb in Head] icon to learn more about Mimikatz and its use in this lab.
Mimikatz is a free tool that is used to reveal credential information stored in Windows memory. It is used widely in credential theft attacks.
The use of Mimikatz in this lab is intended to emphasize the importance of having a defense-in-depth strategy to mitigate risk. In the real world, an attacker first needs the ability to execute the Mimikatz tool on a machine either locally or through a remote session. For example, the attacker has to get the tool on the server in the first place by exploiting a vulnerability such as a weak password or an email attachment, or even by physically tampering with an administrative station as the user steps away from their computer. Physical security of hosts is important in order to control access to the server boot process and the running operating system.
Both physical and technological controls have to be in place to mitigate the risk of this and similar tools and malware from being installed in the first place. As well, additional controls need to be in place to ensure that people who have administrative access are trustworthy. Security is not just about processes and technology—it is also about people.
Double-click the LabFiles shortcut on the desktop. Navigate to mimikatz\x64, right-click mimikatz, and then click Run as administrator. When prompted, sign in as CONTOSO\Administrator using Passw0rd! as the password.
Type privilege::debug. The text Privilege '20' OK should be displayed.
In Mimikatz, type sekurlsa::logonpasswords, and then press ENTER.
Scroll up and view Ben's NTLM hash. Click the Knowledge icon to view an explanation of the reason why allowing the hash to become known to a threat agent is a significant security problem.
The Mimikatz tool and other similar tools are able to retrieve NTLM hashes. As you will see in the next exercise, an attacker who is in possession of an NTLM hash can launch a Pass-the-Hash attack to sign in to a system. It is not necessary for the attacker to know the password. If the attacker can successfully present the hash to the authentication server, the attacker can assume the identity associated with the hash.
In the SRV01 RDP session, right-click Start, click Shut down or sign out, and then click Sign out. Alternatively, open Windows PowerShell, type logoff, and then press ENTER.
Click the Switch to Machine icon to switch to SRV01. If necessary, sign in to SRV01 as CONTOSO\LabAdmin using Passw0rd! as the password.
On the taskbar, right-click Windows PowerShell, click Run as Administrator, and then click Yes.
At the Windows PowerShell command prompt, type \\DC\C$\LabFiles\Ben\RemoteGuardConfig.ps1, and then press ENTER. The RemoteGuardConfig.ps1 script sets a registry value on the RDP server that allows the RDP client to use Remote Credential Guard for the RDP connection.
To save time and ensure accuracy, you are using a script to enable Remote Credential Guard. The script will enable the RDP server to accept an RDP connection that uses Remote Credential Guard.
The script adds a new DWORD value named DisableRestrictedAdmin to HKLM\System\CurrentControlSet\Control\Lsa and sets this value to 0. The Screenshot shows the DWORD that is added.
For more information on how to enable Remote Credential Guard and restricted admin mode, please see https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard.
\\DC\C$\LabFiles\Ben\RemoteGuardConfig.ps1
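The lab's RemoteGuardConfig.ps1 is not reproduced on the page, so the following is an added example of my own, not the lab's script, that makes the same change the text describes: it creates the DisableRestrictedAdmin DWORD under HKLM\System\CurrentControlSet\Control\Lsa, sets it to 0, and verifies the result. It is idempotent and honours -WhatIf so it can be reviewed before being applied to a production RDP server. The function name is an assumption.

```powershell
# Added example (not the lab's RemoteGuardConfig.ps1): allow an RDP server to
# accept Remote Credential Guard connections by setting DisableRestrictedAdmin = 0.
function Enable-RemoteCredentialGuardServer {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'DisableRestrictedAdmin'

    # Read the current value; the property may not exist yet on an unconfigured server.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 0) {
        Write-Verbose "$name is already 0; nothing to do."
        return $true
    }

    if ($PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD value to 0')) {
        # -Force overwrites an existing value of a different type or content.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Verify rather than assume: return $true only if the value now reads 0.
    $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    return ($after -eq 0)
}

# Usage: preview first, then apply.
Enable-RemoteCredentialGuardServer -WhatIf
Enable-RemoteCredentialGuardServer -Verbose
```

Note that DisableRestrictedAdmin is the same value that governs Restricted Admin mode, which is why the TechNet link above covers both features; setting it to 0 enables the server to accept either kind of connection, so the client-side "Require Remote Credential Guard" policy configured later in this exercise is what actually restricts the client to Remote Credential Guard.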
Leave Windows PowerShell open for subsequent tasks.
Click the Switch to Machine icon to switch to SRV02. If necessary, sign in as CONTOSO\BenSmith, using Passw0rd! as the password.
On the taskbar, right-click Windows PowerShell, and then click Run as Administrator. In the User Account Control dialog box, type CONTOSO\Administrator as the username and Passw0rd! as the password, and then click Yes. After completing this step, you will have two Windows PowerShell sessions open. Leave the other Windows PowerShell session open. You will use it in subsequent steps.
Please ensure you launch a new Windows PowerShell session as an administrator; otherwise, subsequent steps will fail.
You need to launch Windows PowerShell as an administrator in order to perform the next steps in this lab exercise.
At the Administrative Windows PowerShell command prompt, type gpedit.msc, and then press ENTER. The Local Group Policy Editor will fail to open properly unless you launch it from an administrative Windows PowerShell command prompt.
gpedit.msc
In the Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.
In a production environment, you would use a Group Policy Object defined at the domain, site, or organizational unit level to enforce this policy setting. You are using a local policy to simplify lab steps.
Double-click Restrict delegation of credentials to remote servers. Select Enabled. Under Use the following restricted mode, select Require Remote Credential Guard, and then click OK.
In this step, you are specifying that Remote Credential Guard is the only method to use for the connection.
Close the Local Group Policy Editor.
At the Administrative Windows PowerShell command prompt, type gpupdate /force, and then press ENTER.
gpupdate /force
Close the Administrative Windows PowerShell Command Prompt window.
At the Windows PowerShell command prompt, type mstsc /v:srv01. This opens a Remote Desktop session to SRV01 by using the Remote Guard feature, without requiring you to enter your credentials for the remote session.
IMPORTANT: Please ensure that you are NOT using an administrative Windows PowerShell command prompt. If you use a non-administrative Windows PowerShell command prompt, you are not required to enter credentials for the RDP session. This is a consequence of enabling Remote Guard and is intended. Please click the Knowledge icon to see additional information.
Remote Credential Guard protects credentials over an RDP connection by redirecting the Kerberos requests back to the device—in this case SRV02—that is requesting access. If the target device is compromised—for example, by the presence of malware that can read NTLM hashes in memory—the requestor’s credentials are not compromised because the credentials are never sent to the target device.
Also note that, if you had not configured the policy to require Remote Credential Guard from the client device, you could have used the mstsc /remoteguard switch to ensure that you connected to the target server by using Remote Credential Guard.
On the taskbar, right-click Windows PowerShell, and then click Run as Administrator. In the User Account Control dialog box, type CONTOSO\Administrator as the username and Passw0rd! as the password, and then click Yes.
At the Windows PowerShell command prompt, type the following command, and then press ENTER.
Get-WinEvent -Logname Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | where {$_.ID -eq '1149'} | FL
You see the Remote Desktop logon events for the Ben Smith user object. The latest entries show a blank user and domain name. This is expected. Recall that when Remote Credential Guard is enabled, the Kerberos requests are redirected back to the device requesting the connection. The user credentials or credential derivatives are not sent to the target device.
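The one-liner above lists every 1149 event in full. As an added example, not part of the lab, the function below turns the same log into a per-connection summary so an administrator can see at a glance which RDP logons delegated credentials to this server and which arrived via Remote Credential Guard, using the lab's own observation that the latter show a blank user and domain. Event 1149 carries the user, domain and source network address as its three parameters; the function name and the Mode labels are my own.

```powershell
# Added example (not the lab's code): summarise RDP connection events (ID 1149)
# on the RDP server and flag which ones delegated credentials to the server.
function Get-RdpConnectionSummary {
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id      = 1149
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 1149 parameters: [0] user, [1] domain, [2] source network address
        $user   = [string]$e.Properties[0].Value
        $domain = [string]$e.Properties[1].Value
        $source = [string]$e.Properties[2].Value

        # Per the lab: with Remote Credential Guard the Kerberos exchange is redirected
        # to the client, so the server records no user or domain for the connection.
        $mode = if ([string]::IsNullOrWhiteSpace($user)) {
            'Remote Credential Guard (no credentials sent to server)'
        } else {
            'Credentials delegated to server'
        }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $user
            Domain = $domain
            Source = $source
            Mode   = $mode
        }
    }
}

# Usage: newest connections first, then a count per mode.
Get-RdpConnectionSummary | Format-Table -AutoSize
Get-RdpConnectionSummary | Group-Object Mode | Select-Object Count, Name
```

Treat the blank-user signal as an indicator rather than proof: correlate a given connection with the Security log logon events for the same time and source address before concluding that no credentials reached the server.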
Close the Administrative Windows PowerShell Command Prompt window.
Double-click the LabFiles shortcut on the desktop. Navigate to mimikatz\x64, right-click mimikatz, and then click Run as administrator. When prompted, sign in as CONTOSO\Administrator using Passw0rd! as the password.
In Mimikatz, type privilege::debug, press ENTER, type sekurlsa::logonpasswords, and then press ENTER.
Scroll up and review Ben's session information. The NTLM hash is no longer visible; instead the credentials are encrypted. This is because the Remote Guard feature is being used for the RDP session.
The other password hashes on SRV01 are still plainly visible. In the next exercise, you will enable Credential Guard to remove this type of vulnerability from the system.
In the remote session, right-click Start, click Shut down or sign out, and then click Sign out.
In this exercise, you will create and deploy a code integrity policy, and then observe how it will report on files not covered by the code integrity policy when the policy is set to audit mode, and how it will prevent those files from running when the policy is set to enforce mode.
You will perform the following tasks:
- Create a new code integrity policy configured for audit mode.
- Verify that applications not allowed by the code integrity policy—for example, Notepad++ and Mimikatz—are being reported in the event log.
- Change the audit code integrity policy to enforcement mode.
- Review the event log after attempting to run the same applications again.
Congratulations! You have successfully configured Device Guard to control and restrict application execution.
Switch to SRV01. If necessary, sign in to SRV01 as CONTOSO\LabAdmin using Passw0rd! as the password.
On the taskbar, right-click Windows PowerShell, click Run as Administrator, and then click Yes.
At the Windows PowerShell command prompt, type New-CIPolicy -Filepath C:\ci\audit.xml -Level Publisher -UserPEs -Fallback hash, and then press ENTER. After a few moments, press Ctrl+C to cancel the job. You may need to press Ctrl+C a few times.
This cmdlet will run for 30 minutes as it scans for software. To save time in the lab, the code integrity policy file that is located at C:\CI\SRV01-Audit.xml has been created for you as part of the lab setup.
The -Level Publisher parameter uses the Publisher metadata from the software to generate rules for installed applications.
The -UserPEs parameter scans for not only kernel mode files, but also user mode files.
The -Fallback hash parameter uses a hash value for generating rules if publisher information is unavailable.
New-CIPolicy -Filepath "c:\ci\audit.xml" -Level Publisher -UserPEs -Fallback hash
On SRV01, double-click C:\CI\SRV01-Audit.xml. The file opens in Internet Explorer. Notice the entry Enabled: Audit Mode. Close Internet Explorer and Windows Explorer.
Audit mode does not block applications from running. Instead, entries are logged to the event viewer logs.
explorer c:\ci
At the Windows PowerShell command prompt, type ConvertFrom-CIPolicy -XmlFilePath "C:\CI\Srv01-audit.xml" -BinaryFilePath "C:\CI\Srv01-audit.bin", and then press ENTER. The command takes a few minutes to run.
ConvertFrom-CIPolicy -XmlFilePath "C:\CI\Srv01-audit.xml" -BinaryFilePath "C:\CI\Srv01-audit.bin"
At the Windows PowerShell command prompt, type Copy-item "C:\CI\Srv01-audit.bin" "C:\Windows\System32\CodeIntegrity\Sipolicy.p7b", and then press ENTER.
Make sure the filename and location matches the instructions.
Copy-item "C:\CI\Srv01-audit.bin" "C:\Windows\System32\CodeIntegrity\Sipolicy.p7b"
At the Windows PowerShell command prompt, type restart-computer -force.
restart-computer -force
Sign in to SRV01 as CONTOSO\LabAdmin using Passw0rd! as the password.
After the restart, the machine is running with code integrity in audit mode. Any files not covered by the code integrity policy will be logged to the event log.
Open File Explorer, and then navigate to C:\LabFiles\mimikatz\x64.
explorer.exe c:\LabFiles\mimikatz\x64
Double-click mimikatz.exe.
You are launching Mimikatz to verify whether it will generate an entry in the code integrity audit log.
Close the Mimikatz window.
In File Explorer, navigate to \\DC\C$\LabFiles\Ben. Double-click npp.EXE. When prompted, click Run. Accept all installation defaults in the installation wizard. After installation, uncheck the option to Run Notepad++, and then click Finish. Close the Command Prompt window.
Notepad++ (npp.exe) is being installed to show how a code integrity violation entry will be logged. Notepad++ is not blocked because the configuration is set to audit mode.
explorer \\DC\C$\LabFiles\Ben\npp.EXE
On the taskbar, right-click Windows PowerShell, click Run as Administrator, and then click Yes.
At the Windows PowerShell command prompt, type the following command, and then press ENTER.
Get-WinEvent -Logname Microsoft-Windows-CodeIntegrity/Operational | where {$_.ID -eq '3076'} | FL
The audit file reports that the files displayed in the output would be blocked in enforcement mode. You should see a number of entries regarding Notepad++ (npp.exe) and an entry regarding mimikatz.exe.
At the Windows PowerShell command prompt, type Copy-item "C:\CI\Srv01-audit.xml" "C:\CI\Srv01-enforced.xml", and then press ENTER.
Copy-item "C:\CI\Srv01-audit.xml" "C:\CI\Srv01-enforced.xml"
At the Windows PowerShell command prompt, type Set-RuleOption -FilePath "C:\CI\Srv01-enforced.xml" -Option 3 -Delete, and then press ENTER. Close all open Command Prompt windows.
Set-RuleOption -FilePath "C:\CI\Srv01-enforced.xml" -Option 3 -Delete
At the Windows PowerShell command prompt, type ConvertFrom-CIPolicy "C:\CI\Srv01-enforced.xml" "C:\CI\Srv01-enforced.bin", and then press ENTER. This will take a few minutes to complete.
ConvertFrom-CIPolicy "C:\CI\Srv01-enforced.xml" "C:\CI\Srv01-enforced.bin"
In Windows PowerShell, type Copy-item "C:\CI\Srv01-enforced.bin" "C:\Windows\System32\CodeIntegrity\Sipolicy.p7b"
Copy-item "C:\CI\Srv01-enforced.bin" "C:\Windows\System32\CodeIntegrity\Sipolicy.p7b"
At the Windows PowerShell command prompt, type restart-computer -force, and then press ENTER.
restart-computer -force
Sign in to SRV01 as CONTOSO\Administrator using Passw0rd! as the password.
After the restart, the machine is running with code integrity in enforcement mode. Any files not covered by the code integrity policy will not be loaded on the server.
On the Start menu, click Notepad++. Nothing happens because the application is not allowed to run—it is not whitelisted in the policy.
Open File Explorer, and then navigate to C:\LabFiles\mimikatz\x64.
explorer.exe C:\LabFiles\Mimikatz\x64
Double-click mimikatz.exe. The launch fails. Mimikatz was added to SRV01 after the code integrity audit policy was created for this exercise.
On the taskbar, right-click Windows PowerShell, click Run as Administrator, and then click Yes.
At the Windows PowerShell command prompt, type the following command, and then press ENTER.
Get-WinEvent -Logname Microsoft-Windows-CodeIntegrity/Operational | where {$_.ID -eq '3077'} | FL
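The code integrity exercise above (New-CIPolicy with -Level Publisher, -UserPEs and -Fallback Hash; ConvertFrom-CIPolicy; copying the binary to SIPolicy.p7b; removing rule option 3, Enabled:Audit Mode, to enforce; and reviewing events 3076 and 3077) is spread over a dozen manual steps. The following is an added example, not the lab's code, that collects that audit-to-enforce workflow into functions so it can be repeated on another server. The C:\CI directory and the Srv01-* file names are taken from the lab and are assumptions about your environment; the function names and the regular expression that extracts the file path from the event message are my own.

```powershell
# Added example (not the lab's code): the Device Guard code integrity
# audit-then-enforce workflow from this exercise as reusable functions.
$CiDir    = 'C:\CI'                                            # assumed, as in the lab
$SiPolicy = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # where the active policy lives

# Step 1: scan the machine and write an audit-mode policy with the lab's parameters:
# publisher-level rules, user-mode binaries included, hash rules as a fallback.
function New-AuditCIPolicy {
    param([string]$XmlPath = (Join-Path $CiDir 'Srv01-audit.xml'))
    New-CIPolicy -FilePath $XmlPath -Level Publisher -UserPEs -Fallback Hash
    return $XmlPath
}

# Step 2: derive an enforced policy by deleting rule option 3 (Enabled:Audit Mode).
function ConvertTo-EnforcedCIPolicy {
    param(
        [Parameter(Mandatory)][string]$AuditXml,
        [string]$EnforcedXml = (Join-Path $CiDir 'Srv01-enforced.xml')
    )
    Copy-Item -Path $AuditXml -Destination $EnforcedXml -Force
    Set-RuleOption -FilePath $EnforcedXml -Option 3 -Delete
    return $EnforcedXml
}

# Step 3: compile the XML to binary form and install it as SIPolicy.p7b.
# The new policy only takes effect after a restart.
function Install-CIPolicy {
    param([Parameter(Mandatory)][string]$XmlPath, [switch]$Restart)
    $bin = [IO.Path]::ChangeExtension($XmlPath, '.bin')
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $bin | Out-Null
    Copy-Item -Path $bin -Destination $SiPolicy -Force
    if ($Restart) { Restart-Computer -Force }
    return $SiPolicy
}

# Step 4: review what the policy logged.
# 3076 = would have been blocked (audit mode); 3077 = was blocked (enforced mode).
function Get-CIPolicyViolation {
    param(
        [ValidateSet('Audit', 'Enforced')][string]$Mode = 'Audit',
        [int]$MaxEvents = 100
    )
    $id = if ($Mode -eq 'Audit') { 3076 } else { 3077 }
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = $id
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The message names the file that failed the policy; extracting it lets the
        # output be grouped by path. The pattern is an assumption about the message text.
        $file = if ($e.Message -match 'attempted to load (.+?) that did not meet') {
            $Matches[1]
        } else {
            $e.Message
        }
        [pscustomobject]@{ Time = $e.TimeCreated; EventId = $id; File = $file }
    }
}

# Usage, mirroring the lab's order (uncomment to run):
# $audit = New-AuditCIPolicy
# Install-CIPolicy -XmlPath $audit -Restart
# ...after the restart, run the applications you want to evaluate, then:
# Get-CIPolicyViolation -Mode Audit | Group-Object File | Sort-Object Count -Descending
# Install-CIPolicy -XmlPath (ConvertTo-EnforcedCIPolicy -AuditXml $audit) -Restart
# ...after the second restart:
# Get-CIPolicyViolation -Mode Enforced | Format-Table -AutoSize
```

The grouped 3076 review between the two installs is the decision point: every path that appears there is something enforcement mode will block, so anything the server legitimately needs (including binaries added after the scan, as Mimikatz was in this lab) must be accounted for in the policy before rule option 3 is removed.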
Click Done to finalize and close the lab.