And other things that keep you up at night

Blog >Search

Featured Blog

Insider Threat Podcast

How Attackers are Stealing your Credentials with Mimikatz – Insider Threat Podcast #6

In our sixth edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another in our ongoing blog series about insider attacks on Active Directory (AD). This time, the focus was the Mimikatz toolkit and all the ways it’s being used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks as well as supplementary posts covering Skeleton Key, changing passwords, DCSYNC and…

Automating Mimikatz with Empire and DeathStar

Automating Mimikatz Mimikatz is a very powerful post-exploitation tool on its own, allowing attackers to harvest credentials and move laterally through a compromised organization. However, there are also several limitations to what Mimikatz can do by itself: If you have compromised a machine but do not have Administrator rights, you can’t access any credentials If PowerShell protections are enabled, Mimikatz can be easily prevented Stealing credentials and figuring out where they work …
Mimikatz is one of the best tools to gather credential data from Windows systems

How Attackers are Stealing Your Credentials with Mimikatz

Stealing Credentials with Mimikatz Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the ways in which Mimikatz can be packaged and deployed have become even more creative and difficult to detect by security professionals. This has led to Mimikatz recently being tied to some of the most prevalent cyber attacks such as the Petya ransomwar…
Change user passwords and escalate privileges within Active Directory with Mimikatz commands SetNTLM and ChangeNTLM

Manipulating User Passwords with Mimikatz

Introduction: Manipulating User Passwords with Mimikatz Mimikatz now supports the ability to manipulate user passwords with new commands: SetNTLM and ChangeNTLM. These commands give attackers a new way to change user passwords and escalate privileges within Active Directory. Let’s take a look at these NTLM commands and what they do. ChangeNTLM This performs a password change event. To use this command, you must know the old password in order to set a new one. One deviation is that this comman…
DCSync with rights to replicating directory changes for replicating directory changes all

Extracting User Password Data with Mimikatz DCSync

Introduction: Extracting User Password Data with Mimikatz DCSync Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password data. Most…

Performing Pass-the-Hash Attacks with Mimikatz

Attack #4: Pass-the-Hash with Mimikatz In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entirely…
Using & Securing Remote Desktop Protocol (RDP)

Using & Securing Remote Desktop Protocol (RDP)

| Dan Piazza | | Leave a Comment
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, allowing users to remotely connect to Windows workstations and servers. RDP is included in most versions of Windows, going as far back as Windows NT 4.0, and doesn’t come with additional costs or licensing requirements. In Windows networks, this means organizations don’t need to pay for third-party software like TeamViewer, LogMeIn, or AnyDesk in order to enable their users with remote access capabilities. As …

Zerologon: From Zero to Hero – Part 2

| Kevin Joyce | | Leave a Comment
How Does it Work? In Part 1 of this blog series (What is Zerologon?), we discussed how Zerologon exploits a vulnerability in NetLogon that allows a malicious actor on your network to take over a Domain Controller (DC), and eventually your entire domain. Now let’s dive into the specifics of how Zerologon works. Using Mimikatz to Execute the Zerologon Exploit For starters, you can easily identify if a target domain controller is vulnerable to the Zerologon exploit with Mimikatz by run…

Zerologon: From Zero to Hero – Part 1

| Kevin Joyce | | Leave a Comment
What is Zerologon? Zerologon exploits a vulnerability in NetLogon that allows a malicious actor on your network to take over a Domain Controller (DC), and eventually your entire domain. Since this attack requires no authentication and only network access, it has been given a CVSS score of 10.0 (the highest score available). At a high level, an unauthenticated attacker is able to use NetLogon Remote Protocol to connect to a Domain Controller and change the DC password to something they kno…


Active Directory persistence through userAccountControl manipulation I’ve been doing some research on group Managed Service Accounts (gMSAs) recently and reading the MS-SAMR protocol specification for some information. I happened to stumble across some interesting information in the userAccountControl section which made us drop what we were doing to test it: Figure 1 – Part of the userAccountControl section of the MS-SAMR specification Effectively, when the UF_SERVER_TRUST…





© 2020 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.