Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE


And other things that keep you up at night

Blog >Search

Featured Blog

Insider Threat Podcast

How Attackers are Stealing your Credentials with Mimikatz – Insider Threat Podcast #6

In our sixth edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another in our ongoing blog series about insider attacks on Active Directory (AD). This time, the focus was the Mimikatz toolkit and all the ways it’s being used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks as well as supplementary posts covering Skeleton Key, changing passwords, DCSYNC and…

Automating Mimikatz with Empire and DeathStar

Automating Mimikatz Mimikatz is a very powerful post-exploitation tool on its own, allowing attackers to harvest credentials and move laterally through a compromised organization. However, there are also several limitations to what Mimikatz can do by itself: If you have compromised a machine but do not have Administrator rights, you can’t access any credentialsIf PowerShell protections are enabled, Mimikatz can be easily preventedStealing credentials and figuring out where they work can…
Mimikatz is one of the best tools to gather credential data from Windows systems

How Attackers are Stealing Your Credentials with Mimikatz

Stealing Credentials with Mimikatz Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the ways in which Mimikatz can be packaged and deployed have become even more creative and difficult to detect by security professionals. This has led to Mimikatz recently being tied to some of the most prevalent cyber attacks such as the Petya ransomwar…
Change user passwords and escalate privileges within Active Directory with Mimikatz commands SetNTLM and ChangeNTLM

Manipulating User Passwords with Mimikatz

Introduction: Manipulating User Passwords with Mimikatz Mimikatz now supports the ability to manipulate user passwords with new commands: SetNTLM and ChangeNTLM. These commands give attackers a new way to change user passwords and escalate privileges within Active Directory. Let’s take a look at these NTLM commands and what they do. ChangeNTLM This performs a password change event. To use this command, you must know the old password in order to set a new one. One deviation is tha…
DCSync with rights to replicating directory changes for replicating directory changes all

Extracting User Password Data with Mimikatz DCSync

Introduction: Extracting User Password Data with Mimikatz DCSync Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password da…

Performing Pass-the-Hash Attacks with Mimikatz

Attack #4: Pass-the-Hash with Mimikatz In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entir…

Understanding Lateral Movement and Privilege Escalation

The Techniques Attackers Use and Best Practices for Defending Your Organization Introduction An attacker who gets into your network is seldom content with their initial foothold. To achieve their ultimate objective, whether that’s stealing sensitive information or planting malware, they need to leverage the account they have compromised to move laterally through your environment and escalate their privileges until they gain access to more data or resources. In other words, the accoun…
Detecting Advanced Process Tampering Tactics with Microsoft’s Sysmon 13

Detecting Advanced Process Tampering Tactics with Microsoft’s Sysmon 13

| Dan Piazza | | Leave a Comment
Sysmon is an important tool within Microsoft’s Sysinternals Suite, a comprehensive set of utilities and tools used to monitor, manage, and troubleshoot the Windows operating system. Per Microsoft’s own definition, Sysmon “provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous acti…
Active Directory Permissions - Hiding in the Shadows

Active Directory Permissions – Hiding in the Shadows

Understanding the Risk of Active Directory Permissions and Shadow Access I recently covered the topic of Active Directory permissions by giving an overview on how to apply them and view what already exists in your organization. In this blog, I’ll be taking a deeper dive into Active Directory permissions, outlining potential risks that exist when certain permissions are applied to certain objects. Why Do Active Directory Permissions Create Risk? So how do Active Directory permissions …
Using & Securing Remote Desktop Protocol (RDP)

Using & Securing Remote Desktop Protocol (RDP)

| Dan Piazza | | Leave a Comment
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, allowing users to remotely connect to Windows workstations and servers. RDP is included in most versions of Windows, going as far back as Windows NT 4.0, and doesn’t come with additional costs or licensing requirements. In Windows networks, this means organizations don’t need to pay for third-party software like TeamViewer, LogMeIn, or AnyDesk in order to enable their users with remote access capabilities. As a…




© 2022 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.