Going remote is the new reality as we continue to grapple with a devastating global pandemic. The transition to remote learning in our nation’s schools, in particular, has created a new level of upheaval and burden that’s impacted most every home and community. Luckily, most of Stealthbits’ existing corporate customers switched to digital work rather seamlessly after testing and reinforcing the security of their networks and IT infrastructure. Educational institutions, on the other hand, were…
In our sixth edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another in our ongoing blog series about insider attacks on Active Directory (AD). This time, the focus was the Mimikatz toolkit and all the ways it’s being used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks as well as supplementary posts covering Skeleton Key, changing passwords, DCSYNC and…
Stealing Credentials with Mimikatz
Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the ways in which Mimikatz can be packaged and deployed have become even more creative and difficult to detect by security professionals. This has led to Mimikatz recently being tied to some of the most prevalent cyber attacks such as the Petya ransomwar…
Introduction: Extracting User Password Data with Mimikatz DCSync
Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password da…
Attack #4: Pass-the-Hash with Mimikatz
In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entir…
Understanding the Risk of Active Directory Permissions and Shadow Access
I recently covered the topic of Active Directory permissions by giving an overview on how to apply them and view what already exists in your organization. In this blog, I’ll be taking a deeper dive into Active Directory permissions, outlining potential risks that exist when certain permissions are applied to certain objects.
Why Do Active Directory Permissions Create Risk?
So how do Active Directory permissions …
Active Directory persistence through userAccountControl manipulation
I’ve been doing some research on group Managed Service Accounts (gMSAs) recently and reading the MS-SAMR protocol specification for some information. I happened to stumble across some interesting information in the userAccountControl section which made us drop what we were doing to test it:
Figure 1 – Part of the userAccountControl section of the MS-SAMR specification
Effectively, when the UF_SERVER_TRUST_…
Million-dollar ransomware payouts, government protection, and ease of access will continue to fuel the growth of cybercrime.
Imagine coming to work and turning on the computer only to see a message that says “repairing file system on C:” or “oops, your important files are encrypted” demanding a payment in bitcoin to decrypt them.
A typical message displayed during a Ransomware attack
When you read the headlines of six-figure ransomware payouts, you might begin to wonder how hacker g…
In this blog post, we are taking a deeper dive into Covenant. Covenant is one of the
latest and greatest Command and Control (C2) Post Exploitation Frameworks which
I covered in In my previous
blog post. In that post, we discussed
Covenant on a high level but now let’s go through the process of configuring
and using Covenant to execute payloads on compromised hosts.
NOTE: This post demonstrates the capabilities of
Covenant in Mid-September 2019.
Getting Setup and Starting Covenant
T…
What Organizations Can Do to Stop a DCShadow Attack
Recently, I came across a post outlining how companies CANNOT effectively defend against a DCShadow attack but instead need to take a reactive approach to identify when it may have occurred by monitoring their environment, and rolling back any unwanted changes once they were identified. Unfortunately, reacting to an incident could mean the damage is already done and a malicious actor has run off with the ‘keys to the kingdom’. The best co…
What’s The Problem?
Today, with the Internet, social media, personal computers, online banking and everything else that exists, end-users need to create and maintain a large number of usernames and passwords for all of the accounts they have. This begins to create a problem. The many accounts we need to remember leads us to want to share passwords between different platforms, potentially including our work accounts. This is just one of the few contributors to the many password problems tha…