There are several well-documented ways attackers and malware can spread laterally across Windows servers and desktops.  Approaches like pass-the-ticket, pass-the-hash, overpass-the-hash, and Golden Tickets continue to be effective lateral movement techniques.  Lateral movement has become increasingly present in targeted ransomware threats, such as Ryuk and WastedLocker.  And as if that wasn’t enough to worry about, new research has shown similar techniques that are […]

Multi-factor Authentication (MFA) is a great way to increase security on web applications, remote desktop sessions, VPN, and virtually anywhere a user can log into. By introducing one or more additional factors into the authentication process you can prove somebody actually is who they say they are, and prevent a significant amount of impersonation and credential-based […]

Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain.  Read the article for a great breakdown of the attack, but here’s a quick […]

Lateral movement techniques like Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash provide attackers with ways to take stolen or compromised credentials and spread out across a network to achieve privilege escalation.  I recently found myself testing some Active Directory attacks from a Kali Linux host, and needed a way to use compromised credentials from this Linux system on […]

While looking at Pass-the-Ticket we explored a tool Rubeus by Harmj0y which can be used to experiment with Kerberos security in Active Directory and explore various attack vectors.  One of the areas I found interesting when testing Rubeus was the different password cracking options it made available.  This includes two primary methods: Kerberoasting and AS-REP […]

The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges.  This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain.  When users use their Kerberos tickets to authenticate to other systems, the PAC can be read […]

A lot of my posts have covered Mimikatz and how it can be used to explore Active Directory and Windows security to learn how various attacks work.  Recently, the author of Mimikatz released a new feature which exposes a new attack surface that could be used to create persistence within AD.  This feature uses a […]

Now that we’ve looked at how pass-the-hash and pass-the-ticket attacks work and what to do to detect them, let’s take a look at overpass-the-hash.  Basically, this is a combination of both attacks. The idea of overpass-the-hash is for an attacker to leverage the NTLM hash of another user account to obtain a Kerberos ticket which […]

This is the first in a 3-part blog series, that will be followed by a webinar February 28th. Lateral movement techniques are one of the most common approaches attackers can use to infiltrate your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and […]

So far in this series, we’ve learned about the HoneyHash, a useful honeypot technique for detecting Pass-the-Hash and credential theft within a Windows environment.  We then looked into how to monitor for an attacker triggering the honeypot, and how to gather the necessary forensic details to investigate the attack.  Now let’s look at what you […]