There are several well-documented ways attackers and malware can spread laterally across Windows servers and desktops. Approaches like pass-the-ticket, pass-the-hash, overpass-the-hash, and Golden Tickets continue to be effective lateral movement techniques. Lateral movement has become increasingly present in targeted ransomware threats, such as Ryuk and WastedLocker. And as if that wasn’t enough to worry about, new research has shown similar techniques that are […]
Passwords are everywhere and nobody likes them. Not only are they a pain to remember and manage, but they also continue to be a primary source of data breaches. This affects companies whether they are storing their data in the cloud or on-premises. According to the 2020 Verizon DBIR, 77% of cloud breaches involved stolen […]
Multi-factor Authentication (MFA) is a great way to increase security on web applications, remote desktop sessions, VPN, and virtually anywhere a user can log in. By introducing one or more additional factors into the authentication process, you can prove somebody actually is who they say they are, and prevent a significant amount of impersonation and credential-based […]
Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain. Read the article for a great breakdown of the attack, but here’s a quick […]
Lateral movement techniques like Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash provide attackers with ways to take stolen or compromised credentials and spread out across a network to achieve privilege escalation. I recently found myself testing some Active Directory attacks from a Kali Linux host, and needed a way to use compromised credentials from this Linux system on […]
While looking at Pass-the-Ticket, we explored Rubeus, a tool by Harmj0y that can be used to experiment with Kerberos security in Active Directory and explore various attack vectors. One of the areas I found interesting when testing Rubeus was the different password cracking options it made available. This includes two primary methods: Kerberoasting and AS-REP […]
The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges. This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain. When users use their Kerberos tickets to authenticate to other systems, the PAC can be read […]
A lot of my posts have covered Mimikatz and how it can be used to explore Active Directory and Windows security to learn how various attacks work. Recently, the author of Mimikatz released a new feature which exposes a new attack surface that could be used to create persistence within AD. This feature uses a […]
Now that we’ve looked at how pass-the-hash and pass-the-ticket attacks work and what to do to detect them, let’s take a look at overpass-the-hash. Basically, this is a combination of both attacks. The idea of overpass-the-hash is for an attacker to leverage the NTLM hash of another user account to obtain a Kerberos ticket which […]
In our first post of the series, we looked at some interesting ways to detect the pass-the-hash attack. Pass-the-hash is an effective approach for exploiting NTLM authentication within an Active Directory domain. Pass-the-ticket is an alternate approach which leverages Kerberos authentication to perform lateral movement. In this post we will dive into how this attack works and […]
© 2021 Stealthbits Technologies, Inc.