Understanding the Risk of Active Directory Permissions and Shadow Access
I recently covered the topic of Active Directory permissions by giving an overview on how to apply them and view what already exists in your organization. In this blog, I’ll be taking a deeper dive into Active Directory permissions, outlining potential risks that exist when certain permissions are applied to certain objects.
Why Do Active Directory Permissions Create Risk?
So how do Active Directory permissions …
It’s often helpful to know which Active Directory groups your current user is a member of when joined to a domain. That information is typically easy to obtain; however, you need to know where to look.
For many, having a graphical UI is helpful for any task. While this isn’t the quickest way to locate your AD group membership, it’s the best way if you want to avoid the command line (i.e. PowerShell or Command Prompt).
Let’s discuss several methods to achieve our goal, including via the U…
Part 2 – Active Directory
This is the second part of a three-part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk.
Not everyone realizes that in the last several years ransomware has made significant advances in its ability to not just infect a single computer, but to also pivot from that computer and infect other workstations and servers. Following a common pattern …
Kerberos Explained
Kerberos is an authentication protocol enabling systems and users to prove their identity through a trusted third party. The protocol was initially developed at the Massachusetts Institute of Technology (MIT) as part of a larger project called Project Athena. Project Athena was a joint initiative of MIT, Digital Equipment Corporation, and IBM to build a distributed computing environmen…
What is Changing?
In March, Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing. They’re making these changes because the current default settings allow for a potential man-in-the-middle attack that can lead to privilege escalation. This means, once the default settings are changed, that any new doma…
Discovery Solution for Microsoft’s March 2020 Update
Lightweight Directory Access Protocol (LDAP) – How did we get here?
20 years ago, I embarked on the fantastical journey that was migrating from NT4 to Active Directory. This is also when I began learning the power of LDAP. While it was technically available, very few companies implemented secure LDAP in the early days. Most enterprise applications or internal applications took advantage of the directory (and in a wide variety of ways)…
What is a Service Account?
In this blog post, I won’t go too much into the details of service accounts, but I will class a service account as a user, Managed Service Account, or Group Managed Service Account that is used to run a process, whether that be a service, a scheduled task, an IIS application pool, or something inside an application.
The Problem?
A lot of organisations will have hundreds, maybe even thousands, of service accounts in use across their Active Directory environment. It can be …
High-Level Overview of Azure AD
If you’re reading the Insider Threat Security Blog, I’m sure you’re familiar with Active Directory. We’ve covered many topics on on-premises Active Directory: from clean-up to advanced attacks and threat detection. But what about Azure Active Directory? Has your organization started to march into the cloud and begun the migration process? Perhaps you’re just looking to wrap your head around what Microsoft has to offer. STEALTHbits is here to help.
Azure …
This blog post is part of a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory.
Active Directory is the primary authentication service used by the vast majority of organizations, including more than 95% of Fortune 500 companies. Consequently…
Now that we understand how monitoring authentication patterns and authentication-based attacks can lead to an overwhelming amount of data that prevents any meaningful analysis, we can focus on our fifth and final challenge of monitoring critical systems.
Challenge 5 – Permission Changes and Object Changes
Some of the most important changes to monitor within Active Directory are the changes to the security of the containers and objects. Permissions control who can elevate privile…