The Techniques Attackers Use and Best Practices for Defending Your Organization
Introduction
An attacker who gets into your network is seldom content with their initial foothold. To achieve their ultimate objective, whether that’s stealing sensitive information or planting malware, they need to leverage the account they have compromised to move laterally through your environment and escalate their privileges until they gain access to more data or resources.
In other words, the accoun…
Active Directory persistence through userAccountControl manipulation
I’ve been doing some research on group Managed Service Accounts (gMSAs) recently and reading the MS-SAMR protocol specification for some information. I happened to stumble across some interesting information in the userAccountControl section which made us drop what we were doing to test it:
Figure 1 – Part of the userAccountControl section of the MS-SAMR specification
Effectively, when the UF_SERVER_TRUST_…
What is Internal Reconnaissance?
Internal Reconnaissance is one of the first steps an attacker will take once they have compromised a user or computer on the internal network. This usually involves using tools or scripts to enumerate and collect information to help them identify where they should try and compromise next on the internal network to get what they need. An example of a tool that is commonly used for internal reconnaissance is BloodHound which can map out paths for an attacker….
In this blog post, we are taking a deeper dive into Covenant. Covenant is one of the latest and greatest Command and Control (C2) Post Exploitation Frameworks, which I covered in my previous blog post. In that post, we discussed Covenant on a high level but now let’s go through the process of configuring and using Covenant to execute payloads on compromised hosts.
NOTE: This post demonstrates the capabilities of Covenant in Mid-September 2019.
Getting Setup and Starting Covenant
T…
What Organizations Can Do to Stop a DCShadow Attack
Recently, I came across a post outlining how companies CANNOT effectively defend against a DCShadow attack but instead need to take a reactive approach to identify when it may have occurred by monitoring their environment, and rolling back any unwanted changes once they were identified. Unfortunately, reacting to an incident could mean the damage is already done and a malicious actor has run off with the ‘keys to the kingdom’. The best co…
In this blog post, we’ll be covering the DCShadow attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCShadow was the topic of a previous STEALTHbits Blog post, so in this post, we’ll start with a review of DCShadow and then focus on how we can DETECT and RESPOND to this attack with StealthDEFEND.
Introduction to DCShadow
DCShadow is another late-stage kill chain attack that allows an attacker with privil…
Rest in Peace PowerShell Empire
PowerShell Empire (PSEmpire) is a Command and Control (C2) Post Exploitation Framework that has been discussed in a variety of posts on the STEALTHbits Blog.
What is PSEmpire?
PSEmpire is a great tool with a wide variety of uses in the Information Security community including learning, red teaming and even more nefarious uses such as being used by the Ryuk Ransomware.
Sadly, it has been officially announced that PSEmpire is no longer b…
Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain. Read the article for a great breakdown of the attack, but here’s a quick summary.
Step 1 – Domain Compromise
An attacker has compromised Domain Admin privileges within Active Directory and wants to make sure the…
Lateral movement techniques like Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash provide attackers with ways to take stolen or compromised credentials and spread out across a network to achieve privilege escalation. I recently found myself testing some Active Directory attacks from a Kali Linux host, and needed a way to use compromised credentials from this Linux system on my Windows boxes. Luckily, this is something supported by Mimikatz and surprisingly easy to perform. …
Abusing RBCD and MachineAccountQuota
Delegation is an area that is confusing and complicated for most Active Directory administrators. Unconstrained delegation, constrained delegation, and even resource-based constrained delegation all play a role in not only your Active Directory infrastructure, but also its security posture. For example, unconstrained delegation is very insecure, and can be abused relatively easily. If you’re unfamiliar with the different types of delegation and how they…