INSIDER THREAT SECURITY BLOG

Over the years when presenting at conferences, user groups, and customer presentations I have often talked about some of the “new ways” to help learn tools and techniques in information security. One of the resources I specifically recommend is using Docker containers and Windows Subsystem for Linux to quickly experiment with tooling without the need to manage a virtual machine or other infrastructure. I have often been asked to expand upon this topic so I wanted to document some of these …

Windows Offensive VM from Mandiant FireEye Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways enterprises can identify and prevent s…

The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges.  This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain.  When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information …

Windows Offensive VM from Mandiant FireEye What is Commando VM? Commando VM is a Windows testing platform, created by Mandiant FireEye, meant for penetration testers who are more comfortable with Windows as an operating system. Commando VM is essentially the sister to Kali, a Linux testing platform widely used throughout the penetration testing community. These testing platforms are packaged with all the common tools and scripts that a tester would need to utilize during an engagement. …

Data is what drives business, and businesses are generating and consuming more data all of the time. The explosion of collaboration tools and big data analytics has only accelerated the desire for more employees to share more data across the enterprise. So it’s no surprise to IT teams that we are being asked to retain more data, of all types, make it freely available to employees in different departments and with outside business partners and, oh yeah, secure it all, without any more budget. …

Securing Windows workstations and servers should be a priority for any organization; preventing a machine from getting compromised and being used to move laterally within an environment is a major concern. What happens when a machine is already compromised? A persistence method called ‘RID Hijacking’ is a way for an attacker to persist within your environment by granting the Guest account, or another local account, local administrator privileges by ‘hijacking’ the RID (relative identifier) of…