Detecting Persistence through Active Directory Extended Rights
Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain. Read the article for a great breakdown of the attack, but here’s a quick summary.
Step 1 – Domain
Compromise
An attacker compromised Domain Admin privileges within
Active Directory and wants to make sure the…
15 Cases for File Activity Monitoring: Part 2
If you read part 1 in this series, you caught a glimpse of how STEALTHbits file activity monitoring solutions help solve critical change and access issues without the use of native logs. Today we’ll delve deeper into the explanation of these solutions and reveal five more real-life cases where you could use our file activity monitoring solutions.
Case 6: File Tampering
File tampering is when a user modifies the contents of
a file such as spreadsheet calculations or other data.
The ST…
ProTip: Utilizing the New Active Directory Activity Reporting in StealthAUDIT 9.0
The recent release of StealthAUDIT 9.0 brings a lot of new features and exciting improvements. Among them, include enhancements and capabilities aligning to our Active Directory (AD) & Azure, Box, Dropbox, Exchange, File Systems, SharePoint, and Windows modules. We even introduced a new module for Oracle database auditing and compliance reporting which is very exciting for our users, enabling them to understand permissions, activity events, sensitive data and configuration related inform…
Using Docker and Windows Subsystem for Linux to Learn and Experiment with New Information Security Tools
Over the
years when presenting at conferences, user groups, and customer presentations I
have often talked about some of the “new ways” to help learn tools
and techniques in information security. One of the resources I specifically
recommend is using Docker containers and Windows Subsystem for Linux to quickly
experiment with tooling without the need to manage a virtual machine or other
infrastructure.
I have
often been asked to expand upon this topic so I wanted to document some of
these …
Resource-Based Constrained Delegation Abuse
Abusing RBCD and MachineAccountQuota
Delegation is an area that is confusing and complicated for most Active Directory administrators. Unconstrained delegation, constrained delegation, and even resource-based constrained delegation all play a role in not only your Active Directory infrastructure, but also its security posture. For example, unconstrained delegation is very insecure, and can be abused relatively easily. If you’re unfamiliar with the different types of delegation and how they…
Announcing StealthAUDIT 9.0
StealthAUDIT 9.0 – Something for Everyone
If you know StealthAUDIT, you know it’s one of the most versatile technologies around for addressing a broad range of data collection and analysis, reporting, and governance needs. StealthAUDIT appeals to the requirements of multiple audiences within an organization, simultaneously facilitating successful outcomes for security, compliance, and operationally focused teams. While its usefulness to so…
Announcing StealthDEFEND 2.1
When we released StealthDEFEND 2.0 earlier this year, we knew we were breaking new ground in the Active Directory security space. We had delivered a solution purpose-built to detect the most advanced attacks against Active Directory in real-time, drastically reducing time to detection while increasing the ability for organizations to respond to these attacks quickly and efficiently. The response (pun int…
What is a Global Catalog Server?
The global catalog is a feature of Active Directory (“AD”) domain controllers that allows for a domain controller to provide information on any object in the forest, regardless of whether the object is a member of the domain controller’s domain.
Domain controllers with the global catalog feature enabled
are referred to as global catalog servers and can perform several functions
that are especially important in a multi-domain forest environment:
Authentication. During an interactive …
15 Cases for File Activity Monitoring: Part 1
For many organizations, monitoring file activity is challenging due to the configuration complexity and performance concerns associated with native auditing. As a result, administrators do not have a way to answer some of their most critical questions. In this three-part blog series, we’ll discuss 15 real-life use cases where STEALTHbits file activity monitoring solutions can play a key role in solving critical change and access issues without the use of native logs.
Case
1: Pre-Departure …
How to Secure SharePoint
SharePoint continues to remain one of the most popular
content collaboration platforms (CCP) at the enterprise-level, continuing to
grow in adoption year over year. This adoption shows not only growth in the
expected area of SharePoint Online, but continued expansion in SharePoint
On-Premises as well.
As SharePoint continues to grow, one of the largest areas of concern is around the security of the platform. A well designed, maintained, and governed SharePoint farm is usually a very safe e…
