Stealthbits

INSIDER THREAT SECURITY BLOG

And other things that keep you up at night


Featured Blog

Honey Token Threat Detection with StealthDEFEND

In this post we will discuss the concept of Honey Pots, and how StealthDEFEND utilizes Honey Tokens in its threat detection to provide an additional line of defense against attackers. Introduction to Honey Pots Wikipedia defines “Honey Pots” as a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Honey Pots are not a new concept in the realm of Information Security. Implementations of Honeypots …

The Open Share Epidemic

Open Access or unrestricted file share access is an inevitable condition that exists in most, if not all, enterprise environments. Many organizations create ‘Open Shares’ to allow end-users an easy way to access resources. What is an Open Share? These shares are open in the sense that access to them is unrestricted at both the Share and NTFS levels, meaning most end users can access them. This is achieved by the use of ‘Open Access Groups’ such as the built-in groups listed below: E…

Commando VM: Using the Testing Platform

Windows Offensive VM from Mandiant FireEye Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways enterprises can identify and prevent s…

ProTip: LDAP Reconnaissance

The start of Active Directory attacks, like LDAP Reconnaissance, involves finding vulnerabilities on a network and grabbing “intel” about sensitive accounts like Domain, Enterprise, and Schema Admins. After an attacker initially compromises a system on a network, they will pretty much have no privileges in the domain. This leaves an attacker hungry for more, and with the way Active Directory is designed, they can query objects inside a directory pretty easily. LDAP queries are key in an a…

What is the California Consumer Privacy Act (CCPA)?

The EU GDPR took the world by storm, upping the compliance ‘ante’ and causing other countries to follow suit in protecting consumer privacy. While the United States hasn’t implemented any federal regulation of this sort, many states have begun to implement their own regulations at the state level. For California, the clock has already begun ticking with the California Consumer Privacy Act (CCPA), a GDPR-like regulation with a compliance timeline of January 1st, 2020. The CCPA int…

Domain Persistence with Subauthentication Packages

A lot of my posts have covered Mimikatz and how it can be used to explore Active Directory and Windows security to learn how various attacks work. Recently, the author of Mimikatz released a new feature which exposes a new attack surface that could be used to create persistence within AD. This feature uses a subauthentication package to manipulate the Active Directory login process and escalate user privileges based on arbitrary conditions. Basically, an attacker with ac…

PowerShell Tips and Tricks for Scripting Active Directory Test Environments

Implement Password Policy Compliance Monitoring and Leverage Important Enhancements to Active Directory and LDAP Auditing with StealthINTERCEPT 6.1

There are two functional areas of Active Directory management and security that every organization struggles with; one is changing their password policies and the other is identifying the source of LDAP traffic. StealthINTERCEPT efficiently addresses both of these challenges in Version 6.1. Password Pain? How to Improve Your Password Policy The NIST 800-63B password guidelines walk back almost two decades of guidance about how companies should approach password security. And the realit…

How to Restore Deleted Active Directory Objects

AD Installation Overview As the primary authentication service in the majority of organizations worldwide, the health and operational integrity of Active Directory has a direct impact on the overall security of your organization. The capability to roll back and recover from changes to your Active Directory infrastructure, whether accidental or malicious, is an important and often overlooked aspect of your ability to maintain the security and performance of your network. When Active D…

What is DCSync? An Introduction

In this blog post, we’ll be talking about the DCSync attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCSync was the topic of a previous STEALTHbits Blog post, so we’ll start this post with a review of DCSync and then cover what we can do about this attack with StealthDEFEND. What is DCSync? DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of a Domain Controller (DC) in order to retrieve passwo…

STEALTHbits ProTip, STEALTHbits Blog

ProTip: Create PII Retention Policies in O365 to Help Abide with GDPR Guidelines

By Chris Nieves

Automate the Process of Disposing of Data With GDPR now in effect, organizations are legally required to remove personal data once its purpose for processing has been met. In March of 2019 a Danish taxi company, Taxa 4×35, was fined $180,000 for failing to properly dispose of its customers’ personally identifiable information (PII). An audit found that the company was only removing the customer’s name from the documents; however, other personally identifiable information such as telephone numbers …


© 2022 Stealthbits Technologies, Inc.
