Going remote is the new reality as we continue to grapple with a devastating global pandemic. The transition to remote learning in our nation’s schools, in particular, has created a new level of upheaval and burden that has impacted almost every home and community. Luckily, most of Stealthbits’ existing corporate customers switched to digital work rather seamlessly after testing and reinforcing the security of their networks and IT infrastructure. Educational institutions, on the other hand, were…
Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain. Read the article for a great breakdown of the attack, but here’s a quick summary.
Step 1 – Domain Compromise
An attacker compromised Domain Admin privileges within Active Directory and wants to make sure the…
In this post we will discuss the concept of Honey Pots, and how StealthDEFEND utilizes Honey Tokens in its threat detection to provide an additional line of defense against attackers.
Introduction to Honey Pots
Wikipedia defines “Honey Pots” as a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
Honey Pots are not a new concept in the realm of Information Security. Implementations of Honey Pots …
Windows Offensive VM from Mandiant FireEye
Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways enterprises can identify and prevent s…
A lot of my posts have covered Mimikatz and how it can be used to explore Active Directory and Windows security to learn how various attacks work. Recently, the author of Mimikatz released a new feature which exposes a new attack surface that could be used to create persistence within AD.
This feature uses a subauthentication package to manipulate the Active Directory login process and escalate user privileges based on arbitrary conditions.
Basically, an attacker with ac…
In this blog post, we’ll be talking about the DCSync attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCSync was the topic of a previous STEALTHbits blog post, so we’ll start this post with a review of DCSync and then cover what we can do about this attack with StealthDEFEND.
What is DCSync?
DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of a Domain Controller (DC) in order to retrieve passwo…
Active Directory has always been at the center of it all, but with the advent of highly powerful, incredibly clever tools like Mimikatz, BloodHound, CrackMapExec, and the like, Active Directory has now become the center of attention.
Since 2005, STEALTHbits has been providing organizations of all sizes the best products and tools available to understand, manage, and secure their increasingly complex, ever-changing, ever-growing Active Directory environments. Now in 2019, at precisely…
This is the first in a 3-part blog series, which will be followed by a webinar on February 28th.
Lateral movement techniques are one of the most common approaches attackers can use to infiltrate your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and Ryuk.
We’ve looked recently at how to detect pass-the-hash attacks using honeypots and in doing research into the most effective ways to detect this type…
STEALTHbits mitigates a new vulnerability that uses Exchange Authentication to gain AD Admin privileges
A new attack, posted by Dirk-jan Mollema, an independent security researcher, exploits how Exchange uses NTLM over HTTP to authenticate to the Active Directory domain. Read the complete details.
This attack combines known vulnerabilities in a new way to achieve privilege escalation that can be used to attack AD. Here is how the attack works.
An attacker sends a re…
Cyber Attack Reference Guide for Security Practitioners
For over a year now, we’ve been documenting all the most common and clever techniques attackers have developed to compromise Active Directory credentials on their way to complete domain dominance. Frustratingly, but not surprisingly, both the number of attack methods to choose from and the frequency with which they are used have only risen over the past 12 months, which got us thinking…
How – besides continuing to provide cutting edge solu…
67% of organizations are not confident in their ability to uncover insider threats?
In response to new challenges, threat hunting is a developing security practice that focuses on proactively detecting and isolating advanced threats.
Detecting, preventing and mitigating “insider threats” is the most common reason for an organization to have a threat hunting program. However, in practice, what some call an “insider threat,” others may call “internal security monitoring.” Definitions of what…