Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE
Stealthbits

INSIDER THREAT SECURITY BLOG

And other things that keep you up at night

Blog >Search

Featured Blog

Detecting Persistence through Active Directory Extended Rights

Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain.  Read the article for a great breakdown of the attack, but here’s a quick summary. Step 1 – Domain Compromise An attacker compromised Domain Admin privileges within Active Directory and wants to make sure the…

Honey Token Threat Detection with StealthDEFEND

In this post we will discuss the concept of Honey Pots, and how StealthDEFEND utilizes Honey Tokens in its threat detection to provide an additional line of defense against attackers. Introduction to Honey Pots Wikipedia defines “Honey Pots” as a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Honey Pots are not a new concept in the realm of Information Security. Implementations of Honeypots …

Commando VM: Using the Testing Platform

Windows Offensive VM from Mandiant FireEye Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways enterprises can identify and prevent s…

Domain Persistence with Subauthentication Packages

A lot of my posts have covered Mimikatz and how it can be used to explore Active Directory and Windows security to learn how various attacks work.  Recently, the author of Mimikatz released a new feature which exposes a new attack surface that could be used to create persistence within AD.  This feature uses a subauthentication package to manipulate the Active Directory login process and escalate user privileges based on arbitrary conditions.  Basically, an attacker with ac…

What is DCSync? An Introduction

In this blog post, we’ll be talking about the DCSync attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCSync was the topic of previous STEALTHbits Blog post, so we’ll start this post with a review of DCSync and then cover what we can do about this attack with StealthDEFEND. What is DCSync? DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve passwo…

New – Purpose-Built Active Directory Threat Detection & Response Platform

| Adam Laub | | Leave a Comment
Active Directory has always been at the center of it all, but with the advent of highly powerful, incredibly clever tools like Mimikatz, BloodHound, CrackMapExec, and the like, Active Directory has now become the center of attention. Since 2005, STEALTHbits has been providing organizations of all sizes the best products and tools available to understand, manage, and secure their increasingly complex, ever-changing, ever-growing Active Directory environments.  Now in 2019, at precisely…

How to Detect Pass-the-Hash Attacks

This is the first in a 3-part blog series, that will be followed by a webinar February 28th. Lateral movement techniques are one of the most common approaches attackers can use to infiltrate your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and Ryuk. We’ve looked recently at how to detect pass-the-hash attacks using honeypots and in doing research into the most effective ways to detect this type…

New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges

STEALTHbits mitigates a new vulnerability that uses Exchange Authentication to gain AD Admin privileges A new attack has been posted by Dirk-jan Mollemma, an independent security researcher that exploits how Exchange uses NTLM over HTTP to authenticate to the Active Directory Domain. Read the complete details. This attack combines known vulnerabilities in a new way to achieve privilege escalation that can be used to attack AD. Here is how the attack works. An attacker sends a re…

Stealthbits Cyber Kill Chain Attack Catalog: Active Directory Attacks and More

Cyber Attack Reference Guide for Security Practitioners For over a year now, we’ve been documenting all the most common and clever techniques attackers have developed to compromise Active Directory credentials on their way to complete domain dominance.  Frustratingly, but not surprisingly, the number of attack methods to choose from and the frequency of attack prevalence have only risen over the past 12 months, which got us thinking… How – besides continuing to provide cutting edge solu…

2018 Threat Hunting Report

67% of organizations are not confident in their ability to uncover insider threats? In response to new challenges, threat hunting is a developing security practice that focuses on proactively detecting and isolating advanced threats. Detecting, preventing and mitigating “insider threats” is the most common reason for an organization to have a threat hunting program. However, in practice, what some call an “insider threat,” others may call “internal security monitoring.” Definitions of what…

Subscribe

DON’T MISS A POST. SUBSCRIBE TO THE BLOG!


Loading

© 2022 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.

FREE TRIAL