Featured Blog


Active Directory persistence through userAccountControl manipulation

I’ve been doing some research on group Managed Service Accounts (gMSAs) recently and reading the MS-SAMR protocol specification for some information. I happened to stumble across some interesting information in the userAccountControl section which made us drop what we were doing to test it:

Figure 1 – Part of the userAccountControl section of the MS-SAMR specification

Effectively, when the UF_SERVER_TRUST…

Lateral Movement to the Cloud with Pass-the-PRT

There are several well-documented ways attackers and malware can spread laterally across Windows servers and desktops. Approaches like pass-the-ticket, pass-the-hash, overpass-the-hash, and Golden Tickets continue to be effective lateral movement techniques. Lateral movement has become increasingly present in targeted ransomware threats, such as Ryuk and WastedLocker. And as if that wasn’t enough to worry about, new research has…

Abusing gMSA Passwords to Gain Elevated Access

Kevin Joyce

gMSA Recap

If you’re not familiar with Group Managed Service Accounts (gMSA), you can review my last post which gave a high-level overview of how they work. In case you need a quick recap, a gMSA is a special Active Directory object used for securely running automated tasks, services and applications. The most important thing to note about these accounts, which plays into their increased security, is the automatically generate…
Bypassing MFA with Pass-the-Cookie

Jeff Warren

Multi-factor Authentication (MFA) is a great way to increase security on web applications, remote desktop sessions, VPN, and virtually anywhere a user can log into. By introducing one or more additional factors into the authentication process you can prove somebody actually is who they say they are, and prevent a significant amount of impersonation and credential-based attacks. However, when adopting and implementing MFA technology it is important to understand exactly what it …
What is a Ransomware Attack?

Todd Kovalsky

Million-dollar ransomware payouts, government protection, and ease of access will continue to fuel the growth of cybercrime. Imagine coming to work and turning on the computer only to see a message that says “repairing file system on C:” or “oops, your important files are encrypted” demanding a payment in bitcoin to decrypt them.

A typical message displayed during a Ransomware attack

When you read the headlines of six-figure ransomware payouts, you might begin to wonder how hacker …
Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Kerberos Delegation Recap

Previously, I gave an overview of all of the various types of Kerberos delegation, how they’re configured, and how they can potentially be abused. Prior to that, I wrote about abusing resource-based constrained delegation and Jeff Warren has written about abusing unconstrained delegation. To round out the Kerberos delegation topic, I wanted to write a quick blog on how constrained delegation can be abused to get elevated access to a specific configured service. I…

Setup, Configuration, and Task Execution with Covenant: The Complete Guide

In this blog post, we are taking a deeper dive into Covenant. Covenant is one of the latest and greatest Command and Control (C2) Post Exploitation Frameworks, which I covered in my previous blog post. In that post, we discussed Covenant at a high level, but now let’s go through the process of configuring and using Covenant to execute payloads on compromised hosts.

NOTE: This post demonstrates the capabilities of Covenant in mid-September 2019.

Getting Setup and Starting Covenant …

Protecting Against DCShadow

What Organizations Can Do to Stop a DCShadow Attack

Recently, I came across a post outlining how companies CANNOT effectively defend against a DCShadow attack but instead need to take a reactive approach to identify when it may have occurred by monitoring their environment, and rolling back any unwanted changes once they were identified. Unfortunately, reacting to an incident could mean the damage is already done and a malicious actor has run off with the ‘keys to the kingdom’. The best c…
What is a DCShadow Attack and How to Defend Against it

In this blog post, we’ll be covering the DCShadow attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCShadow was the topic of a previous STEALTHbits Blog post, so in this post, we’ll start with a review of DCShadow and then focus on how we can DETECT and RESPOND to this attack with StealthDEFEND.

Introduction to DCShadow

DCShadow is another late-stage kill chain attack that allows an attacker with privi…
Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant

Rest in Peace PowerShell Empire

PowerShell Empire (PSEmpire) is a Command and Control (C2) Post Exploitation Framework that has been discussed in a variety of posts on the STEALTHbits Blog.

What is PSEmpire?

PSEmpire is a great tool with a wide variety of uses in the Information Security community, including learning, red teaming and even more nefarious uses such as being used by the Ryuk Ransomware. Sadly, it has been officially announced that PSEmpire is no longer …





© 2021 Stealthbits Technologies, Inc.
