Creating Persistence with DCShadow
Now that we understand the basics of the DCShadow feature, let’s look at some ways in which attackers can leverage DCShadow in a real world attack scenario. As we learned, DCShadow requires elevated rights such as Domain Admin, so you can assume an attacker leveraging this already has complete control of your environment. So why would an attacker want to or need to use DCShadow?
One real world scenario would be for an attacker to create persistence within the domain so they cannot lose t…
3 Zero-Cost Tactics That Make it Difficult for Attackers to Move Laterally
Trying to Prevent Lateral Movement on a Budget?
They say the best things in life are free. And whether you believe it or not, it’s got to be true at least every once in a while, right? Well, when it comes to securing your credentials and data, there are in fact a number of things you can do that are not only highly effective, but cost conscious.
Not to oversimplify some otherwise complex concepts and subjects, there are three things pretty much every attacker relies upon being true in order…
Market Trends: Announcing StealthINTERCEPT 5.0 General Availability – With Enterprise Password Enforcer & LSASS Guardian™
Transforming Active Directory Security
Five years ago we introduced the StealthINTERCEPT product line, to address the growing requirement for a comprehensive Active Directory change and access monitoring solution. We know that Active Directory is safest when it is clean, properly configured, closely monitored, and tightly controlled – that is exactly what StealthINTERCEPT has been successfully doing for its users.
The security implications of a well maintained and monitored AD environment ha…
Attacking Microsoft SQL Server Databases
In the business of selling security solutions, not too long ago the phrase “defense in depth” dominated the messages. It was meant to evoke an image of defending each layer of the IT infrastructure with uniquely suited solutions. Now everyone recognizes that the notions about perimeter defenses are flawed. Real security is built into everything, not wrapped around it. However, there are many corners of the IT stack that seem to still behave as if security is going to be taken care of for them…
Finding Weak Passwords in Active Directory
So far in this series we’ve looked at how plain text passwords can be exposed within Active Directory, which represents a major vulnerability for most AD environments. However, even if you have proper controls to prevent plain text passwords in your network, attackers can still get them pretty efficiently. How do they do this? They guess. And you’d be surprised how well guessing works at cracking passwords.
As we covered in the introductory post for this series, gue…
Down the Bad Rabbit Hole
Update 2017-10-27 1:30pm EDT: Multiple researchers are reporting an exploit in the BadRabbit sample that is largely based on the EternalRomance exploit published in the ShadowBrokers leak.
On October 24, 2017, STEALTHbits was alerted to a ransomware campaign spreading across Eastern Europe and Russia. There are reports that the infection is leveraging the EternalBlue, the exploit generally believed to be developed by the U.S. National Security Agency (NSA), however there is no evidence to su…
4 Active Directory Password Attacks and How to Protect Against Them
Active Directory Password Attacks
So far in our travels through Active Directory security, we’ve looked at attacks against permissions, credentials, service accounts, and many of the open-source toolkits available for getting more hands-on exposure to these techniques. Inside each scenario, an attacker is attempting to increase their privileges and compromise sensitive information. Some techniques like Pass-the-Hash and Golden Tickets are designed to compromise accounts without ever knowing t…
Attack Step 1: Finding Where Data Lives – File System Attacks
Finding Where Interesting Information May Live
We’re going to make some assumptions at the start of this attack. We will assume we already have full access to any credentials we need. Why? Because we’ve already shown you how you can grab any credential you might need all the way up to the highest level of administrative rights. The question you now need to ask is this: what can you do with those rights?
Credentials are the means, but data is the ends. So the first thing you do with all these…
Learn How to Defeat Advanced Attacks against Active Directory at Microsoft Ignite 2017
There’s a lot of news coverage on threats like ransomware, malware, and phishing that are all about punching holes in organizations to grab quick spoils. But what isn’t getting a lot of coverage is the careful, patient planning attackers do once inside your Microsoft Active Directory (AD) environment. They fly under the radar scoping out your domain and amassing privileges so they can spread out, dig in, and access a smorgasbord of sensitive data. These meticulously executed—and ultimately mo…
File System Attacks
Credentials Are the Means to Attack Data
If you’ve been reading the attack blog series until now, you’ve seen we have focused on attacks against Active Directory – like attacking core AD infrastructure, leveraging AD service accounts to attack, attacking AD with misconfigured permissions, and our series on Mimikatz attacks. Of course, AD is the hub for so much access to data in any organization that it may feel like those attacks actually compromise everything else. Today we’re kicking off ou…
