Zerologon: From Zero to Hero – Part 3
Stealthbits’ Zerologon Detection and Mitigation Solution
In my two previous blogs, we’ve gone over the new patch and update plans from Microsoft (Part 1), as well as the attack itself (Part 2). Now let’s talk about how we at Stealthbits can help. We’re actively working in the lab and investigating ways we can audit, detect, and potentially mitigate the Zerologon vulnerability. Check out the updates for each of our products below and see how they can help or what we have in the works!
A…
Zerologon: From Zero to Hero – Part 2
How Does it Work?
In Part 1 of this blog series (What is Zerologon?), we discussed how Zerologon exploits a vulnerability in NetLogon that allows a malicious actor on your network to take over a Domain Controller (DC), and eventually your entire domain. Now let’s dive into the specifics of how Zerologon works.
Using Mimikatz to Execute the Zerologon Exploit
For starters, you can easily identify if a target domain controller is vulnerable to the Zerologon exploit with Mimikatz by run…
Zerologon: From Zero to Hero – Part 1
What is Zerologon?
Zerologon exploits a vulnerability in NetLogon that allows a malicious actor on your network to take over a Domain Controller (DC), and eventually your entire domain. Since this attack requires no authentication and only network access, it has been given a CVSS score of 10.0 (the highest score available). At a high level, an unauthenticated attacker is able to use NetLogon Remote Protocol to connect to a Domain Controller and change the DC password to something they kno…
Is Privileged Access Management in Need of a Fresh New Approach?
Software products to address privileged access have been around for 20 years. From Password Vaulting to Proxy Servers to Dedicated Administrative Accounts, popular Privileged Access Management (PAM) products are overly expensive and complicated. Many of the current PAM solutions available were first developed more than a decade ago and are based on antiquated architectures and years of code bloat that over-complicate even the simplest of tasks. Don’t get me started o…
Adding a Linux Host to an Active Directory Domain
The Linux operating system has come a long way since 1991 when it was first introduced by Linux Torvalds as a free operating system. Today, some form of Linux is used in devices ranging from high-end servers to IoT devices. More often than not, common database platforms such as Oracle, PostgreSQL, MySQL, and MongoDB, are deployed on servers running Linux. One notable exception was the Microsoft SQL Server. That changed recently after Microsoft announced support for Linux st…
Where do My Files Sent Using Teams Chat Go?
Do you know what happens when you share a file via a Microsoft Team’s – Team Chat? That file is not just saved in the Teams chat but is also uploaded to either SharePoint or OneDrive depending if the chat was directly with another person or with a Team. In this blog, we will cover the locations that you can access shared files for future use.
OneDrive:
When sharing a file directly with another person using the Teams chat, the file you send is uploaded to both you and your target user’s…
SERVER (UN)TRUST ACCOUNT
Active Directory persistence through userAccountControl manipulation
I’ve been doing some research on group Managed Service Accounts (gMSAs) recently and reading the MS-SAMR protocol specification for some information. I happened to stumble across some interesting information in the userAccountControl section which made us drop what we were doing to test it:
Figure 1 – Part of the userAccountControl section of the MS-SAMR specification
Effectively, when the UF_SERVER_TRUST…
ProTip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for Oracle
Now that you have been using StealthAUDIT for Oracle for a while, you might be wondering how to squeeze more value out of the product by enhancing the information it is collecting and reporting on.
StealthAUDIT for Oracle relies on the Oracle Traditional Auditing or Unified Auditing capabilities to collect and report on user activity, as well as successful or unsuccessful server or database logon activity. Neither Traditional Auditing nor …
What is a Data Protection Impact Assessment (DPIA)?
Article 35 of the EU General Data Protection Regulation (GDPR) describes the requirement for organizations to “carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. This process referred to as a Data Protection Impact Assessment (DPIA), is an integral component of the GDPR, and if not carried out when required, can leave an organization open to enforcement action such as potentially steep fines.
In this blo…
What is Privacy by Design?
In this era of big data, it is in an organization’s best interest to seek to safeguard their critical data assets, especially sensitive data, to the best of their ability. However, data breaches continue to occur, and according to certain studies, are happening every minute. And now with more consumer data being collected than ever, these breaches pose a real problem not only to an organization’s operations but to their credibility. But imagine if data security, and possibly more i…
