Stealthbits

INSIDER THREAT SECURITY BLOG

And other things that keep you up at night

Featured Blog

How Attackers Are Bypassing PowerShell Protections

Bypassing PowerShell Protections Now that we have explored various protections against malicious PowerShell, let’s look at how to get around every one of these PowerShell protections! Don’t worry, these PowerShell protections are still worth doing, and they will still make things harder on attackers and easier to detect. However, we need to be aware that they cannot stop everything. If an attacker wants to run Mimikatz and access your credentials, they will find a way. The more you know ab…
The Value of the Active Directory Attack Blog Series

Active Directory Attack Blog Series Spending time with customers in Texas last week left me speechless – literally. One customer asked me a question for which I was not prepared. They have been following our Active Directory attack blog series. They found it very interesting, but they had one major question. Why should they spend so much time thinking about what attackers do? If they spend all their time creating good security programs and practices, isn’t that the best they can do? I have …
Stealing Credentials with a Security Support Provider (SSP)

Introduction: SSP Attacks Mimikatz provides attackers several different ways to steal credentials from memory and extract them from Active Directory. One of the more interesting tools provided is the MemSSP command, which will register a Security Support Provider (SSP) on a Windows host. Once registered, this SSP will log all passwords in clear text for any users who log on locally to that system. In this post, we will explore this attack and how it can be used by attackers to elevate thei…
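A quick check a defender can run against the attack described above, added here as an example rather than code from the original post: list the SSPs registered under the LSA registry keys, compare them with an expected baseline, and look for the default log files the tooling writes. The `$Expected` package list and the log file names (`kiwissp.log`, `mimilsa.log`) are assumptions you should verify against your own builds and tooling. Note the caveat: an SSP injected only into LSASS memory (as MemSSP does) does not touch the registry, so this catches the persistent registry-based variant and the log file artefact, not the in-memory patch itself.

```powershell
# Added example (not from the original post): baseline check for registered SSPs.
# ASSUMPTION: $Expected is the package list for this host build; adjust it for your environment.
function Get-RegisteredSecurityPackages {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $pkgs = @()
    # "Security Packages" is REG_MULTI_SZ; on newer builds the Lsa value may be empty
    # and the real list lives under Lsa\OSConfig, so read both.
    foreach ($key in $lsa, "$lsa\OSConfig") {
        $v = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        if ($v) { $pkgs += $v }
    }
    $pkgs | Where-Object { $_ -ne '' } | Sort-Object -Unique
}

function Test-SecurityPackages {
    param(
        # ASSUMPTION: typical built-in packages; verify on a known-clean reference host
        [string[]]$Expected = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')
    )
    foreach ($p in Get-RegisteredSecurityPackages) {
        # A registered package that is not in the baseline (e.g. a DLL name or full path) is the signal
        $status = if ($Expected -contains $p.ToLower()) { 'expected' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Item = $p; Status = $status }
    }
    # ASSUMPTION: default log file names written by the persistent (mimilib) and in-memory (memssp) SSPs
    foreach ($f in 'kiwissp.log', 'mimilsa.log') {
        $path = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path $path) {
            [pscustomobject]@{ Item = $path; Status = 'SSP LOG FILE PRESENT' }
        }
    }
}

Test-SecurityPackages | Format-Table -AutoSize
```

Run it elevated on the host you are auditing; any row marked UNEXPECTED or SSP LOG FILE PRESENT is worth pulling the LSASS process and the referenced DLL for a closer look.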

Podcast: How to Stop Active Directory Attacks

We have just done the first episode of our Insider Threat podcast, and it was a little scary. I’m no stranger to doing a show, so that wasn’t scary. What was frightening is how easily the bad guys can exploit our Active Directory and Microsoft platforms. I sat down with Jeff Warren, who wrote our recent blog series, 4 Active Directory Attacks and How to Prevent Them, and asked him how difficult it was to find and deploy the attacks he described. Now, I know it isn’t hard to find ways to explo…

Extracting Password Hashes from the Ntds.dit File

AD Attack #3 – Ntds.dit Extraction With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers. Let’s take a look at what this threat entails and how it can be performed. Then we can review some mitigating controls to be sure you are protecting your own…
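Since the post is about pulling Ntds.dit off a Domain Controller, one of the mitigating controls a practitioner will want is detection. The example below is added here and is not code from the original post: it runs simple pattern matching over process-creation command lines for the tooling commonly used to copy the file (ntdsutil IFM, shadow copies, esentutl). The regular expressions and the sample events are constructed assumptions; tune them to your environment. Live use needs the "Include command line in process creation events" policy enabled so that Event ID 4688 carries the command line.

```powershell
# Added example (not from the original post): flag command lines associated with Ntds.dit extraction.
# ASSUMPTION: these patterns reflect common public tooling usage; they are a starting point, not a complete list.
$NtdsPatterns = @(
    'ntdsutil.*(ifm|ac i ntds|activate instance ntds)',
    'vssadmin.*create\s+shadow',
    'diskshadow',
    'esentutl.*ntds\.dit',
    'ntds\.dit'   # catch-all for copy/xcopy/robocopy of the file itself
)

function Test-NtdsExtractionCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # -match is case-insensitive in PowerShell; return the first matching pattern
    foreach ($p in $NtdsPatterns) {
        if ($CommandLine -match $p) { return $p }
    }
    return $null
}

function Find-NtdsExtractionIndicators {
    # Accepts objects with TimeCreated and CommandLine properties
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $hit = Test-NtdsExtractionCommandLine -CommandLine $Event.CommandLine
        if ($hit) {
            [pscustomobject]@{ Time = $Event.TimeCreated; Pattern = $hit; CommandLine = $Event.CommandLine }
        }
    }
}

# Constructed sample events (not real telemetry) so the script runs offline
$sample = @(
    [pscustomobject]@{ TimeCreated = '2022-05-01 10:00:00'; CommandLine = 'C:\Windows\system32\svchost.exe -k netsvcs' },
    [pscustomobject]@{ TimeCreated = '2022-05-01 10:01:00'; CommandLine = 'ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp\x" q q' },
    [pscustomobject]@{ TimeCreated = '2022-05-01 10:02:00'; CommandLine = 'vssadmin create shadow /for=C:' },
    [pscustomobject]@{ TimeCreated = '2022-05-01 10:03:00'; CommandLine = 'notepad.exe' }
)
$sample | Find-NtdsExtractionIndicators | Format-Table -AutoSize
# Expected: the ntdsutil and vssadmin rows are reported; svchost and notepad are not.

# Live use on a Domain Controller (Security log, Event ID 4688 with command line auditing enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 | ForEach-Object {
#     $x = [xml]$_.ToXml()
#     [pscustomobject]@{
#         TimeCreated = $_.TimeCreated
#         CommandLine = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
#     }
# } | Find-NtdsExtractionIndicators
```

Treat a hit on a Domain Controller as high priority: legitimate IFM creation is rare and should map to a known change.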

Performing Domain Reconnaissance Using PowerShell

AD Attack #1 – LDAP Reconnaissance The first thing any attacker will do once they gain a foothold within an Active Directory domain is to try to elevate their access. It is surprisingly easy to perform domain reconnaissance using PowerShell, and often without any elevated privileges required. In this post, we will cover a few of the different ways that PowerShell can be used by attackers to map out your environment and choose their targets. The Basics of Reconnaissance using PowerShell First, let…
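To make the point concrete, here is an added example (not code from the original post) of the kind of LDAP reconnaissance an ordinary domain user can run from PowerShell with nothing but ADSI, which is built into .NET; no RSAT module, no admin rights. It goes a little beyond the teaser by showing the queries an attacker actually uses to pick targets: Domain Controllers, Domain Admins membership, accounts with SPNs (Kerberoasting candidates) and accounts trusted for unconstrained delegation. The helper name `Invoke-LdapQuery` and the attribute list are my choices for illustration.

```powershell
# Added example (not from the original post). Runs as any authenticated domain user; uses ADSI only.
function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string[]]$Properties,
        [int]$PageSize = 1000   # paging avoids the server-side 1000-result cap
    )
    # RootDSE tells us the domain naming context without hard-coding a DN
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.Filter = $Filter
    $searcher.PageSize = $PageSize
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }

    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) {
            # result property names are lower-cased; multi-valued attributes are joined for display
            $o[$p] = @($r.Properties[$p.ToLower()]) -join ';'
        }
        [pscustomobject]$o
    }
}

# 1. Domain Controllers: userAccountControl bit SERVER_TRUST_ACCOUNT (8192), matched with the LDAP bitwise-AND rule
Invoke-LdapQuery -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' `
                 -Properties 'dnshostname', 'operatingsystem'

# 2. Direct members of Domain Admins (nested groups need a follow-up query per member)
Invoke-LdapQuery -Filter '(&(objectCategory=group)(cn=Domain Admins))' -Properties 'member'

# 3. User accounts with an SPN: their service tickets can be requested by any user and cracked offline
Invoke-LdapQuery -Filter '(&(objectCategory=user)(servicePrincipalName=*)(!(cn=krbtgt)))' `
                 -Properties 'samaccountname', 'serviceprincipalname', 'pwdlastset'

# 4. Anything trusted for unconstrained delegation (TRUSTED_FOR_DELEGATION, 524288): high-value targets
Invoke-LdapQuery -Filter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
                 -Properties 'samaccountname', 'objectcategory'
```

None of these queries generate anything unusual on the wire; they are the same reads every domain-joined workstation performs, which is exactly why they are hard to spot without object-level LDAP auditing or query baselining.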

10 Security Risks Almost Everyone Has

By Adam Laub
If you’re responsible for the management and security of an Active Directory (AD) or Windows infrastructure, you already know you’ve got a tough job.  And with thousands of configurations and potential conditions to worry about across dozens of AD and Operating System (OS) versions, where do you even begin an effort to address your most at-risk conditions?  What are they to begin with?  If you’re at a loss, I’d suggest you start right here… Below I’ve listed 10 checks you can perform to high…

5 Steps for Adopting Privileged Local Account Auditing Best Practices

By Tuula Fai
In listening to Brad Bussie’s recent webinar, I learned that securing privileged access is a complex and serious problem for organizations of any size. In a recent cybersecurity study by Praetorian, they ranked privileged system access among the top five most prevalent threats to corporate data. Why? Because system-level access has sprawled significantly over the years and most organizations have no way to govern or clean up privileged access that is no longer needed, making these systems a p…
PIM is Great. Cake is Too.

Just like a great piece of cake, PIM (Privileged Identity Management) has its proper ingredients too. Without the flour, is your cake really cake? Without understanding which accounts in your environment are actually privileged, are you really managing privileged identities? Certainly this is a matter of opinion, as we shouldn’t allow ourselves to operate in an all-or-nothing mindset – things don’t have to be perfect for them to be effective – but the point is that fundamentals make a differe…

Cutting the Bad Guys off at the Pass

I spent part of my Father’s Day weekend as a quintessential dad: lying on the couch watching “300”, the fictional portrayal of the Battle of Thermopylae, where – in the movie – a force of 300 elite Spartan warriors held off a massive Persian army by forcing the Persians to pass through a narrow canyon road to effect their invasion of Greece. The pass at Thermopylae was the smart place to fight the Persians since the bad guys – at least as portrayed in the movie – had no choice but to pass through…

© 2022 Stealthbits Technologies, Inc.