Going remote is the new reality as we continue to grapple with a devastating global pandemic. The transition to remote learning in our nation’s schools, in particular, has created a new level of upheaval and burden that’s impacted most every home and community. Luckily, most of Stealthbits’ existing corporate customers switched to digital work rather seamlessly after testing and reinforcing the security of their networks and IT infrastructure. Educational institutions, on the other hand, wer…
67% of organizations are not confident in their ability to uncover insider threats?
In response to new challenges, threat hunting is a developing security practice that focuses on proactively detecting and isolating advanced threats.
Detecting, preventing and mitigating “insider threats” is the most common reason for an organization to have a threat hunting program. However, in practice, what some call an “insider threat,” others may call “internal security monitoring.” Definitions of what…
So far we’ve covered how DCShadow works as well as ways this can enable attackers to create persistence within a domain without detection once they’ve obtained admin credentials. DCShadow can enable attack scenarios beyond just creating persistence, and can actually be used to elevate access for an attacker.
How can a Domain Admin elevate their access even higher? By obtaining admin rights in other forests.
Leveraging SID History, an attacker can add administrative SIDs to their user a…
Now that we understand the basics of the DCShadow feature, let’s look at some ways in which attackers can leverage DCShadow in a real world attack scenario. As we learned, DCShadow requires elevated rights such as Domain Admin, so you can assume an attacker leveraging this already has complete control of your environment. So why would an attacker want to or need to use DCShadow?
One real world scenario would be for an attacker to create persistence within the domain so they cannot lose …
If you’re familiar with Mimikatz, you’ve already seen some of the ways it exposes weaknesses in Active Directory security (if you’re not, read up!). Recently, a new feature was added to Mimikatz titled DCShadow and was presented by its authors Benjamin Delpy and Vincent LeToux at the Bluehat IL 2018 conference.
DCShadow enables Mimikatz to make changes to Active Directory by simulating a domain controller. We’ve seen this in the past from Mimikatz, with the DCSync feature, whi…
Trying to Prevent Lateral Movement on a Budget?
They say the best things in life are free. And whether you believe it or not, it’s got to be true at least every once in a while, right? Well, when it comes to securing your credentials and data, there are in fact a number of things you can do that are not only highly effective, but cost-conscious.
Not to oversimplify some otherwise complex concepts and subjects, there are three things pretty much every attacker relies upon being true in order…
Transforming Active Directory Security
Five years ago we introduced the StealthINTERCEPT product line to address the growing requirement for a comprehensive Active Directory change and access monitoring solution. We know that Active Directory is safest when it is clean, properly configured, closely monitored, and tightly controlled – that is exactly what StealthINTERCEPT has been successfully doing for its users.
The security implications of a well maintained and monitored AD environment ha…
Completely Owning MS SQL Server
If what you’re after is a toolkit to own Microsoft SQL Server from end to end, then what you need is PowerUpSQL. Implemented in PowerShell and as complete as they come, PowerUpSQL has tools to discover, compromise, elevate, target, and own just about any SQL system. It’s the whole kill chain in one tool. Just as I could have run all the initial discovery and compromise through metasploit but chose to break it up, I chose to use PowerUpSQL for this middle piece…
In the business of selling security solutions, not too long ago the phrase “defense in depth” dominated the messages. It was meant to evoke an image of defending each layer of the IT infrastructure with uniquely suited solutions. Now everyone recognizes that the notions about perimeter defenses are flawed. Real security is built into everything, not wrapped around it. However, there are many corners of the IT stack that seem to still behave as if security is going to be taken care of for them…
So far in this series, we’ve learned how attackers can target weak domain passwords in Active Directory. To complete the story, we need to look beyond domain accounts and understand the ways to attack local accounts on Windows servers and desktops. For this post, we will focus on the most important local account: Administrator. The Administrator account is built into every Windows operating system and provides full control over the system, including the ability to compromise domain accoun…
So far in this series we’ve looked at how plain text passwords can be exposed within Active Directory, which represents a major vulnerability for most AD environments. However, even if you have proper controls to prevent plain text passwords in your network, attackers can still get them pretty efficiently. How do they do this? They guess. And you’d be surprised how well guessing works at cracking passwords.
As we covered in the introductory post for this series, gu…