I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8
Sean Metcalf
Author's posts
Nov 09 2014
PowerShell Code: Check KRBTGT Domain Kerberos Account Last Password Change
From my GitHub Repo: Get-PSADForestKRBTGTInfo This function discovers all of the KRBTGT accounts in the forest using ADSI and returns the account info, specifically the last password change. Currently, the script performs the following actions: * Queries a Global Catalog in the Active Directory root domain for all KRBTGT accounts in the forest by querying …
Nov 08 2014
Mandiant MIRCon 2014 Presentation Slides
Using some Google-Fu, I was able to find some MIRCon 2014 presentation slides (sorry, no videos yet). Mandiant MIRCon 2014 Presentation Slides: R&D Track: An Insight into Symbiotic APT Groups IR Track: The Best and Worst APT Malware OSX Malware Plists, Shell Scripts and Object-C Oh-My! APT Detection with Whitelisting and Log Monitoring Management Track: …
Nov 08 2014
Hack Attack Method Whitepapers
The best way to develop the best defense is to study the offense’s methods. Here are several recent reports that detail current modern network attacks: Mandiant APT Whitepaper Microsoft Security Intelligence Report Verizon Enterprise DBIR 2014
Nov 07 2014
The Ultimate Movie Hacking Tool – Command Shell at Windows Logon Screen (via “StickyKeys”)
How many times have you seen a movie where the “hacker” connects to a system with a logon screen, hits a couple of keys, and gets a command shell. Here’s how this can be done for real in Windows. The issue is that the Windows Ease of Use tools are accessible at the logon screen. …
Nov 06 2014
How Attackers Extract Credentials (Hashes) From LSASS
I performed extensive research on how attackers dump credentials from LSASS and Active Directory, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts: How Attackers Dump Active Directory Database Credentials Attack Methods for Gaining Domain Admin Rights in Active Directory Attackers can pull credentials …
Nov 06 2014
How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
I performed extensive research on how attackers dump AD credentials, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts: How Attackers Dump Active Directory Database Credentials Attack Methods for Gaining Domain Admin Rights in Active Directory The original post data follows: How Attackers Pull …
Nov 05 2014
Black Hat 2014 Presentation Video Play List
Attending Black Hat USA 2014 was a sobering and exciting experience. Here’s a playlist of interesting presentations from Black Hat conferences in 2014: KEYNOTE: Cybersecurity as Realpolitik by Dan Geer presented at Black Hat USA 2014 BadUSB – On Accessories that Turn Evil by Karsten Nohl + Jakob Lell Windows: Abusing Microsoft Kerberos Sorry You …
Nov 04 2014
BackupExec Service Account Security FAIL
Yes. It actually says that if the BackupExec account is a member of Schema Admins, do not remove! To be fair, it starts off with this Solution which covers the rights required: From Symantec (http://www.symantec.com/business/support/index?page=content&id=TECH88242)
Nov 03 2014
PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name
Convert Domain Distinguished Name to Fully Qualified Domain Name: $ADObjectDN = “CN=Object1,OU=OrgUnit1,DC=child,DC=domain,DC=com” [array]$ADObjectDNArray = $ADObjectDN -Split(“,DC=”) [int]$DomainNameFECount = 0 ForEach ($ADObjectDNArrayItem in $ADObjectDNArray) { IF ($DomainNameFECount -gt 0) …
Nov 03 2014
Virtualization Updates to Active Directory 2012
As part of the many updates to Active Directory, one of the most interesting is virtualization safeguarding in Windows Server 2012. Active Directory Domain Controllers running Windows Server 2012 can now identify if they are virtualized and have been improperly restored or cloned (copied). Windows Server 2012 introduces a new feature called the VM Generation …
Recent Comments