Active Directory & Azure AD/Entra ID Security

Active Directory & Azure AD/Entra ID: Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Category: Microsoft Security

Sep 25 2015

Sneaky Active Directory Persistence #13: DSRM Persistence v2

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method at DerbyCon (2015). I also presented and posted on DSRM as a persistence method previously. Complete list of Sneaky Active …

DCSync, DerbyCon, DSRM, DSRMPAssTheHash, DSRMPersistence, DSRMPTG, lsadump, mimikatz, mstsc, Pass-the-Hash, PassTheHash, pth, sam, SneakyADPersistence, SneakyPersistence, WindowsServer2012R2

Sep 25 2015

Mimikatz DCSync Usage, Exploitation, and Detection

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

Note: I presented on this AD persistence method at DerbyCon (2015). A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller. DCSync was written by Benjamin Delpy and Vincent Le Toux. The exploit method prior to DCSync was …

DCE/RPC, DCSync, DCSyncAsUser, DCSyncRights, DetectDCSync, DomainControllerImpersonation, DRSUAPI, DSGetNCChanges, DSInternals, GSS-API, Impacket, ImpersonateDC, mimikatz, MimikatzDCSync, ReplicatingDirectoryChanges, ReplicatingDirectoryChangesALL, ReplicatingDirectoryChangesInFilteredSet

Sep 19 2015

Sneaky Active Directory Persistence #14: SID History

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts SID History is …

Sep 16 2015

Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Security …

DEFCON, MaliciousSSP, mimikatz, mimilib.dll, PowerShell, Security Packages, SSP, SYSVOL

Sep 15 2015

Microsoft Local Administrator Password Solution (LAPS)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security

The Issue The real problem with local accounts on a computer in an enterprise environment is that the term “local” is a misnomer. If 50 computers on a network have the local administrator account of “Administrator” and a password of “P@55w0rd1!”, first of all that’s a HORRIBLE password. Second of all and more to the …

Sep 10 2015

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Directory …

ActiveDirectory, ActiveDirectoryAttack, ActiveDirectorySecurity, ADPersistence, ADSecurity, DEFCON, DEFCON23, DirectoryServicesRestoreMode, DirectoryServicesRestoreModePassword, DSRM, DSRMLogon, DSRMNetworkLogon, DSRMPassword, mimikatz, SneakyActiveDirectoryPersistence, SneakyADPersistence, toryAttack

Sep 02 2015

Windows Server 2016 Technical Preview 3 Download & Release Information

By Sean Metcalf in Microsoft Security, Technical Reference

Looks like we are getting closer to Windows Server 2016 RTM! Microsoft released Windows Server 2016 Technical Preview 3 in late August (Download & Release Notes).

Containers, Hyper-V, HyperV, MicrosoftPassport, NanoServer, PowerShellDirect, PowerShellv5, Server2016, ShieldedVMs, TGTTTL, time-boundgroup, VirtualTPM, Windows2016Download, WindowsServer2016, WindowsServerContainers

Aug 19 2015

Great Active Directory Attack & Defense Resources

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

I have found the following resources to be excellent when it comes to attacking & defending an enterprise with Microsoft products (Active Directory, Windows, etc). This was created in response to the many questions regarding who to follow (Twitter) or what blogs to read. 🙂 Microsoft Platform Security Resources:

ActiveDirectorySecurity, ADSecurityResources, Presentation, Resources, Slides, Twitter

Aug 13 2015

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

At Black Hat USA 2015 this summer (2015), I spoke about the danger in having Kerberos Unconstrained Delegation configured in the environment. When Active Directory was first released with Windows 2000 Server, Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to …

Aug 09 2015

Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video, Technical Reference

Slides from both of my talks this week in Vegas are now posted. There are some differences between the talks, though the primary content is similar/same. DEF CON 23 (2015) Talk Detail Black Hat USA 2015 Talk Detail Note that while some of the content is the same (mainly Blue Team information), I describe exploiting …

2015, ActiveDirectory, ActiveDirectoryAttacks, ActiveDirectoryDefense, Attack, BlackHatSlides, BlackHatUSA2015, BlueTeam, DEFCON23, DEFCONSlides, Defense, PresentationSlides, PurpleTeam, RedTeam, RedVsBlue, SecurityConference

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Made with by Graphene Themes.

Category: Microsoft Security

Sneaky Active Directory Persistence #13: DSRM Persistence v2

Mimikatz DCSync Usage, Exploitation, and Detection

Sneaky Active Directory Persistence #14: SID History

Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

Microsoft Local Administrator Password Solution (LAPS)

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

Windows Server 2016 Technical Preview 3 Download & Release Information

Great Active Directory Attack & Defense Resources

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Category: Microsoft Security

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright