Active Directory & Azure AD/Entra ID Security

Active Directory & Azure AD/Entra ID: Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Category: Technical Reference

Sep 16 2015

Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Security …

DEFCON, MaliciousSSP, mimikatz, mimilib.dll, PowerShell, Security Packages, SSP, SYSVOL

Sep 10 2015

DerbyCon V (2015): Red vs. Blue: Modern Active Directory Attacks & Defense Talk Detail

By Sean Metcalf in ActiveDirectorySecurity, Security Conference Presentation/Video, Technical Reference

In a couple of weeks, I will be speaking at DerbyCon about Active Directory attack & defense in my talk Red vs. Blue: Modern Active Directory Attacks & Defense”. This is the 5th iteration of this talk and includes the latest updates to attack methods and defensive strategies. This DerbyCon version is a blend of …

ADSecurity, DerbyCon2015, DerbyCon5, RedVsBlue

Sep 10 2015

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

ActiveDirectory, ActiveDirectoryAttack, ActiveDirectorySecurity, ADPersistence, ADSecurity, DEFCON, DEFCON23, DirectoryServicesRestoreMode, DirectoryServicesRestoreModePassword, DSRM, DSRMLogon, DSRMNetworkLogon, DSRMPassword, mimikatz, SneakyActiveDirectoryPersistence, SneakyADPersistence, toryAttack

Sep 02 2015

Windows Server 2016 Technical Preview 3 Download & Release Information

By Sean Metcalf in Microsoft Security, Technical Reference

Looks like we are getting closer to Windows Server 2016 RTM! Microsoft released Windows Server 2016 Technical Preview 3 in late August (Download & Release Notes).

Containers, Hyper-V, HyperV, MicrosoftPassport, NanoServer, PowerShellDirect, PowerShellv5, Server2016, ShieldedVMs, TGTTTL, time-boundgroup, VirtualTPM, Windows2016Download, WindowsServer2016, WindowsServerContainers

Aug 19 2015

Great Active Directory Attack & Defense Resources

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

I have found the following resources to be excellent when it comes to attacking & defending an enterprise with Microsoft products (Active Directory, Windows, etc). This was created in response to the many questions regarding who to follow (Twitter) or what blogs to read. 🙂 Microsoft Platform Security Resources:

ActiveDirectorySecurity, ADSecurityResources, Presentation, Resources, Slides, Twitter

Aug 13 2015

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

At Black Hat USA 2015 this summer (2015), I spoke about the danger in having Kerberos Unconstrained Delegation configured in the environment. When Active Directory was first released with Windows 2000 Server, Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to …

Aug 09 2015

Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video, Technical Reference

Slides from both of my talks this week in Vegas are now posted. There are some differences between the talks, though the primary content is similar/same. DEF CON 23 (2015) Talk Detail Black Hat USA 2015 Talk Detail Note that while some of the content is the same (mainly Blue Team information), I describe exploiting …

2015, ActiveDirectory, ActiveDirectoryAttacks, ActiveDirectoryDefense, Attack, BlackHatSlides, BlackHatUSA2015, BlueTeam, DEFCON23, DEFCONSlides, Defense, PresentationSlides, PurpleTeam, RedTeam, RedVsBlue, SecurityConference

Aug 07 2015

Kerberos Golden Tickets are Now More Golden

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video, Technical Reference

At my talk at Black Hat USA 2015, I highlighted new Golden Ticket capability in Mimikatz (“Enhanced Golden Tickets”). This post provides additional detailed on “enhanced” Golden Tickets. Over the past few months, I researched how SID History can be abused in modern enterprises. As part of this research, I reached out to Benjamin Delpy, …

May 11 2015

Detecting Mimikatz Use

By Sean Metcalf in Malware, Microsoft Security, Technical Reference

Benjamin Delpy published some YARA rules in detecting Mimikatz use in your environment. More information on Mimikatz capability is in the “Unofficial Mimikatz Guide & Command Reference” on this site. YARA is described as: YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA …

DetectMimikatz, HowToDetectMimikatz, KerberosTicket, KIRBI, LSASS, LSASSMiniDump, Miilib, mimikatz, WCE, YARA

May 07 2015

Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail

By Sean Metcalf in Microsoft Security, Technical Reference

At the Microsoft Ignite conference this week, there are several sessions covering Windows 10 features. One of biggest changes in Windows 10 is the new credential management method and the related “Next Generation Credential”, now named Microsoft Passport. There hasn’t been much information on how the new credential system works, so I challenged myself to …

ActiveDirectory, Authentication, AzureActiveDirectory, HighLevelOS, HLOS, IsolatedUserMode, IUM, Kerberos, LSALSO, LSASS, MicrosoftHello, MicrosoftPassport, ShieldedVMs, SKERNEL, SMART, TPMv2, VirtualSecureMode, VSM, Windows10, Windows10Authentication, WindowsCredentialStorage, WindowsServer2016

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Made with by Graphene Themes.

Category: Technical Reference

Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

DerbyCon V (2015): Red vs. Blue: Modern Active Directory Attacks & Defense Talk Detail

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

Windows Server 2016 Technical Preview 3 Download & Release Information

Great Active Directory Attack & Defense Resources

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

Kerberos Golden Tickets are Now More Golden

Detecting Mimikatz Use

Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Category: Technical Reference

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright