Let’s look at recon in a cloud-type environment. You have a customer. They’ve hired you to come in and pen test, red team their environment, and they said, “We want to add cloud to the scope.” What does that mean? How do we identify what sort of cloud services they have? Continue reading…
May 2024 archive
May 28 2024
Detecting the Elusive: Active Directory Threat Hunting
This is “Detecting the Elusive: Active Directory Threat Hunting”, and I am Sean Metcalf. I’m the founder of Trimarc, a Security Company, a Microsoft-Certified Master (MCM) in Active Directory. There’s about 100 in the world. I’m also a Microsoft MVP. I’ve spoken about Active Directory attack and defense at a number of conferences. I’m a …
May 28 2024
Detecting Kerberoasting Activity
Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as …
May 28 2024
Detecting Password Spraying with Security Event Auditing
A common method attackers leverage as well as many penetration testers and Red Teamers is called “password spraying”. Password spraying is interesting because it’s automated password guessing. This automated password guessing against all users typically avoids account lockout since the logon attempts with a specific password are performed against against every user and not one …
May 28 2024
Hardening Azure AD in the Face of Emerging Threats
In September of 2021, Trimarc Founder & CTO Sean Metcalf presented at Quest’s The Experts Conference. “This presentation covers some attacks that involve Microsoft cloud on-prem components as well as those against the Microsoft cloud directly. After discussing attacks and specific defenses, I will wrap up with some key recommendations. Note: There will be some …
Recent Comments