Attack Defense & Detection

This page is meant to be a resource for detecting & defending against attacks.
I provide references for the attacks and a number of defense & detection techniques.

Active Directory & Windows Security

ATTACK

AD Recon


DCSync


DCShadow


DPAPI


Attacking Active Directory


Active Directory Privilege Escalation


Kerberos (AD) Attacks


Forged Kerberos Tickets


DEFENSE

Windows Security


Windows 10 Security


Windows Event Auditing


Effective Defenses & Hunting


Application Whitelisting Resources


Building Robust Detection


ADFS


POWERSHELL


TOOLS


TWITTER ACCOUNTS TO FOLLOW

  • Aaron Margosis @AaronMargosis – co-author with Mark Russinovich on Sysinternals books (and topics), publishes the Microsoft Windows security baselines (Windows 10, Windows Server 2016, etc.), and AaronLocker (a simpler method of deploying AppLocker).
  • Andy Robbins @_wald0 & Rohan Vazarkar @cptjesus – wrote Bloodhound
  • Benjamin Delpy @gentilkiwi – wrote Mimikatz & Kekeo
  • Carlos Perez @Carlos_Perez – Red/Blue/Purple teamer focused on Windows & AD security and more (& Microsoft MVP)
  • Dane @cryps1s – has published real-world Windows firewall, Windows Event Forwarding (WEF) references, and other Windows security topics.
  • DirectoryRanger @DirectoryRanger – tweets out useful info relating to AD security
  • Jason Fossen @JasonFossen – SANS Instructor on Windows security topics
  • Jess Dodson @girlgerms – blogger & speaker on Active Directory security topics (& Microsoft MVP)
  • Jessica Payne @jepayneMSFT – has promoted the use of the Windows Firewall and created WEFFLES.
  • Lee Christensen @tifkin_ – wrote many cool tools like unmanaged PowerShell used in most attack tools & discovered the DC Print Service/Unconstrained delegation privilege escalation.
  • Marcello @byt3bl33d3r – publishes offensive Windows & AD tools like CrackMapExec, DeathStar, Password Spraying Toolkit, etc.
  • Matt Graeber @mattifestation – founded PowerSploit, documented Device Guard, and numerous PowerShell and Device Guard bypasses (& Microsoft MVP)
  • Matt Nelson @enigma0x3 – discovered numerous Windows vulnerabilities and privilege escalations (top 100 Microsoft security researchers)
  • Oddvar Moe @Oddvarmoe – Windows security researcher (& Microsoft MVP)
  • Sean Metcalf @PyroTek3 – maintainer of ADSecurity.org and AD enthusiast.
  • SwiftOnSecurity @SwiftonSecurity – the parody account that’s worth following. Tons of Windows advice and recommendations not found elsewhere based on real world experience (& Microsoft MVP)
  • Vincent LeToux @mysmartlogon – wrote the DCSync & DCShadow components in Mimikatz
  • Will @Harmj0y – wrote PowerView, the original Bloodhound ingest PowerShell script, Rubeus and more! (& Microsoft MVP)
  • Microsoft Azure AD @AzureAD – Microsoft’s Azure Active Directory account tweets info about… Azure AD topics.

Don’t follow @NerdPyle since he doesn’t talk AD anymore. 😉

(I’m sure there are a bunch I forgot)


MITRE ATT&CK ACTIVE DIRECTORY RELATED ELEMENTS
