The best way to develop the best defense is to study the offense’s methods. Here are several recent reports that detail current modern network attacks: Mandiant APT Whitepaper Microsoft Security Intelligence Report Verizon Enterprise DBIR 2014
November 2014 archive
Nov 07 2014
The Ultimate Movie Hacking Tool – Command Shell at Windows Logon Screen (via “StickyKeys”)
How many times have you seen a movie where the “hacker” connects to a system with a logon screen, hits a couple of keys, and gets a command shell. Here’s how this can be done for real in Windows. The issue is that the Windows Ease of Use tools are accessible at the logon screen. …
Nov 06 2014
How Attackers Extract Credentials (Hashes) From LSASS
I performed extensive research on how attackers dump credentials from LSASS and Active Directory, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts: How Attackers Dump Active Directory Database Credentials Attack Methods for Gaining Domain Admin Rights in Active Directory Attackers can pull credentials …
Nov 06 2014
How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
I performed extensive research on how attackers dump AD credentials, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts: How Attackers Dump Active Directory Database Credentials Attack Methods for Gaining Domain Admin Rights in Active Directory The original post data follows: How Attackers Pull …
Nov 05 2014
Black Hat 2014 Presentation Video Play List
Attending Black Hat USA 2014 was a sobering and exciting experience. Here’s a playlist of interesting presentations from Black Hat conferences in 2014: KEYNOTE: Cybersecurity as Realpolitik by Dan Geer presented at Black Hat USA 2014 BadUSB – On Accessories that Turn Evil by Karsten Nohl + Jakob Lell Windows: Abusing Microsoft Kerberos Sorry You …
Nov 04 2014
BackupExec Service Account Security FAIL
Yes. It actually says that if the BackupExec account is a member of Schema Admins, do not remove! To be fair, it starts off with this Solution which covers the rights required: From Symantec (http://www.symantec.com/business/support/index?page=content&id=TECH88242)
Nov 03 2014
PowerShell Code: ADSI Convert Domain Distinguished Name to Fully Qualified Domain Name
Convert Domain Distinguished Name to Fully Qualified Domain Name: $ADObjectDN = “CN=Object1,OU=OrgUnit1,DC=child,DC=domain,DC=com” [array]$ADObjectDNArray = $ADObjectDN -Split(“,DC=”) [int]$DomainNameFECount = 0 ForEach ($ADObjectDNArrayItem in $ADObjectDNArray) { IF ($DomainNameFECount -gt 0) …
Nov 03 2014
Virtualization Updates to Active Directory 2012
As part of the many updates to Active Directory, one of the most interesting is virtualization safeguarding in Windows Server 2012. Active Directory Domain Controllers running Windows Server 2012 can now identify if they are virtualized and have been improperly restored or cloned (copied). Windows Server 2012 introduces a new feature called the VM Generation …
Nov 03 2014
PowerShell for Pentesters
PowerShell is extremely useful for admins. This power is also extremely useful for attackers. There are several PowerShell tools specifically for increasing access on a network: PowerSploit PowerSploit – PowerShell based pentest tool set developed by Mattifestation. PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, …
Nov 02 2014
Domain Controller Virtual Cloning
One of the best new features of Windows Server 2012 is virtual cloning. The ASKPFE blog has an excellent article covering this new feature: Tom Moser here with a post on one of the new ADDS features in Windows Server 2012; Virtual Domain Controller Cloning. Until now, cloning, snapshotting, copying, or pretty much doing anything …
Recent Comments