Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Category: Technical Reference

Sep 10 2015

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Directory …

ActiveDirectory, ActiveDirectoryAttack, ActiveDirectorySecurity, ADPersistence, ADSecurity, DEFCON, DEFCON23, DirectoryServicesRestoreMode, DirectoryServicesRestoreModePassword, DSRM, DSRMLogon, DSRMNetworkLogon, DSRMPassword, mimikatz, SneakyActiveDirectoryPersistence, SneakyADPersistence, toryAttack

Sep 02 2015

Windows Server 2016 Technical Preview 3 Download & Release Information

By Sean Metcalf in Microsoft Security, Technical Reference

Looks like we are getting closer to Windows Server 2016 RTM! Microsoft released Windows Server 2016 Technical Preview 3 in late August (Download & Release Notes).

Containers, Hyper-V, HyperV, MicrosoftPassport, NanoServer, PowerShellDirect, PowerShellv5, Server2016, ShieldedVMs, TGTTTL, time-boundgroup, VirtualTPM, Windows2016Download, WindowsServer2016, WindowsServerContainers

Aug 19 2015

Great Active Directory Attack & Defense Resources

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

I have found the following resources to be excellent when it comes to attacking & defending an enterprise with Microsoft products (Active Directory, Windows, etc). This was created in response to the many questions regarding who to follow (Twitter) or what blogs to read. 🙂 Microsoft Platform Security Resources:

ActiveDirectorySecurity, ADSecurityResources, Presentation, Resources, Slides, Twitter

Aug 13 2015

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

At Black Hat USA 2015 this summer (2015), I spoke about the danger in having Kerberos Unconstrained Delegation configured in the environment. When Active Directory was first released with Windows 2000 Server, Microsoft had to provide a simple mechanism to support scenarios where a user authenticates to a Web Server via Kerberos and needs to …

Aug 09 2015

Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video, Technical Reference

Slides from both of my talks this week in Vegas are now posted. There are some differences between the talks, though the primary content is similar/same. DEF CON 23 (2015) Talk Detail Black Hat USA 2015 Talk Detail Note that while some of the content is the same (mainly Blue Team information), I describe exploiting …

2015, ActiveDirectory, ActiveDirectoryAttacks, ActiveDirectoryDefense, Attack, BlackHatSlides, BlackHatUSA2015, BlueTeam, DEFCON23, DEFCONSlides, Defense, PresentationSlides, PurpleTeam, RedTeam, RedVsBlue, SecurityConference

Aug 07 2015

Kerberos Golden Tickets are Now More Golden

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video, Technical Reference

At my talk at Black Hat USA 2015, I highlighted new Golden Ticket capability in Mimikatz (“Enhanced Golden Tickets”). This post provides additional detailed on “enhanced” Golden Tickets. Over the past few months, I researched how SID History can be abused in modern enterprises. As part of this research, I reached out to Benjamin Delpy, …

May 11 2015

Detecting Mimikatz Use

By Sean Metcalf in Malware, Microsoft Security, Technical Reference

Benjamin Delpy published some YARA rules in detecting Mimikatz use in your environment. More information on Mimikatz capability is in the “Unofficial Mimikatz Guide & Command Reference” on this site. YARA is described as: YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA …

DetectMimikatz, HowToDetectMimikatz, KerberosTicket, KIRBI, LSASS, LSASSMiniDump, Miilib, mimikatz, WCE, YARA

May 07 2015

Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail

By Sean Metcalf in Microsoft Security, Technical Reference

At the Microsoft Ignite conference this week, there are several sessions covering Windows 10 features. One of biggest changes in Windows 10 is the new credential management method and the related “Next Generation Credential”, now named Microsoft Passport. There hasn’t been much information on how the new credential system works, so I challenged myself to …

ActiveDirectory, Authentication, AzureActiveDirectory, HighLevelOS, HLOS, IsolatedUserMode, IUM, Kerberos, LSALSO, LSASS, MicrosoftHello, MicrosoftPassport, ShieldedVMs, SKERNEL, SMART, TPMv2, VirtualSecureMode, VSM, Windows10, Windows10Authentication, WindowsCredentialStorage, WindowsServer2016

May 06 2015

Windows Server 2016 Technical Preview 2 Now Available for Download

By Sean Metcalf in Technical Reference

Windows Server 2016 Technical Preview 2 Now Available for Download (ISO or VHD): https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview What’s new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview: Privileged access management Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such pass-the-hash, spear phishing, and …

Download, TechnicalPreview2Download, WindowsServer10, WindowsServer2016

Apr 12 2015

SPN Scanning – Service Discovery without Network Port Scanning

By Sean Metcalf in Microsoft Security, Technical Reading, Technical Reference

The best way to discover services in an Active Directory environment is through what I call “SPN Scanning.” The primary benefit of SPN scanning for an attacker over network port scanning is that SPN scanning doesn’t require connections to every IP on the network to check service ports. SPN scanning performs service discovery via LDAP …

DiscoverSQLServers, Exchange, HyperV, NetworkPortScanning, PowerShellRemoting, RDP, SPNScanning, SQL, VMWare, WinRM, WSMan

Copyright

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.

Made with by Graphene Themes.

Category: Technical Reference

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

Windows Server 2016 Technical Preview 3 Download & Release Information

Great Active Directory Attack & Defense Resources

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

Black Hat USA 2015 & DEF CON 23 (2015) Presentation Slides Posted!

Kerberos Golden Tickets are Now More Golden

Detecting Mimikatz Use

Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail

Windows Server 2016 Technical Preview 2 Now Available for Download

SPN Scanning – Service Discovery without Network Port Scanning

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Copyright

Category: Technical Reference

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Tags

Copyright