Tag Archive: ActiveDirectorySecurity

Sep 27

Some Favorite DerbyCon 6 Talks (2016)

This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few. …

Continue reading »

Mar 09

Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes. All posts in my Sneaky Active Directory Persistence Tricks series This post explores how an attacker could leverage computer account credentials to persist in an enterprise …

Continue reading »

Jan 22

ADSecurity.org in the Press!

IT World Canada reached out to me recently to help with an article on Active Directory attack & defense. Read the article: “IT not doing enough to secure Active Directory, says expert.” IIT World Canada also requested comments for a second story titled: “22 tips for preventing ransomware attacks“.

Jan 05

Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works

In late 2014, I discovered that the domain field in many events in the Windows security event log are not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name and depending on the tool used to …

Continue reading »

Oct 14

The Most Common Active Directory Security Issues and What You Can Do to Fix Them

The past couple of years of meeting with customers is enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more. I spoke about Active Directory attack and defense at several security conferences this year including …

Continue reading »

Sep 10

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts   The Directory …

Continue reading »

Aug 19

Great Active Directory Attack & Defense Resources

I have found the following resources to be excellent when it comes to attacking & defending an enterprise with Microsoft products (Active Directory, Windows, etc). This was created in response to the many questions regarding who to follow (Twitter) or what blogs to read. 🙂 Microsoft Platform Security Resources:

Continue reading »

Aug 07

Kerberos Golden Tickets are Now More Golden

At my talk at Black Hat USA 2015, I highlighted new Golden Ticket capability in Mimikatz (“Enhanced Golden Tickets”). This post provides additional detailed on “enhanced” Golden Tickets. Over the past few months, I researched how SID History can be abused in modern enterprises. As part of this research, I reached out to Benjamin Delpy, …

Continue reading »

May 25

Summer Speaking Engagements

I am thrilled to announce I will be speaking about Active Directory security at the following security conferences: Shakacon (Waikiki Beach, HI) Black Hat USA (Las Vegas, NV) DEF CON (Las Vegas, NV) Each talk will cover current AD attack techniques and the latest defensive methods. Additionally, I will be sharing some exciting new information …

Continue reading »

May 08

Microsoft Ignite 2015 Security Sessions

Microsoft retired several conferences this year (TechEd, MEC, MMC, etc) and merged them into a single mega-conference called Microsoft Ignite 2015. About 23,000 people (~29k including all staff and support personnel) converged on the McCormick Place Conference Center in Chicago, IL during the week of May 4th (May the Fourth be With You!). I recently …

Continue reading »

Older posts «