mimikatz – Page 2 – Active Directory Security

Nov 30 2015

Real-World Example of How Active Directory Can Be Compromised (RSA Conference Presentation)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, RealWorld

At the RSA Conference in Abu Dhabi earlier this month, Stefano Maccaglia (Incident Response Consultant with RSA) presented “Evolving Threats: dissection of a Cyber-Espionage attack.” The slides for this talk are available on the RSA Conference site (UPDATE: RSA removed the slides from their site, Presentation Slides on Yumpu). This post covers and adds some …

ActiveDirectory, DomainControllerExploit, mimikatz, MS14068, RealWorld, RSAConference, spearphish

Nov 22 2015

Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

The two key goals of any attack is access and persistence. This post covers elements of each. In a post-exploitation scenario where the attacker has compromised the domain or an account with delegated rights, it’s possible to dump the clear-text passwords of admins without being a Domain Admin*. This method requires the Active Directory Domain …

Nov 17 2015

How Attackers Use Kerberos Silver Tickets to Exploit Systems

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reading, Technical Reference

Usually Golden Tickets (forged Kerberos TGTs) get all the press, but this post is about Silver Tickets and how attackers use them to exploit systems. I have talked about how Silver Tickets can be used to persist and even re-exploit an Active Directory enterprise in presentations at security conferences this year. This post continues this …

Sep 25 2015

Sneaky Active Directory Persistence #13: DSRM Persistence v2

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method at DerbyCon (2015). I also presented and posted on DSRM as a persistence method previously. Complete list of Sneaky Active …

DCSync, DerbyCon, DSRM, DSRMPAssTheHash, DSRMPersistence, DSRMPTG, lsadump, mimikatz, mstsc, Pass-the-Hash, PassTheHash, pth, sam, SneakyADPersistence, SneakyPersistence, WindowsServer2012R2

Sep 25 2015

Mimikatz DCSync Usage, Exploitation, and Detection

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

Note: I presented on this AD persistence method at DerbyCon (2015). A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller. DCSync was written by Benjamin Delpy and Vincent Le Toux. The exploit method prior to DCSync was …

DCE/RPC, DCSync, DCSyncAsUser, DCSyncRights, DetectDCSync, DomainControllerImpersonation, DRSUAPI, DSGetNCChanges, DSInternals, GSS-API, Impacket, ImpersonateDC, mimikatz, MimikatzDCSync, ReplicatingDirectoryChanges, ReplicatingDirectoryChangesALL, ReplicatingDirectoryChangesInFilteredSet

Sep 16 2015

Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Security …

DEFCON, MaliciousSSP, mimikatz, mimilib.dll, PowerShell, Security Packages, SSP, SYSVOL

Sep 10 2015

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Directory …

ActiveDirectory, ActiveDirectoryAttack, ActiveDirectorySecurity, ADPersistence, ADSecurity, DEFCON, DEFCON23, DirectoryServicesRestoreMode, DirectoryServicesRestoreModePassword, DSRM, DSRMLogon, DSRMNetworkLogon, DSRMPassword, mimikatz, SneakyActiveDirectoryPersistence, SneakyADPersistence, toryAttack

Aug 07 2015

Kerberos Golden Tickets are Now More Golden

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video, Technical Reference

At my talk at Black Hat USA 2015, I highlighted new Golden Ticket capability in Mimikatz (“Enhanced Golden Tickets”). This post provides additional detailed on “enhanced” Golden Tickets. Over the past few months, I researched how SID History can be abused in modern enterprises. As part of this research, I reached out to Benjamin Delpy, …

Jul 15 2015

It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts

By Sean Metcalf in Microsoft Security, Technical Reading

In early 2015, I theorized that it’s possible to forge inter-realm (inter-trust) Kerberos tickets in a similar manner to how intra-domain TGTs (Golden Tickets) and TGSs (Silver Tickets) are forged. Around the same time, Benjamin Delpy updated Mimikatz to dump trust keys from a Domain Controller. Soon after, Mimikatz gained capability to forge inter-realm trust …

AskTGS, ForgeKerberosTicket, Inter-RealmKey, Kekeo, Kerberos, mimikatz, TGS, TGT, TrustKey, TrustPassword, TrustTicket
5 comments

May 11 2015

Detecting Mimikatz Use

By Sean Metcalf in Malware, Microsoft Security, Technical Reference

Benjamin Delpy published some YARA rules in detecting Mimikatz use in your environment. More information on Mimikatz capability is in the “Unofficial Mimikatz Guide & Command Reference” on this site. YARA is described as: YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA …

DetectMimikatz, HowToDetectMimikatz, KerberosTicket, KIRBI, LSASS, LSASSMiniDump, Miilib, mimikatz, WCE, YARA

Tag: mimikatz

Real-World Example of How Active Directory Can Be Compromised (RSA Conference Presentation)

Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync

How Attackers Use Kerberos Silver Tickets to Exploit Systems

Sneaky Active Directory Persistence #13: DSRM Persistence v2

Mimikatz DCSync Usage, Exploitation, and Detection

Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)

Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)

Kerberos Golden Tickets are Now More Golden

It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts

Detecting Mimikatz Use

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Tag: mimikatz

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright