PowerSploit – Active Directory Security

Aug 13 2016

PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

By Sean Metcalf in Microsoft Security, PowerShell, Technical Reference

This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current information on PowerShell usage for both Blue and Red teams. Related posts: BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest …

Apr 24 2016

BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform

By Sean Metcalf in Microsoft Security, PowerShell, Security Conference Presentation/Video

This was my second year speaking at BSides Charm in Baltimore. Last year I spoke about Active Directory attack & defense and it was my first time speaking at a conference. 🙂 The presentation slides for my talk “PowerShell Security: Defending the Enterprise from the Latest Attack Platform” are now on the Presentations tab here …

Bsides Baltimore, BSides Charm, Invoke-Mimikatz, Invoke-NinjayCopy, Monad, Nishang, PowerShell, PowerShell attack, PowerShell attack and defense, PowerShell attack detection, PowerShell defenses, PowerShell Empire, PowerShell logging, PowerShell OMFG, PowerShell remoting, PowerShell v5, PowerShell version 5 security, PowerShell.exe, PowerSploit, PowerTools, PowerUp, PowerView, RDP /RestrictedAdmin, Real world PowerShell attacks, script block logging, system transcript

Feb 11 2016

Detecting Offensive PowerShell Attack Tools

By Sean Metcalf in ActiveDirectorySecurity, Malware, Microsoft Security, PowerShell, Technical Reference

At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) on PowerShell attack & defense in April 2016. More information on PowerShell Security: PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection The most …

Bypass PowerShell ExecutionPolicy, Detect Invoke-Mimikatz, Detect offensive PowerShell, detect PowerShell attack tools, ExecutionPolicyBypass, Invoke-Expression, Invoke-Mimikatz, InvokeMimikatz, New-Object Net.WebClient DownloadString, Offensive PowerShell, PowerShell Attack Tool, PowerShell Attacks, PowerShell Constrained Language Mode, PowerShell Execution Policy, PowerShell GPO, PowerShell Logging Group Policy, PowerShell Mimikatz, PowerShell.exe, PowershellLogging, PowerShellMafia, PowerShellSecurity, PowerShellv5, PowerSploit, script block logging, System-wide transcript, System.Management.Automation.dll, Windows10

Jan 03 2016

How Attackers Dump Active Directory Database Credentials

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

I previously posted some information on dumping AD database credentials before in a couple of posts: “How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller” and “Attack Methods for Gaining Domain Admin Rights in Active Directory“. This post covers many different ways that an attacker can dump credentials from Active Directory, both …

500, 502, ActiveDirectorydatabase, Administrator, copy ntds.dit, CopyNTDS.dit, DCSync, DITSnapshotViewer, dumpActiveDirectory, DumpADCredentials, DumpADCreds, DumpCredentials, DumpCreds, Esentutl, Invoke-Mimikatz, Invoke-NinjaCopy, Invoke-ReflectivePEInjection, KRBTGT, lsadump::dcsync, lsadump::lsa, mimikatz, MimikatzDCSync, ntds.dit, ntdsutil, PassTheTicket, PowerShellRemoting, PowerSploit, sekurlsa::logonpasswords, VolumeShadowCopy, VSS, VSSNTDS.dit, WMI, WMIC, WMICPassTheTicket, WMIPTT

Jan 01 2016

Attack Methods for Gaining Domain Admin Rights in Active Directory

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation). The …

Aug 02 2015

DEF CON 23 (2015) Red vs Blue: Modern Active Directory Attacks & Defense Talk Detail

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video

This week at DEF CON 23, I will be speaking about Active Directory attack & defense in my talk “Red vs Blue: Modern Active Directory Attacks & Defense”. This is the 4th iteration of this talk and includes the latest updates to attack methods and defensive strategies.This DEF CON version has a new segment I …

ActiveDirectoryAttack, ActiveDirectoryCompromise, ActiveDirectoryDefense, ADPersistence, AdvancedPersistence, CredentialTheft, DEFCON, DEFCON2015, DEFCON23, Empire, ForgedKerberos, GoldenTicket, IUM, KerberosHacking, KerberosTicket, OverPassTheHash, PowerShellEmpire, PowerSploit, RedVsBlue, SIDHistory, SilverTicket, TrustTicket, VSM, Windows10, WMI

Nov 15 2014

Owning Networks and Evading Incident Response with PowerShell

By Sean Metcalf in Microsoft Security, PowerShell, Technical Reference

PowerShell provides an easy method to bypass antivirus and other protection methods: Up until several months ago, I was a member of a penetration test team tasked with compromising data centers and evading detection. Industry standard tools such as Metasploit (an attack toolkit that includes a backdoor named Meterpreter) and Mimikatz (a password dumper) …

Invoke-ReflectivePEInjection, Meterpreter, PowerShellMagazine, PowerSploit

Nov 06 2014

How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller

By Sean Metcalf in PowerShell

I performed extensive research on how attackers dump AD credentials, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts: How Attackers Dump Active Directory Database Credentials Attack Methods for Gaining Domain Admin Rights in Active Directory The original post data follows: How Attackers Pull …

Esentutl, InvokeNinjaCopy, ntdsutil, PowerShellHacking, PowerSploit, VSSCopyNTDS.dit

Tag: PowerSploit

PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform

Detecting Offensive PowerShell Attack Tools

How Attackers Dump Active Directory Database Credentials

Attack Methods for Gaining Domain Admin Rights in Active Directory

DEF CON 23 (2015) Red vs Blue: Modern Active Directory Attacks & Defense Talk Detail

Owning Networks and Evading Incident Response with PowerShell

How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Tag: PowerSploit

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright