Is the door to your Active Directory wide open and unsecured? (David Rowe)
You wouldn’t leave the front or back door of your house unlocked and wide open, would you? Then why aren’t you as diligent with your work environment? Idle permissions and forgotten accounts – which often aren’t cleaned up – are two key areas ripe for compromise in your identity system.
Learn how:
- An attacker can use back doors into your Active Directory environment to gain access to your systems, applications, and confidential information.
- Having your administrators make a few minor changes can increase your security footprint and lower your attack surface.
Session Outcomes:
- Learn 5 free methods to secure your Active Directory.
- Deploy validated and tested policies that enhance your security footprint.
- Identify and define privileged groups in your organization.
Escalation defenses and guardrails every company should deploy (David Rowe)
Walking through a series of three common attacks on Active Directory, I guide you on deploying three very simple solutions to prevent the escalation of the bad actors' privileges.
Secure Active Directory in One Day Without Spending a Single Dollar (David Rowe)
Learn how to begin securing Active Directory with this presentation. Learn about Microsoft's ESAE Red Forest framework and the first steps you can deploy in your environment today.
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust? (BeyondTrust)
In this presentation from her webinar, Paula Januszkiewicz, Security MVP and CEO at CQURE, takes you on a technical deep dive into the Active Directory monitoring world. Topics covered include:
- The importance of properly tracking changes to AD
- Why (and how) changes to AD could impact the security of the environment
- How to monitor AND INSPECT some key situations in AD
- How to tell who, among a group of admins, has made specific changes
You can watch the on-demand webinar here: https://www.beyondtrust.com/resources/webinar/active-directory-auditing-tools-building-blocks-just-handful-dust/
This document summarizes a virtual event about preventing DDoS attacks against credit unions. The event covers 5 types of DDoS attacks and discusses practical steps credit unions can take to prepare for and prevent attacks. Presenters from RedZone Technologies discuss reviewing a credit union's security portfolio, identifying gaps, and developing a long-term investment roadmap to strengthen defenses against DDoS and other cyber threats. The event provides an overview of vendor solutions that can help protect against different attack types and questions attendees should consider.
This document provides a summary of strategies for preventing distributed denial of service (DDoS) attacks. It discusses both preventive defenses, such as securing systems against infection by patching vulnerabilities and monitoring for anomalous behavior, and reactive defenses, such as filtering spoofed traffic and increasing available resources. The key challenges are that preventive measures cannot always block all attacks and reactive strategies like filtering large traffic volumes can be expensive to implement effectively. Overall, the document outlines an approach to DDoS prevention through reducing infection risks and reacting to detected attacks.
DOS / DDOS introduction
How Easy it is to get information
Real Life Examples: MyDoom, GitHub, Dyn; Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DOS) attacks
Base of Attacks
Types of DOS / DDOS
Attack Tools: LOIC, XOIC, Stacheldraht
DOS/DDOS Weaknesses
Category of DOS/DDOS
What to defend?
Botnets and Botnets mitigations
Michael Calce, a.k.a. MafiaBoy
Point of entrance / OSI Model (if time permits)
The document discusses distributed denial of service (DDoS) attacks. It begins by defining DDoS and DoS attacks, noting that a DDoS attack involves coordinating multiple parties to overwhelm a server or application with traffic. The document then discusses the scale of DDoS attacks over time, how attacks on the scale of terabits per second can be achieved, and how DDoS attacks have become a business. It also summarizes the impact of the Mirai botnet and techniques for mitigating DDoS attacks through detection methods, split intelligence versus resource constraints, and the lack of built-in accountability on the internet.
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them (Jennifer Nichols)
This document discusses DNS security risks and how to better secure DNS infrastructure. It outlines five common DNS attack types, including TCP SYN floods, UDP floods, spoofed source address attacks, cache poisoning attacks, and man-in-the-middle attacks. It argues that general-purpose computers running operating systems like UNIX are not well-suited for DNS servers due to the complexity of securing the OS, difficulty of regularly updating both the OS and DNS software, and risk of compromise via user logins. Instead, it advocates for purpose-built appliances that are easier to secure and update to better prevent DNS attacks.
2016 State of the Internet Threat Advisory: DNSSEC DDoS Amplification Attacks (Andrey Apuhtin)
The document discusses DNSSEC amplification DDoS attacks that have been observed over the past quarters. It notes that attackers have been leveraging a specific DNSSEC-configured .gov domain to launch over 400 attacks due to the large response size it provides. The domain has been used in attacks against customers in multiple industries. It then provides technical details on how DNSSEC works and how attackers are exploiting it to amplify DDoS attacks through DNS reflection techniques.
This document discusses advanced persistent threats (APTs) and strategies for cyber defense. It describes APTs as advanced, persistent, and threatening adversaries that are formally tasked to accomplish missions. The document outlines the lifecycle of APT attacks, including establishing backdoors in networks, maintaining long-term control, and exfiltrating data using encryption. It provides examples of APT groups and tools they use, such as exploiting vulnerabilities to escalate privileges and dump cached credentials from Windows networks. The overall summary is that APTs are dangerous, organized adversaries requiring persistent cyber defense strategies.
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire (MITRE - ATT&CKcon)
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to teach college interns about security?
This presentation details how Tripwire used ATT&CK to build out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed breakdowns of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
Detection of Distributed Denial of Service Attacks (ijdmtaiir)
Denial-of-Service attacks are a type of attack on a network designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. Like viruses, new DoS attacks are constantly being dreamed up by hackers, so users have to take their own measures to protect systems, such as a firewall or up-to-date antivirus software. If a system or its links are affected by an attack, legitimate clients may not be able to connect to it. This detection system is the next level of security, protecting the server from major problems such as DoS attacks, IP flood attacks, and also proxy surfing. These kinds of anonymous activities are barred by using this concept.
This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company, https://sensenet-library.com, the attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report and deciding on the future of the company's toolset, where you will be able to answer the question of whether you should continue investing in a tool or buy a new one.
This document summarizes three papers related to data compression and network security. The first paper studies how improper implementation of data decompression in network services can enable denial-of-service attacks. It identifies 12 categories of flaws and evaluates popular services finding 10 vulnerabilities. The second paper proposes the Bohatei system to improve defense against DDoS attacks using SDN/NFV. It presents a hierarchical decomposition approach and proactive tag-based steering. The third paper examines data compression as a source of security issues, studying past attacks like zip bombs and analyzing pitfalls in design, implementation, specification and configuration of compression in network services.
This document provides a checklist for hardening the security of Windows Server systems. It outlines best practices for organizational security, preparing, installing, and configuring Windows Server, as well as user account, network, registry, and general security settings. It also addresses audit policy, software security, and finalization steps like imaging servers. Implementing the guidelines can help reduce security vulnerabilities and the risk of attacks compromising critical systems and data.
The document discusses network security concepts including attacks, defenses, encryption techniques, and intrusion detection systems. It defines various types of attacks like man-in-the-middle, denial of service, and SQL injection. It also describes defenses such as firewalls, intrusion detection/prevention systems, and virtual private networks. The document provides an overview of encryption standards like AES, hashing algorithms like SHA-1, and digital signatures. It also discusses public key infrastructure and techniques for securely accessing networks remotely.
This document is a presentation on hacking techniques given by Martin G. Nystrom from Cisco Systems. It outlines methods for footprinting targets on the internet, hacking Windows systems, hacking Unix/Linux systems, and hacking networks. For Windows, it discusses scanning, enumeration, penetration, privilege escalation, pillaging systems, gaining interactive access, and expanding influence. For Unix/Linux, it outlines discovering the landscape, enumerating systems, attacking remotely and locally, and gaining privileges beyond root. It also discusses vulnerabilities in networks and dealing with firewalls.
Time-based DDoS Detection and Mitigation for SDN Controller (Lippo Group Digital)
This document proposes a method to detect and mitigate distributed denial of service (DDoS) attacks on software defined networking (SDN) controllers using time-based characteristics. The method considers not only the malicious packet destination but also the time needed to achieve high traffic rates and periodic attack patterns. The proposed solution architecture monitors packet rates over time windows to detect abnormal traffic increases. Future work includes optimizing detection thresholds, deeper analysis of DDoS attack time patterns, and evaluation of the method's performance in a simulation.
The document discusses threats to DNS security and solutions to mitigate those threats. It describes how distributed denial of service (DDoS) attacks target name servers and use name servers to amplify attacks. It then discusses solutions such as monitoring DNS traffic levels and top queriers, using anycast to distribute queries to the closest name server, and response rate limiting to reduce amplification effects. It also covers threats like cache poisoning and malware propagation and solutions like DNSSEC and response policy zones.
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection (PROIDEA)
Adam Obszyński works at Infoblox as a Senior Systems Engineer responsible for CEE. He previously worked at Cisco, at several integrators (NXO, MCX, ATM) and at operators (ATMAN, Polbox, Multinet). He has experience in designing and deploying network and application solutions and has been in the industry for 20 years. He is a certified CCIE #8557 and CISSP. He has given presentations and workshops at many conferences in Poland and abroad (including Cisco Live US & EU, Cisco Forum, Cisco Expo, PLNOG).
Presentation topic: Case Study – Infoblox Advanced DNS Protection
Presentation language: Polish
Abstract:
Have you heard of the attack types listed below? Or perhaps you have experienced them in your own network?
Phantom domain attack
NXDomain attack
DNS reflection/DrDoS attacks
DNS amplification
DNS cache poisoning
Protocol anomalies
DNS tunneling
DNS hijacking
At the previous PLNOG I talked about the unique DNS protection provided by Infoblox ADP. This time I will talk about what is new in our DNS protection and present cases from our customers' network environments.
I will describe what happened in customers' networks and how we dealt with the problems of attacks on DNS.
Infoblox's Advanced DNS Protection solution provides comprehensive protection against many attacks on DNS services. The system intelligently distinguishes legitimate DNS traffic from malicious traffic generated by attackers, such as DNS DDoS, exploits and weaknesses. It automatically drops attack traffic while responding to legitimate DNS traffic at full performance. In addition, Advanced DNS Protection receives automatic updates to its policies/rules, ensuring continuous protection against any new developments in this field. Infoblox is the first and only vendor to offer such an exceptional and unique solution for the highest protection of critical DNS services. More details on solutions for service providers: www.infoblox.com/sp
DNSMessenger is a new fileless remote access trojan that uses DNS tunneling to conduct malicious powershell commands on compromised machines. It establishes bidirectional communication between infected machines and attackers through DNS TXT record queries and responses. The malware infects systems through a malicious word document delivered via phishing emails. It then establishes persistence through changes to the registry and installing a backdoor in the WMI database that periodically queries command and control servers for further instructions. Detection can be done through monitoring DNS traffic size and payload as well as blocking unsigned powershell scripts.
This document provides an overview of lateral movement techniques in Windows systems using credentials. It discusses authentication methods like NTLM and Kerberos, how logon sessions and access tokens are created, and how an attacker can leverage pass-the-hash, pass-the-ticket, and other techniques to authenticate as other users without needing their passwords. It demonstrates how runas and other tools can be used to create new processes under a different user identity. The goal is to understand how credentials are handled in Windows and how an attacker can manipulate logon sessions and access tokens to perform lateral movement.
DDoS Threat Landscape - Ron Winward, CHINOG16 (Radware)
- DDoS attacks continue to grow in complexity and now utilize multi-vector attacks across all layers of the infrastructure. The top failure points for networks are internet pipe saturation and stateful firewalls.
- Common attack types include UDP, ICMP, reflection attacks, TCP weaknesses like SYN floods, low and slow attacks like Slowloris, and encrypted attacks such as HTTPS floods. Anonymous hacking tools enable these attacks.
- Successful mitigation of DDoS attacks requires proactive preparation across the network, including a hybrid solution of on-premise and cloud-based detection and mitigation, emergency response planning, and a single point of contact during attacks.
Secure Active Directory in one day without spending a single dollar (David Rowe)
This document discusses securing Active Directory without spending money. It describes Active Directory and why access control is important. Privilege creep can occur over time as user accounts gain more access to objects like computers, groups and other users. This expands the attack surface for attackers. The document outlines Microsoft's Enhanced Security Administrative Environment (ESAE) solution in 3 stages with 14 steps to better separate administrative duties and limit administrative access. It provides an example of how a breach could occur if an unpatched public web server is compromised, allowing an attacker to gain domain administrator access. The document recommends two initial steps: 1) limit the number of administrative users and 2) create separate administrative accounts to better restrict administrative privileges.
Practical Red Teaming is a hands-on class designed to teach participants various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment with multiple domains and up-to-date, patched operating systems. We will cover several phases of a Red Team engagement in depth: local privilege escalation, domain enumeration, admin recon, lateral movement, Domain Admin privileges, etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OUs, etc.
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
Everything and anything is hackable and vulnerable in some way. Even with all the security governance and checkpoints, businesses are still being cyberattacked and hacked regularly.
Did you know that a public IP is attacked by a hacker after its first five minutes of life on the internet?
This presentation directly explores the 7 dangerous ways to cyberattack Azure and provides countermeasures.
More importantly, it provides some guidance to start protecting your business in the Cloud!
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemJennifer Nichols
This document discusses DNS security risks and how to better secure DNS infrastructure. It outlines five common DNS attack types, including TCP SYN floods, UDP floods, spoofed source address attacks, cache poisoning attacks, and man-in-the-middle attacks. It argues that general-purpose computers running operating systems like UNIX are not well-suited for DNS servers due to the complexity of securing the OS, difficulty of regularly updating both the OS and DNS software, and risk of compromise via user logins. Instead, it advocates for purpose-built appliances that are easier to secure and update to better prevent DNS attacks.
2016 state of the internet threat advisory dnssec ddos amplification attacksAndrey Apuhtin
The document discusses DNSSEC amplification DDoS attacks that have been observed over the past quarters. It notes that attackers have been leveraging a specific DNSSEC-configured .gov domain to launch over 400 attacks due to the large response size it provides. The domain has been used in attacks against customers in multiple industries. It then provides technical details on how DNSSEC works and how attackers are exploiting it to amplify DDoS attacks through DNS reflection techniques.
This document discusses advanced persistent threats (APTs) and strategies for cyber defense. It describes APTs as advanced, persistent, and threatening adversaries that are formally tasked to accomplish missions. The document outlines the lifecycle of APT attacks, including establishing backdoors in networks, maintaining long-term control, and exfiltrating data using encryption. It provides examples of APT groups and tools they use, such as exploiting vulnerabilities to escalate privileges and dump cached credentials from Windows networks. The overall summary is that APTs are dangerous, organized adversaries requiring persistent cyber defense strategies.
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security?
This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
Detection of Distributed Denial of Service Attacksijdmtaiir
Denial-of-Service attacks, a type of attack on
a network that is designed to bring the network to its knees by
flooding it with useless traffic. Many Dos attacks, such as
the Ping of Death ,Teardrop attacks etc., exploit the limitations
in the TCP/IP protocols. like viruses, new Dos attacks are
constantly being dreamed up by hackers.So the users have to
take own effort of a large number of protected system such as
Firewall or up-to-date antivirus software. . If the system or
links are affected from an attack then the legitimate clients may
not be able to connect it.. This detection system is the next
level of the security to protect the server from major problems
occurs such as Dos attacks, Flood IP attacks, and also the
Proxy Surfer. So these kinds of anonymous activities barred
out by using this Concept
This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company https://sensenet-library.com, the attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report and decide on future of the company's toolset where you will be able to answer a question if you should continue investing in a tool or should you buy a new one.
This document summarizes three papers related to data compression and network security. The first paper studies how improper implementation of data decompression in network services can enable denial-of-service attacks. It identifies 12 categories of flaws and evaluates popular services finding 10 vulnerabilities. The second paper proposes the Bohatei system to improve defense against DDoS attacks using SDN/NFV. It presents a hierarchical decomposition approach and proactive tag-based steering. The third paper examines data compression as a source of security issues, studying past attacks like zip bombs and analyzing pitfalls in design, implementation, specification and configuration of compression in network services.
This document provides a checklist for hardening the security of Windows Server systems. It outlines best practices for organizational security, preparing, installing, and configuring Windows Server, as well as user account, network, registry, and general security settings. It also addresses audit policy, software security, and finalization steps like imaging servers. Implementing the guidelines can help reduce security vulnerabilities and the risk of attacks compromising critical systems and data.
The document discusses network security concepts including attacks, defenses, encryption techniques, and intrusion detection systems. It defines various types of attacks like man-in-the-middle, denial of service, and SQL injection. It also describes defenses such as firewalls, intrusion detection/prevention systems, and virtual private networks. The document provides an overview of encryption standards like AES, hashing algorithms like SHA-1, and digital signatures. It also discusses public key infrastructure and techniques for securely accessing networks remotely.
This document is a presentation on hacking techniques given by Martin G. Nystrom from Cisco Systems. It outlines methods for footprinting targets on the internet, hacking Windows systems, hacking Unix/Linux systems, and hacking networks. For Windows, it discusses scanning, enumeration, penetration, privilege escalation, pillaging systems, gaining interactive access, and expanding influence. For Unix/Linux, it outlines discovering the landscape, enumerating systems, attacking remotely and locally, and gaining privileges beyond root. It also discusses vulnerabilities in networks and dealing with firewalls.
Time-based DDoS Detection and Mitigation for SDN ControllerLippo Group Digital
This document proposes a method to detect and mitigate distributed denial of service (DDoS) attacks on software defined networking (SDN) controllers using time-based characteristics. The method considers not only the malicious packet destination but also the time needed to achieve high traffic rates and periodic attack patterns. The proposed solution architecture monitors packet rates over time windows to detect abnormal traffic increases. Future work includes optimizing detection thresholds, deeper analysis of DDoS attack time patterns, and evaluation of the method's performance in a simulation.
The document discusses threats to DNS security and solutions to mitigate those threats. It describes how distributed denial of service (DDoS) attacks target name servers and use name servers to amplify attacks. It then discusses solutions such as monitoring DNS traffic levels and top queriers, using anycast to distribute queries to the closest name server, and response rate limiting to reduce amplification effects. It also covers threats like cache poisoning and malware propagation and solutions like DNSSEC and response policy zones.
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPROIDEA
Adam Obszyński – pracuje w Infoblox jako Senior Systems Engineer odpowiedzialny za CEE. Wcześniej pracował w Cisco, u kilku integratorów (NXO, MCX, ATM) i operatorów (ATMAN, Polbox, Multinet). Posiada doświadczenie w projektowaniu i wdrażaniu rozwiązań sieciowych i aplikacyjnych. W branży od 20 lat. Certyfikowany inżynier CCIE #8557 oraz CISSP. Prowadził prezentacje i warsztaty na wielu konferencjach w kraju i za granicą (m.in. Cisco Live US & EU, Cisco Forum, Cisco Expo, PLNOG).
Temat prezentacji:Case Study – Infoblox Advanced DNS Protection
Język prezentacji: Polski
Abstrakt:
Słyszałeś o typach ataków wymienionych poniżej? A może doświadczyłeś ich w swojej sieci?
Phantom domain attack
NXDomain attack
DNS reflection/DrDoS attacks
DNS amplification
DNS cache poisoning
Protocol anomalies
DNS tunneling
DNS hijacking
At the previous PLNOG I talked about unique DNS protection using Infoblox ADP. This time I will talk about what we have done that is new in DNS protection and present cases from our customers' network environments.
I will describe what happened in customers' networks and how we dealt with the problems of attacks on DNS.
The Advanced DNS Protection solution from Infoblox provides comprehensive protection against many attacks on DNS services. The system intelligently distinguishes legitimate DNS traffic from malicious DDoS traffic generated by attackers, such as DNS exploits and weaknesses. It automatically drops attack traffic while responding at full performance to legitimate DNS traffic. In addition, Advanced DNS Protection receives automatic updates to its policies/rules, ensuring constant protection against any new developments in this area. Infoblox is the first and only vendor to offer such an exceptional and unique solution for the highest level of protection of critical DNS services. More details on solutions for service providers: www.infoblox.com/sp
DNSMessenger is a new fileless remote access trojan that uses DNS tunneling to conduct malicious powershell commands on compromised machines. It establishes bidirectional communication between infected machines and attackers through DNS TXT record queries and responses. The malware infects systems through a malicious word document delivered via phishing emails. It then establishes persistence through changes to the registry and installing a backdoor in the WMI database that periodically queries command and control servers for further instructions. Detection can be done through monitoring DNS traffic size and payload as well as blocking unsigned powershell scripts.
This document provides an overview of lateral movement techniques in Windows systems using credentials. It discusses authentication methods like NTLM and Kerberos, how logon sessions and access tokens are created, and how an attacker can leverage pass-the-hash, pass-the-ticket, and other techniques to authenticate as other users without needing their passwords. It demonstrates how runas and other tools can be used to create new processes under a different user identity. The goal is to understand how credentials are handled in Windows and how an attacker can manipulate logon sessions and access tokens to perform lateral movement.
DDoS Threat Landscape - Ron Winward CHINOG16Radware
- DDoS attacks continue to grow in complexity and now utilize multi-vector attacks across all layers of the infrastructure. The top failure points for networks are internet pipe saturation and stateful firewalls.
- Common attack types include UDP, ICMP, reflection attacks, TCP weaknesses like SYN floods, low and slow attacks like Slowloris, and encrypted attacks such as HTTPS floods. Anonymous hacking tools enable these attacks.
- Successful mitigation of DDoS attacks requires proactive preparation across the network, including a hybrid solution of on-premise and cloud-based detection and mitigation, emergency response planning, and a single point of contact during attacks.
Secure active directory in one day without spending a single dollarDavid Rowe
This document discusses securing Active Directory without spending money. It describes Active Directory and why access control is important. Privilege creep can occur over time as user accounts gain more access to objects like computers, groups and other users. This expands the attack surface for attackers. The document outlines Microsoft's Enhanced Security Administrative Environment (ESAE) solution in 3 stages with 14 steps to better separate administrative duties and limit administrative access. It provides an example of how a breach could occur if an unpatched public web server is compromised, allowing an attacker to gain domain administrator access. The document recommends two initial steps: 1) limit the number of administrative users and 2) create separate administrative accounts to better restrict administrative privileges.
Practical Red Teaming is a hands-on class designed to teach participants various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment with multiple domains and up-to-date, patched operating systems. We will cover several phases of a Red Team engagement in depth – local privilege escalation, domain enumeration, admin recon, lateral movement, domain admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
Everything and anything is hackable and vulnerable in some ways. Even with all the security governance and check points, businesses are still being cyberattacked & hacked regularly.
Did you know that a public IP address is attacked within its first five minutes of life on the internet?
This presentation directly explores the 7 dangerous ways to cyberattack Azure and provides countermeasures.
More importantly, it provides some guidance to start protecting your business in the cloud!
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksZoho Corporation
Derek Melber, Technical Evangelist for the AD Solutions team at ManageEngine and one of only 12 Microsoft Group Policy MVPs in the world, from his extensive knowledge in the Windows Active Directory security domain shares practical tips on the various ways to protect a computer / organization from Windows computer / password attacks. Gain strength from the detailed 14 tips and tricks!
Exploiting Active Directory Administrator InsecuritiesPriyanka Aash
"Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer?
Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process.
This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement.
Some of the areas explored in this talk:
Current methods organizations use to administer Active Directory and the weaknesses around them.
Using RODCs in the environment in ways the organization didn't plan for (including persistence).
Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose.
Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest.
If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked."
This document discusses permissions and groups in Active Directory. It covers the different types of groups (distribution, security, etc.), and how a group's scope (domain local, global, universal) determines what objects it can include and what resources it can be assigned permissions for. The document also discusses domain and forest functional levels, inheritance and precedence of permissions, and how to use different types of groups effectively to structure access to resources.
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
Security is more critical than ever with new computing environments in the cloud and expanding access to the Internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments.
Active Directory is a centralized directory service that stores objects like users, groups, computers, and policies. It provides security and simplifies administration. Groups contain users/computers and help apply policies. Group policies centrally manage settings. Organizational units logically organize objects and delegate administration. Trusts allow access between domains. From an attacker's perspective, they would get an initial foothold, enumerate privileged accounts and permissions, and exploit any misconfigurations to escalate privileges like taking over accounts. They could also use trusts to access other domains.
This document provides an overview of object naming and structuring in Active Directory domains. It discusses the different types of objects like computers, users, and groups. It emphasizes the importance of planning object naming conventions and describes different naming methods. The document also covers creating and managing user and computer accounts, as well as creating and using groups to administer permissions to resources. Best practices are provided around setting strong passwords, using templates for consistency, and importing accounts.
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
This document discusses Microsoft Active Directory (AD), a directory service that centrally manages network resources and users. AD utilizes a distributed architecture that replicates information across domain controllers to provide redundancy and availability. Key features of AD include integrating with DNS, providing user and resource management capabilities, and supporting authentication. The document also provides an example of how AD was implemented at a company to reduce IT costs and improve security. Open directory services from Apple are mentioned as an open source alternative to AD.
The document discusses Apache Sentry, an authorization module for the Hadoop ecosystem. It provides fine-grained, role-based authorization and multi-tenant administration capabilities. Sentry concepts include bindings, policies, roles, and users/groups. Privileges can be granted on specific objects like databases and tables. Sentry integrates with Hive through minor changes and existing hooks. This allows read-only access to Hive data for remote clients.
Ch 8: Desktop and Server OS VulnerabilitiesSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
This talk will review the advanced security features in DataStax Enterprise and discuss best practices for secure deployments. In particular, topics reviewed will cover: Authentication with Kerberos & LDAP/Active Directory, Role-based Authorization and LDAP role assignment, Auditing, Securing network communication, Encrypting data files and using the Key-Management Interoperability Protocol (KMIP) for secure off-host key management. The talk will also suggest strategies for addressing security needs not met directly by the built-in features of the database such as how to address applications that require Attribute Based Access Control (ABAC).
About the Speaker
Matt Kennedy Sr. Product Manager, DataStax
Matt Kennedy works at DataStax as the product manager for DataStax Enterprise Core. Matt has been a Cassandra user and occasional contributor since version 0.7 and was named a Cassandra MVP in 2013 shortly before joining DataStax. Unlike Cassandra, Matt is not partition tolerant.
The document discusses various tactics, techniques and common knowledge for detecting cyber attacks. It outlines general security problems like authenticity, authorization, confidentiality, integrity and availability. It then discusses specific techniques used in cyber attacks like escalation of privilege, credential dumping, modifying file system permissions and disabling security tools. It provides details on how each technique works and potential ways to detect them, such as monitoring specific Windows registry keys or processes. The overall document serves as a guide on common cyber attack vectors and approaches for detection.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
A domain controller is a server that authenticates users and enforces security policies on a network domain. It stores user account information and allows access to domain resources. The primary responsibilities of a domain controller are to authenticate users when they log in and check their credentials to grant or deny network access. Domain controllers are typically deployed in clusters to ensure high availability. In Microsoft Windows environments, one domain controller acts as the primary domain controller while others act as backup domain controllers.
4. What is Active Directory?
Active Directory is a hierarchical structure that stores information about objects on a network
• Users
• Computers
• Groups
Dictates security through object ownership and group membership
5. Why access is important
Active Directory is set up as a discretionary access control model
• Based on the individual
• Each person has an account
• Accounts have access to objects
6. Why access is important
RBAC
• As administrators shift and rotate roles, they create different role groups with different access across the domain(s)
• Ex: Helpdesk – reset passwords
• Ex: Server Team – log on to servers
Privilege creep
• Over time accounts gain more and more access to objects
• These rights are often overlooked and unknown to the owners of AD
7. Why access is important
With users gaining more and more access to objects (computers, groups and other users), attackers have more areas to exploit
8. For this Presentation - Keep in mind
There are more users with privileged access on every domain than you would guess
User rights, once granted, sit idle and can be used by anyone with access to that account, group, or computer
9. Cached Creds Defined
Computer-level setting:
Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available)
The value is the number of users whose credentials are stored on the device (default 10)
By default stored as an RC4 hash on the system
10. Cached Creds Vulnerabilities
Targeted pass-the-hash – if you can’t crack it, encapsulate and pass it
RC4 NOMORE – one type of RC4 exploit – 52 hrs to crack
Rainbow tables – when I was on an incident response team I observed evidence of a plaintext password 9 minutes after the hash was compromised
11. Kerberos
• Provides the default authentication services and the authorization data necessary for a user to access a resource
12. Kerberos Policy
Encryption Type      Server 2000  Win XP  Server 2003  Vista  Server 2008  Windows 7  Server 2008 R2
DES_CBC_CRC          O            O       O            O      X            X          X
DES_CBC_MD5          O            O       O            O      O            X          X
RC4_HMAC_MD5         O            O       O            O      O            O          O
AES128_HMAC_SHA1     X            X       X            O      O            O          O
AES256_HMAC_SHA1     X            X       X            O      O            O          O
(O = supported, X = not supported)
Ref: https://goo.gl/UebQPs
13. Microsoft’s Solution – ESAE
Enhanced Security Administrative Environment
• Helps prevent compromise of administrative credentials from cyber-attacks
• Thwarts attacks by limiting exposure of admin credentials (cached credentials)
Source: https://goo.gl/UqHTJA
14. Microsoft’s Solution – 3 Stages, 14 steps
Stage   Step                                                 Imp. Cost / Ops Maint Cost
1****   Separate admin accounts for workstations             $/$
1****   Separate admin accounts for servers                  $/$
1****   Separate admin accounts for domain controllers       $/$
2       Privileged Access Workstations for admins            $$/$$$
2****   Unique local passwords for servers & workstations    $/$
2       Time-bound privileges                                $$/$$$
2       Just Enough Administration                           $/$$
2****   Lower attack surface of DCs – limit admin count      $/$
2****   Attack detection                                     $$/$$
15. Microsoft’s Solution – 3 Stages
Stage   Step                                                                  Imp. Cost / Ops Maint Cost
3*      Modernize roles and delegation model to be compliant with the tiers   $$/$$
3       Smartcard authentication for all admins                               $$$/$
3       Admin Forest for AD admins                                            $$/$$
3       Windows Defender Device Guard                                         $$/$$
3       Shielded VMs                                                          $$/$$
18. The Breach
• An unpatched public-facing web server was compromised
• An attacker exploited a vulnerability, granting admin access to the server (#5!)
• The attacker dumped the cached credentials on the server, finding a local administrator password identical across machines (#4! & #3!)
• The attacker moved laterally across the domain, probing servers until finding a computer where a domain administrator (DA) credential was stored (#2! & #1!)
• The attacker dumped the DA hash from the machine and cracked it
• The attacker now has full administrative access on the domain
21. Built-in Groups’ Rights Overview
• Account Operators: Read LAPS attribute, administer domain user and group accounts
• Administrators: Complete and unrestricted access
• Backup Operators: Override security restrictions for the sole purpose of backing up or restoring files. Allow logon locally, log on as a batch job, shut down the system
• Domain Admins: Member of every domain-joined computer’s local Administrators group
• Enterprise Admins: Permissions to change forest-wide configuration settings. Member of every domain’s Administrators group
• Group Policy Creator Owners: Can create and modify GPOs in the domain
22. Built-in Groups’ Rights Overview
• Schema Admins: Make modifications to the AD schema
• Server Operators: Can administer domain servers
• Remote Desktop Users: Members of this group can remotely log on to domain controllers in the domain. This group has no default members
• Organization Management: This is an RBAC group for MS Exchange Server. Members have admin access to the entire Exchange organization, including modifying membership of other Exchange groups
23. What is a Shadow Admin?
A shadow admin is an account that holds sensitive privileges granted directly using ACLs on AD objects rather than through membership of a privileged group.
• Attacker steals the Field Tech’s credentials, then finds groups where the stolen credential has access to modify other objects
• Attacker hijacks those objects
• Attacker continues to elevate privileges to Tier 0
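As an added example (not the deck’s own code and not from the AD_Sec_Tools repository), the following PowerShell flattens the built-in privileged groups from slides 21–22 and then reads each group’s DACL for the shadow-admin condition on slide 23: a trustee that can rewrite the group without being a member. It assumes the RSAT ActiveDirectory module on a domain-joined host (which provides the AD: drive used by Get-Acl); the function names and the $ExpectedTrustees baseline are my own.

```powershell
# Added example (not the deck's or the AD_Sec_Tools project's code): flatten the
# built-in privileged groups from slides 21-22 and then check their DACLs for
# "shadow admins" (slide 23). Assumes the RSAT ActiveDirectory module on a
# domain-joined host; the AD: drive it creates is used for Get-Acl.
Import-Module ActiveDirectory

# Groups named in the deck; Organization Management exists only with Exchange.
$PrivilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Server Operators',
    'Remote Desktop Users', 'Group Policy Creator Owners', 'Organization Management'
)

# Trustees expected to hold control over these groups (constructed baseline;
# extend it per domain). Anything else is a finding to review by hand.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'CREATOR OWNER', 'ENTERPRISE DOMAIN CONTROLLERS'
) + $PrivilegedGroups

function Get-PrivilegedPrincipals {
    # Recursively expands nested membership so that a user three groups deep
    # is still counted: nesting is how "more admins than you can guess" hides.
    $seen = @{}
    foreach ($name in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive reports an error for members from other domains; the
        # remaining members are still returned.
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            $key = $m.SID.Value
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Name   = $m.SamAccountName
                    Class  = $m.objectClass
                    Groups = [System.Collections.Generic.List[string]]::new()
                }
            }
            $seen[$key].Groups.Add($name)
        }
    }
    $seen.Values
}

function Find-ShadowAdmins {
    # An ACE that lets a trustee rewrite a privileged group (or its DACL/owner)
    # is membership in all but name. Per-attribute WriteProperty and specific
    # extended rights are left out here; only "all properties/rights" counts.
    $controlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'
    foreach ($name in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights     = $ace.ActiveDirectoryRights.ToString()
            $hasControl = [bool]($controlRights | Where-Object { $rights -match $_ })
            if (-not $hasControl -and $ace.ObjectType -eq [guid]::Empty) {
                $hasControl = $rights -match 'WriteProperty|ExtendedRight'
            }
            if (-not $hasControl) { continue }
            $trustee = $ace.IdentityReference.Value
            $short   = $trustee -replace '^[^\\]+\\', ''   # drop the DOMAIN\ prefix
            if ($ExpectedTrustees -contains $trustee -or $ExpectedTrustees -contains $short) { continue }
            [pscustomobject]@{
                Group     = $name
                Trustee   = $trustee
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: the flattened admin list (the count ESAE stage 2 asks you to cut),
# then the ACL findings, which on a clean domain should be empty.
Get-PrivilegedPrincipals | Sort-Object Name |
    Format-Table Name, Class, @{ Name = 'Groups'; Expression = { $_.Groups -join ', ' } }
Find-ShadowAdmins | Format-Table -AutoSize
```

Exchange installations will legitimately surface trustees such as its own permission groups in the second table; the point of the baseline list is that every remaining trustee is explained and documented, not that the list is empty by decree.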
28. Tiered Guidelines
Tier 0 – Domain Admins: Accounts which have the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers and systems that manage DCs
Tier 1 – Server Admins: Accounts with control over resources or that manage critical data and applications. Objects: Servers
Tier 2 – Workstation Admins: Accounts with administrative privileges over standard user accounts and standard-user devices. Objects: Workstations
33. Common tools to exploit Cached Creds
Mimikatz
JtR
Hashcat
Ophcrack
Taskmanager… + lsass.exe
Pwdumpx + passwordPro
34. Report on your domain’s cache settings
Find machines on the domain that have cached creds enabled
*AD_Computer_CachedCredsFind Computers without Cached Cred
GPO.ps1
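As an added example (not the AD_Sec_Tools script named on this slide), the following PowerShell reports the cached-logons setting from slide 9 on every active domain computer, so that the ESAE step “removing cached credentials” can be verified rather than assumed. It assumes the RSAT ActiveDirectory module and PowerShell remoting (WinRM) access to the targets; the function and parameter names are my own, while the Winlogon registry value CachedLogonsCount is where Windows stores the “Interactive logon: Number of previous logons to cache” policy.

```powershell
# Added example (not the AD_Sec_Tools script named on slide 34): report the
# cached-logons setting on every active domain computer. Assumes the RSAT
# ActiveDirectory module and WinRM (PowerShell remoting) access to the targets.
Import-Module ActiveDirectory

# "Interactive logon: Number of previous logons to cache" (slide 9) is stored
# as this REG_SZ value; Windows defaults to 10, and 0 disables caching.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RegName = 'CachedLogonsCount'

function Get-CachedLogonsReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$StaleDays = 30     # skip machines that have not logged on recently
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties OperatingSystem, LastLogonDate |
        Where-Object { $_.LastLogonDate -gt $cutoff }

    foreach ($c in $computers) {
        try {
            $count = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ArgumentList $RegPath, $RegName -ScriptBlock {
                param($path, $name)
                (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($null -eq $count) { $count = 10 }   # value absent: treated as the Windows default
            $status = 'OK'
        } catch {
            $count  = $null
            $status = "Unreachable: $($_.Exception.Message)"
        }
        $enabled = if ($null -eq $count) { $null } else { [int]$count -gt 0 }
        [pscustomobject]@{
            Computer          = $c.Name
            OperatingSystem   = $c.OperatingSystem
            CachedLogonsCount = $count
            CachingEnabled    = $enabled
            Status            = $status
        }
    }
}

# Usage: machines that still cache domain credentials, highest count first.
# Servers and DCs should report 0 (ESAE: remove cached credentials, then reboot).
Get-CachedLogonsReport |
    Where-Object { $_.CachingEnabled -eq $true } |
    Sort-Object { [int]$_.CachedLogonsCount } -Descending |
    Format-Table Computer, OperatingSystem, CachedLogonsCount, Status -AutoSize
```

Unreachable hosts are listed with their error rather than dropped, because a server that cannot be audited is itself a finding.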
46. More presentations available at
secframe.com
https://github.com/davidprowe/AD_Sec_Tools
@customes
david [@] secframe.com
Editor's Notes
The thing that bothers me, is that I logged into a computer… years ago. It remembered my password. I logged into it with an old password, like really old. The computer wasn’t even on the network. I.T. asked me to log into it because they needed to get something off of it. Who can use this password? Who can pretend to be me?
Discretionary access control:
Each user has an account.
Each user is a member of groups.
Groups access objects: computers, groups and users.
100% of stage 1
50% of stage 2
Removing cached credentials
Separate admin accounts for DA, admins and workstation admins
Unique local computer passwords
Limit number of administrators
Audit and alert! - powershell
Add three and label with correct stuff
Implement, REBOOT
Dump clear-text passwords from memory using mimikatz and the Windows Task Manager to dump the LSASS process.
To do this, dump the lsass.exe process to a file using the Windows built-in Task Manager by right-clicking “lsass.exe” and selecting “Create Dump File”.
There are ways around the VSS copy, but those methods involve another form of elevation on the computer, typically elevating to SYSTEM. If you have auditing and alerting turned on for special logons, this should trigger an alert.
Event ID 8193 – vss started