The document discusses strategies for red teaming Active Directory security. It begins with an overview of Active Directory components and how they can be exploited by attackers. It then covers offensive PowerShell techniques and how PowerShell security can be bypassed. The document also provides methods for effective Active Directory reconnaissance, including discovering administrator accounts and network assets without port scanning. Finally, it discusses some Active Directory defenses that can be deployed and potential bypass techniques.
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
Cloud Security:
Some interesting instances of breach
Best practices to protect AWS account from unauthorized access and usage
What and How to look for security loopholes
Audit scripts
What one should learn to safeguard Cloud application?
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation:
1.Explain how XPC/NSXPC work
2.Present you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3.Abuse an interesting feature on Catalina allowing to inject an unsigned dylib
4.Show you how to fix that vulnz finally!
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
In this presentation, we showed multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent.
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
Cloud Security:
Some interesting instances of breach
Best practices to protect AWS account from unauthorized access and usage
What and How to look for security loopholes
Audit scripts
What one should learn to safeguard Cloud application?
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation:
1.Explain how XPC/NSXPC work
2.Present you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3.Abuse an interesting feature on Catalina allowing to inject an unsigned dylib
4.Show you how to fix that vulnz finally!
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
In this presentation, we showed multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
Approaching the unknown - Windows Phone application security assessment guideSecuRing
Windows Phone should be gone by now.
But somehow it survived, hanging around few percent of mobile OS market share. Maybe good camera which is in those phones does it.
Sometimes even an application dedicated to WP platform shows up on pentest.
How to do it?
What tools to use?
What to check?
This talk will give you an overview of WP application security assessment, including some tips & tricks as well.
We will cover topics like:
- application internal structure
- data storage
- traffic interception
- testing on emulator vs testing on rooted phone
- code analysis of WP application
- overview of security mechanisms available on WP
There even will be a real phone with Windows Phone on it to see.
Mark Wodrich, Microsoft
Jasika Bawa, Microsoft
In the Windows 10 Fall Creators Update, we introduced Windows Defender Exploit Guard (WDEG)—a feature suite that enables you to reduce the attack surface of applications while allowing you to balance security with productivity in a realistic manner. With WDEG's smart attack surface reduction (ASR) rules and exploit protection, we are looking to provide security hardening for popularly used applications without losing sight of the complex environments being managed in most organizations. But what are these security hardening options? And how do we anticipate they will be put to work?
In this talk, we will discuss why and how we embarked upon the WDEG journey, starting all the way from our passionate Enhanced Mitigation Experience Toolkit (EMET) customers, through the conception of the WDEG feature set, to the internal mechanics behind the rich set of protections it offers. We will also demonstrate how WDEG's smart ASR rules and exploit mitigation settings can be used to reduce the likelihood of exploitation of commonplace legacy applications, now directly from Windows 10.
Dana Baril, Microsoft
Credential theft is an important part of the attacker playbook when attempting lateral movement. This process mostly involves dumping credentials saved locally on the machine. In many cases these passwords can be retrieved from the Windows Credential Manager, allowing attackers an easy path into the organization. This was evident in major attacks such as the NotPetya ransomware, and high-profile tools like Mimikatz.
In this talk, we explain how to detect credential theft out of the Windows Credential Manager using Windows Defender Advanced Threat Protection (WDATP). This involves modifying the Windows operating system to send telemetry to the WDATP cloud which was extended with new detection rules.
Author: Jakub Kaluzny
Let's talk about large-scale security programmes and maintaining security with tens of project teams - agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations what works well in regards to security at scale and what does not.
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
Securing DevOps through Privileged Access ManagementBeyondTrust
In this presentation from the webinar of Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance.
Key use cases covered include:
• Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another
• Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail
• Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc.
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
Approaching the unknown - Windows Phone application security assessment guideSecuRing
Windows Phone should be gone by now.
But somehow it survived, hanging around few percent of mobile OS market share. Maybe good camera which is in those phones does it.
Sometimes even an application dedicated to WP platform shows up on pentest.
How to do it?
What tools to use?
What to check?
This talk will give you an overview of WP application security assessment, including some tips & tricks as well.
We will cover topics like:
- application internal structure
- data storage
- traffic interception
- testing on emulator vs testing on rooted phone
- code analysis of WP application
- overview of security mechanisms available on WP
There even will be a real phone with Windows Phone on it to see.
Mark Wodrich, Microsoft
Jasika Bawa, Microsoft
In the Windows 10 Fall Creators Update, we introduced Windows Defender Exploit Guard (WDEG)—a feature suite that enables you to reduce the attack surface of applications while allowing you to balance security with productivity in a realistic manner. With WDEG's smart attack surface reduction (ASR) rules and exploit protection, we are looking to provide security hardening for popularly used applications without losing sight of the complex environments being managed in most organizations. But what are these security hardening options? And how do we anticipate they will be put to work?
In this talk, we will discuss why and how we embarked upon the WDEG journey, starting all the way from our passionate Enhanced Mitigation Experience Toolkit (EMET) customers, through the conception of the WDEG feature set, to the internal mechanics behind the rich set of protections it offers. We will also demonstrate how WDEG's smart ASR rules and exploit mitigation settings can be used to reduce the likelihood of exploitation of commonplace legacy applications, now directly from Windows 10.
Dana Baril, Microsoft
Credential theft is an important part of the attacker playbook when attempting lateral movement. This process mostly involves dumping credentials saved locally on the machine. In many cases these passwords can be retrieved from the Windows Credential Manager, allowing attackers an easy path into the organization. This was evident in major attacks such as the NotPetya ransomware, and high-profile tools like Mimikatz.
In this talk, we explain how to detect credential theft out of the Windows Credential Manager using Windows Defender Advanced Threat Protection (WDATP). This involves modifying the Windows operating system to send telemetry to the WDATP cloud which was extended with new detection rules.
Author: Jakub Kaluzny
Let's talk about large-scale security programmes and maintaining security with tens of project teams - agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations what works well in regards to security at scale and what does not.
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Nate Warfield, Microsoft
Ben Ridgway, Microsoft
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, leveraged nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the internet until it's too late. In this talk we'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace.
Securing DevOps through Privileged Access ManagementBeyondTrust
In this presentation from the webinar of Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance.
Key use cases covered include:
• Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another
• Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail
• Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc.
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/
MongoDB Days UK: Securing Your Deployment with MongoDB EnterpriseMongoDB
Presented by Mat Keep, Principal Product Manager, MongoDB
Security is more critical than ever with new computing environments in the cloud and expanding access to the Internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Topics will include:
- General security tools
- How to configure those for MongoDB
- Security features available in MongoDB such as LDAP, SSL, x.509, authentication, and encryption
Securing Your Deployment with MongoDB EnterpriseMongoDB
Presented by Mat Keep, Principal Product Manager, MongoDB
Security is more critical than ever with new computing environments in the cloud and expanding access to the Internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Topics will include:
- General security tools
- How to configure those for MongoDB
- Security features available in MongoDB such as LDAP, SSL, x.509, authentication, and encryption
Webinar: Securing your data - Mitigating the risks with MongoDBMongoDB
In this webinar, we walked through examples of the general security threats to databases. And we looked at how you can mitigate them for MongoDB deployments.
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017Micro Focus
The cyber threats facing businesses today are
constantly evolving. They are being perpetrated
by highly skilled, well-organized and well-funded
groups.
In this session we’ll take a look at
some of these threats, and how you can
mitigate your risks.
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityCloudVillage
The cloud is compelling and in many cases necessary for organizations to effectively operate.
Cloud security, on the other hand, is not as clear. Many cloud services need a hook into the on-premises environment in order to synchronize users and groups. Additionally, cloud security controls vary by the provider in availability, capability, and cost. This results in a disjointed view of user authentication, security, and potential configuration issues.
This talk explores some common cloud configuration scenarios and associated security issues.
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...Amazon Web Services
This session covers what a real-world production deployment of a fully automated deployment pipeline looks like with instances that are deployed without SSH keys. By leveraging AWS CloudFormation along with Docker and AWS CodeDeploy, we show how we achieved semi-immutable and fully immutable infrastructures, and what the challenges and remediations were.
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
Often times, developers and auditors can be at odds. The agile, fast-moving environments that developers enjoy will typically give auditors heartburn. The more controlled and stable environments that auditors prefer to demonstrate and maintain compliance are traditionally not friendly to developers or innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers. Topics covered will include shared responsibility, using compartmentalization and microservices for scope control, immutable infrastructure, and continuous security testing.
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...Priyanka Aash
Organizations have been forced to adapt to the new reality: Anyone can be targeted and many can be compromised.
This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough?
The overwhelming answer is: No.
The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMWare or Microsoft Hyper-V), and increasingly, the cloud platform.
Administrators are being dragged into a new paradigm where they have to more securely administer the environment. This involves protecting privileged credentials and limiting access. Again the question is: Are the new ways to securely administer Active Directory enough to protect against attackers? Join me in this session to find out.
Some of the areas explored in this talk:
* Explore how common methods of administration fail.
* Demonstrating how attackers can exploit flaws in typical Active Directory administration.
* Highlight common mistakes organizations make when administering Active Directory.
* Discuss what's required to protect admins from modern attacks.
* Provide the best methods to ensure secure administration and how to get executive, operations, and security team acceptance.
Exploiting Active Directory Administrator InsecuritiesPriyanka Aash
"Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer?
Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process.
This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement.
Some of the areas explored in this talk:
Current methods organizations use to administer Active Directory and the weaknesses around them.
Using RODCs in the environment in ways the organization didn't plan for (including persistence).
Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose.
Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest.
If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked."
Securing Microservices using Play and Akka HTTPRafal Gancarz
Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures.
This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
Speaker: Jay Runkel, Principal Solution Architect, MongoDB
Level: 200 (Intermediate)
Track: Operations
When architecting a MongoDB application, one of the most difficult questions to answer is how much hardware (number of shards, number of replicas, and server specifications) am I going to need for an application. Similarly, when deploying in the cloud, how do you estimate your monthly AWS, Azure, or GCP costs given a description of a new application? While there isn’t a precise formula for mapping application features (e.g., document structure, schema, query volumes) into servers, there are various strategies you can use to estimate the MongoDB cluster sizing. This presentation will cover the questions you need to ask and describe how to use this information to estimate the required cluster size or cloud deployment cost.
What You Will Learn:
- How to architect a sharded cluster that provides the required computing resources while minimizing hardware or cloud computing costs
- How to use this information to estimate the overall cluster requirements for IOPS, RAM, cores, disk space, etc.
- What you need to know about the application to estimate a cluster size
Security is more critical than ever with new computing environments in the cloud and expanding access to the Internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments.
Similar to DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory (20)
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
1. Beyond the MCSE:
Red Teaming Active Directory
Sean Metcalf (@Pyrotek3)
s e a n @ adsecurity . org
www.ADSecurity.org
2. About Me
Founder Trimarc, a security company.
Microsoft MCM (AD) & MVP
Speaker:
BSides, Shakacon, Black Hat, DEF CON, DerbyCon
Security Consultant / Researcher
Own & Operate ADSecurity.org
(Microsoft platform security info)
| @PryoTek3 | sean @ adsecurity.org |
3. Agenda
Key AD Security components
Offensive PowerShell
Bypassing PowerShell security
Effective AD Recon
AD Defenses & Bypasses
Security Pro’s Checklist
| @PryoTek3 | sean @ adsecurity.org |
9. Differing Views of Active Directory
•Administrator
•Security Professional
•Attacker
Complete picture is not well understood by any single one of them
| @PryoTek3 | sean @ adsecurity.org |
10. AD Security in ~15 Minutes
| @PryoTek3 | sean @ adsecurity.org |
11. Forests & Domains
•Forest
•Single domain or collection of domains.
•Security boundary.
•Domain
•Replication & administrative policy
boundary.
| @PryoTek3 | sean @ adsecurity.org |
13. Trusts
• Connection between domains or forests to
extend authentication boundary (NTLM &
Kerberos v5).
• Exploit a trusted domain & jump the trust
to leverage access.
• Privilege escalation leveraging an exposed
trust password over Kerberos
(ADSecurity.org).
| @PryoTek3 | sean @ adsecurity.org |
14. Cloud Connectivity
•Corporate networks are connecting to
the cloud.
•Often extends corporate network into
cloud.
•Authentication support varies.
•Security posture often dependent on
cloud services.
| @PryoTek3 | sean @ adsecurity.org |
15. Sites & Subnets
• Map AD to physical locations for replication.
• Subnet-Site association for resource
discovery.
• Asset discovery:
• Domain Controllers
• Exchange Servers
• SCCM
• DFS shares
| @PryoTek3 | sean @ adsecurity.org |
16. Domain Controllers
•Member server -> DC via DCPromo
•FSMOs – single master roles.
•Global Catalog: forest-wide queries.
•Extraneous services = potential
compromise.
| @PryoTek3 | sean @ adsecurity.org |
17. Read-Only Domain Controllers
•Read-only DC, DNS, SYSVOL
•RODC Admin delegation to non DAs
•No passwords cached (default)
•KRBTGT cryptographically isolated
•RODC escalation via delegation
•msDS-AuthenticatedToAccountList
| @PryoTek3 | sean @ adsecurity.org |
20. Group Policy
•User & computer management
•Create GPO & link to OU
•Comprised of:
• Group Policy Object (GPO) in AD
• Group Policy Template (GPT) files in
SYSVOL
• Group Policy Client Side Extensions on
clients
•Modify GPO or GPT…
| @PryoTek3 | sean @ adsecurity.org |
21. Group Policy Capability
•Configure security settings.
•Add local Administrators.
•Add update services.
•Deploy scheduled tasks.
•Install software.
•Run user logon/logoff scripts.
•Run computer startup/shutdown scripts.
| @PryoTek3 | sean @ adsecurity.org |
25. Kerberos Key Points
• NTLM password hash for Kerberos RC4 encryption.
• Logon Ticket (TGT) provides user auth to DC.
• Kerberos policy only checked when TGT is created.
• DC validates user account when TGT > 20 mins.
• Service Ticket (TGS) PAC validation optional & rare.
• Server LSASS lsends PAC Validation request to
DC’s netlogon service (NRPC).
• If it runs as a service, PAC validation is optional
(disabled)
• If a service runs as System, it performs server
signature verification on the PAC (computer LTK).
| @PryoTek3 | sean @ adsecurity.org |
27. Quick PowerShell Attack History
• Summer 2010 - DEF CON 18: Dave Kennedy & Josh
Kelly “PowerShell OMFG!”
https://www.youtube.com/watch?v=JKlVONfD53w
• Describes many of the PowerShell attack techniques
used today (Bypass exec policy, -Enc, & IE).
• Released PowerDump to dump SAM database via
PowerShell.
• 2012 – PowerSploit, a GitHub repo started by
Matt Graeber, launched with Invoke-
Shellcode.
• “Inject shellcode into the process ID of your choosing or
within the context of the running PowerShell process.”
• 2013 - Invoke-Mimkatz released by Joe Bialek
which leverages Invoke-ReflectivePEInjection.
| @PryoTek3 | sean @ adsecurity.org |
38. Effective AD Recon
Gaining better target knowledge than the Admins…
| @PryoTek3 | sean @ adsecurity.org |
39. PowerShell for AD Recon
•MS Active Directory PowerShell module
•Quest AD PowerShell module
•Custom ADSI PowerShell queries
•PowerView – Will Harmjoy (@harmj0y)
| @PryoTek3 | sean @ adsecurity.org |
43. Digging for Gold in AD
•Default/Weak passwords
•Passwords stored in user attributes
•Sensitive data
•Incorrectly secured data
•Extension Attribute data
•Deleted Objects
| @PryoTek3 | sean @ adsecurity.org |
44. Discovering Data
•Invoke-UserHunter:
• User home directory servers & shares
• User profile path servers & shares
• Logon script paths
•Performs Get-NetSession against each.
•Discovering DFS shares
•Admin hunting… follow Will Harmjoy’s
work: blog.harmj0y.net
| @PryoTek3 | sean @ adsecurity.org |
47. Fun with User Attributes: SID History
• SID History attribute supports migration
scenarios.
• Security principals have SIDs determine
permissions & resources access.
• Enables access for one account to effectively
be cloned to another.
• Works for SIDs in the same domain as well as
across domains in the same forest.
| @PryoTek3 | sean @ adsecurity.org |
52. Cracking Service Account Passwords
(Kerberoast)
Request/Save TGS service tickets & crack offline.
“Kerberoast” python-based TGS password cracker.
No elevated rights required.
No traffic sent to target.
https://github.com/nidem/kerberoast | @PryoTek3 | sean @ adsecurity.org |
75. HoneyTokens, HoneyCredentials…
•Credentials injected into memory.
•Deployment method?
•May or may not be real on the network.
•Validate account data with AD.
•Avoid these.
| @PryoTek3 | sean @ adsecurity.org |
76. Randomized Local Admin PW (LAPS)
•PowerUp to local admin rights.
•Dump service credentials.
•Leverage credentials to escalate
privileges.
•Find AD accounts with LAPS password
view rights.
•Find secondary admin account not
managed by LAPS.
| @PryoTek3 | sean @ adsecurity.org |
77. Network Segmentation
•“High Value Targets” isolated on the
network.
•Admin systems on separate segments.
•Find admin accounts for these systems &
where they logon.
•Compromise patching system to gain
access. (see PowerSCCM in PowerSploit).
| @PryoTek3 | sean @ adsecurity.org |
78. No Domain Admins
•Check domain “Administrators”
membership.
•Look for custom delegation:
•“Tier” or “Level”
•Workstation/Server Admins
•Somebody has rights!
| @PryoTek3 | sean @ adsecurity.org |
79. Privileged Admin Workstation (PAW)
• Active Directory Admins only logon to PAWs.
• Should have limited/secured communication.
• Should be in their own OU.
• May be in another forest (Red/Admin Forest).
• Compromise install media or patching system.
• Compromise in/out comms.
| @PryoTek3 | sean @ adsecurity.org |
80. Jump (Admin) Servers
• If Admins are not using Admin workstations,
keylog for creds on admin’s workstation.
• Discover all potential remoting services.
• RDP
• WMI
• WinRM/PowerShell Remoting
• PSExec
• NamedPipe
• Compromise a Jump Server, 0wn the
domain!
| @PryoTek3 | sean @ adsecurity.org |
81. AD Admin Tiers
| @PryoTek3 | sean @ adsecurity.org |
https://technet.microsoft.com/en-us/library/mt631193.aspx
82. AD Admin Tiers
| @PryoTek3 | sean @ adsecurity.org |
https://technet.microsoft.com/en-us/library/mt631193.aspx
84. ESAE Admin Forest (aka “Red Forest”)
• The “best” way to secure & protect AD.
• Separate forest with one-way forest trust.
• Separate smart card PKI system.
• Separate updating & patching system.
• All administration performed w/ ESAE
accounts & ESAE computers.
• Completely isolated.
| @PryoTek3 | sean @ adsecurity.org |
85. Universal Bypass for Most Defenses
•Service Accounts
•Over-permissioned
•Not protected like Admins
•Weak passwords
•No 2FA/MFA
•Limited visibility/understanding
| @PryoTek3 | sean @ adsecurity.org |
86. Interesting AD Facts
•All Authenticated Users have read
access to:
• Most (all) objects & their attributes in AD
(even across trusts!).
• Most (all) contents in the domain share
“SYSVOL” which can contain interesting
scripts & files.
| @PryoTek3 | sean @ adsecurity.org |
87. Interesting AD Facts:
•Standard user account…
• Elevated rights through “SID History”
without being a member of any
groups.
• Ability to modify users/groups without
elevated rights w/ custom OU ACLs.
• Modify rights to an OU or domain-
linked GPO, compromise domain.
| @PryoTek3 | sean @ adsecurity.org |
88. A Security Pro’s AD Checklist
• Identify who has AD admin rights (domain/forest).
• Identify DC logon rights.
• Identify virtual host admins (virtual DCs).
• Scan Active Directory Domains, OUs,
AdminSDHolder, & GPOs for inappropriate custom
permissions.
• Ensure AD admins protect their credentials by not
logging into untrusted systems (workstations).
• Limit service account rights that are currently DA (or
equivalent).
| @PryoTek3 | sean @ adsecurity.org |
90. Summary
•AD stores the history of an organization.
•Ask the right questions to know more
than the admins.
•Quickly recon AD in hours (or less)
•Business requirements subvert security.
•Identify proper leverage and apply.
| @PryoTek3 | sean @ adsecurity.org |
91. Questions?
Sean Metcalf (@Pyrotek3)
s e a n @ adsecurity . org
www.ADSecurity.org
Slides: Presentations.ADSecurity.org
| @PryoTek3 | sean @ adsecurity.org |
92. References
• PowerShell Empire
http://PowerShellEmpire.com
• Active Directory Reading Library
https://adsecurity.org/?page_id=41
• Read-Only Domain Controller (RODC) Information
https://adsecurity.org/?p=274
• DEF CON 18: Dave Kennedy & Josh Kelly “PowerShell OMFG!”
https://www.youtube.com/watch?v=JKlVONfD53w
• PowerShell v5 Security Enhancements
http://blogs.msdn.com/b/powershell/archive/2015/06/09/powershell-
the-blue-team.aspx
• Detecting Offensive PowerShell Attack Tools
https://adsecurity.org/?p=2604
• Active Directory Recon Without Admin Rights
https://adsecurity.org/?p=2535
| @PryoTek3 | sean @ adsecurity.org |
93. References
• Mining Active Directory Service Principal Names
http://adsecurity.org/?p=230
• SPN Directory:
http://adsecurity.org/?page_id=183
• PowerView GitHub Repo (PowerSploit)
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
• Will Schroeder (@harmj0y): I have the PowerView (Offensive Active Directory
PowerShell) Presentation
http://www.slideshare.net/harmj0y/i-have-the-powerview
• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of
Privilege
http://adsecurity.org/?tag=ms14068
• Microsoft Enhanced security patch KB2871997
http://adsecurity.org/?p=559
• Tim Medin’s DerbyCon 2014 presentation: “Attacking Microsoft Kerberos: Kicking
the Guard Dog of Hades”
https://www.youtube.com/watch?v=PUyhlN-E5MU
• Microsoft: Securing Privileged Access Reference Material
https://technet.microsoft.com/en-us/library/mt631193.aspx
• TechEd North America 2014 Presentation: TWC: Pass-the-Hash and Credential
Theft Mitigation Architectures (DCIM-B213) Speakers: Nicholas DiCola, Mark
Simos http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
| @PryoTek3 | sean @ adsecurity.org |
94. References
• Mimikatz
https://adsecurity.org/?page_id=1821
• Attack Methods for Gaining Domain Admin Rights in Active
Directory
https://adsecurity.org/?p=2362
• Microsoft Local Administrator Password Solution (LAPS)
https://adsecurity.org/?p=1790
• The Most Common Active Directory Security Issues and What
You Can Do to Fix Them
https://adsecurity.org/?p=1684
• How Attackers Dump Active Directory Database Credentials
https://adsecurity.org/?p=2398
• Sneaky Active Directory Persistence Tricks
https://adsecurity.org/?p=1929
| @PryoTek3 | sean @ adsecurity.org |
96. Detecting/Mitigating PS>Attack
• Discover PowerShell in non-standard processes.
• Get-Process modules like
“*Management.Automation*”
| @PryoTek3 | sean @ adsecurity.org |
97. Detecting EXEs Hosting PowerShell
•Event 800: HostApplication not standard
Microsoft tool
•Event 800: Version mismatch between
HostVersion & EngineVersion (maybe).
•System.Management.Automation.dll hosted
in non-standard processes.
•EXEs can natively call .Net & Windows APIs
directly without PowerShell.
| @PryoTek3 | sean @ adsecurity.org |