Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Kerberos Delegation Recap Previously, I gave an overview of all of the various types of Kerberos delegation, how they’re configured, and how they can potentially be abused. Prior to that, I wrote about abusing resource-based constrained delegation and Jeff Warren has written about abusing unconstrained delegation. To round out the Kerberos delegation topic, I wanted to write a quick blog on how constrained delegation can be abused to get elevated access to a specific configured service. If you’re not familiar…

Read More Read More

Improve AD Security – Block Unauthorized Activities & Strengthen Passwords with StealthINTERCEPT 7.0

Improve AD Security – Block Unauthorized Activities & Strengthen Passwords with StealthINTERCEPT 7.0

Nearly everyone uses Microsoft’s Active Directory (AD), over 90% in fact[1], to manage user accounts and provide authentication and access to the majority of organizational resources. Microsoft tells us that 95 million AD accounts are under attack every day[2]. The latest Verizon Data Breach Investigations Report informs that 56% of breaches in 2018 took a month or longer to discover[3]. Being under constant attack, and taking months to discover it, is a recipe for disaster. Many organizations do some kind…

Read More Read More

ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer

ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer

I have had the benefit of visiting a number of customers to understand how they use our products. Specifically, how they use the breach password dictionary in StealthINTERCEPT Enterprise Password Enforcer. Many actively manage their breach password database to prevent breached passwords from use.  In reviewing these password databases, I noticed many contained entries with multiple variations of a single word.  Essentially, they were manually adding character substitution or “leetspeak.” For example, the word ‘password’ would have the following entries:…

Read More Read More

An Oracle DBA’s Guide to Microsoft SQL Server Security

An Oracle DBA’s Guide to Microsoft SQL Server Security

In today’s world, it is quite common for companies to use more than one type of relational database platform to host enterprise applications.  If you are an old-time Oracle DBA like me and are asked to administer Microsoft SQL Servers in addition to Oracle databases, the task can be pretty daunting from a SQL Server security perspective.  In this blog, I will try to explain the differences and similarities between the Oracle and SQL Server security models.  The difference in…

Read More Read More

Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process

Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process

What is a Service Account? In this blog post, I won’t go too much into the details of service accounts but will class a service account as a user, Managed Service Account or a Group Managed Service Account which is used to run a process whether it be a Service, Task, IIS App Pools or used inside of an application. The Problem? A lot of organisations will have hundreds and maybe even thousands of service accounts that may be in…

Read More Read More

What is Kerberos Delegation? An Overview of Kerberos Delegation

What is Kerberos Delegation? An Overview of Kerberos Delegation

Kerberos Delegation and Usage Kerberos delegation has been around for a long time (Windows Server 2000 to be exact), but more often than not, when speaking to engineers who manage or work with Active Directory, they’re not familiar with all the various implementations of Kerberos delegation, their uses, and some ways they can be abused. What I find funny, is that most people confuse Kerberos delegation with delegated permissions. The practical usage of Kerberos delegation is to enable an application…

Read More Read More

Cybersecurity Predictions for 2020

Cybersecurity Predictions for 2020

It’s that time of the year again! As we roll into 2020 we’re proud to present our 4th edition of “STEALTHbits’ Experts Cybersecurity Predictions.” We asked eight of our top industry voices here at STEALTHbits their thoughts on what’s to come in the world of cybersecurity in the next 365 days! Read on and come back at the start of 2021 to see how we did. Ransomware Will Continue To Wreak Havoc Using the Same Old Tricks Ransomware attacks will…

Read More Read More

How to Harden your SharePoint Online Environment by Disabling Legacy Authentication

How to Harden your SharePoint Online Environment by Disabling Legacy Authentication

Allowing legacy authentication to your SharePoint online tenant unnecessarily exposes it to a number of attacks and exploits that you can easily avoid by simply disabling legacy authentication to your tenant. Microsoft has made it clear that all roads lead to the cloud, and with that Azure Active Directory has become an even more critical piece as the identity provider to O365. Microsoft has introduced a number of security-focused features into its cloud platform over the last couple of years…

Read More Read More

What is a Data Repository and What is it Used for?

What is a Data Repository and What is it Used for?

Online businesses are rapidly overtaking the revenue of brick-and-mortar businesses in today’s internet age. The changes brought forth by internet-driven communication are driving businesses to become data-driven organizations.  Organizations that master how to collect and manipulate data to their advantage will triumph over their competitors. The sheer volume of data being collected by businesses today goes beyond what traditional relational databases can handle, giving rise to a series of different data repositories – Relational Databases, Data Warehouses, Data Lakes, Data…

Read More Read More

A Guide to Active Directory Linked Attributes

A Guide to Active Directory Linked Attributes

This blog post is part of a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. This post will discuss a special type of Active Directory attribute, the Active Directory linked attribute. Linked attributes generally exist in associated pairs; one of the associated attributes is known as…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.

Privacy Preference Center

      Necessary

      Advertising

      Analytics

      Other