From Botnets to DACL Backdoors: A Journey through Modern Active Directory Attacks – Part I

From Botnets to DACL Backdoors: A Journey through Modern Active Directory Attacks – Part I

Active Directory DACL Backdoors In my last blog post, we examined Active Directory (AD) backdoors and how to defend against them. The botnets’ primary communication mechanism relied on abusing AD attributes. Once established, these botnets allow attackers to communicate across internal security controls, exfiltrate data—and most importantly—gain a foothold that is very difficult to detect and remove. All accomplished without one line of malicious code. Now that’s a real life advanced persistent threat…only it isn’t as advanced as nation-state style…

Read More Read More

STEALTHbits ProTip: Filter out Event Noise with STEALTHbits File Activity Monitor (sFAM)

STEALTHbits ProTip: Filter out Event Noise with STEALTHbits File Activity Monitor (sFAM)

STEALTHbits File Activity Monitor The STEALTHbits File Activity Monitor has multiple configuration options to filter out noisy event operations from file servers. For example, Windows® native logs are typically big offenders when it comes to logging these noise events, creating more than 200 log entries when a user creates, reads, modifies, and then saves a file. The sFAM utility filters those operations into a more human-readable, event audit trail for those file operations. The sFAM utility also includes many scoping…

Read More Read More

Prevent Data Theft with File Activity Monitoring

Prevent Data Theft with File Activity Monitoring

Preventing Data Theft with File Activity Monitoring If you ask most folks who pay attention to cybersecurity what the recent big-name breaches and headline-grabbing malware have in common, you would get many answers. Some would say they were next-generation ransomware like NotPetya or WannaCry. Others would say that the HBO and Sony breaches started with a phishing email and ballooned from there. Even more would say that next-generation firewalls should have helped but didn’t. While these are all true, they…

Read More Read More

How Attackers are Stealing your Credentials with Mimikatz – Insider Threat Podcast #6

How Attackers are Stealing your Credentials with Mimikatz – Insider Threat Podcast #6

In our sixth edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another in our ongoing blog series about insider attacks on Active Directory (AD). This time, the focus was the Mimikatz toolkit and all the ways it’s being used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks as well as supplementary posts covering Skeleton…

Read More Read More

Black Hat Roundup – Insider Threat Podcast #5

Black Hat Roundup – Insider Threat Podcast #5

In our fifth edition of the Insider Threat Podcast, we caught up with Gabriel Gumbs who has just spent the week at Black Hat 2017. Gabriel is the STEALTHbits VP of Product Strategy and his mission was to meet with some of our customers and partners at the show as well as bring back any interesting exploits and vulnerabilities that were on display for us to chew on. He certainly found a few. There were, of course, the usual set…

Read More Read More

Ways to Detect and Mitigate PowerShell Attacks

Ways to Detect and Mitigate PowerShell Attacks

Detect and Mitigate PowerShell Attacks PowerShell has grown as an attack platform against Windows systems as a way for attackers to “live off the land” and use tools that are natively available. We’ve already looked at Empire, DeathStar, and CrackMapExec and how those tools leverage PowerShell to invoke Mimikatz and initiate other attacks. In this post, we will explore what you can do to detect and protect against PowerShell attacks. What’s So Great about PowerShell? There are several reasons attackers…

Read More Read More

Lateral Movement with CrackMapExec

Lateral Movement with CrackMapExec

In the previous post, we explored how attackers can use Mimikatz to automatically escalate privileges to Domain Admins using Empire and DeathStar. In this post, I will take a look at another open-source tool that leverages Mimikatz to harvest credentials and move laterally through an Active Directory environment: CrackMapExec. Self-described as a “swiss army knife for pentesting networks”, CrackMapExec is a Python-based utility that is geared towards evaluating and exploiting weaknesses in Active Directory security. This approach involves gathering credentials…

Read More Read More

Market Trends: NYCRR 500

Market Trends: NYCRR 500

The New York State Department of Financial Services (DFS) new cybersecurity standard, New York Code Rules and Regulations 500 (NYCRR 500), extends past New York state limits to “subsidiaries or affiliates”. This regulation mandates each institution have a cyber security program, Chief Information Security Officer (CISO), access controls, asset management, data governance, software development practices, annual certification of their compliance, and more. As far as regulatory compliance standards, NYCRR 500 is one of the most well written regulations. Many other…

Read More Read More