Using CTFTOOL.exe to escalate privileges by leveraging Text Services Framework; and mitigation processes and steps

Overview: In this post, I will be looking at a recently published exploit that leverages a weakness in the Microsoft Windows Text Services Framework to launch a child process that allows for the escalation of privileges. I will give a brief overview of what the Text Services Framework service does, what the exploit is, and how it could be used. Then, I will go into more detail about how to run the exploit and the different methods that can be used for detection…

Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant

Rest in Peace PowerShell Empire: PowerShell Empire (PSEmpire) is a Command and Control (C2) post-exploitation framework that has been discussed in a variety of posts on the STEALTHbits Blog. What is PSEmpire? PSEmpire is a great tool with a wide variety of uses in the information security community, including learning and red teaming, and even more nefarious uses such as being used by the Ryuk ransomware operators. Sadly, it has been officially announced that PSEmpire is no longer being supported and development has stopped…

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 2

In the first blog of this series, we discussed how changes to groups with extensive privilege within an Active Directory (AD) environment are a target for many attackers. However, this is just one of the problems with monitoring critical systems. Challenge 2 – Group Policy Changes: Group Policies are used to control and manage settings across all computers joined to Active Directory. This includes critical security settings such as who has administrative access to systems, and numerous others. A simple…
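Since the post is about the gaps in native event-log monitoring of Group Policy, here is an added example (written for this page, not code from the STEALTHbits post) of what the native log can give you on a domain controller. It assumes "Audit Directory Service Changes" is enabled and a SACL covering the Policies container is in place, so that edits to a Group Policy Container object are recorded as Security Event ID 5136 ("A directory service object was modified"); the cmdlet, XPath filter and field names are the standard Windows ones.

```powershell
# Added example: surface Group Policy object modifications from the Security log.
# Assumes Directory Service Changes auditing and a SACL on CN=Policies are configured;
# without them, no 5136 events are written and the query returns nothing.
function Get-GpoChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$MaxEvents = 200
    )

    # Only 5136 events whose target object is a Group Policy Container.
    $xpath = @"
*[System[EventID=5136]
  and EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]
"@

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
        $op = switch ($data.OperationType) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $data.OperationType }
        }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            GpoDN     = $data.ObjectDN                  # CN={GUID},CN=Policies,CN=System,DC=...
            Attribute = $data.AttributeLDAPDisplayName  # e.g. versionNumber, gPCMachineExtensionNames
            Operation = $op
            Value     = $data.AttributeValue
        }
    }
}

# Usage: most recent GPO edits on this DC, grouped so one edit (several attribute
# writes) reads as one change.
Get-GpoChangeEvent | Sort-Object Time -Descending |
    Format-Table Time, Who, GpoDN, Attribute, Operation -AutoSize
```

Two caveats worth keeping in mind when reading the output: the event tells you that a GPO's versionNumber or extension list changed, not what setting inside the policy changed, because the policy contents live in SYSVOL files rather than in the directory object; and a single edit in the Group Policy Management Console produces several 5136 events, so the records have to be correlated by GpoDN and time to reconstruct one change.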

What is an FSMO Role in Active Directory?

Active Directory allows object creations, updates, and deletions to be committed to any authoritative domain controller. This is possible because every Active Directory domain controller maintains a writable copy of its own domain’s partition – except, of course, Read-Only Domain Controllers. After a change has been committed, it is replicated automatically to other domain controllers through a process called multi-master replication. This behavior allows most operations to be processed reliably by multiple domain controllers and provides for high levels of…
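Multi-master replication has one exception: five operations are single-master and are held by whichever domain controller currently owns the corresponding FSMO role. The block below is an added example for this page (not code from the post) that lists the role holders for the current forest and domain and then checks that each holder is a reachable, writable domain controller; it uses only the ActiveDirectory module cmdlets and properties that ship with RSAT, and assumes it is run from a domain-joined machine with rights to query the directory.

```powershell
# Added example: enumerate FSMO role holders and sanity-check each one.
Import-Module ActiveDirectory

function Get-FsmoSummary {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Two forest-wide roles live on Get-ADForest, three domain-wide roles on Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        try {
            # Confirm the holder is a DC the directory knows about, and that it is writable:
            # a Read-Only Domain Controller can never legitimately hold a FSMO role.
            $dc = Get-ADDomainController -Identity $holder -ErrorAction Stop
            $ok = -not $dc.IsReadOnly -and (Test-Connection -ComputerName $holder -Count 1 -Quiet)
            [pscustomobject]@{ Role = $role; Holder = $holder; Site = $dc.Site; Healthy = $ok }
        } catch {
            # Holder name that no longer resolves to a DC: the role is orphaned and needs seizing.
            [pscustomobject]@{ Role = $role; Holder = $holder; Site = $null; Healthy = $false }
        }
    }
}

# Cross-check from the DC side: each DC reports the roles it believes it owns.
function Get-FsmoFromDcs {
    Get-ADDomainController -Filter * |
        Select-Object Name, IsReadOnly, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } }
}

Get-FsmoSummary | Format-Table -AutoSize
Get-FsmoFromDcs | Format-Table -AutoSize
```

If a role shows Healthy = $false, or the two views disagree about who owns it, the single-master operation behind it (schema changes, new domains, RID pool allocation, password chaining, cross-domain reference updates) is stalled until the role is transferred or seized.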

Understanding Passwords and Their Problems

What’s The Problem? Today, with the Internet, social media, personal computers, online banking and everything else that exists, end users need to create and maintain a large number of usernames and passwords for all of the accounts they have. This creates a problem: the many accounts we need to remember lead us to reuse passwords across different platforms, potentially including our work accounts. This is just one of the many contributors to the password problems that…

15 Cases for File Activity Monitoring: Part 3

Today, we continue our discussion on real-life use cases for STEALTHbits file activity monitoring solutions. The cases outlined in the previous blog post provided examples of malicious access by internal users, administrators, and external bad actors. Case 11: Stale File Clean-Up Knowing which files are being actively accessed helps identify stale data for removal from active management, reclaiming storage space and reducing an organization’s risk surface. The file activity monitor allows organizations to identify stale data and files that have…

How to Protect Office 365 by Classifying Your Data with Microsoft’s AIP Labels

Azure Information Protection labels, or AIP labels, can be created and applied to documents and emails. These labels can be used to classify content based on what the data is and how sensitive it is. This approach is extremely powerful when properly implemented, as it provides protection for your data even after it leaves your environment (if the label's policy applies encryption). In this post, I’ll walk through setting up Azure Information Protection to use labels to classify and protect…

Detecting Persistence through Active Directory Extended Rights

Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate extended rights permissions to create persistence once they have compromised an Active Directory domain. Read the article for a great breakdown of the attack, but here’s a quick summary. Step 1 – Domain Compromise: An attacker has obtained Domain Admin privileges within Active Directory and wants to make sure they create some backdoors in…
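The persistence described above works because an extended right is just an ACE on a directory object, and ACEs survive password resets and group clean-ups. Here is an added example for this page (not the original article's or STEALTHbits' code) that audits the extended-right ACEs on the domain naming context and flags any principal not on an allow-list. The three rights GUIDs are the well-known control access right GUIDs from the AD schema; the allow-list of expected principals is an assumption for the example and should be replaced with what your environment actually grants.

```powershell
# Added example: find extended rights granted on the domain object to unexpected principals.
Import-Module ActiveDirectory

function Get-SuspiciousExtendedRight {
    param(
        [string]$TargetDN = (Get-ADDomain).DistinguishedName,
        # Assumed allow-list for this example: principals that hold these rights by default.
        [string[]]$ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Controllers",
            "$env:USERDOMAIN\Domain Admins",
            "$env:USERDOMAIN\Enterprise Admins"
        )
    )

    # Well-known control access right GUIDs (rightsGuid values from the Extended-Rights container).
    $knownRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    }
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs that include the ExtendedRight bit are of interest here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }

        # ObjectType identifies which extended right; an all-zero GUID means all extended rights.
        $guid = $ace.ObjectType.ToString()
        $rightName = if ($guid -eq '00000000-0000-0000-0000-000000000000') { 'ALL extended rights' }
                     elseif ($knownRights.ContainsKey($guid)) { $knownRights[$guid] }
                     else { "other ($guid)" }

        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Target     = $TargetDN
            Principal  = $who
            Right      = $rightName
            Inherited  = $ace.IsInherited
            Unexpected = ($ExpectedPrincipals -notcontains $who)
        }
    }
}

# Usage: anything marked Unexpected on the domain root deserves an explanation.
# Replication rights for a plain user account are the DCSync backdoor the article describes.
Get-SuspiciousExtendedRight | Where-Object Unexpected | Format-Table -AutoSize
```

Run the same function against the AdminSDHolder object (CN=AdminSDHolder,CN=System,...) as well, since an ACE planted there is re-applied to every protected account by SDProp and is a common place to hide the same kind of backdoor.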

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 1

As the methods that attackers use to compromise credentials and data continue to evolve, it is increasingly important to monitor critical systems such as Active Directory (AD) for signs of malicious activity. Most customers turn to security information and event management (SIEM) products to provide this monitoring. While these solutions may be extremely powerful, they ultimately depend on the Windows event logs that are populated by Active Directory. Event logs can be very complicated to work with, and ultimately do…

15 Cases for File Activity Monitoring: Part 2

If you read part 1 in this series, you caught a glimpse of how STEALTHbits file activity monitoring solutions help solve critical change and access issues without the use of native logs. Today we’ll delve deeper into the explanation of these solutions and reveal five more real-life cases where you could use our file activity monitoring solutions. Case 6: File Tampering. File tampering is when a user modifies the contents of a file, such as spreadsheet calculations or other data…
