Browsed by
Author: jeff-warren

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Deploying Pass the Hash Honeypots
Deploying Pass-the-Hash Honeypots

Deploying Pass-the-Hash Honeypots

Comments 0 Comment

So far in this series, we’ve learned about the HoneyHash, a useful honeypot technique for detecting Pass-the-Hash and credential theft within a Windows environment.  We then looked into how to monitor for an attacker triggering the honeypot, and how to gather the necessary forensic details to investigate the attack.  Now let’s look at what you need to do to roll out the honeypot across multiple endpoints in your environment. There are some basic challenges we need to consider.  First, we…

Read More Read More

Implementing Detections for the Honeyhash

Implementing Detections for the Honeyhash

Comments 0 Comment

In our first post of this series, we explored the Honeyhash, and how it can be used to create a honeypot to catch attackers performing credential theft and pass-the-hash attacks.  Now that our trap is set, we need to make sure we can catch any attacker in the act who may fall for it. The concept of detection for the Honeyhash is simple.  We put a fake account in memory on a system, so let’s see if anybody tries to…

Read More Read More

Detecting Pass-the-Hash with Honeypots

Detecting Pass-the-Hash with Honeypots

Comments 0 Comment

Credential theft within Windows and Active Directory continues to be one of the most difficult security problems to solve.  This is made clear in the Verizon DBIR where it is reported that the use of stolen credentials is the #1 action identified across data breaches. Microsoft has acknowledged this challenge and responded with a guide on how to mitigate the Pass-the-Hash attack.  They have expanded on their recommendations and outlined steps to set up a tiered Active Directory environment and…

Read More Read More

Detecting DCShadow with Event Logs

Detecting DCShadow with Event Logs

Comments 0 Comment

In this series, we’ve learned about DCShadow and covered attack scenarios to demonstrate how this can be used for an attacker to create persistence as well as elevate privileges across forests.  Now that we know the risks involved with DCShadow, let’s cover what you can do to detect this in your environment. First, let’s recap the basics: The purpose of DCShadow is to make changes that will not be detected by event logs, so you will not be able to…

Read More Read More

Privilege Escalation with DCShadow

Privilege Escalation with DCShadow

Comments 0 Comment

So far we’ve covered how DCShadow works as well as ways this can enable attackers to create persistence within a domain without detection once they’ve obtained admin credentials.  DCShadow can enable attack scenarios beyond just creating persistence, and can actually be used to elevate access for an attacker. How can a Domain Admin elevate their access even higher? By obtaining admin rights in other forests. Leveraging SID History, an attacker can add administrative SIDs to their user account and obtain…

Read More Read More

Creating Persistence with DCShadow

Creating Persistence with DCShadow

Comments 0 Comment

Now that we understand the basics of the DCShadow feature, let’s look at some ways in which attackers can leverage DCShadow in a real world attack scenario.  As we learned, DCShadow requires elevated rights such as Domain Admin, so you can assume an attacker leveraging this already has complete control of your environment.  So why would an attacker want to or need to use DCShadow? One real world scenario would be for an attacker to create persistence within the domain…

Read More Read More

DCShadow: Attacking Active Directory with Rogue DCs

DCShadow: Attacking Active Directory with Rogue DCs

Comments 0 Comment

If you’re familiar with Mimikatz, you’ve already seen some of the ways it exposes weaknesses in Active Directory security (if you’re not, read up!).  Recently, a new feature was added to Mimikatz titled DCShadow and was presented by its authors Benjamin Delpy and Vincent LeToux at the Bluehat IL 2018 conference. DCShadow enables Mimikatz to make changes to Active Directory by simulating a domain controller.  We’ve seen this in the past from Mimikatz, with the DCSync feature, which allows you…

Read More Read More

Attacking Local Account Passwords
Attacking Local Account Passwords

Attacking Local Account Passwords

Comments 0 Comment

So far in this series, we’ve learned how attackers can target weak domain passwords in Active Directory.  To complete the story, we need to look beyond domain accounts and understand the ways to attack local accounts on Windows servers and desktops.  For this post, we will focus on the most important local account: Administrator.  The Administrator account is built into every Windows operating system and provides full control over the system, including the ability to compromise domain accounts through pass-the-hash…

Read More Read More

Attacking Weak Passwords in Active Directory
Attacking Weak Passwords in Active Directory

Attacking Weak Passwords in Active Directory

Comments 0 Comment

In our last post, we learned about password spraying and how effective this can be to compromise AD accounts with weak and commonly used passwords.  Now let’s take a look at how an attacker could take this approach and put it into practice to compromise your domain.  For that, we are going to use BloodHound, a very useful open-source application for penetration testing AD security and planning attack paths to compromise high value accounts.  We’ve covered BloodHound in our permission…

Read More Read More

Finding Weak Passwords in Active Directory

Finding Weak Passwords in Active Directory

Comments 0 Comment

So far in this series we’ve looked at how plain text passwords can be exposed within Active Directory, which represents a major vulnerability for most AD environments.  However, even if you have proper controls to prevent plain text passwords in your network, attackers can still get them pretty efficiently.  How do they do this?  They guess.  And you’d be surprised how well guessing works at cracking passwords. As we covered in the introductory post for this series, guessing can be…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.