Jeff Warren, Author at The Insider Threat Security Blog

How Attackers Are Bypassing PowerShell Protections

August 8, 2017 Jeff Warren Comments 0 Comment

Bypassing PowerShell Protections Now that we have explored various protections against malicious PowerShell, let’s look at how to get around every one of these PowerShell protections! Don’t worry, these PowerShell protections are still worth doing, and they will still make things harder on attackers and easier to detect. However, we need to be aware that they cannot stop everything. If an attacker wants to run Mimikatz and access your credentials, they will find a way. The more you know about…

Read More Read More

Ways to Detect and Mitigate PowerShell Attacks

August 1, 2017 Jeff Warren Comments 0 Comment

Detect and Mitigate PowerShell Attacks PowerShell has grown as an attack platform against Windows systems as a way for attackers to “live off the land” and use tools that are natively available. We’ve already looked at Empire, DeathStar, and CrackMapExec and how those tools leverage PowerShell to invoke Mimikatz and initiate other attacks. In this post, we will explore what you can do to detect and protect against PowerShell attacks. What’s So Great about PowerShell? There are several reasons attackers…

Read More Read More

CrackMapExec with Mimikatz and PowerSploit to harvest credentials

Lateral Movement with CrackMapExec

July 25, 2017 Jeff Warren Comments 0 Comment

In the previous post, we explored how attackers can use Mimikatz to automatically escalate privileges to Domain Admins using Empire and DeathStar. In this post, I will take a look at another open-source tool that leverages Mimikatz to harvest credentials and move laterally through an Active Directory environment: CrackMapExec. Self-described as a “swiss army knife for pentesting networks”, CrackMapExec is a Python-based utility that is geared towards evaluating and exploiting weaknesses in Active Directory security. This approach involves gathering credentials…

Read More Read More

Automating Mimikatz with Empire and DeathStar

July 18, 2017 Jeff Warren Comments 0 Comment

Automating Mimikatz Mimikatz is a very powerful post-exploitation tool on its own, allowing attackers to harvest credentials and move laterally through a compromised organization. However, there are also several limitations to what Mimikatz can do by itself: If you have compromised a machine but do not have Administrator rights, you can’t access any credentials If PowerShell protections are enabled, Mimikatz can be easily prevented Stealing credentials and figuring out where they work can be a long and arduous process This…

Read More Read More

Mimikatz is one of the best tools to gather credential data from Windows systems

How Attackers are Stealing Your Credentials with Mimikatz

July 11, 2017 Jeff Warren Comments 0 Comment

Stealing Credentials with Mimikatz Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the ways in which Mimikatz can be packaged and deployed have become even more creative and difficult to detect by security professionals. This has led to Mimikatz recently being tied to some of the most prevalent cyber attacks such as the Petya ransomware….

Read More Read More

Skeleton Key malware targeted at Active Directory domains

Unlocking All the Doors to Active Directory with the Skeleton Key Attack

July 11, 2017 Jeff Warren Comments 0 Comment

Introduction: Unlocking Active Directory with the Skeleton Key Attack There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain….

Read More Read More

Change user passwords and escalate privileges within Active Directory with Mimikatz commands SetNTLM and ChangeNTLM

Manipulating User Passwords with Mimikatz

July 11, 2017 Jeff Warren Comments 0 Comment

Introduction: Manipulating User Passwords with Mimikatz Mimikatz now supports the ability to manipulate user passwords with new commands: SetNTLM and ChangeNTLM. These commands give attackers a new way to change user passwords and escalate privileges within Active Directory. Let’s take a look at these NTLM commands and what they do. ChangeNTLM This performs a password change event. To use this command, you must know the old password in order to set a new one. One deviation is that this command…

Read More Read More

DCSync with rights to replicating directory changes for replicating directory changes all

Extracting User Password Data with Mimikatz DCSync

July 11, 2017 Jeff Warren Comments 0 Comment

Introduction: Extracting User Password Data with Mimikatz DCSync Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password data. Most importantly, this can be done…

Read More Read More

Security Support Provider (SSP) on a Windows host will log all passwords in clear text for any users who log on locally to that system

Stealing Credentials with a Security Support Provider (SSP)

July 11, 2017 Jeff Warren Comments 0 Comment

Introduction: SSP Attacks Mimikatz provides attackers several different ways to store credentials from memory and extract them from Active Directory. One of the more interesting tools provided is the MemSSP command, which will register a Security Support Provider (SSP) on a Windows host. Once registered, this SSP will log all passwords in clear text for any users who log on locally to that system. In this post, we will explore this attack and how it can be used by attackers…

Read More Read More

Unconstrained Delegation Permissions

June 27, 2017 Jeff Warren Comments 0 Comment

AD Permissions Attack #4: Unconstrained Delegation Permissions In this series, we’ve explored a few ways to take advantage of weak Access Control Lists (ACLs) to compromise Active Directory accounts and elevate our privileges. In this post, I will dive deeper into a more complex attack against Active Directory and show how permissions are once again critical to protecting yourself from a complete domain compromise. This particular attack leverages the delegation controls that can be applied to user and computer objects within…

Read More Read More

The Insider Threat Security Blog

And Other Things That Keep You Up At Night

Browsed by
Author: Jeff Warren

How Attackers Are Bypassing PowerShell Protections

August 8, 2017 Jeff Warren Comments 0 Comment

Lateral Movement with CrackMapExec

July 25, 2017 Jeff Warren Comments 0 Comment

How Attackers are Stealing Your Credentials with Mimikatz

July 11, 2017 Jeff Warren Comments 0 Comment

Unlocking All the Doors to Active Directory with the Skeleton Key Attack

July 11, 2017 Jeff Warren Comments 0 Comment

Manipulating User Passwords with Mimikatz

July 11, 2017 Jeff Warren Comments 0 Comment

Extracting User Password Data with Mimikatz DCSync

July 11, 2017 Jeff Warren Comments 0 Comment

Stealing Credentials with a Security Support Provider (SSP)

July 11, 2017 Jeff Warren Comments 0 Comment