Browsed by
Author: Jeff Warren

Jeff Warren is STEALTHbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Bypassing MFA with Pass-the-Cookie
Bypassing MFA with Pass-the-Cookie

Bypassing MFA with Pass-the-Cookie

Comments 0 Comment

Multi-factor Authentication (MFA) is a great way to increase security on web applications, remote desktop sessions, VPN, and virtually anywhere a user can log into. By introducing one or more additional factors into the authentication process you can prove somebody actually is who they say they are, and prevent a significant amount of impersonation and credential-based attacks.  However, when adopting and implementing MFA technology it is important to understand exactly what it does and does not do, and what security gaps…

Read More Read More

Detecting Persistence through Active Directory Extended Rights
Detecting Persistence through Active Directory Extended Rights

Detecting Persistence through Active Directory Extended Rights

Comments 0 Comment

Today, I came across an interesting article (since posting, the original post has been taken offline) where the author described how an attacker could manipulate the permissions on extended attributes to create persistence once they have compromised an Active Directory domain.  Read the article for a great breakdown of the attack, but here’s a quick summary. Step 1 – Domain Compromise An attacker compromised Domain Admin privileges within Active Directory and wants to make sure they create some backdoors in…

Read More Read More

Lateral Movement Through Pass-the-Cache
Lateral Movement Through Pass-the-Cache

Lateral Movement Through Pass-the-Cache

Comments 0 Comment

Lateral movement techniques like Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash provide attackers with ways to take stolen or compromised credentials and spread out across a network to achieve privilege escalation.  I recently found myself testing some Active Directory attacks from a Kali Linux host, and needed a way to use compromised credentials from this Linux system on my Windows boxes.  Luckily, this is something supported by Mimikatz and surprisingly easy to perform.  This technique, known as Pass-the-Cache, allows an attacker to take…

Read More Read More

Cracking Active Directory Passwords with AS-REP Roasting
Cracking Active Directory Passwords with AS-REP Roasting

Cracking Active Directory Passwords with AS-REP Roasting

Comments 0 Comment

While looking at Pass-the-Ticket we explored a tool Rubeus by Harmj0y which can be used to experiment with Kerberos security in Active Directory and explore various attack vectors.  One of the areas I found interesting when testing Rubeus was the different password cracking options it made available.  This includes two primary methods: Kerberoasting and AS-REP Roasting.  The most frightening part of both of these techniques is that they can be performed without any special privileges on the domain, making them…

Read More Read More

What is the Kerberos PAC?

What is the Kerberos PAC?

Comments 0 Comment

The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges.  This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain.  When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information (more on that to follow)….

Read More Read More

Domain Persistence with Subauthentication Packages

Domain Persistence with Subauthentication Packages

Comments 3 comments

A lot of my posts have covered Mimikatz and how it can be used to explore Active Directory and Windows security to learn how various attacks work.  Recently, the author of Mimikatz released a new feature which exposes a new attack surface that could be used to create persistence within AD.  This feature uses a subauthentication package to manipulate the Active Directory login process and escalate user privileges based on arbitrary conditions.  Basically, an attacker with access to your domain…

Read More Read More

How to Detect Overpass-the-Hash Attacks

How to Detect Overpass-the-Hash Attacks

Comments 0 Comment

Now that we’ve looked at how pass-the-hash and pass-the-ticket attacks work and what to do to detect them, let’s take a look at overpass-the-hash.  Basically, this is a combination of both attacks. The idea of overpass-the-hash is for an attacker to leverage the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account,…

Read More Read More

How to Detect Pass-the-Ticket Attacks

How to Detect Pass-the-Ticket Attacks

Comments 4 comments

In our first post of the series, we looked at some interesting ways to detect the pass-the-hash attack. Pass-the-hash is an effective approach for exploiting NTLM authentication within an Active Directory domain. Pass-the-ticket is an alternate approach which leverages Kerberos authentication to perform lateral movement.  In this post we will dive into how this attack works and what you can do to detect it. How Pass-the-Ticket Works In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket…

Read More Read More

How to Detect Pass-the-Hash Attacks

How to Detect Pass-the-Hash Attacks

Comments 7 comments

This is the first in a 3-part blog series, that will be followed by a webinar February 28th. Lateral movement techniques are one of the most common approaches attackers can use to infiltrate your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and Ryuk. We’ve looked recently at how to detect pass-the-hash attacks using honeypots and in doing research into the most effective ways to detect this type…

Read More Read More

Deploying Pass the Hash Honeypots
Deploying Pass-the-Hash Honeypots

Deploying Pass-the-Hash Honeypots

Comments 0 Comment

So far in this series, we’ve learned about the HoneyHash, a useful honeypot technique for detecting Pass-the-Hash and credential theft within a Windows environment.  We then looked into how to monitor for an attacker triggering the honeypot, and how to gather the necessary forensic details to investigate the attack.  Now let’s look at what you need to do to roll out the honeypot across multiple endpoints in your environment. There are some basic challenges we need to consider.  First, we…

Read More Read More

Start a Free Stealthbits Trial!

No risk. No obligation.