Browsed by
Author: Jeff Warren

Jeff Warren is STEALTHbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
How Attackers Are Bypassing PowerShell Protections

How Attackers Are Bypassing PowerShell Protections

Bypassing PowerShell Protections Now that we have explored various protections against malicious PowerShell, let’s look at how to get around every one of these PowerShell protections! Don’t worry, these PowerShell protections are still worth doing, and they will still make things harder on attackers and easier to detect. However, we need to be aware that they cannot stop everything. If an attacker wants to run Mimikatz and access your credentials, they will find a way. The more you know about…

Read More Read More

Ways to Detect and Mitigate PowerShell Attacks

Ways to Detect and Mitigate PowerShell Attacks

Detect and Mitigate PowerShell Attacks PowerShell has grown as an attack platform against Windows systems as a way for attackers to “live off the land” and use tools that are natively available. We’ve already looked at Empire, DeathStar, and CrackMapExec and how those tools leverage PowerShell to invoke Mimikatz and initiate other attacks. In this post, we will explore what you can do to detect and protect against PowerShell attacks. What’s So Great about PowerShell? There are several reasons attackers…

Read More Read More

Lateral Movement with CrackMapExec

Lateral Movement with CrackMapExec

In the previous post, we explored how attackers can use Mimikatz to automatically escalate privileges to Domain Admins using Empire and DeathStar. In this post, I will take a look at another open-source tool that leverages Mimikatz to harvest credentials and move laterally through an Active Directory environment: CrackMapExec. Self-described as a “swiss army knife for pentesting networks”, CrackMapExec is a Python-based utility that is geared towards evaluating and exploiting weaknesses in Active Directory security. This approach involves gathering credentials…

Read More Read More

Automating Mimikatz with Empire and DeathStar

Automating Mimikatz with Empire and DeathStar

Automating Mimikatz Mimikatz is a very powerful post-exploitation tool on its own, allowing attackers to harvest credentials and move laterally through a compromised organization. However, there are also several limitations to what Mimikatz can do by itself: If you have compromised a machine but do not have Administrator rights, you can’t access any credentials If PowerShell protections are enabled, Mimikatz can be easily prevented Stealing credentials and figuring out where they work can be a long and arduous process This…

Read More Read More

How Attackers are Stealing Your Credentials with Mimikatz

How Attackers are Stealing Your Credentials with Mimikatz

Stealing Credentials with Mimikatz Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the ways in which Mimikatz can be packaged and deployed have become even more creative and difficult to detect by security professionals. This has led to Mimikatz recently being tied to some of the most prevalent cyber attacks such as the Petya ransomware….

Read More Read More

Unlocking All the Doors to Active Directory with the Skeleton Key Attack

Unlocking All the Doors to Active Directory with the Skeleton Key Attack

Introduction: Unlocking Active Directory with the Skeleton Key Attack There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain….

Read More Read More

Manipulating User Passwords with Mimikatz

Manipulating User Passwords with Mimikatz

Introduction: Manipulating User Passwords with Mimikatz Mimikatz now supports the ability to manipulate user passwords with new commands: SetNTLM and ChangeNTLM. These commands give attackers a new way to change user passwords and escalate privileges within Active Directory. Let’s take a look at these NTLM commands and what they do. ChangeNTLM This performs a password change event. To use this command, you must know the old password in order to set a new one. One deviation is that this command…

Read More Read More

Extracting User Password Data with Mimikatz DCSync

Extracting User Password Data with Mimikatz DCSync

Introduction: Extracting User Password Data with Mimikatz DCSync Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password data. Most importantly, this can be done…

Read More Read More

Stealing Credentials with a Security Support Provider (SSP)

Stealing Credentials with a Security Support Provider (SSP)

Introduction: SSP Attacks Mimikatz provides attackers several different ways to store credentials from memory and extract them from Active Directory. One of the more interesting tools provided is the MemSSP command, which will register a Security Support Provider (SSP) on a Windows host. Once registered, this SSP will log all passwords in clear text for any users who log on locally to that system. In this post, we will explore this attack and how it can be used by attackers…

Read More Read More

Unconstrained Delegation Permissions

Unconstrained Delegation Permissions

AD Permissions Attack #4: Unconstrained Delegation Permissions In this series, we’ve explored a few ways to take advantage of weak Access Control Lists (ACLs) to compromise Active Directory accounts and elevate our privileges. In this post, I will dive deeper into a more complex attack against Active Directory and show how permissions are once again critical to protecting yourself from a complete domain compromise. This particular attack leverages the delegation controls that can be applied to user and computer objects within…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.