Browsed by
Author: Kevin Joyce

Kevin Joyce is a Senior Technical Product Manager at STEALTHbits Technologies. He is responsible for building and delivering on the roadmap of STEALTHbits products and solutions. Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.
Commando VM: Using the Testing Platform

Commando VM: Using the Testing Platform

Windows Offensive VM from Mandiant FireEye Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways…

Read More Read More

Commando VM: Installation & Configuration

Commando VM: Installation & Configuration

Windows Offensive VM from Mandiant FireEye Last time, I wrote a high-level overview of Commando VM and why it is important for both red and blue teamers to be familiar with the tools that come pre-packaged in testing platforms like this one. Today, I’ll be covering the installation and any configuration needed to get up and running with Commando VM. Prerequisites Commando VM can be installed on a virtual machine or physical machine but for ease of use and deployment,…

Read More Read More

Commando VM: Introduction

Commando VM: Introduction

Windows Offensive VM from Mandiant FireEye What is Commando VM? Commando VM is a Windows testing platform, created by Mandiant FireEye, meant for penetration testers who are more comfortable with Windows as an operating system. Commando VM is essentially the sister to Kali, a Linux testing platform widely used throughout the penetration testing community. These testing platforms are packaged with all the common tools and scripts that a tester would need to utilize during an engagement. Commando VM can be…

Read More Read More

Running LAPS in the Race to Security

Running LAPS in the Race to Security

Managed Passwords for Local Administrator Accounts What is Microsoft LAPS? Microsoft Local Administrator Password Solution (LAPS) is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints. LAPS is a great mitigation tool against lateral movement and privilege escalation, by forcing all local Administrator accounts to have unique, complex passwords, so an attacker compromising one local Administrator account can’t move laterally to other endpoints and accounts that may…

Read More Read More

Defender Credential Guard: Protecting Your Hashes

Defender Credential Guard: Protecting Your Hashes

Virtualization-Based Security to Protect Your Secrets What is Windows Defender Credential Guard? Windows Defender Credential Guard is a security feature in Windows 10 Enterprise and Windows Server 2016 and above that uses virtualization-based security to protect your credentials. With Credential Guard enabled, only trusted, privileged applications and processes are allowed to access user secrets, or credentials. Without Credential Guard enabled, Windows stores credentials in the Local Security Authority (LSA) which is a process in memory. With Credential Guard enabled, it…

Read More Read More

Unconstrained Delegation Exploit

Unconstrained Delegation Exploit

Microsoft released another security advisory today that affects Active Directory security. Similar to the Exchange advisory, this is coming from research done by third-party security researchers.  Here is the original post explaining the exploit. In addition, a more detailed explanation of the conditions and setting necessary for this attack to occur was posted by Roberto Rodriguez, a colleague of harmj0y’s at Specterops: Hunting in Active Directory: Unconstrained Delegation & Forests Trusts Microsoft was first notified of this attack back in October…

Read More Read More

WDigest Clear-Text Passwords: Stealing More Than a Hash

WDigest Clear-Text Passwords: Stealing More Than a Hash

What happens when a malicious user has access to more than just an NTLM hash? What is WDigest? Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to the challenge by encrypting its response with…

Read More Read More

RID Hijacking: When Guests Become Admins

RID Hijacking: When Guests Become Admins

Securing Windows workstations and servers should be a priority for any organization; preventing a machine from getting compromised and being used to move laterally within an environment is a major concern. What happens when a machine is already compromised? A persistence method called ‘RID Hijacking’ is a way for an attacker to persist within your environment by granting the Guest account, or another local account, local administrator privileges by ‘hijacking’ the RID (relative identifier) of the Administrator account. Creating persistence…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.