Browsed by
Author: Kevin Joyce

Kevin Joyce is a Senior Technical Product Manager at STEALTHbits Technologies. He is responsible for building and delivering on the roadmap of STEALTHbits products and solutions. Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.
Protecting Against DCShadow

Protecting Against DCShadow

What Organizations Can Do to Stop a DCShadow Attack Recently, I came across a post outlining how companies CANNOT effectively defend against a DCShadow attack but instead need to take a reactive approach to identify when it may have occurred by monitoring their environment, and rolling back any unwanted changes once they were identified. Unfortunately, reacting to an incident could mean the damage is already done and a malicious actor has run off with the ‘keys to the kingdom’. The…

Read More Read More

Understanding Passwords and Their Problems

Understanding Passwords and Their Problems

What’s The Problem? Today, with the Internet, social media, personal computers, online banking and everything else that exists, end-users need to create and maintain a large number of usernames and passwords for all of the accounts they have. This begins to create a problem. The many accounts we need to remember leads us to want to share passwords between different platforms, potentially including our work accounts. This is just one of the few contributors to the many password problems that…

Read More Read More

Resource-Based Constrained Delegation Abuse

Resource-Based Constrained Delegation Abuse

Abusing RBCD and MachineAccountQuota Delegation is an area that is confusing and complicated for most Active Directory administrators. Unconstrained delegation, constrained delegation, and even resource-based constrained delegation all play a role in not only your Active Directory infrastructure, but also its security posture. For example, unconstrained delegation is very insecure, and can be abused relatively easily. If you’re unfamiliar with the different types of delegation and how they work, I suggest reading harmj0ys Another Word on Delegation as he’s done…

Read More Read More

Commando VM: Using the Testing Platform

Commando VM: Using the Testing Platform

Windows Offensive VM from Mandiant FireEye Previously, I wrote a high-level overview of the testing platform Commando VM and an installation guide to get started with it. Today, I’ll be diving into a proof of concept of sorts to show off some of the tools and flexibility that the testing platform offers. My goal with this post is to highlight some things that can be done with the platform, situations enterprises should try to be wary of, and some ways…

Read More Read More

Commando VM: Installation & Configuration

Commando VM: Installation & Configuration

Windows Offensive VM from Mandiant FireEye Last time, I wrote a high-level overview of Commando VM and why it is important for both red and blue teamers to be familiar with the tools that come pre-packaged in testing platforms like this one. Today, I’ll be covering the installation and any configuration needed to get up and running with Commando VM. Prerequisites Commando VM can be installed on a virtual machine or physical machine but for ease of use and deployment,…

Read More Read More

Commando VM: Introduction

Commando VM: Introduction

Windows Offensive VM from Mandiant FireEye What is Commando VM? Commando VM is a Windows testing platform, created by Mandiant FireEye, meant for penetration testers who are more comfortable with Windows as an operating system. Commando VM is essentially the sister to Kali, a Linux testing platform widely used throughout the penetration testing community. These testing platforms are packaged with all the common tools and scripts that a tester would need to utilize during an engagement. Commando VM can be…

Read More Read More

Running LAPS in the Race to Security

Running LAPS in the Race to Security

Managed Passwords for Local Administrator Accounts What is Microsoft LAPS? Microsoft Local Administrator Password Solution (LAPS) is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints. LAPS is a great mitigation tool against lateral movement and privilege escalation, by forcing all local Administrator accounts to have unique, complex passwords, so an attacker compromising one local Administrator account can’t move laterally to other endpoints and accounts that may…

Read More Read More

Defender Credential Guard: Protecting Your Hashes

Defender Credential Guard: Protecting Your Hashes

Virtualization-Based Security to Protect Your Secrets What is Windows Defender Credential Guard? Windows Defender Credential Guard is a security feature in Windows 10 Enterprise and Windows Server 2016 and above that uses virtualization-based security to protect your credentials. With Credential Guard enabled, only trusted, privileged applications and processes are allowed to access user secrets, or credentials. Without Credential Guard enabled, Windows stores credentials in the Local Security Authority (LSA) which is a process in memory. With Credential Guard enabled, it…

Read More Read More

Unconstrained Delegation Exploit

Unconstrained Delegation Exploit

Microsoft released another security advisory today that affects Active Directory security. Similar to the Exchange advisory, this is coming from research done by third-party security researchers.  Here is the original post explaining the exploit. In addition, a more detailed explanation of the conditions and setting necessary for this attack to occur was posted by Roberto Rodriguez, a colleague of harmj0y’s at Specterops: Hunting in Active Directory: Unconstrained Delegation & Forests Trusts Microsoft was first notified of this attack back in October…

Read More Read More

WDigest Clear-Text Passwords: Stealing More Than a Hash

WDigest Clear-Text Passwords: Stealing More Than a Hash

What happens when a malicious user has access to more than just an NTLM hash? What is WDigest? Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to the challenge by encrypting its response with…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.