Browsed by
Category: Active Directory

Any AD themed blogs

Ready for Microsoft’s LDAP Changes? What You Need to Know

Ready for Microsoft’s LDAP Changes? What You Need to Know

What is Changing? In March, Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing. They’re making these changes because the current default settings allow for a potential man-in-the-middle attack that can lead to privilege escalation. This means, once the default settings are changed, that any new domain controllers will have…

Read More Read More

Microsoft LDAP Channel Binding and Signing Patch

Microsoft LDAP Channel Binding and Signing Patch

Discovery Solution for Microsoft’s March 2020 Update Lightweight Directory Access Protocol (LDAP) – How did we get here? 20 years ago, I embarked on the fantastical journey that was migrating from NT4 to Active Directory. This is also when I began learning the power of LDAP. While it was technically available, very few companies implemented secure LDAP in the early days. Most enterprise applications or internal applications took advantage of the directory (and in a wide variety of ways), but…

Read More Read More

Cleaning Up Unused Service Accounts – Part 2: Detecting Common Locations Where Service Accounts Are Used

Cleaning Up Unused Service Accounts – Part 2: Detecting Common Locations Where Service Accounts Are Used

In this post, I will continue the series for how to do a service account clean up in Active Directory by going into details of common locations in a Windows OS that can be used to configure service accounts as well as then showing how to collect these using PowerShell to enable an easy collection of data for later collation as well as being able to help your company documentation for service accounts. Windows Services One of the most common…

Read More Read More

Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Constrained Delegation Abuse: Abusing Constrained Delegation to Achieve Elevated Access

Kerberos Delegation Recap Previously, I gave an overview of all of the various types of Kerberos delegation, how they’re configured, and how they can potentially be abused. Prior to that, I wrote about abusing resource-based constrained delegation and Jeff Warren has written about abusing unconstrained delegation. To round out the Kerberos delegation topic, I wanted to write a quick blog on how constrained delegation can be abused to get elevated access to a specific configured service. If you’re not familiar…

Read More Read More

Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process

Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process

What is a Service Account? In this blog post, I won’t go too much into the details of service accounts but will class a service account as a user, Managed Service Account or a Group Managed Service Account which is used to run a process whether it be a Service, Task, IIS App Pools or used inside of an application. The Problem? A lot of organisations will have hundreds and maybe even thousands of service accounts that may be in…

Read More Read More

A Guide to Active Directory Linked Attributes

A Guide to Active Directory Linked Attributes

This blog post is part of a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. This post will discuss a special type of Active Directory attribute, the Active Directory linked attribute. Linked attributes generally exist in associated pairs; one of the associated attributes is known as…

Read More Read More

What is Azure Active Directory?

What is Azure Active Directory?

High-Level Overview of Azure AD If you’re reading the Insider Threat Security Blog, I’m sure you’re familiar with Active Directory. We’ve covered many topics with on-premise Active Directory: from clean-up to advanced attacks and threat detection. But what about Azure Active Directory? Has your organization started to march into the cloud and begun the migration process? Perhaps you’re just looking to wrap your head around what Microsoft has to offer. STEALTHbits is here to help. Azure AD Overview At a…

Read More Read More

Fun with Active Directory’s AdminCount Attribute

Fun with Active Directory’s AdminCount Attribute

This blog post is part of a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. Active Directory is the primary authentication service used by the vast majority of organizations, including more than 95% of Fortune 500 companies. Consequently, Active Directory objects with elevated administrative privileges are…

Read More Read More

A Guide to Active Directory User Logon Metadata

A Guide to Active Directory User Logon Metadata

This blog post is the first in a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. Active Directory user objects possess a number of logon metadata attributes that are often leveraged in Active Directory audit reporting and administration. One of their most common uses is to…

Read More Read More

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5

Now that we understand how monitoring authentication patterns and authentication-based attacks can lead to an overwhelming amount of data which prevents any meaningful analysis, we can focus on our fifth, and final challenge of monitoring critical systems. Challenge 5 – Permission Changes and Object Changes Some of the most important changes to monitor within Active Directory are the changes to the security of the containers and objects.  Permissions control who can elevate privileges by changing group policies, adding members to…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.