How to Detect Overpass-the-Hash Attacks

Now that we’ve looked at how pass-the-hash and pass-the-ticket attacks work and what to do to detect them, let’s take a look at overpass-the-hash.  Basically, this is a combination of both attacks. The idea of overpass-the-hash is for an attacker to leverage the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account,…

Active Directory Object Recovery

Editor’s Note: This is the 2nd in a series of blog posts around Active Directory (AD) backup and recovery using STEALTHbits’ StealthRECOVER. Read the 1st blog, An Introduction to Active Directory Backup and Recovery. NOTE: For the purposes of this post I’m going to assume that the Active Directory Recycle Bin has not been enabled within the domain. The AD Recycle Bin and its impact on object recovery will be covered in this series’ next post. When an object is deleted…

Taking a Data Centric Audit and Protection (DCAP) Approach Avoids the Weaknesses of a Siloed Data Security Strategy

Data Centric Audit and Protection (DCAP) is a term defined by Gartner back in 2017 in response to the weaknesses of the Data Security Governance practices at the time. At that time, data protection strategies focused on the security of the application, or storage system that contained the data. This focus led to a variety of technology-specific security tools which tended to be owned and managed by different teams within IT. This siloed approach to data security worked well as…

External Sharing Best Practices for SharePoint Online & O365

The policy of ‘Data protection by design and by default’ in article 25 of the GDPR is driving vendors like Microsoft to align data security with innovation to develop not only better products but also more secure products. Along these lines, organizations should adopt the policy of Privacy by Design, that is, organizational processes that are designed with protecting privacy in mind. Just as external sharing is a critical and unavoidable piece of business success, so too is achieving compliance…

New – Purpose-Built Active Directory Threat Detection & Response Platform

Active Directory has always been at the center of it all, but with the advent of highly powerful, incredibly clever tools like Mimikatz, BloodHound, CrackMapExec, and the like, Active Directory has now become the center of attention. Since 2005, STEALTHbits has been providing organizations of all sizes the best products and tools available to understand, manage, and secure their increasingly complex, ever-changing, ever-growing Active Directory environments. Now in 2019, at precisely the time it’s needed most, we’re both proud and…

How to Detect Pass-the-Ticket Attacks

In our first post of the series, we looked at some interesting ways to detect the pass-the-hash attack. Pass-the-hash is an effective approach for exploiting NTLM authentication within an Active Directory domain. Pass-the-ticket is an alternate approach which leverages Kerberos authentication to perform lateral movement. In this post we will dive into how this attack works and what you can do to detect it.

How Pass-the-Ticket Works

In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket…

Unconstrained Delegation Exploit

Microsoft released another security advisory today that affects Active Directory security. Similar to the Exchange advisory, this is coming from research done by third-party security researchers. Here is the original post explaining the exploit. In addition, a more detailed explanation of the conditions and settings necessary for this attack to occur was posted by Roberto Rodriguez, a colleague of harmj0y’s at Specterops: Hunting in Active Directory: Unconstrained Delegation & Forests Trusts. Microsoft was first notified of this attack back in October…

Introduction to Active Directory Backup and Recovery

When I was a little kid, I knew what I wanted to be when I grew up. No, not an astronaut. Definitely not a doctor or a lawyer. When I grew up, I wanted to be the Product Manager of an Active Directory backup and recovery tool. Just kidding. I’m pretty sure I wanted to be a Transformer. Now that I’m older and not a Transformer, I’ve been tasked with writing a series of blog posts which explain…

How to Detect Pass-the-Hash Attacks

This is the first in a 3-part blog series that will be followed by a webinar on February 28th. Lateral movement techniques are one of the most common approaches attackers use to move through your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and Ryuk. We’ve looked recently at how to detect pass-the-hash attacks using honeypots, and in doing research into the most effective ways to detect this type…

New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges

STEALTHbits mitigates a new vulnerability that uses Exchange Authentication to gain AD Admin privileges

A new attack has been posted by Dirk-jan Mollema, an independent security researcher, that exploits how Exchange uses NTLM over HTTP to authenticate to the Active Directory domain. Read the complete details. This attack combines known vulnerabilities in a new way to achieve privilege escalation that can be used to attack AD. Here is how the attack works. An attacker sends a request to Exchange that causes…
