Detecting Pass-the-Hash with Honeypots

Detecting Pass-the-Hash with Honeypots

Credential theft within Windows and Active Directory continues to be one of the most difficult security problems to solve.  This is made clear in the Verizon DBIR where it is reported that the use of stolen credentials is the #1 action identified across data breaches. Microsoft has acknowledged this challenge and responded with a guide on how to mitigate the Pass-the-Hash attack.  They have expanded on their recommendations and outlined steps to set up a tiered Active Directory environment and…

Read More Read More

Performing Pass-the-Hash Attacks with Mimikatz

Performing Pass-the-Hash Attacks with Mimikatz

Attack #4: Pass-the-Hash with Mimikatz In my previous post, we learned how to extract password hashes for all domain accounts from the Ntds.dit file. In this post, we’re going to see what you can do with those hashes once you have them. Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks and creating domain persistence through Golden Tickets. Mimikatz can be executed in a variety of ways to evade detection, including entirely in…

Read More Read More

Extracting Password Hashes from the Ntds.dit File

Extracting Password Hashes from the Ntds.dit File

AD Attack #3 – Ntds.dit Extraction With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers. Let’s take a look at what this threat entails and how it can be performed. Then we can review some mitigating controls to be sure you are protecting your own environment from such attacks. What is the…

Read More Read More

Attack Mapping with BloodHound

Attack Mapping with BloodHound

AD Attack #2 – Local Admin Mapping Once an attacker has established a foothold inside your domain, their primary objective is to compromise their target as quickly as possible without detection. Whether the target is sensitive data stored on a file server or compromising a Domain Admin account, the attacker must first formulate a plan of attack. This often involves strategic lateral moves throughout the network, slowly increasing privileges at each stop. BloodHound is a web application that discovers and visualizes…

Read More Read More

Performing Domain Reconnaissance Using PowerShell

Performing Domain Reconnaissance Using PowerShell

AD Attack #1 – LDAP Reconnaissance The first thing any attacker will do once he gains a foothold within an Active Directory domain is to try to elevate his access. It is surprisingly easy to perform domain reconnaissance using PowerShell, and often without any elevated privileges required. In this post, we will cover a few of the different ways that PowerShell can be used by attackers to map out your environment and chose their targets. The Basics of Reconnaissance using…

Read More Read More

4 AD Attacks and How to Protect Against Them

4 AD Attacks and How to Protect Against Them

I was speaking with an Active Directory Security Engineer from a large, global pharmaceutical company recently and asked him the most classic question in the Product Management handbook: “What keeps you up at night?” So cliché (I know), but sometimes instead of an eye roll, you get a real gem, which is exactly what happened. He said, “We’ve got a lot of good protections in place and run a pretty tight ship, but the worst thing that I think could…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.