Hacking and Securing Active Directory

Hacking techniques for AD: “state of the art” (but scary!) with possible mitigations (when possible), plus a few new methods…

https://leonjza.github.io/blog/2016/01/09/kerberos-kerberoast-and-golden-tickets/
https://adsecurity.org/wp-content/uploads/2015/08/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf
https://github.com/infosecn1nja/AD-Attack-Defense
https://specterops.io/resources/research-and-development
https://github.com/wavestone-cdt/AD-security-workshop
https://www.labofapenetrationtester.com/
https://github.com/fireeye/commando-vm

For GPO audit: https://github.com/l0ss/Grouper2

Spraykatz:
https://www.slideshare.net/sylvaincortes/spraykatz-installation-basic-usage
https://github.com/aas-n/spraykatz

ReverseTCP shell:
https://www.youtube.com/watch?v=T9qb4DIAXTg&feature=youtu.be
https://github.com/ZHacker13/ReverseTCPShell

Securing AD:
AD Explorer: https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer
https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory
http://video.ch9.ms/sessions/teched/na/2014/DCIM-B213.pptx
https://www.pingcastle.com/
AD Authentication silos and more: https://www.sstic.org/user/abordes
MS white-paper best

AD – Advanced Threat Analytics (ATA) and Azure ATP

An alternative to Azure ATP / ATA => Alsid: https://www.alsid.com/alsid-solution

=================================== Azure ATP =======================================

What is Azure ATP: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-amp
Azure ATP release notes: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-whats-new
Suspicious activity guide: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

Unified on MCAS, Azure ATP and Azure AD Identity Protection: Microsoft has three identity-centric security products offering detection capabilities both on-premises and in the cloud: Azure Advanced

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is that it’s probably one of the most detailed documents I’ve seen in a long time. It covers everything from setting up Event Subscriptions to a hardened use of Windows Remote Management, including the use of authentication and

APT “advanced persistent threat”: the new Microsoft software!

http://blogs.technet.com/b/ad/archive/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available.aspx

Reference: https://technet.microsoft.com/en-US/library/dn707705.aspx

In this article, MS references the following VMware articles (on vSphere 5.1 vDS port mirroring):
http://blogs.vmware.com/vsphere/2013/01/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-1.html
https://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-2.html
http://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-3.html