Securing On-Premises AD with Azure Sentinel

Introduction: The majority of organizations are operating in a hybrid state, which means that a lot of organizations still have to deal with their On-Premises Active Directory environment. Active Directory exists for more than a decade, but it hasn’t always been secured properly. Multiple changes are configured everyday, and it’s hard to find out, whichContinue reading “Securing On-Premises AD with Azure Sentinel”

Treat your Privileged Authentication Admins as Global Admins

Introduction: I’ve been lately diving into different escalation paths in Azure AD and what I’ve realized is, that it’s possible to take-over a Global Admin account. Once a user is part of a directory role that’s called Privileged Authentication Administrator. This role is described by Microsoft as the following: As Microsoft has documented it soContinue reading “Treat your Privileged Authentication Admins as Global Admins”

Hunting TTPs with Azure Sentinel

Introduction: Azure Sentinel is a cloud native SIEM solution that leverages, the power of Artificial Intelligence to analyze large data volumes at scale. It provides a lot of capabilities and it’s a solution that I highly can recommend to both SOC Analysts and Threat Hunters. Today in my blog post. I’m going to describe aContinue reading “Hunting TTPs with Azure Sentinel”

Kusto Query Internals – Azure Sentinel Reference

Folks, Since a lot of people are into Azure Sentinel. I’ve decided to share a documentation that walks you through the different steps to understand the basic concepts of Kusto Query Language (KQL). KQL is the core fundamentals in Azure Sentinel to search and analyze data. This is also why it’s worth to understand howContinue reading “Kusto Query Internals – Azure Sentinel Reference”

Re-Post: Active Directory Security – Resources

Introduction An old document that I had removed from my previous website, but since people have asked for it. I have decided re-post my Active Directory Security Assessment (ADSA) documentation. ADSA provides a clear ”how-to” guidance to apply common best practices to improve the security of AD. The purpose of this documentation was mainly meantContinue reading “Re-Post: Active Directory Security – Resources”

Mitigate Credential theft with Administrative Tier Model

Introduction: A lot of organizations have a credential hygiene problem without knowing that they have it. It’s one of the common reasons why attackers are managing to obtain Domain Dominance so easily in a corporate environment, because credentials are everywhere. High-privileged accounts with the likes of Domain Admins & Enterprise Admins are login on everyContinue reading “Mitigate Credential theft with Administrative Tier Model”

Stop being lazy and deploy LAPS

Introduction: Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. What’s great about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it’s free! LAPSContinue reading “Stop being lazy and deploy LAPS”

How attackers are moving laterally via Kerberos

Introduction Kerberos exist for a long time and it has been the default authentication protocol for Windows, Active Directory. Attackers have been abusing the Kerberos protocol for a while, but it’s not that Kerberos is immediately insecure. It’s the way how it has been designed. Before we’re diving into the ways of how an attackerContinue reading “How attackers are moving laterally via Kerberos”

Pass-the-Hash is still a threat

Introduction Pass-the-Hash is a very old technique that was originally published by Paul Ashton in 1997. Despite that Pass-the-Hash exists over more than a decade. It is used a lot in most ransomware attacks, like for example on the University of Maastricht. But why is this still a problem? First of all, lets have aContinue reading “Pass-the-Hash is still a threat”