Using Active Directory Replication Metadata for hunting purposes

Introduction: This blog post is meant for AD admins and security professionals who want to look for suspicious activity in Active Directory by using its replication metadata. What is replication? Replication is an important function of Active Directory: it allows changes that happen on one Domain Controller to be transferred to the other Domain Controllers in the forest.
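As an added example (not code from the post itself), the following PowerShell uses the metadata the post refers to: for each attribute, a DC records the originating DC, the originating time and a version counter, so recent or unusually frequent changes to sensitive attributes can be listed without any audit policy in place. It assumes the ActiveDirectory RSAT module; the attribute list and the 30-day window are assumed starting values.

```powershell
# Added example (not code from the original post): hunt for recent changes to
# sensitive attributes on selected AD objects using replication metadata.
# Assumes the ActiveDirectory RSAT module; the attribute list and $Days are
# assumed starting values to tune for your environment.
Import-Module ActiveDirectory

function Find-SensitiveAttributeChanges {
    param(
        # Distinguished names of the objects to inspect (e.g. Domain Admins, krbtgt)
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [int]$Days = 30,
        [string[]]$Attributes = @(
            'member', 'adminCount', 'sIDHistory', 'servicePrincipalName',
            'userAccountControl', 'nTSecurityDescriptor', 'unicodePwd',
            'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
        ),
        # Each DC keeps its own copy of the metadata; query a second DC if the numbers look odd
        [string]$Server = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
    )

    $since = (Get-Date).AddDays(-$Days)

    foreach ($dn in $DistinguishedName) {
        # -ShowAllLinkedValues returns one row per linked value (e.g. each group member),
        # which is what exposes additions and removals of individual members.
        Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -ShowAllLinkedValues |
            Where-Object {
                $_.AttributeName -in $Attributes -and (
                    $_.LastOriginatingChangeTime -ge $since -or
                    $_.LastOriginatingDeleteTime -ge $since
                )
            } |
            Select-Object Object, AttributeName, AttributeValue, Version,
                          LastOriginatingChangeTime, LastOriginatingDeleteTime,
                          LastOriginatingChangeDirectoryServerIdentity
    }
}

# Usage (assumed names): privileged groups, krbtgt and every adminCount=1 account.
$targets = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName
    (Get-ADUser 'krbtgt').DistinguishedName
) + (Get-ADUser -LDAPFilter '(adminCount=1)').DistinguishedName

Find-SensitiveAttributeChanges -DistinguishedName $targets -Days 30 |
    Sort-Object LastOriginatingChangeTime -Descending | Format-Table -AutoSize
```

Replication metadata tells you when, on which DC and how many times (Version) an attribute changed, but not who changed it; to get the actor, take the originating DC and time from this output and look up the matching directory service events (4662/5136) on that DC.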

SetObjectSecurity.exe – SDDL

Introduction: In this blog post you will learn more about the security permission model in Windows and how you can view and set permissions on securable objects by using tools like SetObjectSecurity.exe. A securable object is an object that can have a security descriptor; think of folders, registry keys, network shares, services, Active
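As an added example (not code from the post or from SetObjectSecurity.exe), the PowerShell below parses an SDDL string into its ACEs and flags the entries that give broad groups write or control rights, which is the check you usually want before and after changing a descriptor. The sample SDDL is constructed input; the bit mask and SID list are assumptions to extend for your own use.

```powershell
# Added example (not code from the original post): parse the SDDL of a securable
# object and flag ACEs that give broad groups write or control rights.
# $sampleSddl is constructed input; the bit masks and SID list are assumptions.
function Find-BroadWriteAces {
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor parses the SDDL string into owner, group, DACL and SACL.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if (-not $sd.DiscretionaryAcl) { return }

    # Rights that let a principal change the object or its security descriptor:
    # FILE_WRITE_DATA, FILE_APPEND_DATA, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL
    $writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    # Principals that effectively mean "every user": Everyone, Authenticated Users, BUILTIN\Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        if ($sid.Value -notin $broadSids) { continue }
        if (($ace.AccessMask -band $writeMask) -eq 0) { continue }

        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }

        [pscustomobject]@{
            Account    = $account
            AccessMask = '0x{0:X}' -f $ace.AccessMask
            Inherited  = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited)
        }
    }
}

# Constructed sample: SYSTEM and Administrators full control, Users read/execute,
# and a (bad) ACE that grants Everyone GENERIC_ALL.
$sampleSddl = 'O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)(A;;GA;;;WD)'
Find-BroadWriteAces -Sddl $sampleSddl

# Reading and writing SDDL on real objects (assumed paths and names):
#   (Get-Acl -Path 'C:\Program Files').Sddl          # files and folders
#   sc.exe sdshow Spooler                             # services
#   $acl = Get-Acl -Path $path
#   $acl.SetSecurityDescriptorSddlForm($fixedSddl)    # replaces the whole descriptor
#   Set-Acl -Path $path -AclObject $acl
```

Setting a descriptor from an SDDL string replaces it entirely rather than merging, so run the check on the new string before applying it; the same parser works for the SDDL that `sc.exe sdshow` prints for services.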

Manage Active Directory objects with ADSI

Introduction: Back in the day, when I was still a Windows & AD admin, I decided to write a document on using the ADSI accelerator to manage objects in Active Directory. There is a funny story behind it, because it was never my intention to dive deep into this topic, but something triggered me
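As an added example (not the document the post describes), this PowerShell shows the two halves of working with the ADSI accelerators: searching with `[ADSISearcher]` and reading or writing an object with `[ADSI]`. The DN and attribute values in the usage lines are assumed sample values.

```powershell
# Added example (not code from the original post): query and modify AD objects with the
# [ADSI] and [ADSISearcher] type accelerators. They work on any domain-joined host
# without the ActiveDirectory module, so detections that key on that module miss them.
# The DN and attribute values in the usage lines are assumed sample values.

function Find-AdminCountUsers {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)

    $searcher = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize = 1000           # paged search, otherwise results stop at the server limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        # Property names in the result collection are lowercase.
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            GroupCount        = $result.Properties['memberof'].Count
        }
    }
}

function Set-AdsiAttribute {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)]$Value
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.Put($Attribute, $Value)   # staged in the local property cache only
    $entry.SetInfo()                 # written to the DC; nothing changes until this call
}

# Usage (assumed names)
Find-AdminCountUsers | Format-Table -AutoSize
Set-AdsiAttribute -DistinguishedName 'CN=svc-backup,OU=Service Accounts,DC=contoso,DC=com' `
                  -Attribute 'description' -Value 'Reviewed by IAM'
```

`Put` only updates the local cache; forgetting `SetInfo` is the usual reason an ADSI change "did not work", and `SetInfo` is also the point at which the DC logs the modification.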

Hunting for techniques used by APT41

Introduction: Today we are going to cover a few techniques that have been used by APT41. During this blog post, we will use the Advanced Hunting feature in Microsoft Defender ATP to hunt for the described techniques. APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. This

Securing On-Premises AD with Azure Sentinel

Introduction: The majority of organizations operate in a hybrid state, which means that many of them still have to deal with their on-premises Active Directory environment. Active Directory has existed for more than a decade, but it hasn’t always been secured properly. Multiple changes are made every day, and it’s hard to find out which

Treat your Privileged Authentication Admins as Global Admins

Introduction: I’ve lately been diving into different escalation paths in Azure AD, and what I’ve realized is that it’s possible to take over a Global Admin account once a user is a member of the directory role called Privileged Authentication Administrator. This role is described by Microsoft as follows: As Microsoft has documented it, so
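As an added example (not code from the post), the PowerShell below enumerates who effectively holds the Privileged Authentication Administrator role, including members of role-assignable groups, so the list can be reviewed with the same rigour as the Global Administrator list. It assumes the Microsoft.Graph PowerShell SDK and a session with the listed scopes.

```powershell
# Added example (not code from the original post): list who can act as a Privileged
# Authentication Administrator, expanding role-assignable groups. Assumes the
# Microsoft.Graph PowerShell SDK; the output property names are this script's own.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'GroupMember.Read.All'

function Get-RoleHolders {
    param([string]$RoleName = 'Privileged Authentication Administrator')

    # /directoryRoles only returns roles that have been activated in the tenant;
    # an empty result means no one has ever been assigned the role.
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $RoleName
    if (-not $role) { return }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $odataType = $member.AdditionalProperties['@odata.type']
        if ($odataType -eq '#microsoft.graph.group') {
            # Role-assignable group: every transitive member effectively holds the role.
            foreach ($user in Get-MgGroupTransitiveMember -GroupId $member.Id -All) {
                [pscustomobject]@{
                    Role = $RoleName
                    Upn  = $user.AdditionalProperties['userPrincipalName']
                    Via  = "group: $($member.AdditionalProperties['displayName'])"
                }
            }
        } else {
            # Users and service principals assigned directly
            [pscustomobject]@{
                Role = $RoleName
                Upn  = $member.AdditionalProperties['userPrincipalName']
                Via  = 'direct'
            }
        }
    }
}

# Review both lists together: anyone in the first who is not in the second can still
# reach Global Admin rights, which a review of Global Admins alone would miss.
Get-RoleHolders -RoleName 'Privileged Authentication Administrator'
Get-RoleHolders -RoleName 'Global Administrator'
```

Active assignments only: users who are merely eligible for the role through Privileged Identity Management do not appear in `directoryRoles` membership and need a separate PIM query.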

Re-Post: Active Directory Security – Resources

Introduction: This is an old document that I had removed from my previous website, but since people have asked for it, I have decided to re-post my Active Directory Security Assessment (ADSA) documentation. ADSA provides clear how-to guidance for applying common best practices to improve the security of AD. The purpose of this documentation was mainly meant

Mitigate Credential theft with Administrative Tier Model

Introduction: A lot of organizations have a credential hygiene problem without knowing it. It’s one of the common reasons why attackers manage to obtain domain dominance so easily in a corporate environment: credentials are everywhere. High-privileged accounts such as Domain Admins & Enterprise Admins are logging on to every