Hunting for techniques used by APT41

Introduction Today we are going to cover a few techniques that have been used by APT41. During this blog post, we will use the Advanced Hunting feature in Microsoft Defender ATP to hunt for the described techniques. APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. ThisContinue reading “Hunting for techniques used by APT41”

Treat your Privileged Authentication Admins as Global Admins

Introduction: I’ve been lately diving into different escalation paths in Azure AD and what I’ve realized is, that it’s possible to take-over a Global Admin account. Once a user is part of a directory role that’s called Privileged Authentication Administrator. This role is described by Microsoft as the following: As Microsoft has documented it soContinue reading “Treat your Privileged Authentication Admins as Global Admins”

Stop being lazy and deploy LAPS

Introduction: Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. What’s great about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it’s free! LAPSContinue reading “Stop being lazy and deploy LAPS”

How attackers are moving laterally via Kerberos

Introduction Kerberos exist for a long time and it has been the default authentication protocol for Windows, Active Directory. Attackers have been abusing the Kerberos protocol for a while, but it’s not that Kerberos is immediately insecure. It’s the way how it has been designed. Before we’re diving into the ways of how an attackerContinue reading “How attackers are moving laterally via Kerberos”

Pass-the-Hash is still a threat

Introduction Pass-the-Hash is a very old technique that was originally published by Paul Ashton in 1997. Despite that Pass-the-Hash exists over more than a decade. It is used a lot in most ransomware attacks, like for example on the University of Maastricht. But why is this still a problem? First of all, lets have aContinue reading “Pass-the-Hash is still a threat”

Mitigate RDP attacks on Azure VM’s with Just-in-Time Access

Introduction There are organizations who have migrated some of their on-premise machines to the Cloud of Azure, because it can reduce the workload. What’s great about this is the fact, that you don’t need to maintain all the physical hardware anymore. However it’s becomes a shared responsibility, when you have resources running in Azure. ThisContinue reading “Mitigate RDP attacks on Azure VM’s with Just-in-Time Access”

Computer accounts can move laterally too!

Introduction Computer accounts in Active Directory can be abused as well, but it’s not something we hear often, because lets face it. It’s not the first thing that comes up in to our mind, when we’re thinking about moving laterally to another machine with a computer account. Before we go further in to all theContinue reading “Computer accounts can move laterally too!”

Pass-the-Hash with RID-500 account

Introduction In my previous post, I’ve blogged about how Pass-the-Hash is still a nuclear bomb on most networks around the world. Despite that Microsoft has released mitigation guidance’s around this security threat. I always felt that most companies didn’t (fully) understood the whole problem about this, which has led that many companies didn’t implemented theContinue reading “Pass-the-Hash with RID-500 account”