Azure AD Kerberos Tickets: Pivoting to the Cloud

If you’ve reached Domain Admin on an internal penetration test and the target organization also has an Azure presence, its entire Azure environment can still be compromised from that position. In this blog, I’ll take you through this scenario and show you the dangers of machine account SSO compromise. We will do so without extracting any…

The post Azure AD Kerberos Tickets: Pivoting to the Cloud appeared first on TrustedSec.


2023 Resolutions for Script Kiddies

Introduction
2022 was a tough year. It seemed like no one was safe. Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, Okta, Uber—and those were just some of Lapsus$’s breaches. What’s a Script Kiddie to do to be better protected in 2023? Another year in the books, and it was another big year for cybersecurity. While 2022 did…



A LAPS(e) in Judgement

As security practitioners, we live in a time when there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the dangers of unpatched applications and devices, as well as the virtues of password managers and encrypted databases for protecting our passwords and other…



More Active Directory for Script Kiddies

Introduction
So… Active Directory is amazing. It tells me everything I want to know—a regular Ask Jeeves for the whole domain—but I’m sure there is more that it can do. What else am I missing? In a previous article, I described the Active Directory (AD) service and how a Script Kiddie might use it to…



Active Directory for Script Kiddies

Introduction
It seems like all these corporate types are using Active Directory. What is this “Active Directory”? And how can I use it to make my job as a Script Kiddie easier? Active Directory (AD) is a directory service developed by Microsoft for Windows networks and computers. A directory service is a shared database for…



The Curious Case of the Password Database

Nowadays, password managers are king. We use password managers to secure our most sensitive credentials to a myriad of services and sites; a compromise of the password manager could prove devastating. Due to recently disclosed critical Common Vulnerabilities and Exposures (CVEs) involving ManageEngine’s Password Manager Pro software, a client came to us at TrustedSec, wondering:…



I Wanna Go Fast, Really Fast, like (Kerberos) FAST

1 Introduction
At TrustedSec, we weigh an information security program’s ability to defend against a single specified attack by measuring detection, deflection, and deterrence. While the majority of my blog posts have concentrated on detection, this post is more ‘deterrence’ focused. I first heard about Kerberos FAST from Steve Syfuhs (@SteveSyfuhs) of Microsoft…



Splunk SPL Queries for Detecting gMSA Attacks

1 Introduction
What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target: a path to escalate privileges, perform credential access, move laterally, or even persist in a domain via a ‘golden’ opportunity. If you’re an enterprise defender, it’s something you need…
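The detection side of that attack path, as an added example that is not TrustedSec's SPL from the post (the post's own queries are not reproduced here). When a principal retrieves a gMSA's password, the domain controller (with the appropriate SACL) logs a 4662 event whose Properties field contains the schemaIDGUID of msDS-ManagedPassword, e362ed86-b728-0842-b27d-2dea7a9df218, with a Read Property access mask (0x10). The code below runs that logic over constructed, simplified key=value 4662 records rather than real Windows XML; the gMSA names, the CORP domain, and the ALLOWED_READERS allow-list (modelled on PrincipalsAllowedToRetrieveManagedPassword) are all hypothetical. It flags reads by principals that are not on the gMSA's allow-list and principals that pull passwords from more than one gMSA, which is the enumeration pattern an attacker with broad read rights produces; the same two conditions translate directly into a Splunk search over EventCode=4662.

```python
import re
from collections import defaultdict

# schemaIDGUID of the msDS-ManagedPassword attribute; a 4662 event whose
# Properties field carries this GUID records a read of a gMSA's password blob.
MSDS_MANAGEDPASSWORD_GUID = "e362ed86-b728-0842-b27d-2dea7a9df218"
READ_PROPERTY = 0x10  # ADS_RIGHT_DS_READ_PROP bit in the 4662 AccessMask

# Hypothetical allow-list: which principals are expected to retrieve each
# gMSA's password (mirrors PrincipalsAllowedToRetrieveManagedPassword).
ALLOWED_READERS = {
    "CN=gmsa-sql,CN=Managed Service Accounts,DC=corp,DC=local": {"SQL01$"},
    "CN=gmsa-web,CN=Managed Service Accounts,DC=corp,DC=local": {"WEB01$", "WEB02$"},
}

# Constructed, simplified 4662/4624 records in key=value form (not real logs).
SAMPLE_EVENTS = [
    'EventCode=4662 SubjectUserName=SQL01$ SubjectDomainName=CORP ObjectName="CN=gmsa-sql,CN=Managed Service Accounts,DC=corp,DC=local" AccessMask=0x10 Properties="{e362ed86-b728-0842-b27d-2dea7a9df218}"',
    'EventCode=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectName="CN=gmsa-sql,CN=Managed Service Accounts,DC=corp,DC=local" AccessMask=0x10 Properties="{e362ed86-b728-0842-b27d-2dea7a9df218}"',
    'EventCode=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectName="CN=gmsa-web,CN=Managed Service Accounts,DC=corp,DC=local" AccessMask=0x10 Properties="{e362ed86-b728-0842-b27d-2dea7a9df218}"',
    # Read of a different property on a gMSA object: not a password retrieval.
    'EventCode=4662 SubjectUserName=WEB01$ SubjectDomainName=CORP ObjectName="CN=gmsa-web,CN=Managed Service Accounts,DC=corp,DC=local" AccessMask=0x10 Properties="{bf967a86-0de6-11d0-a285-00aa003049e2}"',
    # Unrelated logon event, ignored by the detection.
    'EventCode=4624 SubjectUserName=jdoe SubjectDomainName=CORP LogonType=3',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_gmsa_password_read(ev):
    """True when the event is a 4662 Read Property of msDS-ManagedPassword."""
    if ev.get("EventCode") != "4662":
        return False
    if int(ev.get("AccessMask", "0"), 16) & READ_PROPERTY == 0:
        return False
    return MSDS_MANAGEDPASSWORD_GUID in ev.get("Properties", "").lower()


def detect_gmsa_password_reads(lines, allowed=ALLOWED_READERS):
    """Return findings for (a) password reads by principals not on the
    target gMSA's allow-list and (b) principals reading more than one gMSA."""
    findings = []
    per_subject = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not is_gmsa_password_read(ev):
            continue
        subject, target = ev["SubjectUserName"], ev["ObjectName"]
        per_subject[subject].add(target)
        if subject not in allowed.get(target, set()):
            findings.append({"rule": "unexpected_reader", "subject": subject, "target": target})
    for subject, targets in per_subject.items():
        if len(targets) > 1:
            findings.append({"rule": "multi_gmsa_read", "subject": subject, "targets": sorted(targets)})
    return findings


if __name__ == "__main__":
    for finding in detect_gmsa_password_reads(SAMPLE_EVENTS):
        print(finding)
```

The allow-list check is the high-fidelity signal: a legitimate host reading its own gMSA password is normal and noisy, so alerting only on principals outside the configured retrievers keeps the rule quiet. The multi-gMSA rule catches the case where an attacker has been granted, or has abused, read rights across several service accounts at once. Note that none of this fires unless auditing of the gMSA objects is actually enabled via a SACL on the Managed Service Accounts container.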



An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278

1.0 Introduction
On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVE-2021-42287 and CVE-2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how they were weaponized into Rubeus with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections…



The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

