Active Directory Credential Theft

Attacking Active Directory: Why Cyber Threats Target AD

[Updated February 21, 2024; originally published December 14, 2017] Active Directory is the most critical identity system for most enterprises. The problem is that in the two-plus decades since Active... The post Attacking Active Directory: Why Cyber Threats Target AD appeared first on Semperis.

3 Steps to Protect AD from Wiperware

Category: Uncategorized
We’re barely a month into the new year, but wiperware is back in the news. DevPro Journal notes a “drastic increase” starting last year, likely driven by geopolitical conflict. What is wiperware—and how can you protect your organization? What is wiperware? Wiperware is often used as part of an advanced ...

Top Tips for Protecting Active Directory

Active Directory is one of the most important components of your network. Yet protecting Active Directory can be one of the most challenging tasks on your to-do list. The problem is that AD changes so often and on such a large scale that it’s effectively immune to ordinary change management ...

Hiding in Plain Sight — Discovering Hidden Active Directory Objects

Category: Active Directory
Note: Updated March 30, 2022. At a past Hybrid Identity Protection Conference, several of us spoke about the ongoing use of Active Directory as a subject of interest in malware attacks. Whether it’s mining AD for information about privileged access, compromising user accounts that lead to increasing levels of privilege ...

Active Directory Security: Abusing Display Specifiers

I was reminded recently about a feature in AD that I haven’t used in nearly 20 years, one that can be abused by attackers. This feature is based on an area in the Configuration partition within a given Active Directory forest called Display Specifiers. I’m sure these have many roles ...

Good Riddance, Red Forest: Understanding Microsoft’s New Privileged Access Management Strategy

Category: Active Directory
As far back as 2012, Microsoft released the first version of its important “Mitigating Pass-the-Hash and Credential Theft” whitepapers. In this first version, Microsoft defined the problem of lateral movement and privilege escalation within a Windows Active Directory on-premises environment and included best practices for mitigating these kinds of attacks at the time. Two years later, Microsoft released version 2 ...

Egregor Ransomware Attack on Kmart is a Reminder that Active Directory Needs to Be Protected and Recoverable

Category: Ransomware
The latest ransomware-as-a-service attack leaves the well-known retailer, Kmart, with service outages and a compromised Active Directory. In the wake of Maze ransomware “retiring” last month, many of its affiliates have moved to the new kid on the ransomware block, Egregor. Named after an occult term meaning the collective energy or force ...

New Research: Detecting DCShadow on Rogue Hosts

Category: DCShadow Attack
10,000-foot view: Many of us are familiar with the variety of tools, attacks, and adversaries that focus on breaching Active Directory. With the release in 2018 of DCShadow, another highly effective vector was added to that ever-increasing list. To the credit of the research team, along with the exploit, they ...

Vulnerabilities in Active Directory: The CISO’s Achilles Heel

Category: Active Directory
Understanding how compromises occur is a fundamental part of forming a cybersecurity defense. With that in mind, I recently joined Andy Robbins, co-creator of the open source attack path discovery tool, BloodHound, for a webinar that outlined how attackers target Active Directory (AD). During the presentation, we spotlighted an uncomfortable ...

Understanding Group Policy Privilege Escalation in CVE-2020-1317

Category: group policy
Last month, Microsoft released an advisory for CVE-2020-1317, which describes a privilege escalation vulnerability in Group Policy. This was further detailed by the discoverer of the vulnerability on the CyberArk website. The nature of this issue is interesting and worth understanding. For years, Group Policy has had this dichotomy built ...