Darren Mar-Elia, Author at Security Boulevard
Good Riddance, Red Forest: Understanding Microsoft’s New Privileged Access Management Strategy

Active Directory
As far back as 2012, Microsoft released the first version of its important “Mitigating Pass-the-Hash and Credential Theft” whitepapers. In this first version, Microsoft defined the problem of lateral movement and privilege escalation within a Windows Active Directory on-premises environment and included best practices for mitigating these kinds of attacks at the time. Two years later, Microsoft released version 2 ... Read More

Egregor Ransomware Attack on Kmart is a Reminder that Active Directory Needs to Be Protected and Recoverable

Ransomware
The latest ransomware-as-a-service attack leaves the well-known retailer, Kmart, with service outages and a compromised Active Directory. In the wake of Maze ransomware “retiring” last month, many of its affiliates have moved to the new kid on the ransomware block, Egregor. Named after an occult term meaning the collective energy or force ... Read More
New Research: Detecting DCShadow on Rogue Hosts

DCShadow Attack
10,000-foot view: Many of us are familiar with the variety of tools, attacks, and adversaries that focus on breaching Active Directory. With the release in 2018 of DCShadow, another highly effective vector was added to that ever-increasing list. To the credit of the research team, along with the exploit, they ... Read More

Vulnerabilities in Active Directory: The CISO’s Achilles Heel

Active Directory
Understanding how compromises occur is a fundamental part of forming a cybersecurity defense. With that in mind, I recently joined Andy Robbins, co-creator of the open source attack path discovery tool, BloodHound, for a webinar that outlined how attackers target Active Directory (AD). During the presentation, we spotlighted an uncomfortable ... Read More
Understanding Group Policy Privilege Escalation in CVE-2020-1317

Group Policy
Last month, Microsoft released an advisory for CVE-2020-1317 which describes a privilege escalation vulnerability in Group Policy. This was further detailed by the discoverer of the vulnerability on the Cyberark website. The nature of this issue is interesting and worth understanding. For years, Group Policy has had this dichotomy built ... Read More
Take back the keys to your kingdom with the latest release of Semperis Directory Services Protector

Uncategorized
Active Directory is foundational to everything you do and the #1 new target for attackers. Since it wasn’t originally built with today’s threats in mind, Active Directory is riddled with inherent soft spots and risky configurations that attackers are readily taking advantage of. We, here at Semperis, are excited to ... Read More
Cyber Scenarios Expose Shortcomings of BMR

Ransomware and wiper attacks are causing organizations to re-evaluate their backup and recovery capabilities. An obvious concern is whether backups are safe – for example, are they offline where they can’t be encrypted or wiped. While this is a good first step, it’s just that. We also need to evaluate ... Read More
Why Most Organizations Still Can’t Defend against DCShadow – Part 2

In part 1 of this blog post, I talked about the threat that DCShadow poses to organizations that use Microsoft Active Directory (AD). Here in part 2, I’ll talk about steps you can take to protect your organization. (Quick recap: DCShadow is a feature of the Mimikatz post-exploitation tool that ... Read More
Why Most Organizations Still Can’t Defend against DCShadow

DCShadow is a readily available technique that allows an attacker to establish persistent privileged access in Active Directory (AD). Specifically, DCShadow allows an attacker with privileged access to create and edit arbitrary objects in AD without anyone knowing. This allows the attacker to create backdoors all over AD that can’t ... Read More