Podcasts about domain admin

In this episode, we dive deep into Azure security, incident response, and the evolving cloud threat landscape with Katie Knowles, Security Researcher and former Azure Incident Responder. We spoke about common Azure incident response scenarios you need to prepare for, how identity and privilege escalation work in Azure, how Active Directory and Entra ID expose new risks and what security teams need to know about Azure networking and logging.Guest Socials: ⁠⁠⁠⁠⁠⁠⁠⁠⁠Katie's LinkedinPodcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:-⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠If you are interested in AI Cybersecurity, you can check out our sister podcast -⁠⁠⁠⁠⁠⁠⁠ AI Cybersecurity PodcastQuestions asked:(00:00) Introduction(02:27) A bit about Katie(03:17) Domain Admin in Azure(07:03) Common causes of incidents in Azure(08:53) Identities in Azure(11:44) Third Party Identities in Azure(17:34) Azure Networking and Incident Response(22:35) Common Incidents in Azure(26:53) AI specific incidents in Azure(28:45) Privilege escalation in Azure(39:37) Where to start with Azure Research?(48:20) The Fun Questions

Summary In this episode, the hosts discuss the Edge password vault and its pros and cons. They highlight the ability to sync passwords to an enterprise ID and the encryption of passwords on the disk. However, they also mention limitations such as the lack of MFA support and the inability to share passwords. The conversation then shifts to best practices for IT admins, including the separation of roles and credentials and the use of password managers. The hosts also emphasize the importance of implementing single sign-on and federating SaaS apps to improve security. Takeaways -The Edge password vault offers convenient password syncing to an enterprise ID and encryption of passwords on the disk. -However, it lacks features such as MFA support and password sharing, making it less suitable for enterprise use. -IT admins should separate roles and credentials, implement single sign-on, and federate SaaS apps to improve security. -Password expiration policies should be reevaluated, as it is no longer necessary to change passwords every 90 days. ------------------------------------------- Youtube Video Link: https://youtu.be/YLIUq5soGhs⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ------------------------------------------- Documentation: ⁠https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-password-manager-security https://learn.microsoft.com/en-us/entra/identity/users/users-sharing-accounts https://twitter.com/thetomzone/status/1760833981904228508?t=wVpJpdH7u2mDZZDEtx3bMg https://twitter.com/techspence/status/1761034174331535802?t=wVpJpdH7u2mDZZDEtx3bMg ---------------------- Contact Us: Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://bluesecuritypod.com⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/bluesecuritypod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Threads: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.threads.net/@bluesecuritypodcast⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Linkedin: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/company/bluesecpod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Youtube: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/c/BlueSecurityPodcast⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Twitch: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.twitch.tv/bluesecuritypod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ------------------------------------------- Andy Jaw Mastodon: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://infosec.exchange/@ajawzero⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/ajawzero⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/andyjaw/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Email: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠andy@bluesecuritypod.com⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ------------------------------------------- Adam Brewer Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/ajbrewer⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/adamjbrewer/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Email: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠adam@bluesecuritypod.com --- Send in a voice message: https://podcasters.spotify.com/pod/show/blue-security-podcast/message

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on August 11, 2022. Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker's techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-3 

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on August 11, 2022. Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker's techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-3 

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on August 11, 2022. Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker's techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-3 

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on August 11, 2022. Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker's techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-3 

Today's soap box is an absolute cracker. We're talking to Andy Robbins, the principal product architect at SpecterOps and one of the three original creators of the original open source version of Bloodhound. If you don't know what Bloodhound is, it's a tool that grabs Active Directory information and turns it into a navigable graph. So if you're an attacker you land on a network, enumerate directory information, and then map out a path to domain admin. Bloodhound has been extremely popular with red teamers for years – to the point that it's just a standard tool in the red team toolkit. But the team behind Bloodhound is now turning their attention to making Bloodhound a defensive tool as well as an offensive tool.

Today's soap box is an absolute cracker. We're talking to Andy Robbins, the principal product architect at SpecterOps and one of the three original creators of the original open source version of Bloodhound. If you don't know what Bloodhound is, it's a tool that grabs Active Directory information and turns it into a navigable graph. So if you're an attacker you land on a network, enumerate directory information, and then map out a path to domain admin. Bloodhound has been extremely popular with red teamers for years – to the point that it's just a standard tool in the red team toolkit. But the team behind Bloodhound is now turning their attention to making Bloodhound a defensive tool as well as an offensive tool.

Special Thanks to our podcast sponsor, Cymulate.  On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face: Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating The level of vulnerabilities today is 30x what it was 10 years ago.  We have more IT infrastructure, complexity, and developers in our current environment. In the pursuit of digital innovation, we are changing our IT infrastructure by the hour.  For Example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.   Breach and Attack Simulation tooling address these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management.  This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized.  Key benefits of adopting Breach and Attack Simulation software include: Managing organizational cyber-risk end to end Rationalizing security spend Prioritizing mitigations based on validated risks Protecting against the latest threats in near real-time Preventing environmental drift   Welcome back listeners and thank you for continuing your education in CISO Tradecraft.  Today we are excited to share with you a great episode focused on Breach and Attack Simulation software.  To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.   Starting from the beginning.  What is Breach and Attack Simulation software and why is this needed?  At the end of the day most companies are not on an island.  They need to connect to clients, partners, and vendors.  They need the ability for employees to visit websites.  They need to host public facing websites to sell products and services.  Each of these activities result in creating organizational assets such as IT equipment that has internet connectivity.  Now internet connectivity isn't a bad thing.  Remember internet connectivity allows companies to generate income which allows the organization to exist.  This income goes to funding expenses like the cyber organization so that is a good thing.     If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization.  So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk.  Now sometimes you will hear the terms Cyber Asset Attack Surface Management or (CAASM).  It's also commonly referred to as continuous threat exposure management.  Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources.  Essentially they are designed to address key questions such as:  How do we get an inventory of what we have? How do we know our vulnerabilities? and  How do we know which vulnerabilities might be exploited by threat actors?     Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software.  Note Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique.  Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises.  Essentially you learn how bad actors can bypass your cyber tooling and safeguards.  This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform.  Example if I can take a normal user's laptop and spawn a Powershell Script or run a tool like MimiKatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity.  I also want to know if the Incident Response team blocked or disabled this account in a timely manner.  According to the 2022 Microsoft Digital Defense Report the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes.  The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes.  Remember the difference to responding to these attacks in minutes vs hours can be the difference between how much files get encrypted when ransomware actors get into your environment.     Another thing that CISOs need to ensure is that vulnerabilities get fixed.  How do you test that?  You have to replay the attack.     You can think of fire drills as the comparison.  If an organization only did one fire drill every 24 months, then chances are the company's time to exit the building isn't going to decrease all that much.  It's likely to stay the same.  Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion.  The good thing on Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button.  This can save your penetration testing team hours over manual exploitation activities which would have to be repeated to confirm successful patches and mitigations.   If we look at Breach and Attack Simulation software the tools have typically come in two flavors.  One is an agent based approach.  Example.  A company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Protection software.  The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool.  The attack agent could also run similar attacks with how much malware the Antivirus detects, how much sensitive email it send outside the company despite there being an email protection solution.  These attack agents can also be placed on servers to determine how effective web applications firewalls are at stopping attacks.   Essentially having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools.  Now there's a few concerns with this type of approach.  One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower.  Two, the time it takes to install and test agents means the value you can get out of these tools is delayed because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed.  Three, by having an agent you don't always truly simulate what an attacker would do since you don't have to live off the land and gain permissions the attacker did.  Your agent may not be know to antivirus or EDR tools, but using windows libraries to gain access does.    Now let's compare this with an agentless approach.  This approach is quite popular since labs where agents are run don't always look like a production environment.  Example they lack the amount of traffic, don't possess the same amount of production data, or contain last month's versions of software.     Here attacker software may start with the premise what happens if someone from the Accounting Team opens an Excel document containing a malicious macro.  Let's see how we can automate an attack after that initial compromise step occurs.  Then let's walk through every attack identified by the Mitre Attack Framework and see what gets caught and what doesn't.  The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness.  This might be something simple like adding a Windows Group Policy to stop an attack.  Also breach and attack simulation tools can provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred.  Example: Instead of knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk Signature that your SOC team can leverage.  That's a great add to minimize the amount of time to improve your alerting capabilities.     Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack.  It might be as simple as we stopped this attack before it could happen by applying the new Windows Group Policy or it took the team 4 hours to determine XYZ account had been taken over.  These metrics allow you to know how well your Response plans work.  So you get the value of a penetration test with the automation & scaling of vulnerability management tools.     What's even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.     Example: Most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively.  Generally this is a manual process done in the Governance Risk and Compliance (GRC) team within a cyber organization.  GRC teams have to ask developers to provide evidence to various IT controls such as are you monitoring and alerting to privilege activity.  Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and these tools actually stopped various MITRE attacks immediately.  That evidence would minimize the data call which takes time from the developer teams.   

Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker's techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw284

Following in the footsteps of an attacker and uncovering their digital footprints, this episode will uncover an attacker's techniques used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from Ransomware Incident Response.   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw284

[Referências do Episódio] - DGA家族Orchard持续变化，新版本用比特币交易信息生成DGA域名 - https://blog.netlab.360.com/orchard-dga/ - Aviso sobre redefinições de senha no Slack - https://slack.com/intl/pt-br/blog/news/notice-about-slack-password-resets - An incident impacting some accounts and private information on Twitter - https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts - BumbleBee Roasts Its Way to Domain Admin - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ [Ficha técnica] Apresentação: Carlos Cabral Roteiro: Carlos Cabral e Daniel Venzi Edição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia Projeto gráfico: Julian Prieto

In the Enterprise Security News for this week, ZeroFox has a $1.4 billion dollar blank check, Corellium raises a $25m series A, GreyNoise makes its data free to help out Log4j sufferers, AWS suffers its third outage in a month (coincidentally hindering GreyNoise's efforts), Ditching Unicorns for Dragons, Yet another easy way to become domain admin, thanks Microsoft, New report finds that current phishing training isn't effective and is even potentially harmful, & more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw255

In the Enterprise Security News for this week, ZeroFox has a $1.4 billion dollar blank check, Corellium raises a $25m series A, GreyNoise makes its data free to help out Log4j sufferers, AWS suffers its third outage in a month (coincidentally hindering GreyNoise's efforts), Ditching Unicorns for Dragons, Yet another easy way to become domain admin, thanks Microsoft, New report finds that current phishing training isn't effective and is even potentially harmful, & more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw255

Today our friend Christopher Fielder of Arctic Wolf joins us on the show again (check out his first appearance in episode #444 - this time to talk about the security journey, and how to start out in your "security diapers" and mature towards a stronger infosec program. Specifically, we talk about: When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals. Early in this process, you should inventory what you have (see CIS controls) so you know what you need to protect. A few tools to help you get started: Nmap Rumble LanSweeper Witnessme As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!" Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially your external network. Consider scanning it nightly to catch show-stoppers like Hafnium early) Limiting administrative privileges is SUPER important - but don't take our word for it, check out this report from Beyond Trust for some important stats like "...enforcing least privilege and removing admin rights eliminates 56% of critical Microsoft vulnerabilities." Install LAPS, because if an attacker gets local admin access everywhere, that's in many ways just as good as Domain Admin! Train your users on relevant security topics. Then train them again. Then....again. And after that? Again. There are many ways to conduct tabletop exercises. They don't have to be crazy technical. Start with the internal tech teams, practice some scenarios and get everybody loosened up. Then add the executives to those meetings so that everybody is more at ease. How do you know when it's time to ask for help from an outside security resource? Not sure what kind of shape your company's security posture is in? Check out Arctic Wolf's free security maturity assessment.

On this week’s show Patrick and Adam discuss the week’s security news, including: Russia, China, Iran having a red hot go at US political orgs Crowdstrike drops report, telcos having a bad time MSS owning US government with dumb bugs DoJ indicts Iranian script kiddie because reasons Proposed TikTok-Oracle deal barely makes sense The mother of all Microsoft auth bugs, wow Much, much more… This week’s show is brought to you by Senetas. And we’ve got two sponsor guests for you this week: Senetas CTO Julian Fay will join us, as will Peter Farrely of AUCloud. Senetas uses AUCloud as a partner for its Suredrop file sharing and collaboration platform here in Oz, and Pete is joining us this week to talk through the new Cloud Assessment and Authorisation Framework published by the ACSC. If you work in Australian government IT and security, this one’s for you! Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes Exclusive: Microsoft believes Russians that hacked Clinton targeted Biden campaign firm - sources | Reuters GRU eyes US election - Risky Business STRONTIUM: Detecting new patterns in credential harvesting - Microsoft Security Chinese hacking groups are bullying telecoms as 2020 goes on, CrowdStrike says Report2020OverWatchNowheretoHide.pdf New CDRThief malware targets VoIP softswitches to steal call detail records | ZDNet VOS3000 VOS5000 Softswitch by Linknat - A Word-leading VoIP Solutions Provider Chinese intelligence-linked hackers are exploiting known flaws to target Washington, US says (8) Eric Geller on Twitter: "DOJ to announce Chinese hacking charges (and arrests!) tomorrow. https://t.co/Wj7KSq9BNd" / Twitter PAN-OS vulnerabilities add to a torrid year for enterprise software bugs Public disclosure didn't stop suspected Chinese hackers from targeting the Vatican Trump says Oracle ' very close' to TikTok deal Huawei HarmonyOS: Operating system will be on smartphones in 2021 US charges two hackers for defacing US websites following Soleimani killing | ZDNet FBI says credential stuffing attacks are behind some recent bank hacks | ZDNet Magento online stores hacked in largest campaign to date | ZDNet Multibillion-dollar Equinix is the latest data-center firm to face ransomware incident [Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472) New BlindSide attack uses speculative execution to bypass ASLR | ZDNet BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys | ZDNet Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw | ZDNet MITRE releases emulation plan for FIN6 hacking group, more to follow | ZDNet Internal Facebook systems exposed via unpatched Apache library | The Daily Swig Porn site users targeted with malicious ads redirecting to exploit kits, malware | ZDNet Researcher kept a major Bitcoin bug secret for two years to prevent attacks | ZDNet Vast majority of cyber-attacks on cloud servers aim to mine cryptocurrency | ZDNet Slovak cryptocurrency exchange ETERBASE discloses $5.4 million hack | ZDNet Chinese diplomat demands investigation after his Twitter account liked embarrassing posts Whistleblower Says Facebook Ignored Global Political Manipulation When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number Anatomy of a Cloud Assessment and Authorisation | Cyber.gov.au

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows: Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven! Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down. Testing for MS14-025 is easy with this site. mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this: smb://CORPAdministrator@192.168.195.2 smb://CORPAdministrator@192.168.195.3 smb://CORPbrian.admin@192.168.195.7 192.168.195.7 192.168.195.10 Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ! Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done. Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share Then, once you've pulled back the lsass.dmp file, you can rip through it easily with: pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever. I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig. One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6). This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included: Capturing hashes with Responder Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user) Check for MS14-025 (see this article) Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf) Test for egress filtering of ports 1-1024 Took a backup of AD "the Microsoft way" and then cracked with secretsdump: sudo python ./secretsdump.py -ntds /loot/Active Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump

Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1. In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!): Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!) Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!) If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye. We also talk about lessons learned from this pentest - both things done well and things the org can do to make the next pentester's job a lot harder.

Buckle up! This is one of my favorite episodes. Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed: Building a pentest dropbox The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info. Securing a pentest dropbox What I did with my Intel NUC pentest dropbox is build a few VMs as follows: Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it. Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS). Scoping/approaching a pentest From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest: From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there. Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point. Pentest narrative For one of the tests I worked on, here were some successes and challenges I had along the way: Check out the show notes at 7MS.us as there's lots more good info there!

This week, a tool that finds vulnerable robots on the Internet, a new exploit that threatens over 9,000 Cisco routers, apple turns of group FaceTime after an eavesdropping bug, wordpress sites under attack via Zero-Day in abandoned plugin, and OpenBMC caught with 'pantsdown' over a new security flaw! Jason Wood from Paladin Security joins us for expert commentary on Abusing Exchange: One API call away from Domain Admin!   Full Show Notes: https://wiki.securityweekly.com/HNNEpisode205 Visit https://www.securityweekly.com/hnn for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, a tool that finds vulnerable robots on the internet, a new exploit that threatens over 9,000 Cisco Routers, apple turns of group FaceTime after an eavesdropping bug, wordpress sites under attack via Zero-Day in abandoned plugin, and OpenBMC caught with 'pantsdown' over a new security flaw! Jason Wood from Paladin Security joins us for expert commentary on Abusing Exchange: One API call away from Domain Admin! Full Show Notes: https://wiki.securityweekly.com/HNNEpisode205 Visit http://hacknaked.tv to get all the latest episodes!

This week, a tool that finds vulnerable robots on the Internet, a new exploit that threatens over 9,000 Cisco routers, apple turns of group FaceTime after an eavesdropping bug, wordpress sites under attack via Zero-Day in abandoned plugin, and OpenBMC caught with 'pantsdown' over a new security flaw! Jason Wood from Paladin Security joins us for expert commentary on Abusing Exchange: One API call away from Domain Admin!   Full Show Notes: https://wiki.securityweekly.com/HNNEpisode205 Visit https://www.securityweekly.com/hnn for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Ghostscript Remote Code Execution Vulnerability https://www.openwall.com/lists/oss-security/2019/01/23/5 Abusing Exchange to Obtain Domain Admin https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ IPC Voucher UaF Remote Jailbreak http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202%20(EN).html Cisco Security Updates https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-bo

Ghostscript Remote Code Execution Vulnerability https://www.openwall.com/lists/oss-security/2019/01/23/5 Abusing Exchange to Obtain Domain Admin https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ IPC Voucher UaF Remote Jailbreak http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202%20(EN).html Cisco Security Updates https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-bo

As I was preparing for my Secure 360 talk a month or so ago, I stumbled upon this awesome article which details a method for getting Domain Admin access in just a few minutes - without cracking passwords or doing anything else "loud." The tools you'll need are: PowerShell Empire DeathStar Responder Ntlmrelayx I've written up all the steps in a gist that you can grab here. Enjoy!

Ms. Berlin’s mega tweet on protecting your network   https://twitter.com/InfoSystir/status/1000109571598364672   Utica College CYB617     I tweeted “utica university” many pardons   Mr. Childress’ high school class Laurens, South Carolina   Probably spent as much as a daily coffee at Starbucks… makes all the difference.   CTF Club, and book club (summer reading series)   Patreon SeaSec East   Showmecon Area41con bsidescleveland Here are 50 FREE things you can do to improve the security of most environments:   Segmentation/Networking: Access control lists are your friend (deny all first) Disable ports that are unused, & setup port security DMZ behind separate firewall Egress Filtering (should be just as strict as Ingress) Geoblocking Segment with Vlans Restrict access to backups Role based servers only! DNS servers/DCs are just that Network device backups Windows: AD delegation of rights Best practice GPO (NIST GPO templates) Disable LLMNR/NetBios EMET (when OSes prior to 10 are present) Get rid of open shares MSBSA WSUS ** run as a standard user ** no ‘localadmin’ Endpoints: App Whitelisting Block browsing from servers. Not all machines need internet access Change ilo settings/passwords Use Bitlocker/encryption Patch *nix boxes Remove unneeded software Upgrade firmware MFA/Auth: Diff. local admin passwords (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899 Setup centralized logins for network devices. Use TACACS+ or radius Least privileges EVERYWHERE Separation of rights - Domain Admin use should be sparse & audited Logging Monitoring: Force advanced file auditing (ransomware detection) Log successful and unsuccessful logins - Windows/Linux logging cheatsheets Web: Fail2ban For the love of god implement TLS 1.2/3 URLscan Ensure web logins use HTTPS Mod security   Other: Block Dns zone transfers Close open mail relays Disable telnet & other insecure protocols or alert on use DNS servers should not be openly recursive Don't forget your printers (saved creds aren't good) Locate and destroy plain text passwords No open wi-fi, use WPA2 + AES Password safes IR: Incident Response drills Incident Response Runbook & Bugout bag Incident Response tabletops   Purple Team: Internal & OSINT honeypots User Education exercises MITRE ATT&CK Matrix is your friend Vulnerability Scanner   Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Guy came on the show and gave a live demo on how to become Domain Admin in an Active Directory environment, and keep those privileges for 20+ years. Guys shows us how to abuse service accounts to get yourself a golden ticket. Then shows how the Javelin Networks technology can be used to detect, prevent and monitor for this type of attack and the exposures inside Active Directory that hand over the keys, er tickets, to the kingdom. Full Show Notes: https://wiki.securityweekly.com/Episode520 Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly

Guy came on the show and gave a live demo on how to become Domain Admin in an Active Directory environment, and keep those privileges for 20+ years. Guys shows us how to abuse service accounts to get yourself a golden ticket. Then shows how the Javelin Networks technology can be used to detect, prevent and monitor for this type of attack and the exposures inside Active Directory that hand over the keys, er tickets, to the kingdom. Full Show Notes: https://wiki.securityweekly.com/Episode520 Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly

byt3bl33d3r recently released "DeathStar", which use Powershell Empire's API to automatically obtain Domain Admin privileges in an Active Directory environment with the Click of a button. Some may ask "How do i detect and prevent this attack?". Tune in to this segment to find out how to use products available from Javelin Networks to do just that! Full Show Notes: https://wiki.securityweekly.com/Episode517 Subscribe to YouTube Channel: https://www.youtube.com/securityweekly Security Weekly Website: https://securityweekly.com Follow us on Twitter: @securityweekly

byt3bl33d3r recently released "DeathStar", which use Powershell Empire's API to automatically obtain Domain Admin privileges in an Active Directory environment with the Click of a button. Some may ask "How do i detect and prevent this attack?". Tune in to this segment to find out how to use products available from Javelin Networks to do just that! Full Show Notes: https://wiki.securityweekly.com/Episode517 Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly

Show notes: https://7ms.us/7ms-236-from-derp-to-domain-admin-with-moveit-central