Podcasts about mimikatz

  • 32 podcasts
  • 47 episodes
  • 26m average duration
  • Infrequent episodes
  • Latest episode: Nov 27, 2024

Latest podcast episodes about mimikatz

Cables2Clouds
What Should Network Engineers Know About Offensive Security?
Nov 27, 2024 · 54:09 · Transcription available

Get ready to be inspired by Serena, also known as SheNetworks, as she shares her exciting transformation from a Best Buy employee to a leading voice in cybersecurity. Celebrating Tim's birthday and Election Day, this episode is packed with fascinating insights into Serena's career journey and the unexpected twists that led her from the world of network engineering to the challenging field of penetration testing. You'll hear firsthand how the monotony of network engineering sparked her interest in the fast-paced, ever-evolving world of offensive security.

Join us as we uncover the intriguing world of penetration testing, where Serena reveals the techniques and tools employed by professionals to mimic real-world cyber threats. You'll learn about the concept of "assumed compromise," the thrill of privilege escalation, and the critical importance of thorough reporting and documentation. Discover how open-source tools like Mimikatz play a significant role in both protecting and threatening systems and why early detection and a robust incident response strategy are vital to cybersecurity.

The ethical challenges faced by cybersecurity experts are also on the table, as Serena shares her experiences in educating clients while maintaining trust and avoiding blame. From the technical details of exploiting network protocols to the complexities of cloud penetration testing, this episode offers a deep dive into the human elements of the industry. Explore the necessity of understanding networking fundamentals, the nuances of zero trust security principles, and the dynamic interplay between pen testing and red teaming. Whether you're a cybersecurity enthusiast or simply curious about the field, this episode promises a wealth of knowledge and engaging anecdotes.

How to connect with our guest: @shenetworks on Twitter/X
Check out the Fortnightly Cloud Networking News: https://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/
Visit our website and subscribe: https://www.cables2clouds.com/
Follow us on Twitter: https://twitter.com/cables2clouds
Follow us on YouTube: https://www.youtube.com/@cables2clouds/
Follow us on TikTok: https://www.tiktok.com/@cables2clouds
Merch Store: https://store.cables2clouds.com/
Join the Discord Study group: https://artofneteng.com/iaatj

The Cybersecurity Defenders Podcast
#110 - Intel Chat: Lazarus Group, tunnelling with QEMU, ScreenConnect & CISA breach
Mar 15, 2024 · 34:43

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.

  • North Korean threat actors known as the Lazarus Group exploited a zero-day in the Windows AppLocker driver to gain kernel-level access and turn off security tools, allowing them to bypass noisy Bring Your Own Vulnerable Driver techniques.
  • Researchers observed threat actors run the Angry IP Scanner, followed by some Mimikatz functions, and then the kicker, the open-source QEMU hardware emulator and virtualizer.
  • Threat actors have been observed installing RMM tools as a means of maintaining persistence within a compromised organization.
  • Hackers breached some of the systems belonging to CISA in February through some known vulnerabilities in Ivanti products.

Chill Chill Security
EP1570: Forensic Day - Mitigations against Mimikatz Style Attacks
Nov 18, 2023 · 6:54

Sponsored by SEC Playground. Support this podcast: https://podcasters.spotify.com/pod/show/chillchillsecurity/support

InfosecTrain
What is Mimikatz? | Blue Screen of Death using Mimikatz
Oct 3, 2023 · 2:49

Find out what Mimikatz is and how it can cause the Blue Screen of Death on your system. Mimikatz is a powerful post-exploitation tool that specifically targets Windows credentials. In this video, we discuss the various functions of Mimikatz, how it works, and why it can lead to the Blue Screen of Death. We also explore the potential risks and consequences associated with this tool and provide recommendations on how to protect your system from such attacks. Watch this informative video to learn more about Mimikatz and how to stay secure. #MimikatzExplained #BluescreenOfDeath #WindowsSecurity #PostExploitation #CybersecurityTips #InformationSecurity #SystemSecurity #CredentialTheft

CISO Tradecraft
#104 - Breach and Attack Simulation with (Dave Klein)
Nov 14, 2022 · 44:33

Special thanks to our podcast sponsor, Cymulate.

On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:

  • Cyber threats evolve on a daily basis, and this constant threat to our environment appears to be only accelerating.
  • The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
  • In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.

Breach and Attack Simulation tooling addresses these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:

  • Managing organizational cyber-risk end to end
  • Rationalizing security spend
  • Prioritizing mitigations based on validated risks
  • Protecting against the latest threats in near real-time
  • Preventing environmental drift

Welcome back listeners and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation, then we are going to bring on our special guest Dave Klein, who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation software.

Starting from the beginning: what is Breach and Attack Simulation software and why is this needed? At the end of the day most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public-facing websites to sell products and services. Each of these activities results in creating organizational assets such as IT equipment that has internet connectivity. Now internet connectivity isn't a bad thing. Remember, internet connectivity allows companies to generate income, which allows the organization to exist. This income goes to funding expenses like the cyber organization, so that is a good thing.

If bad actors with the intent and capability to cause your company harm can find your company's internet-connected assets which have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the term Cyber Asset Attack Surface Management (CAASM). It's also commonly referred to as continuous threat exposure management. Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources. Essentially they are designed to address key questions such as: How do we get an inventory of what we have? How do we know our vulnerabilities? And how do we know which vulnerabilities might be exploited by threat actors?

Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note that Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique. Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises. Essentially you learn how bad actors can bypass your cyber tooling and safeguards. This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform. For example, if I can take a normal user's laptop and spawn a PowerShell script or run a tool like Mimikatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity. I also want to know if the Incident Response team blocked or disabled this account in a timely manner. According to the 2022 Microsoft Digital Defense Report, the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes. The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes. Remember, the difference between responding to these attacks in minutes vs hours can be the difference in how many files get encrypted when ransomware actors get into your environment.

Another thing that CISOs need to ensure is that vulnerabilities get fixed. How do you test that? You have to replay the attack.

You can think of fire drills as the comparison. If an organization only did one fire drill every 24 months, then chances are the company's time to exit the building isn't going to decrease all that much. It's likely to stay the same. Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion. The good thing about Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button. This can save your penetration testing team hours over manual exploitation activities, which would have to be repeated to confirm successful patches and mitigations.

If we look at Breach and Attack Simulation software, the tools have typically come in two flavors. One is an agent-based approach. For example, a company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Protection software. The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool. The attack agent could also run similar attacks to measure how much malware the antivirus detects, or how much sensitive email it can send outside the company despite there being an email protection solution. These attack agents can also be placed on servers to determine how effective web application firewalls are at stopping attacks.

Essentially, having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools. Now there are a few concerns with this type of approach. One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower. Two, the time it takes to install and test agents means the value you can get out of these tools is delayed, because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed. Three, by having an agent you don't always truly simulate what an attacker would do, since you don't have to live off the land and gain permissions the way the attacker did. Your agent may not be known to antivirus or EDR tools, but using Windows libraries to gain access does get noticed.

Now let's compare this with an agentless approach. This approach is quite popular since labs where agents are run don't always look like a production environment. For example, they lack the amount of traffic, don't possess the same amount of production data, or contain last month's versions of software.

Here attacker software may start with the premise: what happens if someone from the Accounting Team opens an Excel document containing a malicious macro? Let's see how we can automate an attack after that initial compromise step occurs. Then let's walk through every attack identified by the MITRE ATT&CK Framework and see what gets caught and what doesn't. The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness. This might be something simple like adding a Windows Group Policy to stop an attack. Breach and attack simulation tools can also provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred. For example: instead of just knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk signature that your SOC team can leverage. That's a great addition to minimize the amount of time needed to improve your alerting capabilities.

Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack. It might be as simple as "we stopped this attack before it could happen by applying the new Windows Group Policy," or "it took the team 4 hours to determine the XYZ account had been taken over." These metrics allow you to know how well your response plans work. So you get the value of a penetration test with the automation & scaling of vulnerability management tools.

What's even more impressive is how these tools are evolving to meet the larger mission of cyber organizations. For example: most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively. Generally this is a manual process done in the Governance, Risk and Compliance (GRC) team within a cyber organization. GRC teams have to ask developers to provide evidence for various IT controls, such as "are you monitoring and alerting on privileged activity?" Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and these tools actually stopped various MITRE attacks immediately. That evidence would minimize the data call, which takes time from the developer teams.

Choses à Savoir TECH
What is Worok, the new hacker gang feared by governments?
Sep 12, 2022 · 3:28

Thanks to the vigilance of cybersecurity researchers working for an antivirus software vendor, the existence of a group of hackers specializing in information theft has come to light. While their misdeeds seem for now to be concentrated mainly on Asia, it is clear that this group, dubbed Worok, is very dangerous.

In their latest report, researchers at the company Eset found that a group of hackers they named Worok was using previously unknown tools to carry out its thefts. Specifically, Worok attacks governments on the Asian continent, as well as several countries in the Middle East and southern Africa. The first traces of these criminals were discovered a year and a half ago, in early 2021, at more or less the same time as the discovery of the ProxyShell vulnerabilities. According to the researchers, Worok's profile is very similar to that of another hacker group: TA428. While everything suggests they are the same people, the researchers were able to distinguish their activities through the tools used in each attack, and so date Worok's first attacks to late 2020. Quoting the researchers' report: "we consider the links not strong enough to consider Worok the same group as TA428, but the two may share tools and have common interests", end of quote.

What is interesting about Worok is that the group was very active between late 2020 and May 2021, then disappeared from the radar before reappearing last February, targeting an energy-sector company in Central Asia and a public-sector organization in Southeast Asia. While these misdeeds could be attributed to this hacker group with certainty, it is nevertheless difficult to know which tool the attacks were carried out with. That said, according to the researchers, it is quite possible that Worok exploited the ProxyShell vulnerabilities to plant malicious code on the victims' servers, and thus connect to the network at will. Specifically, the hackers use entirely free and open tools available on the Internet to explore networks with vulnerabilities; Mimikatz, EarthWorm, ReGeorg and NBTscan come to mind. The hackers then install a first program to take control of the machines, such as PowHeartBeat, software written in the PowerShell scripting language that notably has the ability to connect to a server to receive commands and download other programs. That program is then used to load a second tool, PNGLoad, which relies on steganography, a message hidden inside another message, to install the final virus. According to Eset's researchers, this is most often a PNG image containing hidden code while appearing perfectly valid, and therefore seeming completely harmless to the victim.

For now, the researchers have not had the opportunity to analyze the PNG files I have just described, which means they do not know precisely which final program was loaded and therefore what Worok's exact goal is. And it is precisely all this uncertainty and vagueness surrounding the hacker group that makes it so dangerous. That said, given, and I quote, "the profile of the targets and the tools we have seen deployed against these victims", everything suggests that the hackers' main objective remains espionage. It remains to be seen to what end, and possibly for whom.

My Precious Data
The hacking tools of the digital underworld!
Feb 28, 2022 · 25:41

Bloodhound, Cobalt Strike, LaZagne, Mimikatz or PowerShell? These are just a few of the tools cybercriminals use to carry out their attacks. How can we prevent such tools from being used by the wrong people? In this podcast, security evangelist Eddy Willems explains which tools cybercriminals use, what 'living off the land' techniques are, how cybercriminals get hold of tools to hack with, which tools are used the most, and how cybercriminals apply them.

Talion Threat Set Radio
Threat Bulletin #157
Feb 18, 2022 · 7:03

  • Microsoft Defender to gain ability to block credential theft via Mimikatz and similar methods.
  • Kraken botnet spread using Smokeloader, and is observed dropping Redline.
  • Hackers using Microsoft Teams to perform extremely blatant internal attacks.

Hack Naked News (Video)
Ukraine, Blackbyte v. The 49ers, Malicious Mods, Adobe 0-Day, & Teams Bugs - SWN #187
Feb 15, 2022 · 27:03

This week in the Security News: Ukraine, Defender, Mimikatz, Chrome, Blackbyte, Cities Skylines, Adobe, and Teams, along with special guest commentator Aaran Leyland on this edition of the Security Weekly News!

Visit https://www.securityweekly.com/swn for all the latest episodes!
Show Notes: https://securityweekly.com/swn187

Paul's Security Weekly
Blackbyte V. The 49ers, Ukraine, Malicious Mods, Adobe 0-Day, & Teams Bugs - SWN #187
Feb 15, 2022 · 26:59

This week in the Security News: Ukraine, Defender, Mimikatz, Chrome, Blackbyte, Cities Skylines, Adobe, and Teams, along with special guest commentator Aaran Leyland on this edition of the Security Weekly News!

Show Notes: https://securityweekly.com/swn187
Visit https://www.securityweekly.com/swn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly

Hack Naked News (Audio)
Blackbyte V. The 49ers, Ukraine, Malicious Mods, Adobe 0-Day, & Teams Bugs - SWN #187
Feb 15, 2022 · 26:59

This week in the Security News: Ukraine, Defender, Mimikatz, Chrome, Blackbyte, Cities Skylines, Adobe, and Teams, along with special guest commentator Aaran Leyland on this edition of the Security Weekly News!

Show Notes: https://securityweekly.com/swn187
Visit https://www.securityweekly.com/swn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly

Cybersecurity: Amplified And Intensified
44 - Bypassing Defender with DumpStack.log and Mimikatz
Jan 7, 2022 · 8:13

On this episode Eric shows us how to bypass Microsoft Windows Defender with DumpStack.log and Mimikatz.

Eric Taylor: https://www.linkedin.com/in/ransomware/ | https://twitter.com/barricadecyber | https://www.barricadecyber.com | https://www.buymeacoffee.com/erictaylor
Shiva Maharaj: https://www.linkedin.com/in/shivamaharaj | https://twitter.com/kontinuummsp | https://www.kontinuum.com/ | https://www.buymeacoffee.com/shivaemm

Support this podcast: https://anchor.fm/amplifiedandintensified/support

Root Causes: A PKI and Security Podcast
Root Causes 180: PetitPotam MSCA Attack
Aug 26, 2021 · 12:08

The PetitPotam attack against Microsoft CA has garnered a lot of attention. Our hosts describe this attack and define related terms like Mimikatz, pass-the-hash, and NTLM Relay. The episode goes on to give a roadmap for mitigating this attack, including free resources available to help defend against PetitPotam.

Security-Insider Podcast
#41 Mimikatz, Malware and McAfee
Aug 3, 2021 · 31:34

Even if it may sound a little different after you click Play: no cats were harmed in the current episode of the Security-Insider Podcast! Instead, co-host Dirk Srocke and Security-Insider editor-in-chief Peter Schmitz have wrestled with various exploits, retraced current vulnerabilities, deliver practical tips for secure IT, and pay their last respects to an equally great and controversial spirit of the security industry.

Hack'n Speak
0x07 - gentilkiwi | Looking back at Mimikatz, BlueHat and EDRs ԅ(≖‿≖ԅ) (part 1)
Jun 23, 2021 · 46:46

Twitter: mpgn: https://twitter.com/mpgn_x64 | gentilkiwi: https://twitter.com/gentilkiwi
GitHub projects: Mimikatz: https://github.com/gentilkiwi/mimikatz | Kekeo: https://github.com/gentilkiwi/kekeo

Hack'n Speak
0x08 - gentilkiwi | Looking back at kekeo, RDP, smart cards and the choice of open source (part 2)
Jun 23, 2021 · 63:41

Twitter: mpgn: https://twitter.com/mpgn_x64 | gentilkiwi: https://twitter.com/gentilkiwi
GitHub projects: Mimikatz: https://github.com/gentilkiwi/mimikatz | Kekeo: https://github.com/gentilkiwi/kekeo

Hack'n Speak
0x06 - vletoux | Looking back at PingCastle, the choice of open source and Mimikatz (dcsync)
May 12, 2021 · 48:35

Twitter: mpgn: https://twitter.com/mpgn_x64 | vletoux: https://twitter.com/mysmartlogon
GitHub projects: PingCastle: https://github.com/vletoux/pingcastle | NULL DACL: youtube.com/watch?v=KILnU4FhQbc | GidsApplet: https://github.com/vletoux/GidsApplet

SECTION 9 Cyber Security
Active Directory Security Audit - 194
Apr 12, 2021 · 22:03

Time to do a security test of Active Directory. Going to be using Bloodhound, Plumhound, Mimikatz and PingCastle. Never used them before. First time for everything.

LINKS
1. Bloodhound
2. Plumhound
3. Mimikatz
4. PingCastle
5. BadBlood

FIND US ON
1. Facebook
2. Twitter - DamienHull

7 Minute Security
7MS #455: Tales of Internal Network Pentest Pwnage - Part 24
Feb 19, 2021 · 52:22

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:

  • I got to use some of my new CRTP skills!
  • Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users: Get-DomainUser -PreauthNotRequired
  • Check for misconfigured LAPS installs with Get-LAPSPasswords!
  • The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn + ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!
  • When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies!
  • SharpShares is a cool way to find shares your account has access to.
  • I didn't get to use it on this engagement, but Chisel looks to be a rad way to tunnel information.
  • Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example: sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com Do that and bam! A new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! You're running as domain admin!
  • Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the ms-Mcs-AdmPwd value, which is the LAPS password! Whooee!!! That's fun!
  • Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$ /user:Administrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER to see all the shares you can hook to. And that gave me all the info I needed to find the company's crown jewels :-)

Blue Security
Merry Christmas! Learn how to spin up your own VM lab and dev environments
Dec 27, 2020 · 33:46

This holiday week, Adam and Andy give you some advice on how to spin up your own virtual machine lab and dev environment. They go through SaaS applications that have free dev environments as well as tools to use to manage VMs. They also give tips on what you can do with that lab environment, from testing policies to managing devices in Intune and even learning about tools like Mimikatz and John the Ripper.

Documentation:
  • Lab Building Guide: Virtual Active Directory
  • Script to spin up AD controllers quickly
  • Microsoft Developer Subscription
  • Android Images

Andy Jaw: Twitter @ajawzero | LinkedIn https://www.linkedin.com/in/andyjaw/
Adam Brewer: Twitter @ajbrewer | LinkedIn https://www.linkedin.com/in/adamjbrewer/

Send in a voice message: https://anchor.fm/blue-security-podcast/message

Cyber Security Grey Beard
Ep. 21 - Cyber Security Offensive Tools
Oct 28, 2020 · 17:29

NOTE: THIS INFORMATION IS FOR EDUCATIONAL PURPOSES ONLY! I DO NOT CONDONE OR ENDORSE USING THIS INFORMATION FOR ILLEGAL OR NEFARIOUS PURPOSES.

Herein I provide key offensive testing tools along with a clear description of what they do, when and why to use them, and the impact these tools have on target systems.

I discuss or mention the following products:
  • Linux - Kali, Ubuntu
  • TOR
  • VPN - ExpressVPN, OpenVPN, Hide.me
  • NMAP and NSE Scripts
  • Metasploit
  • Packet Capture Tools - Wireshark, TCPDump, Windump, tshark, Network Miner
  • Password Crackers/Tools - Mimikatz, JohntheRipper, L0phtcrack, Hashcat, Hydra, xHydra
  • Hash Tools - Rainbow Tables, Crackstation, onlinehashcrack
  • Vulnerability Management - Nessus, Nexpose, Qualys

7 Minute Security
7MS #425: DIY Pentest Dropbox Tips - Part 2
Jul 30, 2020 · 37:28

Today's episode is all about creating and deploying your own pentest dropbox! In part 1 I talked about some "gotchas" but this time around I'm ready to dump a whole slug of specific and updated tips on ya! Below are the tips covered in this episode that are better read than said:

For the Windows VM
  • Turn on RDP with PowerShell:
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  • Change time zone with command line:
    tzutil /s "Central Standard Time"
  • Install Chrome with PowerShell:
    $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } } Until (!$ProcessesFound)
  • Install PowerUpSQL:
    Install-Module -Name PowerUpSQL
  • Turn off sleepy time:
    powercfg.exe -change -standby-timeout-ac 0
  • Install DotNet 3.5:
    dism /online /Enable-Feature /FeatureName:"NetFx3"

For the Kali VM
  • Refresh the SSH keys:
    apt install openssh-server -y
    mkdir /etc/ssh/default_keys
    mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
    dpkg-reconfigure openssh-server
    systemctl enable ssh.service
    systemctl start ssh.service
  • Get SharpHound and Mimikatz:
    wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip
    wget https://github.com/BloodHoundAD/BloodHound/raw/master/Ingestors/SharpHound.exe
  • Install pypykatz:
    sudo pip3 install pypykatz
  • Install CrackMapExec binaries (which at time of this publication is this one):
    curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

Hacker Files
Paralyzing Password Attacks
Jul 10, 2020 · 9:38

Mimikatz, open source malware used to gather credentials on Windows computers, is an ancient relic in terms of cybersecurity. On this episode, host Joe Panettieri and Webroot director of security intelligence Grayson Milbourne ponder how a technique first developed in 2007 still poses a threat to PC users.

InfoSec Overnights - Daily Security News
Calypso beat, Nikkei BEC, Marriott exposure, and more.

Nov 4, 2019 (2:20)

A daily look at the relevant information security news from overnight.
Episode 188 - 04 November 2019
Calypso beat - https://threatpost.com/calypso-apt-target-governments/149773/
Nikkei BEC - https://www.bleepingcomputer.com/news/security/media-giant-nikkei-loses-29-million-to-bec-scammers/
Chrome patches zero-day - https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/
Ai.type costly - https://threatpost.com/android-keyboard-app-swindle-40m/149731/
Marriott exposure - https://www.bleepingcomputer.com/news/security/marriott-reports-exposure-of-associates-social-security-numbers/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Simple Mimikatz And RDPWrapper Dropper https://isc.sans.edu/forums/diary/Simple+Mimikatz+RDPWrapper+Dropper/25262/ Malware Impersonating IRS https://www.irs.gov/newsroom/security-summit-warns-of-new-irs-impersonation-email-scam-reminds-taxpayers-the-irs-does-not-send-unsolicited-emails Instagram Phishing with 2FA Codes https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-a-lure/ GitHub Adding WebAuthn Support https://www.theregister.co.uk/2019/08/23/github_upgrades_its_twofactor_authentication_with_webauthn_support/ Lenovo Solution Center Privilege Escalation https://www.pentestpartners.com/security-blog/privesc-in-lenovo-solution-centre-10-minutes-later/

Hairless in the Cloud - Microsoft 365 - Security und Collaboration
024 - Office ATP Safe Attachments und Teams App permission policies

Aug 14, 2019 (33:12)

# News
* Windows is quite secure: https://www.spiegel.de/netzwelt/gadgets/apple-hacker-patrick-wardle-ein-mac-ist-leicht-zu-hacken-a-1281361.html
* Ninja (Twitch streamer and Fortnite player) is now on Mixer: https://twitter.com/Ninja/status/1156970023421915136?s=20
* Samsung and Microsoft cooperation at the Note 10 launch: https://blogs.windows.com/windowsexperience/2019/08/07/microsoft-and-samsung-partner-to-empower-you-to-achieve-more/
* MDATP AMA: @WindowsATP or #MDATPAMA
* Microsoft Teams policy rollout (Discover + Private Channel): https://docs.microsoft.com/en-us/MicrosoftTeams/teams-policies
* Security has to work together with PR and marketing: https://www.itprotoday.com/big-data/black-hat-2019-deepfakes-require-rethink-incident-response
* Teams channel moderation: https://docs.microsoft.com/en-us/microsoftteams/manage-channel-moderation-in-teams
* Access review with Teams (EN): https://marcoscheel.de/post/186728523052/mange-microsoft-teams-membership-with-azure-ad
* MDATP Streaming API

# Office ATP Safe Attachments
* Office macro executing a .cmd file --> Delivered
* Office macro executing a .cmd file that loads PowerShell and downloads a file --> Blocked
* Zipped Office macro executing a .cmd file that loads PowerShell and downloads a file --> Blocked
* Password-protected Office macro executing a .cmd that loads PowerShell and downloads a file --> Delivered
* Zipped, renamed to .txt or embedded 'Mimikatz' --> Blocked
* Base64-encoded Mimikatz --> Blocked
* Custom app that downloads a .cmd file which creates a folder (mkdir) --> Delivered
* Custom app that additionally writes to the registry (Start/Run) --> Blocked

# Teams App permission policies
With this change the Teams admin can, for the first time, distribute apps to individual users. Apps can still be restricted tenant-wide (this used to be done in the regular MS admin center under Services & Settings). Now I can allow individual users to install an app.
* Org-wide settings (override all policies!)
  * Block 3rd party in general
  * Block all custom apps
  * Block specific app
* Policy settings
  * Allow all
  * Allow specific, block all others
  * Block specific and allow others
  * Block all
* Global policy
  * MS apps
  * 3rd party
  * Tenant
* User-defined policies
  * based on user assignment (still no group assignment)
If an app is blocked, the user cannot use it (the tab is not shown, for example).

# Feedback, criticism, praise, questions?
* Email: podcast@hairlessinthecloud.com
* Twitter: @hairlesscloud
* Web: www.hairlessinthecloud.com (links to all podcast platforms)
* Cover art & new audio intro by CARO (with help from pixabay.com)

InfoSec Overnights - Daily Security News
Smominru expands, Clipsa the brute, Leapfrog too chatty, and more.

Aug 8, 2019 (2:36)

A daily look at the relevant information security news from overnight.
Episode 127 - 08 August 2019
Smominru expands - https://threatpost.com/smominru-cryptominer-scrapes-credentials-half-million-machines/147038/
Clipsa the brute - https://www.zdnet.com/article/new-windows-malware-can-also-brute-force-wordpress-websites/
LokiBot adds steganography - https://www.bleepingcomputer.com/news/security/lokibot-uses-image-files-to-hide-code-for-unpacking-routine/
State Farm brute - https://www.zdnet.com/article/state-farm-says-hackers-confirmed-valid-usernames-and-passwords-in-credentials-stuffing-attack/
Leapfrog too chatty - https://www.digitaltrends.com/news/leapfrog-flaw-could-have-exposed-childrens-info-and-location/

Brakeing Down Security Podcast
2019-018-Lesson's I learned, github breach, ransoming github repos

May 14, 2019 (39:48)

Things I learned this week:
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
https://www.helpnetsecurity.com/2019/04/29/docker-hub-breach/
https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
https://attack.mitre.org/techniques/T1003/
https://github.com/giMini/PowerMemory
https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
https://attack.mitre.org/techniques/T1208/

ShadowTalk by Digital Shadows
Weekly Intelligence Summary: Ep 8

Mar 1, 2019 (17:12)

This week Rose and Phil join Harrison to discuss a three-stage cryptocurrency mining attack using Mimikatz and Radmin in tandem. The team also discusses the Cr1ptTor ransomware, an unknown North Korean threat actor targeting US universities, and MarioNet. Some of the team is heading to RSA Conference next week, so make sure to stop by Booth 4421 in the North Hall to say hello. Get the Intelligence Summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-22-feb-01-mar-2019.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Mitigations against Mimikatz Style Attacks https://isc.sans.edu/forums/diary/Mitigations+against+Mimikatz+Style+Attacks/24612/ LibreOffice Macro Vulnerability https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html Firefox 65 Breaks HTTPS AV Scanning https://bugzilla.mozilla.org/show_bug.cgi?id=1523701 RDP Client Vulnerabilities https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/ DNS "Lookingglass" https://isc.sans.edu/tools/dnslookup.html

Hack Naked News (Audio)
Hack Naked News #206 - February 5, 2019

Feb 6, 2019 (27:55)

This week, roughly 500,000 Ubiquiti devices may be affected by a flaw already exploited in the wild, Outlaw Shellbot infects Linux servers to mine for Monero, Apple's Siri shortcuts feature vulnerable to abuse, Google's new Chrome extension warns you about stolen passwords, and Google patches critical .png image bug! David Pearson from Awake Security joins us for expert commentary on recent news around Japan performing an IoT pentest on their public IPs!   To learn more about Awake Security, visit: https://securityweekly.com/awake Full Show Notes: https://wiki.securityweekly.com/HNNEpisode206   Visit https://www.securityweekly.com/hnn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly
Hack Naked News #206 - February 5, 2019

Feb 6, 2019 (27:55)

This week, roughly 500,000 Ubiquiti devices may be affected by a flaw already exploited in the wild, Outlaw Shellbot infects Linux servers to mine for Monero, Apple's Siri shortcuts feature vulnerable to abuse, Google's new Chrome extension warns you about stolen passwords, and Google patches critical .png image bug! David Pearson from Awake Security joins us for expert commentary on recent news around Japan performing an IoT pentest on their public IPs!   To learn more about Awake Security, visit: https://securityweekly.com/awake Full Show Notes: https://wiki.securityweekly.com/HNNEpisode206   Visit https://www.securityweekly.com/hnn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Hack Naked News (Video)
RDP Servers, Mimikatz, & LibreOffice - Hack Naked News #206

Feb 5, 2019 (28:10)

This week, RDP servers can hack client devices, roughly 500,000 Ubiquiti devices may be affected by a flaw already exploited in the wild, a crypto exchange is in limbo after the founder dies with the password, a home DNA kit company says it's working with the FBI, Outlaw Shellbot infects Linux servers to mine for Monero, Apple's Siri Shortcuts feature is vulnerable to abuse, researchers warn, a code execution flaw is found in LibreOffice and OpenOffice, Google's new Chrome extension warns you about stolen passwords, mitigations against Mimikatz-style attacks, and Google patches a critical .PNG image bug. David Pearson from Awake Security joins us for the expert commentary on the recent news around Japan performing an IoT pentest on their public IPs! To learn more about Awake Security, visit: https://securityweekly.com/awake Full Show Notes: https://wiki.securityweekly.com/HNNEpisode206 Visit http://hacknaked.tv to get all the latest episodes!

Digital Forensic Survival Podcast
DFSP # 146 - Mimikatz Detection

Dec 4, 2018 (16:01)

This week I talk about detecting Mimikatz through the Windows event log.

detection mimikatz
7 Minute Security
7MS #303: Evaluating Endpoint Protection Solutions

Mar 28, 2018 (14:47)

I'm working on a fun project right now where I'm evaluating endpoint protection solutions for a client. They're faced with a choice of either refreshing endpoints to the latest gen of their current product, or doing a rip and replace with something else. I've spun up a standalone AD environment with ~5 Win 10 VMs and nothing on 'em except a current set of patches. The idea is I can assign each workstation VM an install of INSERT_NAME_OF_POPULAR_AV_VENDOR_HERE and have somewhat of a "bake off." Now what I'm finding is there are great sites like AV-Test or AV-Comparatives that do a nice job of breaking down what kind of performance, features, and management offerings a given vendor has. But what I haven't found is some structured testing for "act like a bad guy" actions. I'm thinking things like:
Mimikatz tomfoolery
Lateral attacks with Metasploit shells
Egress port scanning (to find an acceptable outbound port for C2 or data exfil)
Jacking around with various PowerShell scripts and commands
However, thanks to some awesome friends on Slack, they pointed me to what looks to be a nice set of scripts/tests, many of which could be used to see what kind of behaviors the endpoint protection will catch. So coming up in part #2 of this series, I'll do a deeper dive into:
RTA
Atomic Red Team

Paul's Security Weekly TV
Mimikatz Event Log Clearing Feature with John Strand - Paul's Security Weekly #542

Jan 8, 2018 (21:07)

John will be talking about the new mimikatz event log clearing feature. Full Show Notes: https://wiki.securityweekly.com/Episode542 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.comsecurityweekly

Paul's Security Weekly (Video-Only)
Mimikatz Event Log Clearing Feature with John Strand - Paul's Security Weekly #542

Jan 7, 2018 (21:07)

John will be talking about the new mimikatz event log clearing feature. Full Show Notes: https://wiki.securityweekly.com/Episode542 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.comsecurityweekly
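The DFSP #146 entry above (detecting Mimikatz through the Windows event log) and the Security Weekly #542 entries (Mimikatz's event log clearing feature) stop at the teaser. The block below is an added example, not code from either show, that runs four detection rules over a handful of constructed Security-log events: a process creation whose command line carries Mimikatz module syntax, a handle to lsass.exe with read access from a process outside an allow list, a NewCredentials (type 9) logon through seclogo, and a cleared Security log (1102). The sample events, the allow list of legitimate lsass readers and the rule names are assumptions to tune for your own estate. Note what the rules depend on: 4688 only carries CommandLine when command-line auditing is enabled, and the lsass handle events need a SACL on lsass.exe (4656/4663) or Sysmon event 10, which carries the same information under different field names.

```python
import re

# Constructed sample events in the flat key/value form a SIEM or a Get-WinEvent
# export produces. These are not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Users\bob\Downloads\x64\mk.exe",
     "CommandLine": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4656, "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Users\bob\Downloads\x64\mk.exe", "AccessMask": "0x1010"},
    {"EventID": 4656, "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Program Files\Windows Defender\MsMpEng.exe", "AccessMask": "0x1400"},
    {"EventID": 4624, "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "bob"},
    {"EventID": 1102, "SubjectUserName": "bob"},
]

# Mimikatz command syntax is module::command; the binary name is irrelevant because
# it is trivially renamed. The module list is a subset, not exhaustive.
MIMIKATZ_MODULE_RE = re.compile(
    r"\b(sekurlsa|lsadump|kerberos|privilege|crypto|token|misc|vault|dpapi|event)::\w+", re.I
)

PROCESS_VM_READ = 0x0010  # the access right credential dumping cannot do without

# Assumption: processes that legitimately open lsass with read access. Build this
# from a baseline of your own hosts rather than trusting this list.
LSASS_ALLOWED_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def parse_mask(value) -> int:
    """Access masks arrive as '0x1010' strings or plain integers."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text)


def classify(event: dict) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    eid = int(event.get("EventID", 0))

    if eid == 4688 and MIMIKATZ_MODULE_RE.search(event.get("CommandLine", "")):
        hits.append("mimikatz_module_on_command_line")

    if eid in (4656, 4663) and event.get("ObjectName", "").lower().endswith("\\lsass.exe"):
        mask = parse_mask(event.get("AccessMask", "0"))
        reader = event.get("ProcessName", "").lower()
        if mask & PROCESS_VM_READ and reader not in LSASS_ALLOWED_READERS:
            hits.append("lsass_vm_read_from_unexpected_process")

    # Type 9 through seclogo is what sekurlsa::pth produces, but runas /netonly does too,
    # so treat this as a lead to correlate with the process that spawned it, not a verdict.
    if (eid == 4624 and event.get("LogonType") == "9"
            and event.get("LogonProcessName", "").lower() == "seclogo"):
        hits.append("newcredentials_logon_seclogo")

    if eid == 1102:
        hits.append("security_log_cleared")

    return hits


def scan(events) -> list:
    """(index, EventID, hits) for every event that tripped at least one rule."""
    findings = []
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((idx, int(event["EventID"]), hits))
    return findings


if __name__ == "__main__":
    for idx, eid, hits in scan(SAMPLE_EVENTS):
        print(f"event #{idx} (ID {eid}): {', '.join(hits)}")
```

A cleared log leaves 1102 behind, but a capability that silences the event service instead of clearing the log leaves nothing, so the absence of 1102 says nothing about the log's integrity; the durable answer is forwarding Security events off the host as they are written, so the rules above run against a copy the attacker cannot reach.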

NoLimitSecu
Interview with Benjamin Delpy, creator of mimikatz

Nov 12, 2017 (39:56)

Episode #155: Interview with Benjamin Delpy, creator of mimikatz. Link to the previous episode: https://www.nolimitsecu.fr/mimikatz/ The YARA rule mentioned in the episode: https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar

WIRED Security: News, Advice, and More
Microsoft's Bid to Save PowerShell From Hackers Starts To Pay Off

Aug 28, 2017 (11:13)

The Trickbot malware that targets bank customers. Password harvesters like Mimikatz. "Fileless malware" attacks. All three are popular hacking tools and techniques, but they're unconnected except for one trait: They all rely in part on manipulating a Windows management tool known as PowerShell to carry out their attacks. Long a point of interest for security researchers, PowerShell techniques increasingly pop up in real-world attacks.

Paul's Security Weekly TV
Detecting The Empire's Death Star Attack - Paul's Security Weekly #517

Jun 12, 2017 (31:31)

byt3bl33d3r recently released "DeathStar", which uses PowerShell Empire's API to automatically obtain Domain Admin privileges in an Active Directory environment with the click of a button. Some may ask "How do I detect and prevent this attack?". Tune in to this segment to find out how to use products available from Javelin Networks to do just that! Full Show Notes: https://wiki.securityweekly.com/Episode517 Subscribe to YouTube Channel: https://www.youtube.com/securityweekly Security Weekly Website: https://securityweekly.com Follow us on Twitter: @securityweekly

attack empire death star detecting powershell active directory mimikatz domain admin javelin networks paul's security weekly
Paul's Security Weekly (Video-Only)
Detecting The Empire's Death Star Attack Paul's Security Weekly #517

Jun 12, 2017 (31:31)

byt3bl33d3r recently released "DeathStar", which uses PowerShell Empire's API to automatically obtain Domain Admin privileges in an Active Directory environment with the click of a button. Some may ask "How do I detect and prevent this attack?". Tune in to this segment to find out how to use products available from Javelin Networks to do just that! Full Show Notes: https://wiki.securityweekly.com/Episode517 Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly

attack empire death star detecting powershell active directory mimikatz domain admin javelin networks paul's security weekly
Brakeing Down Security Podcast
2016-030: Defending Against Mimikatz and Other Memory based Password Attacks

Jul 31, 2016 (35:01)

In the last few years, security researchers and hackers have found an easy way of gaining access to passwords without dumping the Windows hash table. When improperly configured, the passwords are stored in memory, often in plain text. This week, we discuss Mimikatz, and methods by which you can protect your environment by hardening Windows against such attacks.
Links to blogs:
https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft
http://blog.gojhonny.com/2015/08/preventing-credcrack-mimikatz-pass-hash.html
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
Praetorian Report on pentests: http://www3.praetorian.com/how-to-dramatically-improve-corporate-IT-security-without-spending-millions-report.html
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-030-Defense_against_Mimikatz.mp3
YouTube: https://www.youtube.com/watch?v=QueSEroKR00
iTunes: https://itunes.apple.com/us/podcast/2016-030-defending-against/id799131292?i=1000373511591&mt=2
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
#Player.FM: https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

DEF CON 23 [Audio] Speeches from the Hacker Convention
Sean Metcalf - Red vs. Blue: Modern Active Directory Attacks & Defense

Oct 21, 2015

Materials available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Sean-Metcalf-Red-vs-Blue-AD-Attack-and-Defense.pdf

Red vs. Blue: Modern Active Directory Attacks & Defense
Sean Metcalf, CTO, DAn Solutions, Inc.

Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right? This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage. Skip the fluff and dive right into the technical detail describing the latest methods for gaining and maintaining administrative access in Active Directory, including some sneaky AD persistence methods. Also covered are traditional security measures that work (and ones that don't) as well as the mitigation strategies that disrupt the attacker's preferred game-plan. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole.

Some of the topics covered:
Sneaky persistence methods attackers use to maintain admin rights.
How attackers go from zero to (Domain) Admin.
MS14-068: the vulnerability, the exploit, and the danger.
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).
Exploiting weak service account passwords as a regular AD user.
Mimikatz, the attacker's multi-tool.
Using Silver Tickets for stealthy persistence that won't be detected (until now).
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network.
Detecting offensive PowerShell tools like Invoke-Mimikatz.
Active Directory attack mitigation.

Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication and identifies the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.

Sean Metcalf is the Chief Technology Officer at DAn Solutions, a company that provides Microsoft platform engineering and security expertise. Mr. Metcalf is one of about 100 people in the world who holds the elite Microsoft Certified Master Directory Services (MCM) certification. Furthermore, he assisted Microsoft in developing the Microsoft Certified Master Directory Services certification program for Windows Server 2012. Mr. Metcalf has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers with large Active Directory environments and regularly posts useful Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3
Twitter: @PyroTek3
Web: ADSecurity.org

Exotic Liability
83: Oh yeah

Aug 7, 2015 (84:29)

In this huge episode: Retorts, Head in the clouds, RSA love vs. Team Sad Face, Got a dollah, Cyber, cyber, cyber, Juice box, Hookers and blow, SET update, Mimikatz, Source Boston, B-Sides SF, Demerit points, Adventures in insomnia

Exotic Liability
83: Oh yeah

Aug 6, 2015 (84:29)

In this huge episode: Retorts, Head in the clouds, RSA love vs. Team Sad Face, Got a dollah, Cyber, cyber, cyber, Juice box, Hookers and blow, SET update, Mimikatz, Source Boston, B-Sides SF, Demerit points, Adventures in insomnia