Stephan Berger (@malmoeb)
Mar 7, 7 tweets, 3 min read
1/ Number #2 of the #ActiveDirectory hardening measures:

Service Accounts

🧵 #CyberSecurity
2/ In our AD assessments or IR cases, we repeatedly see that service accounts are highly privileged, often also part of the domain administrators group.

This can be disastrous, especially with a weak password for the service account:

3/ @Synacktiv took a closer look at the detection capabilities of Defender for Identity, including whether and how Kerberoasting could be detected. [1]
4/ Interestingly, the researchers found that a time delay between the LDAP query to find accounts with an SPN and the request for the service ticket is enough to bypass the detection.

Whether this detection has been adjusted or revised in the meantime, I can't say.
"DFI includes logic to detect Kerberoasting activity in your environment. By taking signals from your domain controllers, Defender for Identity can help detect users enumerating your domain looking for Kerberoast-able accounts or attempts to actively exploit those accounts." [2]
6/ A recommendation for already relatively well-secured networks is to implement Honey-SPNs.

These service accounts are never used, and an alert should be generated if a service ticket is requested for this honey account.
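One way to set up a honey-SPN account and hunt for service ticket requests against it, as an added example that is not part of the original thread or its author's tooling. It assumes the ActiveDirectory RSAT module, rights to create users in the target OU, and read access to the Security log on a domain controller (or the same Event ID 4769 records forwarded to a SIEM); the account name, SPN, OU and description are placeholders to replace with something that blends into your own naming scheme.

```powershell
# Added example: honey-SPN account plus a 4769 hunt (not the thread author's code).
# Assumes RSAT ActiveDirectory module and Security-log access on a DC.
Import-Module ActiveDirectory

$HoneyAccount = 'svc-backup-legacy'                       # placeholder sAMAccountName
$HoneySpn     = 'MSSQLSvc/backup01.corp.example.com:1433' # placeholder, plausible-looking SPN
$HoneyOu      = 'OU=Service Accounts,DC=corp,DC=example,DC=com'  # placeholder OU

function New-HoneySpnAccount {
    param([string]$SamAccountName, [string]$Spn, [string]$Path)

    # 48 random bytes -> 64-char Base64 password. Even if someone cracks the
    # service ticket offline there is nothing to gain, and nobody ever types it.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # An enabled user object with an SPN is exactly what Kerberoasting tools
    # enumerate via (&(samAccountType=805306368)(servicePrincipalName=*)).
    # Leave encryption types at the domain default so it looks like any other
    # legacy service account, and never add it to any group beyond Domain Users.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -ServicePrincipalNames $Spn -AccountPassword $password `
        -Enabled $true -PasswordNeverExpires $true -Path $Path `
        -Description 'Backup service (legacy)'
}

# Pull the fields we care about out of a 4769 (Kerberos service ticket requested).
function ConvertFrom-Event4769 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $field = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Requester = $field['TargetUserName']        # who asked for the ticket
        Service   = $field['ServiceName']           # account the ticket is for (sAMAccountName, not the SPN string)
        ClientIp  = $field['IpAddress']
        EncType   = $field['TicketEncryptionType']  # 0x17 = RC4-HMAC, the classic Kerberoast request
        Status    = $field['Status']
    }
}

# Nobody legitimately uses the honey account, so any 4769 naming it is an alert.
function Find-HoneySpnRequests {
    param([string]$SamAccountName, [int]$LookbackMs = 86400000)  # default: last 24h
    # Filter on ServiceName server-side; a busy DC writes a lot of 4769s.
    $xpath = "*[System[(EventID=4769) and TimeCreated[timediff(@SystemTime) <= $LookbackMs]]]" +
             " and *[EventData[Data[@Name='ServiceName']='$SamAccountName']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4769 $_ }
}

# Usage: run the first line once on a DC, then schedule the hunt (or port the
# XPath to your SIEM as a rule on Event ID 4769 with ServiceName == honey account).
# New-HoneySpnAccount -SamAccountName $HoneyAccount -Spn $HoneySpn -Path $HoneyOu
Find-HoneySpnRequests -SamAccountName $HoneyAccount | ForEach-Object {
    Write-Warning ("HONEY SPN HIT: {0} requested a ticket for {1} from {2} (enc type {3})" -f
        $_.Requester, $_.Service, $_.ClientIp, $_.EncType)
}
```

Two points worth noting. First, this alert keys on the ticket request alone, so it does not depend on correlating the LDAP enumeration with the TGS request and the delay trick described in tweet 4 does not help the attacker. Second, Rubeus can filter candidate accounts on pwdLastSet, so a honey account created the week of an engagement may be skipped; create it well in advance and treat it like any other long-lived service account.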
