Stephan Berger (@malmoeb)
Mar 9, 6 tweets, 3 min read
1/ Number #4 of the #ActiveDirectory hardening measures:

PowerShell Script Block Logging

🧵 #CyberSecurity
2/ Strictly speaking not part of a guide about hardening AD, but I must stress once again the importance of logging executed PowerShell code on clients and servers:

And here with several examples from our Incident Response cases:

3/ There are other opinions about PowerShell Script Block logging because, potentially, passwords or other sensitive data could end up in event logs, and authenticated users on the workstation or server could read these logs, thus giving away the sensitive data. [1]
4/ My opinion about this topic:
5/ As a bonus, we recommend that our customers install Sysmon on critical systems like DCs or Exchange servers if they do not have an EDR in place.

In case of an incident, we could at least collect and evaluate the Sysmon logs, which would speed up the investigation.
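As an added example for tweets 2 and 3 (this is not code from the thread), a PowerShell snippet that checks and enables the Script Block Logging policy, lists which principals may read the resulting log, and pulls the script text out of Event ID 4104 records with a small watch-list for triage. Function names and the pattern list are this example's own assumptions; the registry path, log name and event ID are the documented ones.

```powershell
# Added example, not code from the original thread. Run in an elevated PowerShell
# session on the host you want to audit. Function names are this example's own;
# registry path, log name and Event ID 4104 are the documented Script Block Logging ones.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$LogName   = 'Microsoft-Windows-PowerShell/Operational'

function Test-ScriptBlockLogging {
    # $true only when the policy value exists and is set to 1
    $v = Get-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Writes the same value the GPO "Turn on PowerShell Script Block Logging" sets
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-ScriptBlockLogAccess {
    # The channel's SDDL: who can read the log. Relevant because secrets passed on
    # a command line land in 4104 events as well (the concern raised in tweet 3).
    (Get-WinEvent -ListLog $LogName).SecurityDescriptor
}

function Get-ScriptBlockEvents {
    param(
        [int]$MaxEvents = 200,
        # strings worth a second look during an investigation; extend as needed
        [string[]]$Pattern = @('FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX', '-enc')
    )
    # Event ID 4104 carries the script text in Properties[2]; long blocks are split
    # across several events (Properties[0]/[1] hold part number and part total)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $flat = $text -replace '\s+', ' '
            $hits = $Pattern | Where-Object { $text -match [regex]::Escape($_) }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Level   = $_.LevelDisplayName   # 'Warning' = the engine itself flagged the block
                Part    = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
                Matches = ($hits -join ', ')
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
}

if (-not (Test-ScriptBlockLogging)) { Enable-ScriptBlockLogging }
Get-ScriptBlockEvents | Where-Object Matches | Format-Table -AutoSize
```

Enabling the policy only affects script blocks compiled after the change, so existing sessions must be restarted before their activity shows up in the log.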
