Security Person at Microsoft, currently in Windows Defender Security Research. Opinions are my own.
Apr 9, 2019 • 4 tweets • 1 min read
Popular attacker trick in corporate networks: change the WDigest UseLogonCredential registry key to 1.
Helpful if you want to transmute an RDP brute-forced local admin credential into domain credentials without risking a Mimikatz detection.
Why?
WDigest=plaintext creds in memory.
WDigest credentials being available in memory means attackers can use alternate sophisticated tools like Task Manager to get credentials versus bringing cred theft tools that AV might detect. WDigest is disabled by default but can be enabled as admin without reboot (just lock.)
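An added example, not from the thread: a small PowerShell audit for the setting described above. It reads the WDigest value on the local host, reports whether plaintext caching is enabled, and sets it back to 0 if it has been flipped. The registry path and value name are the standard ones; the function names are mine.

```powershell
# Added example (not from the original thread). Run from an elevated prompt.
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestStatus {
    # Reports whether LSASS is being told to keep WDigest (plaintext) credentials in memory.
    $prop  = Get-ItemProperty -Path $WDigestPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { $null } else { [int]$prop.$ValueName }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseLogonCredential = $value          # $null: value absent, OS default applies (disabled)
        PlaintextCaching   = ($value -eq 1)  # 1 is the attacker-friendly state from the thread
    }
}

function Disable-WDigestCaching {
    # Write an explicit 0 rather than deleting the value: the hardened state is then visible,
    # and any later change to 1 is a clean registry-write event for auditing (for example a
    # Sysmon Event ID 13 rule scoped to this path). As the thread notes, no reboot is needed
    # for the setting to apply; it takes effect for subsequent logons.
    if (-not (Test-Path $WDigestPath)) { New-Item -Path $WDigestPath -Force | Out-Null }
    Set-ItemProperty -Path $WDigestPath -Name $ValueName -Value 0 -Type DWord
    Get-WDigestStatus
}

$status = Get-WDigestStatus
$status | Format-List
if ($status.PlaintextCaching) {
    Write-Warning "UseLogonCredential is 1 on $($status.ComputerName); setting it to 0."
    Disable-WDigestCaching | Format-List
}
```

Because the value can be changed without a reboot, a one-time audit is not enough; the useful control is a registry-write alert on this path combined with periodic re-checks across the fleet.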
Mar 8, 2019 • 6 tweets • 2 min read
Attackers don’t make assumptions that security policies are followed - they test them. There’s probably at least one person in your org that thinks Winter2019! is a strong password, and your service account passwords may not be as strong as you assume them to be.
Have a safe, legal, and documented way to verify your user accounts are following password best practices. Password sprays are a common entry vector because human-generated passwords that match ‘complexity’ tend to overlap. microsoft.com/en-us/microsof…
Feb 11, 2019 • 8 tweets • 2 min read
Some things attackers like:
-Domain Admin accounts that do logon type 4 or 5 to workstations
-Accounts with weak Kerberos configs like DES encryption or no preauth
-GPO settings that allow unexpected admin actions like loading drivers
Why not check for these before they do?
Highly privileged accounts doing logon type 4 or 5 to workstations are useful to attackers because they leave credentials in memory and on disk, so an attacker can transmute one local administrator account into a domain-wide compromise.
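An added example, not from the thread, for the "check for these before they do" suggestion. It covers two of the three items: accounts with the weak Kerberos settings (no preauthentication, DES-only keys, or DES listed in the supported encryption types) and who holds the "Load and unload device drivers" user right on the local machine. It assumes the ActiveDirectory RSAT module is installed and that the caller has domain read access; the function names are mine. The bit values come from the documented userAccountControl and msDS-SupportedEncryptionTypes flags.

```powershell
# Added example (not from the original thread).
Import-Module ActiveDirectory

# userAccountControl bits for the two weak Kerberos settings in the thread.
$DONT_REQ_PREAUTH = 0x400000
$USE_DES_KEY_ONLY = 0x200000
# msDS-SupportedEncryptionTypes bits for DES_CBC_CRC (0x1) and DES_CBC_MD5 (0x2).
$DES_ETYPES       = 0x3

function Get-WeakKerberosAccounts {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule (all listed bits set);
    # 1.2.840.113556.1.4.804 is bitwise-OR (any listed bit set).
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$USE_DES_KEY_ONLY)" +
              "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$DES_ETYPES))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, msDS-SupportedEncryptionTypes |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                NoPreauth      = [bool]($_.userAccountControl -band $DONT_REQ_PREAUTH)
                DesOnly        = [bool]($_.userAccountControl -band $USE_DES_KEY_ONLY)
                DesEtypes      = [bool](([int]$_.'msDS-SupportedEncryptionTypes') -band $DES_ETYPES)
            }
        }
}

function Get-LoadDriverRightHolders {
    # Exports the effective local user-rights policy (GPO result included) and returns
    # the SIDs holding SeLoadDriverPrivilege. Entries look like *S-1-5-32-544 (Administrators);
    # anything beyond the built-in Administrators group deserves a look.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
}

Get-WeakKerberosAccounts | Format-Table -AutoSize
Get-LoadDriverRightHolders
```

The third item, privileged accounts with logon type 4 or 5 on workstations, is an event-log question rather than a directory one; the 4624 example further down this page handles it.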
Jun 29, 2018 • 11 tweets • 3 min read
Windows Event ID 4624 displays a numerical value for the type of login that was attempted. These numbers are important from a forensic standpoint but also for understanding credential exposure and mitigating risks. Descriptions in replies.
Logon type 10: this is a typical RDP alert meaning that terminal services was engaged for the logon. 3rd party software like virtualization consoles and screen share can also generate it. Means credentials were in memory (lsass) and also hit cached credentials.
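An added example, not from the thread, that turns the 4624 logon-type field into the credential-exposure view the tweet describes. It parses 4624 events from the local Security log, names each logon type, flags the types that leave credentials in LSASS, and then filters to a supplied list of privileged accounts seen with those types on the host. `$PrivilegedAccounts` is an assumed input (for example the recursive membership of Domain Admins); the function names are mine. The logon-type names are the standard ones from the event documentation.

```powershell
# Added example (not from the original thread). 4624 is written on the host where the
# logon happened, so run this on each workstation or against a WEF collector's ForwardedEvents.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Logon types where LSASS holds reusable credentials for the account; type 3 (network) does not.
$CredentialCachingTypes = 2, 4, 5, 10, 11

function ConvertFrom-Logon4624 {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        # Pull the EventData name/value pairs out of the event XML.
        $data = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $type = [int]$data.LogonType
        [pscustomobject]@{
            TimeCreated   = $Event.TimeCreated
            Computer      = $Event.MachineName
            Domain        = $data.TargetDomainName
            Account       = $data.TargetUserName
            LogonType     = $type
            LogonTypeName = $LogonTypeNames[$type]
            CredsInLsass  = $CredentialCachingTypes -contains $type
            Source        = $data.IpAddress
            LogonProcess  = $data.LogonProcessName
        }
    }
}

function Find-PrivilegedCredentialExposure {
    param(
        [Parameter(Mandatory)][string[]]$PrivilegedAccounts,  # SamAccountNames to watch
        [string]$LogName = 'Security',                        # 'ForwardedEvents' on a WEF collector
        [int]$Hours = 24
    )
    $filter = @{ LogName = $LogName; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertFrom-Logon4624 |
        Where-Object { $_.CredsInLsass -and ($PrivilegedAccounts -contains $_.Account) }
}

# Example call; the account list is a placeholder. With RSAT available you could instead pass
# (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName.
Find-PrivilegedCredentialExposure -PrivilegedAccounts @('da-example') |
    Format-Table TimeCreated, Computer, Account, LogonTypeName, Source -AutoSize
```

Type 10 logons from virtualization consoles or screen-share tools, as the tweet notes, show up here too, so check `LogonProcess` and `Source` before treating a hit as an RDP session.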
Jun 26, 2018 • 7 tweets • 2 min read
Cases I have investigated recently have included:
-new ‘elite’ malware that most well-configured/behavioral AV would have caught
-‘junk’ malware used for initial entry
-unpatched servers on the internet
Attackers don’t often encounter networks that require advanced techniques.
Every week we encounter at least one case of malware taking advantage of matching local admin passwords. You can fix that for free with aka.ms/laps
Dec 11, 2017 • 4 tweets • 1 min read
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI: aka.ms/WEFFLES
This is a blog post about how to build the lightweight IR console I personally used during my time as a consultant, which a lot of companies still have in place and use. I'm posting it in the hopes of 'commoditizing' security efforts and making things easier for defenders.
Aug 30, 2017 • 21 tweets • 2 min read
Reacting to a new technique with 'well of course it works, they had admin' may indicate you don't fully appreciate the attacker mindset.
The attacker goal is not just to run code, but often to keep it running without you noticing for as long as possible; ‘borrowed’ trust helps.