LAPS Overview: LAPS (Local Administrator Password Solution) is a tool for managing local administrator passwords for domain joined computers. It stores passwords/secrets in a confidential attribute in the computer’s corresponding active directory object. LAPS eliminates the risk of lateral movement by generating random passwords of local administrators. LAPS solution is a Group Policy Client Side… Continue reading Malicious use of Microsoft LAPS
Background: DCShadow is a post exploitation attack, the authors call this as the domination concept. The DCShadow attack was demonstrated by Vincent Le Toux and Benjamin Delpy at Blue Hat 2018. DCShadow attack abuses Directory Replication Service (DRS) Remote Protocol [MS-DRSR] and Active Directory Technical specification [MS-ADTS]. The DCShadow attack allows an attacker with appropriate… Continue reading Tales of a Rogue Domain Controller – The DCShadow Attack
Active Directory as a C2 Really ? I was amazed when i read a blog post on AD as a C2 on @Harmj0y‘s blog. Curiosity grew into me and wanted to explore it in my lab setup. Why AD as a C2? Active Directory is a Central Authentication and Access control. All the Endpoints Workstations/Servers are… Continue reading Active Directory as a C2 (Command & Control)
This blog post is another one on the well known Kerberos abuses. The attack is very similar to Kerberoasting where we scanned for service accounts and requested for RC4 ETYPES tickets and cracked TGS ticket offline. In AS-REP Roasting we will request for RC4 ETYPES TGT ticket and crack the TGT ticket offline. AS-REP… Continue reading AS-REP Roasting – Cracking User Account Password
This blog post is based on “Tradecraft Security Weekly Talk EP 21” given by @dafthack and @ustayready from Black Hills Information Security. Microsoft word document “DOCX” file is an ZIP archive of XML files. These XML documents controls the Theme,Fonts and web settings of the document. Historically Word document used to be HTML editor. we… Continue reading Leaking windows Credentials via Microsoft Office Document
This blog post is inspired from Rob ‘mubix’ Fuller post on “Dump LAPS passwords with ldapsearch“. So in this blog post we will explore different methods or ways to dump LAPS password in clear text. By Default all the Domain Admins have view access to ms-MCS-AdmPwd attribute. Lets have a look at the following ways… Continue reading Dump LAPS password in clear text
My presentation on Active Directory Attacks and Detection. Follow the link to view/download it. Active Directory Attacks and Detection Active_Directory_Attacks_Detections_Part-II Active_Directory_Attacks Detections_Part-III
