Hunting TTPs with Azure Sentinel

Introduction: Azure Sentinel is a cloud native SIEM solution that leverages, the power of Artificial Intelligence to analyze large data volumes at scale. It provides a lot of capabilities and it’s a solution that I highly can recommend to both SOC Analysts and Threat Hunters. Today in my blog post. I’m going to describe aContinue reading “Hunting TTPs with Azure Sentinel”

Kusto Query Internals – Azure Sentinel Reference

Folks, Since a lot of people are into Azure Sentinel. I’ve decided to share a documentation that walks you through the different steps to understand the basic concepts of Kusto Query Language (KQL). KQL is the core fundamentals in Azure Sentinel to search and analyze data. This is also why it’s worth to understand howContinue reading “Kusto Query Internals – Azure Sentinel Reference”

Re-Post: Active Directory Security – Resources

Introduction An old document that I had removed from my previous website, but since people have asked for it. I have decided re-post my Active Directory Security Assessment (ADSA) documentation. ADSA provides a clear ”how-to” guidance to apply common best practices to improve the security of AD. The purpose of this documentation was mainly meantContinue reading “Re-Post: Active Directory Security – Resources”

Mitigate Credential theft with Administrative Tier Model

Introduction: A lot of organizations have a credential hygiene problem without knowing that they have it. It’s one of the common reasons why attackers are managing to obtain Domain Dominance so easily in a corporate environment, because credentials are everywhere. High-privileged accounts with the likes of Domain Admins & Enterprise Admins are login on everyContinue reading “Mitigate Credential theft with Administrative Tier Model”

Stop being lazy and deploy LAPS

Introduction: Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. What’s great about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it’s free! LAPSContinue reading “Stop being lazy and deploy LAPS”

How attackers are moving laterally via Kerberos

Introduction Kerberos exist for a long time and it has been the default authentication protocol for Windows, Active Directory. Attackers have been abusing the Kerberos protocol for a while, but it’s not that Kerberos is immediately insecure. It’s the way how it has been designed. Before we’re diving into the ways of how an attackerContinue reading “How attackers are moving laterally via Kerberos”

Pass-the-Hash is still a threat

Introduction Pass-the-Hash is a very old technique that was originally published by Paul Ashton in 1997. Despite that Pass-the-Hash exists over more than a decade. It is used a lot in most ransomware attacks, like for example on the University of Maastricht. But why is this still a problem? First of all, lets have aContinue reading “Pass-the-Hash is still a threat”

Mitigate RDP attacks on Azure VM’s with Just-in-Time Access

Introduction There are organizations who have migrated some of their on-premise machines to the Cloud of Azure, because it can reduce the workload. What’s great about this is the fact, that you don’t need to maintain all the physical hardware anymore. However it’s becomes a shared responsibility, when you have resources running in Azure. ThisContinue reading “Mitigate RDP attacks on Azure VM’s with Just-in-Time Access”

Computer accounts can move laterally too!

Introduction Computer accounts in Active Directory can be abused as well, but it’s not something we hear often, because lets face it. It’s not the first thing that comes up in to our mind, when we’re thinking about moving laterally to another machine with a computer account. Before we go further in to all theContinue reading “Computer accounts can move laterally too!”

Pass-the-Hash with RID-500 account

Introduction In my previous post, I’ve blogged about how Pass-the-Hash is still a nuclear bomb on most networks around the world. Despite that Microsoft has released mitigation guidance’s around this security threat. I always felt that most companies didn’t (fully) understood the whole problem about this, which has led that many companies didn’t implemented theContinue reading “Pass-the-Hash with RID-500 account”