Active Directory Certificate Services (ADSCS) is Microsoft’s Public Key Infrastructure (PKI) for typical Windows environments. There has been lots of blog posts on how to compromise an entire ADCS infrastructure, so I don’t want to repeat the same stuff over and over again. However, since ADCS is now a clear target with all the POCs that are available, and so
Read moreGroup Policy is a powerful tool that attackers are using to deploy their ransomware across a network. This blog post will cover some tips on how we can hunt for this type of activity in the event logs, and so on. We will be relying on the default Windows event logs that are straight out of the box. In order
Read moreProxyShell is an attack chain that exploits three known vulnerabilities in On-Premises Exchange servers: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. ProxyShell allows a remote unauthenticated attacker to execute arbitrary commands on an unpatched Exchange Server through port 443. The bug relies in the Client Access Service (CAS) component in Exchange and was discovered by a security researcher in 2021. The presentation of
Read moreOn-Premises Exchange servers are valuable targets for attackers, since it contains critical data and often has wide permissions within AD. Over the years, we have seen different exploits for Microsoft Exchange that could lead to a full compromise on the Exchange farm, as well as a full compromise on Active Directory. Today I would like to do a recap on
Read moreA Webshell is a malicious script that an attacker can drop on a webserver to launch additional attacks and establish persistence. Before a Webshell is dropped, it is usually the case that an attacker has successfully obtained SYSTEM level access on the targeted server in order to upload the Webshell. A Webshell may provide a set of functions to execute
Read moreThis will be a high-level summary of the different logs that can be found on an On-Premises Exchange server, which can be useful during an IR. For each log, I’ll try to explain what we can achieve with it. Not all logs are useful, so I’ve only picked the one’s that I’m aware of and believe are useful. IIS logs
Read moreToday I would like to share my experience with doing Cloud forensics in Azure AD. I’ve been working for over a year with Azure Active Directory, and have primary focused on the different security aspects of it. One of my main focus has been doing Cloud forensics, which I will tell more about. I was always interested in understanding, where
Read moreToday we are going to talk about our good old friend or better known as Windows Defender AV. Not to confuse with the EDR solution that’s called ”Defender for Endpoint”. Windows Defender is the traditional out of the box antivirus for a Windows machine. In this blog post, we are going to explain why it is relevant to keep an
Read moreIn this blog post, we are going to explain how to exfiltrate data over (S)FTP. This blog post is mainly for educational purposes. During this blog post, we will cover everything in steps, which will help the readers being able to simulate this attack by themselves. The goal of this blog post is to demonstrate how relative easy it is
Read moreDuring the past year, we have seen ransomware gangs using public tools to exfiltrate data by copying it to an array of a Cloud storage provider. In November 2020, SentinelOne discovered, that adversaries were using such techniques to transfer data from a victim’s machine to a Cloud storage provider. The blog post of SentinelOne can be found here. Where they
Read more
Microsoft 365 Security 