Active Directory Security
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Active Directory Security</title> <atom:link href="https://adsecurity.org/?feed=rss2" rel="self" type="application/rss+xml" /> <link>https://adsecurity.org</link> <description>Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia...</description> <lastBuildDate>Wed, 05 Jun 2024 15:38:59 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.5.5</generator> <item> <title>BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</title> <link>https://adsecurity.org/?p=4436</link> <dc:creator><![CDATA[Danny Akacki]]></dc:creator> <pubDate>Wed, 05 Jun 2024 15:23:56 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4436</guid> <description><![CDATA[We have an Identity problem and not the kind you think of when you look in the mirror. Attacks have shifted from the perimeter to the endpoints and now attackers have their sights on identity. 
This talk explores the issues with Identity security specifically the two most popular identity systems, Active Directory & Azure AD … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4436">Continue reading</a>]]></description> </item> <item> <title>DEFCON 2017: Transcript – Hacking the Cloud</title> <link>https://adsecurity.org/?p=4434</link> <dc:creator><![CDATA[Danny Akacki]]></dc:creator> <pubDate>Tue, 28 May 2024 16:29:02 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <category><![CDATA[ActiveDirectory]]></category> <category><![CDATA[Azure]]></category> <category><![CDATA[EntraID]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4434</guid> <description><![CDATA[Let’s look at recon in a cloud-type environment. You have a customer. They’ve hired you to come in and pen test, red team their environment, and they said, “We want to add cloud to the scope.” What does that mean? How do we identify what sort of cloud services they have? Continue reading…]]></description> </item> <item> <title>Detecting the Elusive: Active Directory Threat Hunting</title> <link>https://adsecurity.org/?p=4432</link> <dc:creator><![CDATA[Danny Akacki]]></dc:creator> <pubDate>Tue, 28 May 2024 16:22:28 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <category><![CDATA[ActiveDirectory]]></category> <category><![CDATA[bsides]]></category> <category><![CDATA[threat hunting]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4432</guid> <description><![CDATA[This is “Detecting the Elusive: Active Directory Threat Hunting”, and I am Sean Metcalf. I’m the founder of Trimarc, a Security Company, a Microsoft-Certified Master (MCM) in Active Directory. There’s about 100 in the world. I’m also a Microsoft MVP. I’ve spoken about Active Directory attack and defense at a number of conferences. 
I’m a … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4432">Continue reading</a>]]></description> </item> <item> <title>Detecting Kerberoasting Activity</title> <link>https://adsecurity.org/?p=4430</link> <dc:creator><![CDATA[Danny Akacki]]></dc:creator> <pubDate>Tue, 28 May 2024 16:20:16 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <category><![CDATA[ActiveDirectory]]></category> <category><![CDATA[Kerberoast]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4430</guid> <description><![CDATA[Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4430">Continue reading</a>]]></description> </item> <item> <title>Detecting Password Spraying with Security Event Auditing</title> <link>https://adsecurity.org/?p=4428</link> <dc:creator><![CDATA[Danny Akacki]]></dc:creator> <pubDate>Tue, 28 May 2024 16:17:58 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4428</guid> <description><![CDATA[A common method attackers leverage as well as many penetration testers and Red Teamers is called “password spraying”. Password spraying is interesting because it’s automated password guessing. 
This automated password guessing against all users typically avoids account lockout since the logon attempts with a specific password are performed against every user and not one … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4428">Continue reading</a>]]></description> </item> <item> <title>Hardening Azure AD in the Face of Emerging Threats</title> <link>https://adsecurity.org/?p=4426</link> <dc:creator><![CDATA[Danny Akacki]]></dc:creator> <pubDate>Tue, 28 May 2024 16:14:26 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <category><![CDATA[AzureAD]]></category> <category><![CDATA[EntraID]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4426</guid> <description><![CDATA[In September of 2021, Trimarc Founder & CTO Sean Metcalf presented at Quest’s The Experts Conference. “This presentation covers some attacks that involve Microsoft cloud on-prem components as well as those against the Microsoft cloud directly. After discussing attacks and specific defenses, I will wrap up with some key recommendations. 
Note: There will be some … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4426">Continue reading</a>]]></description> </item> <item> <title>Attacking Active Directory Group Managed Service Accounts (GMSAs)</title> <link>https://adsecurity.org/?p=4367</link> <dc:creator><![CDATA[Sean Metcalf]]></dc:creator> <pubDate>Fri, 29 May 2020 14:00:00 +0000</pubDate> <category><![CDATA[ActiveDirectorySecurity]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[Microsoft Security]]></category> <category><![CDATA[clear-text password]]></category> <category><![CDATA[Computer Account]]></category> <category><![CDATA[ConvertTo-NTHash]]></category> <category><![CDATA[DSInternals]]></category> <category><![CDATA[Get-ADReplAccount]]></category> <category><![CDATA[Get-ADServiceAccount]]></category> <category><![CDATA[GMSA]]></category> <category><![CDATA[GMSA password]]></category> <category><![CDATA[GMSA password hash]]></category> <category><![CDATA[GMSA SPN]]></category> <category><![CDATA[Group Managed Service Accounts]]></category> <category><![CDATA[Kerberos]]></category> <category><![CDATA[Kerberos SPN]]></category> <category><![CDATA[LSASS]]></category> <category><![CDATA[mimikatz]]></category> <category><![CDATA[msDS-GroupManagedServiceAccount]]></category> <category><![CDATA[msDS-GroupMSAMembership]]></category> <category><![CDATA[msds-ManagedPassword]]></category> <category><![CDATA[msDS-ManagedPasswordId]]></category> <category><![CDATA[msDS-ManagedPasswordInterval]]></category> <category><![CDATA[msDS-ManagePasswordInterval]]></category> <category><![CDATA[PrincipalsAllowedToRetriveManagedPassword]]></category> <category><![CDATA[PSEXEC]]></category> <category><![CDATA[Sekurlsa::ekeys]]></category> <category><![CDATA[sekurlsa::logonpasswords]]></category> <category><![CDATA[service principal name]]></category> <category><![CDATA[ServicePrincipalNames]]></category> <category><![CDATA[SPN]]></category> 
<category><![CDATA[SYSTEM]]></category> <category><![CDATA[_SA_]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4367</guid> <description><![CDATA[In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called “Securing Active Directory: Resolving Common Issues” and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast. I … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4367">Continue reading</a>]]></description> </item> <item> <title>From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path</title> <link>https://adsecurity.org/?p=4277</link> <dc:creator><![CDATA[Sean Metcalf]]></dc:creator> <pubDate>Wed, 27 May 2020 18:00:00 +0000</pubDate> <category><![CDATA[Cloud Security]]></category> <category><![CDATA[Microsoft Security]]></category> <category><![CDATA[TheCloud]]></category> <category><![CDATA[Access management for Azure resources]]></category> <category><![CDATA[ActiveDirectory]]></category> <category><![CDATA[Azure AD PIM]]></category> <category><![CDATA[Azure Owner]]></category> <category><![CDATA[Azure RBAC]]></category> <category><![CDATA[Azure root]]></category> <category><![CDATA[AzureAD]]></category> <category><![CDATA[Company Administrator]]></category> <category><![CDATA[Compromise Azure Domain Controller]]></category> <category><![CDATA[Compromise Azure VM]]></category> <category><![CDATA[Elevate Access]]></category> <category><![CDATA[EnableAdminAccount]]></category> <category><![CDATA[From Azure AD to Azure]]></category> <category><![CDATA[Global Admin to Azure]]></category> <category><![CDATA[Global Administrator]]></category> <category><![CDATA[Global Administrator Elevate Access]]></category> <category><![CDATA[MFA]]></category> <category><![CDATA[Microsoft.Compute/virtualMachines/runCommand/]]></category> 
<category><![CDATA[net localgroup]]></category> <category><![CDATA[Office 365 Security]]></category> <category><![CDATA[PIM]]></category> <category><![CDATA[Privileged Identity Manager]]></category> <category><![CDATA[Run PowerShell on Azure VM]]></category> <category><![CDATA[runCommand]]></category> <category><![CDATA[RunPowerShellScript]]></category> <category><![CDATA[User Access Administrator]]></category> <category><![CDATA[Virtual Machine Contributor]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4277</guid> <description><![CDATA[For most of 2019, I was digging into Office 365 and Azure AD and looking at features as part of the development of the new Trimarc Microsoft Cloud Security Assessment which focuses on improving customer Microsoft Office 365 and Azure AD security posture. As I went through each of them, I found one that was … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4277">Continue reading</a>]]></description> </item> <item> <title>What is Azure Active Directory?</title> <link>https://adsecurity.org/?p=4211</link> <dc:creator><![CDATA[Sean Metcalf]]></dc:creator> <pubDate>Sun, 12 Jan 2020 20:17:03 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <category><![CDATA[AAD]]></category> <category><![CDATA[AccountTokenTheft]]></category> <category><![CDATA[ActiveDirectory]]></category> <category><![CDATA[ActiveSync]]></category> <category><![CDATA[AD]]></category> <category><![CDATA[ADAL]]></category> <category><![CDATA[ADALPowerShell]]></category> <category><![CDATA[AttackingMicrosoftCloud]]></category> <category><![CDATA[AttackingOffice365]]></category> <category><![CDATA[Azure AD Account Enumeration]]></category> <category><![CDATA[AzureActiveDirectory]]></category> <category><![CDATA[AzureAD]]></category> <category><![CDATA[AzureADPasswordSpray]]></category> <category><![CDATA[AzureADPowerShellModule]]></category> <category><![CDATA[AzurePIM]]></category> 
<category><![CDATA[CloudAD]]></category> <category><![CDATA[ExchangeOnlineModule]]></category> <category><![CDATA[GlobalAdmin]]></category> <category><![CDATA[GlobalReader]]></category> <category><![CDATA[MicrosoftCloud]]></category> <category><![CDATA[MicrosoftCloudSecurity]]></category> <category><![CDATA[MSOnline]]></category> <category><![CDATA[O365]]></category> <category><![CDATA[O365Creeper]]></category> <category><![CDATA[O365PasswordSpray]]></category> <category><![CDATA[Office365]]></category> <category><![CDATA[Office365PasswordSpray]]></category> <category><![CDATA[Office365security]]></category> <category><![CDATA[OWA]]></category> <category><![CDATA[PasswordSprayDetection]]></category> <category><![CDATA[PasswordSpraying]]></category> <category><![CDATA[PIM]]></category> <category><![CDATA[PrivilegedIdentityManagement]]></category> <category><![CDATA[WhatIsAzureActiveDirectory]]></category> <category><![CDATA[WhatIsAzureAD]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4211</guid> <description><![CDATA[Many are familiar with Active Directory, the on-premises directory and authentication system that is available with Windows Server, but exactly what is Azure Active Directory? Azure Active Directory (Azure AD or AAD) is a multi-tenant cloud directory and authentication service. 
Azure AD is the directory service that Office 365 (and Azure) leverages for account, groups, … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4211">Continue reading</a>]]></description> </item> <item> <title>Slides Posted for Black Hat USA 2019 Talk: Attacking & Defending the Microsoft Cloud</title> <link>https://adsecurity.org/?p=4179</link> <dc:creator><![CDATA[Sean Metcalf]]></dc:creator> <pubDate>Wed, 07 Aug 2019 19:15:59 +0000</pubDate> <category><![CDATA[Technical Reference]]></category> <guid isPermaLink="false">https://adsecurity.org/?p=4179</guid> <description><![CDATA[Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD) Sean Metcalf (Trimarc) & Mark Morowczynski (Principal Program Manager, Microsoft) The allure of the “Cloud” is indisputable. Organizations are moving into the cloud at a rapid pace. Even companies that have said no to the Cloud in the past have started migrating services and … </p><p><a class="more-link btn" href="https://adsecurity.org/?p=4179">Continue reading</a>]]></description> </item> </channel> </rss>