Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…
<!DOCTYPE html><!--[if IE 7]> <html class="ie ie7" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if IE 8]> <html class="ie ie8" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if !(IE 7) & !(IE 8)]><!--> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <!--<![endif]--> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…</title> <meta name='robots' content='max-image-preview:large' /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » Feed" href="https://adsecurity.org/?feed=rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » Comments Feed" href="https://adsecurity.org/?feed=comments-rss2" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/adsecurity.org\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://adsecurity.org/wp-includes/css/dist/block-library/style.min.css?ver=6.5.5' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: 
linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 14px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 20px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--tiny: 10px;--wp--preset--font-size--regular: 16px;--wp--preset--font-size--larger: 26px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) 
!important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) 
!important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: 
var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} .wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} .wp-block-pullquote{font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='bootstrap-css' href='https://adsecurity.org/wp-content/themes/graphene/bootstrap/css/bootstrap.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='font-awesome-css' href='https://adsecurity.org/wp-content/themes/graphene/fonts/font-awesome/css/font-awesome.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-css' href='https://adsecurity.org/wp-content/themes/graphene/style.css?ver=2.8.4' 
type='text/css' media='screen' /> <link rel='stylesheet' id='graphene-responsive-css' href='https://adsecurity.org/wp-content/themes/graphene/responsive.css?ver=2.8.4' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-blocks-css' href='https://adsecurity.org/wp-content/themes/graphene/blocks.css?ver=2.8.4' type='text/css' media='all' /> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/bootstrap/js/bootstrap.min.js?ver=2.8.4" id="bootstrap-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-hover-dropdown/bootstrap-hover-dropdown.min.js?ver=2.8.4" id="bootstrap-hover-dropdown-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-submenu/bootstrap-submenu.min.js?ver=2.8.4" id="bootstrap-submenu-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/jquery.infinitescroll.min.js?ver=2.8.4" id="infinite-scroll-js"></script> <script type="text/javascript" id="graphene-js-extra"> /* <![CDATA[ */ var grapheneJS = {"siteurl":"https:\/\/adsecurity.org","ajaxurl":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","templateUrl":"https:\/\/adsecurity.org\/wp-content\/themes\/graphene","isSingular":"","enableStickyMenu":"","shouldShowComments":"","commentsOrder":"newest","sliderDisable":"","sliderInterval":"7000","infScrollBtnLbl":"Load more","infScrollOn":"","infScrollCommentsOn":"","totalPosts":"249","postsPerPage":"10","isPageNavi":"","infScrollMsgText":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left 
...","infScrollMsgTextPlural":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left ...","infScrollFinishedText":"All loaded!","commentsPerPage":"50","totalComments":"0","infScrollCommentsMsg":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsMsgPlural":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsFinishedMsg":"All comments loaded!","disableLiveSearch":"1","txtNoResult":"No result found.","isMasonry":""}; /* ]]> */ </script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/graphene.js?ver=2.8.4" id="graphene-js"></script> <script type="text/javascript" id="wpstg-global-js-extra"> /* <![CDATA[ */ var wpstg = {"nonce":"23dea5be61"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/wp-staging-pro/assets/js/dist/wpstg-blank-loader.min.js?ver=6.5.5" id="wpstg-global-js"></script> <link rel="https://api.w.org/" href="https://adsecurity.org/index.php?rest_route=/" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://adsecurity.org/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.5.5" /> <script> WebFontConfig = { google: { families: ["Lato:400,400i,700,700i&display=swap"] } }; (function(d) { var wf = d.createElement('script'), s = d.scripts[0]; wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js'; wf.async = true; s.parentNode.insertBefore(wf, s); })(document); </script> <style type="text/css"> .header_title, .header_title a, .header_title a:visited, .header_title a:hover, .header_desc {color:#000000}.carousel, .carousel .item{height:400px}@media (max-width: 991px) {.carousel, .carousel .item{height:250px}}#header{max-height:198px}@media (min-width: 1200px) {.container {width:1280px}} </style> <style 
type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style> </head> <body class="home blog custom-background wp-embed-responsive layout-boxed two_col_left two-columns"> <div class="container boxed-wrapper"> <div id="top-bar" class="row clearfix top-bar "> <div class="col-md-12 top-bar-items"> <ul class="social-profiles"> <li class="social-profile social-profile-rss"> <a href="https://adsecurity.org/?feed=rss2" title="Subscribe to Tech, News, and Other Ideations's RSS feed" id="social-id-1" class="mysocial social-rss"> <i class="fa fa-rss"></i> </a> </li> </ul> <button type="button" class="search-toggle navbar-toggle collapsed" data-toggle="collapse" data-target="#top_search"> <span class="sr-only">Toggle search form</span> <i class="fa fa-search-plus"></i> </button> <div id="top_search" class="top-search-form"> <form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form> </div> </div> </div> <div id="header" class="row"> <img src="https://adsecurity.org/wp-content/themes/graphene/images/headers/fluid.jpg" alt="Active Directory Security" title="Active Directory Security" width="960" height="198" /> </div> <nav class="navbar row navbar-inverse"> <div class="navbar-header align-center"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#header-menu-wrap, #secondary-menu-wrap"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <p class="header_title"> Active Directory Security </p> <p class="header_desc">Active Directory & 
Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…</p> </div> <div class="collapse navbar-collapse" id="header-menu-wrap"> <ul class="nav navbar-nav flip"><li class="current_page_item"><a href="https://adsecurity.org/">Home</a></li><li class="menu-item menu-item-8"><a href="https://adsecurity.org/?page_id=8" >About</a></li><li class="menu-item menu-item-41"><a href="https://adsecurity.org/?page_id=41" >AD Resources</a></li><li class="menu-item menu-item-4031"><a href="https://adsecurity.org/?page_id=4031" >Attack Defense & Detection</a></li><li class="menu-item menu-item-293"><a href="https://adsecurity.org/?page_id=293" >Contact</a></li><li class="menu-item menu-item-1821"><a href="https://adsecurity.org/?page_id=1821" >Mimikatz</a></li><li class="menu-item menu-item-1352"><a href="https://adsecurity.org/?page_id=1352" >Presentations</a></li><li class="menu-item menu-item-195"><a href="https://adsecurity.org/?page_id=195" >Schema Versions</a></li><li class="menu-item menu-item-399"><a href="https://adsecurity.org/?page_id=399" >Security Resources</a></li><li class="menu-item menu-item-183"><a href="https://adsecurity.org/?page_id=183" >SPNs</a></li><li class="menu-item menu-item-2532"><a href="https://adsecurity.org/?page_id=2532" >Top Posts</a></li></ul> </div> </nav> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <div class="carousel slide carousel-fade style-bgimage-excerpt row" data-ride="carousel" id="graphene-slider"> <div class="carousel-inner" role="listbox"> <div style="background-image:url(https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28-823x400.png);" class="item active" id="slider-post-4436"> <a href="https://adsecurity.org/?p=4436" class="permalink-overlay" title="View post"></a> <div class="carousel-caption"> <div class="carousel-caption-content"> <h2 class="slider_post_title"><a 
href="https://adsecurity.org/?p=4436">BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</a></h2> <div class="slider_post_excerpt"><p>We have an Identity problem and not the kind you think of when you look in the mirror. Attacks have shifted from the perimeter to the endpoints and now attackers have their sights on identity. … </p> </div> </div> </div> </div> <div style="background-image:url(https://adsecurity.org/wp-content/uploads/2024/06/543129-DefCon-defcon25-748x421-1-748x400.jpg);" class="item " id="slider-post-4434"> <a href="https://adsecurity.org/?p=4434" class="permalink-overlay" title="View post"></a> <div class="carousel-caption"> <div class="carousel-caption-content"> <h2 class="slider_post_title"><a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript – Hacking the Cloud</a></h2> <div class="slider_post_excerpt"><p>Let’s look at recon in a cloud-type environment. You have a customer. They’ve hired you to come in and pen test, red team their environment, and they said, “We want to add cloud to the … </p> </div> </div> </div> </div> <div style="background-image:url(https://adsecurity.org/wp-content/uploads/2024/06/OIP-4.jpg);" class="item " id="slider-post-4432"> <a href="https://adsecurity.org/?p=4432" class="permalink-overlay" title="View post"></a> <div class="carousel-caption"> <div class="carousel-caption-content"> <h2 class="slider_post_title"><a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a></h2> <div class="slider_post_excerpt"><p>This is “Detecting the Elusive: Active Directory Threat Hunting”, and I am Sean Metcalf. I’m the founder of Trimarc, a Security Company, a Microsoft-Certified Master (MCM) in Active Directory. There’s about 100 in the world. 
… </p> </div> </div> </div> </div> <div style="background-image:url(https://adsecurity.org/wp-content/uploads/2024/06/27c3eb_5d69bd721556444493c0b2902a7e4f08mv2.webp);" class="item " id="slider-post-4430"> <a href="https://adsecurity.org/?p=4430" class="permalink-overlay" title="View post"></a> <div class="carousel-caption"> <div class="carousel-caption-content"> <h2 class="slider_post_title"><a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a></h2> <div class="slider_post_excerpt"><p>Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create … </p> </div> </div> </div> </div> <div style="background-image:url(https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-823x400.webp);" class="item " id="slider-post-4428"> <a href="https://adsecurity.org/?p=4428" class="permalink-overlay" title="View post"></a> <div class="carousel-caption"> <div class="carousel-caption-content"> <h2 class="slider_post_title"><a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a></h2> <div class="slider_post_excerpt"><p>A common method attackers leverage as well as many penetration testers and Red Teamers is called “password spraying”. Password spraying is interesting because it’s automated password guessing. 
This automated password guessing against all users typically … </p> </div> </div> </div> </div> </div> <ol class="carousel-indicators slider_nav"> <li data-target="#graphene-slider" class="active" data-slide-to="0"></li> <li data-target="#graphene-slider" data-slide-to="1"></li> <li data-target="#graphene-slider" data-slide-to="2"></li> <li data-target="#graphene-slider" data-slide-to="3"></li> <li data-target="#graphene-slider" data-slide-to="4"></li> </ol> <a class="left carousel-control" href="#graphene-slider" role="button" data-slide="prev"> <i class="fa fa-long-arrow-left"></i> <span class="sr-only">Previous</span> </a> <a class="right carousel-control" href="#graphene-slider" role="button" data-slide="next"> <i class="fa fa-long-arrow-right"></i> <span class="sr-only">Next</span> </a> </div> <div class="entries-wrapper"> <div id="post-4277" class="clearfix post post-4277 type-post status-publish format-standard sticky hentry category-cloud-security category-microsoft-security category-thecloud tag-access-management-for-azure-resources tag-activedirectory tag-azure-ad-pim tag-azure-owner tag-azure-rbac tag-azure-root tag-azuread tag-company-administrator tag-compromise-azure-domain-controller tag-compromise-azure-vm tag-elevate-access tag-enableadminaccount tag-from-azure-ad-to-azure tag-global-admin-to-azure tag-global-administrator tag-global-administrator-elevate-access tag-mfa tag-microsoft-compute-virtualmachines-runcommand tag-net-localgroup tag-office-365-security tag-pim tag-privileged-identity-manager tag-run-powershell-on-azure-vm tag-runcommand tag-runpowershellscript tag-user-access-administrator tag-virtual-machine-contributor item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">27</span> <span class="year">2020</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4277" rel="bookmark" title="Permalink to 
From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path"> From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-431" href="https://adsecurity.org/?cat=431">Cloud Security</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-156" href="https://adsecurity.org/?cat=156">TheCloud</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>For most of 2019, I was digging into Office 365 and Azure AD and looking at features as part of the development of the new <a href="http://trimarc.co/mcsa">Trimarc Microsoft Cloud Security Assessment</a> which focuses on improving customer Microsoft Office 365 and Azure AD security posture. As I went through each of them, I found one that was very interesting.</p> <p>In May 2020, I presented some Microsoft Office 365 & Azure Active Directory security topics in a <a href="https://www.hub.trimarcsecurity.com/post/webcast-securing-office-365-and-azure-ad-defend-your-tenant">Trimarc Webcast called “Securing Office 365 and Azure AD: Protect Your Tenant”</a> and included the attack path described in this article that takes advantage of a little known feature.</p> <p>While Azure leverages Azure Active Directory for some things, Azure AD roles don’t directly affect Azure (or Azure RBAC) typically. This article details a known configuration (at least to those who have dug into Azure AD configuration options) where it’s possible for a Global Administrator (aka Company Administrator) in Azure Active Directory to gain control of Azure through a tenant option. 
This is “by design” as a “break-glass” (emergency) option that can be used to (re)gain Azure admin rights if such access is lost.<br />In this post I explore the danger associated with this option as it is currently configured (as of May 2020).<br /><br />The key takeaway here is that if you don’t carefully protect and control Global Administrator role membership and associated accounts, you could lose positive control of systems hosted in all Azure subscriptions as well as Office 365 service data.<br /><br /><span style="text-decoration: underline;">Note:</span><br />Most of the research around this issue was performed from August 2019 through December 2019, and Microsoft may have incorporated changes since then in functionality and/or capability.</p> <p><strong>Attack Scenario:</strong><br />In this scenario, Acme has an on-premises Active Directory environment. Acme embraced Azure Infrastructure as a Service (IaaS) as an additional datacenter and deployed Domain Controllers to Azure for their on-prem AD (as their “cloud datacenter”). Acme IT locked down the DCs following hardening advice and limited Azure administration to the VMs hosting the DCs. Acme has other sensitive applications hosted on servers in Azure.<br /><br />Acme signed up for Office 365 and started a pilot. All of the Active Directory and Exchange admins (and many other IT admins) are granted temporary <a href="https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles">Global Administrator</a> (aka Global Admin or GA) rights to facilitate the pilot. 
As a result, there are more Global Administrator accounts than there should be, and they are not well protected.<br /><br />The Global Administrator role provides full admin rights to Azure AD and ultimately all Office 365 services.<br />The Microsoft online document provides key information (5/26/2020): <a href="https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles">https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles</a> <br /><br />Note that there is nothing stated here about Azure capability.</p> <figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="643" src="https://adsecurity.org/wp-content/uploads/2020/05/image-33-1024x643.png" alt="" class="wp-image-4353" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-33-1024x643.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-33-300x188.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-33-768x482.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-33.png 1129w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <a href="https://adsecurity.org/?p=4277#more-4277" class="more-link btn"><span class="btn">Continue reading <i class="fa fa-arrow-circle-right"></i></span></a> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1404" href="https://adsecurity.org/?tag=access-management-for-azure-resources">Access management for Azure resources</a>, <a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-1408" href="https://adsecurity.org/?tag=azure-ad-pim">Azure AD PIM</a>, <a class="term term-tagpost_tag term-1418" href="https://adsecurity.org/?tag=azure-owner">Azure Owner</a>, <a class="term term-tagpost_tag term-1403" href="https://adsecurity.org/?tag=azure-rbac">Azure 
RBAC</a>, <a class="term term-tagpost_tag term-1419" href="https://adsecurity.org/?tag=azure-root">Azure root</a>, <a class="term term-tagpost_tag term-136" href="https://adsecurity.org/?tag=azuread">AzureAD</a>, <a class="term term-tagpost_tag term-1411" href="https://adsecurity.org/?tag=company-administrator">Company Administrator</a>, <a class="term term-tagpost_tag term-1416" href="https://adsecurity.org/?tag=compromise-azure-domain-controller">Compromise Azure Domain Controller</a>, <a class="term term-tagpost_tag term-1417" href="https://adsecurity.org/?tag=compromise-azure-vm">Compromise Azure VM</a>, <a class="term term-tagpost_tag term-1410" href="https://adsecurity.org/?tag=elevate-access">Elevate Access</a>, <a class="term term-tagpost_tag term-1424" href="https://adsecurity.org/?tag=enableadminaccount">EnableAdminAccount</a>, <a class="term term-tagpost_tag term-1414" href="https://adsecurity.org/?tag=from-azure-ad-to-azure">From Azure AD to Azure</a>, <a class="term term-tagpost_tag term-1415" href="https://adsecurity.org/?tag=global-admin-to-azure">Global Admin to Azure</a>, <a class="term term-tagpost_tag term-1406" href="https://adsecurity.org/?tag=global-administrator">Global Administrator</a>, <a class="term term-tagpost_tag term-1413" href="https://adsecurity.org/?tag=global-administrator-elevate-access">Global Administrator Elevate Access</a>, <a class="term term-tagpost_tag term-1412" href="https://adsecurity.org/?tag=mfa">MFA</a>, <a class="term term-tagpost_tag term-1422" href="https://adsecurity.org/?tag=microsoft-compute-virtualmachines-runcommand">Microsoft.Compute/virtualMachines/runCommand/</a>, <a class="term term-tagpost_tag term-1426" href="https://adsecurity.org/?tag=net-localgroup">net localgroup</a>, <a class="term term-tagpost_tag term-1405" href="https://adsecurity.org/?tag=office-365-security">Office 365 Security</a>, <a class="term term-tagpost_tag term-1380" href="https://adsecurity.org/?tag=pim">PIM</a>, <a class="term 
term-tagpost_tag term-1409" href="https://adsecurity.org/?tag=privileged-identity-manager">Privileged Identity Manager</a>, <a class="term term-tagpost_tag term-1425" href="https://adsecurity.org/?tag=run-powershell-on-azure-vm">Run PowerShell on Azure VM</a>, <a class="term term-tagpost_tag term-1421" href="https://adsecurity.org/?tag=runcommand">runCommand</a>, <a class="term term-tagpost_tag term-1423" href="https://adsecurity.org/?tag=runpowershellscript">RunPowerShellScript</a>, <a class="term term-tagpost_tag term-1407" href="https://adsecurity.org/?tag=user-access-administrator">User Access Administrator</a>, <a class="term term-tagpost_tag term-1420" href="https://adsecurity.org/?tag=virtual-machine-contributor">Virtual Machine Contributor</a></span></li> </ul> </div> </div> <div id="post-2362" class="clearfix post post-2362 type-post status-publish format-standard has-post-thumbnail sticky hentry category-activedirectorysecurity category-microsoft-security category-technical-reference tag-activedirectory tag-administratorpassword tag-aesprivatekey tag-aessharedsecret tag-cpassword tag-credentialtheft tag-credentialtheftshuffle tag-domainadmins tag-domaincontroller tag-dumpcredentiasls tag-dumplsass tag-enterpriseadmins tag-get-gpppassword tag-goldentickets tag-gpp tag-grouppolicypreferences tag-groups-xml tag-ifm tag-installfrommedia tag-kb2962486 tag-kb3011780 tag-kekeo tag-kerberoast tag-kerberos tag-kerberoshacking tag-laps tag-lateralmovement tag-localadministratoraccountpassword tag-lsass tag-lsassdumpfile tag-microsoftlaps tag-mimikatz tag-ms14068 tag-ms14068-exe tag-ms14068exploit tag-msdn tag-ntds-dit tag-paws tag-persistence tag-powersploit tag-pykek tag-rc4_hmac_md5 tag-rdp tag-runas tag-scheduledtasks-xml tag-separateadminworkstation tag-serviceprincipalname tag-services-xml tag-spn tag-systemcompromise tag-sysvol tag-tgs tag-tgscracking tag-tgt tag-xml item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p 
class="default_date"> <span class="month">Jan</span> <span class="day">01</span> <span class="year">2016</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=2362" rel="bookmark" title="Permalink to Attack Methods for Gaining Domain Admin Rights in Active Directory"> Attack Methods for Gaining Domain Admin Rights in Active Directory </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation).</p> <p>The unfortunate reality for most enterprises is that it often does not take long for an attacker to go from domain user to domain admin. The question on defenders’ minds is “how does this happen?”.</p> <p>The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. 
Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).</p> <p>While the overall process detail varies, the overall theme remains:</p> <ul type="circle"> <li>Malware Injection (Spear-Phish, Web Exploits, etc)</li> <li>Reconnaissance (Internal)</li> <li>Credential Theft</li> <li>Exploitation & Privilege Escalation</li> <li>Data Access & Exfiltration</li> <li>Persistence (retaining access)</li> </ul> <p>We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks. Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the workstation to having local administrator rights. This escalation can occur either by exploiting an unpatched privilege escalation vulnerability on the system or, more frequently, by finding local admin passwords in SYSVOL, such as those in Group Policy Preferences.</p> <p>I spoke about most of these techniques <a href="https://adsecurity.org/?page_id=1352">at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon)</a>.</p> <p>I also covered some of these issues in the post “<a href="https://adsecurity.org/?p=1684">The Most Common Active Directory Security Issues and What You Can Do to Fix Them</a>”.</p> <p> <a href="https://adsecurity.org/?p=2362#more-2362" class="more-link btn"><span class="btn">Continue reading <i class="fa fa-arrow-circle-right"></i></span></a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-758" href="https://adsecurity.org/?tag=administratorpassword">administratorpassword</a>, 
<a class="term term-tagpost_tag term-745" href="https://adsecurity.org/?tag=aesprivatekey">AESprivatekey</a>, <a class="term term-tagpost_tag term-789" href="https://adsecurity.org/?tag=aessharedsecret">AESsharedsecret</a>, <a class="term term-tagpost_tag term-747" href="https://adsecurity.org/?tag=cpassword">cpassword</a>, <a class="term term-tagpost_tag term-540" href="https://adsecurity.org/?tag=credentialtheft">CredentialTheft</a>, <a class="term term-tagpost_tag term-752" href="https://adsecurity.org/?tag=credentialtheftshuffle">CredentialTheftShuffle</a>, <a class="term term-tagpost_tag term-384" href="https://adsecurity.org/?tag=domainadmins">DomainAdmins</a>, <a class="term term-tagpost_tag term-101" href="https://adsecurity.org/?tag=domaincontroller">DomainController</a>, <a class="term term-tagpost_tag term-753" href="https://adsecurity.org/?tag=dumpcredentiasls">DumpCredentiasls</a>, <a class="term term-tagpost_tag term-761" href="https://adsecurity.org/?tag=dumplsass">DumpLSASS</a>, <a class="term term-tagpost_tag term-385" href="https://adsecurity.org/?tag=enterpriseadmins">EnterpriseAdmins</a>, <a class="term term-tagpost_tag term-744" href="https://adsecurity.org/?tag=get-gpppassword">Get-GPPPassword</a>, <a class="term term-tagpost_tag term-765" href="https://adsecurity.org/?tag=goldentickets">GoldenTickets</a>, <a class="term term-tagpost_tag term-12" href="https://adsecurity.org/?tag=gpp">GPP</a>, <a class="term term-tagpost_tag term-742" href="https://adsecurity.org/?tag=grouppolicypreferences">GroupPolicyPreferences</a>, <a class="term term-tagpost_tag term-748" href="https://adsecurity.org/?tag=groups-xml">groups.xml</a>, <a class="term term-tagpost_tag term-764" href="https://adsecurity.org/?tag=ifm">IFM</a>, <a class="term term-tagpost_tag term-763" href="https://adsecurity.org/?tag=installfrommedia">InstallFromMedia</a>, <a class="term term-tagpost_tag term-726" href="https://adsecurity.org/?tag=kb2962486">KB2962486</a>, <a class="term 
term-tagpost_tag term-337" href="https://adsecurity.org/?tag=kb3011780">KB3011780</a>, <a class="term term-tagpost_tag term-531" href="https://adsecurity.org/?tag=kekeo">Kekeo</a>, <a class="term term-tagpost_tag term-673" href="https://adsecurity.org/?tag=kerberoast">Kerberoast</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-298" href="https://adsecurity.org/?tag=kerberoshacking">KerberosHacking</a>, <a class="term term-tagpost_tag term-631" href="https://adsecurity.org/?tag=laps">LAPS</a>, <a class="term term-tagpost_tag term-755" href="https://adsecurity.org/?tag=lateralmovement">lateralmovement</a>, <a class="term term-tagpost_tag term-757" href="https://adsecurity.org/?tag=localadministratoraccountpassword">localadministratoraccountpassword</a>, <a class="term term-tagpost_tag term-71" href="https://adsecurity.org/?tag=lsass">LSASS</a>, <a class="term term-tagpost_tag term-762" href="https://adsecurity.org/?tag=lsassdumpfile">LSASSDumpFile</a>, <a class="term term-tagpost_tag term-629" href="https://adsecurity.org/?tag=microsoftlaps">MicrosoftLAPS</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-295" href="https://adsecurity.org/?tag=ms14068">MS14068</a>, <a class="term term-tagpost_tag term-751" href="https://adsecurity.org/?tag=ms14068-exe">ms14068.exe</a>, <a class="term term-tagpost_tag term-334" href="https://adsecurity.org/?tag=ms14068exploit">MS14068Exploit</a>, <a class="term term-tagpost_tag term-746" href="https://adsecurity.org/?tag=msdn">MSDN</a>, <a class="term term-tagpost_tag term-691" href="https://adsecurity.org/?tag=ntds-dit">ntds.dit</a>, <a class="term term-tagpost_tag term-759" href="https://adsecurity.org/?tag=paws">PAWS</a>, <a class="term term-tagpost_tag term-766" href="https://adsecurity.org/?tag=persistence">Persistence</a>, <a class="term 
term-tagpost_tag term-232" href="https://adsecurity.org/?tag=powersploit">PowerSploit</a>, <a class="term term-tagpost_tag term-329" href="https://adsecurity.org/?tag=pykek">PyKEK</a>, <a class="term term-tagpost_tag term-708" href="https://adsecurity.org/?tag=rc4_hmac_md5">RC4_HMAC_MD5</a>, <a class="term term-tagpost_tag term-478" href="https://adsecurity.org/?tag=rdp">RDP</a>, <a class="term term-tagpost_tag term-754" href="https://adsecurity.org/?tag=runas">RunAs</a>, <a class="term term-tagpost_tag term-749" href="https://adsecurity.org/?tag=scheduledtasks-xml">scheduledtasks.xml</a>, <a class="term term-tagpost_tag term-760" href="https://adsecurity.org/?tag=separateadminworkstation">separateAdminWorkstation</a>, <a class="term term-tagpost_tag term-83" href="https://adsecurity.org/?tag=serviceprincipalname">ServicePrincipalName</a>, <a class="term term-tagpost_tag term-750" href="https://adsecurity.org/?tag=services-xml">Services.xml</a>, <a class="term term-tagpost_tag term-294" href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-756" href="https://adsecurity.org/?tag=systemcompromise">systemcompromise</a>, <a class="term term-tagpost_tag term-621" href="https://adsecurity.org/?tag=sysvol">SYSVOL</a>, <a class="term term-tagpost_tag term-528" href="https://adsecurity.org/?tag=tgs">TGS</a>, <a class="term term-tagpost_tag term-743" href="https://adsecurity.org/?tag=tgscracking">TGSCracking</a>, <a class="term term-tagpost_tag term-529" href="https://adsecurity.org/?tag=tgt">TGT</a>, <a class="term term-tagpost_tag term-728" href="https://adsecurity.org/?tag=xml">xml</a></span></li> <li class="comment-link col-sm-4"><i class="fa fa-comments"></i> <a href="https://adsecurity.org/?p=2362#comments">2 comments</a></li> </ul> </div> </div> <div id="post-1684" class="clearfix post post-1684 type-post status-publish format-standard sticky hentry category-activedirectorysecurity category-microsoft-security category-technical-reference 
tag-activedirectoryattack tag-activedirectorydefense tag-activedirectorysecurity tag-commonsecurityissues tag-domaincontrollersecurity tag-enterprisesecurity item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Oct</span> <span class="day">14</span> <span class="year">2015</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=1684" rel="bookmark" title="Permalink to The Most Common Active Directory Security Issues and What You Can Do to Fix Them"> The Most Common Active Directory Security Issues and What You Can Do to Fix Them </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>The past couple of years of meeting with customers has been enlightening since every environment, though unique, often has the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.</p> <p>I spoke about Active Directory attack and defense at several security conferences this year including BSides, Shakacon, Black Hat, DEF CON, and DerbyCon. <a href="https://adsecurity.org/?page_id=1352">These talks include information about how to best protect the Active Directory enterprise from the latest, and most successful, attack vectors</a>.</p> <p>While the threats have changed over the past decade, the way systems and networks are managed often has not. 
We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “<a href="https://azure.microsoft.com/en-us/blog/red-teaming-using-cutting-edge-threat-simulation-to-harden-the-microsoft-enterprise-cloud/?rnd=1">Assume Breach</a>.”</p> <p>Assume breach means that we must assume that an attacker has control of a computer on the internal network and can access the same resources that the users who have recently logged on to that computer have access to.<br /> <em>Note that when I describe risks and mitigations of Active Directory, this includes overall enterprise configuration.</em></p> <p>Here are some of the biggest AD security issues (as I see them). This list is not complete, but reflects common enterprise issues.<br /> I continue to find many of these issues when I perform <a href="https://trimarcsecurity.com/security-services">Active Directory Security Assessments</a> for organizations.</p> <p> <a href="https://adsecurity.org/?p=1684#more-1684" class="more-link btn"><span class="btn">Continue reading <i class="fa fa-arrow-circle-right"></i></span></a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-537" href="https://adsecurity.org/?tag=activedirectoryattack">ActiveDirectoryAttack</a>, <a class="term term-tagpost_tag term-538" href="https://adsecurity.org/?tag=activedirectorydefense">ActiveDirectoryDefense</a>, <a class="term term-tagpost_tag term-113" href="https://adsecurity.org/?tag=activedirectorysecurity">ActiveDirectorySecurity</a>, <a class="term term-tagpost_tag term-665" href="https://adsecurity.org/?tag=commonsecurityissues">CommonSecurityIssues</a>, <a class="term term-tagpost_tag term-664" href="https://adsecurity.org/?tag=domaincontrollersecurity">DomainControllerSecurity</a>, <a class="term term-tagpost_tag term-666" 
href="https://adsecurity.org/?tag=enterprisesecurity">EnterpriseSecurity</a></span></li> </ul> </div> </div> <div id="post-4436" class="clearfix post post-4436 type-post status-publish format-standard hentry category-technical-reference item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jun</span> <span class="day">05</span> <span class="year">2024</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4436" rel="bookmark" title="Permalink to BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf"> BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=3" rel="author">Danny Akacki</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <figure class="wp-block-image size-large"><img decoding="async" width="1024" height="567" src="https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28-1024x567.png" alt="" class="wp-image-4440" srcset="https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28-1024x567.png 1024w, https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28-300x166.png 300w, https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28-768x426.png 768w, https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28-823x456.png 823w, https://adsecurity.org/wp-content/uploads/2024/06/2024-06-05_11-21-28.png 1274w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>We have an Identity problem and not the kind you think of when you look in the mirror. 
Attacks have shifted from the perimeter to the endpoints and now attackers have their sights on identity. This talk explores the issues with Identity security specifically the two most popular identity systems, Active Directory & Azure AD (“Entra ID” for those who read Microsoft’s press releases). These Identity security issues lead to compromise of systems that leverage the identity system for authentication/authorization.<br><br><a href="https://www.hub.trimarcsecurity.com/post/bsides-dublin-the-current-state-of-microsoft-identity-security-common-security-issues-and-misconf">Click here to read more. </a></p> </div> </div> </div> <div id="post-4434" class="clearfix post post-4434 type-post status-publish format-standard hentry category-technical-reference tag-activedirectory tag-azure tag-entraid item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">28</span> <span class="year">2024</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4434" rel="bookmark" title="Permalink to DEFCON 2017: Transcript – Hacking the Cloud"> DEFCON 2017: Transcript – Hacking the Cloud </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=3" rel="author">Danny Akacki</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>Let’s look at recon in a cloud-type environment. You have a customer. They’ve hired you to come in and pen test, red team their environment, and they said, “We want to add cloud to the scope.” What does that mean? 
How do we identify what sort of cloud services they have?</p> <p><a href="https://www.hub.trimarcsecurity.com/post/transcript-for-defcon-2017-talk-hacking-the-cloud-gerald-steere-sean-metcalf">Continue reading…</a></p> <figure class="wp-block-image size-full"><img decoding="async" width="748" height="421" src="https://adsecurity.org/wp-content/uploads/2024/06/543129-DefCon-defcon25-748x421-1.jpg" alt="" class="wp-image-4442" srcset="https://adsecurity.org/wp-content/uploads/2024/06/543129-DefCon-defcon25-748x421-1.jpg 748w, https://adsecurity.org/wp-content/uploads/2024/06/543129-DefCon-defcon25-748x421-1-300x169.jpg 300w" sizes="(max-width: 748px) 100vw, 748px" /></figure> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-25" href="https://adsecurity.org/?tag=azure">Azure</a>, <a class="term term-tagpost_tag term-1453" href="https://adsecurity.org/?tag=entraid">EntraID</a></span></li> </ul> </div> </div> <div id="post-4432" class="clearfix post post-4432 type-post status-publish format-standard hentry category-technical-reference tag-activedirectory tag-bsides tag-threat-hunting item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">28</span> <span class="year">2024</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4432" rel="bookmark" title="Permalink to Detecting the Elusive: Active Directory Threat Hunting"> Detecting the Elusive: Active Directory Threat Hunting </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=3" rel="author">Danny Akacki</a></span><span class="entry-cat"> in <span class="terms"><a class="term 
term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="474" height="355" src="https://adsecurity.org/wp-content/uploads/2024/06/OIP-4.jpg" alt="" class="wp-image-4444" srcset="https://adsecurity.org/wp-content/uploads/2024/06/OIP-4.jpg 474w, https://adsecurity.org/wp-content/uploads/2024/06/OIP-4-300x225.jpg 300w" sizes="(max-width: 474px) 100vw, 474px" /></figure> <p>This is “Detecting the Elusive: Active Directory Threat Hunting”, and I am Sean Metcalf. I’m the founder of <a href="http://trimarcsecurity.com/"><u>Trimarc</u></a>, a Security Company, a Microsoft-Certified Master (MCM) in Active Directory. There’s about 100 in the world. I’m also a Microsoft MVP. I’ve spoken about Active Directory attack and defense at a number of conferences. I’m a security consultant and researcher, and as we just found out, I run <a href="https://adsecurity.org/"><u>ADSecurity.org</u></a> where I post a lot of interesting security information about the Microsoft platform. 
So what are we going to talk about?</p> <p>Continue reading…</p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-1455" href="https://adsecurity.org/?tag=bsides">bsides</a>, <a class="term term-tagpost_tag term-1454" href="https://adsecurity.org/?tag=threat-hunting">threat hunting</a></span></li> </ul> </div> </div> <div id="post-4430" class="clearfix post post-4430 type-post status-publish format-standard hentry category-technical-reference tag-activedirectory tag-kerberoast item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">28</span> <span class="year">2024</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4430" rel="bookmark" title="Permalink to Detecting Kerberoasting Activity"> Detecting Kerberoasting Activity </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=3" rel="author">Danny Akacki</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. 
The reason why this attack is successful is that most service account passwords are the same length as the domain’s minimum password length (often 10 or 12 characters long), meaning that even brute-force cracking is unlikely to take longer than the maximum password age (expiration).</p> <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="666" height="346" src="https://adsecurity.org/wp-content/uploads/2024/06/27c3eb_5d69bd721556444493c0b2902a7e4f08mv2.webp" alt="" class="wp-image-4446" srcset="https://adsecurity.org/wp-content/uploads/2024/06/27c3eb_5d69bd721556444493c0b2902a7e4f08mv2.webp 666w, https://adsecurity.org/wp-content/uploads/2024/06/27c3eb_5d69bd721556444493c0b2902a7e4f08mv2-300x156.webp 300w" sizes="(max-width: 666px) 100vw, 666px" /></figure> <p><a href="https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity">Continue reading…</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-673" href="https://adsecurity.org/?tag=kerberoast">Kerberoast</a></span></li> </ul> </div> </div> <div id="post-4428" class="clearfix post post-4428 type-post status-publish format-standard hentry category-technical-reference item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">28</span> <span class="year">2024</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4428" rel="bookmark" title="Permalink to Detecting Password Spraying with Security Event Auditing"> Detecting Password Spraying with Security Event Auditing </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a 
href="https://adsecurity.org/?author=3" rel="author">Danny Akacki</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="585" src="https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-1024x585.webp" alt="" class="wp-image-4448" srcset="https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-1024x585.webp 1024w, https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-300x171.webp 300w, https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-768x439.webp 768w, https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-1536x878.webp 1536w, https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A-823x470.webp 823w, 
https://adsecurity.org/wp-content/uploads/2024/06/DALL·E-2024-06-05-11.37.35-A-banner-image-depicting-a-password-spraying-attack-in-an-Active-Directory-environment-without-using-any-printed-words.-The-image-includes-a-central-A.webp 1792w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p></p> <p>A common method leveraged by attackers, as well as by many penetration testers and Red Teamers, is called “password spraying”. Password spraying is interesting because it’s automated password guessing. This automated password guessing against all users typically avoids account lockout since the logon attempts with a specific password are performed against every user rather than repeatedly against one specific account, which is the pattern account lockout was designed to defeat. The attacker starts with a list of passwords they’re going to try, beginning with the most likely passwords (“Fall2017”, “Winter2018”, etc).</p> <p><a href="https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-password-spraying-with-security-event-auditing">Continue reading…</a></p> </div> </div> </div> <div id="post-4426" class="clearfix post post-4426 type-post status-publish format-standard hentry category-technical-reference tag-azuread tag-entraid item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">28</span> <span class="year">2024</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4426" rel="bookmark" title="Permalink to Hardening Azure AD in the Face of Emerging Threats"> Hardening Azure AD in the Face of Emerging Threats </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=3" rel="author">Danny Akacki</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> 
</li> </ul> <div class="entry-content clearfix"> <p id="viewer-ea92g">In September of 2021, Trimarc Founder & CTO Sean Metcalf presented at Quest’s The Experts Conference.</p> <p id="viewer-bae28">“This presentation covers some attacks that involve Microsoft cloud on-prem components as well as those against the Microsoft cloud directly. After discussing attacks and specific defenses, I will wrap up with some key recommendations.</p> <p id="viewer-40tif"><strong>Note: There will be some duplication among recommendations. That’s on purpose – if I mention something more than once, that means it’s really important!”</strong><br><br><a href="https://www.hub.trimarcsecurity.com/post/hardening-azure-ad-in-the-face-of-emerging-threats">To view the full slide deck, click here. Enjoy!</a></p> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-136" href="https://adsecurity.org/?tag=azuread">AzureAD</a>, <a class="term term-tagpost_tag term-1453" href="https://adsecurity.org/?tag=entraid">EntraID</a></span></li> </ul> </div> </div> <div id="post-4367" class="clearfix post post-4367 type-post status-publish format-standard hentry category-activedirectorysecurity category-hacking category-microsoft-security tag-clear-text-password tag-computer-account tag-convertto-nthash tag-dsinternals tag-get-adreplaccount tag-get-adserviceaccount tag-gmsa tag-gmsa-password tag-gmsa-password-hash tag-gmsa-spn tag-group-managed-service-accounts tag-kerberos tag-kerberos-spn tag-lsass tag-mimikatz tag-msds-groupmanagedserviceaccount tag-msds-groupmsamembership tag-msds-managedpassword tag-msds-managedpasswordid tag-msds-managedpasswordinterval tag-msds-managepasswordinterval tag-principalsallowedtoretrivemanagedpassword tag-psexec tag-sekurlsaekeys tag-sekurlsalogonpasswords tag-service-principal-name tag-serviceprincipalnames tag-spn tag-system tag-_sa_ item-wrap"> <div class="entry 
clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">29</span> <span class="year">2020</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4367" rel="bookmark" title="Permalink to Attacking Active Directory Group Managed Service Accounts (GMSAs)"> Attacking Active Directory Group Managed Service Accounts (GMSAs) </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>In May 2020, I presented some Active Directory security topics in a <a href="https://www.hub.trimarcsecurity.com/post/webcast-securing-active-directory-resolving-common-issues">Trimarc Webcast called “Securing Active Directory: Resolving Common Issues”</a> and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.<br />I put this information together after speaking with someone about using GMSAs running services on servers that have privileged AD rights and there was confusion about what GMSAs actually do and what they can’t. The confusion seemed to be rooted in the belief that GMSA credentials are protected more than regular accounts (they aren’t). The key benefit is that their passwords change automatically, not that the credential data has stronger protections. 
</p> <p>This post is meant to highlight what GMSAs can do and what an attacker can do if not protected appropriately. We have seen limited usage of Group Managed Service Accounts in AD environments when we perform <a href="http://trimarc.co/ADSA">Active Directory Security Assessments at Trimarc</a>. GMSAs should be used wherever possible to replace user accounts as service accounts since the passwords will rotate automatically.</p> <p><strong>Group Managed Service Accounts (GMSAs)</strong><br />User accounts created to be used as service accounts rarely have their password changed. <a href="https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">Group Managed Service Accounts (GMSAs) </a>provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. This means that the GMSA has to have security principals explicitly delegated to have access to the clear-text password. 
Much like with other areas where delegation controls access (<a href="https://adsecurity.org/?p=3164">LAPS</a>), determining who should be delegated access needs to be carefully considered.</p> <p><span style="text-decoration: underline;">Key Points for Group Managed Service Accounts (GMSAs) :</span></p> <ul><li>The GMSA password is managed by AD.</li><li>Computers hosting GMSA service account(s) request current password from Active Directory to start service.</li><li>Configure the GMSA to allow computer accounts access to password.</li><li>If an attacker compromises computer hosting services using GMSA, the GMSA is compromised.</li><li>If attacker compromises an account with rights to request GMSA password, the GMSA is compromised.</li></ul> <p>Group Managed Service Accounts have the object class “<a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adsc/219549d4-39eb-4771-bb8c-b3593ff6be48">msDS-GroupManagedServiceAccount</a>” and associated attributes specific to GMSAs. 
These properties include:</p> <ul><li><a href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-groupmsamembership">msDS-GroupMSAMembership</a> (PrincipalsAllowedToRetrieveManagedPassword) – stores the security principals that can access the GMSA password.</li><li><a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/9cd2fc5e-7305-4fb8-b233-2a60bc3eec68">msds-ManagedPassword</a> – This attribute contains a BLOB with password information for group-managed service accounts.</li><li><a href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-managedpasswordid">msDS-ManagedPasswordId</a> – This constructed attribute contains the key identifier for the current managed password data for a group MSA.</li><li><a href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-managedpasswordinterval">msDS-ManagedPasswordInterval</a> – This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.<br /></li></ul> <figure class="wp-block-image alignfull size-large"><img loading="lazy" decoding="async" width="1024" height="248" src="https://adsecurity.org/wp-content/uploads/2020/05/image-48-1024x248.png" alt="" class="wp-image-4383" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-48-1024x248.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-48-300x73.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-48-768x186.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-48-1536x372.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-48.png 1942w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>Running the AD PowerShell cmdlet Get-ADServiceAccount, we can retrieve information about the GMSA, including specific GMSA attributes. This GMSA is a member of the domain Administrators group which has full AD & DC admin rights to the domain. 
The screenshot shows that the password changed recently and won’t change for a few weeks – changed on 5/11/2020 and configured to change every 30 days. This means that if we can get the password for this account, we have almost a month to use the account credentials before it changes. We can also identify a group that can retrieve the password data. We’ll take a look at this in a bit.</p> <a href="https://adsecurity.org/?p=4367#more-4367" class="more-link btn"><span class="btn">Continue reading <i class="fa fa-arrow-circle-right"></i></span></a> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1444" href="https://adsecurity.org/?tag=clear-text-password">clear-text password</a>, <a class="term term-tagpost_tag term-1446" href="https://adsecurity.org/?tag=computer-account">Computer Account</a>, <a class="term term-tagpost_tag term-1442" href="https://adsecurity.org/?tag=convertto-nthash">ConvertTo-NTHash</a>, <a class="term term-tagpost_tag term-602" href="https://adsecurity.org/?tag=dsinternals">DSInternals</a>, <a class="term term-tagpost_tag term-1448" href="https://adsecurity.org/?tag=get-adreplaccount">Get-ADReplAccount</a>, <a class="term term-tagpost_tag term-1432" href="https://adsecurity.org/?tag=get-adserviceaccount">Get-ADServiceAccount</a>, <a class="term term-tagpost_tag term-1430" href="https://adsecurity.org/?tag=gmsa">GMSA</a>, <a class="term term-tagpost_tag term-1431" href="https://adsecurity.org/?tag=gmsa-password">GMSA password</a>, <a class="term term-tagpost_tag term-1438" href="https://adsecurity.org/?tag=gmsa-password-hash">GMSA password hash</a>, <a class="term term-tagpost_tag term-1436" href="https://adsecurity.org/?tag=gmsa-spn">GMSA SPN</a>, <a class="term term-tagpost_tag term-1429" href="https://adsecurity.org/?tag=group-managed-service-accounts">Group Managed Service Accounts</a>, <a class="term term-tagpost_tag term-81" 
href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-1435" href="https://adsecurity.org/?tag=kerberos-spn">Kerberos SPN</a>, <a class="term term-tagpost_tag term-71" href="https://adsecurity.org/?tag=lsass">LSASS</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1449" href="https://adsecurity.org/?tag=msds-groupmanagedserviceaccount">msDS-GroupManagedServiceAccount</a>, <a class="term term-tagpost_tag term-1451" href="https://adsecurity.org/?tag=msds-groupmsamembership">msDS-GroupMSAMembership</a>, <a class="term term-tagpost_tag term-1443" href="https://adsecurity.org/?tag=msds-managedpassword">msds-ManagedPassword</a>, <a class="term term-tagpost_tag term-1452" href="https://adsecurity.org/?tag=msds-managedpasswordid">msDS-ManagedPasswordId</a>, <a class="term term-tagpost_tag term-1450" href="https://adsecurity.org/?tag=msds-managedpasswordinterval">msDS-ManagedPasswordInterval</a>, <a class="term term-tagpost_tag term-1440" href="https://adsecurity.org/?tag=msds-managepasswordinterval">msDS-ManagePasswordInterval</a>, <a class="term term-tagpost_tag term-1439" href="https://adsecurity.org/?tag=principalsallowedtoretrivemanagedpassword">PrincipalsAllowedToRetriveManagedPassword</a>, <a class="term term-tagpost_tag term-1447" href="https://adsecurity.org/?tag=psexec">PSEXEC</a>, <a class="term term-tagpost_tag term-1434" href="https://adsecurity.org/?tag=sekurlsaekeys">Sekurlsa::ekeys</a>, <a class="term term-tagpost_tag term-776" href="https://adsecurity.org/?tag=sekurlsalogonpasswords">sekurlsa::logonpasswords</a>, <a class="term term-tagpost_tag term-1137" href="https://adsecurity.org/?tag=service-principal-name">service principal name</a>, <a class="term term-tagpost_tag term-1441" href="https://adsecurity.org/?tag=serviceprincipalnames">ServicePrincipalNames</a>, <a class="term term-tagpost_tag term-294" 
href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-1445" href="https://adsecurity.org/?tag=system">SYSTEM</a>, <a class="term term-tagpost_tag term-1433" href="https://adsecurity.org/?tag=_sa_">_SA_</a></span></li> </ul> </div> </div> <div id="post-4211" class="clearfix post post-4211 type-post status-publish format-standard hentry category-technical-reference tag-aad tag-accounttokentheft tag-activedirectory tag-activesync tag-ad tag-adal tag-adalpowershell tag-attackingmicrosoftcloud tag-attackingoffice365 tag-azure-ad-account-enumeration tag-azureactivedirectory tag-azuread tag-azureadpasswordspray tag-azureadpowershellmodule tag-azurepim tag-cloudad tag-exchangeonlinemodule tag-globaladmin tag-globalreader tag-microsoftcloud tag-microsoftcloudsecurity tag-msonline tag-o365 tag-o365creeper tag-o365passwordspray tag-office365 tag-office365passwordspray tag-office365security tag-owa tag-passwordspraydetection tag-passwordspraying tag-pim tag-privilegedidentitymanagement tag-whatisazureactivedirectory tag-whatisazuread item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Jan</span> <span class="day">12</span> <span class="year">2020</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4211" rel="bookmark" title="Permalink to What is Azure Active Directory?"> What is Azure Active Directory? 
</a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>Many are familiar with Active Directory, the on-premises directory and authentication system that is available with Windows Server, <em>but exactly <a href="https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis">what is Azure Active Directory</a>?</em><br /><br />Azure Active Directory (Azure AD or AAD) is a multi-tenant cloud directory and <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios">authentication </a>service. <br />Azure AD is the directory service that Office 365 (and Azure) leverages for accounts, groups, and roles.<br />It is also an Identity Provider (IdP) and supports federation (SAML, etc). <br />Note: given how rapidly the cloud changes, elements of this post may become out of date soon after the original post date.<br /><strong><br />Azure AD is highly available and globally deployed.</strong></p> <blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p> Azure AD is deployed in over 30 datacenters around the world leveraging Azure Availability Zones where present. This number is growing rapidly as additional Azure Regions are deployed. <br /><br /> For durability, any piece of data written to Azure AD is replicated to at least 4 and up to 13 datacenters depending on your tenant configuration. Within each data center, data is again replicated at least 9 times for durability but also to scale out capacity to serve authentication load. 
To illustrate—this means that at any point in time, there are at least 36 copies of your directory data available within our service in our smallest region. For durability, writes to Azure AD are not completed until a successful commit to an out of region datacenter. <br /><br /> This approach gives us both durability of the data and massive redundancy—multiple network paths and datacenters can serve any given authorization request, and the system automatically and intelligently retries and routes around failures both inside a datacenter and across datacenters. <br /><br /> To validate this, we regularly exercise fault injection and validate the system’s resiliency to failure of the system components Azure AD is built on. This extends all the way to taking out entire datacenters on a regular basis to confirm the system can tolerate the loss of a datacenter with zero customer impact. <br />…<br /> Azure AD is already a massive system running on over 300,000 CPU Cores and able to rely on the massive scalability of the Azure Cloud to dynamically and rapidly scale up to meet any demand. This can include both natural increases in traffic, such as a 9AM peak in authentications in a given region, but also huge surges in new traffic served by our Azure AD B2C which powers some of the world’s largest events and frequently sees rushes of millions of new users. <br />…<br /> To support the health checks that gate safe deployment and give our engineering team insight into the health of the systems, Azure AD emits a massive amount of internal telemetry, metrics, and signals used to monitor the health of our systems. At our scale, this is over 11 PetaBytes a week of signals that feed our automated health monitoring systems. 
</p><cite><a href="https://azure.microsoft.com/en-us/blog/advancing-azure-active-directory-availability/">https://azure.microsoft.com/en-us/blog/advancing-azure-active-directory-availability/</a></cite></blockquote> <p><strong>Azure Active Directory is Not Cloud AD</strong><br />Azure Active Directory is not Active Directory hosted in the cloud. <br />There are no standard AD authentication methods such as NTLM or Kerberos; no LDAP; and no group policy (GPO), so Azure AD won’t work for traditional on-prem applications.<br /><br />There are cloud hosted Active Directory environments that can be used to manage cloud workloads in Microsoft Azure (<a href="https://azure.microsoft.com/en-us/services/active-directory-ds/">Azure Active Directory Domain Services</a>), Amazon AWS (<a href="https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html">Amazon Managed Microsoft AD</a>), and Google Cloud (<a href="https://cloud.google.com/managed-microsoft-ad/">Managed Service for Microsoft Active Directory (AD)</a>). 
These are all hosted Microsoft Active Directory environments which have 2 Domain Controllers (or more) and the tenant admins do not receive Domain Admin rights to the hosted AD environment; only delegated access is provided which often includes the ability to create/manage resources in a specific OU and specific GPOs.<br /><br /><em>Note: I don’t have room to include a comparison of these services here, but may write a future post if there’s interest (I did some research comparing Microsoft Azure vs Amazon AWS hosted AD service offerings in 2017).</em></p> <figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" src="https://adsecurity.org/wp-content/uploads/2020/01/image-1024x556.png" alt="" class="wp-image-4212" width="768" height="417" srcset="https://adsecurity.org/wp-content/uploads/2020/01/image-1024x556.png 1024w, https://adsecurity.org/wp-content/uploads/2020/01/image-300x163.png 300w, https://adsecurity.org/wp-content/uploads/2020/01/image-768x417.png 768w, https://adsecurity.org/wp-content/uploads/2020/01/image.png 1426w" sizes="(max-width: 768px) 100vw, 768px" /></figure> <figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" src="https://adsecurity.org/wp-content/uploads/2020/01/image-6-1024x576.png" alt="" class="wp-image-4249" width="768" height="432" srcset="https://adsecurity.org/wp-content/uploads/2020/01/image-6-1024x576.png 1024w, https://adsecurity.org/wp-content/uploads/2020/01/image-6-300x169.png 300w, https://adsecurity.org/wp-content/uploads/2020/01/image-6-768x432.png 768w, https://adsecurity.org/wp-content/uploads/2020/01/image-6.png 1280w" sizes="(max-width: 768px) 100vw, 768px" /></figure> <p><strong>Primary Management Tools</strong><br />The tool that most AD administrators are familiar with is Active Directory Users and Computers aka ADUC (MMC tool). 
</p> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="745" height="533" src="https://adsecurity.org/wp-content/uploads/2020/01/image-7.png" alt="" class="wp-image-4261" srcset="https://adsecurity.org/wp-content/uploads/2020/01/image-7.png 745w, https://adsecurity.org/wp-content/uploads/2020/01/image-7-300x215.png 300w" sizes="(max-width: 745px) 100vw, 745px" /></figure> <p>Azure Active Directory administrators will primarily use the web console at https://portal.azure.com to administer the environment.</p> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="928" src="https://adsecurity.org/wp-content/uploads/2020/01/image-8-1024x928.png" alt="" class="wp-image-4262" srcset="https://adsecurity.org/wp-content/uploads/2020/01/image-8-1024x928.png 1024w, https://adsecurity.org/wp-content/uploads/2020/01/image-8-300x272.png 300w, https://adsecurity.org/wp-content/uploads/2020/01/image-8-768x696.png 768w, https://adsecurity.org/wp-content/uploads/2020/01/image-8-1536x1392.png 1536w, https://adsecurity.org/wp-content/uploads/2020/01/image-8.png 1987w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>Admins that manage Active Directory on-prem and now Azure AD/Office 365 will be using the on-prem MMC tools as well as the web admin portals (and various URLs associated with them).<br />There are PowerShell cmdlets available for managing Azure AD (similar to on-prem), though cloud features often move faster than the PowerShell tools are released, which means that the cloud admin portal should still be used, even when using PowerShell.</p> <p><strong>Interfacing with Azure Active Directory</strong><br />Since Azure AD doesn’t have LDAP, interfacing with AAD involves connecting via the Graph API (or PowerShell modules). 
I like PowerShell, so I use the PowerShell modules (or Portal websites) for management and reporting.<br /><br />There are 2 primary PowerShell modules for interfacing with Azure AD: <a href="https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0">MSOnline </a>and <a href="https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0">AzureAD</a>. These can be installed through the PowerShell install feature:<br /> <em> Install-Module -Name MSOnline -Force </em> <br /> <em> Install-Module -Name AzureAD -Force<br /></em><br />The AzureAD module may eventually replace the MSOnline PowerShell module, but there are features available in MSOnline that haven’t been ported to the Azure AD module (yet). </p> <a href="https://adsecurity.org/?p=4211#more-4211" class="more-link btn"><span class="btn">Continue reading <i class="fa fa-arrow-circle-right"></i></span></a> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1376" href="https://adsecurity.org/?tag=aad">AAD</a>, <a class="term term-tagpost_tag term-1401" href="https://adsecurity.org/?tag=accounttokentheft">AccountTokenTheft</a>, <a class="term term-tagpost_tag term-20" href="https://adsecurity.org/?tag=activedirectory">ActiveDirectory</a>, <a class="term term-tagpost_tag term-1395" href="https://adsecurity.org/?tag=activesync">ActiveSync</a>, <a class="term term-tagpost_tag term-1013" href="https://adsecurity.org/?tag=ad">AD</a>, <a class="term term-tagpost_tag term-1389" href="https://adsecurity.org/?tag=adal">ADAL</a>, <a class="term term-tagpost_tag term-1390" href="https://adsecurity.org/?tag=adalpowershell">ADALPowerShell</a>, <a class="term term-tagpost_tag term-1379" href="https://adsecurity.org/?tag=attackingmicrosoftcloud">AttackingMicrosoftCloud</a>, <a class="term term-tagpost_tag term-1378" 
href="https://adsecurity.org/?tag=attackingoffice365">AttackingOffice365</a>, <a class="term term-tagpost_tag term-1393" href="https://adsecurity.org/?tag=azure-ad-account-enumeration">Azure AD Account Enumeration</a>, <a class="term term-tagpost_tag term-491" href="https://adsecurity.org/?tag=azureactivedirectory">AzureActiveDirectory</a>, <a class="term term-tagpost_tag term-136" href="https://adsecurity.org/?tag=azuread">AzureAD</a>, <a class="term term-tagpost_tag term-1397" href="https://adsecurity.org/?tag=azureadpasswordspray">AzureADPasswordSpray</a>, <a class="term term-tagpost_tag term-1388" href="https://adsecurity.org/?tag=azureadpowershellmodule">AzureADPowerShellModule</a>, <a class="term term-tagpost_tag term-1392" href="https://adsecurity.org/?tag=azurepim">AzurePIM</a>, <a class="term term-tagpost_tag term-1385" href="https://adsecurity.org/?tag=cloudad">CloudAD</a>, <a class="term term-tagpost_tag term-1402" href="https://adsecurity.org/?tag=exchangeonlinemodule">ExchangeOnlineModule</a>, <a class="term term-tagpost_tag term-1382" href="https://adsecurity.org/?tag=globaladmin">GlobalAdmin</a>, <a class="term term-tagpost_tag term-1381" href="https://adsecurity.org/?tag=globalreader">GlobalReader</a>, <a class="term term-tagpost_tag term-135" href="https://adsecurity.org/?tag=microsoftcloud">MicrosoftCloud</a>, <a class="term term-tagpost_tag term-1377" href="https://adsecurity.org/?tag=microsoftcloudsecurity">MicrosoftCloudSecurity</a>, <a class="term term-tagpost_tag term-1387" href="https://adsecurity.org/?tag=msonline">MSOnline</a>, <a class="term term-tagpost_tag term-1386" href="https://adsecurity.org/?tag=o365">O365</a>, <a class="term term-tagpost_tag term-1394" href="https://adsecurity.org/?tag=o365creeper">O365Creeper</a>, <a class="term term-tagpost_tag term-1399" href="https://adsecurity.org/?tag=o365passwordspray">O365PasswordSpray</a>, <a class="term term-tagpost_tag term-1374" 
href="https://adsecurity.org/?tag=office365">Office365</a>, <a class="term term-tagpost_tag term-1398" href="https://adsecurity.org/?tag=office365passwordspray">Office365PasswordSpray</a>, <a class="term term-tagpost_tag term-1375" href="https://adsecurity.org/?tag=office365security">Office365security</a>, <a class="term term-tagpost_tag term-1396" href="https://adsecurity.org/?tag=owa">OWA</a>, <a class="term term-tagpost_tag term-1400" href="https://adsecurity.org/?tag=passwordspraydetection">PasswordSprayDetection</a>, <a class="term term-tagpost_tag term-1024" href="https://adsecurity.org/?tag=passwordspraying">PasswordSpraying</a>, <a class="term term-tagpost_tag term-1380" href="https://adsecurity.org/?tag=pim">PIM</a>, <a class="term term-tagpost_tag term-1391" href="https://adsecurity.org/?tag=privilegedidentitymanagement">PrivilegedIdentityManagement</a>, <a class="term term-tagpost_tag term-1383" href="https://adsecurity.org/?tag=whatisazureactivedirectory">WhatIsAzureActiveDirectory</a>, <a class="term term-tagpost_tag term-1384" href="https://adsecurity.org/?tag=whatisazuread">WhatIsAzureAD</a></span></li> </ul> </div> </div> <div id="post-4179" class="clearfix post post-4179 type-post status-publish format-standard hentry category-technical-reference item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Aug</span> <span class="day">07</span> <span class="year">2019</span> </p> </div> <h2 class="post-title entry-title"> <a href="https://adsecurity.org/?p=4179" rel="bookmark" title="Permalink to Slides Posted for Black Hat USA 2019 Talk: Attacking & Defending the Microsoft Cloud"> Slides Posted for Black Hat USA 2019 Talk: Attacking & Defending the Microsoft Cloud </a> </h2> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span 
class="terms"><a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD) <br>Sean Metcalf (Trimarc) & Mark Morowczynski (Principal Program Manager, Microsoft)</p> <p>The allure of the “Cloud” is indisputable. Organizations are moving into the cloud at a rapid pace. Even companies that have said no to the Cloud in the past have started migrating services and resources. The Cloud is a new paradigm and the rapid update pace makes it difficult to keep up, especially when it comes to security. </p> <p>This presentation focuses on the Microsoft Cloud (Office 365 & Azure AD) and explores the most common attacks against the Cloud and describes effective defenses and mitigation. While the content is focused on the Microsoft Cloud, some of the attack and defense topics are applicable to other cloud providers and are noted where applicable. 
</p> <p>Key items covered: <br> Attacks against the Cloud<br> Account compromise and token theft<br> Methods to detect attack activity<br> Cloud identity firewall<br> Securing cloud infrastructure against attacks<br> Secure cloud administration</p> <p><a href="https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf">Slides (PDF)</a></p> </div> </div> </div> </div> <div class="pagination-wrapper"> <ul class="pagination"> <li class="disabled"><span class="page-numbers"><i class="fa fa-angle-left"></i></span></li> <li class="active"><span aria-current="page" class="page-numbers current">1</span></li><li><a class="page-numbers" href="https://adsecurity.org/?paged=2">2</a></li><li><a class="page-numbers" href="https://adsecurity.org/?paged=3">3</a></li><li><span class="page-numbers dots">…</span></li><li><a class="page-numbers" href="https://adsecurity.org/?paged=25">25</a></li><li><a class="next page-numbers" href="https://adsecurity.org/?paged=2"><i class="fa fa-angle-right"></i></a></li> </ul> </div> </div><!-- #content-main --> <div id="sidebar1" class="sidebar sidebar-right widget-area col-md-4"> <div id="recent-posts-4" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript – Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="text-3" class="sidebar-wrap widget_text"><h3>Trimarc Active Directory Security Services</h3> <div 
13.340206185567pt;" aria-label="ADReading (13 items)">ADReading</a> <a href="https://adsecurity.org/?tag=ad-security" class="tag-cloud-link tag-link-100 tag-link-position-6" style="font-size: 8pt;" aria-label="AD Security (5 items)">AD Security</a> <a href="https://adsecurity.org/?tag=adsecurity" class="tag-cloud-link tag-link-86 tag-link-position-7" style="font-size: 10.453608247423pt;" aria-label="ADSecurity (8 items)">ADSecurity</a> <a href="https://adsecurity.org/?tag=azure" class="tag-cloud-link tag-link-25 tag-link-position-8" style="font-size: 8pt;" aria-label="Azure (5 items)">Azure</a> <a href="https://adsecurity.org/?tag=azuread" class="tag-cloud-link tag-link-136 tag-link-position-9" style="font-size: 8pt;" aria-label="AzureAD (5 items)">AzureAD</a> <a href="https://adsecurity.org/?tag=dcsync" class="tag-cloud-link tag-link-598 tag-link-position-10" style="font-size: 10.453608247423pt;" aria-label="DCSync (8 items)">DCSync</a> <a href="https://adsecurity.org/?tag=domaincontroller" class="tag-cloud-link tag-link-101 tag-link-position-11" style="font-size: 15.216494845361pt;" aria-label="DomainController (18 items)">DomainController</a> <a href="https://adsecurity.org/?tag=goldenticket" class="tag-cloud-link tag-link-303 tag-link-position-12" style="font-size: 11.175257731959pt;" aria-label="GoldenTicket (9 items)">GoldenTicket</a> <a href="https://adsecurity.org/?tag=grouppolicy" class="tag-cloud-link tag-link-196 tag-link-position-13" style="font-size: 8pt;" aria-label="GroupPolicy (5 items)">GroupPolicy</a> <a href="https://adsecurity.org/?tag=hyperv" class="tag-cloud-link tag-link-3 tag-link-position-14" style="font-size: 8pt;" aria-label="HyperV (5 items)">HyperV</a> <a href="https://adsecurity.org/?tag=invoke-mimikatz" class="tag-cloud-link tag-link-336 tag-link-position-15" style="font-size: 10.453608247423pt;" aria-label="Invoke-Mimikatz (8 items)">Invoke-Mimikatz</a> <a href="https://adsecurity.org/?tag=kb3011780" class="tag-cloud-link 
tag-link-337 tag-link-position-16" style="font-size: 9.7319587628866pt;" aria-label="KB3011780 (7 items)">KB3011780</a> <a href="https://adsecurity.org/?tag=kdc" class="tag-cloud-link tag-link-80 tag-link-position-17" style="font-size: 8pt;" aria-label="KDC (5 items)">KDC</a> <a href="https://adsecurity.org/?tag=kerberos" class="tag-cloud-link tag-link-81 tag-link-position-18" style="font-size: 15.216494845361pt;" aria-label="Kerberos (18 items)">Kerberos</a> <a href="https://adsecurity.org/?tag=kerberoshacking" class="tag-cloud-link tag-link-298 tag-link-position-19" style="font-size: 11.752577319588pt;" aria-label="KerberosHacking (10 items)">KerberosHacking</a> <a href="https://adsecurity.org/?tag=krbtgt" class="tag-cloud-link tag-link-394 tag-link-position-20" style="font-size: 9.7319587628866pt;" aria-label="KRBTGT (7 items)">KRBTGT</a> <a href="https://adsecurity.org/?tag=laps" class="tag-cloud-link tag-link-631 tag-link-position-21" style="font-size: 9.0103092783505pt;" aria-label="LAPS (6 items)">LAPS</a> <a href="https://adsecurity.org/?tag=lsass" class="tag-cloud-link tag-link-71 tag-link-position-22" style="font-size: 11.175257731959pt;" aria-label="LSASS (9 items)">LSASS</a> <a href="https://adsecurity.org/?tag=mcm" class="tag-cloud-link tag-link-6 tag-link-position-23" style="font-size: 14.061855670103pt;" aria-label="MCM (15 items)">MCM</a> <a href="https://adsecurity.org/?tag=microsoftemet" class="tag-cloud-link tag-link-58 tag-link-position-24" style="font-size: 11.175257731959pt;" aria-label="MicrosoftEMET (9 items)">MicrosoftEMET</a> <a href="https://adsecurity.org/?tag=microsoftwindows" class="tag-cloud-link tag-link-102 tag-link-position-25" style="font-size: 9.7319587628866pt;" aria-label="MicrosoftWindows (7 items)">MicrosoftWindows</a> <a href="https://adsecurity.org/?tag=mimikatz" class="tag-cloud-link tag-link-207 tag-link-position-26" style="font-size: 18.103092783505pt;" aria-label="mimikatz (29 items)">mimikatz</a> <a 
href="https://adsecurity.org/?tag=ms14068" class="tag-cloud-link tag-link-295 tag-link-position-27" style="font-size: 11.175257731959pt;" aria-label="MS14068 (9 items)">MS14068</a> <a href="https://adsecurity.org/?tag=passthehash" class="tag-cloud-link tag-link-44 tag-link-position-28" style="font-size: 9.7319587628866pt;" aria-label="PassTheHash (7 items)">PassTheHash</a> <a href="https://adsecurity.org/?tag=powershell" class="tag-cloud-link tag-link-575 tag-link-position-29" style="font-size: 18.536082474227pt;" aria-label="PowerShell (31 items)">PowerShell</a> <a href="https://adsecurity.org/?tag=powershellcode" class="tag-cloud-link tag-link-22 tag-link-position-30" style="font-size: 14.927835051546pt;" aria-label="PowerShellCode (17 items)">PowerShellCode</a> <a href="https://adsecurity.org/?tag=powershellhacking" class="tag-cloud-link tag-link-68 tag-link-position-31" style="font-size: 8pt;" aria-label="PowerShellHacking (5 items)">PowerShellHacking</a> <a href="https://adsecurity.org/?tag=powershellv5" class="tag-cloud-link tag-link-69 tag-link-position-32" style="font-size: 8pt;" aria-label="PowerShellv5 (5 items)">PowerShellv5</a> <a href="https://adsecurity.org/?tag=powersploit" class="tag-cloud-link tag-link-232 tag-link-position-33" style="font-size: 10.453608247423pt;" aria-label="PowerSploit (8 items)">PowerSploit</a> <a href="https://adsecurity.org/?tag=presentation" class="tag-cloud-link tag-link-422 tag-link-position-34" style="font-size: 9.7319587628866pt;" aria-label="Presentation (7 items)">Presentation</a> <a href="https://adsecurity.org/?tag=security" class="tag-cloud-link tag-link-576 tag-link-position-35" style="font-size: 8pt;" aria-label="Security (5 items)">Security</a> <a href="https://adsecurity.org/?tag=silverticket" class="tag-cloud-link tag-link-304 tag-link-position-36" style="font-size: 11.175257731959pt;" aria-label="SilverTicket (9 items)">SilverTicket</a> <a href="https://adsecurity.org/?tag=sneakyadpersistence" 
class="tag-cloud-link tag-link-596 tag-link-position-37" style="font-size: 9.0103092783505pt;" aria-label="SneakyADPersistence (6 items)">SneakyADPersistence</a> <a href="https://adsecurity.org/?tag=spn" class="tag-cloud-link tag-link-294 tag-link-position-38" style="font-size: 9.0103092783505pt;" aria-label="SPN (6 items)">SPN</a> <a href="https://adsecurity.org/?tag=tgs" class="tag-cloud-link tag-link-528 tag-link-position-39" style="font-size: 9.0103092783505pt;" aria-label="TGS (6 items)">TGS</a> <a href="https://adsecurity.org/?tag=tgt" class="tag-cloud-link tag-link-529 tag-link-position-40" style="font-size: 9.0103092783505pt;" aria-label="TGT (6 items)">TGT</a> <a href="https://adsecurity.org/?tag=windows7" class="tag-cloud-link tag-link-117 tag-link-position-41" style="font-size: 8pt;" aria-label="Windows7 (5 items)">Windows7</a> <a href="https://adsecurity.org/?tag=windows10" class="tag-cloud-link tag-link-494 tag-link-position-42" style="font-size: 10.453608247423pt;" aria-label="Windows10 (8 items)">Windows10</a> <a href="https://adsecurity.org/?tag=windowsserver2008r2" class="tag-cloud-link tag-link-46 tag-link-position-43" style="font-size: 9.0103092783505pt;" aria-label="WindowsServer2008R2 (6 items)">WindowsServer2008R2</a> <a href="https://adsecurity.org/?tag=windowsserver2012" class="tag-cloud-link tag-link-47 tag-link-position-44" style="font-size: 11.175257731959pt;" aria-label="WindowsServer2012 (9 items)">WindowsServer2012</a> <a href="https://adsecurity.org/?tag=windowsserver2012r2" class="tag-cloud-link tag-link-54 tag-link-position-45" style="font-size: 9.7319587628866pt;" aria-label="WindowsServer2012R2 (7 items)">WindowsServer2012R2</a></div> </div><div id="search-2" class="sidebar-wrap widget_search"><form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" 
class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form></div> <div id="recent-posts-2" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript – Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="recent-comments-2" class="sidebar-wrap widget_recent_comments"><h3>Recent Comments</h3><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link">Derek</span> on <a href="https://adsecurity.org/?p=3592#comment-13603">Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a href="https://adsecurity.org/?p=3782#comment-13545">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Brad</span> on <a href="https://adsecurity.org/?p=3782#comment-13544">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Joonas</span> on <a href="https://adsecurity.org/?p=3719#comment-13229">Gathering AD Data with the Active Directory PowerShell Module</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" 
class="url" rel="ugc">Sean Metcalf</a></span> on <a href="https://adsecurity.org/?p=3719#comment-13215">Gathering AD Data with the Active Directory PowerShell Module</a></li></ul></div><div id="archives-2" class="sidebar-wrap widget_archive"><h3>Archives</h3> <ul> <li><a href='https://adsecurity.org/?m=202406'>June 2024</a></li> <li><a href='https://adsecurity.org/?m=202405'>May 2024</a></li> <li><a href='https://adsecurity.org/?m=202005'>May 2020</a></li> <li><a href='https://adsecurity.org/?m=202001'>January 2020</a></li> <li><a href='https://adsecurity.org/?m=201908'>August 2019</a></li> <li><a href='https://adsecurity.org/?m=201903'>March 2019</a></li> <li><a href='https://adsecurity.org/?m=201902'>February 2019</a></li> <li><a href='https://adsecurity.org/?m=201810'>October 2018</a></li> <li><a href='https://adsecurity.org/?m=201808'>August 2018</a></li> <li><a href='https://adsecurity.org/?m=201805'>May 2018</a></li> <li><a href='https://adsecurity.org/?m=201801'>January 2018</a></li> <li><a href='https://adsecurity.org/?m=201711'>November 2017</a></li> <li><a href='https://adsecurity.org/?m=201708'>August 2017</a></li> <li><a href='https://adsecurity.org/?m=201706'>June 2017</a></li> <li><a href='https://adsecurity.org/?m=201705'>May 2017</a></li> <li><a href='https://adsecurity.org/?m=201702'>February 2017</a></li> <li><a href='https://adsecurity.org/?m=201701'>January 2017</a></li> <li><a href='https://adsecurity.org/?m=201611'>November 2016</a></li> <li><a href='https://adsecurity.org/?m=201610'>October 2016</a></li> <li><a href='https://adsecurity.org/?m=201609'>September 2016</a></li> <li><a href='https://adsecurity.org/?m=201608'>August 2016</a></li> <li><a href='https://adsecurity.org/?m=201607'>July 2016</a></li> <li><a href='https://adsecurity.org/?m=201606'>June 2016</a></li> <li><a href='https://adsecurity.org/?m=201604'>April 2016</a></li> <li><a href='https://adsecurity.org/?m=201603'>March 2016</a></li> <li><a 
href='https://adsecurity.org/?m=201602'>February 2016</a></li> <li><a href='https://adsecurity.org/?m=201601'>January 2016</a></li> <li><a href='https://adsecurity.org/?m=201512'>December 2015</a></li> <li><a href='https://adsecurity.org/?m=201511'>November 2015</a></li> <li><a href='https://adsecurity.org/?m=201510'>October 2015</a></li> <li><a href='https://adsecurity.org/?m=201509'>September 2015</a></li> <li><a href='https://adsecurity.org/?m=201508'>August 2015</a></li> <li><a href='https://adsecurity.org/?m=201507'>July 2015</a></li> <li><a href='https://adsecurity.org/?m=201506'>June 2015</a></li> <li><a href='https://adsecurity.org/?m=201505'>May 2015</a></li> <li><a href='https://adsecurity.org/?m=201504'>April 2015</a></li> <li><a href='https://adsecurity.org/?m=201503'>March 2015</a></li> <li><a href='https://adsecurity.org/?m=201502'>February 2015</a></li> <li><a href='https://adsecurity.org/?m=201501'>January 2015</a></li> <li><a href='https://adsecurity.org/?m=201412'>December 2014</a></li> <li><a href='https://adsecurity.org/?m=201411'>November 2014</a></li> <li><a href='https://adsecurity.org/?m=201410'>October 2014</a></li> <li><a href='https://adsecurity.org/?m=201409'>September 2014</a></li> <li><a href='https://adsecurity.org/?m=201408'>August 2014</a></li> <li><a href='https://adsecurity.org/?m=201407'>July 2014</a></li> <li><a href='https://adsecurity.org/?m=201406'>June 2014</a></li> <li><a href='https://adsecurity.org/?m=201405'>May 2014</a></li> <li><a href='https://adsecurity.org/?m=201404'>April 2014</a></li> <li><a href='https://adsecurity.org/?m=201403'>March 2014</a></li> <li><a href='https://adsecurity.org/?m=201402'>February 2014</a></li> <li><a href='https://adsecurity.org/?m=201307'>July 2013</a></li> <li><a href='https://adsecurity.org/?m=201211'>November 2012</a></li> <li><a href='https://adsecurity.org/?m=201203'>March 2012</a></li> <li><a href='https://adsecurity.org/?m=201202'>February 2012</a></li> </ul> </div><div 
id="categories-2" class="sidebar-wrap widget_categories"><h3>Categories</h3> <ul> <li class="cat-item cat-item-565"><a href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a> </li> <li class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security 
Recommendation</a> </li> <li class="cat-item cat-item-24"><a href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. 
Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. </p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; var scJsHost = (("https:" == document.location.protocol) ? "https://secure." : "http://www."); //--> </script> <script type="text/javascript" src="https://secure.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>