Active Directory: What can make your million dollar SIEM go blind?
- Asher Harvey
- 6 years ago
Transcription
1 Active Directory: What can make your million dollar SIEM go blind?
2 Who are we? Vincent LE TOUX, Main. Security researcher. CEO of «My Smart Logon» (smart card & Windows authentication). CONTRIBUTIONS: Author of Ping Castle; (few) contributions in Mimikatz; smart card (GIDS applet, OpenSC, ...). I'm: check a few boxes here. Benjamin DELPY, Guest. «Technical Security Kiwi researcher at night. AUTHOR OF MIMIKATZ, this little program that he wrote to learn C, and kekeo, for personal usage ;) I'm not: Bachelor, CISSP, CISA, OSCP, CHFI, CEH, ISO*, MCSA, CHFI, PASSI, [...]
3 What will be presented. Domains & risks discovery, with a simulated corporate-like infrastructure. A real demo inside ;) PingCastle, mimikatz. DCShadow: a new domain post-exploitation / domination concept, included in the mimikatz lsadump module ;) YES! With a real demo inside too!
4 Story: a merger. Fabrikam, Inc + Contoso Ltd = Fabritoso Corp. To facilitate the merger, both IT departments have been asked to allow accounting teams to share data and to help in the creation of the «one accounting» team. While this operation takes time, executives decided to subcontract some IT operations to the company Awesome Computers. You have been tasked to exfiltrate data related to the merger.
5 Attack plan. 1. Explore and take control of the target domain via trusts. 2. Bypass controls by running our own «DC»! [Diagram labels: entry point; target; change this attribute to own the domain, and then exfiltrate data]
6 What do AD defenders assume? No trust relationship: the merger data is isolated from third parties. The defense team is not aware of the changes instructed by the management and led by the infrastructure team. Monitoring based on logs or public data: AD logs are sent to a SIEM which correlates data in real time. Presence of batches to do some health checking.
7 1. Build a map & reach the target: exploit trusts
8 Should you care about trusts? Real life example (1): a large company with 300 domains trusted, including 2 other large companies and 10 smaller companies. Remember NotPetya? A large company got infected through a former subsidiary, with a 250M impact. Most vulnerable: merger, joint venture, newly bought companies, (1)
9 Basic discovery techniques. Note: also accessible via nltest.exe /domain_trusts. Forest information (all child domains, UPN routing). Trust information (partner, attributes, direction, ...). Trust information is accessible to ANY user (including trusted ones).
10 Aiming Fabritoso via Awesome Computers. [Diagram after basic discovery techniques: it.fabrikam.com + (?) *.ac.com; domains shown: it.fabrikam.com, tech.ac.com, ac.com]
11 Too basic: go deeper! Basic: basic discovery (nltest /domain_trusts). Partition data: explore trusted domains (CN=Configuration). SID lookup: information used to evaluate permissions (SID History and ForeignSecurityPrincipals). Domain Locator: abuse DC locator service (how DCs are located).
12 Technique #1: Partition data. Every domain controller contains the Configuration partition, which stores configuration objects for the entire forest. The Configuration partition includes the definition of the AD partitions (= domains) in cn=partitions,cn=configuration,dc=forestrootdomain. Information gained: the list of domains of the forest, shared among all DCs of a forest. TRUST to a domain (not a forest) = read the forest Configuration = get all domains information of the forest.
13 Aiming Fabritoso via Awesome Computers. [Diagram after partition data: *.fabrikam.com + (?) *.ac.com; domains shown: it.fabrikam.com, tech.ac.com, ac.com, fabrikam.com]
14 Technique #2: SID lookup. Foreign users of a domain have a SID (S-1-5- ) related to their domain. Sources: CN=ForeignSecurityPrincipals (bastion) and the SIDHistory account attribute (migration). These give a list of foreign domain SIDs; SID translation (LsaLookupSid) turns it into a list of the most trusted domains.
15 Aiming Fabritoso via Awesome Computers. [Diagram after SID lookup: *.fabrikam.com + (?) *.ac.com; domains shown: acc.contoso.com, it.fabrikam.com, bastion.fabri, fabrikam.com, tech.ac.com, ac.com]
16 Technique #3: Domain Locator. You ask a DC in a domain you can connect to, to locate a DC in a domain it trusts and return its forest info. A good old NT4 service ([MS-ADTS] ). In practice: nltest /Server:trustedDC /DsGetDC:domainToQuery
17 Aiming Fabritoso via Awesome Computers. [Diagram after domain locator service; domains shown: contoso.com, acc.contoso.com, it.fabrikam.com, bastion.fabri, fabrikam.com, tech.ac.com, ac.com]
18 Demo time. #1 Domain discovery: PingCastle with cartography mode. #2 Compromise via trust: Mimikatz with DCSync and Golden ticket.
19 2. Avoid SIEM detection: run your own DC! Install your own DC with DCShadow and enjoy your next-gen backdoor
20 A typical AD monitoring architecture. [Diagram labels: DC1, DC2, DC3, replication; log collection, log mgmt, correlation, SIEM, alerts; SOC / CSIRT, investigation, incident response. Annotation: «We want to be granted admin rights to THIS server»]
21 What does a SIEM monitor? A «Security Information & Event Management» does: keep a trace of all changes (permissions, attribute, account creation, membership, ...); raise alerts on sensitive group change (domain admin, enterprise admin, accounting, ...); raise alerts on connection to critical assets (aka Domain Controllers) with unusual accounts; detect some attack patterns: bruteforce, simultaneous use of an account. Good monitoring also tracks basic dcsync.
22 How to avoid a SIEM? A «Security Information & Event Management» relies on logs to trigger alerts. Global idea: remove the logs causing alerts. Idea #1: alter the log policy. Problem: SIEM alerts based on log volume. Idea #2: take control of a DC. Problem: !! DC login !! Idea #3: run your own DC and push changes to other DCs.
23 Previous attempts to alter DC data. Require HW instructions not enabled by default. Install a VM and run a DC. Patch here: Mimikatz MISC::AddSid. Inject in LSASS (not public). Require to log in to a DC. A layered view of a DC. DSInternals offline operations + DC recovery process. Until now, no easy way to edit the DC database locally or remotely.
24 A new attack: DCShadow. What is really a DC? 1. An RPC server implementing MS-DRSR. 2. A record in the Configuration partition + known SPN. 3. A server in the domain controllers group. 4. A server promoted to the AD DS role.
25 Installation of a DC. No need to be a member of the «domain controller» group. What is really needed to register a DC? 1. A change in the configuration partition (domain admin only?). 2. A modification of the SPN of a computer account that the attacker owns.
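The two registration steps above are directory changes, so they can be watched for. The following is an added detection sketch, not code from the talk or from any tool it mentions. It assumes the SIEM receives Windows events 4742 (computer account changed), 5137 (directory object created) and 5141 (directory object deleted); the event dictionaries, their field names, the host names and the known-DC inventory are constructed for the example.

```python
from datetime import datetime, timedelta

# Service class of the replication SPN that genuine DCs register: the GUID of
# the DRS replication RPC interface. "GC/" is the global catalog service class.
DRS_SPN_CLASS = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
DC_ONLY_SPN_PREFIXES = (DRS_SPN_CLASS + "/", "gc/")

# Assumption: the defender keeps an inventory of legitimate DC host names.
KNOWN_DCS = {"dc1", "dc2", "dc3"}


def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


NTDS_WKS = ("CN=NTDS Settings,CN=WKS042,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,DC=fabrikam,DC=com")

# Constructed sample events, reduced to the fields the rules need. The field
# names are hypothetical; map them from your own SIEM schema.
SAMPLE_EVENTS = [
    {"id": 4742, "time": ts("2018-01-24T09:00:00"), "target": "DC2$",
     "spns": ["E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
              "11111111-2222-3333-4444-555555555555/fabrikam.com"]},
    {"id": 4742, "time": ts("2018-01-24T10:05:00"), "target": "WKS007$",
     "spns": ["HOST/wks007.fabrikam.com", "TERMSRV/wks007.fabrikam.com"]},
    {"id": 4742, "time": ts("2018-01-24T10:05:01"), "target": "WKS042$",
     "spns": ["HOST/wks042.fabrikam.com",
              "GC/wks042.fabrikam.com/fabrikam.com"]},
    {"id": 5137, "time": ts("2018-01-24T10:05:02"), "class": "nTDSDSA",
     "dn": NTDS_WKS},
    {"id": 5137, "time": ts("2018-01-24T10:05:10"), "class": "user",
     "dn": "CN=tmp,CN=Users,DC=fabrikam,DC=com"},
    {"id": 5141, "time": ts("2018-01-24T10:05:40"), "class": "nTDSDSA",
     "dn": NTDS_WKS},
]


def server_from_ntdsdsa_dn(dn):
    """Return the server name that owns an 'NTDS Settings' object.

    Simplification: splits on ',' and ignores escaped commas in RDNs.
    """
    parts = [p.strip() for p in dn.split(",")]
    if len(parts) < 2 or not parts[1].lower().startswith("cn="):
        return ""
    return parts[1][3:].lower()


def detect(events, known_dcs=KNOWN_DCS, max_lifetime=timedelta(minutes=30)):
    """Return (rule, host, time) findings, in chronological order."""
    findings = []
    created = {}  # nTDSDSA DN -> creation time
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4742:
            host = ev["target"].rstrip("$").lower()
            dc_spns = [s for s in ev["spns"]
                       if s.lower().startswith(DC_ONLY_SPN_PREFIXES)]
            # A DC-only SPN written to a machine that is not a known DC.
            if dc_spns and host not in known_dcs:
                findings.append(("dc-spn-on-non-dc", host, ev["time"]))
        elif ev["id"] in (5137, 5141) and ev.get("class", "").lower() == "ntdsdsa":
            dn = ev["dn"].lower()
            host = server_from_ntdsdsa_dn(ev["dn"])
            if ev["id"] == 5137:
                created[dn] = ev["time"]
                # A DC record created in the Configuration partition for a
                # server that is not in the inventory.
                if host not in known_dcs:
                    findings.append(("ntdsdsa-created-for-non-dc", host, ev["time"]))
            elif dn in created and ev["time"] - created[dn] <= max_lifetime:
                # The same DC record removed again shortly after creation.
                findings.append(("ntdsdsa-short-lived", host, ev["time"]))
    return findings


if __name__ == "__main__":
    for rule, host, when in detect(SAMPLE_EVENTS):
        print(when.isoformat(), rule, host)
```

These rules only see the registration of the server; the changes later pushed through replication are the part the talk describes as unlogged.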
26 Special function: [MS-DRSR] DrsAddEntry. Used to add special objects like a DC. DrsAddEntry is not limited to DC registration! [Figure: user view vs. internal view; OID, AttID]
27 Running a DC. What is really needed to run a DC? 1. Impersonate the computer account to use its SPN. 2. Run an RPC server listening for minimal APIs (like DrsGetNCChanges, dcsync). 3. Trigger a replication: use DrsReplicaAdd on the computer (requires DS-Replication-Manage-Topology and DS-Replication-Synchronize Administrator) OR wait for the KCC event for 15 minutes. But not in this demo ;) No need to be a member of the «domain controller» group or a real server!
28 Running a DC (2015)
29 Demo time
30 Wait: you break MS-ADTS rules! MS-ADTS (Active Directory Technical Specification) is the AD Bible. 625 pages! Completed by [MS-DRSR] (replication), [MS-LSAT] (local security authority), [MS-NRPC] (netlogon), [MS-SAMR] (security account management), ... MS-SAMR, unicodepwd: "The ntpwdhistory attribute MUST be updated with the new unicodepwd attribute value" (1/625). MS-SAMR, cleartextpassword: "If the RID of the objectsid attribute is DOMAIN_USER_RID_KRBTGT and the requesting protocol is a change-password protocol, the server MUST abort the request and return an error status."
31 What can be done with your own DC? Push any changes that a normal DC will push, WITHOUT LOGGING. Example: change the primary group to 519 (member of the Enterprise admin group). Push any changes that only a DC will prepare, WITHOUT LOGGING. Example: add the Enterprise admin group SID in the SIDHistory attribute. Push any changes that are partial changes, WITHOUT LOGGING. Example: pushing a hash as the old password hash without changing the current hash of the account nor the last password change date.
32 Breaking the rules. Setting any SIDHistory. Setting «whenchanged» to Bastille day.
33 Demo time: the last one ;)
34 A DC does not accept everything. You cannot set a NULL DACL, nor the attribute «WhenCreated».
35 3. «We are being hacked!» Incident response
36 Going forensic. A consultant in an incident response company has been tasked by Fabritoso to investigate some unusual activity. The consultant suspects a possible Active Directory compromise. He wants to validate or discard this hypothesis.
37 Getting replication metadata. Replication metadata: public information, stored in LDAP (replmetadata) and RPC. Tools: Ldp.exe; repadmin /showobjmeta <DC> <Object>
38 Decrypting replication metadata. Fields: attribute id («description»); DC which made the modification; version of the attribute value («2»); local USN = # of the change seen locally; USN of the DC which made the change; date when the change occurred on the remote DC. Idea: recover the attacker timeline by analysing the AD changes.
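The timeline idea above, as an added example that is not code from the talk: it assumes the metadata of one object was exported from the msDS-ReplAttributeMetaData attribute, which renders each entry as a small XML document with the fields listed on the slide. The object, invocation IDs, USNs and dates are constructed, and the two flags are heuristics chosen for this sketch.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumption: invocation IDs of the legitimate DCs, collected beforehand
# (constructed values here).
KNOWN_DC_INVOCATION_IDS = {
    "aaaaaaaa-0000-0000-0000-000000000001",  # DC1
    "aaaaaaaa-0000-0000-0000-000000000002",  # DC2
}
UNKNOWN_ID = "bbbbbbbb-0000-0000-0000-00000000dead"
SITE = (",CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
        "CN=Configuration,DC=fabrikam,DC=com")


def sample(attr, version, when, inv_id, usn_orig, usn_local, dsa_dn):
    """Build one constructed value in the msDS-ReplAttributeMetaData layout."""
    return (
        "<DS_REPL_ATTR_META_DATA>"
        f"<pszAttributeName>{attr}</pszAttributeName>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
        f"<uuidLastOriginatingDsaInvocationID>{inv_id}"
        "</uuidLastOriginatingDsaInvocationID>"
        f"<usnOriginatingChange>{usn_orig}</usnOriginatingChange>"
        f"<usnLocalChange>{usn_local}</usnLocalChange>"
        f"<pszLastOriginatingDsaDN>{dsa_dn}</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>\x00"
    )


DC1 = "aaaaaaaa-0000-0000-0000-000000000001"
DC2 = "aaaaaaaa-0000-0000-0000-000000000002"
# Constructed metadata for a single user object.
SAMPLE_VALUES = [
    sample("description", 2, "2018-01-10T14:02:33Z", DC2, 88110, 40112,
           "CN=NTDS Settings,CN=DC2" + SITE),
    sample("sIDHistory", 1, "2018-01-24T10:06:11Z", UNKNOWN_ID, 20, 40990, ""),
    sample("whenCreated", 1, "2017-03-02T08:15:00Z", DC1, 1200, 1200,
           "CN=NTDS Settings,CN=DC1" + SITE),
    sample("primaryGroupID", 3, "2016-07-14T00:00:00Z", UNKNOWN_ID, 21, 40991, ""),
]


def parse_entry(xml_text):
    """Parse one metadata value into a dict (values may carry a trailing NUL)."""
    node = ET.fromstring(xml_text.strip("\x00 \r\n\t"))
    return {
        "attr": node.findtext("pszAttributeName", ""),
        "version": int(node.findtext("dwVersion", "0")),
        "time": datetime.strptime(
            node.findtext("ftimeLastOriginatingChange"), "%Y-%m-%dT%H:%M:%SZ"),
        "invocation_id": node.findtext(
            "uuidLastOriginatingDsaInvocationID", "").lower(),
        "usn_originating": int(node.findtext("usnOriginatingChange", "0")),
        "usn_local": int(node.findtext("usnLocalChange", "0")),
        "dsa_dn": node.findtext("pszLastOriginatingDsaDN", ""),
    }


def analyse(xml_values, known_ids=KNOWN_DC_INVOCATION_IDS):
    """Return the object's changes as a timeline, each entry carrying flags."""
    entries = [parse_entry(v) for v in xml_values]
    created = min((e["time"] for e in entries
                   if e["attr"].lower() == "whencreated"), default=None)
    for e in entries:
        e["flags"] = []
        # The change originated on a DSA that is not one of the known DCs.
        if e["invocation_id"] not in known_ids:
            e["flags"].append("unknown-originating-dsa")
        # The change claims to be older than the object itself.
        if created is not None and e["time"] < created:
            e["flags"].append("predates-object-creation")
    return sorted(entries, key=lambda e: (e["time"], e["usn_local"]))


if __name__ == "__main__":
    for e in analyse(SAMPLE_VALUES):
        print(e["time"].isoformat(), e["attr"], "v%d" % e["version"],
              e["invocation_id"], ",".join(e["flags"]) or "-")
```

Since the talk's point is that a rogue DC supplies this metadata itself, treat a clean timeline as a lead to cross-check, not as proof.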
39 Tracking schema changes. MS-ADTS. Changing default permissions in the schema is a powerful backdoor. Can be tracked easily by monitoring the attribute schemainfo. But wait, it is updated by a DC? Work in progress.
40 Deleting Erasing objects? Deletion = move the object; removed properties; set IsDeleted; wait for deletion time (180 days!). But deletiontime is stored in metadata. Idea: change the expiration time. Work in progress.
41 Conclusion
42 Fabritoso hacked! TRUSTS: the larger the company is, the easier it is to exploit trusts. DCSHADOW: DCShadow is a new domination attack aiming at SIEM bypass. METADATA: forensic analysis trusts replication data. Well, not anymore.
43 Thanks! (will be updated to release DCShadow) Also thanks to Victor KERR for inspiring the name DCShadow.
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and
More informationWindows Authentication With Multiple Domains and Forests
Windows Authentication With Multiple Domains and Forests Stefan Metzmacher Samba Team / SerNet 2017-09-13 Check for updates: https://samba.org/~metze/presentations/2017/sdc/ Update from
More informationSynchronized Security
Synchronized Security 2 Endpoint Firewall Synchronized Security Platform and Strategy Admin Manage All Sophos Products Self Service User Customizable Alerts Partner Management of Customer Installations
More informationUseful Hacking Series
Useful Hacking Series Welcome to the Useful Hacking Series, in this series of 20 Episodes our world-renowned penetration tester/international speaker will share with you the top useful tips used during
More informationNational Cyber Security Operations Center (N-CSOC) Stakeholders' Conference
National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference Benefits to the Stakeholders A Collaborative and Win-Win Strategy Lal Dias Chief Executive Officer Sri Lanka CERT CC Cyber attacks
More informationSecuring ArcGIS Services
Federal GIS Conference 2014 February 10 11, 2014 Washington DC Securing ArcGIS Services James Cardona Agenda Security in the context of ArcGIS for Server Background concepts Access Securing web services
More informationA YEAR OF PURPLE. By Ryan Shepherd
A YEAR OF PURPLE By Ryan Shepherd WHOAMI DETECTION and RESPONSE Investigator for Countercept Threat Hunter PURPLE Team Consultant Offensive Security Certified Professional (OSCP) Crest Registered Intrusion
More informationForest Active Directory Schema Snap In 2008 R2
Forest Active Directory Schema Snap In 2008 R2 Missing When existing class and attribute definitions in the Active Directory schema do not meet In Windows Server 2008 and Windows Server 2008 R2, the directory
More informationDomain Restructuring Windows Server 2008
Domain Restructuring Windows Server 2008 Introduction: This document will describe design decision to add Additional Domain Controller in the existing Active Directory Forest. The infrastructure is assumed
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More information5.1. Functional Level
5.1. Functional Level A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest. A functional level defines: Which
More information[MS-ADOD-Diff]: Active Directory Protocols Overview. Intellectual Property Rights Notice for Open Specifications Documentation
[MS-ADOD-Diff]: Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation ( this documentation ) for protocols,
More informationSailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities
SailPoint IdentityIQ Integration with the BeyondInsight Platform Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 5 BeyondTrust
More informationUn SOC avanzato per una efficace risposta al cybercrime
Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat
More information