Understanding MS14-068

In November 2014, Microsoft issued a critical patch addressing a Kerberos issue on domain controllers.  This vulnerability enables an attacker to leverage any authenticated session to create a Kerberos ticket which can have any group membership in the Active Directory domain, to include membership in domain admins, schema admins, enterprise admins, or BUILTIN\Administrators.  In addition, a … Continue reading Understanding MS14-068

Recovering Active Directory after Targeted Attack Compromise

Over the past few years, I have had the opportunity to assist various organizations in detecting and removing attackers from large enterprises.  Throughout these efforts, I have noticed that remediation of this condition is a difficult and technically challenging task.  As a result, I decided to take this on as a challenge and develop a generalized … Continue reading Recovering Active Directory after Targeted Attack Compromise