Understanding and Preventing Pass the Hash Attacks

Pass the hash is one of most prevalent techniques used in targeted attacks today, due to its ease of use and effectiveness.  Despite this prevalence, many organizations do misunderstand how the attack works and remain vulnerable.  In this post, I will describe how a pass the hash attack works and provide some effective ways to … Continue reading Understanding and Preventing Pass the Hash Attacks

Understanding Antivirus – Signatures, Scans, and Schedules

Antivirus, when used properly, can provide great protection for an organization if used effectively.  Although antivirus may appear to be a set-it-and-forget-it software, diligence in managing antivirus can pay off. Understanding Signatures As you probably know, antivirus software works off of signatures of known malicious files.  These signatures are distributed periodically to all antivirus clients, … Continue reading Understanding Antivirus – Signatures, Scans, and Schedules

Am I Pwned? – 5 simple ways to help determine if you should be concerned about malware you discover on your network

One of the difficulties involved with malware analysis is determining exactly how concerned you should be when you find a new sample on your network.  Categorizing malware does not require high cost tools and access to subscription-only databases (although these can help).  The following is a list of ways to help determine how concerned you should … Continue reading Am I Pwned? – 5 simple ways to help determine if you should be concerned about malware you discover on your network

Understanding MS14-068

In November 2014, Microsoft issued a critical patch addressing a Kerberos issue on domain controllers.  This vulnerability enables an attacker to leverage any authenticated session to create a Kerberos ticket which can have any group membership in the Active Directory domain, to include membership in domain admins, schema admins, enterprise admins, or BUILTIN\Administrators.  In addition, a … Continue reading Understanding MS14-068

Recovering Active Directory after Targeted Attack Compromise

Over the past few years, I have had the opportunity to assist various organizations in detecting and removing attackers from large enterprises.  Throughout these efforts, I have noticed that remediation of this condition is a difficult and technically challenging task.  As a result, I decided to take this on as a challenge and develop a generalized … Continue reading Recovering Active Directory after Targeted Attack Compromise