handmade.social

0 posts0 participants0 posts today

💡𝚂𝗆𝖺𝗋𝗍𝗆𝖺𝗇 𝙰𝗉𝗉𝗌📱<a href="https://dotnet.social/tags/TechTuesday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechTuesday</a> This <a href="https://dotnet.social/tags/Lemmy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Lemmy</a> post <a href="https://programming.dev/post/22672085" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://programming.dev/post/22672085</a> links to the recording of the talk I gave earlier in the year, about how <a href="https://dotnet.social/tags/dotNet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dotNet</a> <a href="https://dotnet.social/tags/dotNetMAUI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dotNetMAUI</a> and other <a href="https://dotnet.social/tags/programmers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#programmers</a> <a href="https://dotnet.social/tags/developers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#developers</a> can get the most out of <a href="https://dotnet.social/tags/Mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Mastodon</a> and the <a href="https://dotnet.social/tags/Fediverse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fediverse</a> in general. Show to people you want to come here, or watch yourself if you feel like you could learn more about it.CC <a href="https://macaw.social/@andypiper" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@andypiper</a> <a href="https://evanp.me/author/evanprodromou/" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@evanprodromou@evanp.me</a> <a href="https://socialwebfoundation.org/author/evanprodromou/" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@evanprodromou@socialwebfoundation.org</a> <a href="https://mastodon.social/@Gargron" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@Gargron</a> <a href="https://hachyderm.io/@mapache" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@mapache</a> <a href="https://hachyderm.io/@alvinashcraft" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@alvinashcraft</a> <a href="https://bsky.brid.gy/r/https://bsky.app/profile/alvinashcraft.com" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@alvinashcraft.com</a> <a href="https://mastodon.social/@jamesmontemagno" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@jamesmontemagno</a>

Lutra SecurityThe worst case has happened: Hackers have managed to breach your network and elevate their privileges to their ultimate goal: Domain Admin.Today, we will take a look at one of the attacks that this absolute nightmare scenario makes possible for attackers: Golden Tickets (MITRE T1558.001)But let’s start at the beginning: Kerberos authentication. When a user logs in, a Ticket Granting Ticket (TGT) is issued to the user. Put very simply, the ticket contains, among other things, the username to identify the user. To prevent users from simply modifying a ticket and impersonating other users, the ticket is encrypted.The encryption key that secures the ticket is essentially the password hash of a user called krbtgt. This makes the krbtgt user one of the most sensitive, if not the most sensitive, user in an Active Directory domain. If this user's password is weak or the password (hash) is compromised, the entire domain is compromised.This is because attackers can use this password hash to forge their own tickets and impersonate any user they want. They simply create a ticket with the username they want and encrypt it with the password hash. They now have an authentication ticket that, if done correctly, is virtually indistinguishable from a real ticket.And that's what’s called a “Golden Ticket”. And there are many tools available to attackers, the most prominent of which are: Mimikatz, Rubeus and Impacket.The fact that it abuses legitimate functionality, makes it difficult to detect a Golden Ticket attack. However, there are a few things that you can look out for: * Are there TGS requests (Event 4769) without the original TGT being issued by the KDC (Event 4768)? * Is RC4 encryption being used? * Strange TGT parameters (e.g. very long lifetimes)? * Are there logins from sensitive accounts that aren’t normally used (e.g. the default domain administrator account)?Additionally, you can also look for signs of Pass the Ticket attacks (MITRE T1550.003).To mitigate this attack, the krbtgt password should be changed whenever a highly privileged user leaves the organization and additionally on a fixed schedule (and, of course, if you suspect a compromise). Make sure that the password is very, very strong.But changing the password once is not enough. It has to be changed twice because of the password history. However, be careful not to do this in quick succession. The change must be replicated to other domain controllers first. Otherwise, you risk severe authentication problems.<a href="https://infosec.exchange/tags/itsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#itsecurity</a> <a href="https://infosec.exchange/tags/GoldenTicket" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GoldenTicket</a> <a href="https://infosec.exchange/tags/ttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ttp</a> <a href="https://infosec.exchange/tags/mitre" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mitre</a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redteam</a> <a href="https://infosec.exchange/tags/redteaming" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redteaming</a> <a href="https://infosec.exchange/tags/TechTuesday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechTuesday</a>

Lutra SecurityIn the recent years it has become increasingly difficult for attackers to get their malware on victim computers. But, it is far from impossible, which today's technique can easily demonstrate: "Obfuscated Files or Information: HTML Smuggling" (MITRE T1027.006).Okay, first a bit of theory about HTML Smuggling.Instead of directly sending a malicious or even suspicious file over the wire, an attacker can use an HTML file to smuggle the malicious file. Often, the smuggled file is placed compressed and encrypted somewhere in the HTML file. Upon opening, JavaScript is used to extract the malicious file and drop it to disk with browser API's like msSaveBlob.Enough with the theory! You can test whether you are susceptible to this kind of attack in our newest article. There we provide two links to HTML pages that try to download harmless executable files via HTML Smuggling. So try it yourself:English: <a href="https://lutrasecurity.com/en/articles/html-smuggling/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://lutrasecurity.com/en/articles/html-smuggling/</a> German: <a href="https://lutrasecurity.com/articles/html-smuggling/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://lutrasecurity.com/articles/html-smuggling/</a>It is very difficult to actually defend against this kind of attack, since the malicious file is only assembled in the victims browser and the data can be obfuscated with JavaScript. Therefore, a web gateway cannot really help here. Blocking JavaScript and the HTML5 features used by this attack is also not a viable solution, because it will probably break something like 99% of the internet.However, you can block the download of potentially malicious files through JavaScript in browsers. But remember, such files can also be contained in other normally harmless files, such as ZIP archives. So there is no 100%-working, painless solution to defend against HTML smuggling. Therefore, it is best to always assume that undetected malicious files could be on your employees' computers and build a defense in depth strategy.<a href="https://infosec.exchange/tags/itsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#itsecurity</a> <a href="https://infosec.exchange/tags/ttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ttp</a> <a href="https://infosec.exchange/tags/mitre" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mitre</a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redteam</a> <a href="https://infosec.exchange/tags/redteaming" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redteaming</a> <a href="https://infosec.exchange/tags/TechTuesday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechTuesday</a>

Recent searches

Search options

Administered by:

Server stats:

#techtuesday