Work and live with IT

/en/exploit-kerberos-samaccountname-spoofing/images/Preview.png

Exploit samAccountName spoofing with Kerberos

Fabian Bader published on 2021-12-12 included in Active Directory Kerberos Security

When Microsoft released the November 2021 patches, the following CVEs caught the eye of many security professionals because they allow impersonation of a domain controller in an Active Directory environment. CVE-2021-42278 - KB5008102 Active Directory Security Accounts Manager hardening changes CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. CVE-2021-42287 KB5008380 Authentication updates CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.

/en/speaking-trust-tech-cologne-feodo/images/Preview.jpeg

Speaking @ Trust in Tech Cologne

Fabian Bader published on 2021-12-07 included in User Group

On Tuesday, December 14th, I will be speaking at the Trust in Tech Cologne virtual meetup. The topic of my talk is “Protect your endpoint from known C2 Feodo servers”. Abstract As Emotet is back from the dead the cyber security landscape is getting even more dangerous as before. Thankfully open projects like Feodo Tracker provide information about active C2 servers. Learn how you can utilize the provided Indicators of Compromise, Microsoft Defender for Endpoint and Azure Automation to add an additional layer of security for your endpoints.

/en/jit-role-assignment-microsoft-defender/images/PIMMicrosoft365Defender.png

Just-In-Time role assignment in Microsoft Defender

Fabian Bader published on 2021-11-29 included in Azure AD Entra ID Identity and Access Security Defender for Endpoint

For a long time assigning multiple Entra ID (Azure AD) roles to a user was a tedious task in not done via a script. Every role assignment had to be made separately. This also made it hard to change role assignments for a group of people. That all changed when Microsoft introduced Entra ID (Azure AD) role-assignable groups. It is now possible to assign multiple roles to one group and add the users to this group.

/en/manage-group-policies-powershell/images/Preview.png

Manage group policies with PowerShell

Fabian Bader published on 2021-11-22 included in Active Directory GPO PowerShell HHPSUG

Despite Intune, DSC and Azure AD; group policies are still a widely used method to manage Windows clients and servers in many companies. However, the MMC is not really suitable for managing several hundred GPOs. But that’s what PowerShell is designed for.

/en/alert-sensitive-ad-groups-mdi/images/Preview.png

Alert changes to sensitive AD groups using MDI

Fabian Bader published on 2021-11-05 included in Active Directory Defender for Identity Identity and Access Advanced Hunting KQL

Microsoft Defender for Identity is a very powerful tool when it comes to track changes to users and groups in your on-prem Active Directory. When used in combination of the advanced hunting capabilities available in the Microsoft 365 Defender portal and custom detection rules you can very easily automate the change tracking. If you protect any on-prem Active Directory, you should be aware to changes to any privileged groups. Microsoft itself list a few of them in their documentation on Active Directory Domain Services and in the Defender for Identity documentation adds additional ones.

/en/automated-response-c2-traffic-devices/images/Preview.png

Automated response to C2 traffic on your devices

Fabian Bader published on 2021-10-18 included in Defender for Endpoint Security Advanced Hunting KQL

The Feodo Tracker from abuse.ch provides a list of active ip addresses that are used for C2 servers. With MDE and a bit automation you can easily block your clients connecting to those servers and get an alert if they do.