Automating Azure Just In Time VM Access

RDP brute force. When it comes to managing Azure virtual machines, administrators usually use Remote Desktop (Windows) or SSH (Linux) to connect and manage them remotely. We have seen cases where virtual machines were infected with ransomware, cryptocurrency miners, and other types of malware. The initial method of gaining access to these virtual machines was…


Building a security lab in Azure

Building your own lab for security research or penetration testing is a must for any security professional. There are many good reasons for building a lab: test various security solutions before implementing them in a production environment; learn a new skill or technique by practicing it in an isolated environment; study for a security certification (OSCP,…


Avoiding credentials reuse attacks

Adversaries reuse credentials all the time. How can you check for and prevent credential reuse attacks? Deny them by leveraging new (and old) security features.

Reusable credentials

Method                              Log Type             Reusable credentials
Log to console (+KVM)               Interactive          Yes
RUNAS                               Interactive          Yes
Remote desktop                      RemoteInteractive    Yes
WinRM+CredSSP                       NetworkClearText     Yes
PSExec with explicit credentials    Network+Interactive  Yes
Scheduled Task                      Batch                Yes (as LSA…


Invoke-Adversary – Simulating Adversary Operations

Invoke-Adversary is a PowerShell script that helps you evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing APTSimulator, the excellent tool from Florian Roth. Update 4/17/2018: The script is temporarily removed while I resolve an issue. I will update as soon as…


Setting up Kali Linux on Windows Subsystem for Linux

Kali Linux on Windows 10. “Kali Linux on Windows 10? What the hell?” – one might ask. But we are in the year 2018: we can run Linux directly on Windows, install SQL Server on Linux, and Microsoft is the top open-source contributor on GitHub. Using one PowerShell command and a download from the Store,…


Detecting Kerberoasting activity using Azure Security Center

Kerberoasting, a term coined by Tim Medin, is a privilege escalation technique that proves to be very effective in extracting service account credentials in a domain environment. A service account is a standard user account that has been configured for the specific task of running a service or scheduled task. Many organizations are using service accounts…


List of Azure Active Directory Audit Activities

Hi all, audit logs in Azure Active Directory help customers gain visibility into user and group management, managed applications, and directory activities in their cloud-based Active Directory. Using the logs you can detect and investigate security incidents and review important configuration changes. By using the Graph API, which provides programmatic access to Azure AD,…


Deploying Sysmon through Group Policy (GPO) Preferences

In my previous post I explained how to leverage Group Policy Preferences to deploy and update the Sysmon configuration in the enterprise. I decided to write a script to automate the entire process. What do you need in order to run this script? A baseline computer with the following: Sysmon installed and a Sysmon XML configuration…


Update: Sysmon configuration file version 8

This new version of config_v8.xml adds the latest additions from Sysmon: FileCreateStreamHash events, PipeEvent events, and WmiEvent events. In addition, the XML was cleaned up and all event categories are now ordered by event number. Link to file:


Sysinternals Sysmon suspicious activity guide

The Sysmon tool from Sysinternals provides comprehensive monitoring of activity at the operating-system level. Sysmon runs in the background all the time and writes events to the event log. You can find the Sysmon events under the Microsoft-Windows-Sysmon/Operational event log. This guide will help you investigate and appropriately handle these events…