Avoiding credentials reuse attacks

Adversaries reuse credentials all the time. How can you check for and prevent credential reuse attacks? Deny them by leveraging new (and old) security features.

Reusable credentials

Method                            Log Type             Reusable credentials
Log to console (+KVM)             Interactive          Yes
RUNAS                             Interactive          Yes
Remote desktop                    RemoteInteractive    Yes
WinRM+CredSSP                     NetworkClearText     Yes
PSExec with explicit credentials  Network+Interactive  Yes
Scheduled Task                    Batch                Yes (as LSA…

Invoke-Adversary – Simulating Adversary Operations

Invoke-Adversary is a PowerShell script that helps you evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing the excellent APTSimulator tool from Florian Roth. Update 4/17/2018: The script is temporarily removed while I resolve an issue. I will update as soon as…


Sysinternals Sysmon suspicious activity guide

The Sysmon tool from Sysinternals provides comprehensive monitoring of activity at the operating system level. Sysmon runs in the background continuously and writes events to the event log. You can find the Sysmon events under the Microsoft-Windows-Sysmon/Operational event log. This guide will help you investigate and appropriately handle these events….


Locking up Your BitLocker

Hello, today I want to talk about securing your BitLocker-enabled devices against a common attack vector: the Direct Memory Access/side-channel attack.

BitLocker quick overview

First, a little primer on how BitLocker works is in order. The Trusted Platform Module (TPM) is a hardware security device that stores a master key, or Storage Root Key (SRK), and…