AD Object Detection: Detecting the undetectable (dynamicObject)

What an auditor wants to make sure of is that you have non-repudiation in place. This also applies to forensic work: you want to be able to track an activity back to a person, and to do that you first need to identify the user account. But what if it has simply disappeared from Active Directory?…
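
As an added example (not code from the original post): an object created with the dynamicObject auxiliary class lists that class in objectClass and carries msDS-Entry-Time-To-Die, the moment the DC itself removes the object. Expired dynamic objects are garbage-collected rather than tombstoned, so the only time to record them is while they still exist. This snapshot assumes the ActiveDirectory RSAT module and read access to the domain partition.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module
# and read access to the domain partition.
Import-Module ActiveDirectory

function Get-DynamicAdObject {
    param(
        # Where to look; defaults to the whole domain partition
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # dynamicObject is an auxiliary class, so it shows up in objectClass and can be
    # filtered on. entryTTL (seconds left) is constructed and cannot be used in a filter,
    # so the absolute expiry time msDS-Entry-Time-To-Die is read instead.
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectClass=dynamicObject)' `
                 -Properties 'msDS-Entry-Time-To-Die', whenCreated, whenChanged |
        ForEach-Object {
            $dies = [datetime]$_.'msDS-Entry-Time-To-Die'
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                WhenCreated       = $_.whenCreated
                ExpiresAt         = $dies
                SecondsLeft       = [int](($dies - (Get-Date)).TotalSeconds)
            }
        }
}

# Usage: record what exists now; once the TTL lapses there is nothing left to find
Get-DynamicAdObject | Sort-Object ExpiresAt | Format-Table -AutoSize
```

Run it on a schedule and keep the output with your other audit logs; an account that later "does not exist" can then be matched against a recorded distinguished name and expiry time.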

Forensics: Active Directory ACL investigation

A Couple of Sensitive Spots Active Directory is full of delegated rights and permissions that grant privileges to security principals (user, group managed service account, group and computer objects). Some permissions are more sensitive than others and should be reserved for privileged accounts such as Tier 0 administrators (Read about the credential tier model…


Finding an Attribute’s Property Set

Attributes vs Property Set If you grant access at the attribute level you will most likely end up with long lists of Access Control Entries (ACEs) on objects in Active Directory. This leads to database growth (the NTDS.dit gets bigger) and to degraded performance of your Domain Controllers when…
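
As an added example (not the post's own code), this is how to find the property set an attribute belongs to, so one ACE on the set can replace many per-attribute ACEs. It assumes the ActiveDirectory RSAT module and read access to the schema and configuration partitions; the attribute name in the usage line is just a sample.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module
# and read access to the schema and configuration partitions.
Import-Module ActiveDirectory

function Get-AttributePropertySet {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $rootDse = Get-ADRootDSE

    # The schema entry for an attribute points at its property set via attributeSecurityGUID
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, attributeSecurityGUID
    if (-not $attr) { throw "No attribute '$LdapDisplayName' in the schema" }
    if (-not $attr.attributeSecurityGUID) { return $null }   # member of no property set

    $setGuid = New-Object System.Guid -ArgumentList (, [byte[]]$attr.attributeSecurityGUID)

    # Property sets are controlAccessRight objects in CN=Extended-Rights whose validAccesses
    # is 48 (read property | write property) and whose rightsGuid matches that GUID
    $set = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(validAccesses=48)(rightsGuid=$setGuid))" `
        -Properties displayName, rightsGuid, appliesTo
    if (-not $set) { return $null }

    # Every attribute in the set shares the GUID; the LDAP filter needs it as escaped bytes
    $escaped = ($setGuid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $members = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

    [pscustomobject]@{
        Attribute   = $attr.lDAPDisplayName
        PropertySet = $set.displayName
        RightsGuid  = $set.rightsGuid
        Members     = $members
    }
}

# Usage: which set to delegate instead of writing one ACE per attribute
Get-AttributePropertySet -LdapDisplayName 'telephoneNumber'
```

The Members list is the check to make before delegating: granting the set grants every attribute in it, so confirm nothing more sensitive than intended rides along.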


PowerShell: Malware detection and tracking of new autoruns

Old Project realized A month ago I reinstalled one of my PCs and thought of a project I started but never finished many years ago. It was when I found out about autorunsc.exe, one of the many awesome tools from the Sysinternals suite by Mark Russinovich, that I thought of an idea…
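
As an added example (not the script from the original post), the tracking idea the title refers to can be done by snapshotting autorunsc output and diffing each run against a baseline. It assumes autorunsc.exe is on the PATH, an elevated prompt, and a snapshot folder of your choosing; the CSV column names used (Entry Location, Entry, Image Path, SHA-256, Signer) are the ones autorunsc writes with -c -h -s.

```powershell
# Added example, not the original post's script. Assumes autorunsc.exe (Sysinternals) on
# the PATH, an elevated prompt, and a writable snapshot folder (path is a placeholder).
$SnapshotDir = 'C:\AutorunsSnapshots'
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

function Export-AutorunSnapshot {
    param([string]$Path)
    # -a * every category, -c CSV, -h file hashes, -s verify signatures, -nobanner, -accepteula
    & autorunsc.exe -a '*' -c -h -s -nobanner -accepteula 2>$null |
        Out-File -FilePath $Path -Encoding UTF8
    $Path
}

function Compare-AutorunSnapshot {
    param([string]$BaselinePath, [string]$CurrentPath)
    # An entry is "the same" only if location, name, image and hash all match,
    # so a known entry whose binary was replaced shows up as new.
    $key  = 'Entry Location', 'Entry', 'Image Path', 'SHA-256'
    $base = Import-Csv $BaselinePath
    $curr = Import-Csv $CurrentPath
    Compare-Object -ReferenceObject $base -DifferenceObject $curr -Property $key -PassThru |
        Where-Object SideIndicator -eq '=>' |          # present now, absent in the baseline
        Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'SHA-256'
}

$baseline = Join-Path $SnapshotDir 'baseline.csv'
if (-not (Test-Path $baseline)) {
    Export-AutorunSnapshot -Path $baseline | Out-Null     # first run: establish the baseline
} else {
    $current = Export-AutorunSnapshot -Path (Join-Path $SnapshotDir ("run-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date)))
    $new = Compare-AutorunSnapshot -BaselinePath $baseline -CurrentPath $current
    # Unsigned or unverifiable images first: Signer starts with "(Verified)" when the signature checks out
    $new | Sort-Object { $_.Signer -like '(Verified)*' } | Format-Table -AutoSize
}
```

Hashing (-h) is what makes the diff useful against malware that keeps a legitimate entry name and path but swaps the file; without it only new entry names would be reported.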


Port Mirroring for Advanced Threat Analytics

The main data source used by ATA is deep packet inspection of the network traffic to and from your domain controllers. For ATA to see that traffic, port mirroring needs to be configured. Port mirroring copies the traffic on one port, known as the source port, to another port, known as the destination port….
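
As an added example (not from the original post), this is the source/destination pairing for the case where both the domain controller and the ATA Gateway are Hyper-V VMs on the same virtual switch; a physical DC needs the equivalent SPAN configuration on the switch instead. VM and adapter names are placeholders.

```powershell
# Added example, not from the original post. Assumes the DC and the ATA Gateway are VMs on
# the same Hyper-V host and virtual switch; names are placeholders.
function Enable-AtaPortMirroring {
    param(
        [Parameter(Mandatory)][string]$DomainControllerVM,
        [Parameter(Mandatory)][string]$GatewayVM,
        [string]$GatewayCaptureAdapter = 'Capture'   # dedicated capture adapter on the gateway
    )
    # Source port: the DC's adapter, whose traffic gets copied
    Set-VMNetworkAdapter -VMName $DomainControllerVM -PortMirroring Source
    # Destination port: the gateway's capture adapter (keep its management traffic on another NIC)
    Set-VMNetworkAdapter -VMName $GatewayVM -Name $GatewayCaptureAdapter -PortMirroring Destination

    # Verify: one Source and one Destination on the same switch, or nothing is mirrored
    Get-VMNetworkAdapter -VMName $DomainControllerVM, $GatewayVM |
        Select-Object VMName, Name, SwitchName, PortMirroringMode
}

Enable-AtaPortMirroring -DomainControllerVM 'DC01' -GatewayVM 'ATAGW01'
```

The SwitchName column in the verification output is the check worth keeping: a Source and a Destination on different virtual switches silently mirror nothing.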


SCOM tuning: the video

Thanks to Jonas Lenntun from Approved Consulting AB in Sweden, you can now watch the recorded version of my presentation at the SCOM Days in Göteborg. It's a 45-minute presentation about best practices for tuning your Operations Manager environment and your management packs. Enjoy! And there's more coming soon – Watch…

Prevent Lateral Movement With Local Accounts

What is Lateral Movement? Lateral movement is an activity used when an attacker is scavenging a network for credentials, typically in a Pass-the-Hash scenario. From Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.pdf: "In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another…
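
As an added example (not from the original post), the control that stops a stolen local-admin hash from being replayed against the next machine is to deny local accounts network and remote-interactive logon. The script uses the well-known SIDs introduced by KB2871997 and applies them with secedit; it assumes an elevated prompt, and the file paths are placeholders.

```powershell
# Added example, not from the original post. Applies the local-account logon restriction
# with secedit using the KB2871997 well-known SIDs. Run elevated; paths are placeholders.
$Inf = Join-Path $env:TEMP 'deny-local-network-logon.inf'

# S-1-5-114: local account that is a member of Administrators (the built-in Administrator
# and any local admin whose hash an attacker would reuse).
# S-1-5-113 (every local account) is stricter; use it when no local account needs network access.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
'@ | Set-Content -Path $Inf -Encoding Unicode

# Apply only the user-rights area so nothing else in local policy is touched
secedit.exe /configure /db "$env:windir\security\database\local-deny.sdb" /cfg $Inf /areas USER_RIGHTS /quiet

function Test-LocalAccountNetworkLogonDenied {
    $export = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    $rights = Get-Content $export
    # Both deny rights must carry the SID; otherwise a local admin hash still opens SMB, WMI and WinRM
    [bool]($rights -match '^SeDenyNetworkLogonRight\s*=.*S-1-5-114') -and
    [bool]($rights -match '^SeDenyRemoteInteractiveLogonRight\s*=.*S-1-5-114')
}

Test-LocalAccountNetworkLogonDenied   # True once the restriction is in effect
```

Console logon with the local account still works, so break-glass access is unaffected; what changes is that the same account can no longer be used over the network from a compromised neighbour. Roll it out through Group Policy rather than secedit on each host once the test above passes on a pilot machine.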

Access denied on C:, even though you have given the user Full Control

Overview One of my customers was in the process of migrating away from Windows XP. As part of this work, the customer was verifying application compatibility. During the testing of applications, they discovered that two applications that are business critical for the customer were having issues with file creation. These issues are counted as…


Get location of Hyper-V Virtual Machines with Powershell

Sometimes you will want to re-install your system or replace the disk where you have installed Hyper-V. In that situation you had better keep track of your VMs' files. Here's a one-liner to list the location of the VM files:

get-vm * | Sort-Object Name | ft -auto Name,path,configurationlocation,snapshotfilelocation,@{L="Disks";E={$_.harddrives.path}}


Effective Rights – What can users do?

I guess I'm not the only one who has been sitting and wondering: hmm, what permissions do these users actually have in Active Directory? I can see a lot of groups in the access control list, but how do I relate that to a certain user? OK, we have the Effective Rights tab under…
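
As an added example (not from the original post), the relation between "a lot of groups in the ACL" and one user is the user's token: tokenGroups is the DC-computed, transitive group list, which is what the logon token carries. Filtering the ACL down to ACEs whose trustee is in that list shows what actually applies to that user. It assumes the ActiveDirectory RSAT module (which provides the AD: drive Get-Acl reads from); the identity and distinguished name in the usage line are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module;
# identity and target DN are placeholders.
Import-Module ActiveDirectory

function Get-EffectiveAdAce {
    param(
        [Parameter(Mandatory)][string]$Identity,     # sAMAccountName of the user
        [Parameter(Mandatory)][string]$TargetDN      # object whose ACL you are reading
    )

    # tokenGroups = transitive group SIDs (nested groups included). Add the user's own SID
    # and the well-known SIDs every authenticated user holds.
    $user = Get-ADUser -Identity $Identity -Properties tokenGroups
    $sids = @($user.SID.Value) +
            @($user.tokenGroups | ForEach-Object { $_.Value }) +
            @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users

    $acl = Get-Acl -Path "AD:\$TargetDN"
    $hits = foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable trustee: cannot be one of this user's SIDs
        if ($sids -contains $aceSid) {
            [pscustomobject]@{
                Trustee     = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType          # Deny wins over Allow
                Rights      = $ace.ActiveDirectoryRights
                ObjectType  = $ace.ObjectType                 # attribute, property set or extended right GUID
                Inherited   = $ace.IsInherited
                InheritOnly = [bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
            }
        }
    }
    # Deny entries first so precedence is visible at a glance
    $hits | Sort-Object Type -Descending
}

Get-EffectiveAdAce -Identity 'jdoe' -TargetDN 'OU=Servers,DC=example,DC=com' | Format-Table -AutoSize
```

InheritOnly entries do not apply to the object itself, only to children, and SELF (S-1-5-10) matches only when the target is the user's own object; the GUID in ObjectType still has to be resolved against the schema and Extended-Rights containers to read it as an attribute or property set name.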