AD Object Detection: Detecting the undetectable (dynamicObject)

What an auditor wants to make sure of is that you have non-repudiation in place. This also applies to forensic work. You want to make sure you can track the activity to a person, and to do that we first need to identify the user account. But what if it has just disappeared from Active Directory?…


Finding an Attribute's Property Set

Attributes vs Property Set: If you are granting access on an attribute level, you will most likely end up with long lists of Access Control Entries (ACEs) on objects in Active Directory. This will lead to database growth; the NTDS.dit will get bigger. It will also lead to degraded performance of your Domain Controller when…


Prevent Lateral Movement With Local Accounts

What is Lateral Movement? Lateral movement is an activity used when an attacker is scavenging a network for credentials, typically used in a Pass-The-Hash scenario. From Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.pdf: "In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another…


Access denied on C:, even though you have given the user Full Control

Overview: One of my customers was in the process of migrating away from Windows XP. As part of this work, the customer was verifying application compatibility. During the testing of applications, they discovered that 2 applications that are business critical for the customer were having issues with file creation. These issues are counted as…


Effective Rights - What can users do?

I guess I’m not the only one who has been sitting and wondering... Hmm... What permissions do these users actually have in Active Directory? I can see a lot of groups in the access control list, but how do I relate that to a certain user? OK, we have the Effective Rights tab under…


Take Control Over AD Permissions and the AD ACL Scanner Tool

What is the state of your delegation? Do you have a documented and recent report of the permissions in your Active Directory? Have you granted permissions on the relevant OUs in the past and left them like this ever since? Maybe it’s time to take another look to see what’s actually delegated in Active Directory?…


Do You Allow Blank Passwords In Your Domain?

Do you, or did you back in the day, use your own code or a third-party tool to create user accounts that did not update the userAccountControl attribute after the account was created? Well, then there’s a chance you might have accounts in your domain that are allowed blank passwords or, even worse, have…
