Setting up Kali Linux in Docker on Windows 10

A few times now, I find myself wondering why I need a full-blown VM. I need to quickly get my tools up and running on any hardware I find myself on. Most of the time that is a freshly installed Windows 10 on my Surface Book—I like messing things up to a point…


WMI Queries: ReturnValue vs uValue (and some Remote Registry)

Interestingly, querying a registry setting in Windows via WMI, through PowerShell, isn’t as straightforward as previously thought. When developing the Audit Policy settings tool, which uses WMI through PowerShell explicitly to avoid dependencies on Windows Remote Management (WinRM) or even the Remote Registry service, we hit a bug in our logic. What we…


ATA Auditing (AuditPol, Advanced Audit Settings Enforcement, Lightweight Gateway Service discovery)

NOTE: This blog and code were updated to include a new targeting feature so that only 1 domain/child-domain can be targeted for assessment. This will still discover all DCs in the Forest; however, only the DCs in the targeted domain will be assessed. Advanced Threat Analytics (ATA) v1.8 added new capabilities to monitor suspicious and anomalous…



Installing Operations Management Suite (OMS) on top of Advanced Threat Analytics (ATA) is dead simple. It is even simpler if your ATA Center is installed in Azure, as deploying the OMS agent on Azure VMs is one click. OMS continues to gain momentum as it provides a single pane of glass. Its integration into things like Azure…


Setting up Damn Vulnerable Web App (DVWA) on Ubuntu in Azure

Getting familiar with attacks is step one of knowing what you’re up against. One way to do that is to get a vulnerable application to hit against and sharpen your skills. Nothing beats Damn Vulnerable Web App (DVWA). Here are the steps to get Damn Vulnerable Web App up and running in the Azure environment, all…


SmartCard and Pass-the-Hash

On a pretty consistent basis, SmartCard and Multi-factor Authentication (MFA) technologies are brought up when discussing Pass-the-Hash/Pass-the-Ticket with customers. Many customers believe they do not need to worry about such attacks because they have non-repudiation. However, the problem SmartCard was designed to solve predates Pass-the-Hash/Ticket (or Overpass-the-Hash) being a real thing! At that time, preventing…


Ubuntu RDP in Azure

Many times, I get a question on how to RDP into a Linux machine created in Azure. So, instead of having the same conversation over and over, I’ll blog about it and point folks here. And going one step further, I figured now was a good time to also test out OpenSSH-Win32. In…


cpassword – MS14-025

Microsoft announced MS14-025 on 13 May 2014. However, it continues to be an issue for many IT organizations, even when patched. I repeat: by simply installing the KB you have not fully remediated the vulnerability (elevation of privilege!) unless you ran the provided PowerShell code to ensure you don’t have any existing cpassword Group Policies…


ATA Playbook Released

The Advanced Threat Analytics Playbook is released. It includes a breakdown of how to test (and therefore learn!) ATA and the real-world research tools that are available on the public Internet. The goal here was simple: debunk some myths around pass-the-hash (i.e. SmartCards); show how these research tools work (and just how easy it is…


Advanced Threat Analytics Detects Forged PACs

Advanced Threat Analytics (ATA) detects all sorts of credential theft and post-exploit activities of an adversary. Detecting Forged PACs is no different. Here, I use PyKEK in a lab environment that I use to stage other research and attack scenarios with real tools. If you wish to do this testing, you absolutely should stick to…