The NASCIO Midyear Conference this past week highlighted the good, the bad and the scary of generative AI, as well as the vital importance of the data that states are using to feed large language models.
The post GenAI Continues to Dominate CIO and CISO Conversations appeared first on Security Boulevard.
The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry. Today, let’s get to know the company Reality Defender. Introduction to Reality Defender Reality Defender, established in 2021, is a startup specializing in detecting deepfakes and […]
The post RSAC 2024 Innovation Sandbox | Reality Defender: Deepfake Detection Platform appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..
The post RSAC 2024 Innovation Sandbox | Reality Defender: Deepfake Detection Platform appeared first on Security Boulevard.
The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry. Today, let’s get to know the company Dropzone AI. Introduction to Dropzone AI Dropzone AI is a company specializing in automated security operations, founded by Edward […]
The post RSAC 2024 Innovation Sandbox | Dropzone AI: Automated Investigation and Security Operations appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..
The post RSAC 2024 Innovation Sandbox | Dropzone AI: Automated Investigation and Security Operations appeared first on Security Boulevard.
Authors/Presenters: Jianhao Xu, Kangjie Lu, Zhengjie Du, Zhu Ding, Linke Li Qiushi Wu, Mathias Payer, Bing Mao
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – Silent Bugs Matter: A Study of Compiler-Introduced Security Bugs appeared first on Security Boulevard.
What is the government if not an organization dedicated to the creation of paperwork? All of that paperwork means something, though, and it can range from trivial to vitally important. One of the more important forms, if it’s required for your business or institution to fill out, is the DD2345 form. What is it, what […]
The post DD2345 Military Critical Technical Data Agreement and CMMC appeared first on Security Boulevard.
Recently, I wrapped up my first work trip with Balbix—a whirlwind tour of customer roundtables in Singapore, Melbourne and Sydney. We were joined by local EY teams that have been working with us for almost an entire year to explore the topic of Cyber Risk Management in the region. EY has launched a new managed …
The post The Real Risk is Not Knowing Your Real Risk: Perspectives from Asia Pacific Tour with EY appeared first on Security Boulevard.
We recently hosted Michael Tapia, Chief Technology Director at Clint ISD in Texas, and Kobe Brummet, Cybersecurity Technician at Hawkins School District in Tennessee, for a live webinar. Michael and Kobe volunteered to share with other K-12 tech pros how important cybersecurity and safety monitoring are for Google Workspace, Microsoft 365, and online browsing. They […]
The post Cloud Monitor Automation Thwarts Phishing & Malware Emails appeared first on ManagedMethods.
The post Cloud Monitor Automation Thwarts Phishing & Malware Emails appeared first on Security Boulevard.
This month we dive into CVE-2024-27198 for JetBrains TeamCity and the controversy surrounding the patching process that contributed to it being exploited in the wild.
The post Vulnerability of the Month – Controversy of the JetBrains TeamCity CVE-2024-27198 & CVE-2024-27199 appeared first on Security Boulevard.
Failure to configure authentication allowed malicious actors to exploit Airsoftc3.com's database, exposing the sensitive data of a vast number of the gaming site's users.
The post Airsoft Data Breach Exposes Data of 75,000 Players appeared first on Security Boulevard.
For security leaders heading to RSAC 2024 in need of a refresher on all things SOAR (Security Automation, Orchestration and Response), D3 Security has you covered. Before you hit the expo floor, check out these must-read resources that will equip you with the insights needed to understand the security automation space and choose the right […]
The post Get SOAR Savvy Before RSAC 2024: 5 Reads to Level Up Your SOC appeared first on D3 Security.
The post Get SOAR Savvy Before RSAC 2024: 5 Reads to Level Up Your SOC appeared first on Security Boulevard.
SAN FRANCISCO — On the eve of what promises to be a news-packed RSA Conference 2024, opening here on Monday, Microsoft is putting its money where its mouth is.
Related: Shedding light on LLM vulnerabilities
More precisely the software … (more…)
The post MY TAKE: Is Satya Nadella’s ‘Secure Future Initiative’ a deja vu of ‘Trustworthy Computing?’ appeared first on Security Boulevard.
This year, virtual CISOs must begin making a difference in our industry. For the longest time, small and medium businesses (SMBs) have been abandoned by the cybersecurity industry. But, SMBs need security leaders to guide them through the maze of cyber risk and craft practical strategies that align with their unique ever-evolving business objectives.
Sadly, SMBs cannot afford an experienced full-time CISO. They often either ignore the risks or get lured into purchasing shiny tools that do not meet their overall needs. Before spending money on security solutions, it's crucial to understand the risks and develop clear objectives that support the overall business goals.
This is the role of a CISO: to set the direction and establish cybersecurity program foundations that will meet the expectations of the Board and C-suite.
However, there are not enough CISOs to go around which creates a high premium on their time. Hiring a CISO can cost hundreds of thousands of dollars, which is far beyond what most SMBs are willing to commit. But they don’t actually need a full-time CISO. An hour or two may be perfect for guidance, leadership, and strategy development. This is where the fractional/virtual CISOs (vCISO) community can play a role!
Experienced CISOs often have a few hours extra per week and yearn to take on new challenges, as long as it does not impact their day job. Many retiring CISOs still have the itch to contribute, but don’t want to commit the long hours of managing all the operations and details. They would rather leverage their experience to provide guidance and help organizations avoid costly pitfalls.
It becomes a perfect fit.
Experienced leaders offer guidance at a fraction of the cost, with short-term contracts keeping commitments flexible. Everyone wins.
vCISOs can provide leadership without being tied to the demanding operational aspects. By dedicating a few hours a week, vCISOs help SMBs benefit from experienced cyber risk leadership with direction, focus, and an understanding of the evolving risks. SMBs can then make informed business decisions that properly account for cybersecurity factors. The practical benefits include effective prioritization and efficient allocation of resources for an optimized cybersecurity posture, based upon their unique needs.
There are risks in the vCISO market. Two things to watch out for:
First, beware of vCISO services offered by security vendors masquerading as impartial advisors. In many cases, this is just a ploy to get customers to buy the parent company’s products or services. These people are effectively used as a sales channel and incentivized to convince SMBs to purchase their wares. They aren’t necessarily looking out for their clients’ best interests. Instead, seek out vendor-agnostic vCISOs that will work with what you have and align recommendations to your actual needs.
Second, many will assert themselves as seasoned cybersecurity leaders, but in actuality, lack the practical experience needed to be a successful vCISO. Let’s be clear, a vCISO is NOT an entry-level job. Rather it is the opposite.
An experienced cybersecurity leader can quickly understand the major risks and business needs, develop a customized set of strategic plans for a specific organization, and communicate effectively to executives so they may rapidly understand and make well-informed decisions. vCISOs must be vetted properly to make sure they can deliver quality results in very limited timeframes. Otherwise, it will be money wasted!
If you are interested in exploring how vCISOs can help businesses, sectors, or various audiences, reach out to me directly or visit my website. We must purposefully work to support the SMB community. Let's join forces to make this year a turning point in fortifying SMBs and bolstering their digital security and competitiveness!
The post Unlocking SMB Cybersecurity: The Rise of Virtual CISOs in 2024 and Beyond appeared first on Security Boulevard.
Cybersecurity organizations are fighting a constant battle against threats across an evolving cyber landscape while being understaffed and facing constrained budgets. Traditional cybersecurity threat intelligence solutions require significant funding, or in-house skills, or both. For many cybersecurity teams, access to high-quality threat feeds may not be feasible, given their costs. This generally results in a reactive cybersecurity environment, especially for the more resource-strained entities, wherein the adversary always has the initiative.
The post IronRadar Reforged appeared first on Security Boulevard.
Prisma SASE 3.0 promises to make it simpler and faster to apply zero-trust policies.
The post Palo Alto Networks Extends SASE Reach to Unmanaged Devices appeared first on Security Boulevard.
Authors/Presenters: Tarun Kumar Yadav, Devashish Gosain, Kent Seamons
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – Cryptographic Deniability: A Multi-perspective Study of User Perceptions and Expectations appeared first on Security Boulevard.
Recently, I chatted with developers from a customer in a heavily regulated industry. They were manually updating their open source dependencies and wanted to find a better solution to save time. Keeping their dependencies up-to-date was very time-consuming but something they identified as crucial for their business.
The post The impact of automating open source dependency management appeared first on Security Boulevard.
As businesses continue to adopt container technologies such as Docker and Kubernetes for their deployment efficiency and scalability, they also face a growing challenge—securing these environments. Container security is still a developing field, with many organizations just beginning to understand the extent and effectiveness of necessary security controls.
The post Navigating Container Security with AttackIQ’s Optimization Solutions appeared first on AttackIQ.
The post Navigating Container Security with AttackIQ’s Optimization Solutions appeared first on Security Boulevard.
Every organization has its own combination of cyber risks, including endpoints, internet-connected devices, apps, employees, third-party vendors, and more. Year after year, the risks continue to grow more complex and new threats emerge as threat actors become more sophisticated and the use of artificial intelligence aids their efforts. There’s not much an individual organization can...
The post CEO Discusses MDR Service With a Risk-Based Approach appeared first on Pondurance.
The post CEO Discusses MDR Service With a Risk-Based Approach appeared first on Security Boulevard.
Password reset FAILURE: The U.S. Cybersecurity and Infrastructure Security Agency warns GitLab users of a 100-day-old, maximum severity vulnerability.
The post GitLab ‘Perfect 10’ Bug Gets a CISA Warning: PATCH NOW appeared first on Security Boulevard.
3 Takeaways Relentless Risk The world seems to be on fire, fueled by the Hamas attack on Israel and the subsequent Israeli Defense Force (IDF) invasion of Gaza. As a result, protests have taken off like wildfire across many college campuses. As the New York Times reports, “In many students’ eyes, the war in Gaza…
The post Our New “Days of Rage” Protest Activity and Considerations for Corporate Security appeared first on Ontic.
The post Our New “Days of Rage” Protest Activity and Considerations for Corporate Security appeared first on Security Boulevard.
Authors/Presenters: Alexandra Nisenoff, Arthur Borem, Grant Nakanishi, Maya Thumpasery, Blase Ur
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – Defining “Broken”: User Experiences and Remediation Tactics When Ad-Blocking or Tracking-Protection Tools Break a Website’s User Experience appeared first on Security Boulevard.
via the comic artistry and dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Alphabetical Cartogram’ appeared first on Security Boulevard.
In a digital+ world, there is no escaping “vulnerabilities.” As software development grows more complex and APIs become more central to new software architectures, vulnerabilities can stem from various sources, whether it’s an issue within open-source components or a mistake made by one of your developers. The critical question we need to address is: what […]
The post Understanding the Link Between API Exposure and Vulnerability Risks appeared first on OX Security.
The post Understanding the Link Between API Exposure and Vulnerability Risks appeared first on Security Boulevard.
The post Streamline NIS2 Compliance with Automation appeared first on AI Enabled Security Automation.
The post Streamline NIS2 Compliance with Automation appeared first on Security Boulevard.
Here we go again: Verizon’s new Data Breach Investigations Report (DBIR) is out, and once again, unauthorized uses of web application credentials and exploits of vulnerabilities in web applications are among the top three on the breach list. It’s the same, lame story every single year. At what point will the industry figure out that Application Security (AppSec) status quo methods — Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), web application firewall (WAFs), etc. — aren't working? Why not give something new — like Runtime Security — a chance?
The post Cybersecurity Insights with Contrast CISO David Lindner | 5/3/24 appeared first on Security Boulevard.
Keeping pace with the latest cybersecurity threats is vital for organizations of all sizes. Here at Strobes, our security team has assembled a list of the top 5 most critical...
The post A Closer Look at Top 5 Vulnerabilities of April 2024 appeared first on Strobes Security.
The post A Closer Look at Top 5 Vulnerabilities of April 2024 appeared first on Security Boulevard.
This Article Insider Risk Digest: April was first published on Signpost Six. | https://www.signpostsix.com/
Dive into our latest Insider Risk Digest, where we unravel recent cases of espionage, insider betrayal, and security breaches across various sectors, from a prevented espionage attempt by a former NSA employee to alarming leaks within the Swedish police force. We also examine the broader implications of economic pressures on insider threats and explore international […]
This Article Insider Risk Digest: April was first published on Signpost Six. | https://www.signpostsix.com/
The post Insider Risk Digest: April appeared first on Security Boulevard.
I had not planned to blog this (this is an incredibly time-crunched week for me) but CERT/CC and CISA made a big deal out of a non-vulnerability in R, and it’s making the round on socmed, so here we are. A security vendor decided to try to get some hype before 2024 RSAC and made... Continue reading →
The post CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0 appeared first on rud.is.
The post CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0 appeared first on Security Boulevard.
Path traversal vulnerabilities, or directory traversal, are now subject to a government advisory for obligatory consideration We live in an environment where digital infrastructure is increasingly fundamental to business operations across all business sectors, and the security of software products is a paramount concern. The FBI and CISA (Cybersecurity and Infrastructure Security Agency) have recently...
The post The Persistent Threat of Path Traversal Vulnerabilities in Software Development appeared first on TrueFort.
The post The Persistent Threat of Path Traversal Vulnerabilities in Software Development appeared first on Security Boulevard.
VAPT testing tools are a vital part of any organization’s approach to proactively strengthen cyber security posture. The pentest tools help in digital security, using a variety of methods to identify and report these vulnerabilities in all of your systems, and applications. With the help of pentest tools, which include penetration testing suites, automated vulnerability […]
The post Top 7 VAPT Testing Tools appeared first on Kratikal Blogs.
The post Top 7 VAPT Testing Tools appeared first on Security Boulevard.
At the start, Distributed Denial of Service (DDoS) attacks were often motivated by bragging rights or mischief.
Related: The role of ‘dynamic baselining’
DDoS attack methodology and defensive measures have advanced steadily since then. Today, DDoS campaigns are launched by … (more…)
The post RSAC Fireside Chat: The necessary care and feeding of DDoS detection and protection systems appeared first on Security Boulevard.
Proxmox VE, like any software, is vulnerable to security threats. Patching helps address these vulnerabilities, protecting your virtual machines from attacks. Traditional patching methods often require taking systems offline, leading to downtime and disruptions for critical business operations. TuxCare’s live patching ensures your Proxmox instances stay secure with the latest security fixes without needing to […]
The post What is Proxmox VE – and Why You Should Live Patch It appeared first on TuxCare.
The post What is Proxmox VE – and Why You Should Live Patch It appeared first on Security Boulevard.
Recent reports have highlighted that the notorious FIN7 cybercrime group has targeted the U.S. automotive industry through a sophisticated spear-phishing campaign. Employing a familiar weapon, the Carbanak backdoor (also known as Anunak), they aimed to infiltrate systems and compromise sensitive data. This nefarious activity underscores the critical importance of robust cybersecurity measures in safeguarding against […]
The post FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak appeared first on TuxCare.
The post FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak appeared first on Security Boulevard.
The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry. Today let’s get to know the company Amebit. Company Introduction Aembit was established in 2021 and is headquartered in Washington, USA. The company is dedicated to […]
The post RSAC 2024 Innovation Sandbox | Aembit: An IAM Platform for Cloud Workloads appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..
The post RSAC 2024 Innovation Sandbox | Aembit: An IAM Platform for Cloud Workloads appeared first on Security Boulevard.
Businesses today need protection from increasingly frequent and sophisticated DDoS attacks. Service providers, data center operators, and enterprises delivering critical infrastructure all face risks from attacks.
Related: The care and feeding of DDoS defenses
But to protect their networks, … (more…)
The post GUEST ESSAY: A primer on how, why ‘dynamic baselining’ fosters accurate DDoS protection appeared first on Security Boulevard.
I’m not a robot” tests are definitely getting harder. But does that mean more complex CAPTCHAs are the right path forward to outsmart advancing AI and adversarial technologies?
The post Why CAPTCHAs Are Not the Future of Bot Detection appeared first on Security Boulevard.
The post Tips and stories for your team on World Password Day appeared first on Click Armor.
The post Tips and stories for your team on World Password Day appeared first on Security Boulevard.
The blockchain analysis company is using a deep learning model, new AI techniques, and a massive dataset to better detect and track money laundering on a Bitcoin blockchain.
The post Elliptic Shows How an AI Model Can Identify Bitcoin Laundering appeared first on Security Boulevard.
50,000 security practitioners are about to attend RSA 2024. Here’s what one expert anticipates for this year’s show.
The post What to Expect at RSA 2024: Will AI Wreak Havoc on Cybersecurity? appeared first on Security Boulevard.
As we wrapped up another exhilarating day at Kaseya Connect Global 2024 in Las Vegas, the spotlight was firmly onRead More
The post Kaseya Connect Global 2024 Day Two Recap: Embracing AI and Autonomous Automation appeared first on Kaseya.
The post Kaseya Connect Global 2024 Day Two Recap: Embracing AI and Autonomous Automation appeared first on Security Boulevard.
Authors/Presenters: Alaa Daffalla Marina Bohuk, Nicola Dell, Rosanna Bellini, Thomas Ristenpart
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – Account Security Interfaces: Important, Unintuitive, and Untrustworth – Distinguished Paper Award Winner appeared first on Security Boulevard.
New and updated coverage for ransomware and malware variants, including Acid Rain, Pikabot, VenomRAT, Mallox Ransomware, & More
The post Acid Rain, Pikabot, VenomRAT, Mallox Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: March-April 2024 appeared first on SafeBreach.
The post Acid Rain, Pikabot, VenomRAT, Mallox Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: March-April 2024 appeared first on Security Boulevard.
After a pre-day packed with the annual M&A Symposium and the GlueXperience, the main event of Kaseya Connect Global 2024Read More
The post Kaseya Connect Global 2024 Kicks Off appeared first on Kaseya.
The post Kaseya Connect Global 2024 Kicks Off appeared first on Security Boulevard.
Managed Service Providers (or MSPs) are facing a myriad of obstacles when it comes to...
The post Why Coro is a Dream Cybersecurity Platform for MSPs appeared first on Security Boulevard.
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s ‘Frontenders and Backenders’ appeared first on Security Boulevard.
Drop Dropbox? The company apologized as user details were leaked from its “Dropbox Sign” product.
The post Dropbox Hacked: eSignature Service Breached appeared first on Security Boulevard.
In a recent podcast interview with Cybercrime Magazine's Host, Heather Engel, Scott Schober, Cyber Expert, Author, and CEO of Berkeley Varitronics Systems, discusses the introduction of federal rules for reporting not only cybersecurity incidents but also ransomware payments for critical infrastructure operators. The podcast can be listened to in its entirety below.
The post U.S. Rules for Cyber Incident Reporting appeared first on Security Boulevard.
In a dramatic shift, the 2024 version of the Verizon Business Data Breach Investigations Report (DBIR) sounds the alarm about the growing link between data breaches and the vulnerability of the software supply chain – and calls on enterprises to hold their software suppliers to a higher standard for software security.
The post Verizon 2024 DBIR: Software supply chain risks fuel a data breach epidemic appeared first on Security Boulevard.
This post is a follow-up to my previous post on manual LDAP querying. I would highly recommend reading that post prior to reading this one if you are interested in some of the basics of searching LDAP.
A few people asked why I chose dsquery and ldapsearch for the last blog. There are several options for querying LDAP, but dsquery and ldapsearch were the tools I was most comfortable with. Additionally, dsquery being signed binary, it is easy to get on target without being flagged. Similarly, with ldapsearch, it is easily installed and is sometimes already present on hosts and it can be run through SOCKS proxies. For this blog, I will show less examples for conciseness, but remember the focus is how to query with LDAP filters. The important item to focus on is the LDAP filters themselves.
Many tools that query LDAP have a way for you to create custom filters baked in. Therefore, if you understand how to create LDAP filters, you can use any tool that allows you to create your own custom LDAP filter. While this blog focuses on querying in a Windows Active Directory (AD) environment, LDAP queries can work in other forms of directory services.
For this blog, I will focus on items not covered in the previous blog as well as discuss some of the complexities of manually querying. The goal is to try to get a more accurate understanding of an AD environment and recognize some of the common issues that can arise from querying manually.
One important item not included in the first blog was how to create compound filters with an OR operator. A compound filter with an OR operator will look like this:
"(|(attribute1=value1)(attribute1=value2))"
In this filter, the “|” indicates that it is a combination filter, and any results should have “value1” or “value2” for attribute1. As with other filters, these operators can be combined with others to create more complex queries.
dsquery * -filter "(&(objectClass=computer)(|(name=*WIN-10*)(name=*WIN-11))(!(description=*HIPAA*)))"
The image and query listed show how these different operators can be used in a combination filter. Here, we are using the AND (&), OR (|), NOT (!), and wildcard (*) operators to create the query. The plain language explanation for this filter would read, “I want all of the computer objects that have WIN-10 or WIN-11 in the name but do not have HIPAA in the description.” When you are creating these queries, keep in mind that the parentheses do matter and if you do not close them correctly, your query may fail or give you inaccurate results.
dsquery * -filter "(&(objectClass=computer)(|(name=*WIN-10*)(name=*WIN-11)(!(description=*HIPAA*))))"
This is one example of how the parentheses can affect your results. In this example, the parentheses around the OR statement were moved to include our not parameter. In plain language, the way this is interpreted is, “I want all of the computer objects that have WIN-10, WIN-11, or does not have HIPAA in the description.” The JZOID-WIN-10, which should have been excluded because it contains HIPAA in the description, was included in the results because it met the WIN-10 parameter in the OR statement while others which do not have WIN-10 or WIN-11 were included because they do not have HIPAA in the description.
Nested groups occur when one group is added as a member of another group. This is a common practice but can create additional complexities and unforeseen results. It can also make it harder to find what you are looking for when you are trying to understand permissions in an environment because permissions inherit down to nested members of a group. Here I will show why it is important to check for nested groups. In this first screenshot, the query is looking for any users who are members of the Domain Admins group.
dsquery * -filter "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=PLANETEXPRESS,DC=LOCAL))"
However, when we look at the same group through the administrator view, we see there is a group nested within the Domain Admins groups.
This group did not show up because our query is looking for users who are members of the Domain Admins group, not groups who are members of the Domain Admins group.
This next block is a query which filters on the memberOf attribute of the Domain Admins group. This returns the Security group, but does not show who the members are who may also be part of the Domain Admins group.
dsquery * -filter "(&(objectClass=group)(name=Domain Admins))" -attr member
From this information, you could further expand and query who the members of the Security group are, as shown below.
dsquery * -filter "(&(objectClass=group)(name=Security))" -attr member
One option for getting a more precise list of group membership would be to ensure that your filter is not being too restrictive. While usually we want to be as specific as possible to reduce the number of results that must be evaluated, this query is an example of how making a query too specific of a filter can give inaccurate results.
dsquery * -filter "(memberOf=CN=Domain Admins,CN=Users,DC=PLANETEXPRESS,DC=LOCAL)"
By not specifying an object class in the query, we will get a list of both the users and groups that are members of the group.
Alternatively, using a combination of dsquery and dsget (which is also a signed binary and available on many servers), we can get the nested members of the group. Here we can now see that the user Turanga Leela is a nested member of the Domain Admins group.
dsquery group -samid "*Domain Admins*" | dsget group -members -expand
While dsget is outside of the scope of LDAP filters, it works here to show an example of how information can be obscured when using LDAP filters. This example shows some of the complexities of manual querying and why it is important to be thorough when you are doing manual investigation. Nested groups are an item you want to look for in an assessment. While it is much easier to visualize with tools such as BloodHound, mapping it out manually can be complex but worth the time.
Microsoft defines a Service Principal Name (SPN) as, “a unique identifier of a service instance”. Kerberos authentication uses SPNs to associate a service instance with a service logon account.
SPNs can be applied to accounts and are common to find in an Active Directory environment. The reason we want to check for their presence is to discover if there are any accounts that would be good targets for Kerberoasting. We can run a quick query to see if any accounts have SPNs applied to them as shown below.
dsquery * -filter "(servicePrincipalName=*)" -attr name servicePrincipalName
NOTE: This query may be detected by identity protection products as enumeration for Kerberoasting.
In the above example, we are querying for any account that has an SPN applied to it. In the results, we can see there are four accounts. The first one is the computer account belonging to the Domain Controller, which has several SPNs applied. This account, along with the PFRY-WIN-10 computer account would not be good targets for Kerberoasting. This is because computer accounts typically have long randomized passwords set and are difficult to break. Similarly, the krbtgt account would not be a good target for Kerberoasting; if the krbtgt password is easy to crack, the domain is in a very bad position already. The third account in the returned list is a user account, which could potentially be a good candidate for Kerberoasting.
This is not all the information you would need to determine if Kerberoasting is a viable option, but it is information from a quick query that could inform you on potential attack paths. As we have seen with other queries, we can narrow down our results to user accounts only to save a bit of time.
The userAccountControl attribute is a number set depending on the user account setting. These are not as straightforward as some of the other attributes we have discussed so far and the available Microsoft documentation is incomplete on what the numbers indicate. Fortunately other resources contains a more complete list.
Since the domain we are working in here is small, we can list out this attribute for all users as shown below.
dsquery * -filter "(userAccountControl=*)" -attr name userAccountControl
The first value of 512 indicates a NORMAL_ACCOUNT which applied to HFarnsworth and Hermes Conrad. This can be a bit misleading as we know from previous queries that HFarnsworth is a Domain Administrator. So, what does this mean then? If we look at it from the Administrator perspective, we can see this is related to the “Account options” settings as shown below.
What the 512 value indicates is that the user accounts do not have any of the properties enabled. It does not indicate the users’ permissions or privileges in the environment.
The next value is the 514, which means the account is disabled. In addition to the krbtgt account having this value, we can see that the Scruffy Service account is also disabled. This is something we would want to note if the Scruffy Service account were one we wished to target. Additionally, you can use the userAccountControl to filter out disabled accounts like the query below.
dsquery * -filter "(&(objectClass=user)(!(userAccountControl=514)))" -attr name userAccountControl
The next item we will look at is the 66048 value, which indicates a user account whose password does not expire. This could be a good account to go after because it could indicate that the account has an old password, which may be easier to obtain or crack. In the example below, we are printing out which users have a password set to not expire, as well as the pwdLastSet attribute which can help target accounts with old passwords.
dsquery * -filter "(userAccountControl=66048)" -attr name userAccountControl pwdLastSet
There are several more interesting values, but I would suggest reading the sources linked for additional information. The value is shown in decimal, but it is calculated in hexadecimal and is cumulative with an addition calculation. For example, most user accounts are labeled as NORMAL_ACCOUNT, which has a decimal value of 512 and a hexadecimal value of 0x0200. If the password is stored using reversible encryption, it will be assigned a user account control value of 128 in decimal and 0x0080 in hexadecimal. The account setting is displayed as shown in the image below within Active Directory Users & Computers (ADUC).
So if a normal user account is set to store the password with reversible encryption and no other options set, the value for that account would be 640 (512 + 128) in decimal, and 0x0280 (0x0200 + 0x0080) in hexadecimal. This makes querying for a specific user account control setting easy because the value will be unique based on the calculation of the settings for the user. We can query for a user account control value and it will pull all users who have that setting. However, if we were to just query with userAccountControl and the value, we would only get the users with that exact calculated value. In the image below, the query is looking for normal user accounts, but it is only pulling one account.
dsquery * -filter "(userAccountControl=512)" -attr name userAccountControl
Since that is not at all helpful, we have to add a bit filter for bit-wise comparison by specifying the BitFilterRule ID. There is an AND and OR filter:
The way this is added to the LDAP filter is in the following format:
<Attribute name>:<BitFilterRule-ID>:=<decimal comparative value>
With this filter, we can pull all users with a specific setting as well as other settings calculated in the userAccountControl value. As shown below, either filter will work for this particular query, but depending on what you are searching for, you should choose the appropriate filter.
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=512)" -attr name userAccountControl
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.804:=512)" -attr name userAccountControl
With the BitFilterRule, you can query for other values stored in a hexadecimal value, such as grouptype.
Although most organizations make efforts to secure passwords, it is possible that passwords or password hashes are stored in LDAP attributes. The most common way I have seen this occur is when an organization adds software to the environment that can use AD for authentication. Sometimes this software will update the schema to add additional attributes in AD which store passwords or hashes. To find this, you can search if these fields exist and are populated in an environment with the following filter:
"(|(UserPassword=*)(unicodePwd=*)(UnixUserPassword=*) (msSFU30Password=*)(orclCommonAttribute=*)(defender-tokenData=*)(ms-Mcs-AdmPwd=*))"
This filter includes common attributes which store credentials in AD. These are the attributes this filter looks at:
Another area where I have found passwords stored is in the description for accounts, so it is a good idea to check there as well.
Organizational units (OUs) are logical groups for objects in AD. OUs differ from containers because they allow policies in the form of Group Policy Objects (GPOs) to be applied to them whereas containers do not. OUs can be created and organized at administrators’ discretion though, by default, one OU is automatically created for Domain Controllers when a domain is created. The OUs can be hierarchical, where one OU is added as a member to another OU and can be nested. Many organizations will create the OU structure to reflect the organization’s business structure.
To get a quick list of the OUs in a domain, you can run the dsquery command for the object class “organizationalUnit” to get the OUs.
dsquery * -filter "(objectClass=organizationalUnit)"
This will give you the distinguished names of the OUs. In this domain, the Device OU is nested under the Domain Computers OU, which is reflected in the full name of the OU. If we are querying an object, the OU is reflected in the distinguished name of the object.
dsquery * -filter "(name=BROD-SELF)" -attr name distinguishedName
This will reflect where in the AD the structure object resides. If the object is not in any OUs, the distinguished name will reflect where in the container structure the object resides as shown below.
dsquery * -filter "(name=FS-CREW)" -attr name distinguishedName
The difference between these two is the computer object that is not in an OU would not have GPOs applied to it. If you were looking for objects to target, this could be an indication of a misconfiguration in an AD environment where an object was created in the wrong container or OU and does not have the same policies applied.
Searching for objects in an OU is not as straightforward as some other queries. OUs for an object make up the distinguished name, but this does not form a separate attribute stored in the object information. LDAP does not have a way for you to partially match a distinguished name easily and wildcards will not return results. Instead, you can specify the distinguished name as the start node for your query. This will specify the OU where you want the query to start searching for the objects specified in the LDAP filter.
dsquery * -filter "(objectCategory=computer)" -attr name distinguishedName
dsquery * "OU=Domain Computers,DC=PLANETEXPRESS,DC=LOCAL" -filter “(objectCategory=computer)” -attr name distinguishedName
dsquery * "OU=Devices,OU=Domain Computers,DC=PLANETEXPRESS,DC=LOCAL" -filter “(objectCategory=computer)” -attr name distinguishedName
In the first query, the search will encompass the entire domain. In the second query, we are specifying the start node which will begin searching in the "OU=Domain Computers,DC=PLANETEXPRESS,DC=LOCAL" for objects. In the third query, we are specifying the nested OU, "OU=Devices,OU=Domain Computers,DC=PLANETEXPRESS,DC=LOCAL", as where we want to start our search. As we can see, specifying the start node will give us more specific results depending on what OU we are starting our search in.
Lastly, if we wanted to see the objects in an OU, an alternate way we could view this information quickly is by providing the start name in our query and simply specify the OU as the start node.
dsquery * "OU=Domain Computers,DC=PLANETEXPRESS,DC=LOCAL"
Typically, when querying for OUs from an operational perspective, the goal is to correlate the objects with what group policies are applied to it or vice versa.
For this section, I will assume you are already familiar with the concepts and terms associated with domain trusts. If you are not, this resource from Microsoft can help to get you familiar with what you need to know. The important thing to know is that when a trust relationship is established between domains, the relationship is represented in AD as a trusted domain object. The easiest way to start looking at the trust relationships is by querying for that object type, as shown below:
dsquery * -filter "(objectCategory=trustedDomain)"
The information provided here is limited but it will give us a quick list of what relationships, if any, exist in a domain. This alone is not enough information to understand the trust relationship between the domains, so we will need to get additional information. If you are looking for a specific type of trust relationship, you can filter the trustDirection attribute in your LDAP filter to specify the type of relationship.
dsquery * -filter "(trustDirection=3)”
Since this attribute is unique to this object type, we can filter for just that attribute for a less complicated filter. In this example, the value of 3 means that it is a bidirectional trust relationship. For additional information, you can review the Microsoft documentation here. For quick reference, the following is the mapping of numbers to relationships:
Trust type is another attribute that can help us to understand trust relationships. The trust type, represented with the trustType attribute, will indicate the type of trust the current domain has with the foreign domain.
dsquery * -filter "(trustType=2)"
With this query, we are specifically looking for domains which are Windows domains and are running Windows AD. The type of domain is relevant when you are looking to cross domains and want to know what technology the other trusted domain is running. LDAP works with environments not running Windows AD, so LDAP queries and filters will often work as well. To read more about the trust types, Windows has provided this documentation. The quick meaning of the trust type values is as follows:
Trust partner is a mandatory attribute which holds the fully qualified domain name (FQDN) of the trusted domain. When you are enumerating the trust relationships, the FQDN is necessary for activities such as querying into the trusted domain or interacting with some resources in the other domain.
dsquery * -filter "(objectClass=trustedDomain)" -attr name trustPartner
Instead of searching by this attribute, this query will retrieve the trusted domain objects and list the name and trustPartner attributes. This is a simple attribute, however additional information can be found in the Microsoft documentation. Keep in mind that when you are querying, limiting your output can be very beneficial for getting exactly the information you need to work with.
The last part of the discussion of trust relationships is the trust attributes. This is another attribute which describes the trust relationship the current domain has with other trusted domains.
dsquery * -filter "(trustAttributes=8)"
In this example, the filter will return trust relationships which have a trustAttributes value of 8, which means the trust is established between forests. These trust attributes can help inform you on how you can interact with another domain due to the attribute value containing information on restrictions. There is further detail in the documentation from Microsoft on the trust attributes. The quick reference for these attributes is as follows:
The foreign security principal is an object which originates from an external source. The easiest way to identify a foreign security principal is to query for the object class.
dsquery * -filter "(objectClass=foreignSecurityPrincipal)"
The first four items can be ignored or filtered out because they are standard in every domain. Unlike the other returned objects, the principal is not stored with an easily readable name but uses the object SID to represent the object. When retrieving further information on the object, we can see that it is still not entirely clear what the object is.
dsquery * -filter "(distinguishedName=CN=S-1–5–21–3542491776–619976232–3744802786–1605,CN=ForeignSecurityPrincipals,DC=PLANETEXPRESS,DC=LOCAL)" -attr *
Since the setup within this environment is simple, with only one other connected domain, the object is easy to find in the trusted domain by using the trust relationship that is established between the domains. Depending on the tool you are using, the flags will be different, but in dsquery the /domain flag will query another domain for information.
dsquery * -filter "(objectSid=S-1–5–21–3542491776–619976232–3744802786–1605)" /domain DOOP-HQ.LOCAL
Expanding the attributes will provide additional information about the object.
dsquery * -filter "(objectSid=S-1–5–21–3542491776–619976232–3744802786–1605)" /domain DOOP-HQ.LOCAL -attr *
With this, we can see the object is a group which references a user from the foreign domain. This information is helpful when understanding how trust relationships are used in an environment. These sorts of relationships can be potential paths for traversal in an environment when looking to move to a different domain.
That’s it for another round of LDAP filter discussions. The topics in this blog were chosen based on what I was not able to cover in the last blog and feedback I received from the first blog. Unfortunately, there again was not the space or time to explain everything, but hopefully this helps create a bit more understanding about manual LDAP querying.
Special thanks to Adam and Sarah for proofreading and editing!
Manual LDAP Querying: Part 2 was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Manual LDAP Querying: Part 2 appeared first on Security Boulevard.
Login