Category Archives: Windows

Windows Server 2012 R2 installation with PowerShell and VirtualBox

We need a Windows Server for various experiments, such as studying Keycloak federation with AD, exploring different types of attacks like Kerberoasting, learning the Kerberos protocol, and integrating ADFS and SAML with Keycloak. Installing Windows Server on ARM architecture is not supported, so a simple way is to have a separate laptop with installed…

How to track processes running with administrative rights in Windows

To gather information about processes running with administrator privileges on endpoints, it's important to understand Windows Integrity Levels, introduced by Microsoft in Windows Vista (see Mandatory Integrity Control). Mandatory Integrity Control (MIC) is a security feature that enforces access control by assigning integrity levels to processes and objects. It uses the integrity levels Low, Medium, High, and System to…

Dynamic-size arrays with ANYSIZE_ARRAY in Windows API

You can often find structures in code that look like the TOKEN_PRIVILEGES structure. The ANYSIZE_ARRAY macro is used in the definition of the TOKEN_PRIVILEGES structure to allow for a flexible array member. This is a common technique in C and C++ to define structures that can have a variable-length array as their last member. In C and…