RGH

Windows 10’s “Controlled Folder Access” feature

Published 16/11/2017 | By RGH

Microsoft released a rolling upgrade of Windows 10 in October 2017. The “Fall Creators” edition (version 1709, codename Redstone 3) contains a new feature called “Controlled Folder Access”, which is designed to combat ransomware attacks. Continue reading →

Posted in Blog | Tagged auditing, blue team, red team, training, Windows

Hindering Lateral Movement

Published 27/10/2017 | By RGH

Lateral Movement is a method used by attackers (or malware) against a network Domain. After an initial device is compromised (typically, a user’s workstation), the attacker extracts passwords from memory, or obtains encrypted password hashes from the system for cracking or direct use (i.e. Pass the Hash). The attacker then attempts to login to other systems using those credentials to search for cached passwords of privileged Domain accounts. Usually, the local Administrator account is targeted as the password is often the same on all systems (due to the common practice of deploying systems from a master image), but service accounts, etc. can also be targeted. Continue reading →

Posted in Blog | Tagged auditing, blue team, red team, training, Windows

Detecting windows horizontal password guessing attacks in near real-time

Published 16/02/2015 | By RGH

When attempting to gain a foothold into a Windows Domain, an attacker will often attempt one or two likely passwords against every user in the Active Directory, a so-called horizontal password guessing attack. A small number of failed logons per user will usually not trigger a user account lockout policy and can be very effective. This post will provide an example solution to detecting such attacks in near real time, using only native Windows tools. Continue reading →

Posted in Blog | Tagged auditing, blue team, training, Windows

Investigating the TimeLive application

Published 04/04/2014 | By RGH

Some time ago I was on an internal infrastructure pentest job where I found a web server that hosted the TimeLive application. I had never heard of this application, and since I was looking at a login page, I opened a browser to my favourite search engine. The following is a brief explanation of things that I shouldn’t have found. Continue reading →

Posted in Blog | Tagged analysis, CVE-2014-1217, CVE-2014-2042, exploit, TimeLive

winlanfoe

Published 24/10/2013 | By RGH

Winlanfoe is a tool that parses the output from enum4linux and displays Domain/Workgroup membership, IP address, Operating System (OS) information and if a host is a domain controller. It is intended to provide an overview of the Samba network structure as reported by enum4linux. Continue reading →

Posted in Tools