Even if you have implemented a Zero Trust security paradigm for network and infrastructure security, you need to plan for the inevitable — at some point, an attacker will get into your network with the intent to deploy ransomware or cause other damage A typical attack goes something like this: There is a misconception that lateral movement threats are limited to on-prem networks.
There is an old saying: “One person’s tool is another person’s weapon.” That is certainly true of Windows PowerShell. Included with every Windows operating system today, this powerful command-line shell and scripting language is used by IT professionals for system administration, remote management, cybersecurity, software development and more.
Deception technology is a cybersecurity strategy that utilizes decoys to gather information about current threats and attack methodologies used by cybercriminals. The premise of this approach is to offer some sort of bait in your network, such as a fake database that looks like a legitimate one, that attackers will find too enticing to pass up.
Sysmon is a component of Microsoft’s Sysinternals Suite, a comprehensive set of tools for monitoring, managing and troubleshooting Windows operating systems. Version 13 of Sysmon introduced monitoring for two advanced malware tactics: process hollowing and herpaderping. This article explains what these tactics are, why they are so dangerous and how you can now detect them using Sysmon.
Administrators have several options for managing the properties of Active Directory users. The Active Directory Users and Computers (ADUC) console is convenient for making a few basic changes, such as modifying a user’s description or office location. For more functionality, however, consider using PowerShell. This article illustrates how you can address many common use cases with the PowerShell cmdlet Set-ADUser.
The PowerShell cmdlet Get-ChildItem obtains objects from one or more specified locations, such as a file system directory, registry hive or certificate store. These locations are exposed by PowerShell providers. If the location is a container, the cmdlet gets the child items in that container. The -Recurse parameter can be used to get items from all child containers, while the -Depth parameter can be used to limit how many levels to recurse to.
Once an adversary has compromised privileged credentials, for example, by exploiting an attack path, they want to make sure they don’t lose their foothold in the domain. That is, even if the accounts they have compromised are disabled or have their passwords reset, they want to be able to easily regain Domain Admin rights. One way to achieve this persistence is to exploit features of Active Directory that are intended to keep privileged accounts protected: AdminSDHolder and SDProp.
The Exchange Administration Center (EAC) is an easy-to-use interface for managing Exchange. However, it enable you to change only a handful of mailbox settings, and you can modify only one mailbox at a time. For more comprehensive management, you turn to Microsoft PowerShell (or, to be exact, Exchange Management Shell).
If an adversary manages to gain control of a privileged account in your network, you may face serious consequences, including costly data loss, prolonged downtime, customer churn, and legal and compliance penalties. This blog explains how to build an effective incident response plan that can help you minimize the damage from a breach.
Traditional IT security models focused on one thing: keeping the bad guys out the network. Anyone inside the network was physically in the corporate office and logged on to a machine set up and managed by the IT team, so they were trusted implicitly. That model no longer works. Today’s world of cloud resources, remote workers and user-owned devices has blurred if not entirely erased the notion of a network perimeter that could be defended.
