Chris Long recently released DetectionLab, a Vagrant project that allows defenders or attackers to quickly build an Active Directory domain configured with security monitoring tooling and logging best practices. I wanted to write a quick post about why I'm so excited about this and my experiences getting it set up. I highly recommend reading both the README and this blog post that Chris wrote about the project.
I haven't been in information security for a very long time; I actually just recently passed the three-year mark. But as I've talked with people and grown my very long list of people I look up to, I've come to notice and respect certain traits that come with being a mature infosec professional.
Application Compatibility Shims have been a popular persistence mechanism for at least a couple of years now, and as our job is to emulate real-world threats, I decided to spend some time learning how they work, how they can be abused and how you can defend against them. There are already a lot of great resources out there on this technique, but this article fills in some missing details that I encountered during my research.
A lot has gone into PS>Attack since its debut at CarolinaCon earlier this year. There have been improvements to reliability, tab-completion and AV evasion. In this article I want to talk about some of the changes and the decisions that went into them.
Now that we have a functional Active Directory environment, let's make it do something. In this final article we cover creating users, adding computers to the domain, and creating some basic Group Policy objects.
So, we have a domain controller but we don't have Internet access. Let's fix that, and also add a DHCP server to make things easier on us going forward.
Having a lab is absolutely invaluable for anyone in IT, especially pentesters. Being able to put a new tool or attack through its paces in a safe environment is the best way to learn, and it's the only way to develop new attacks and techniques. Nearly every company uses Active Directory to manage their infrastructure, so it makes sense to start there.
I was doing an assessment on a piece of hardware recently and I needed to sniff the traffic leaving the device. The easiest way to approach this was to set up an access point in Kali.
Autorize is a great plugin for Burp that lets you quickly and easily test for Authentication (AuthN) and Authorization (AuthZ) issues within webapps.
A lot of work has gone into PS>Attack over the last month and almost all of the features work. With any luck, I'll get the last checkbox checked this weekend and it can move into beta. Before that, though, I wanted to recap what's happened with the project over the last month.