Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)Read more “Defending Against Direct Authentication Attacks in Microsoft Office 365”
MFA was the “silver bullet” but friction and security kind of go hand in hand, the idea of a push notification and simple “authorise” is great in theory, but in practise it is vulnerable to brute force and human error. In this post we are going to check out enabling number matching authentication in Azure.
This is just one configuration option, as you can see there are loads of options for methods and specific configurations. Bear in mind the pros and cons for each one, for example SMS based 2FA can be vulnerability to SIM swapping attacks. I’m going to focus on Number Matching in Authenticator for this post: Read more “Enable Number Matching in Azure MFA”
Ok so my most popular blog on pwndefend is about using Hydra… so I guess that’s all the goodies using it for good things, right? Probably not but it does help people understand the weaknesses of single factor authentication systems without supplementary controls.
So, let’s look at authentication defences, but let’s do this from an attacker perspective! (The opposite of what helps an attacker usually helps defend). Crazy madness right, let’s get to it!
Foundations of Sand
Ok so authentication is a key security control in computer systems. To understand the challenge around authentication and think it’s all a technical problem is to error.
See most modern computer systems require at least two things to authenticate:
- A Username
- A Password
Whilst I was on ‘holiday’ (seriously even when on holiday I almost always must do some work!) a few Windows vulnerabilities were published. Great work by Gilles Lionel, Benjamin Delpy and many many others!
- A Domain Controller
- A Separate ADCS Install with Web Enrolment or two DCs one with ADCS installed.
- A windows Client Device (non-domain joined)
- An attacker device (I used Kali)
You do not need any domain credentials to conduct this exploit chain, so from a network adjacent unauthenticated position you can get DA with the right circumstances (default configuration). Read more “From Zero to DA using ‘PetitPotam’”
Create PowerShell Session is failed using OAuth
When connecting to Exchange online (there was a reason I needed to do this) I had the following error:
I did some googling that luckily someone has already posted how to fix this:
It turns out WINRM’s ability to use BASIC client authentication is disabled as part of the standard Windows 10 hardening baseline deployed via Intune.
To fix these we need to re-enable BASIC client side WINRM authentication. Read more “Modern Workspace: PowerShell OAuth Error”
Back in 2019 I started to make some materials to help people with some basic offensive security techniques. I made three eppisodes of training materials. Well I’ve decided to re-release these, they haven’t really been changed but I’ve updated a few graphics on episode 3 and removed a link to Cain and Abel because it’s no longer maintained. I will probably go through these at some point and re-factor them.
I’ve got more documents on active directory security, I’ve actually written hundreds of pages on the subject but the challenge I’ve had is there is just so much to write, so I’ve decided I’m going to chunk it up into small blogs on a specific technique or area.Read more “Hacking 101”
Because typing is so 2017!
Ok, so I ordered a Kensington VeriMark fingerprint reader to see how for a few British pounds (or whatever currency you use!) you can add fingerprint authentication to a Windows desktop in minutes!
So this is being conducted with 0 reading of docs (because it’s fun to research just how simple you can a) enable security or b) mess things up when you don’t RTFM!. The next step on my uncharted journey, I plugged in the device to a spare USB port and didn’t see a failed driver installation toast, so we are looking good (note the sensor is the largest rectangle surface on the device, not the one with a cool blue LED)
Now I hit the windows key and typed finger and Win10 prompted me for the settings pane (that was lucky!) Read more “Using Windows Hello to enable fingerprint authentication”