Hi all, I’ve decided to review the new Decider tool from the US Cybersecurity and Infrastructure Security Agency (CISA), which was released on March 1, 2023. Decider is designed to provide security analysts with guided assistance in mapping Tactics, Techniques, and Procedures (TTPs) / adversary behaviours to the MITRE ATT&CK Enterprise Matrix. In this post, I’ll provide a brief overview of Decider’s capabilities and how it can augment your existing security operations capabilities. Decider overview: Decider is an open-source web app developed by CISA and is hosted on GitHub here: https://github.com/cisagov/decider. The repository includes documentation to help you install the…
Hello! I’ve decided to revive this blog since I’ve been paying for the domain and hosting for the past few years, but have neglected to post anything. Over the past couple of weeks, my brand new PC has been crashing a bunch. I had a bit of free time today and decided I’m finally going to sort this out as it’s really interrupting my need to play Among Us with my buddies. I’ve broken this post down into observations, a preliminary investigation, interrogation, and (possible) resolution. Enjoy! UPDATE: PC crashed after another hour so guess the issue isn’t resolved! I’ll…
Enhancing detection and blocking capabilities with Windows 10’s built-in anti-virus solution.
Combine on-premises breached password reset detection with your cloud environment!
Introduction Yep, another Pwned Passwords post! This one brings the total to 3, and it now makes up the entirety of my posts here. A couple of days ago, Troy Hunt released support for NTLM hashes for his Pwned Passwords dataset. This is really cool because it allows us to check live Active Directory hashes from ntds.dit (located under C:\Windows\NTDS on Domain Controllers). However, there’s a little bit of work involved in getting to that step, so I thought I would put together this quick little guide. Extracting Hashes from NTDS.DIT So, how do we get the hashes out of…
I’d like to preface this post by saying that I 100% understand concerns about using an external API, even when sending it just a small amount of unusable information. The possibility of compromise and subsequent infection on Domain Controllers is a true security risk and it is totally acceptable to not want to take that risk. For those not wishing to use an external API at all, I wrote an original post on checking breached passwords with AD, that works entirely offline with downloaded hashes of Troy Hunt’s Pwned Passwords – you can read about that project here. Introduction Last…
Edit: I have now overhauled the blog post and essentially recreated PwnedPasswordsDLL to run on-premises, and return results very quickly. Information regarding set-up and the new release can be found below. Changes have now been pushed to GitHub and are available for use. Introduction – In simplistic terms, PwnedPasswordsDLL will check a requested Active Direvtory password change against a local store of over 330 million password hashes. If the hash is found in the breached passwords, the requesting password is rejected. This entire process takes ~1 second against over 330 million previously breached password hashes. Now on to a more…