Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More

It's been a rough year for Microsoft's Kerberos implementation. The culmination was last week when Microsoft announced critical vulnerability MS14-068. In short, this vulnerability allows any authenticated user to elevate their privileges to domain admin rights. The issues discussed in this article are not directly related this bug. Instead we'll focus on design and implementation weaknesses that can be exploited under certain conditions. MS14-068 is an outright bug which should be patched immediately. If you haven't patched it yet, I suggest you skip this article for now and work that issue right away. Then come back later for some more Kerberos fun!

Our red-team friends have been quite busy recently dissecting Kerberos and have uncovered some pretty concerning issues along the way. Issues, or attacks, such as the "Golden

...

Protecting Privileged Domain Accounts: Restricted Admin and Protected Users

It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into two articles. This article will cover specific updates Microsoft has provided to help protect user credentials. I'll follow up next week to discuss the Kerberos issues in depth.

As a quick reminder, the major takeaway from my previous articles on this subject are that we can successfully protect our privileged domain accounts by taking these 3 steps:


  1. Avoid interactive logons to untrusted hosts

  2. Disable ...

SANS DFIR Summit 2015 - Call For Papers

Dates:


  • Summit Dates: - July 7-8, 2015

  • Post-Summit Training Course Dates: July 9-14, 2015


Summit Venue:

  • Hilton Austin

  • 500 East 4th Street

  • Austin, TX78701

  • Phone: 512-482-8000


DFIRCON East Advanced Smartphone Forensics Challenge Winner Announced!

Due to the vast amount of responses we got for our Smartphone Forensic Challenge, the winner was just determined. The rules states that the winner must answer 4 of the 6 questions correctly, and the lucky winner answered all 6 questions correctly. Shawna Denson, you are the lucky winner!!!!

Thank you to everyone who submitted. FOR585 Advanced Smartphone Forensics is currently being held online virtual training via onDemand, at Network Security 2014 (Las Vegas), and

...

Announcing the GIAC Network Forensic Analyst Certification - GNFA

A new security certification focused on the challenging field of network forensics


BETHESDA, MD - October 7, 2014- Global Information Assurance Certification (GIAC) is pleased to announce a new forensics certification, the GIAC Network Forensic Analyst (GNFA). The GNFA validates that professionals who hold this credential are qualified to perform examinations employing network forensic artifact analysis and demonstrate an understanding of the fundamentals of network forensics, normal and abnormal conditions for common network protocols, the process and tools used to examine device and system logs, wireless communication and encryption protocols. The GNFA exam will ...