SANS Digital Forensics and Incident Response Blog: Author - Mike Pilkington

Monitoring for Delegation Token Theft

Delegation is a powerful feature of Windows authentication which allows one remote system to effectively forward a user's credentials to another remote system. This is sometimes referred to as the "double-hop". This great power does not come without great risk however, as the delegation access tokens used for this purpose can be stolen by attackers … Continue reading Monitoring for Delegation Token Theft


Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More

It's been a rough year for Microsoft's Kerberos implementation. The culmination was last week when Microsoft announced critical vulnerability MS14-068. In short, this vulnerability allows any authenticated user to elevate their privileges to domain admin rights. The issues discussed in this article are not directly related this bug. Instead we'll focus on design and implementation … Continue reading Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More


Protecting Privileged Domain Accounts: Restricted Admin and Protected Users

It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into two articles. This article will cover specific … Continue reading Protecting Privileged Domain Accounts: Restricted Admin and Protected Users


The Power of PowerShell Remoting

PowerShell "Remoting" is a feature that holds a lot of promise for incident response. "Remoting" is the ability to run PowerShell commands directly on remote systems and have just the results sent back to the querying machine. From an IR standpoint, this is like a built-in agent ready and waiting to answer your investigative questions-at … Continue reading The Power of PowerShell Remoting


Overview of Microsoft`s "Best Practices for Securing Active Directory"

As incident responders, we are often called upon to not only supply answers regarding "Who, What, When, Where, and How" an incident occurred, but also how does the organization protect itself against future attacks of a similar nature? In other words, what are the lessons learned and recommendations based on the findings? A new paper … Continue reading Overview of Microsoft`s "Best Practices for Securing Active Directory"