
MITRE ATT&CK - Kerberos Vulnerabilities and Security

From the previous post, the Kerberos authentication process is summarized below: For the initial authentication, the user’s client machine sends a request to the KDC Authentication Service (AS). The request includes details like the user’s username, and the date and time. All information except the username is encrypted using the hash of the user’s password. The KDC AS uses the username to look up its copy of the user’s password hash and uses it to decrypt the rest of the request. If the decryption is successful, that means the client used the correct password hash and the user has successfully authenticated. Once the user is authenticated, the KDC AS sends the user’s client a ticket granting ticket (TGT). The TGT includes a unique session key and a timestamp that specifies how long that session is valid (normally 8 or 10 hours). Importantly, before sending the TGT, the KDC encrypts it using the password hash for a special account, the KRBTGT account. That password hash is s

MITRE ATT&CK - Understanding Kerberos (for Golden Ticket Attack)

Kerberos = Network Authentication Protocol used by AD environments. Provides authentication by issuing tickets to authenticate users and allow them access to the services. Tickets are distributed by the KDC (Key Distribution Center), which is typically a Domain Controller (DC). During initial authentication, a TGT (Ticket Granting Ticket) is a ticket assigned to a user by the KDC. The TGT is later used to authenticate the user to the KDC in order to request a service ticket from the TGS (Ticket Granting Service). Service tickets are granted for authentication against services. List of steps / negotiations for Kerberos authentication (of the user with the service): The user requests (AS-REQ) a TGT from the KDC and the KDC verifies and validates the credentials and user information. This request is often done automatically at login. After authenticating the user, the KDC sends an encrypted TGT back to the requester (AS-REP). The user presents the TGT to the DC and requests a TGS (TGS-REQ). The TGS is e

MITRE ATT&CK - Tools, Attacks and Related - 1

MASSCAN - Mass IP port scanner.
TeamTNT - Threat group that has primarily targeted cloud and containerized applications. The group has been active since at least Oct 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. List of Techniques used by TeamTNT can be found here:
Mimikatz - A credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
Golden Ticket Attack - A golden ticket in Active Directory grants the bearer unlimited access. A golden ticket attack abuses the Kerberos protocol, which depends on the use of shared secrets to encrypt and sign messages. One of these secrets is known only to the Key Distribution Center (KDC): the password hash for the KRBTGT user, which is used to issue the Ke

Technical Debt and Security Debt

Technical debt (also known as tech debt or code debt) describes what results when development teams take actions to expedite the delivery of a piece of functionality or a project which later needs to be refactored. In other words, it’s the result of prioritizing speedy delivery over perfect code. It is like borrowing money to get something done faster than one typically can. Of course that comes with interest, which in the case of technical debt is code that is harder to manage and a "good" end-user experience rather than a "great" one. Technical debt is not a mess! A mess is a mess. Technical debt is simply a choice taken to expedite development in response to real project constraints. By extension, security debt is simply an accumulation of security vulnerabilities that have not been addressed over time. Security debt is a more serious problem than generic technical debt, as it makes the infrastructure susceptible to attackers. The older

GCP - Professional Cloud Security Engineer - Part 1

Cloud DLP
1. Data discovery and classification of (sensitive) data in Cloud Storage, BigQuery and Datastore.
2. Supports "streaming API" to support additional data sources and custom workloads.
Data identification using "built-in" and "custom" infotypes. Also performs automatic classification, masking, tokenization and transformation of sensitive data elements (such as PII data).
Data Catalog
To find, curate and use metadata to describe data assets in the cloud. Use Data Catalog to search for data assets and tag the assets with metadata.
CMEK - Generate and manage encryption keys using Cloud KMS. Helps to rotate encryption keys regularly.
CSEK - Create and manage your own encryption keys and then provide to Google Cloud. You need your own BYOK solution.
Cloud External Key Manager (Cloud EKM) - This lets you achieve a secure hold-your-own-key (HYOK) model for key management.
Cloud KMS - Software-backed encryption keys or FIPS 140-2 Level 3 validated HSM.
Clo

Alibaba Cloud Networking Services List

Virtual Private Cloud - Isolated tenant containing IP address range, network segment, route tables and gateway.
NAT Gateway - Allows Alibaba ECS instances to be source NAT'd with public IP to communicate on Internet.
Cloud Enterprise Network
VPN Gateway
Express Connect
Smart Access Gateway
Alibaba Cloud PrivateZone
PrivateLink
Network Intelligence Services (NIS)
Global Traffic Manager
CDN and Edge
Alibaba Cloud CDN
Secure Content Delivery
Dynamic CDN
Edge Node Service (ENS)
Global Accelerator

Amazon EventBridge - Resource-based Policies and Lambda

Refer to the AWS Documentation here.
When a rule runs in EventBridge, all of the targets associated with the rule are invoked. Rules can invoke AWS Lambda functions, publish to Amazon SNS topics or relay the event to Kinesis streams. To make API calls against the resources you own, EventBridge needs appropriate permissions.
EventBridge uses Resource-based policies for:
1. Lambda
2. Amazon SNS
3. Amazon SQS
4. Amazon CloudWatch Logs
EventBridge uses Identity-based policies for: Kinesis streams
AWS Lambda Permissions will look something like below:
{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
    }
  },
  &