Posts

MITRE ATT&CK - Understanding Kerberos (for Golden Ticket Attack)

Kerberos is the network authentication protocol used by Active Directory (AD) environments. It provides authentication by issuing tickets that authenticate users and allow them access to services. Tickets are distributed by the KDC (Key Distribution Center), which is typically a Domain Controller (DC). During initial authentication, a TGT (Ticket Granting Ticket) is assigned to the user by the KDC. The TGT is later used to authenticate the user to the KDC in order to request a service ticket from the TGS (Ticket Granting Service). Service tickets are granted for authentication against services.

List of steps / negotiations for Kerberos authentication (of the user with the service):
1. The user requests a TGT from the KDC (AS-REQ), and the KDC verifies and validates the credentials and user information. This request is often done automatically at login.
2. After authenticating the user, the KDC sends an encrypted TGT back to the requester (AS-REP).
3. The user presents the TGT to the DC and requests a TGS (TGS-REQ). The TGS is e

MITRE ATT&CK - Tools, Attacks and Related - 1

MASSCAN - Mass IP port scanner: https://github.com/robertdavidgraham/masscan
TeamTNT - Threat group that has primarily targeted cloud and containerized applications. The group has been active since at least Oct 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. The list of techniques used by TeamTNT can be found here: https://attack.mitre.org/groups/G0139/
Mimikatz - A credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
Golden Ticket Attack - A golden ticket in Active Directory grants the bearer unlimited access. A golden ticket attack abuses the Kerberos protocol, which depends on the use of shared secrets to encrypt and sign messages. One of these secrets is known only to the Key Distribution Center (KDC): the password hash for the KRBTGT user, which is used to issue the Ke

Technical Debt and Security Debt

Technical debt (also known as tech debt or code debt) describes what results when development teams take actions to expedite the delivery of a piece of functionality or a project that later needs to be refactored. In other words, it is the result of prioritizing speedy delivery over perfect code. It is like borrowing money to get something done faster than one typically can. Of course, that comes with interest, which in the case of technical debt means code that is harder to maintain and a "good" end-user experience rather than a "great" one. Technical debt is not a mess! A mess is a mess. Technical debt is simply a choice taken to expedite development in response to real project constraints. By extension, security debt is simply an accumulation of security vulnerabilities that have not been addressed over time. Security debt is a more serious problem than generic technical debt, as it makes the infrastructure susceptible to attackers. The older

GCP - Professional Cloud Security Engineer - Part 1

Cloud DLP
1. Data discovery and classification of (sensitive) data in Cloud Storage, BigQuery and Datastore.
2. Supports a "streaming API" to support additional data sources and custom workloads.
Data identification uses "built-in" and "custom" infoTypes. Cloud DLP also performs automatic classification, masking, tokenization and transformation of sensitive data elements (such as PII data).
Data Catalog - To find, curate and use metadata to describe data assets in the cloud. Use Data Catalog to search for data assets and tag the assets with metadata.
CMEK - Generate and manage encryption keys using Cloud KMS. Helps to rotate encryption keys regularly.
CSEK - Create and manage your own encryption keys and then provide them to Google Cloud. You need your own BYOK solution.
Cloud External Key Manager (Cloud EKM) - Lets you achieve a secure hold-your-own-key (HYOK) model for key management.
Cloud KMS - Software-backed encryption keys or FIPS 140-2 Level 3 validated HSM.
Clo

Alibaba Cloud Networking Services List

Virtual Private Cloud - Isolated tenant containing an IP address range, network segment, route tables and gateway.
NAT Gateway - Allows Alibaba ECS instances to be source NAT'd with a public IP to communicate on the Internet.
Cloud Enterprise Network
VPN Gateway
Express Connect
Smart Access Gateway
Alibaba Cloud PrivateZone
PrivateLink
Network Intelligence Services (NIS)
Global Traffic Manager
CDN and Edge: Alibaba Cloud CDN, Secure Content Delivery, Dynamic CDN, Edge Node Service (ENS), Global Accelerator

Amazon EventBridge - Resource-based Policies and Lambda

Refer to the AWS documentation here. When a rule runs in EventBridge, all of the targets associated with the rule are invoked. Rules can invoke AWS Lambda functions, publish to Amazon SNS topics or relay the event to Kinesis streams. To make API calls against the resources you own, EventBridge needs the appropriate permissions.

EventBridge uses resource-based policies for:
1. Lambda
2. Amazon SNS
3. Amazon SQS
4. Amazon CloudWatch Logs

EventBridge uses identity-based policies for: Kinesis streams.

The AWS Lambda permission will look something like the below:

{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
    }
  },

Kubernetes - Concepts, Components & Use-Cases

Kubernetes (K8s) is an open-source container-orchestration platform for automating application deployment, management and scaling.

Concepts
1. Kubernetes uses the concept of pods: an object that consists of one or more containers which share a network namespace.
2. Kubernetes automates deploying, scaling and managing containerized applications on a group (cluster) of (bare-metal or virtual) servers, for example ensuring that if a container within a pod crashes, it will be restarted.

Use case: A developer needs 5 application containers on a host. The way to do it using Docker is to type the command "docker run <application_name>" individually 5 times, creating 5 containers on the host machine. What if a production environment requires 200 containers? If you have an automation script that runs the above command 200 times to create 200 containers, how do you monitor them? How do you ensure the underlying host resources aren't stretched or depleted? K8s to the res