Real-time impersonation and impersonation using C# are two different approaches to impersonating a user or principal in a Windows environment. Here's a detailed post on both:

*Real-time Impersonation*

Real-time impersonation, also known as "interactive impersonation," involves impersonating a user in real time, allowing the impersonated user's credentials to be used for authenticating and authorizing access to resources. This approach is typically used when a service or process needs to impersonate a user in order to access resources on their behalf.

*How it works:*
1. A service or process requests impersonation privileges.
2. The operating system creates a new access token for the impersonated user.
3. The service or process uses the impersonated user's access token to access resources.

*Pros:*
- Allows for real-time impersonation, enabling seamless access to resources.
- Does not require storing user credentials.

*Cons:*
- Requires impersonation privileges, which can be a security risk.
- Can be resource-intensive.

*Impersonation using C#*

Impersonation using C# involves using the WindowsIdentity class to impersonate a user programmatically. This approach is commonly used in Windows services, web applications, and other scenarios where impersonation is necessary.

*How it works:*
1. Create a WindowsIdentity object for the impersonated user.
2. Call the Impersonate() method to start impersonation.
3. Use the impersonated user's credentials to access resources.
4. Call the Undo() method to stop impersonation.

*Pros:*
- Allows for programmatic impersonation, enabling flexible and controlled access to resources.
- Does not require impersonation privileges.

*Cons:*
- Requires storing user credentials, which can be a security risk.
- Can be complex to implement.

*Key differences:*
- Real-time impersonation is a system-level feature, while impersonation using C# is a programmatic approach.
- Real-time impersonation requires impersonation privileges, while impersonation using C# does not.

In summary, real-time impersonation and impersonation using C# are two different approaches to impersonating a user in a Windows environment. Real-time impersonation is a system-level feature that allows for seamless access to resources, while impersonation using C# is a programmatic approach that enables flexible and controlled access to resources. Choose the approach that best fits your needs based on security, performance, and complexity considerations.
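The C# steps above, as an added example that is not part of the original post: a token is obtained with LogonUser and impersonated on the current thread with WindowsIdentity.RunImpersonated, which reverts the thread automatically, so the Undo() step cannot be skipped by an exception. The account, environment variable names and probe path are assumptions; the credential is read from the environment only to keep the sample self-contained.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example (not from the post): log a user on, impersonate that token on this thread,
// and guarantee the revert. Account, variable names and probe path are assumptions.
static class ImpersonationDemo
{
    const int LOGON32_LOGON_NETWORK = 3;     // no interactive session; token cannot reach remote shares
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Returns what the impersonated thread sees, so a caller can confirm the context switch happened.
    public static string RunAs(string domain, string user, string password, string probePath)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out var token))
            throw new Win32Exception(Marshal.GetLastWin32Error());   // e.g. 1326 = bad user name or password

        using (token)   // closes the token handle even if the delegate throws
        {
            return WindowsIdentity.RunImpersonated(token, () =>
            {
                // Only this thread runs as the impersonated user; other threads keep the process's primary token.
                var me = WindowsIdentity.GetCurrent();
                bool canRead = File.Exists(probePath);   // the access check now uses the impersonated token
                return $"{me.Name} (level {me.ImpersonationLevel}) canRead={canRead}";
            });
            // RunImpersonated reverts the thread token on exit: there is no Undo() call to forget.
        }
    }

    static void Main()
    {
        // Credentials come from the environment here; a real service would use DPAPI or a vault, or better,
        // avoid password-based logon entirely by impersonating the token of the caller it serves.
        string domain = Environment.GetEnvironmentVariable("IMP_DOMAIN") ?? ".";
        string user = Environment.GetEnvironmentVariable("IMP_USER") ?? throw new InvalidOperationException("IMP_USER not set");
        string pwd = Environment.GetEnvironmentVariable("IMP_PASSWORD") ?? throw new InvalidOperationException("IMP_PASSWORD not set");

        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("During: " + RunAs(domain, user, pwd, @"C:\restricted\report.txt"));
        Console.WriteLine("After : " + WindowsIdentity.GetCurrent().Name);
    }
}
```

On .NET Framework the same shape applies to the post's Impersonate()/Undo() pair: wrap the WindowsImpersonationContext in a using block so Undo() runs on every exit path.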
Abhijeet Kulkarni’s Post
More Relevant Posts
-
Deep dive into access tokens on Windows:

⦁ User Login and Token Creation:
- When a user like Alice attempts to log in, the process begins with winlogon.exe, which is responsible for handling the login interface.
- LogonUI.exe prompts the user for credentials. Once the credentials are entered, they are passed to the Local Security Authority (LSA) for verification.
- LSA (Local Security Authority Subsystem Service) processes the credentials. If the credentials are valid, LSA requests lsass.exe (Local Security Authority Subsystem) to create an access token for the new logon session.

⦁ Token Propagation:
- Once the access token is created, userinit.exe is started using the new access token. userinit.exe is responsible for setting up the user environment, including starting the user's shell (e.g., explorer.exe).
- Every process that is launched in the user's logon session inherits a copy of the primary access token. For instance, explorer.exe starts with the same primary access token as userinit.exe, allowing these processes to run with the same security context.

⦁ Primary and Impersonation Tokens:
- Each process has a primary token associated with it, defining its security context. For example, a service running under service.exe may have a primary token that defines its permissions.
- Threads within a process, such as thread1 and thread2, can use different tokens called impersonation tokens. These allow the thread to temporarily assume another user's security context, enabling the process to perform actions on behalf of another user or process.

⦁ Access Control Verification:
- When a user attempts to access a resource (like a file), the system checks the user's access token against the resource's security descriptor. The security descriptor contains a Discretionary Access Control List (DACL) with Access Control Entries (ACEs) that define who can access the resource and with what permissions.
- The access token's contents, including the user's SID (Security Identifier), group memberships, privileges, and logon ID, are compared against the DACL to determine whether access is allowed or denied.

⦁ Default DACL Application:
- The Default DACL (Discretionary Access Control List) within the access token specifies the permissions that are automatically applied to new objects created by the user. This helps in consistently enforcing security policies for new resources generated during the session.

⦁ Logon ID and Session Identification:
- The Logon ID in the access token uniquely identifies the logon session. This ID helps track which processes belong to which user session, ensuring the correct context is maintained across various actions and resources.
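The access-control verification described in the post, as an added example that is not the post author's code: it prints the token fields an access check compares (user SID, group SIDs, primary vs impersonation token) and walks a file's DACL, marking the ACEs whose trustee appears in the token. The default file path is an assumption; the matching is a simplified model of the kernel's AccessCheck, not a replacement for it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the post). Simplified model only: the real AccessCheck also maps generic
// rights, honours deny-before-allow ordering, and evaluates the owner and integrity level.
// Use it as a learning aid, never as an authorization decision.
static class TokenVsDacl
{
    public static string DescribeToken(WindowsIdentity id)
    {
        string kind = id.ImpersonationLevel == TokenImpersonationLevel.None
            ? "primary token" : "impersonation token (" + id.ImpersonationLevel + ")";
        return $"{id.Name}  user SID={id.User}  {kind}  groups={id.Groups?.Count ?? 0}";
    }

    // True when the ACE's trustee is the token's user SID or one of its group SIDs.
    public static bool AceAppliesTo(FileSystemAccessRule ace, WindowsIdentity id)
    {
        var sid = ace.IdentityReference as SecurityIdentifier;
        if (sid == null) return false;
        return sid.Equals(id.User) || (id.Groups != null && id.Groups.Contains(sid));
    }

    public static List<string> ExplainDacl(string path, WindowsIdentity id)
    {
        var lines = new List<string>();
        FileSecurity fs = new FileInfo(path).GetAccessControl(AccessControlSections.Access);
        // GetAccessRules returns ACEs in DACL order: explicit entries first, inherited ones after.
        foreach (FileSystemAccessRule ace in fs.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            string mark = AceAppliesTo(ace, id) ? "  <- matches token" : "";
            lines.Add($"{ace.AccessControlType,-5} {ace.IdentityReference,-45} {ace.FileSystemRights}{mark}");
        }
        return lines;
    }

    static void Main(string[] args)
    {
        // Assumed target: any file path; defaults to the hosts file, which every account can read.
        string path = args.Length > 0 ? args[0]
            : Path.Combine(Environment.SystemDirectory, @"drivers\etc\hosts");
        var id = WindowsIdentity.GetCurrent();
        Console.WriteLine(DescribeToken(id));
        foreach (var l in ExplainDacl(path, id)) Console.WriteLine(l);
    }
}
```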
-
Export 7+ Mailbox Folder Permission Reports using a single PowerShell script! Download now to identify excessive folder permissions. #ExchangeOnline #PowerShell #Sysadmin #Security #MailboxPermission
Day 5/50 PowerShell Scripts: Enhance Mailbox Folder Permission Reporting in Exchange Online! Concerned about excessive folder permissions? Download this PS script for detailed insights on mailbox folder access rights. Act now and secure your mailboxes! https://lnkd.in/gqgK7FYm #Microsoft365 #O365reports #PowerShell #FolderPermissions #ExchangeOnline #AccessRights #Security #MicrosoftExchange #SysAdmin
Get Mailbox Folder Permission Report Using PowerShell
https://o365reports.com
-
Investigating Windows Scheduled Task Abuse by Threat Actors

Scheduled Tasks are a common way for threat actors to establish persistence and execute malicious code on Windows systems. As a cybersecurity professional, it's critical to understand:
- How scheduled tasks work on Windows
- The artifacts that scheduled tasks leave behind
- Techniques threat actors use to abuse tasks

This post https://lnkd.in/gQGH8cSg is the first in a series that dives deep into Windows Scheduled Task forensics.

Key takeaways:
- Task definitions are stored on disk as XML files, in the registry, and in memory
- Historical evidence of created, modified and deleted tasks is logged if auditing is enabled
- PowerShell Scheduled Jobs require analyzing additional artifact sources
- Comprehensive artifact collection and parsing is essential to piece together the full story

Tools like Cyber Triage can help automate and simplify the investigative process by collecting task-related artifacts, parsing them into a readable format, and highlighting suspicious tasks that warrant deeper analysis.

For more details, check out the full blog post. And stay tuned for upcoming posts that explore task-related artifacts in greater depth!

#dfir #cybersecurity #incidentresponse #threatintel #WindowsScheduledTasks
Windows Scheduled Tasks for DFIR Investigations
cybertriage.com
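The first takeaway above (task definitions stored on disk as XML) as an added example, not Cyber Triage's code: it walks the task XML files under %SystemRoot%\System32\Tasks and summarises every Exec action with its author and principal for analyst review. The review prompts are assumed heuristics for illustration, not a vetted detection rule.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.Linq;
// Added example (not Cyber Triage's code): parse on-disk task definitions and summarise Exec actions.
// The "review" heuristics are assumptions for illustration only.
static class TaskXmlTriage
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/windows/2004/02/mit/task";
    public sealed class TaskAction
    {
        public string File, Author, UserId, RunLevel, Command, Arguments;
        public List<string> Flags = new List<string>();
    }
    // Task XML is stored as UTF-16 with a BOM; XDocument.Load honours the BOM.
    public static List<TaskAction> Parse(string path)
    {
        var result = new List<TaskAction>();
        XElement root = XDocument.Load(path).Root;
        XElement reg = root.Element(Ns + "RegistrationInfo");
        XElement prin = root.Element(Ns + "Principals")?.Element(Ns + "Principal");
        foreach (XElement exec in root.Descendants(Ns + "Exec"))
        {
            var a = new TaskAction
            {
                File = path,
                Author = (string)reg?.Element(Ns + "Author"),
                UserId = (string)prin?.Element(Ns + "UserId"),
                RunLevel = (string)prin?.Element(Ns + "RunLevel"),
                Command = (string)exec.Element(Ns + "Command") ?? "",
                Arguments = (string)exec.Element(Ns + "Arguments") ?? "",
            };
            string cmd = (a.Command + " " + a.Arguments).ToLowerInvariant();
            if (cmd.Contains("powershell") && (cmd.Contains(" -e") || cmd.Contains("hidden")))
                a.Flags.Add("script host with encoded/hidden switches");
            if (cmd.Contains(@"\appdata\") || cmd.Contains(@"\temp\") || cmd.Contains(@"\public\"))
                a.Flags.Add("runs from a user-writable path");
            if (string.Equals(a.RunLevel, "HighestAvailable", StringComparison.OrdinalIgnoreCase))
                a.Flags.Add("requests highest available privileges");
            result.Add(a);
        }
        return result;
    }
    static void Main()
    {
        string root = Path.Combine(Environment.GetEnvironmentVariable("SystemRoot") ?? @"C:\Windows", @"System32\Tasks");
        foreach (string f in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
        {
            try   // access denied or malformed XML: report it and keep sweeping rather than abort
            {
                foreach (var a in Parse(f))
                    Console.WriteLine($"{(a.Flags.Count > 0 ? "REVIEW" : "ok")}\t{a.File}\n\t{a.Command} {a.Arguments}\n\tauthor={a.Author} user={a.UserId} runlevel={a.RunLevel} {string.Join("; ", a.Flags)}");
            } catch (Exception e) { Console.WriteLine($"[skip] {f}: {e.Message}"); }
        }
    }
}
```

Run it from an elevated prompt so the Tasks folder is fully readable, and compare the output with the registry TaskCache and event-log evidence the post mentions, since an attacker can tamper with any single source.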
-
Another in a series of really good articles, by an experienced BigFix user, on creative ways to leverage BigFix!
Zach's Dad @ Zach Drinks Prime and BigFix Manager / Architect @ TCS (Refinitiv / London Stock Exchange Group)
*** BIGFIX IS NOT A SPY - UNTIL IT IS ***

Right, we're not quite talking MI5, MI6 or CIA here, but if you read on you'll find yet another use case for HCL BigFix that doesn't get advertised.

Humans are an absolute nightmare! It's no lie. Almost all (if not all) weak points or exploitable areas of an OS or software are created by something a human has done.

You don't have to answer this but... How many of you have a plain text file sitting on your server, laptop or desktop with passwords in it? You know you're not supposed to have it, but you do, and your company knows you do too. The problem is that they often have no real way to spot it or prevent it beyond the million training courses they make you take each year on not doing stupid things like this.

Cue BigFix! Did you know that BigFix agents have the ability to spy on your endpoints and the data within them? Your BigFix team can create a very simple analysis that looks inside files for the word "password", or "pass" if you want to be a bit more down with the kids 😅

Now that query can run continuously (or at a defined period) and privately send an email to your security team when it detects the issue, with the name of the server it's been spotted on, the location of the file and, if you really wanted it, the contents of said file.

Now I've used the specific scenario of looking for files with exposed plain text passwords in them, but in reality this process can be used for anything you want it to be used for. You just have to define the parameters of what you're looking for. There are of course some caveats, and it's much better to look at specific folders rather than a whole system drive, but that's not to say it can't be done.

You could even build in a "quarantine" facility that would work with a policy action that not only looks for and finds these cases but also uploads the file to a specific server, then deletes the file from the disk or overwrites it with a nice warning like "The contents of this file have been removed and uploaded to the Security Team for review".

Again, this is a very generic use of the "spy" capabilities of BigFix, and I'm sure you could think of more specific use cases (like I can), but I have to be very generic for the purposes of my posts 😉

So this is how BigFix is not a spy - until it is.

Remember, BigFix has a whole number of use cases that are never advertised, and with the right BigFix admin on your team, anything is possible and they will certainly make sure you're getting the most out of your deployment. BigFix Administrators are worth their weight in gold, I should know 😂

If you would like to know whether BigFix can do something, feel free to drop me a message or comment below. Alternatively, if you've got a use case I haven't already covered and would like me to cover it, same again, drop me a message or comment below.
-
If you have not done so yet, make sure to update your Windows operating system immediately. The most recent patch release by Microsoft contains two critical patches that close two recent vulnerabilities that have been found. These vulnerabilities, when exploited, could cause a major stop to your business and put you at risk of a serious breach. If you haven't been keeping up to date with your patches, or simply don't know how to patch and maintain your network, maybe it is time to look at bringing on an IT partner that can help keep you safe. https://loom.ly/11yIkv8
Microsoft fixes two zero-days with Patch Tuesday release
computerworld.com
-
Credentials Dump and Password Attack Tools 🔐

🔹 Mimikatz - One of the most well-known tools for extracting credentials from Windows systems.
🔹 Windows Credential Editor (WCE) - Allows extraction of Windows logons stored in memory.
🔹 LaZagne - Recovers saved passwords from various software.
🔹 Procdump - A Sysinternals tool that can be used to create memory dumps of processes. Can be used in conjunction with other tools to extract credentials.
🔹 PwDump7 - Extracts NTLM and LanMan hashes from the local system.
🔹 Gsecdump - Tool for dumping LSA passwords.
🔹 Hashdump - A Metasploit tool for extracting password hashes.
🔹 Quarks PwDump - Tool to extract hashes from local and Active Directory accounts.
🔹 Samdump2 - Dumps password hashes from the Windows SAM.
🔹 Creddump7 - Tool to extract credentials from the Windows cache.
🔹 LSADump - A tool included in some suites, like Metasploit, to dump credentials from LSA protected storage.
🔹 SecretsDump - Impacket tool for dumping hashes and other Windows secrets.
🔹 Kekeo - A set of tools related to Mimikatz, but focused on Kerberos.
🔹 PwdumpX - A tool for extracting NTLM hashes from Windows.
🔹 Bkhive / Samdump - Used to extract the SYSKEY from the SYSTEM hive and subsequently dump hashes from the SAM hive.
🔹 CacheDump - Tool to extract cached password hashes.
🔹 DitSpy - A tool to visualize and extract content from an NTDS.dit file.
🔹 NtdsAudit - A tool to audit the NTDS.dit file of a Domain Controller.
🔹 Ntdsxtract - Tools to extract information from NTDS.dit.
🔹 NirSoft Utilities - Various small utilities, like IE PassView, Mail PassView, and more, that can extract saved passwords from various programs.
🔹 DumpSec - A tool that dumps DACL/SACL permissions, user account details, and more.
🔹 SniffPass - A password sniffer utility to capture passwords passing through your network card.
🔹 Crowd Response - A CrowdStrike tool that can be used to gather process and memory information.
🔹 Pass-the-Hash Toolkit - Tools to attack the Windows authentication mechanism using hashes.
🔹 windows-privesc-check - A Python script that checks for Windows privilege escalation vulnerabilities.

🔖 #infosec #cybersecurity #hacking #pentesting #security