Experts Blog

Hunting Resource-Based Constrained Delegation in Active Directory

Fortalice Solutions is proud to announce it has signed on as Champion for Cybersecurity Awareness Month 2022. At Fortalice Solutions, we believe preparation is the best strategy to protect organizations from cyber threats and crime. We transform a reactive security model into a proactive, results-based model of protection. Fortalice Solutions, led by the first woman to serve as White House Chief Information Officer, Theresa Payton, is comprised of passionate practitioners who provide organizations with clarity of priority, approach, and security design.

Fortalice Solutions Announces New Partners

Discussion of environments susceptible to lateral movement through resource-based constrained delegation (RBCD) attacks, prompting me to take a deeper dive into the topic

As Premiums Skyrocket, Cyber Insurance Companies Use Open-Source Intelligence to Assess Clients

Fortalice Solutions CEO and Founder, Theresa Payton has announced the promotion of Bridget O’Connor and Melissa O’Leary to the position of Partner of Fortalice Solutions.

The Privacy Pitfalls and Security Dangers of Internet Trackers

Fortalice Client Advisory: New Bank Cybersecurity Incident Reporting Rules

Fortalice Client Advisory on Twilio Breach

Pegasus Attacks, iOS 16, and Lockdown Mode

SWIFT Compliance Made Easy

Fortalice Solutions Offensive Security Partnership with Immaculata University

Granularize Your Active Directory Reconnaissance Game Part 2

Upcoming Open-Source Intelligence (OSINT) Training

Last month Fortalice open-sourced BOFHound, an offline BloodHound ingestor for raw ldapsearch results. Along with BOFHound, we released a companion tool for it, pyldapsearch, and submitted a pull request to TrustedSec's CS-Situational-Awareness-BOF modifying the ldapsearch BOF to include the nTSecurityDescriptor attribute. Adam Brown wrote a post accompanying the release, which covered much of the tool's background, including blue team strategies for detecting BloodHound useful and the red team's reversion to more manual LDAP querying techniques. This blog will serve as a follow-up to that post, covering some usage strategies for ldapsearch + BOFHound and going into the updates that were recently pushed to BOFHound in version 0.1.0.

Fortalice BOFHound Release - Granularize Your Active Directory Reconnaissance Game

Adam Brown

BloodHound has helped offensive and defensive teams since then conduct efficient and thorough auditing of Active Directory environments. For a while, reviewing Active Directory environments without BloodHound became almost unimaginable, and certainly unattractive. As the tool has evolved and grown, it has become a staple of the offensive tester's toolkit while simultaneously becoming an increasingly desired detection point for defensive teams. Several detection strategies have surfaced over the past 7 years. This post will cover a few helpful detection strategies. Some you may know of, and others, maybe not. Then we'll wrap by introducing two new tools which aim to give red teams a chance at avoiding detection when necessary.

Okta Breach Advisory

Keeping Up with the NTLM Relay

Apple AirTag Tracking Without Consent

Back in when I was getting started as a junior pentester, I vividly remember reading @byt3bl33d3r's 2017 post: Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). I still recommend checking this out if you haven't already - it will cover the basics of NTLM relaying and background on some of the confusing pieces ([Net]NTLMv1/2 anyone?) that there's no need for me to repeat here. There's also a plethora of other great NTLM relay blogs and resources that I'll try to link to throughout this post, while I attempt to touch on the ever growing library of NTLM relay uses after 2021 introduced several new relay vectors.

Triple Threat 2022-2023 Cybersecurity Predictions

ADCS: Playing with ESC4

Log4j Explainer: Protect Your Systems From Log4j 2 Vulnerability

ADCS has been a treasure trove for recent offensive operations while organizations are still catching up to the research released by Will Schroeder and Lee Christensen back in June. Amazingly, enough escalation vectors were dropped that 5 months later I still haven't found time to test and explore every one of them (suppose that means I'm still catching up too). Luckily, an ESC4 scenario prompted some digging into abusing ACL permissions to create vulnerable template states.

Advisory on the Apache Log4j Library Vulnerability

Shadow Credentials: Workstation Takeover Edition

Wire Fraud Alert: Business Email Compromise (BEC) on the Rise

Active Directory Certificates and PKINIT are hot topics these days and our operators at Fortalice have been doing their best to stay on top of the new research and tools. My previous blog touched on PyWhisker and referenced one of its resources available on https://thehacker.recipes. While reading through the documentation there, a note near the bottom caught my eye, which stated: User objects can't edit their own msDS-KeyCredentialLink attribute while computer objects can.

Kyle Macken

PKINIT FTW - Chaining Shadow Credentials and ADCS Template Abuse

MacOS password recovery on a disk with FileVault 2 encryption

On a recent red team engagement, our team was tasked with focusing on Active Directory Certificate Services (ADCS) exploitation. The objective was to identify certificate template misconfigurations and potentially achieve privilege escalation by abusing them. The concepts and attacks used were based around the work and whitepaper by Will Shroeder (@harmj0y) and Lee Christensen (@tifkin_).

Disinformation, Misinformation and Manipulation Campaigns: A How to Guide for Creating an Organizational Incident Response Playbook and Managing Reputational Risk

Elevating with NTLMv1 and the Printer Bug

Demystifying Penetration Testing Pricing

Kyle Macken

A How to Guide for Creating an Organizational Incident Response Playbook and Managing Reputational Risk

Colonial Pipeline Ransomware Breach: How to Protect Your Assets

Fortalice Client Advisory: Unemployment Fraud

Hiding Behind the Front Door

Adam Brown

Domain fronting is a generic technique based on HTTPS that allows an actor to hide the true destination of a communication from network equipment in the path. While domain fronting has been used in offensive engagements for several years now, the number of frontable cloud services continues to dwindle. Today, Fortalice is publicly adding another service to that list: Azure Front Door.

Advisory: HAFNIUM Threat Activity and Microsoft Exchange

In the News: US Federal Data Breach Legislation

Fortalice's Threat and Incident Response Team is providing this advisory video to partners on recent developments associated with the HAFNIUM Threat Activity and Microsoft Exchange. The information is current as of March 2021.

Mimecast Advisory

Fortalice Advisory on SolarWinds Orion Code Compromise

The notification provided to Mimecast from Microsoft indicated that several certificates issued by Mimecast had been compromised by a sophisticated threat actor.

Interview with an Expert: OCO Director Matt Shirley

If your organization currently uses SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1), we recommend disconnecting all affected devices immediately.

Election Security and Cybersecurity Best Practices

Fortalice Director of Offensive Cybersecurity Operations (OCO) Matt Shirley talks the red team's perspective on addressing cyber threats on behalf of our clients.

Interview with an Expert: Director of Custom Solutions Alise Brzezinski

Fortalice CEO & Founder Theresa Payton spoke to Julie Mason about cybersecurity - Host of the Press Pool on SiriusXM - following the historic 2020 election.

Fortalice Interview with an Expert: CEO Theresa Payton

Fortalice Director of Custom Solutions Alise Brzezinski talks third-party risk management in the COVID-19 era.

What is Fortified Security?

Fortalice CEO & Founder Theresa Payton discusses the Fortalice difference and her new book, Manipulated Inside the Cyberwar to Hijack Elections and Distort the Truth.