Patient zero is the first device (or identity) that has been compromised. After the initial compromise, the attacker continues the attack, e.g. via (local and domain) privilege escalation and lateral movement, to exfiltrate or destroy data (e.g. ransomware).

It’s very important during a breach to connect the dots for the…


PetitPotam is an NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP endpoints. If the following AD CS services are installed, the Active Directory is vulnerable to the attack.

See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information on how to mitigate.

The attack


Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR) and Threat and Vulnerability Management (TVM) for endpoints.

Microsoft Defender for Endpoint (MDE) is part of the Microsoft 365 Defender (M365D) ecosystem.

The Endpoint discovery feature detects (agent-less where all MDE…


The Print Spooler service on domain controller(s) has been enabled by default since 2000. Any authenticated user can remotely connect to the Print Spooler service (running as SYSTEM); if the service is compromised, the attacker gets access to the domain controller with ‘nt authority/system’ permissions.

Microsoft Defender for Identity (MCAS) …


This blog is a high level overview of Microsoft Defender for IoT and the integration with Azure Sentinel.

IT (Information Technology) is secure by default (at least it should be) and internet-connected.


Active Directory lateral movement attack(s) via MimiKatz (e.g. pass-the-hash, pass-the-ticket, etc.) from domain-joined machines are detected by Microsoft Defender for Identity (MDI).

Please Microsoft: rebrand MDI to MDAD (Microsoft Defender for Active Directory) so people don’t get confused: Azure AD is not in scope of the detection.

MimiKatz (version 2.2.0 and…


Password spraying is an attack method designed to fly under the radar of security detection systems.

A password spray attack uses one commonly used password against a lot of different accounts (e.g. Summer2021!). …


Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR) and Threat and Vulnerability Management (TVM) for endpoints.

Microsoft Defender for Endpoint is part of the Microsoft 365 Defender ecosystem.

All common enterprise O.S. (Operating Systems) are supported like computer (Mac…


Web applications are connected to the internet 24x7 and attacked continuously.

It is very important to protect web applications against different types of attacks (prevention is better than cure), but no security baseline can 100% prevent breaches from occurring, so it is also important to detect & respond to…


Azure WAF (Web Application Firewall) provides protection for web applications (IaaS, PaaS or on-premises) from common attacks (OWASP Top 10) like SQL injection and XSS (Cross-site scripting).

Azure WAF can be used on Azure Front Door and/or Azure Application Gateway; in our example we use Azure Application Gateway (simple setup).

Setup

Derk van der Woude

Chief Technology Officer @ Nedscaper
