A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources

Some weeks ago, Heinrich and I had the pleasure of participating in the heisec-Webinar “Emotet bei Heise – Lernen aus unseren Fehlern”. We really enjoyed the webinar and the (alas, due to the format: too short) discussions, and we hope we could contribute to an understanding of how to make Active Directory implementations out there a bit safer in the future.


Emotet in Active Directory: It Can Hit Anyone – but Everyone Can Make It Hard for the Attacker!

Heise is currently reporting publicly on the Emotet infection in its own organization, which ERNW helped to investigate. In doing so, Heise provides information on the course of current attacks and, in particular, valuable first-hand insights into prevention, detection, analysis and countermeasures of a kind that is only rarely disclosed to the public.

A team of incident response specialists from ERNW Research supported Heise in analyzing and reconstructing the incident and analyzed the malware in order to trace its propagation paths and to extract IoCs (Indicators of Compromise). This made it possible to develop effective countermeasures and to implement them successfully together with Heise.

In the course of this, Active Directory specialists from ERNW supported Heise in designing and rebuilding a new Active Directory. In the heisec webinar on July 3, Heise will report on the incident and the most important lessons learned from it. Two of our Active Directory security specialists will take part. They will present concepts and procedures for a secure, resilient and nevertheless operable Active Directory, and will be available to participants with tips for containment after an infection and for joint discussion.

If you are interested in this topic, please also note the many talks by international Active Directory security specialists in the Active Directory Security Track at this year's Troopers (as well as our own contributions to it, such as here and here) and our workshops on Active Directory security and incident response.

We wish all readers a pleasant, long and hopefully incident-free Whitsun weekend!


Friedwart Kuhn & Andreas Dewald.


Active Directory Security Summit 2018 – Slides Online

On Tuesday, 13th of November, we held our second AD security summit with the title: “Active Directory Security: On-Prem-Security, Secure Extension into the Cloud & Secure Operations” in Heidelberg. First, we had three talks: the first one about “Active Directory Core Security Principles & Best Practices”, covering hybrid AD and AD Trusts as well (by Friedwart Kuhn & Heinrich Wiederkehr from ERNW), the second one a case study about the implementation of an ESAE Forest in a big insurance company (by Fabian Böhm from Teal Technology Consulting) and the third one a case study on the (security) challenges of a hybrid AD (by Raphael Rojas from STIHL).


How to go ahead with future end of life Windows (2003) Servers

Servers running an OS for which vendor support has ended come with many risks that have to be considered and addressed. The primary goal should always be to decommission or migrate the majority of end-of-life (EoL) servers to OS versions supported by the vendor. Note that a migration to an up-to-date OS should preferably be done before your organization enters the end of life of that software 😉

However, it must be considered that a number of servers cannot be migrated or shut down (easily) and must remain operational and accessible. Based on a customer project in 2014, we developed a high-level security concept for the secure operation of end-of-life Windows servers. We published this concept in our latest newsletter. You will find it here (https://www.ernw.de/download/newsletter/ERNW_Newsletter_47_Security_Concept_for_End-of-Life_Windows_Servers_signed.pdf).



Skeleton Key – a Nasty Piece of Malware. Some Remarks.

Just recently, Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers published details (see http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/ ) on an especially nasty piece of malware that bypasses authentication on Active Directory (AD) systems which implement single-factor (password only) authentication. Once deployed, the malware stays quite noiseless in the Domain Controller's (DC) RAM, and the DC's replication issues caused by it were not interpreted – in this case – for months as a hint of system compromise. Probably the malware's modification of the LSASS process reduced the DC's ability to perform DC-to-DC authentication, but this is only speculation and not where we would like to go today.

So, what to do? The relevant mitigations pointed out by Dell's CTU, such as event log monitoring and scanning processes on suspicious systems with the published YARA signature, should be applied.
Still, let’s discuss for a second which long-term, preventative measures could come into play as well.


EMET v4.0 with New Certificate Trust Feature Released

Microsoft released EMET v4.0 with a new (security) feature that enables protection against fraudulent websites or compromised root certification authorities (do you remember Comodo, DigiNotar, DigiCert, Turktrust et al. ;-)?)

EMET defines via “certificate trust” a trust chain between the domain name of a website (and its associated website certificate) and a root CA certificate. This is done through so-called “pinning rules”. Here is one of the default pinning rules of EMET 4.0 for the domain name login.live.com:


Windows Server 2008 R2 BSI-compliance

Recommendations by the German Federal Office for Information Security (BSI – Bundesamt für Sicherheit in der Informationstechnik) are obligatory for German government agencies, civil services and authorities (just as NIST recommendations are relevant to American government agencies and authorities). They are often used as references and security best practices in other countries as well. Hence it is hard to understand why the recommendations on how to harden Windows Server 2008-based systems were published only some weeks ago and only on a preliminary draft basis (which is, obviously, better than nothing ;-)).

We at ERNW, however, carried out an overall baseline security approach for Windows Server 2008 R2 and Active Directory for a large German authority last year. The aim was to fulfill the requirements of the German Federal Office for Information Security without having precise technical guidelines from the BSI itself (from our side we do have guidelines, of course ;-)). The hardened Windows Server 2008 R2 environment was then approved at the end of 2011 by the German BSI. We have now published the results of our overall approach in our latest newsletter [German language].

Enjoy reading!
Friedwart Kuhn

PS: There’s also a digitally signed version of the newsletter. (Because it is signed with a qualified certificate, the validation requires appropriate validation software, for example SecSigner from SecCommerce, which is free software.)
