There are two main password attacks leveraged by adversaries; one is called Password Spraying and the other is called Kerberoasting.
This post focuses on identifying accounts that may be targeted for Kerberoasting and how to harden the environment against Kerberoasting.
Password spraying involves the attacker using a list of passwords and for each password attempts to authenticate as each user using that one password. After working through all users with the first password, they move on to the next password in the list. Successful authentication is noted along the way as these are compromised accounts.
Kerberoasting is possible when an Active Directory account has a Kerberos Service Principal Name (SPN) associated with it. In order to enable Kerberos authentication for an application, the associated service account needs a SPN. Kerberoasting takes advantage of the fact that one can request a service ticket using the SPN associated with a target service account and take that Kerberos service ticket offline to attempt to crack it. Attackers are most likely to attempt Kerberoasting on the accounts with passwords that are about 5 years and older since they are more likely to have poor passwords, though attackers may just attempt kerberoasting all AD accounts that have SPNs.
For more information on how Kerberoasting works as well as detecting Kerberoasting. read this article: adsecurity.org/?p=3458
I wrote a short PowerShell script that identifies all accounts with SPNs as well as Active Directory admin accounts with SPNs (leverages the Active Directory PowerShell module):
github.com/PyroTek3/Misc/…
TO DO LIST:
1. Remove SPNs from AD Admin accounts associated with people since they shouldn't have any SPNs associated with them.
2. If the default domain administrator account is listed here, work to remove the SPN associated with it. This account should never have a SPN.
3. Remove SPNs from the other accounts associated with people since they shouldn't have any SPNs associated with them.
4. Identify service accounts identified as AD Admin accounts (those that are members of Administrators, Domain Admins, or Enterprise Admins). Remove accounts that don't belong and leave only those accounts that require these privileges (should be a minimal to 0 list of service accounts).
5. Identify the AD Admin accounts that have old passwords (> 5 years) and put together a plan to change those passwords, preferably with a password of >25 characters.
6. Identify the other accounts that have old passwords (> 5 years) and put together a plan to change those passwords, preferably with a password of >25 characters.
IMPORTANT NOTE:
Ignore the krbtgt account as this is required to be configured this way for AD Kerberos to work.
Do not modify the krbtgt account!
This post focuses on identifying accounts that may be targeted for Kerberoasting and how to harden the environment against Kerberoasting.
Password spraying involves the attacker using a list of passwords and for each password attempts to authenticate as each user using that one password. After working through all users with the first password, they move on to the next password in the list. Successful authentication is noted along the way as these are compromised accounts.
Kerberoasting is possible when an Active Directory account has a Kerberos Service Principal Name (SPN) associated with it. In order to enable Kerberos authentication for an application, the associated service account needs a SPN. Kerberoasting takes advantage of the fact that one can request a service ticket using the SPN associated with a target service account and take that Kerberos service ticket offline to attempt to crack it. Attackers are most likely to attempt Kerberoasting on the accounts with passwords that are about 5 years and older since they are more likely to have poor passwords, though attackers may just attempt kerberoasting all AD accounts that have SPNs.
For more information on how Kerberoasting works as well as detecting Kerberoasting. read this article: adsecurity.org/?p=3458
I wrote a short PowerShell script that identifies all accounts with SPNs as well as Active Directory admin accounts with SPNs (leverages the Active Directory PowerShell module):
github.com/PyroTek3/Misc/…
TO DO LIST:
1. Remove SPNs from AD Admin accounts associated with people since they shouldn't have any SPNs associated with them.
2. If the default domain administrator account is listed here, work to remove the SPN associated with it. This account should never have a SPN.
3. Remove SPNs from the other accounts associated with people since they shouldn't have any SPNs associated with them.
4. Identify service accounts identified as AD Admin accounts (those that are members of Administrators, Domain Admins, or Enterprise Admins). Remove accounts that don't belong and leave only those accounts that require these privileges (should be a minimal to 0 list of service accounts).
5. Identify the AD Admin accounts that have old passwords (> 5 years) and put together a plan to change those passwords, preferably with a password of >25 characters.
6. Identify the other accounts that have old passwords (> 5 years) and put together a plan to change those passwords, preferably with a password of >25 characters.
IMPORTANT NOTE:
Ignore the krbtgt account as this is required to be configured this way for AD Kerberos to work.
Do not modify the krbtgt account!
Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities...
https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/
https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/
Trellix
APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure
Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities, specifically targeting maritime and transport organizations across Poland, Slovenia…
meet https://www.track2pulse.com/
track2pulse enables you to monitor, via an interactive map, OSINT-driven intelligence streams aggregated from country-specific telegram channels, covering topics such as geopolitics, information warfare, domestic developments, and strategic shifts.
you can track:
-APT group activities targeting specific countries
-Terror-related fatality data and organizational intelligence
-Critical infrastructure across relevant geographic regions
-The Interpol wanted persons list
-War-related flights and aircraft movements (flight tracking)
-International arms trade flows between countries
-National intelligence insights and satellite imagery-based data
-cybersecurity incidents, including ransomware campaigns and threat reports
You can create a personalized profile and follow only the developments that align with your operational interests , all in real time, directly on the map interface.
track2pulse enables you to monitor, via an interactive map, OSINT-driven intelligence streams aggregated from country-specific telegram channels, covering topics such as geopolitics, information warfare, domestic developments, and strategic shifts.
you can track:
-APT group activities targeting specific countries
-Terror-related fatality data and organizational intelligence
-Critical infrastructure across relevant geographic regions
-The Interpol wanted persons list
-War-related flights and aircraft movements (flight tracking)
-International arms trade flows between countries
-National intelligence insights and satellite imagery-based data
-cybersecurity incidents, including ransomware campaigns and threat reports
You can create a personalized profile and follow only the developments that align with your operational interests , all in real time, directly on the map interface.
Track2Pulse
TRACK2PULSE | Intelligence Platform
Real-time global situational awareness platform for security events, geopolitical developments, and threat indicators
Kant_Adarsh_Ultimate_Linux_Network_Security_for_Enterprises_2024.pdf
9.9 MB
Master Effective and Advanced Cybersecurity
Techniques to Safeguard Linux Networks and
Manage Enterprise-Level Network Services
Techniques to Safeguard Linux Networks and
Manage Enterprise-Level Network Services
Walkthrough of Espressif ESP32 firmware encryption bypass techniques (2024)
https://courk.cc/breaking-flash-encryption-of-espressif-parts
https://courk.cc/breaking-flash-encryption-of-espressif-parts
Courk's Blog
Breaking the Flash Encryption Feature of Espressif's Parts
I recently read the Unlimited Results: Breaking Firmware Encryption of ESP32-V3 paper. This paper is about breaking the firmware encryption feature of the ESP32 SoC using a Side-Channel attack. This was an interesting read, and soon, I wanted to try to reproduce…
227 tips dedicated to red teaming, OPSEC, infrastructure, payloads, etc.
https://github.com/vysecurity/RedTips
https://github.com/vysecurity/RedTips
GitHub
GitHub - vysecurity/RedTips: Red Team Tips as posted by @vysecurity on Twitter
Red Team Tips as posted by @vysecurity on Twitter. Contribute to vysecurity/RedTips development by creating an account on GitHub.
Bypassing Detections with Command-Line Obfuscation
https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation
https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation
www.wietzebeukema.nl
Bypassing Detections with Command-Line Obfuscation
Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables’ parsing “flaws”, can bypass such detections. It…
Media is too big
VIEW IN TELEGRAM
Project Canard—the open source $96 Rocket that is a 3D-PRINTED MANPADS platform with $5 electronics that recalculates mid-air trajectory with off-the-shelf sensors and some piano wire.
It is potentially worrisome but a reality. Showing ingenuity of individuals.
It is potentially worrisome but a reality. Showing ingenuity of individuals.
This document defines how to build and mature a Purple Team program from ad-hoc Purple Team Exercises, to Operationalized Purple Teaming, to building a Dedicated Purple Team. Purple Team Exercises are an efficient method to test, measure, and improve your organization's resilience to a real cyber attack. Purple Teaming focuses on fostering collaboration with your entire organization including people, process, and technology (security stack).
https://github.com/scythe-io/purple-team-exercise-framework
https://github.com/scythe-io/purple-team-exercise-framework
GitHub
GitHub - scythe-io/purple-team-exercise-framework: Purple Team Exercise Framework
Purple Team Exercise Framework. Contribute to scythe-io/purple-team-exercise-framework development by creating an account on GitHub.