Elastiflow
Elastiflow is a high performance flow collector that provides unparalleled network observability. The community edition is free so it’s perfect for homelabbers. Why use Elastiflow? Note: This guide is not recommended for production use. It is a POC for home lab use. Setting up Elastiflow Visit this link to obtain a Basic Free License. Follow these steps to install Elastiflow. Don’t follow the steps under Running the Collector to start Elastiflow yet....
WPAD Security Considerations
What is WPAD? WPAD stands for Windows Proxy Auto-Discovery. It is a protocol to obtain the URL for a PAC file. WPAD uses the following methods in order to discover the PAC file URL: DHCP DNS WINS LLMNR NetBIOS Hosts Lmhosts The PAC file tells the host where to direct network traffic. This is usually used to force traffic through a web proxy. Why is it insecure? When DHCP or DNS is misconfigured or not configured, an attacker can provide the client with a PAC file that directs traffic to a compromised server....
Remote Credential Guard
Summary Remote Credential Guard (RCG) protects admin credentials by ensuring they are not passed over the network to a target device. RCG is particularly useful for administrators who need to remotely access and manage servers and other critical systems. By ensuring that credentials are not exposed during these remote sessions, it significantly reduces the risk of credential theft and lateral movement in the network. Details Clients with RCG enabled do not send primary credentials to the target machine....
SentinelQueriesKQL
Identity Queries Detect Users in an OU not in an Azure AD Group Let’s say you need to find out which AD users are in an OU but not in an Azure AD group. You can use the following query to find the users in the OU but not in the group: IdentityInfo | where OnPremisesDistinguishedName endswith_cs "OU=COMPANY,OU=STORES,OU=CONTOSO,DC=LOCAL" | where GroupMembership !contains "Company Store Users" Detect Users using Office Resources on Personal Devices Identify users logging in from non company devices....
Stormspotter
Introduction Stomspotter is an Azure Red Team tool to graph Azure and Azure AD objects. By mapping out relationships between objects, Stormspotter visualises attack paths between Azure objects. Stormspotter currently only supports Neo4j 3.x.x. I recommend setting image: neo4j:3.5.18 in your docker-compose.yml Requirements Docker Docker Compose Python 3.8.X Az PowerShell Installation Installation via Docker to avoid manual installation of dependencies. The docker-compose file creates three containers: Frontend Backend Neo4j git clone https://github....