I share with you my discoveries around pentesting and security research.

SMB “Access is denied” caused by anti-NTLM relay protection

I investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct, etc. The only unusual thing was that the SMB server was accessed through a NAT mapping, which made me think that this setup was in fact similar to an NTLM relay (aka SMB relay) attack. 💡 And indeed, the server had the “Microsoft network server: Server SPN target name validation level” policy (i.e. the SmbServerNameHardeningLevel registry key) enabled, which blocked this scenario!

😉 This situation could also occur in your regular SMB environments, so follow along to see how to troubleshoot it, how it is configured, how it works and what we suggest doing in this case.

➡️ Find this article on Tenable’s TechBlog: SMB “Access is denied” caused by anti-NTLM relay protection

Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark

Have you ever wondered how to decrypt Kerberos/NTLM “encrypted stub data” fields 🔐 in Wireshark when analyzing Kerberos, RPC, LDAP… traffic?
➡️ Read how to do it on Tenable’s TechBlog: Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark

Active Directory virtualization safeguard deactivation

An Active Directory domain controller running as a virtual machine hosted by a compatible hypervisor is able to detect when it has been restored from a snapshot, thanks to the Virtual Machine Generation ID feature. In this case, it goes into a safe passive mode before retrieving the latest changes from other domain controllers (to avoid USN rollback issues, RID reuse, etc.). The same can be observed on the DFS-R side.

💡 This is a practical safety feature in production environments, but it can create tricky issues in labs and even break them… Let’s see how to disable it (in labs only)!

Don’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit policy

Windows offers built-in audit policy settings to configure which events should be logged. But when testing those options, we noticed surprising behaviors that can lead to missed events. When you configure your Active Directory domain controllers to log security events, send them to your SIEM and raise alerts, you absolutely do not want any regression which would ultimately blind your SOC! In this article we will share technical tips to prevent those unexpected issues.

➡️ Discover this article on Tenable’s TechBlog: Don’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit policy

Auto deploy Python Flask web app on GitHub push

On my server I have a very simple web app developed in Python with Flask. Its code is hosted on GitHub in a private repository. Before, every time I modified the app on my PC and pushed it to GitHub, I had to connect to the Linux server to kill it, git pull and restart it. It was annoying, but now everything happens automatically!

How can my Python Flask web app deploy itself to my Linux server when I push to GitHub?

Risks of Microsoft Teams and Microsoft 365 Groups

Microsoft Teams has become even more popular in the current context (blah blah pandemic, blah blah work from home). It allows users to collaborate using Groups that they create and manage themselves. Groups can be public or private (on invitation), but many group owners use the public option, even though it allows anyone in the organization to access their chats, shared files and more! 😮 We will also see that even private Groups disclose their title, description, and members to anyone, and sometimes this alone is enough to disclose restricted information. 🕵️

NTLM relay of ADWS (WCF) connections with Impacket

The NTLM relay feature of Impacket’s ntlmrelayx.py used to offer only two servers, HTTP and SMB, to receive incoming NTLM authenticated connections using those two protocols, which can then be relayed to more protocols: HTTP, SMB, LDAP, SMTP, etc. I had a situation where the incoming NTLM authenticated connection used ADWS (built upon NetTcpBinding WCF), so I implemented this new server protocol in Impacket 😉

CVE-2020-7315 McAfee Agent DLL injection

DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee password

The macompatsvc.exe McAfee Agent process tries to load the missing wow64log.dll DLL file (in System32). By planting a malicious DLL with that name, a local Windows administrator can achieve code execution in the context of this trusted McAfee process and kill other McAfee processes, thus achieving a denial of service on the antivirus, which can no longer detect and clean viruses.

"Twitter likes" Python tool

This small Python 3 project lets you fetch from the Twitter API all the tweets you (or even another account) liked, save them (for backup) and display them as a nice HTML page.

"Google Drive uploader" Python tool

This Python 3 script archives a local folder as a ZIP file and uploads it to a Google Drive folder. It makes it easy to back up a folder from a server, for example.