Author: Dennis Rietveld

Microsoft Advanced Threat Analytics Attack Demo

Cyber Attack Demo

During my session at Experts Live 2016 I showed a demo consisting of a cyber attack with Microsoft ATA running in the background. Various stages from the attack kill chain are included in this demo, such as internal reconnaissance, lateral movement, pass-the-ticket and domain dominance. I’ve recorded the demo and enhanced it


Microsoft Advanced Threat Analytics Fundamentals

Introduction

Hi there, want to know more about Microsoft Advanced Threat Analytics (ATA)? You’ve come to the right place. In this blog post I’d like to share some fundamentals of the product and platform to get you started right away. Microsoft acquired Aorato, a security company, in 2014. They are now part of Microsoft


Experts Live 2016 Slide Deck Download

Thank you! It was a great experience to speak at the Experts Live 2016 event. A big thank you to all who attended my Microsoft ATA session and of course to the visitors and volunteers who made this edition possible! Experts Live 2016 hosted more than 50 breakout sessions about Microsoft Azure, Office 365, Windows Server


Speaking at Experts Live 2016

On Tuesday, November the 22nd, I will be speaking at the community-based tech event called Experts Live, a one-day event focused primarily on Microsoft technologies. This year’s edition will host a whopping 50+ sessions from speakers from the Netherlands and other EU countries. I will be talking about Microsoft Advanced Threat Analytics.


Certificate Autoenrollment Failed on Domain Controllers

Introduction

Just a short blog post about troubleshooting existing certificate services within the Active Directory domain. In this case the domain controllers were not able to renew their certificates through autoenrollment. In the meantime the existing certificates had already expired, so LDAPS was no longer available. A group of servers had no trouble updating their certificates,


From the field: RPC client authentication breaks SID translation

SID translation problems

Weird things can happen if something goes wrong with the RPC protocol, whether it’s related to network traffic being blocked by a firewall (yes, I’m talking to you, ephemeral ports) or simply because name resolution contains numerous configuration errors. Recently I was asked to troubleshoot SID translation problems over a forest trust. The


Upgrade Your Active Directory and Domain Controllers the Safe Way

Introduction

There are several good guides on the internet about upgrading your Active Directory forest, domains and domain controllers to Windows Server 2012 R2. I’d like to give you my strategy on this subject. It’s not wrong to add new Domain Controllers to your 2003/2008 domain, transfer the FSMO roles and demote the 2003/2008 DCs,


Active Directory checks you should run on a regular basis

The following PowerShell cmdlets will help you identify user accounts in your Active Directory environment that have settings configured that are a joy for hackers. My advice is to schedule the cmdlets or put them in a script to automate the process. Pipe the output to the Export-Csv cmdlet to create a usable list. For example |
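As an added worked example (not code from the original post), the sweep below bundles the kind of checks the post refers to into one script that can be scheduled and that writes a timestamped CSV per run. The specific settings checked, the 90-day inactivity threshold and the report path C:\ADAudit are my assumptions; the script assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the original post: sweep the domain for user-account settings
# that attackers look for first and export the findings to CSV for scheduled runs.
# Assumptions: RSAT ActiveDirectory module present, caller can read the domain,
# C:\ADAudit is an assumed report directory, 90 days is an assumed staleness threshold.
Import-Module ActiveDirectory

# Each check is a Get-ADUser filter plus the reason the setting matters to an attacker.
$Checks = @(
    @{ Name = 'PasswordNotRequired';      Filter = 'PasswordNotRequired -eq $true -and Enabled -eq $true'
       Why  = 'UF_PASSWD_NOTREQD is set, so the account may have an empty password' }
    @{ Name = 'PasswordNeverExpires';     Filter = 'PasswordNeverExpires -eq $true -and Enabled -eq $true'
       Why  = 'An old or leaked password stays valid indefinitely' }
    @{ Name = 'NoKerberosPreAuth';        Filter = 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true'
       Why  = 'AS-REP roasting: anyone can request a crackable AS-REP for this account' }
    @{ Name = 'UnconstrainedDelegation';  Filter = 'TrustedForDelegation -eq $true -and Enabled -eq $true'
       Why  = 'Caches the TGT of everyone who authenticates to it; a path to domain dominance' }
    @{ Name = 'HasSPN_Kerberoastable';    Filter = 'ServicePrincipalName -like "*" -and Enabled -eq $true'
       Why  = 'Service tickets encrypted with the account password can be cracked offline' }
    @{ Name = 'ReversibleEncryption';     Filter = 'AllowReversiblePasswordEncryption -eq $true'
       Why  = 'Password is recoverable in clear text from the directory' }
    @{ Name = 'AdminCountSet';            Filter = 'adminCount -eq 1 -and Enabled -eq $true'
       Why  = 'Is or was a member of a protected group; verify it still needs those rights' }
)

function Get-RiskyAdAccount {
    [CmdletBinding()]
    param(
        [string]$SearchBase,        # optional OU distinguished name to scope the sweep
        [int]$InactiveDays = 90     # assumed threshold for "nobody uses this account"
    )
    $props = 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName', 'adminCount'
    foreach ($check in $Checks) {
        $query = @{ Filter = $check.Filter; Properties = $props }
        if ($SearchBase) { $query['SearchBase'] = $SearchBase }
        Get-ADUser @query | ForEach-Object {
            [pscustomobject]@{
                Check             = $check.Name
                Why               = $check.Why
                SamAccountName    = $_.SamAccountName
                Enabled           = $_.Enabled
                PasswordLastSet   = $_.PasswordLastSet
                LastLogonDate     = $_.LastLogonDate
                SPNs              = ($_.ServicePrincipalName -join ';')
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
    # Stale but enabled users: nobody logs on, yet the account still works for an attacker.
    $stale = @{ AccountInactive = $true; TimeSpan = [timespan]::FromDays($InactiveDays); UsersOnly = $true }
    if ($SearchBase) { $stale['SearchBase'] = $SearchBase }
    Search-ADAccount @stale | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Check             = 'InactiveButEnabled'
            Why               = "No logon in $InactiveDays days but still enabled"
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            PasswordLastSet   = $null
            LastLogonDate     = $_.LastLogonDate
            SPNs              = ''
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# One CSV per run, so consecutive reports can be diffed to spot newly introduced findings.
$reportDir = 'C:\ADAudit'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$findings  = Get-RiskyAdAccount
$csvPath   = Join-Path $reportDir ('ad-risky-accounts-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$findings | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Quick summary on the console: how many accounts hit each check.
$findings | Group-Object Check | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it from a scheduled task under an account that only needs read access to the directory; the findings are not fixes, so each row still needs a decision (reset the password, remove the SPN or delegation flag, disable the account) and the next run confirms the change took effect.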


Illegal cross-realm Ticket and the Rejected Authentication by Kerberos

Introduction

Finally I have found some time to write this blog post in detail. It took place last year, somewhere around October and November, so here we go! The other day I received some complaints about not being able to access a CIFS share on the network. Several users acknowledged this; they got the Windows authentication


DNS Zone Recovery using Powershell

In case you’ve accidentally deleted a DNS zone, it’s good to know how to recover ASAP and get the deleted zone back into your production environment. I’m using a DNS zone export as a backup of the zone that has been deleted. We admins are lazy, so this is the most convenient way to recover a
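As an added worked example (not code from the original post), the two functions below show the export-as-backup approach end to end: take a file export of every primary zone on a schedule, and later rebuild a deleted zone from one of those exports, loading the records from the file instead of creating an empty zone. The zone name corp.example.com, the backup directory C:\DnsBackup and the choice to convert the restored zone back to AD-integrated with domain-wide replication are my assumptions; the script assumes the DnsServer module and that it runs on the DNS server itself.

```powershell
# Added example, not from the original post: file exports of DNS zones as restore points,
# and recovery of a deleted zone from such an export.
# Assumptions: DnsServer module (RSAT) installed, run locally on the DNS server,
# C:\DnsBackup is an assumed backup directory, corp.example.com is an assumed zone name.
Import-Module DnsServer

# Export-DnsServerZone always writes into %SystemRoot%\System32\dns on the server.
$DnsDir = Join-Path $env:SystemRoot 'System32\dns'

function Backup-DnsZone {
    param([string]$DestinationDir = 'C:\DnsBackup')    # assumed path
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
    # Skip the auto-created zones (0.in-addr.arpa etc.); they are rebuilt by the server anyway.
    Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $file = '{0}.{1}.dns' -f $_.ZoneName, $stamp
            Export-DnsServerZone -Name $_.ZoneName -FileName $file
            # Move the export off the server's dns directory into the backup location.
            Move-Item -Path (Join-Path $DnsDir $file) -Destination $DestinationDir -Force
        }
}

function Restore-DnsZoneFromExport {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$ExportFile,
        [string]$ReplicationScope = 'Domain'     # '' keeps a plain file-backed primary zone
    )
    # Refuse to clobber a zone that still exists (or whose deletion has not replicated here yet).
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        throw "Zone $ZoneName still exists on this server; refusing to overwrite it."
    }
    # A file-backed zone is loaded from <zone>.dns in the server's dns directory.
    $zoneFile = "$ZoneName.dns"
    Copy-Item -Path $ExportFile -Destination (Join-Path $DnsDir $zoneFile) -Force
    # -LoadExisting reads the records from the file instead of creating an empty zone.
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile $zoneFile -LoadExisting
    if ($ReplicationScope) {
        # Put it back into AD so the other DCs replicate it; -Force skips the confirmation.
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope -Force
        # Exports do not carry the update policy, so re-enable secure dynamic updates explicitly.
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    }
    # Return the record count as a sanity check against the export.
    (Get-DnsServerResourceRecord -ZoneName $ZoneName | Measure-Object).Count
}

# Usage (assumed names): take a backup now, and restore one zone from a chosen export.
Backup-DnsZone -DestinationDir 'C:\DnsBackup'
# Restore-DnsZoneFromExport -ZoneName 'corp.example.com' -ExportFile 'C:\DnsBackup\corp.example.com.20160101-0300.dns'
```

Compare the returned record count with the export file before telling clients the zone is back, and remember that an export is a point-in-time copy: anything registered by dynamic update after the last backup is gone and will only reappear when the client refreshes its record.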
