Research
Trimarc performs cutting-edge enterprise attack and defense research to best identify how to detect, mitigate, and prevent modern attacks. This information is the foundation for our security offerings and training sessions. In the past, most of this information was published on ADSecurity.org though we have shifted much of the newer information to the Trimarc Content Hub.
Our research has helped the industry detect forged Kerberos tickets and improve detection of other attack techniques.
Some of our published research:
- 2020: Described how to make Honeypot Accounts in Active Directory look normal
- 2020: From Azure AD to Active Directory (via Azure) - An Unanticipated Attack Path
- 2020: Escalating to Domain Admin in Microsoft’s Cloud Hosted Active Directory (Azure AD Domain Services)
- 2019: Mitigating Exchange Permission Paths to Domain Admins in Active Directory
- 2018: Described how most Read-Only Domain Controller deployments are vulnerable and how to improve them
- 2017: Published first effective detection of Kerberoasting with no false positives (still effective)
- 2017: Published Password Spray (AD) detection when attackers use Kerberos
- 2016: Published methods to better detect PowerShell attack activity
- 2015: Described what rights were necessary to DCSync, including initial detection guidance
- 2015: Described “SPN Scanning” – identifying services on a network without port scanning
- 2015: Described how to pass-the-hash using the DC’s DSRM password
- 2015: Described how to modify AdminSDHolder permissions for persistence
- 2015: Expanding the Capability of Golden Tickets (Forged Kerberos TGT Authentication Tickets)
- 2014: Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works
- Mimikatz Guide and Command Reference (no longer updated)
We frequently present our research at security conferences to share with the community.