< ciso
brief />
Tag Banner

All news with #active directory tag

34 articles

Recovering active ADFS signing keys via Machine DPAPI

🛡️ This post examines how ADFS token-signing private keys persisted in the machine-scoped key store and protected by Machine DPAPI can be recovered by a sufficiently privileged local context. It describes a red team finding where manual certificate rotations with AutoCertificateRollover disabled created configuration drift, leaving active signing keys exposed in Machine DPAPI and enabling forged SAML assertions. The article outlines extraction details, detection guidance, and mitigation measures including HSM use and configuration validation.
read more →

Amazon RDS for Db2 adds self-managed Active Directory support

🔒 Amazon RDS for Db2 now lets customers join DB instances directly to self-managed Microsoft Active Directory domains, whether on-premises, in AWS, or in another cloud. Using Kerberos for authentication, this enables single sign-on and allows customers to authenticate and authorize database users without deploying AWS Managed Microsoft AD or creating a domain trust. Domain join is available when creating or modifying instances using a delegated AD service account stored in AWS Secrets Manager and encrypted with AWS KMS, and the feature is generally available in all Regions where RDS for Db2 is offered, including GovCloud.
read more →

Legacy Infrastructure Enables AI Agent Hijacking

🔒 This article explains how attackers bypass AI security by exploiting legacy infrastructure that AI agents inherit, such as Active Directory, cloud storage, and unpatched servers. It outlines a staged attack where a CVE-exploited perimeter server leads to credential theft, lateral movement, and compromise of an AI Co-Pilot's knowledge base. The piece urges exposure management that maps dependencies and fixes choke points to protect AI environments.
read more →

Unpatched Windows search: URI leaks NTLMv2 hashes

🔒 Researchers disclosed an unpatched Windows issue that can expose a user's NTLMv2 hash via the search: URI handler. Similar to CVE-2026-33829 in the Snipping Tool, the flaw leverages a crumb=location: parameter to force an SMB connection and trigger NTLM authentication. The weakness produces the same Net-NTLMv2 leak and attack prerequisites, and Microsoft declined to patch it after responsible disclosure.
read more →

AI-built ransomware toolkit automates EDR evasion

🛡️ A threat actor used an AI-assisted ransomware toolkit to automate Active Directory discovery and iterate EDR evasion techniques. Researchers found Cursor and Claude Opus agents used for coding, analysis, testing, and checking public research for bypass methods, with some malware tested against Sophos, CrowdStrike, and Microsoft EDR products. Sophos determined the workflow was human-directed, while AI accelerated development, producing numerous payload modules and mapping techniques to MITRE ATT&CK.
read more →

Active Directory Certificate Services: Exploitation Risks

🔐 This Unit 42 report examines how misconfigured Active Directory Certificate Services (AD CS) components create high-impact attack surfaces that enable privilege escalation, identity impersonation, and persistent access. It details exploitation techniques—especially certificate template misconfigurations and shadow credential abuse—tools observed in the wild, and a five-phase adversary lifecycle. The report emphasizes behavioral detection, telemetry correlation, and mitigation guidance to help defenders close monitoring gaps.
read more →

AWS Adds STIG-Aligned Security Settings to Managed AD

🔒 AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) now offers expanded STIG-aligned security settings focused on high-impact directory controls. These settings are available today through a self-service interface, both programmatically and via the AWS Management Console, enabling administrators to declare desired configurations and have AWS implement and persist them. When new domain controllers are added or directories are scaled or deployed in additional regions, AWS automatically applies the declared settings to new instances to maintain consistency.
read more →

Autonomous Exposure Validation: Webinar on AI-Driven Threats

🔒 In February 2026 researchers flagged a major shift: threat actors now deploy custom AI agents that automate attacks through the kill chain, from Active Directory mapping to rapid Domain Admin takeover. Join a technical webinar with Picus Security leaders Kevin Cole and Gursel Arici for a deep dive into Autonomous Exposure Validation. Learn how to safely ingest threat intelligence, simulate attacks, and close the gap between CTI, Red, and Blue teams to speed detection and remediation.
read more →

AWS Managed Microsoft AD upgraded to 2016 functional level

🔒 AWS has automatically upgraded all AWS Managed Microsoft AD directories to the Windows functional level 2016, effective Apr 20, 2026. The update delivers enhanced authentication and improved privileged access management and enables built-in LAPS to generate unique, complex local administrator passwords stored securely in Active Directory. The upgrade is applied in all Regions where the service is available, except Middle East (UAE) and Middle East (Bahrain). See the AWS Directory Service Administration Guide for details.
read more →

Microsoft: April update causes domain controller loops

⚠️After installing the April 2026 Windows security update (KB5082063), some non‑Global Catalog domain controllers configured with Privileged Access Management (PAM) may experience Local Security Authority Subsystem Service (LSASS) crashes during startup. Affected servers can enter repeated reboot loops, disrupting authentication and directory services and potentially rendering domains unavailable. Microsoft is investigating and advises administrators to contact Microsoft Support for Business for mitigation options until a permanent fix is released.
read more →

Core infrastructure engineer pleads guilty in insider attack

🔒 A core infrastructure engineer, Daniel Rhyne, pleaded guilty on April 1 after launching an insider extortion attack that used routine admin tools and techniques to disable systems and accounts. He initiated unauthorized RDP sessions, deleted administrator accounts, changed passwords, and scheduled tasks on the domain controller, then claimed to have erased backups while demanding roughly $750,000 in bitcoin. Security experts say the methods were alarmingly predictable and could have been prevented by immutable backups, strict least privilege controls, and behavioral alerts for high‑risk tools.
read more →

AWS Managed Microsoft AD Adds Multi-Region in Opt-In Regions

🔁 AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) now supports Multi-Region replication in AWS Opt-In regions. The automated feature deploys domain controllers across Availability Zones per region, handles inter-region networking, and replicates users, groups, Group Policy Objects, and schema to maintain a single authoritative directory. It configures an Active Directory site per region to optimize authentication performance and reduce cross-region transfer costs; availability excludes the Middle East (UAE) and Middle East (Bahrain) regions and pricing is hourly per domain controller plus data transfer.
read more →

Detecting Kerberos Relay via DNS CNAME Abuse and Mitigation

🔒 CrowdStrike outlines detection for CVE-2026-20929, a Kerberos relay vulnerability exploited via DNS CNAME abuse that can enroll certificates from Active Directory Certificate Services (AD CS). Their correlation-based detection flags anomalous certificate-based authentications coincident with unusual AD CS Kerberos service access within a short time window. Customers can enable the provided CRT rule in Falcon Next‑Gen SIEM to activate alerts and support hunting.
read more →

Why Identity Recovery Is Central to Cyber Resilience

🔐 Ransomware has shifted boardroom and security priorities by showing that identity compromise can block recovery even after applications and data are restored. Security leaders now treat identity recovery as a designed capability, emphasizing immutable backups, automated restoration for Active Directory, and isolated backup platforms. Vendors such as Cognizant and Rubrik are positioning integrated services that combine orchestration, rapid recovery, and compliance-ready reporting to shorten downtime and reduce attacker re-entry risk.
read more →

Going Fully Passwordless in Hybrid AD and Entra ID

🔐 The article provides a practical, technical roadmap for eliminating passwords in hybrid Active Directory and Microsoft Entra ID environments. It emphasizes the prerequisite triangle of cloud Kerberos trust, device registration, and Conditional Access, then compares architectural choices like Windows Hello for Business, FIDO2 keys, and phone sign-in. The author presents phased migration steps, common troubleshooting patterns, and recovery best practices to help organizations move securely toward Zero Trust.
read more →

Active Directory Password Resets Surge in Hybrid Work

🔒 Hybrid work has driven a sharp rise in Active Directory password resets as cached credentials, inconsistent network connectivity, and stricter rotation policies cause more account lockouts. IT helpdesks supporting distributed employees are inundated with routine tickets that drain resources and reduce productivity. Forrester estimates a $70 cost per reset, and Specops data shows an average organization handles 923 resets annually. Implementing self‑service password reset solutions like Specops uReset can reduce wait times and restore access quickly.
read more →

China-linked Hackers Exploited Sitecore Zero-Day Access

🔒 Cisco Talos describes an actor tracked as UAT-8837, active since at least 2025, that targeted North American critical infrastructure to gain initial access. The group exploited both compromised credentials and a Sitecore ViewState deserialization zero-day (CVE-2025-53690), with Mandiant linking the flaw to deployment of the WeepSteel reconnaissance backdoor. Post-compromise activity focused on credential theft, Active Directory enumeration, and use of living-off-the-land utilities and open-source tools to evade detection.
read more →

China-Linked APT Exploits Sitecore Zero-Day in US

⚠️ Cisco Talos says a China-aligned advanced persistent threat tracked as UAT-8837 has been leveraging a critical Sitecore zero-day (CVE-2025-53690, CVSS 9.0) to gain initial access to North American critical infrastructure. The actor uses both exploit-based access and compromised credentials, then deploys open-source tools for credential harvesting, Active Directory reconnaissance, and persistent remote access. Observed artifacts include GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, Rubeus, and Certipy, raising supply chain and OT exposure concerns.
read more →

UAT-8837 APT Targets North American Critical Systems

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on obtaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in SiteCore) and often deploys open-source tooling—Earthworm, SharpHound, DWAgent, Certipy, and GoTokenTheft—to harvest credentials, enumerate Active Directory, and create remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoored accounts and remote admin access, and cycle tools when endpoint protections block their payloads. Talos provides IOCs, Snort rules, and ClamAV signatures to detect and mitigate this activity.
read more →

Generative AI Accelerates Active Directory Identity Attacks

🔐 Generative AI is accelerating password attacks against Active Directory, making cracking cheaper, faster, and more targeted than traditional techniques. Models like PassGAN learn real-world password patterns and can predict employee passwords when trained on breach data or public company content. Combined with readily available GPU cloud rentals, attackers can test vastly more candidates and tailor guesses using org-specific reconnaissance. Vendors such as Specops recommend longer, random passphrases and breached-password screening to reduce exposure.
read more →