CASSIDIAN CyberSecurity Blog




Playing defence against the Equation Group

In August 2016 an archive was released to the public by an unknown group calling itself Shadow Brokers. This archive contained material attributed to the Equation Group. The authenticity of this leak, its reason, attribution and content have already been widely discussed, by Bruce Schneier and Matthieu Suiche among others. Mustafa Al-Bassam has kept an inventory of the leak and has commented on Twitter.

This post is based on what can be extracted from the various procedures contained in the released material. Most of these procedures can be found in the “SCRIPTS” directory, with a few others scattered in various other directories. Using the aforementioned data, this post will focus on what can be deduced regarding Equation Group’s organisation, their modus operandi, and will list simple techniques to impede or detect their operations.



The Active Directory Permissions Analysis Challenge

Analyzing permissions in Active Directory is a difficult task for Active Directory administrators.

First, because the Active Directory delegation capabilities are extremely powerful and can lead to a highly complex hierarchy of permissions that is hard to review.

Second, because the built-in tools are limited: permissions are displayed in the properties of each object, and the effective permissions of a user on an object can be calculated, but this is impractical in large environments and yields approximate and sometimes inaccurate results (see Microsoft KB 933071). Other alternatives will also be described in this post.

Third, because the company may not have a defined delegation model, or may have an old one defined at forest or domain creation. In a perfect world, every Active Directory "should" have a defined (and documented) delegation model that "should" evolve as the enterprise evolves (team reorganizations, company acquisitions, partnerships...). In the same perfect world, Active Directory administrators should be able to check whether the current delegations in Active Directory match the defined delegation model, and modify either side to reach the desired state.

Last, because this task is a shared responsibility of both the Active Directory service administrators (for the top-level delegations) and the Active Directory data administrators (see Microsoft Best Practices for Active Directory Delegation).



Welcome to our new blog!

Welcome to our experts' blog!

This blog is Cassidian CyberSecurity experts' territory, for them to share their technical knowledge with the cyber community.

Depending on the news as well as on our authors' areas of expertise and mood, you will find in this blog their thoughts about trends in the field and, above all, their views and specific analyses: from a focus on specific malware behaviour to attackers' methodologies and the newest discoveries.

Indeed, we strongly believe in the importance of sharing cyber expert knowledge, to the benefit of all.