7MS #301: CredDefense
Lets say you use the out-of-the-box password policy that comes with Active Directory, and you want to change your password to Winter2017! - AD is gonna say "Yeah dude/dudette, go for it...it fits the bill!" But from an attacker's perspective we know this is bad - people love to pick bad seasonal passwords like Winter2017, Summer2019, etc.
With CredDefense's password filter in the mix, any new password gets checked against an additional word list, and if there's a match found within, BAM!! - password rejected. Think of how wonderful this is! You can stop people from using passwords that contain:
- [email protected]
- [email protected]$$w0rd
Ok, so now are you curious who in your AD environment is already using crappy passwords like Winter2017? Load up the password audit feature, feed it a big wordlist like rockyou, and you'll be good to go in no time. Output like this makes a compelling case to management as to why you need to up your AD policy to at least meet Microsoft's recommendations.
This is a nifty PowerShell tool that can jack with pentesters/attackers in your environment who are running the popular cred-stealing Responder tool. And what I especially appreciate from a blue team perspective is that if ResponderGuard catches Responder in use in the environment, it can stamp an event in the event log, which can then in turn generate an email if you're using something like WEFFLES (which we talked about recently) and the nifty WEFFLES email script my pal hackern0v1c3 put together here.