Calcom Blog

Unsigned LDAP Channel Binding Attacks - How to Mitigate Without Breaking Production

In March 2020 Microsoft published a patch that is supposed to help prevent unsigned LDAP channel binding attacks on Domain Controllers (DC). In this article, we’ll dive into the attack and what

Preventing LDAP Reconnaissance - The First Step of AD Attacks

Due to the architecture of Active Directory, once a domain-joined computer is breached, the attacker is able to map the network, locate sensitive accounts and assets, and estimate vulnerabilities. The process

Domain controller: LDAP server signing requirements

LDAP signing increases security in communication between LDAP clients and Active Directory domain controllers. LDAP signing is a Simple Authentication and Security Layer (SASL) feature, as part of the LDAP protocol

Why NTLMv1 will always be vulnerable to NTLM Relay attacks

NTLM Relay is one of the most iconic and common attacks on Active Directory environments. In this attack, the attacker (the relayer) captures an authentication and passes it on to a server of their choosing. This

Ryuk Ransomware is Targeting Hospitals

The Ryuk ransomware operators continue to target hospitals despite the coronavirus pandemic and the massive loads hospitals have to cope with. According to BleepingComputer, only two of the ransomware groups they’ve

Remote Connection from a Server Hardening Perspective

The new reality demands that organizations be creative to keep the business running. Having the ability to allow employees to work from home is becoming essential for business survival. Even

Mitigating Type 1 Font Parsing Remote Code Execution Vulnerability for Windows

A new critical vulnerability in the Adobe Type Manager Library in Windows was discovered after investigating several Windows 7-based attacks. Microsoft is aware of this issue but hasn’t published any update to

TrickBot RDP Brute Force Attack

A new module in the well-known TrickBot malware has been discovered. The new development allows attackers to leverage compromised systems and launch a brute force attack against Windows systems running

RDS: Do Not Allow Drive Redirection

POLICY DESCRIPTION: This policy specifies whether to prevent the mapping of client drives in a Remote Desktop Services session. By default, an RD Session Host server maps client drives automatically

SQL server attacks: mechanisms you must know

SQL server attacks are among the most painful attacks organizations can suffer. An organization’s database is one of its softest spots, making it an attractive target for attackers.

RDS: Do Not Allow LPT Port Redirection

Short for line printer terminal, LPT is used by IBM-compatible computers as an identifier for the parallel port, such as LPT1, LPT2, or LPT3. The LPT port is commonly required when installing a printer

RDS: Do Not Allow COM Port Redirection - The Policy Expert

COM port is the name of the serial port interface on IBM PC-compatible computers. It can refer not only to physical ports but also to emulated ports, such as ports created by Bluetooth or USB-to-serial adapters. POLICY DESCRIPTION: This

Restrict NTLM: Audit Incoming NTLM Traffic - The Policy Expert

NTLM is Microsoft’s old, legendary authentication protocol. Although newer and better authentication protocols have already been developed, NTLM is still very much in use. Basically, even the most recent Windows versions

LAN Manager authentication level - The Policy Expert

NTLM attacks are especially relevant to Active Directory environments. One of the most common attack scenarios is NTLM Relay, where the attacker compromises one machine and then spreads laterally to other

RDS: Require user authentication for remote connections by using Network Level Authentication (NLA) - The Policy Expert

POLICY DESCRIPTION: This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication (NLA). This policy

RDS: Do not allow supported Plug and Play device redirection - The Policy Expert

POLICY DESCRIPTION: This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services

MSS: (DisableIPSourceRouting) IP source routing protection level (protect against packet spoofing) - The Policy Expert

Configuring this value in the most secure fashion can help to lower the risk of DoS attacks via packet spoofing. The objective of this kind of attack is to flood the

RDS: Do not allow clipboard redirection - The Policy Expert

POLICY DESCRIPTION: Specifies whether to prevent the sharing of clipboard contents (clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting