7MS #301: CredDefense
Intro
CredDefense is a freakin' sweet tool from the fine folks at Black Hills Information Security that does some really nifty things:
Password filter
Let's say you use the out-of-the-box password policy that comes with Active Directory, and you want to change your password to Winter2017! - AD is gonna say "Yeah dude/dudette, go for it...it fits the bill!" But from an attacker's perspective we know this is bad - people love to pick bad seasonal passwords like Winter2017, Summer2019, etc.
With CredDefense's password filter in the mix, any new password gets checked against an additional word list, and if there's a match found within, BAM!! - password rejected. Think of how wonderful this is! You can stop people from using passwords that contain:
- 2017
- 2018
- 2019
- 2020
- 2021
- 2022
- Password
- P@ssw0rd
- P@$$w0rd
- January
- February
- etc...
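To make the gap concrete, here is an added example (not CredDefense's code) that runs a few constructed passwords through a simplified model of the stock AD complexity rule and then through a deny-list check built from the terms above. The case-insensitive substring matching, the 7-character minimum, and all function names are assumptions for illustration.

```python
import re

# Constructed deny list, taken from the terms listed above.
DENY_TERMS = ["2017", "2018", "2019", "2020", "2021", "2022",
              "Password", "P@ssw0rd", "P@$$w0rd", "January", "February"]

MIN_LENGTH = 7  # assumed minimum length for this sketch


def meets_ad_complexity(password, min_length=MIN_LENGTH):
    """Simplified stock AD rule: minimum length plus characters from at
    least 3 of 4 classes. The account-name check is left out."""
    classes = [
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return len(password) >= min_length and sum(1 for c in classes if c) >= 3


def deny_list_hits(password, terms=DENY_TERMS):
    """Return every deny-list term found anywhere in the password.
    Matching is case-insensitive (an assumption, so 'p@SSW0RD' still hits)."""
    lowered = password.lower()
    return [t for t in terms if t.lower() in lowered]


def evaluate(password):
    """Combine both checks: accepted only if AD is happy AND no term matches."""
    policy_ok = meets_ad_complexity(password)
    hits = deny_list_hits(password)
    return {"ad_policy_ok": policy_ok, "deny_hits": hits,
            "accepted": policy_ok and not hits}


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["Winter2017!", "Summer2019", "p@SSW0RD99", "Tr0ub4dor&Horse"]:
        result = evaluate(candidate)
        verdict = "ACCEPT" if result["accepted"] else "REJECT"
        print(f"{candidate:<18} AD ok={result['ad_policy_ok']!s:<5} "
              f"hits={result['deny_hits']} -> {verdict}")
```

Every sample passes the AD complexity model, but only the last one survives the deny list.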
Password audit
Ok, so now are you curious who in your AD environment is already using crappy passwords like Winter2017? Load up the password audit feature, feed it a big wordlist like rockyou, and you'll be good to go in no time. Output like this makes a compelling case to management as to why you need to up your AD policy to at least meet Microsoft's recommendations.
ResponderGuard
This is a nifty PowerShell tool that can jack with pentesters/attackers in your environment who are running the popular cred-stealing Responder tool. And what I especially appreciate from a blue team perspective is that if ResponderGuard catches Responder in use in the environment, it can stamp an event in the event log, which can then in turn generate an email if you're using something like WEFFLES (which we talked about recently) and the nifty WEFFLES email script my pal hackern0v1c3 put together here.