protecting the keys to the castle! - restricted admin credential exposure
DESCRIPTION
More info on http://techdays.be.
TRANSCRIPT
Protecting the keys to the castle – Restricted Admin Credential Exposure
Marcus Murray & Hasain Alshakarti
Truesec Security Team, MVP-Enterprise Security x2
Marcus Murray Hasain Alshakarti
Who doesn’t want to be domain admin?
Passing the dutchie
[Network diagram. Labels: Web Srv, Mail Srv, File Srv, DC, Client, User, Admin, Client, Attacker]
Mitigating Passing the dutchie
• SMB Signing! On domain controllers!
mimikatz
• privilege::debug
• inject::process lsass.exe sekurlsa.dll
• @getLogonPasswords
• Passwords in CLEAR TEXT!!!
The ”Mandiant report”
Local account dependencies
[Network diagram. Labels: Web Srv, Mail Srv, File Srv, DC, Mail Srv, Client, CliAdm, CliAdm, Client, Attacker, SrvAdm, SrvAdm]
Logged on account dependencies
[Network diagram. Labels: Web Srv, Mail Srv, File Srv, DC, Mail Srv, Client, Marcus_DA, Marcus_DA, Client, Attacker, Marcus_DA, Marcus_DA]
Complete mission
[Network diagram. Labels: Web Srv, Mail Srv, File Srv, DC, Mail Srv, Client, User, Admin, Client, Attacker, Attacker]
Microsoft PtH Mitigations
Protecting!
• Local firewalls
• Non-admin
• Cutting dependencies
• Managed service accounts
• AMA
Thank you for listening!