Protecting Privileged Domain Accounts during Live Response

More documents

Recommendations

Info

Delegate-‐level tokens available with Interactive Logons Delegate-‐level tokens not available with Network Logons, except PsExec As discussed, workarounds are available Impersonation-‐level tokens are available with either logon type and open the possibility for local privilege escalation attack This cannot be avoided unless the system is taken offline (or you investigate with a non-‐admin account, which is generally not effective) 34
My original post was about not divulging credentials on the network I.e., avoid using PsExec with the username/password option -‐ -‐ which sends passwords in clear-‐text But even using native MS authentication protocols, passwords in the clear, how secure is it? Well, that really depends on which protocol is used 35
Page 1 and 2: Mike Pilkington SANS Forensics and
Page 3 and 4: If you live in Houston and are inte
Page 5 and 6: For effective IR, what do we need t
Page 7 and 8: There are 3 areas where our credent
Page 9 and 10: 3 types of password hashes supporte
Page 11 and 12: Hashes must reside on the system Fo
Page 13 and 14: Windows codes: From: http://www.ul
Page 15 and 16: Next, I used the RunAs -‐ MSA
Page 17 and 18: -‐ now logs into the remote mac
Page 19 and 20: -‐ In the same second, the WMI
Page 22 and 23: Just wanted to demonstrate that I w
Page 24 and 25: Access tokens allow a privileges a
Page 26 and 27: Impersonate-‐level tokens are p
Page 28 and 29: Output from Incognito shows tokens
Page 30 and 31: Rebooted boxes, then logged back in
Page 32 and 33: NO with NET USE and WMIC YES with P
Page 36 and 37: Net authentication prior to Windows
Page 38 and 39: Provides mutual-‐authentication
Page 40 and 41: The related Relay Attack, to a 3rd
Page 42 and 43: By design, LM/NTLM (v1 & v2) uses p
Page 44 and 45: completely NTLM is still used in th
Page 47 and 48: Turns out that PsExec and NET USE w
Page 49 and 50: Use local admin account whenever po
Page 51 and 52: posting a set of written articles o
Page 53: Contact me directly: mike@securitys

Protecting Privileged Domain Accounts during Live Response

Create successful ePaper yourself

Delete template?

Save as template?