Protecting Privileged Domain Accounts during Live Response

More documents

Recommendations

Info

servers/workstations for some time. I want to minimize any chance of exposing my credentials. I posted a couple of blog articles on the topic, in particular focusing on the aspect of not passing clear-‐text credentials over the network: http://blogs.sans.org/computer-‐forensics/2010/06/01/protecting-‐admin-‐passwords-‐ remote-‐response-‐forensics/ http://blogs.sans.org/computer-‐forensics/2010/06/04/wmic-‐draft/ response from Cory Altheide: protects the passphrase from unlikely threat of being sniffed across the network but does nothing to prevent the incredibly likely threat of the on the remote compromised system being investigated and used via pass-‐the-‐hash Great comment, and it led to a lot of research over the past year, which 4
For effective IR, what do we need to be able to do on the remote system? We must be able to run commands with Administrator privileges, otherwise we risk missing advanced malware. In some cases, we are unable to use local administrative account, so must use domain account with admin privileges. What are the issues? If it is necessary to use domain accounts, they are likely privileged accounts across multiple machines. We must prevent the attacker from stealing our privileged domain credentials and making a bad situation worse. 5
Page 1 and 2: Mike Pilkington SANS Forensics and
Page 3: If you live in Houston and are inte
Page 7 and 8: There are 3 areas where our credent
Page 9 and 10: 3 types of password hashes supporte
Page 11 and 12: Hashes must reside on the system Fo
Page 13 and 14: Windows codes: From: http://www.ul
Page 15 and 16: Next, I used the RunAs -‐ MSA
Page 17 and 18: -‐ now logs into the remote mac
Page 19 and 20: -‐ In the same second, the WMI
Page 22 and 23: Just wanted to demonstrate that I w
Page 24 and 25: Access tokens allow a privileges a
Page 26 and 27: Impersonate-‐level tokens are p
Page 28 and 29: Output from Incognito shows tokens
Page 30 and 31: Rebooted boxes, then logged back in
Page 32 and 33: NO with NET USE and WMIC YES with P
Page 34 and 35: Delegate-‐level tokens availabl
Page 36 and 37: Net authentication prior to Windows
Page 38 and 39: Provides mutual-‐authentication
Page 40 and 41: The related Relay Attack, to a 3rd
Page 42 and 43: By design, LM/NTLM (v1 & v2) uses p
Page 44 and 45: completely NTLM is still used in th
Page 47 and 48: Turns out that PsExec and NET USE w
Page 49 and 50: Use local admin account whenever po
Page 51 and 52: posting a set of written articles o
Page 53: Contact me directly: mike@securitys

Protecting Privileged Domain Accounts during Live Response

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?