Protecting Privileged Domain Accounts during Live Response

More documents

Recommendations

Info

The related Relay Attack, to a 3rd other . Tools such as SMBRELAY3 and Metasploit can perform the relay attack (currently supports NTLMv1 only, but v2 is possible). 40
Fixing Reflective Attack: IR workstations need MS08-‐068 applied Fixing Relay Attack: NTLMv2: EPA embeds the Service Principal Name of the target service with Extended Protection works because only domain controllers and machines where the user directly enters the password can compute/validate the Integrity Hash for the security blobs. However, to be effective, ALL machines on the network must enforce its use, which is no small task in most environments. 41
Page 1 and 2: Mike Pilkington SANS Forensics and
Page 3 and 4: If you live in Houston and are inte
Page 5 and 6: For effective IR, what do we need t
Page 7 and 8: There are 3 areas where our credent
Page 9 and 10: 3 types of password hashes supporte
Page 11 and 12: Hashes must reside on the system Fo
Page 13 and 14: Windows codes: From: http://www.ul
Page 15 and 16: Next, I used the RunAs -‐ MSA
Page 17 and 18: -‐ now logs into the remote mac
Page 19 and 20: -‐ In the same second, the WMI
Page 22 and 23: Just wanted to demonstrate that I w
Page 24 and 25: Access tokens allow a privileges a
Page 26 and 27: Impersonate-‐level tokens are p
Page 28 and 29: Output from Incognito shows tokens
Page 30 and 31: Rebooted boxes, then logged back in
Page 32 and 33: NO with NET USE and WMIC YES with P
Page 34 and 35: Delegate-‐level tokens availabl
Page 36 and 37: Net authentication prior to Windows
Page 38 and 39: Provides mutual-‐authentication
Page 42 and 43: By design, LM/NTLM (v1 & v2) uses p
Page 44 and 45: completely NTLM is still used in th
Page 47 and 48: Turns out that PsExec and NET USE w
Page 49 and 50: Use local admin account whenever po
Page 51 and 52: posting a set of written articles o
Page 53: Contact me directly: mike@securitys

Protecting Privileged Domain Accounts during Live Response

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?