Protecting Privileged Domain Accounts during Live Response

More documents

Recommendations

Info

Interact with a remote Windows XP (SP2) domain workstation for analysis/triage We need the ability to complete several tasks: Query the machine, with a tool such as WMIC Run commands on the machine, with a tool like PsExec Copy files to/from the machine, via the command NET USE Complete these actions in such a way as to leave no opportunity for an attacker to steal our domain credentials 6
There are 3 areas where our credentials are at particular risk: Password Hashes Method for storing credentials on the local system Access Tokens Single sign-‐on functionality within Windows Network Authentication Protocols for authenticating to remote systems 7
Page 1 and 2: Mike Pilkington SANS Forensics and
Page 3 and 4: If you live in Houston and are inte
Page 5: For effective IR, what do we need t
Page 9 and 10: 3 types of password hashes supporte
Page 11 and 12: Hashes must reside on the system Fo
Page 13 and 14: Windows codes: From: http://www.ul
Page 15 and 16: Next, I used the RunAs -‐ MSA
Page 17 and 18: -‐ now logs into the remote mac
Page 19 and 20: -‐ In the same second, the WMI
Page 22 and 23: Just wanted to demonstrate that I w
Page 24 and 25: Access tokens allow a privileges a
Page 26 and 27: Impersonate-‐level tokens are p
Page 28 and 29: Output from Incognito shows tokens
Page 30 and 31: Rebooted boxes, then logged back in
Page 32 and 33: NO with NET USE and WMIC YES with P
Page 34 and 35: Delegate-‐level tokens availabl
Page 36 and 37: Net authentication prior to Windows
Page 38 and 39: Provides mutual-‐authentication
Page 40 and 41: The related Relay Attack, to a 3rd
Page 42 and 43: By design, LM/NTLM (v1 & v2) uses p
Page 44 and 45: completely NTLM is still used in th
Page 47 and 48: Turns out that PsExec and NET USE w
Page 49 and 50: Use local admin account whenever po
Page 51 and 52: posting a set of written articles o
Page 53: Contact me directly: mike@securitys

Protecting Privileged Domain Accounts during Live Response

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?