Protecting the keys to the castle! - Restricted Admin Credential Exposure

More info on http://techdays.be.


  1. Protecting the keys to the castle – Restricted Admin Credential Exposure
     Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP-Enterprise Security x2
  2. Marcus Murray, Hasain Alshakarti
  3. Who doesn’t want to be domain admin?
  4. Passing the dutchie
     (Diagram labels: Web Srv, Mail Srv, DC, File Srv, Client, Client, Admin, User)
  5. Mitigating Passing the dutchie
     • SMB Signing! On domain controllers!
  6. mimikatz
     • privilege::debug
     • inject::process lsass.exe sekurlsa.dll
     • @getLogonPasswords
     • Passwords in CLEAR TEXT!!!
  7. The “Mandiant report”
  8. Local account dependencies
     (Diagram labels: Web Srv, Mail Srv, DC, File Srv, Mail Srv, SrvAdm, SrvAdm, Client, Client, CliAdm, CliAdm)
  9. Logged on account dependencies
     (Diagram labels: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Marcus_DA, Marcus_DA, Client, Client, Marcus_DA, Marcus_DA)
  10. Complete mission
     (Diagram labels: Web Srv, Mail Srv, DC, File Srv, Mail Srv, Client, Client, Admin, User)
  11. Microsoft PtH Mitigations
  12. Protecting!
     • Local firewalls
     • Non-admin
     • Cutting dependencies
     • Managed service accounts
     • AMA
  13. Marcus Murray, Hasain Alshakarti
  14. Thank you for listening!
