DevOps Braga #3: Admin rights, everyone gets Admin rights!

•

0 likes•85 views

DevOps Braga

Apresentação do devops Braga

Technology

Admin rights, everyone gets Admin rights!
Pedro Tarrinho
tarrinho at gmail punto com

Expectation!
Reality!
Presentation -> Real World!

Kerberos
Tickets
Ticket Granting Ticket
Ticket Granting Service

Scenario 1
• Developer with Local Admin Rights
• Requested recently IT Support
• Sometimes, access lsass.exe process
memory doesn’t show clear passwords
but…..

Pass The Hash
Step by step
1 – Access privileged memory
2 – Copy RC4 password for NTLM authentication
3 – Execute the PassTheHash attack and start a
command prompt
4 – Now, with Domain Admin Rights, do:
Whatever you want!

Scenario 2
• Access for 1 minute in a computer with Local Admin Rights
• Requested recently IT Support
• Without being in the domain
• But with access to the network!

Pass The Ticket
Step by step
1 – Access privileged memory
2 – Because the machine had a recent access from a
Domain Admin, exporting the Tickets, we manage to get
one ticket from the pt.adm user
3 – In a non controlled machine, we do the Pass The Ticket
and are able to access everything in that Domain
Note: in a machine that doesn’t have protection, sky is the
limit

Scenario 3
• Access for 1 minute in a computer with Local Admin Rights
• User doesn’t have Domain Admin Rights, but belongs to
the Administrator group
• In a machine outside of the domain
• But with access to the network!

DC Sync
Step by step
1 – We want to manage a DC from an attackers machine
2 – Even thought its not in the Network Administrator
group, but because the user is misconfigured, and has
access to the Administrator group, he can request the
Kerberos Ticket (Golden Ticket)
3 – After that, the only thing to do is, in a non controlled
machine, do the Pass The Ticket and are able to access
everything in that Domain

Scenario 4
• Access 1 minute to a computer without Local Admin Rights
• Without IT Support
• Without being in the domain
• But with access to the network!

Kerberos Delegation
Step by step
1 – Request the Delegation ticket
2 – In a machine outside the Domain, use that ticket
3 – Now, with a user access in controlled machine, do:
Whatever you want! – Escalation?
Note: now, the machine doesn’t have protection!

Start
the
Escalation
Process!!!
(Yourself)

Scenario 5
• Access for 1 minute in a computer with Local Admin Rights
• Having requested IT Support
• Monitorization of the AD with a SIEM*
in the SOC*
Security Information and Event Management
Security Operations Center

DC Sync
Step by step
1 – We want to manage a DC from an attackers machine
2 – Because communications between DCs are very noisy,
lets use this. We are going to issue a command as a DC
3 – After the creation of the command(s), we issue a “push”
and for a second we will have a Rogue DC.
Long enough to issue add a new user to the Domain Admins
without “noise”

Basically, I have a Rogue DC for a few seconds, and the
SIEM won’t see this records / logs, because….
DCShadow

Possíveis
soluções
de
mitigação
https://cloudblogs.microsoft.com/microsoftsecure/2012/12/11/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash/

Possíveis
soluções
de
mitigação
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf

Similar to DevOps Braga #3: Admin rights, everyone gets Admin rights!

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation. I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

EC-Council

20-security.ppt

ajajkhan16

CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT

CanSecWest

hacking and crecjing

parth jasani

To demonstrate the need for a holistic security approach by utilizing publicly available tools and social engineering techniques to gain unauthorized access to systems, data, and network resources. I'll create different scenarios in which various tools will be used for hacking purposes, after the target computer is successfully compromise I'll go over different security measures that could have been implemented to stop or mitigate the likelihood of a security breach. Some tools and scenarios will be more technical than others but as security professional our job is not to defeat tools but to protect the resources even from unsophisticated events such as someone stealing the physical computer. As a side note, some of the Scenarios are real cases in the business world. Sophisticated or not they could have been avoided with the right security security measures. Any identifiable information has been modified to protect the privacy of those affected. An unmanaged network is an insecure network, when the network is just a few people the office environment might be able to get away with a lot of the most stringiest controls but once the office has matured in its business practices the need for centralized administration and management is paramount. Let me clear, centralized administration, such as Windows Active Directory, Centralized AV, IPS-IDS, are not a silver bullet against attacks like this but it provides the necessary tools for someone with the technical knowledge to apply the appropriate controls to avoid situations like the ones described.

Hacking tools and the case for layered security

JDTechSolutions

HKUST Security Lab Opening Ceremony

Kelvin Chan

Introduction to Trusted Computing

Maksim Djackov

Ultimate pen test compromising a highly secure environment (nikhil)

ClubHack

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices. To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

PROIDEA

When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014

Jakub Kałużny

Project: Malware Analysis CS 6262 Project 3 Agenda • Part 1: Analyzing Windows Malware • Part 2: Analyzing Android Malware Scenario • Analyzing Windows Malware • You got a malware sample from the wild. Your task is to discover what malware does by analyzing it • How do you discover the malware’s behaviors? • Static Analysis • Manual Reverse Engineering • Programming binary analysis • Dynamic Analysis • Network behavioral tracing • Run-time system behavioral tracing(File/Process/Thread/Registry) • Symbolic Execution • Fuzzing Scenario • In our scenario, you are going to analyze the given malware with tools that we provide. • The tools help you to analyze the malware with static and dynamic analysis. • Objective 1. Find which server controls the malware (the command and control (C2) server) 2. Discover how the malware communicates with the command and control (C2) server • URL and Payload 3. Discover what activities are done by the malware payload • Attack Activities Scenario • Requirement • Make sure that no malware traffic goes out from the virtual machine • But, updating of malware (stage 2), and downloading payload (stage 3) are required to be allowed (set as default option) • The command and control server is dead. You need to reconstruct it • Use tools to reconstruct the server, then reveal hidden behaviors of the malware • Analyze network traffic on the host, and figure out the list of available commands for the malware • Analyze network traffic trace of the host, and figure out what malware does • Write down your answer into assignment-questionnaire.txt Project Structure • A Virtual Machine for Malware analysis • Please download and install the latest version or update your virtual box. • https://www.virtualbox.org/wiki/Downloads • Download the VM • Download links • http://ironhide.gtisc.gatech.edu/vm_2018.7z • http://bombshell.gtisc.gatech.edu/vm_2018.7z • Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd • Please install 7zip or p7zip • Windows, Linux and MacOs: http://www.7-zip.org/download.html • Unarchive the 7z file • Password: GTVM! https://www.virtualbox.org/wiki/Downloads http://ironhide.gtisc.gatech.edu/vm_2018.7z http://bombshell.gtisc.gatech.edu/vm_2018.7z http://www.7-zip.org/download.html Project Structure • Open VirtualBox • Go to File->Import Appliance. • Select the ova file and import it. • For detailed information on how to import the VM, see: • https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html • VM user credentials • Username: analysis • Password: analysis https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html Project Structure • In the Virtual Machine (VM) • Files • init.py • This initializes the project environment • Type your Georgia Tech username (same login name as Canvas) after running this • update.sh • This script updates the VM if any further update has been made by TA • DO NOT execute the scri.

Project Malware AnalysisCS 6262 Project 3Agenda.docx

briancrawford30935

Electornic evidence collection

Fakrul Alam

Mimikatz

rishabh sharma

These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later. Abstract: For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut

Owning computers without shell access 2

Royce Davis

Preventing Advanced Targeted Attacks with IAM Best Practices

Andy Thompson

DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents

Christopher Gerritz

Получение прав администратора домена не всегда означает, что сразу появляется доступ ко всем хостам, общим ресурсам или базам данных сети. Хитрость в том, чтобы найти нужный аккаунт. Докладчик приведет примеры различных сценариев внутреннего тестирования на проникновение, расскажет о сложностях, с которыми столкнулась его команда и о том, как разрабатывался инструмент, позволивший справиться с ними.

Заполучили права администратора домена? Игра еще не окончена

Positive Hack Days

In the time when software is so complex and rapidly changing so, the users cannot trust their own computers and smartphones to protect their secrets from attackers, more and more solutions rely on hardware to be the last measure of protection. As a result, there are a number of manufacturers developing hardware wallets which are meant to protect cryptocurrency private keys. This talk presents a wide range of attacks, which can be successfully applied to most popular hardware wallets on the market, from app isolation bypass to fault injection attacks on the microcontroller. Additionally the talk presents secure design requirements and countermeasures making life of an attacker much more difficult, which are applicable to all kings of secure hardware devices.

[CB19] Hardware Wallet Security

CODE BLUE

Remote login

sarjoo prasad yadav

JTAM Poster

Ashish Kamra

Similar to DevOps Braga #3: Admin rights, everyone gets Admin rights! (20)

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

20-security.ppt

CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT

hacking and crecjing

Hacking tools and the case for layered security

HKUST Security Lab Opening Ceremony

Introduction to Trusted Computing

Ultimate pen test compromising a highly secure environment (nikhil)

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014

Project Malware AnalysisCS 6262 Project 3Agenda.docx

Electornic evidence collection

Mimikatz

Owning computers without shell access 2

Preventing Advanced Targeted Attacks with IAM Best Practices

DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents

Заполучили права администратора домена? Игра еще не окончена

[CB19] Hardware Wallet Security

Remote login

JTAM Poster

Recently uploaded

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

DBX First Quarter 2024 Investor Presentation

Dropbox

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Apidays New York 2024 - The value of a flexible API Management solution for O...

Ransomware_Q4_2023. The report. [EN].pdf

Cyberprint. Dark Pink Apt Group [EN].pdf

DBX First Quarter 2024 Investor Presentation

CNIC Information System with Pakdata Cf In Pakistan

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Artificial Intelligence Chap.5 : Uncertainty

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

MS Copilot expands with MS Graph connectors

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Boost Fertility New Invention Ups Success Rates.pdf

How to Troubleshoot Apps for the Modern Connected Worker

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Why Teams call analytics are critical to your entire business

Exploring the Future Potential of AI-Enabled Smartphone Processors

Axa Assurance Maroc - Insurer Innovation Award 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Strategies for Landing an Oracle DBA Job as a Fresher

DevOps Braga #3: Admin rights, everyone gets Admin rights!

1. Admin rights, everyone gets Admin rights! Pedro Tarrinho tarrinho at gmail punto com

2. DCShadow

3. Expectation! Reality! Presentation -> Real World!

5. Steps Cyber Atack? Entities

9. + Services provided

10. Kerberos Tickets Ticket Granting Ticket Ticket Granting Service

11. Scenario 1 • Developer with Local Admin Rights • Requested recently IT Support • Sometimes, access lsass.exe process memory doesn’t show clear passwords but…..

12. Pass The Hash Step by step 1 – Access privileged memory 2 – Copy RC4 password for NTLM authentication 3 – Execute the PassTheHash attack and start a command prompt 4 – Now, with Domain Admin Rights, do: Whatever you want!

13. https://youtu.be/IrrcJK-HKD4

14.

15. Scenario 2 • Access for 1 minute in a computer with Local Admin Rights • Requested recently IT Support • Without being in the domain • But with access to the network!

16. Pass The Ticket Step by step 1 – Access privileged memory 2 – Because the machine had a recent access from a Domain Admin, exporting the Tickets, we manage to get one ticket from the pt.adm user 3 – In a non controlled machine, we do the Pass The Ticket and are able to access everything in that Domain Note: in a machine that doesn’t have protection, sky is the limit

17. https://youtu.be/amlFaq-Yc9w

18.

19. Scenario 3 • Access for 1 minute in a computer with Local Admin Rights • User doesn’t have Domain Admin Rights, but belongs to the Administrator group • In a machine outside of the domain • But with access to the network!

20. DC Sync Step by step 1 – We want to manage a DC from an attackers machine 2 – Even thought its not in the Network Administrator group, but because the user is misconfigured, and has access to the Administrator group, he can request the Kerberos Ticket (Golden Ticket) 3 – After that, the only thing to do is, in a non controlled machine, do the Pass The Ticket and are able to access everything in that Domain

21. https://youtu.be/HdBYmomN3Zg

22.

23.

24. Scenario 4 • Access 1 minute to a computer without Local Admin Rights • Without IT Support • Without being in the domain • But with access to the network!

25. Kerberos Delegation Step by step 1 – Request the Delegation ticket 2 – In a machine outside the Domain, use that ticket 3 – Now, with a user access in controlled machine, do: Whatever you want! – Escalation? Note: now, the machine doesn’t have protection!

26. https://youtu.be/bZDAj17KLEQ

27. Start the Escalation Process!!! (Yourself)

28.

29. Scenario 5 • Access for 1 minute in a computer with Local Admin Rights • Having requested IT Support • Monitorization of the AD with a SIEM* in the SOC* Security Information and Event Management Security Operations Center

30. DC Sync Step by step 1 – We want to manage a DC from an attackers machine 2 – Because communications between DCs are very noisy, lets use this. We are going to issue a command as a DC 3 – After the creation of the command(s), we issue a “push” and for a second we will have a Rogue DC. Long enough to issue add a new user to the Domain Admins without “noise”

31. https://youtu.be/vQkM41rpECw

32. Basically, I have a Rogue DC for a few seconds, and the SIEM won’t see this records / logs, because…. DCShadow

33.

34. Possíveis soluções de mitigação https://cloudblogs.microsoft.com/microsoftsecure/2012/12/11/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash/

35. Possíveis soluções de mitigação https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf

DevOps Braga #3: Admin rights, everyone gets Admin rights!

Recommended

Recommended

More Related Content

Similar to DevOps Braga #3: Admin rights, everyone gets Admin rights!

Similar to DevOps Braga #3: Admin rights, everyone gets Admin rights! (20)

More from DevOps Braga

More from DevOps Braga (8)

Recently uploaded

Recently uploaded (20)

DevOps Braga #3: Admin rights, everyone gets Admin rights!