Discover and read the best of Twitter Threads about #pingcastle
Most recents (9)
1/ Real-World #PingCastle Finding #13: Allow log on locally
➡️ Domain Users are eligible to log into DC's 🤯🙈
"When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain." [1]
#CyberSecurity
➡️ Domain Users are eligible to log into DC's 🤯🙈
"When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain." [1]
#CyberSecurity
2/ Why is this a bad idea?
"If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges." [1]
"If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges." [1]
3/ I encountered this finding several times in our AD assessments, so you better check your settings in your domain right now (better safe than sorry 🔒).
Good luck 🍀
Good luck 🍀
1/ Number #10 of the #ActiveDirectory hardening measures:
Easy Wins (for Attackers)
🧵 #CyberSecurity
Easy Wins (for Attackers)
🧵 #CyberSecurity
This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅
Here are more points you should focus on to defend your networks even better.
Here are more points you should focus on to defend your networks even better.
"Administrative accounts should never be enabled for delegation.
You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
2/ There exists a ton of different techniques of how attackers can relaying credentials to another host in order to raise their privileges or get a shell on the target server.
3/ @TrustedSec has written an excellent blog post about the different relaying techniques, how they work and which prerequisites have to be in place that the attack is successful. [1]
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]
Screenshot below from #PingCastle (@mysmartlogon)
Screenshot below from #PingCastle (@mysmartlogon)
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3]
1/ Number #6 of the #ActiveDirectory hardening measures:
Privileges and Permissions
🧵 #CyberSecurity
Privileges and Permissions
🧵 #CyberSecurity
2/ #PingCastle lists, among many other things, the privileges assigned to domain users via GPOs.
The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.
Why is this bad?
The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.
Why is this bad?
3/ As @0xdf put it:
"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]
I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]
I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
/1 Sin #4: Insufficient AD Hardening
Of course, there are many AD attack paths, misconfigurations, and ways to get DA credentials.
But still, companies should try to set the bar as high as possible to force attackers to make mistakes we might detect.
🧵 #CyberSecurity
Of course, there are many AD attack paths, misconfigurations, and ways to get DA credentials.
But still, companies should try to set the bar as high as possible to force attackers to make mistakes we might detect.
🧵 #CyberSecurity
3/ Service accounts are DA
Service accounts should never be part of the Domain Admins group.
Check and clean the DA group regularly because a TA could try to "Kerberoast" the service account, which is primarily a problem if the service account use a weak password (next point).
Service accounts should never be part of the Domain Admins group.
Check and clean the DA group regularly because a TA could try to "Kerberoast" the service account, which is primarily a problem if the service account use a weak password (next point).
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.
1/8
#CyberSecurity #dfir
1/8
#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.
The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8
github.com/WazeHell/sam-t…
The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8
github.com/WazeHell/sam-t…
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
3/8
3/8
Many people knows be about AD stuff (#PingCastle) but I'm also an expert in Windows & smart card.
If you have to remember one thing, it is:
certutil -scinfo
Thread
If you have to remember one thing, it is:
certutil -scinfo
Thread
Main problem being smart card recognition.
If you see a card name, it's ok
If you see a card name, it's ok
Sometimes, this is obvious: no smart card
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
