,
8 tweets,
2 min read
Read on Twitter
Some things attackers like:
-Domain Admin accounts that do logon type 4 or 5 to workstations
-Accounts with weak Kerberos configs like DES encryption or no preauth
-GPO settings that allow unexpected admin actions like loading drivers
Why not check for these before they do?
-Domain Admin accounts that do logon type 4 or 5 to workstations
-Accounts with weak Kerberos configs like DES encryption or no preauth
-GPO settings that allow unexpected admin actions like loading drivers
Why not check for these before they do?
Highly privileged accounts doing logon type 4 or 5 to workstations are useful to attackers because they leave credentials in memory and on disk - so an attacker can transmute one local administrator account into a domain wide compromise.
Weak Kerberos configurations in accounts are useful to attackers because they can be utilized to get offline password hashes to crack, or to modify Kerberos requests. Especially dangerous when combined with a weak/short password or no password required setting.
GPO settings can have a goldmine of legacy settings attackers can use to elevate privileges in a domain. Have you reviewed your Default Domain controller policy lately?
When legacy Active Directory decisions get combined with something like published apps or authentication services attackers can easily let themselves in, without utilizing vulnerabilities or fancy tradecraft. Audit the settings that likely predate current technology workflows.
Any ‘unsophisticated’ attacker who gets access to your network with a phishing email or banking trojan can easily take advantage of configurations like this - threat model mitigating the everyday threats and you’ll find it applies really well for the works case scenario too.
Also please enable host firewalls
If you want to find accounts doing dangerous or shady things and don’t have an existing solution, I made a thing for that:
