4/ What is nice from a #DFIR perspective is that inside the config.txt, there is a log file specified:
> C:\Windows\vbox\debug.log
5/ Which logs the amount of data sent back and forth (or not, in our case). This could prove or disprove that a TA used that backdoor to enter or re-enter the network:
[notice] Heartbeat: Tor's uptime is 3 days 0:00 hours, with 0 circuits open I've sent 0 kB and received 0 kB
• • •
Missing some Tweet in this thread? You can try to
force a refresh
1/ Real-World #PingCastle Finding #13: Allow log on locally
➡️ Domain Users are eligible to log into DC's 🤯🙈
"When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain." [1]
"If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges." [1]
3/ I encountered this finding several times in our AD assessments, so you better check your settings in your domain right now (better safe than sorry 🔒).
2/ @threatpunter wrote a detailed blog about WMI persistences and how to remove them.
"The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence." ✂️
3/ "Alternatively, you can remove the WMI event subscriptions from the command line." [2]
This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅
Here are more points you should focus on to defend your networks even better.
"Administrative accounts should never be enabled for delegation.
You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
2/ There exists a ton of different techniques of how attackers can relaying credentials to another host in order to raise their privileges or get a shell on the target server.
3/ @TrustedSec has written an excellent blog post about the different relaying techniques, how they work and which prerequisites have to be in place that the attack is successful. [1]
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3]