Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store
Mike Middleton and Justin Prosco, Mandiant, A FireEye Company

Presenters

Mike Middleton
- Principal Consultant
- Joined Mandiant in 2010
- 9.5 years of incident response and forensics experience
- Contributor to Incident Response & Computer Forensics, Third Edition
- Twitter:

Justin Prosco
- Principal Consultant
- Joined Mandiant in 2010
- Forensic, IR, application and network penetration experience
- Big Yankees fan
- Attempting to learn guitar
- Twitter: Prosco

Agenda
- Password Harvesting Techniques from Active Directory
  − Volume Shadow Copy Service (VSS)
  − PowerShell
- Forensic Artifacts and Investigation Techniques
- Audit Settings

Active Directory Data Store
- Directory Services for Windows Domains
- Focus on Windows 2008 & 2012
- Stored on disk
  − ESE (Extensible Storage Engine) file that contains domain user account password hashes
  − Default location: %systemroot%\NTDS\ntds.dit

Password Harvesting Attacks
- Typically the best method to obtain account passwords
  − Examples: Mimikatz, Windows Credentials Editor, etc.
- Usually involves dumping memory from lsass.exe

Mitigating Password Harvesting Attacks
- Involves transferring tools to the remote system
  − Can be detected by antivirus or HIPS
  − Unsigned code is difficult to run on domain controllers that use application whitelisting
- Usually leaves behind forensic evidence of password harvesting
- If the domain controller is secured against memory dumping, take the Active Directory database for offline password recovery
  − Problem: NTDS.DIT is locked for reading while the directory service is running

Volume Shadow Copy Service (VSS)
- Designed to back up files that are in use
- First introduced in Windows XP
- Shadow copies can be created on a regular schedule
  − Windows Task Scheduler
  − Default: no schedule
- Created when system updates are applied or on application installation
- Built-in tools for accessing Volume Shadow Copies:
- Some backdoors have built-in functionality to control VSS
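The two points above, that NTDS.DIT cannot be opened on a live domain controller and that a shadow copy exposes a readable snapshot of it, can be checked from an elevated PowerShell prompt on the DC. The script below is an added triage example and is not part of the Mandiant deck. It assumes the registry value "DSA Database file" under the NTDS service key records the live database path (administrators can move the file with ntdsutil, so the slide's default location is only a fallback), that C:\vsstriage is a free name for a temporary directory link, and that the schtasks.exe CSV column "Task To Run" is where a scheduled vssadmin/diskshadow/WMI command would appear; the list of tool names matched is a heuristic chosen for this example.

```powershell
# Added example (not from the deck): domain controller triage for NTDS.DIT exposure via VSS.
# Run elevated on a DC. Works on Windows Server 2008 R2 (PowerShell 2.0) and 2012.

function Get-NtdsDatabasePath {
    # Assumption: NTDS records its database path in 'DSA Database file'.
    $params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $default = Join-Path $env:SystemRoot 'NTDS\ntds.dit'   # the slide's default location
    try {
        $p = (Get-ItemProperty -Path $params -ErrorAction Stop).'DSA Database file'
        if ($p) { return $p }
    } catch { }
    return $default
}

function Test-NtdsLocked {
    param([string]$Path)
    # $true when the file cannot be opened even with a share-everything request,
    # which is the normal state on a running DC because lsass.exe holds it open.
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true   # "being used by another process"
    }
}

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy lists every shadow copy on the host, including ones created
    # ad hoc with vssadmin, diskshadow or WMI rather than by a schedule.
    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        New-Object -TypeName PSObject -Property @{
            ID                 = $_.ID
            Created            = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Volume             = $_.VolumeName          # \\?\Volume{GUID}\
            DeviceObject       = $_.DeviceObject        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Persistent         = $_.Persistent
            ClientAccessible   = $_.ClientAccessible
            OriginatingMachine = $_.OriginatingMachine
        }
    }
}

function Test-ShadowCopyExposesNtds {
    param([string]$DeviceObject, [string]$RelativeNtdsPath)
    # The shadow device is only reachable through a \\?\GLOBALROOT path, which .NET file
    # APIs on older hosts reject, so expose it through a temporary directory symlink
    # (the same mklink trick an attacker uses) and probe the snapshot of the database.
    $link = 'C:\vsstriage'   # assumption: this path is unused on the host
    & cmd.exe /c mklink /d $link ($DeviceObject + '\') | Out-Null
    try {
        $candidate = Join-Path $link $RelativeNtdsPath
        if (Test-Path -LiteralPath $candidate) {
            # Unlike the live file, the snapshot copy opens for read without error.
            return -not (Test-NtdsLocked -Path $candidate)
        }
        return $false
    } finally {
        & cmd.exe /c rmdir $link | Out-Null   # removes only the link, never the snapshot
    }
}

function Get-ShadowCopyTasks {
    # schtasks.exe exists on 2008 as well as 2012 (Get-ScheduledTask needs 2012+).
    # The verbose CSV output can repeat its header row per task folder; drop those rows.
    schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object {
            $_.TaskName -match 'ShadowCopyVolume' -or
            $_.'Task To Run' -match 'vssadmin|diskshadow|wmic|ShadowCopy'
        } | Select-Object TaskName, 'Task To Run', 'Last Run Time', Author
}

$ntds = Get-NtdsDatabasePath
"NTDS database: $ntds  (locked on the live DC: $(Test-NtdsLocked -Path $ntds))"

$drive    = [System.IO.Path]::GetPathRoot($ntds).TrimEnd('\')                  # e.g. C:
$volumeId = (Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID
$relative = $ntds.Substring($drive.Length + 1)                                   # Windows\NTDS\ntds.dit

$copies = @(Get-ShadowCopyInventory)
"Shadow copies on host: $($copies.Count)  (a DC has no shadow copy schedule by default)"
foreach ($c in $copies) {
    $exposes = $false
    if ($c.Volume -eq $volumeId) {
        $exposes = Test-ShadowCopyExposesNtds -DeviceObject $c.DeviceObject -RelativeNtdsPath $relative
    }
    "{0}  created {1:u}  from {2}  readable ntds.dit inside: {3}" -f $c.ID, $c.Created, $c.OriginatingMachine, $exposes
}

"Scheduled tasks that create or touch shadow copies:"
Get-ShadowCopyTasks | Format-Table -AutoSize
```

Each shadow copy that reports a readable ntds.dit is a complete, unlocked copy of the password hashes; on a DC with no backup schedule, every entry in that list needs an explanation (Windows Update, an application install, or someone running vssadmin/diskshadow by hand), and the creation timestamp is the pivot for the rest of the investigation. The script only reads the snapshot; a full offline recovery would also need the SYSTEM hive, which is outside this example.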