Win10盗版win8.1升级win10
盗版win8.1升级win10 时间:2021-01-20 阅读:()
1WindowsCredentialsAttackMitigationDefenseChadTilbury@chadtilburySeniorInstructorandCo-Author:FOR500:WindowsForensicsFOR508:AdvancedForensicsandIncidentResponseE-mail:chad.
tilbury@crowdstrike.
comLinkedIn:ChadTilburyTwitter:@chadtilburyComputerCrimeInvestigationsCrowdStrikeMandiantUSAirForceOSISpecialAgentCHADTILBURYTECHNICALADVISORCROWDSTRIKESERVICESSANSINSTITUTECONNECT15+YEARSPriority#1post-exploitationDomainadminisultimategoalNearlyeverythinginWindowsistiedtoanaccountDifficulttomovewithoutoneEasyandrelativelystealthymeanstotraversethenetworkAccountlimitationsarerare"Sleeper"credentialscanprovideaccessafterremediationCompromisingCredentials3PillageAchieveDomainAdminDumpMoarCredentials_MoveLaterallyDumpCredentialsGainFootholdUserAccessControl(UAC)ManagedServiceAccountsKB2871997SSPplaintextpasswordmitigationsLocaladminremotelogonrestrictionsProtectedProcessesRestrictedAdminDomainProtectedUsersSecurityGroupLSACachecleanupGroupManagedServiceAccountsCredentialGuardRemoteCredentialGuardDeviceGuard(preventexecutionofuntrustedcode)EvolutionofCredentialAttackMitigation4CompromisingCredentials:HashesThepasswordforeachuseraccountinWindowsisstoredinmultipleformats:LMandNThashesaremostwellknown.
TsPkg,WDigest,andLiveSSPcanbedecryptedtoprovideplaintextpasswords(priortoWin8.
1)HowaretheyacquiredandusedHashesareavailableintheLSASSprocessandcanbeextractedwithadminprivileges.
Oncedumped,hashescanbecrackedorusedimmediatelyinaPasstheHashattack.
Commontools:MimikatzfgdumpgsecdumpMetasploitSMBshellPWDumpXcreddumpWCEHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT5AdminActionLogonTypeCredentialsonTargetNotesConsolelogon2Yes**ExceptwhenCredentialGuardisenabledRunas2Yes**ExceptwhenCredentialGuardisenabledRemoteDesktop10Yes**ExceptforenabledRemoteCredentialGuardNetUse3NoIncluding/u:parameterPowerShellRemoting3NoInvoke-Command;Enter-PSSessionPsExecalternatecreds3+2Yes-u-pmicrosoft.
com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-materialHashDumping(Gsecdump)8PasstheHash(Mimikatz)10PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminWin10deployRemoteCredentialGuardUpgradetoWindows10CredentialGuardTsPkg,WDigest,etc.
--SSOcredsobsolescenceDomainProtectedUsersGroup(PtHmitigation)DefendingCredentials:Hashes12CompromisingCredentials:TokensDelegatetokensarepowerfulauthenticationresourcesusedforSSO.
Theyallowattackerstoimpersonateauser'ssecuritycontext,includingoverthenetwork.
HowaretheyacquiredandusedTheSeImpersonateprivilegeletstokensbecopiedfromprocesses.
Thenewtokencanthenbeusedtoauthenticateasthenewuser.
Atargetuserorservicemustbeloggedonorhaverunningprocesses.
Commontools:IncognitoMetasploitPowerShellMimikatzHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT13TokenStealing(Mimikatz)14PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminModeWin10deployRemoteCredentialGuardAccountdesignationof"AccountisSensitiveandCannotbeDelegated"inActiveDirectoryDomainProtectedUserssecuritygroupaccountsdonotcreatedelegatetokensDefendingCredentials:Tokens16CompromisingCredentials:CachedCredentialsStoreddomaincredentialstoallowlogonswhendomaincontrolleraccessisunavailable.
Mostsystemscachethelast10logonhashesbydefault.
HowaretheyacquiredandusedCachedcredentialsmustbecracked.
Hashesaresaltedandcase-sensitive,makingdecryptionveryslow.
ThesehashescannotbeusedforPasstheHashattacks.
Commontools:cachedumpMetasploitPWDumpXcreddumpHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT17Thecreddumputilitiescanextracthashes,cachedcredentialsandLSASecretsfromofflineregistryhives:github.
com/Neohapsis/creddump7OfflineCachedCredentialsExtraction(Creddump)18LocalNTHashesCachedHashesPreventadminaccountcompromiseLimitnumberofcachedlogonaccountsSOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon(cachedlogonscountvalue)AcachedlogonscountofzerooroneisnotalwaystherightanswerEnforcepasswordlengthandcomplexityrulesBruteforcecrackingisrequiredforthisattackDomainProtectedUserssecuritygroupaccountsdonotcachecredentialsDefendingCredentials:CachedCredentials20CompromisingCredentials:LSASecretsCredentialsstoredintheregistrytoallowservicesortaskstoberunwithuserprivileges.
Inadditiontoserviceaccounts,mayalsoholdapplicationpasswordslikeVPNorauto-logoncredentials.
HowaretheyacquiredandusedAdministratorprivilegesallowaccesstoencryptedregistrydataandthekeysnecessarytodecrypt.
PasswordsareplaintextCommontools:CainMetasploitMimikatzgsecdumpPWDumpXcreddumpPowerShellHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT21Get-LsaSecret.
ps1fromtheNishangPowerShellpentestframeworkusedtodump(anddecrypt)LSASecretshttps://github.
com/samratashok/nishangDecryptingLSASecrets(Nishang)22PreventadminaccountcompromiseDonotemployservicesorscheduletasksrequiringprivilegedaccountsonlowtrustsystemsReducenumberofservicesthatrequiredomainaccountstoexecuteHeavilyauditanyaccountsthatmustbeused(Group)ManagedServiceAccountsDefendingCredentials:LSASecrets23CompromisingCredentials:TicketsKerberosissuesticketstoauthenticatedusersthatcanbereusedwithoutadditionalauthentication.
Ticketsarecachedinmemoryandarevalidfor10hours.
HowaretheyacquiredandusedTicketscanbestolenfrommemoryandusedtoauthenticateelsewhere(PasstheTicket).
Further,accesstotheDCallowsticketstobecreatedforanyuserwithnoexpiration(GoldenTicket).
Serviceaccountticketscanberequestedandforged,includingofflinecrackingofserviceaccounthashes(Kerberoasting).
Commontools:MimikatzWCEkerberoastHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT24PasstheTicket(Mimikatz)25KerberosAttacks27PasstheTicketStealticketfrommemoryandpassorimportonothersystemsOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetSilverTicketAll-accesspassforasingleserviceorcomputerSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordthatworksforanydomainaccountCredentialGuard(Win10+)DomainProtectedUsersGroup(Win8+)–SomeattacksRemoteCredentialGuard(Win10+)RestrictedAdmin(Win8+)Long&complexpasswordsonserviceaccounts(topreventKerberoasting)ChangeserviceaccountpasswordsregularlyGroupManagedServiceAccountsareagreatmitigationAuditserviceaccountsforunusualactivityChangeKRBTGTpasswordregularly(yearly)DefendingCredentials:Tickets28AttackTypeDescriptionMitigationPasstheTicketStealticketfrommemoryandpassorimportonothersystemsCredentialGuard;RemoteCredentialGuardOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountCredentialGuard;ProtectedUsersGroup;DisableRC4authenticationKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashLongandcomplexserviceaccountpasswords;ManagedServiceAccountsGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetProtectdomainadminaccounts;ChangeKRBTGTpasswordregularlySilverTicketAll-accesspassforasingleserviceorcomputerRegularcomputeraccountpasswordupdatesSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordtoanyaccountProtectdomainadminaccounts;SmartcardusageforprivilegedaccountsKerberosAttackMitigations29CompromisingCredentials:NTDS.
DITHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DITActiveDirectoryDomainServices(ADDS)databaseholdsalluserandcomputeraccounthashes(LM/NT)inthedomain.
Encrypted,butalgorithmiswellknownandeasytodefeat.
HowisitacquiredandusedLocatedinthe\Windows\NTDSfolderonthedomaincontroller.
Thefileislocked,soadminaccessisrequiredtoloadadrivertoaccessrawdisk,orusetheVolumeShadowCopyService.
Commontools:ntdsutilVSSAdminNTDSXtractVSSOwn.
vbsPowerShellntdsdump30CommandProcess:conhost.
exePid:141716CommandHistory:0x1b8f80Application:cmd.
exeFlags:Allocated,ResetCommandCount:12LastAdded:11LastDisplayed:11FirstCommand:0CommandCountMax:50ProcessHandle:0x60Cmd#0@0x196970:vssadminlistshadowsCmd#1@0x1bd240:cd\Cmd#2@0x1b9290:dirCmd#3@0x1bd260:cdtempCmd#4@0x1b92b0:dirCmd#5@0x19c6a0:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM.
Cmd#6@0x19c760:dirCmd#7@0x19c780:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM.
Cmd#8@0x19c830:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.
dit.
Cmd#9@0x1c1ab0:dirStealingNTDS.
DIT31Don'tallowDomainAdminaccountstobecompromised.
DefendingCredentials:NTDS.
DIT32CredentialAttackDetection33"Asanypass-the-ticketattack,theattackerreplaysthegoldenticketinastandardKerberosprotocol.
Therefore,thereisnoclearindicationofsuchattackinWindowslogs.
"34"GoldenTicketeventsmayhaveoneoftheseissues:TheAccountDomainfieldisblankwhenitshouldbeDOMAINTheAccountDomainfieldisDOMAINFQDNwhenitshouldbeDOMAIN.
"–SeanMetcalf,adsecurity.
org3536Asanexample…KerberoastingusesRC4encryptiondowngrade(butalmostnoonelogstheseevents)AuthenticationAuditingMappingAdmin$SharesPsExecScheduledTasksVSSAdminRDP/VPNactivityToolArtifactsNewServicesRandomFile/HostnamesCodeInjectionCrashesandSecurityAlertsBehavioralAnalysisLocalAdminAccountUseDomainAdminAnomaliesServiceAccountAnomaliesWorkstation-to-workstationconnectionsCredentialAttackDetection38EventlogsarecriticalfordetectionAuthenticationevents(EID4624,4762,4648,4720,etc.
)Newservices(EID7045)ApplicationandProcessCrashesFailedandanomalousSMBactivity(EID5140)AV/SecuritylogsDomainProtectedUsersecuritygrouplogsApplicationsandServicesLogs\Microsoft\Windows\Microsoft\AuthenticationProcesstrackingCommandlinecapturesPowerShellauditingCredentialAttackDetection39CredentialAttackDetection:PasstheHash40CredentialAttackDetection:PsExecandfgdumpInitiationoftwonear-simultaneousservicesbyhelpdeskaccount42CredentialAttackDetection:LSASSCrashSystemEventLogApplicationEventLog**ReviewandcorrelateyourAnti-Viruslogs**44CredentialAttackDetection:CapturingCommandLines46RegistrychangesDisabledcomputeraccountpwdupdates(SilverTickets)SYSTEM\CurrentControlSet\Services\Netlogon\ParametersDisablePasswordChange=1EnabledWDigestcredentials(postWin8.
1)SYSTEM\CurrentControlSet\Control\SecurityProviders\WdigestUseLogonCredential=1MemoryAnalysisProcessinjectionLoadeddriversKernel-levelsecurityagentdetectionsBehavioralAnalyticsCredentialAttackDetection:OtherDataSources48CredentialBestPractices49RestrictandProtectPrivilegedDomainAccountsReducethenumberofDomain/EnterpriseAdminsEnforcemulti-factorauthentication(MFA)forallnetworkandcloudadminaccountsSeparateadministrativeaccountsfromuseraccountsforadministrativepersonnelCreatespecificadministrativeworkstationhostsforadministratorsUsetheDomainProtectedUserssecuritygroup!
BestPractices:ControlYourAdminAccounts50LimitLocalAdminAccountsDon'tgiveusersadminUniqueandcomplexpasswordsforlocaladmin(LAPS)DenynetworklogonsforlocalaccountsAuditaccountusageandmonitorforanomaliesBestPractices:ControlYourAdminAccounts(2)51Imagesource:LocalAdministratorPasswordSolutionhttps://technet.
microsoft.
com/en-us/mt227395.
aspxUseaTieredAdministrativeAccessModelAdministrationofADServersandApplicationsWorkstationsandDevicesBestPractices:ControlYourAdminAccounts(3)52Imagesource:SecuringPrivilegedAccessReferenceMaterialbyCoreyPlett(Microsoft)AuditandlimitthenumberofservicesrunningassystemanddomainaccountsUtilizeGroupManagedServiceAccounts…orregularlychangeanduselong&complexpasswordsUpgradetoWindows10/Server2016EnableCredentialGuard&RemoteCredentialGuardForceLSASSasprotectedprocessonlegacyWin8.
1EstablishremoteconnectionsusingnetworklogoninsteadofinteractivelogonwhenpossibleBestPractices:ReducetheCredentialAttackSurface53LimitworkstationtoworkstationcommunicationRestrictinboundNetBIOS,SMBtrafficusingtheWindowsFirewall…orVLANsegmentationofworkstationsSomanyhacktoolsleverageSMBauthenticationIsworkstationtoworkstationRDPreallynecessaryEnablestricterKerberossecurityDisableLM&NTLM(forceKerberos)ShortvalidityforticketsNoaccountdelegationBestPractices:ReducetheCredentialAttackSurface(2)54ChartbyBenjaminDelpy:https://goo.
gl/1K3AC7IncreaseAwarenessofNewAttacks5556Materialsfrom:http://dfir.
to/FOR508
tilbury@crowdstrike.
comLinkedIn:ChadTilburyTwitter:@chadtilburyComputerCrimeInvestigationsCrowdStrikeMandiantUSAirForceOSISpecialAgentCHADTILBURYTECHNICALADVISORCROWDSTRIKESERVICESSANSINSTITUTECONNECT15+YEARSPriority#1post-exploitationDomainadminisultimategoalNearlyeverythinginWindowsistiedtoanaccountDifficulttomovewithoutoneEasyandrelativelystealthymeanstotraversethenetworkAccountlimitationsarerare"Sleeper"credentialscanprovideaccessafterremediationCompromisingCredentials3PillageAchieveDomainAdminDumpMoarCredentials_MoveLaterallyDumpCredentialsGainFootholdUserAccessControl(UAC)ManagedServiceAccountsKB2871997SSPplaintextpasswordmitigationsLocaladminremotelogonrestrictionsProtectedProcessesRestrictedAdminDomainProtectedUsersSecurityGroupLSACachecleanupGroupManagedServiceAccountsCredentialGuardRemoteCredentialGuardDeviceGuard(preventexecutionofuntrustedcode)EvolutionofCredentialAttackMitigation4CompromisingCredentials:HashesThepasswordforeachuseraccountinWindowsisstoredinmultipleformats:LMandNThashesaremostwellknown.
TsPkg,WDigest,andLiveSSPcanbedecryptedtoprovideplaintextpasswords(priortoWin8.
1)HowaretheyacquiredandusedHashesareavailableintheLSASSprocessandcanbeextractedwithadminprivileges.
Oncedumped,hashescanbecrackedorusedimmediatelyinaPasstheHashattack.
Commontools:MimikatzfgdumpgsecdumpMetasploitSMBshellPWDumpXcreddumpWCEHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT5AdminActionLogonTypeCredentialsonTargetNotesConsolelogon2Yes**ExceptwhenCredentialGuardisenabledRunas2Yes**ExceptwhenCredentialGuardisenabledRemoteDesktop10Yes**ExceptforenabledRemoteCredentialGuardNetUse3NoIncluding/u:parameterPowerShellRemoting3NoInvoke-Command;Enter-PSSessionPsExecalternatecreds3+2Yes-u-p
com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-materialHashDumping(Gsecdump)8PasstheHash(Mimikatz)10PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminWin10deployRemoteCredentialGuardUpgradetoWindows10CredentialGuardTsPkg,WDigest,etc.
--SSOcredsobsolescenceDomainProtectedUsersGroup(PtHmitigation)DefendingCredentials:Hashes12CompromisingCredentials:TokensDelegatetokensarepowerfulauthenticationresourcesusedforSSO.
Theyallowattackerstoimpersonateauser'ssecuritycontext,includingoverthenetwork.
HowaretheyacquiredandusedTheSeImpersonateprivilegeletstokensbecopiedfromprocesses.
Thenewtokencanthenbeusedtoauthenticateasthenewuser.
Atargetuserorservicemustbeloggedonorhaverunningprocesses.
Commontools:IncognitoMetasploitPowerShellMimikatzHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT13TokenStealing(Mimikatz)14PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminModeWin10deployRemoteCredentialGuardAccountdesignationof"AccountisSensitiveandCannotbeDelegated"inActiveDirectoryDomainProtectedUserssecuritygroupaccountsdonotcreatedelegatetokensDefendingCredentials:Tokens16CompromisingCredentials:CachedCredentialsStoreddomaincredentialstoallowlogonswhendomaincontrolleraccessisunavailable.
Mostsystemscachethelast10logonhashesbydefault.
HowaretheyacquiredandusedCachedcredentialsmustbecracked.
Hashesaresaltedandcase-sensitive,makingdecryptionveryslow.
ThesehashescannotbeusedforPasstheHashattacks.
Commontools:cachedumpMetasploitPWDumpXcreddumpHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT17Thecreddumputilitiescanextracthashes,cachedcredentialsandLSASecretsfromofflineregistryhives:github.
com/Neohapsis/creddump7OfflineCachedCredentialsExtraction(Creddump)18LocalNTHashesCachedHashesPreventadminaccountcompromiseLimitnumberofcachedlogonaccountsSOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon(cachedlogonscountvalue)AcachedlogonscountofzerooroneisnotalwaystherightanswerEnforcepasswordlengthandcomplexityrulesBruteforcecrackingisrequiredforthisattackDomainProtectedUserssecuritygroupaccountsdonotcachecredentialsDefendingCredentials:CachedCredentials20CompromisingCredentials:LSASecretsCredentialsstoredintheregistrytoallowservicesortaskstoberunwithuserprivileges.
Inadditiontoserviceaccounts,mayalsoholdapplicationpasswordslikeVPNorauto-logoncredentials.
HowaretheyacquiredandusedAdministratorprivilegesallowaccesstoencryptedregistrydataandthekeysnecessarytodecrypt.
PasswordsareplaintextCommontools:CainMetasploitMimikatzgsecdumpPWDumpXcreddumpPowerShellHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT21Get-LsaSecret.
ps1fromtheNishangPowerShellpentestframeworkusedtodump(anddecrypt)LSASecretshttps://github.
com/samratashok/nishangDecryptingLSASecrets(Nishang)22PreventadminaccountcompromiseDonotemployservicesorscheduletasksrequiringprivilegedaccountsonlowtrustsystemsReducenumberofservicesthatrequiredomainaccountstoexecuteHeavilyauditanyaccountsthatmustbeused(Group)ManagedServiceAccountsDefendingCredentials:LSASecrets23CompromisingCredentials:TicketsKerberosissuesticketstoauthenticatedusersthatcanbereusedwithoutadditionalauthentication.
Ticketsarecachedinmemoryandarevalidfor10hours.
HowaretheyacquiredandusedTicketscanbestolenfrommemoryandusedtoauthenticateelsewhere(PasstheTicket).
Further,accesstotheDCallowsticketstobecreatedforanyuserwithnoexpiration(GoldenTicket).
Serviceaccountticketscanberequestedandforged,includingofflinecrackingofserviceaccounthashes(Kerberoasting).
Commontools:MimikatzWCEkerberoastHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT24PasstheTicket(Mimikatz)25KerberosAttacks27PasstheTicketStealticketfrommemoryandpassorimportonothersystemsOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetSilverTicketAll-accesspassforasingleserviceorcomputerSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordthatworksforanydomainaccountCredentialGuard(Win10+)DomainProtectedUsersGroup(Win8+)–SomeattacksRemoteCredentialGuard(Win10+)RestrictedAdmin(Win8+)Long&complexpasswordsonserviceaccounts(topreventKerberoasting)ChangeserviceaccountpasswordsregularlyGroupManagedServiceAccountsareagreatmitigationAuditserviceaccountsforunusualactivityChangeKRBTGTpasswordregularly(yearly)DefendingCredentials:Tickets28AttackTypeDescriptionMitigationPasstheTicketStealticketfrommemoryandpassorimportonothersystemsCredentialGuard;RemoteCredentialGuardOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountCredentialGuard;ProtectedUsersGroup;DisableRC4authenticationKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashLongandcomplexserviceaccountpasswords;ManagedServiceAccountsGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetProtectdomainadminaccounts;ChangeKRBTGTpasswordregularlySilverTicketAll-accesspassforasingleserviceorcomputerRegularcomputeraccountpasswordupdatesSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordtoanyaccountProtectdomainadminaccounts;SmartcardusageforprivilegedaccountsKerberosAttackMitigations29CompromisingCredentials:NTDS.
DITHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DITActiveDirectoryDomainServices(ADDS)databaseholdsalluserandcomputeraccounthashes(LM/NT)inthedomain.
Encrypted,butalgorithmiswellknownandeasytodefeat.
HowisitacquiredandusedLocatedinthe\Windows\NTDSfolderonthedomaincontroller.
Thefileislocked,soadminaccessisrequiredtoloadadrivertoaccessrawdisk,orusetheVolumeShadowCopyService.
Commontools:ntdsutilVSSAdminNTDSXtractVSSOwn.
vbsPowerShellntdsdump30CommandProcess:conhost.
exePid:141716CommandHistory:0x1b8f80Application:cmd.
exeFlags:Allocated,ResetCommandCount:12LastAdded:11LastDisplayed:11FirstCommand:0CommandCountMax:50ProcessHandle:0x60Cmd#0@0x196970:vssadminlistshadowsCmd#1@0x1bd240:cd\Cmd#2@0x1b9290:dirCmd#3@0x1bd260:cdtempCmd#4@0x1b92b0:dirCmd#5@0x19c6a0:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM.
Cmd#6@0x19c760:dirCmd#7@0x19c780:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM.
Cmd#8@0x19c830:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.
dit.
Cmd#9@0x1c1ab0:dirStealingNTDS.
DIT31Don'tallowDomainAdminaccountstobecompromised.
DefendingCredentials:NTDS.
DIT32CredentialAttackDetection33"Asanypass-the-ticketattack,theattackerreplaysthegoldenticketinastandardKerberosprotocol.
Therefore,thereisnoclearindicationofsuchattackinWindowslogs.
"34"GoldenTicketeventsmayhaveoneoftheseissues:TheAccountDomainfieldisblankwhenitshouldbeDOMAINTheAccountDomainfieldisDOMAINFQDNwhenitshouldbeDOMAIN.
"–SeanMetcalf,adsecurity.
org3536Asanexample…KerberoastingusesRC4encryptiondowngrade(butalmostnoonelogstheseevents)AuthenticationAuditingMappingAdmin$SharesPsExecScheduledTasksVSSAdminRDP/VPNactivityToolArtifactsNewServicesRandomFile/HostnamesCodeInjectionCrashesandSecurityAlertsBehavioralAnalysisLocalAdminAccountUseDomainAdminAnomaliesServiceAccountAnomaliesWorkstation-to-workstationconnectionsCredentialAttackDetection38EventlogsarecriticalfordetectionAuthenticationevents(EID4624,4762,4648,4720,etc.
)Newservices(EID7045)ApplicationandProcessCrashesFailedandanomalousSMBactivity(EID5140)AV/SecuritylogsDomainProtectedUsersecuritygrouplogsApplicationsandServicesLogs\Microsoft\Windows\Microsoft\AuthenticationProcesstrackingCommandlinecapturesPowerShellauditingCredentialAttackDetection39CredentialAttackDetection:PasstheHash40CredentialAttackDetection:PsExecandfgdumpInitiationoftwonear-simultaneousservicesbyhelpdeskaccount42CredentialAttackDetection:LSASSCrashSystemEventLogApplicationEventLog**ReviewandcorrelateyourAnti-Viruslogs**44CredentialAttackDetection:CapturingCommandLines46RegistrychangesDisabledcomputeraccountpwdupdates(SilverTickets)SYSTEM\CurrentControlSet\Services\Netlogon\ParametersDisablePasswordChange=1EnabledWDigestcredentials(postWin8.
1)SYSTEM\CurrentControlSet\Control\SecurityProviders\WdigestUseLogonCredential=1MemoryAnalysisProcessinjectionLoadeddriversKernel-levelsecurityagentdetectionsBehavioralAnalyticsCredentialAttackDetection:OtherDataSources48CredentialBestPractices49RestrictandProtectPrivilegedDomainAccountsReducethenumberofDomain/EnterpriseAdminsEnforcemulti-factorauthentication(MFA)forallnetworkandcloudadminaccountsSeparateadministrativeaccountsfromuseraccountsforadministrativepersonnelCreatespecificadministrativeworkstationhostsforadministratorsUsetheDomainProtectedUserssecuritygroup!
BestPractices:ControlYourAdminAccounts50LimitLocalAdminAccountsDon'tgiveusersadminUniqueandcomplexpasswordsforlocaladmin(LAPS)DenynetworklogonsforlocalaccountsAuditaccountusageandmonitorforanomaliesBestPractices:ControlYourAdminAccounts(2)51Imagesource:LocalAdministratorPasswordSolutionhttps://technet.
microsoft.
com/en-us/mt227395.
aspxUseaTieredAdministrativeAccessModelAdministrationofADServersandApplicationsWorkstationsandDevicesBestPractices:ControlYourAdminAccounts(3)52Imagesource:SecuringPrivilegedAccessReferenceMaterialbyCoreyPlett(Microsoft)AuditandlimitthenumberofservicesrunningassystemanddomainaccountsUtilizeGroupManagedServiceAccounts…orregularlychangeanduselong&complexpasswordsUpgradetoWindows10/Server2016EnableCredentialGuard&RemoteCredentialGuardForceLSASSasprotectedprocessonlegacyWin8.
1EstablishremoteconnectionsusingnetworklogoninsteadofinteractivelogonwhenpossibleBestPractices:ReducetheCredentialAttackSurface53LimitworkstationtoworkstationcommunicationRestrictinboundNetBIOS,SMBtrafficusingtheWindowsFirewall…orVLANsegmentationofworkstationsSomanyhacktoolsleverageSMBauthenticationIsworkstationtoworkstationRDPreallynecessaryEnablestricterKerberossecurityDisableLM&NTLM(forceKerberos)ShortvalidityforticketsNoaccountdelegationBestPractices:ReducetheCredentialAttackSurface(2)54ChartbyBenjaminDelpy:https://goo.
gl/1K3AC7IncreaseAwarenessofNewAttacks5556Materialsfrom:http://dfir.
to/FOR508
- Win10盗版win8.1升级win10相关文档
- 项目编号:宣公共采【2017】57号
- 惠普盗版win8.1升级win10
- Brownian盗版win8.1升级win10
- 投标人盗版win8.1升级win10
- 互联网网络安全信息通报
- 广州盗版win8.1升级win10
快云科技:香港沙田CN2云服务器低至29元/月起;美国高防弹性云/洛杉矶CUVIP低至33.6元/月起
快云科技怎么样?快云科技是一家成立于2020年的新起国内主机商,资质齐全 持有IDC ICP ISP等正规商家。云服务器网(yuntue.com)小编之前已经介绍过很多快云科技的香港及美国云服务器了,这次再介绍一下新的优惠方案。目前,香港云沙田CN2云服务器低至29元/月起;美国超防弹性云/洛杉矶CUVIP低至33.6元/月起。快云科技的云主机架构采用KVM虚拟化技术,全盘SSD硬盘,RAID10...
RackNerd:特价美国服务器促销,高配低价,美国多机房可选择,双E526**+AMD3700+NVMe
racknerd怎么样?racknerd今天发布了几款美国特价独立服务器的促销,本次商家主推高配置的服务器,各个配置给的都比较高,有Intel和AMD两种,硬盘也有NVMe和SSD等多咱组合可以选择,机房目前有夏洛特、洛杉矶、犹他州可以选择,性价比很高,有需要独服的朋友可以看看。点击进入:racknerd官方网站RackNerd暑假独服促销:CPU:双E5-2680v3 (24核心,48线程)内存...
LayerStack$10.04/月(可选中国香港、日本、新加坡和洛杉矶)高性能AMD EPYC (霄龙)云服务器,
LayerStack(成立于2017年),当前正在9折促销旗下的云服务器,LayerStack的云服务器采用第 3 代 AMD EPYC™ (霄龙) 处理器,DDR4内存和企业级 PCIe Gen 4 NVMe SSD。数据中心可选中国香港、日本、新加坡和洛杉矶!其中中国香港、日本和新加坡分为国际线路和CN2线路,如果选择CN2线路,价格每月要+3.2美元,付款支持paypal,支付宝,信用卡等!...
盗版win8.1升级win10为你推荐
-
软银孙正义日本的孙正义是阿里的最大股东,马云没有孙正义的股份多,为什么马云是亚洲首富而不是孙正义?p图软件哪个好用什么p图软件好用?不是p人照片的那种软件骁龙750g和765g哪个好高通骁龙845和骁龙835哪个好压缩软件哪个好压缩软件用哪个会比较好用机械表和石英表哪个好自动石英表与全自动机械表哪个好朗逸和速腾哪个好速腾和朗逸哪个更好?朗逸和速腾哪个好朗逸跟速腾的最大区别在哪朗逸跟速腾买那个好音乐播放器哪个好哪个音乐播放器最好ps软件哪个好Photoshop哪个软件好用点?等额本息等额本金哪个好等额本金和等额本息哪个划算?如果想在5-10年内还清贷款哪类更划算一些?