Win10盗版win8.1升级win10
盗版win8.1升级win10 时间:2021-01-20 阅读:()
1WindowsCredentialsAttackMitigationDefenseChadTilbury@chadtilburySeniorInstructorandCo-Author:FOR500:WindowsForensicsFOR508:AdvancedForensicsandIncidentResponseE-mail:chad.
tilbury@crowdstrike.
comLinkedIn:ChadTilburyTwitter:@chadtilburyComputerCrimeInvestigationsCrowdStrikeMandiantUSAirForceOSISpecialAgentCHADTILBURYTECHNICALADVISORCROWDSTRIKESERVICESSANSINSTITUTECONNECT15+YEARSPriority#1post-exploitationDomainadminisultimategoalNearlyeverythinginWindowsistiedtoanaccountDifficulttomovewithoutoneEasyandrelativelystealthymeanstotraversethenetworkAccountlimitationsarerare"Sleeper"credentialscanprovideaccessafterremediationCompromisingCredentials3PillageAchieveDomainAdminDumpMoarCredentials_MoveLaterallyDumpCredentialsGainFootholdUserAccessControl(UAC)ManagedServiceAccountsKB2871997SSPplaintextpasswordmitigationsLocaladminremotelogonrestrictionsProtectedProcessesRestrictedAdminDomainProtectedUsersSecurityGroupLSACachecleanupGroupManagedServiceAccountsCredentialGuardRemoteCredentialGuardDeviceGuard(preventexecutionofuntrustedcode)EvolutionofCredentialAttackMitigation4CompromisingCredentials:HashesThepasswordforeachuseraccountinWindowsisstoredinmultipleformats:LMandNThashesaremostwellknown.
TsPkg,WDigest,andLiveSSPcanbedecryptedtoprovideplaintextpasswords(priortoWin8.
1)HowaretheyacquiredandusedHashesareavailableintheLSASSprocessandcanbeextractedwithadminprivileges.
Oncedumped,hashescanbecrackedorusedimmediatelyinaPasstheHashattack.
Commontools:MimikatzfgdumpgsecdumpMetasploitSMBshellPWDumpXcreddumpWCEHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT5AdminActionLogonTypeCredentialsonTargetNotesConsolelogon2Yes**ExceptwhenCredentialGuardisenabledRunas2Yes**ExceptwhenCredentialGuardisenabledRemoteDesktop10Yes**ExceptforenabledRemoteCredentialGuardNetUse3NoIncluding/u:parameterPowerShellRemoting3NoInvoke-Command;Enter-PSSessionPsExecalternatecreds3+2Yes-u-pmicrosoft.
com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-materialHashDumping(Gsecdump)8PasstheHash(Mimikatz)10PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminWin10deployRemoteCredentialGuardUpgradetoWindows10CredentialGuardTsPkg,WDigest,etc.
--SSOcredsobsolescenceDomainProtectedUsersGroup(PtHmitigation)DefendingCredentials:Hashes12CompromisingCredentials:TokensDelegatetokensarepowerfulauthenticationresourcesusedforSSO.
Theyallowattackerstoimpersonateauser'ssecuritycontext,includingoverthenetwork.
HowaretheyacquiredandusedTheSeImpersonateprivilegeletstokensbecopiedfromprocesses.
Thenewtokencanthenbeusedtoauthenticateasthenewuser.
Atargetuserorservicemustbeloggedonorhaverunningprocesses.
Commontools:IncognitoMetasploitPowerShellMimikatzHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT13TokenStealing(Mimikatz)14PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminModeWin10deployRemoteCredentialGuardAccountdesignationof"AccountisSensitiveandCannotbeDelegated"inActiveDirectoryDomainProtectedUserssecuritygroupaccountsdonotcreatedelegatetokensDefendingCredentials:Tokens16CompromisingCredentials:CachedCredentialsStoreddomaincredentialstoallowlogonswhendomaincontrolleraccessisunavailable.
Mostsystemscachethelast10logonhashesbydefault.
HowaretheyacquiredandusedCachedcredentialsmustbecracked.
Hashesaresaltedandcase-sensitive,makingdecryptionveryslow.
ThesehashescannotbeusedforPasstheHashattacks.
Commontools:cachedumpMetasploitPWDumpXcreddumpHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT17Thecreddumputilitiescanextracthashes,cachedcredentialsandLSASecretsfromofflineregistryhives:github.
com/Neohapsis/creddump7OfflineCachedCredentialsExtraction(Creddump)18LocalNTHashesCachedHashesPreventadminaccountcompromiseLimitnumberofcachedlogonaccountsSOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon(cachedlogonscountvalue)AcachedlogonscountofzerooroneisnotalwaystherightanswerEnforcepasswordlengthandcomplexityrulesBruteforcecrackingisrequiredforthisattackDomainProtectedUserssecuritygroupaccountsdonotcachecredentialsDefendingCredentials:CachedCredentials20CompromisingCredentials:LSASecretsCredentialsstoredintheregistrytoallowservicesortaskstoberunwithuserprivileges.
Inadditiontoserviceaccounts,mayalsoholdapplicationpasswordslikeVPNorauto-logoncredentials.
HowaretheyacquiredandusedAdministratorprivilegesallowaccesstoencryptedregistrydataandthekeysnecessarytodecrypt.
PasswordsareplaintextCommontools:CainMetasploitMimikatzgsecdumpPWDumpXcreddumpPowerShellHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT21Get-LsaSecret.
ps1fromtheNishangPowerShellpentestframeworkusedtodump(anddecrypt)LSASecretshttps://github.
com/samratashok/nishangDecryptingLSASecrets(Nishang)22PreventadminaccountcompromiseDonotemployservicesorscheduletasksrequiringprivilegedaccountsonlowtrustsystemsReducenumberofservicesthatrequiredomainaccountstoexecuteHeavilyauditanyaccountsthatmustbeused(Group)ManagedServiceAccountsDefendingCredentials:LSASecrets23CompromisingCredentials:TicketsKerberosissuesticketstoauthenticatedusersthatcanbereusedwithoutadditionalauthentication.
Ticketsarecachedinmemoryandarevalidfor10hours.
HowaretheyacquiredandusedTicketscanbestolenfrommemoryandusedtoauthenticateelsewhere(PasstheTicket).
Further,accesstotheDCallowsticketstobecreatedforanyuserwithnoexpiration(GoldenTicket).
Serviceaccountticketscanberequestedandforged,includingofflinecrackingofserviceaccounthashes(Kerberoasting).
Commontools:MimikatzWCEkerberoastHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT24PasstheTicket(Mimikatz)25KerberosAttacks27PasstheTicketStealticketfrommemoryandpassorimportonothersystemsOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetSilverTicketAll-accesspassforasingleserviceorcomputerSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordthatworksforanydomainaccountCredentialGuard(Win10+)DomainProtectedUsersGroup(Win8+)–SomeattacksRemoteCredentialGuard(Win10+)RestrictedAdmin(Win8+)Long&complexpasswordsonserviceaccounts(topreventKerberoasting)ChangeserviceaccountpasswordsregularlyGroupManagedServiceAccountsareagreatmitigationAuditserviceaccountsforunusualactivityChangeKRBTGTpasswordregularly(yearly)DefendingCredentials:Tickets28AttackTypeDescriptionMitigationPasstheTicketStealticketfrommemoryandpassorimportonothersystemsCredentialGuard;RemoteCredentialGuardOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountCredentialGuard;ProtectedUsersGroup;DisableRC4authenticationKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashLongandcomplexserviceaccountpasswords;ManagedServiceAccountsGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetProtectdomainadminaccounts;ChangeKRBTGTpasswordregularlySilverTicketAll-accesspassforasingleserviceorcomputerRegularcomputeraccountpasswordupdatesSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordtoanyaccountProtectdomainadminaccounts;SmartcardusageforprivilegedaccountsKerberosAttackMitigations29CompromisingCredentials:NTDS.
DITHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DITActiveDirectoryDomainServices(ADDS)databaseholdsalluserandcomputeraccounthashes(LM/NT)inthedomain.
Encrypted,butalgorithmiswellknownandeasytodefeat.
HowisitacquiredandusedLocatedinthe\Windows\NTDSfolderonthedomaincontroller.
Thefileislocked,soadminaccessisrequiredtoloadadrivertoaccessrawdisk,orusetheVolumeShadowCopyService.
Commontools:ntdsutilVSSAdminNTDSXtractVSSOwn.
vbsPowerShellntdsdump30CommandProcess:conhost.
exePid:141716CommandHistory:0x1b8f80Application:cmd.
exeFlags:Allocated,ResetCommandCount:12LastAdded:11LastDisplayed:11FirstCommand:0CommandCountMax:50ProcessHandle:0x60Cmd#0@0x196970:vssadminlistshadowsCmd#1@0x1bd240:cd\Cmd#2@0x1b9290:dirCmd#3@0x1bd260:cdtempCmd#4@0x1b92b0:dirCmd#5@0x19c6a0:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM.
Cmd#6@0x19c760:dirCmd#7@0x19c780:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM.
Cmd#8@0x19c830:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.
dit.
Cmd#9@0x1c1ab0:dirStealingNTDS.
DIT31Don'tallowDomainAdminaccountstobecompromised.
DefendingCredentials:NTDS.
DIT32CredentialAttackDetection33"Asanypass-the-ticketattack,theattackerreplaysthegoldenticketinastandardKerberosprotocol.
Therefore,thereisnoclearindicationofsuchattackinWindowslogs.
"34"GoldenTicketeventsmayhaveoneoftheseissues:TheAccountDomainfieldisblankwhenitshouldbeDOMAINTheAccountDomainfieldisDOMAINFQDNwhenitshouldbeDOMAIN.
"–SeanMetcalf,adsecurity.
org3536Asanexample…KerberoastingusesRC4encryptiondowngrade(butalmostnoonelogstheseevents)AuthenticationAuditingMappingAdmin$SharesPsExecScheduledTasksVSSAdminRDP/VPNactivityToolArtifactsNewServicesRandomFile/HostnamesCodeInjectionCrashesandSecurityAlertsBehavioralAnalysisLocalAdminAccountUseDomainAdminAnomaliesServiceAccountAnomaliesWorkstation-to-workstationconnectionsCredentialAttackDetection38EventlogsarecriticalfordetectionAuthenticationevents(EID4624,4762,4648,4720,etc.
)Newservices(EID7045)ApplicationandProcessCrashesFailedandanomalousSMBactivity(EID5140)AV/SecuritylogsDomainProtectedUsersecuritygrouplogsApplicationsandServicesLogs\Microsoft\Windows\Microsoft\AuthenticationProcesstrackingCommandlinecapturesPowerShellauditingCredentialAttackDetection39CredentialAttackDetection:PasstheHash40CredentialAttackDetection:PsExecandfgdumpInitiationoftwonear-simultaneousservicesbyhelpdeskaccount42CredentialAttackDetection:LSASSCrashSystemEventLogApplicationEventLog**ReviewandcorrelateyourAnti-Viruslogs**44CredentialAttackDetection:CapturingCommandLines46RegistrychangesDisabledcomputeraccountpwdupdates(SilverTickets)SYSTEM\CurrentControlSet\Services\Netlogon\ParametersDisablePasswordChange=1EnabledWDigestcredentials(postWin8.
1)SYSTEM\CurrentControlSet\Control\SecurityProviders\WdigestUseLogonCredential=1MemoryAnalysisProcessinjectionLoadeddriversKernel-levelsecurityagentdetectionsBehavioralAnalyticsCredentialAttackDetection:OtherDataSources48CredentialBestPractices49RestrictandProtectPrivilegedDomainAccountsReducethenumberofDomain/EnterpriseAdminsEnforcemulti-factorauthentication(MFA)forallnetworkandcloudadminaccountsSeparateadministrativeaccountsfromuseraccountsforadministrativepersonnelCreatespecificadministrativeworkstationhostsforadministratorsUsetheDomainProtectedUserssecuritygroup!
BestPractices:ControlYourAdminAccounts50LimitLocalAdminAccountsDon'tgiveusersadminUniqueandcomplexpasswordsforlocaladmin(LAPS)DenynetworklogonsforlocalaccountsAuditaccountusageandmonitorforanomaliesBestPractices:ControlYourAdminAccounts(2)51Imagesource:LocalAdministratorPasswordSolutionhttps://technet.
microsoft.
com/en-us/mt227395.
aspxUseaTieredAdministrativeAccessModelAdministrationofADServersandApplicationsWorkstationsandDevicesBestPractices:ControlYourAdminAccounts(3)52Imagesource:SecuringPrivilegedAccessReferenceMaterialbyCoreyPlett(Microsoft)AuditandlimitthenumberofservicesrunningassystemanddomainaccountsUtilizeGroupManagedServiceAccounts…orregularlychangeanduselong&complexpasswordsUpgradetoWindows10/Server2016EnableCredentialGuard&RemoteCredentialGuardForceLSASSasprotectedprocessonlegacyWin8.
1EstablishremoteconnectionsusingnetworklogoninsteadofinteractivelogonwhenpossibleBestPractices:ReducetheCredentialAttackSurface53LimitworkstationtoworkstationcommunicationRestrictinboundNetBIOS,SMBtrafficusingtheWindowsFirewall…orVLANsegmentationofworkstationsSomanyhacktoolsleverageSMBauthenticationIsworkstationtoworkstationRDPreallynecessaryEnablestricterKerberossecurityDisableLM&NTLM(forceKerberos)ShortvalidityforticketsNoaccountdelegationBestPractices:ReducetheCredentialAttackSurface(2)54ChartbyBenjaminDelpy:https://goo.
gl/1K3AC7IncreaseAwarenessofNewAttacks5556Materialsfrom:http://dfir.
to/FOR508
tilbury@crowdstrike.
comLinkedIn:ChadTilburyTwitter:@chadtilburyComputerCrimeInvestigationsCrowdStrikeMandiantUSAirForceOSISpecialAgentCHADTILBURYTECHNICALADVISORCROWDSTRIKESERVICESSANSINSTITUTECONNECT15+YEARSPriority#1post-exploitationDomainadminisultimategoalNearlyeverythinginWindowsistiedtoanaccountDifficulttomovewithoutoneEasyandrelativelystealthymeanstotraversethenetworkAccountlimitationsarerare"Sleeper"credentialscanprovideaccessafterremediationCompromisingCredentials3PillageAchieveDomainAdminDumpMoarCredentials_MoveLaterallyDumpCredentialsGainFootholdUserAccessControl(UAC)ManagedServiceAccountsKB2871997SSPplaintextpasswordmitigationsLocaladminremotelogonrestrictionsProtectedProcessesRestrictedAdminDomainProtectedUsersSecurityGroupLSACachecleanupGroupManagedServiceAccountsCredentialGuardRemoteCredentialGuardDeviceGuard(preventexecutionofuntrustedcode)EvolutionofCredentialAttackMitigation4CompromisingCredentials:HashesThepasswordforeachuseraccountinWindowsisstoredinmultipleformats:LMandNThashesaremostwellknown.
TsPkg,WDigest,andLiveSSPcanbedecryptedtoprovideplaintextpasswords(priortoWin8.
1)HowaretheyacquiredandusedHashesareavailableintheLSASSprocessandcanbeextractedwithadminprivileges.
Oncedumped,hashescanbecrackedorusedimmediatelyinaPasstheHashattack.
Commontools:MimikatzfgdumpgsecdumpMetasploitSMBshellPWDumpXcreddumpWCEHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT5AdminActionLogonTypeCredentialsonTargetNotesConsolelogon2Yes**ExceptwhenCredentialGuardisenabledRunas2Yes**ExceptwhenCredentialGuardisenabledRemoteDesktop10Yes**ExceptforenabledRemoteCredentialGuardNetUse3NoIncluding/u:parameterPowerShellRemoting3NoInvoke-Command;Enter-PSSessionPsExecalternatecreds3+2Yes-u-p
com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-materialHashDumping(Gsecdump)8PasstheHash(Mimikatz)10PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminWin10deployRemoteCredentialGuardUpgradetoWindows10CredentialGuardTsPkg,WDigest,etc.
--SSOcredsobsolescenceDomainProtectedUsersGroup(PtHmitigation)DefendingCredentials:Hashes12CompromisingCredentials:TokensDelegatetokensarepowerfulauthenticationresourcesusedforSSO.
Theyallowattackerstoimpersonateauser'ssecuritycontext,includingoverthenetwork.
HowaretheyacquiredandusedTheSeImpersonateprivilegeletstokensbecopiedfromprocesses.
Thenewtokencanthenbeusedtoauthenticateasthenewuser.
Atargetuserorservicemustbeloggedonorhaverunningprocesses.
Commontools:IncognitoMetasploitPowerShellMimikatzHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT13TokenStealing(Mimikatz)14PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminModeWin10deployRemoteCredentialGuardAccountdesignationof"AccountisSensitiveandCannotbeDelegated"inActiveDirectoryDomainProtectedUserssecuritygroupaccountsdonotcreatedelegatetokensDefendingCredentials:Tokens16CompromisingCredentials:CachedCredentialsStoreddomaincredentialstoallowlogonswhendomaincontrolleraccessisunavailable.
Mostsystemscachethelast10logonhashesbydefault.
HowaretheyacquiredandusedCachedcredentialsmustbecracked.
Hashesaresaltedandcase-sensitive,makingdecryptionveryslow.
ThesehashescannotbeusedforPasstheHashattacks.
Commontools:cachedumpMetasploitPWDumpXcreddumpHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT17Thecreddumputilitiescanextracthashes,cachedcredentialsandLSASecretsfromofflineregistryhives:github.
com/Neohapsis/creddump7OfflineCachedCredentialsExtraction(Creddump)18LocalNTHashesCachedHashesPreventadminaccountcompromiseLimitnumberofcachedlogonaccountsSOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon(cachedlogonscountvalue)AcachedlogonscountofzerooroneisnotalwaystherightanswerEnforcepasswordlengthandcomplexityrulesBruteforcecrackingisrequiredforthisattackDomainProtectedUserssecuritygroupaccountsdonotcachecredentialsDefendingCredentials:CachedCredentials20CompromisingCredentials:LSASecretsCredentialsstoredintheregistrytoallowservicesortaskstoberunwithuserprivileges.
Inadditiontoserviceaccounts,mayalsoholdapplicationpasswordslikeVPNorauto-logoncredentials.
HowaretheyacquiredandusedAdministratorprivilegesallowaccesstoencryptedregistrydataandthekeysnecessarytodecrypt.
PasswordsareplaintextCommontools:CainMetasploitMimikatzgsecdumpPWDumpXcreddumpPowerShellHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT21Get-LsaSecret.
ps1fromtheNishangPowerShellpentestframeworkusedtodump(anddecrypt)LSASecretshttps://github.
com/samratashok/nishangDecryptingLSASecrets(Nishang)22PreventadminaccountcompromiseDonotemployservicesorscheduletasksrequiringprivilegedaccountsonlowtrustsystemsReducenumberofservicesthatrequiredomainaccountstoexecuteHeavilyauditanyaccountsthatmustbeused(Group)ManagedServiceAccountsDefendingCredentials:LSASecrets23CompromisingCredentials:TicketsKerberosissuesticketstoauthenticatedusersthatcanbereusedwithoutadditionalauthentication.
Ticketsarecachedinmemoryandarevalidfor10hours.
HowaretheyacquiredandusedTicketscanbestolenfrommemoryandusedtoauthenticateelsewhere(PasstheTicket).
Further,accesstotheDCallowsticketstobecreatedforanyuserwithnoexpiration(GoldenTicket).
Serviceaccountticketscanberequestedandforged,includingofflinecrackingofserviceaccounthashes(Kerberoasting).
Commontools:MimikatzWCEkerberoastHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT24PasstheTicket(Mimikatz)25KerberosAttacks27PasstheTicketStealticketfrommemoryandpassorimportonothersystemsOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetSilverTicketAll-accesspassforasingleserviceorcomputerSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordthatworksforanydomainaccountCredentialGuard(Win10+)DomainProtectedUsersGroup(Win8+)–SomeattacksRemoteCredentialGuard(Win10+)RestrictedAdmin(Win8+)Long&complexpasswordsonserviceaccounts(topreventKerberoasting)ChangeserviceaccountpasswordsregularlyGroupManagedServiceAccountsareagreatmitigationAuditserviceaccountsforunusualactivityChangeKRBTGTpasswordregularly(yearly)DefendingCredentials:Tickets28AttackTypeDescriptionMitigationPasstheTicketStealticketfrommemoryandpassorimportonothersystemsCredentialGuard;RemoteCredentialGuardOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountCredentialGuard;ProtectedUsersGroup;DisableRC4authenticationKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashLongandcomplexserviceaccountpasswords;ManagedServiceAccountsGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetProtectdomainadminaccounts;ChangeKRBTGTpasswordregularlySilverTicketAll-accesspassforasingleserviceorcomputerRegularcomputeraccountpasswordupdatesSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordtoanyaccountProtectdomainadminaccounts;SmartcardusageforprivilegedaccountsKerberosAttackMitigations29CompromisingCredentials:NTDS.
DITHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DITActiveDirectoryDomainServices(ADDS)databaseholdsalluserandcomputeraccounthashes(LM/NT)inthedomain.
Encrypted,butalgorithmiswellknownandeasytodefeat.
HowisitacquiredandusedLocatedinthe\Windows\NTDSfolderonthedomaincontroller.
Thefileislocked,soadminaccessisrequiredtoloadadrivertoaccessrawdisk,orusetheVolumeShadowCopyService.
Commontools:ntdsutilVSSAdminNTDSXtractVSSOwn.
vbsPowerShellntdsdump30CommandProcess:conhost.
exePid:141716CommandHistory:0x1b8f80Application:cmd.
exeFlags:Allocated,ResetCommandCount:12LastAdded:11LastDisplayed:11FirstCommand:0CommandCountMax:50ProcessHandle:0x60Cmd#0@0x196970:vssadminlistshadowsCmd#1@0x1bd240:cd\Cmd#2@0x1b9290:dirCmd#3@0x1bd260:cdtempCmd#4@0x1b92b0:dirCmd#5@0x19c6a0:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM.
Cmd#6@0x19c760:dirCmd#7@0x19c780:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM.
Cmd#8@0x19c830:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.
dit.
Cmd#9@0x1c1ab0:dirStealingNTDS.
DIT31Don'tallowDomainAdminaccountstobecompromised.
DefendingCredentials:NTDS.
DIT32CredentialAttackDetection33"Asanypass-the-ticketattack,theattackerreplaysthegoldenticketinastandardKerberosprotocol.
Therefore,thereisnoclearindicationofsuchattackinWindowslogs.
"34"GoldenTicketeventsmayhaveoneoftheseissues:TheAccountDomainfieldisblankwhenitshouldbeDOMAINTheAccountDomainfieldisDOMAINFQDNwhenitshouldbeDOMAIN.
"–SeanMetcalf,adsecurity.
org3536Asanexample…KerberoastingusesRC4encryptiondowngrade(butalmostnoonelogstheseevents)AuthenticationAuditingMappingAdmin$SharesPsExecScheduledTasksVSSAdminRDP/VPNactivityToolArtifactsNewServicesRandomFile/HostnamesCodeInjectionCrashesandSecurityAlertsBehavioralAnalysisLocalAdminAccountUseDomainAdminAnomaliesServiceAccountAnomaliesWorkstation-to-workstationconnectionsCredentialAttackDetection38EventlogsarecriticalfordetectionAuthenticationevents(EID4624,4762,4648,4720,etc.
)Newservices(EID7045)ApplicationandProcessCrashesFailedandanomalousSMBactivity(EID5140)AV/SecuritylogsDomainProtectedUsersecuritygrouplogsApplicationsandServicesLogs\Microsoft\Windows\Microsoft\AuthenticationProcesstrackingCommandlinecapturesPowerShellauditingCredentialAttackDetection39CredentialAttackDetection:PasstheHash40CredentialAttackDetection:PsExecandfgdumpInitiationoftwonear-simultaneousservicesbyhelpdeskaccount42CredentialAttackDetection:LSASSCrashSystemEventLogApplicationEventLog**ReviewandcorrelateyourAnti-Viruslogs**44CredentialAttackDetection:CapturingCommandLines46RegistrychangesDisabledcomputeraccountpwdupdates(SilverTickets)SYSTEM\CurrentControlSet\Services\Netlogon\ParametersDisablePasswordChange=1EnabledWDigestcredentials(postWin8.
1)SYSTEM\CurrentControlSet\Control\SecurityProviders\WdigestUseLogonCredential=1MemoryAnalysisProcessinjectionLoadeddriversKernel-levelsecurityagentdetectionsBehavioralAnalyticsCredentialAttackDetection:OtherDataSources48CredentialBestPractices49RestrictandProtectPrivilegedDomainAccountsReducethenumberofDomain/EnterpriseAdminsEnforcemulti-factorauthentication(MFA)forallnetworkandcloudadminaccountsSeparateadministrativeaccountsfromuseraccountsforadministrativepersonnelCreatespecificadministrativeworkstationhostsforadministratorsUsetheDomainProtectedUserssecuritygroup!
BestPractices:ControlYourAdminAccounts50LimitLocalAdminAccountsDon'tgiveusersadminUniqueandcomplexpasswordsforlocaladmin(LAPS)DenynetworklogonsforlocalaccountsAuditaccountusageandmonitorforanomaliesBestPractices:ControlYourAdminAccounts(2)51Imagesource:LocalAdministratorPasswordSolutionhttps://technet.
microsoft.
com/en-us/mt227395.
aspxUseaTieredAdministrativeAccessModelAdministrationofADServersandApplicationsWorkstationsandDevicesBestPractices:ControlYourAdminAccounts(3)52Imagesource:SecuringPrivilegedAccessReferenceMaterialbyCoreyPlett(Microsoft)AuditandlimitthenumberofservicesrunningassystemanddomainaccountsUtilizeGroupManagedServiceAccounts…orregularlychangeanduselong&complexpasswordsUpgradetoWindows10/Server2016EnableCredentialGuard&RemoteCredentialGuardForceLSASSasprotectedprocessonlegacyWin8.
1EstablishremoteconnectionsusingnetworklogoninsteadofinteractivelogonwhenpossibleBestPractices:ReducetheCredentialAttackSurface53LimitworkstationtoworkstationcommunicationRestrictinboundNetBIOS,SMBtrafficusingtheWindowsFirewall…orVLANsegmentationofworkstationsSomanyhacktoolsleverageSMBauthenticationIsworkstationtoworkstationRDPreallynecessaryEnablestricterKerberossecurityDisableLM&NTLM(forceKerberos)ShortvalidityforticketsNoaccountdelegationBestPractices:ReducetheCredentialAttackSurface(2)54ChartbyBenjaminDelpy:https://goo.
gl/1K3AC7IncreaseAwarenessofNewAttacks5556Materialsfrom:http://dfir.
to/FOR508
- Win10盗版win8.1升级win10相关文档
- 项目编号:宣公共采【2017】57号
- 惠普盗版win8.1升级win10
- Brownian盗版win8.1升级win10
- 投标人盗版win8.1升级win10
- 互联网网络安全信息通报
- 广州盗版win8.1升级win10
星梦云:四川100G高防4H4G10M月付仅60元
星梦云怎么样?星梦云资质齐全,IDC/ISP均有,从星梦云这边租的服务器均可以备案,属于一手资源,高防机柜、大带宽、高防IP业务,一手整C IP段,四川电信,星梦云专注四川高防服务器,成都服务器,雅安服务器。星梦云目前夏日云服务器促销,四川100G高防4H4G10M月付仅60元;西南高防月付特价活动,续费同价,买到就是赚到!点击进入:星梦云官方网站地址1、成都电信年中活动机(成都电信优化线路,封锁...
raksmart:全新cloud云服务器系列测评,告诉你raksmart新产品效果好不好
2021年6月底,raksmart开发出来的新产品“cloud-云服务器”正式上线对外售卖,当前只有美国硅谷机房(或许以后会有其他数据中心加入)可供选择。或许你会问raksmart云服务器怎么样啊、raksm云服务器好不好、网络速度快不好之类的废话(不实测的话),本着主机测评趟雷、大家受益的原则,先开一个给大家测评一下!官方网站:https://www.raksmart.com云服务器的说明:底层...
wordpress公司网站模板 wordpress简洁高级通用公司主题
wordpress公司网站模板,wordpresss简洁风格的高级通用自适应网站效果,完美自适应支持多终端移动屏幕设备功能,高级可视化后台自定义管理模块+规范高效的搜索优化。wordpress公司网站模板采用标准的HTML5+CSS3语言开发,兼容当下的各种主流浏览器: IE 6+(以及类似360、遨游等基于IE内核的)、Firefox、Google Chrome、Safari、Opera等;同时...
盗版win8.1升级win10为你推荐
-
手机内存卡数据恢复如何恢复手机储存卡里面的数据桌面背景图片淡雅桌面壁纸的壁纸美化输入法哪个好用手机输入法哪个好?燃气热水器和电热水器哪个好电热水器和燃气热水器的优缺点,那个更实用?机械表和石英表哪个好买石英表还是机械表好啊播放器哪个好哪个播放器最好空间登录页面登录QQ空间时,如何使登陆界面不直接进入个人中心?群空间登录手机如何登录腾讯qq群空间51个人空间登录我在电脑上用的是Q号登录51个人空间,在手机上怎么却不能用Q号登录51个人空间了dns服务器地址dns服务器地址