Credential Assessment Mapping Privilege Escalation at Scale Matt Weeks @scriptjunkie1
Page 1: Credential Assessment - Mapping Privilege Escalation at Scale

Credential Assessment - Mapping Privilege Escalation at Scale

Matt Weeks

@scriptjunkie1

Page 10: Credential Assessment - Mapping Privilege Escalation at Scale

[Chart: Adversary access (# boxes owned) at each step; vertical axis ticks at 1, 10, 100, 1000, 10000]

Step:         1  2  3  4  5  6      7      8      9      10
Boxes owned:  1  1  2  2  2  10000  10000  10000  10000  10000

Page 11: Credential Assessment - Mapping Privilege Escalation at Scale

[Chart repeated: Adversary access (# boxes owned) for Steps 1-10: 1, 1, 2, 2, 2, 10000, 10000, 10000, 10000, 10000]

Find and fix all the vulnerabilities, block contractor access

Pentests, vuln assessments

Many companies try this.

Find known malware.

The entire AV industry does this.

Hunt anomalies

Fewer do this.

Both are important parts of a security program

Page 12: Credential Assessment - Mapping Privilege Escalation at Scale

[Chart repeated: Adversary access (# boxes owned) for Steps 1-10: 1, 1, 2, 2, 2, 10000, 10000, 10000, 10000, 10000]

What happened here?!

Page 13: Credential Assessment - Mapping Privilege Escalation at Scale

[Chart repeated: Adversary access (# boxes owned) for Steps 1-10: 1, 1, 2, 2, 2, 10000, 10000, 10000, 10000, 10000]

Bad guys got a DA token;

Creds left on a webserver.

Page 14: Credential Assessment - Mapping Privilege Escalation at Scale

[Chart repeated: Adversary access (# boxes owned) for Steps 1-10: 1, 1, 2, 2, 2, 10000, 10000, 10000, 10000, 10000]

Malware detection and vulnerable boxes are not the biggest enterprise problem; admin creds lying around all over the domain are.

Bad guys got a DA token;

Creds left on a webserver.

Page 20: Credential Assessment - Mapping Privilege Escalation at Scale

Scanners Collectors

Database Analysis UI

Page 22: Credential Assessment - Mapping Privilege Escalation at Scale

http://extract.ntdsd.it/

Page 24: Credential Assessment - Mapping Privilege Escalation at Scale

Uh oh!

Page 38: Credential Assessment - Mapping Privilege Escalation at Scale

It can be done!
