Protecting the keys to the castle! - Restricted Admin Credential Exposure

Post on 24-Jun-2015


More info on http://techdays.be.

Protecting the keys to the castle – Restricted Admin Credential Exposure

Marcus Murray & Hasain Alshakarti
Truesec Security Team, MVP-Enterprise Security x2

Marcus Murray Hasain Alshakarti

Who doesn’t want to be domain admin?

Passing the dutchie

[Diagram labels: Web Srv, Mail Srv, File Srv, DC, Client, User, Admin, Client, Attacker]

Mitigating Passing the dutchie

• SMB Signing! On domain controllers!

mimikatz

• privilege::debug
• inject::process lsass.exe sekurlsa.dll
• @getLogonPasswords

• Passwords in CLEAR TEXT!!!

The “Mandiant report”

Local account dependencies

[Diagram labels: Web Srv, Mail Srv, File Srv, DC, Mail Srv, Client, CliAdm, CliAdm, Client, Attacker, SrvAdm, SrvAdm]

Logged on account dependencies

[Diagram labels: Web Srv, Mail Srv, File Srv, DC, Mail Srv, Client, Marcus_DA, Marcus_DA, Client, Attacker, Marcus_DA, Marcus_DA]

Complete mission

[Diagram labels: Web Srv, Mail Srv, File Srv, DC, Mail Srv, Client, User, Admin, Client, Attacker, Attacker]

Microsoft PtH Mitigations

Protecting!

• Local firewalls
• Non-admin
• Cutting dependencies
• Managed service accounts
• AMA

Marcus Murray Hasain Alshakarti

Thank you for listening!