Discover and read the best of Twitter Threads about #PingCastle

Most recents (9)

1/ Real-World #PingCastle Finding #13: Allow log on locally

➡️ Domain Users are eligible to log into DC's 🤯🙈

"When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain." [1]

#CyberSecurity Image
2/ Why is this a bad idea?

"If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges." [1]
3/ I encountered this finding several times in our AD assessments, so you better check your settings in your domain right now (better safe than sorry 🔒).

Good luck 🍀
Read 4 tweets
1/ Number #10 of the #ActiveDirectory hardening measures:

Easy Wins (for Attackers)

🧵 #CyberSecurity
This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅

Here are more points you should focus on to defend your networks even better.
"Administrative accounts should never be enabled for delegation.

You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
Read 11 tweets
1/ Number #9 of the #ActiveDirectory hardening measures:

Relaying

🧵 #CyberSecurity
2/ There exists a ton of different techniques of how attackers can relaying credentials to another host in order to raise their privileges or get a shell on the target server.
3/ @TrustedSec has written an excellent blog post about the different relaying techniques, how they work and which prerequisites have to be in place that the attack is successful. [1]
Read 8 tweets
1/ Number #8 of the #ActiveDirectory hardening measures:

Print Spooler Service

🧵 #CyberSecurity
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]

Screenshot below from #PingCastle (@mysmartlogon)
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3]
Read 8 tweets
1/ Number #6 of the #ActiveDirectory hardening measures:

Privileges and Permissions

🧵 #CyberSecurity
2/ #PingCastle lists, among many other things, the privileges assigned to domain users via GPOs.

The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.

Why is this bad?
3/ As @0xdf put it:

"If I can load a driver, I can load a vulnerable driver, and then exploit it." [1]

I know that some EDR's raise an alert when a vulnerable driver is loaded or dropped to disk, as such a driver could be exploited for a LPE.
Read 13 tweets
/1 Sin #4: Insufficient AD Hardening

Of course, there are many AD attack paths, misconfigurations, and ways to get DA credentials.

But still, companies should try to set the bar as high as possible to force attackers to make mistakes we might detect.

🧵 #CyberSecurity
2/ Passwords in the GPO

My first "Real-World #PingCastle Finding" talks exactly about this issue:
3/ Service accounts are DA

Service accounts should never be part of the Domain Admins group.

Check and clean the DA group regularly because a TA could try to "Kerberoast" the service account, which is primarily a problem if the service account use a weak password (next point).
Read 9 tweets
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.
1/8

#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.

The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8

github.com/WazeHell/sam-t…
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
3/8
Read 8 tweets
Many people knows be about AD stuff (#PingCastle) but I'm also an expert in Windows & smart card.
If you have to remember one thing, it is:
certutil -scinfo

Thread
Main problem being smart card recognition.
If you see a card name, it's ok
Sometimes, this is obvious: no smart card
Read 6 tweets
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
Read 12 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!