credential assessment - mapping privilege escalation at scale

Credential Assessment Mapping Privilege Escalation at Scale Matt Weeks @scriptjunkie1

Upload: scriptjunkie

Post on 16-Jul-2015


TRANSCRIPT

Credential Assessment: Mapping Privilege Escalation at Scale

Matt Weeks

@scriptjunkie1

[Chart: Adversary access (# boxes owned), log scale from 1 to 10000, by step. Steps 1 to 10: 1, 1, 2, 2, 2, 10000, 10000, 10000, 10000, 10000]


Find and fix all the vulnerabilities, block contractor access

Pentests, vuln assessments

Many companies try this.

Find known malware.

The entire AV industry does this.

Hunt anomalies

Fewer do this.

Both are important parts of a security program


What happened here?!


Bad guys got a DA token;

Creds left on a webserver.


Malware detection and vulnerable boxes are not the biggest enterprise problem; admin creds lying around all over the domain are.
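An added example (not code from the talk or its tool) of the analysis this point calls for: given an inventory of which accounts' credentials sit on which hosts and which hosts each account administers, it computes how far a compromise of each host would spread and ranks the credential placements whose cleanup shrinks that spread most. The inventory, host names and account names are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (assumption, not data from the talk).
# Credentials or tokens found cached on each host:
CREDS_ON_HOST = {
    "ws17": {"alice"}, "ws18": {"bob"}, "file01": {"svc_backup"},
    "web01": {"svc_web", "da_admin"},  # DA creds left on a webserver
    "dc01": {"da_admin"},
}
# Hosts on which each account has admin rights:
ADMIN_OF = {
    "alice": {"ws17"}, "bob": {"ws18", "web01"},
    "svc_web": {"web01"}, "svc_backup": {"file01"},
    "da_admin": {"ws17", "ws18", "web01", "file01", "dc01"},
}

def blast_radius(start, creds_on_host, admin_of):
    """Hosts exposed if `start` is compromised and every credential found is reused."""
    owned, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for account in creds_on_host.get(host, ()):
            for target in admin_of.get(account, ()):
                if target not in owned:
                    owned.add(target)
                    queue.append(target)
    return owned

def total_exposure(creds_on_host, admin_of):
    """Sum of blast radii over every inventoried host as the starting point."""
    return sum(len(blast_radius(h, creds_on_host, admin_of)) for h in creds_on_host)

def rank_placements(creds_on_host, admin_of):
    """Rank (host, account) placements by how much removing each cuts total exposure."""
    baseline = total_exposure(creds_on_host, admin_of)
    ranked = []
    for host, accounts in creds_on_host.items():
        for account in accounts:
            trimmed = {**creds_on_host, host: accounts - {account}}
            saved = baseline - total_exposure(trimmed, admin_of)
            ranked.append((host, account, saved))
    return sorted(ranked, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for host, account, saved in rank_placements(CREDS_ON_HOST, ADMIN_OF):
        print(f"{host:<7} {account:<11} cleanup reduces exposure by {saved}")
```

In this sample a single workstation reaches every host only because of the domain admin credential on web01, so that placement ranks first for cleanup.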


[Diagram components: Scanners, Collectors, Database, Analysis, UI]

http://extract.ntdsd.it/

Uh oh!

It can be done!