Defending an organization from today’s sophisticated attacks is no easy task. It often requires security teams to be ready at a moment’s notice to respond to an incident, in addition to managing the day-to-day responsibilities of securing the organization. To be effective, security teams must have well-defined policies and solid detection capabilities. This dynamic often drives an ongoing arms race between blue teams and red teams, with both seeking increasingly sophisticated tooling and detection capabilities. However, security professionals can often optimize their efforts and gain a strategic advantage by anticipating likely attack paths and taking steps to block attackers from using these paths.

This blog focuses on a common security issue frequently observed during red team engagements: hidden administrator accounts. It also introduces a tool originally designed for red teams that now provides blue teams with the ability to detect and remediate this common security issue.

What is a Hidden Administrator Account and Why Do I Care?

Hidden administrator accounts are domain accounts that provide administrator access to sensitive systems like domain controllers, Exchange servers or database servers. These accounts may not belong to privileged Active Directory (AD) groups (e.g., Domain Admins), but they still have access to the same systems. The permissions for these accounts are directly assigned using access control lists (ACLs) on AD objects.

These hidden administrator accounts are often service or maintenance accounts that perform automated, routine tasks in the environment. In addition, hidden administrator accounts often have access to multiple systems in the environment. Of concern is that these accounts don’t typically receive the same attention regarding configuration review, password management and monitoring as administrative accounts belonging to human users. As a result, they present an attractive target for adversaries, who leverage these service accounts for both lateral movement and gaining access to multiple systems. Hidden administrator accounts are also often targeted by self-propagating malware, including those used in ransomware and cryptomining attacks. Exploitation of these administrator privileges allows malware to easily spread throughout an organization.

CrowdStrike Red Team Use Case

CrowdStrike recently performed an adversary emulation penetration test for a client organization that had gone through a large effort to make improvements to its AD structure. This organization restricted its administrator account privileges and segregated administrator and user roles. As is best practice, the client only allowed domain administrator accounts to log onto domain controllers. Additionally, the client implemented logging, monitoring and session management around the use of the domain administrator accounts. Even server administrators were restricted to only accessing the servers for which they had direct responsibility. During the lateral movement and credential dumping phase of the test, we came across two different service accounts. One was a service account that performed storage area network (SAN) maintenance and also had local administrative access to a large portion of the environment. The other one was what we call the “golden key.” It was a service account that had been created to pull security information from all the domain controllers.
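As an added illustration (not code from the original post or from CrowdStrike's tooling), the following Python flags the two patterns described above from an exported ACL listing and a local-administrator inventory: principals granted full-control rights on domain controller objects without being in, or belonging to, a tracked privileged group, and service accounts that sit in the local Administrators group on a large share of hosts. The domain, object names, accounts and inventory are constructed assumptions; the rights names follow the ActiveDirectoryRights flags as PowerShell's Get-Acl reports them on an AD: path.

```python
from collections import defaultdict
# Rights that give full control of an AD object or let the holder grant it to
# themselves; names as Get-Acl reports ActiveDirectoryRights on an AD: path.
ADMIN_EQUIVALENT_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Constructed sample data (an assumption, not a real domain).
DC01 = "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"
DC02 = "CN=DC02,OU=Domain Controllers,DC=corp,DC=example"
SAMPLE_ACES = [  # (object, trustee, ActiveDirectoryRights string)
    (DC01, "CORP\\Domain Admins", "GenericAll"),
    (DC01, "CORP\\svc_seclog", "GenericAll"),  # in no privileged group
    (DC02, "CORP\\svc_seclog", "GenericAll"),
    (DC01, "CORP\\svc_backup", "ReadProperty, GenericExecute"),
    (DC02, "CORP\\adm_server1", "WriteDacl"),  # a tracked Domain Admin
]
SAMPLE_MEMBERSHIP = {"CORP\\adm_server1": {"Domain Admins"}}  # trustee -> groups
SAMPLE_LOCAL_ADMINS = {  # host -> members of its local Administrators group
    "SRV01": {"CORP\\Domain Admins", "CORP\\svc_san", "CORP\\adm_server1"},
    "SRV02": {"CORP\\Domain Admins", "CORP\\svc_san"},
    "SRV03": {"CORP\\Domain Admins", "CORP\\svc_san", "CORP\\adm_server3"},
    "SRV04": {"CORP\\Domain Admins", "CORP\\adm_server4"},
}

def is_privileged_group(trustee):
    return trustee.split("\\")[-1] in PRIVILEGED_GROUPS

def hidden_admins(aces, membership):
    """Map trustees holding admin-equivalent rights on an object, without being
    or belonging to a privileged group, to the sorted objects they control."""
    hits = defaultdict(set)
    for obj, trustee, rights in aces:
        granted = {r.strip() for r in rights.split(",")}
        if not granted & ADMIN_EQUIVALENT_RIGHTS or is_privileged_group(trustee):
            continue
        if membership.get(trustee, set()) & PRIVILEGED_GROUPS:
            continue  # already a recognised administrator, reviewed elsewhere
        hits[trustee].add(obj)
    return {t: sorted(objs) for t, objs in hits.items()}

def wide_local_admins(local_admins, min_fraction=0.5):
    """Map accounts that are local Administrators on at least min_fraction of
    the inventoried hosts to that fraction (privileged groups are expected)."""
    counts = defaultdict(int)
    for members in local_admins.values():
        for member in members:
            counts[member] += 1
    total = len(local_admins)
    return {m: c / total for m, c in counts.items()
            if not is_privileged_group(m) and c / total >= min_fraction}
```

On the sample data the first function surfaces only the "golden key"-style account with full control over both domain controller objects, and the second surfaces the SAN-style service account present in local Administrators on three of four hosts.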