I wanted to ask what mitigation steps you are taking against someone escalating their privileges using some of the tools available such as responder and mimikatz. Seems fairly trivial for someone to become DA with the help of these and then walk off with the DIT etc..
(Something beyond being up to date on security patches - that's not going to nullify such an attack..)
thanks and regards,-Ravi
Mimikatz / responder mitigation
- 429 Views
- Last Post 14 September 2015
I’ll start with the easiest and most effective. Mimikatz needs system or local admin to run. Regular users should have neither. There was a POC at DefCon of
using it via a remote shell to get the currently logged in user who is not a local admin. But it couldn’t get beyond that. Hopefully no one with DA is logging in locally on anything that could possibly give up a shell.
My feelings on these advanced attacks are pretty well known. It’s like Mortal Kombat, Mimikatz is the finishing move in the game, you have already lost. You
have to stop phishing, local admin, the ability to pop a remote/local shell….all of those smaller details that are used to get a foot in the door.
I would suggest to start of with taking a look at the document Mitigating Pass The Hash and other Credential Theft.
Robin, MS PFE
Sent from my Windows Phone
I would also suggest taking a look at LAPS https://www.microsoft.com/en-us/download/details.aspx?id=46899 as one piece to the possible mitigations. As well as this blog http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
I really like some of the stuff Snover & co. have done around PowerShell constrained endpoints and DSC for configuring “Just Enough Administration (JEA)” and
creating safe harbors. This video starts to talk about it but there’s more stuff on the MS site:
It is pretty cool, although WMF 5.0 seems to have been in preview for ever. Looks like I missed this a couple of weeks back though: They released the ‘production
preview’ (almost GA) on 31st August which means it is supportable (couldn’t really use an unsupported preview for production security controls).
My understanding is that WMF 5.0 will ship in October (officially) although JEA is not dependent upon WMF 5. They were showing it in 4 as well. It is a bit
disconcerting that they essentially shipped a “non-production” version of WMF and Powershell in Windows 10, but that’s the new CICD world in which we live I suppose