Start here
KrbRelayUp: there may still be no good fix
Taiwanese security vendor reveals the state of AD protection in Taiwan; taking stock of AD attack paths and administrator accounts is the urgent priority
Another AD security problem is the KrbRelayUp vulnerability disclosed in February this year. Just as Kerberos relay vulnerabilities were widely discussed in previous years, KrbRelayUp combines two vulnerabilities into a new attack that lets an attacker escalate any domain account to elevated privileges on the local machine. At present there appears to be no fix; some researchers have even called it a forever zero-day.
https://www.ithome.com.tw/news/151458
No admin group
Everyone is a Domain Admin
Built-in default groups are used to the hilt
(Most people don't need admin; one account compromised and everything falls)
Recommended action: separate privileges; keep personal accounts and operations accounts apart
Admin group memberships are heavily interlinked
They know it needs managing but lack the capacity
"pwd mgmt" looks like a password-management group, but it has GenericAll rights
Admin accounts leave traces everywhere
Admin accounts not segregated, leading to Credential Dumping (extremely common)
Attacker harvests cached credentials
mimikatz
rubeus
mscash
relay auth
krb relay (Kerberos relay)
RemotePotato0 (NTLM relay)
Lsarelayx (NTLM relay + downgrade)
Observed: in 7 days, 279 accounts RDP'd to the same machine, then RDP'd on to their own hosts
Because a server was set up as a shared host for employees
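The two observations above (admin accounts leaving credential traces on many machines, and hundreds of accounts funnelling through one shared RDP host) are both visible in plain logon telemetry. The following is an added example, not code from the talk or the note: it runs two checks over constructed 4624-style logon records (account, host, logon type, time). `privileged_exposure` lists the non-Tier-0 hosts on which a privileged account logged on interactively (each one is a place where its credentials could be dumped), and `shared_rdp_hosts` finds hosts where many distinct accounts RDP'd in within a sliding 7-day window. The host names, account names and the threshold of 20 are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    """One successful logon (the fields a 4624 event would give you)."""
    when: datetime
    account: str
    host: str        # computer on which the logon occurred
    logon_type: int  # 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP)


INTERACTIVE_TYPES = {2, 10}  # logon types that leave reusable credential material on the host


def privileged_exposure(events, privileged_accounts, tier0_hosts):
    """Map each privileged account to the non-Tier-0 hosts it logged on to interactively.

    Every such host is a place where the account's credentials could be dumped.
    """
    exposure = defaultdict(set)
    for e in events:
        if (e.logon_type in INTERACTIVE_TYPES
                and e.account in privileged_accounts
                and e.host not in tier0_hosts):
            exposure[e.account].add(e.host)
    return {account: sorted(hosts) for account, hosts in exposure.items()}


def shared_rdp_hosts(events, window=timedelta(days=7), threshold=20):
    """Return {host: peak} for hosts where at least `threshold` distinct accounts
    RDP'd in within any sliding `window`; `peak` is that maximum distinct count."""
    by_host = defaultdict(list)
    for e in events:
        if e.logon_type == 10:
            by_host[e.host].append((e.when, e.account))

    flagged = {}
    for host, logons in by_host.items():
        logons.sort()
        active = Counter()  # accounts seen inside the current window
        left = 0
        peak = 0
        for when, account in logons:
            active[account] += 1
            # slide the left edge forward until everything inside is within `window` of `when`
            while logons[left][0] < when - window:
                old = logons[left][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def sample_events():
    """Constructed sample events (not real telemetry); host and account names are hypothetical."""
    base = datetime(2022, 8, 1, 9, 0)
    events = []
    for i in range(25):
        user = f"CORP\\user{i:02d}"
        # 25 different employees RDP into the shared server JUMP01 over four days...
        events.append(LogonEvent(base + timedelta(hours=4 * i), user, "JUMP01", 10))
        # ...and then RDP from it on to their own workstation
        events.append(LogonEvent(base + timedelta(hours=4 * i, minutes=5), user, f"WS-{i:03d}", 10))
    # a Domain Admin logging on interactively to ordinary workstations
    events.append(LogonEvent(base + timedelta(days=1), "CORP\\da-admin", "WS-042", 2))
    events.append(LogonEvent(base + timedelta(days=2), "CORP\\da-admin", "WS-017", 10))
    # the same account on a domain controller is where it belongs (Tier 0), so it is not reported
    events.append(LogonEvent(base + timedelta(days=3), "CORP\\da-admin", "DC01", 10))
    return events


if __name__ == "__main__":
    evts = sample_events()
    print("shared RDP hosts:", shared_rdp_hosts(evts))
    print("privileged exposure:", privileged_exposure(evts, {"CORP\\da-admin"}, {"DC01"}))
```

On real data the `privileged_accounts` set would be the recursive membership of the Tier 0 groups and `tier0_hosts` the domain controllers and other Tier 0 servers; any host the first check reports is a candidate for the credential-dumping scenario described above, and any host the second check reports is a shared jump point whose compromise exposes every account that passed through it.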
Attacker methods
All kinds of misconfigurations
Default Component
Group Policy: unintended people can modify GPOs
SPN on user accounts: risk of the password being cracked
Network Shares: permissions opened too wide
Auth related
AD CS permissions
Misconfigured certificate template permissions
Meant to grant all users Enroll permission, but also granted modify permission
So users can modify the "template contents" and escalate to Domain Admins
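The template misconfiguration just described is an ACL problem, so it can be audited by reading each template's access-control entries and separating "may request certificates" (Enroll, AutoEnroll) from "may change the template" (WriteProperty, WriteDacl, WriteOwner, GenericAll). The code below is an added example, not from the talk or the note: it runs that separation over a constructed ACE list. In a real forest the entries would be read from the nTSecurityDescriptor of the objects under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration; the template names, group names and the flat `right` strings here are assumptions for the sample (Enroll is really an extended right, which the sample flattens into a name).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TemplateAce:
    """One access-control entry on a certificate template object."""
    template: str
    principal: str
    right: str  # e.g. "Read", "Enroll", "AutoEnroll", "WriteProperty", "WriteDacl", "WriteOwner", "GenericAll"


# Principals that effectively mean "every user/computer in the domain".
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
# Rights that let the holder change the template itself (or its ACL/owner, which leads to the same).
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteProperty", "WriteDacl", "WriteOwner"}
# Rights that only let the holder request certificates; fine to grant broadly when that is the intent.
ENROLL_RIGHTS = {"Enroll", "AutoEnroll"}


def audit_templates(aces, broad=BROAD_PRINCIPALS):
    """Return {template: {"writable_by": [(principal, right), ...], "broad_enroll": [principal, ...]}}
    for every template that a broad principal can modify."""
    enroll = defaultdict(set)
    write = defaultdict(set)
    for ace in aces:
        if ace.principal not in broad:
            continue  # rights held by narrow groups (PKI admins, Domain Admins) are expected
        if ace.right in ENROLL_RIGHTS:
            enroll[ace.template].add(ace.principal)
        elif ace.right in WRITE_RIGHTS:
            write[ace.template].add((ace.principal, ace.right))
    return {
        template: {
            "writable_by": sorted(writers),
            "broad_enroll": sorted(enroll.get(template, ())),
        }
        for template, writers in write.items()
    }


def sample_aces():
    """Constructed ACL dump (template and group names are hypothetical, not from any real forest)."""
    return [
        # A template that is merely enrollable by everyone: broad Enroll alone is not a finding.
        TemplateAce("User", "Authenticated Users", "Read"),
        TemplateAce("User", "Authenticated Users", "Enroll"),
        TemplateAce("User", "Domain Admins", "GenericAll"),
        # The misconfiguration from the talk: Enroll for all users, but WriteProperty came along with it.
        TemplateAce("HelpdeskUsers", "Domain Users", "Enroll"),
        TemplateAce("HelpdeskUsers", "Domain Users", "WriteProperty"),
        TemplateAce("HelpdeskUsers", "PKI Admins", "GenericAll"),
        # Another variant: WriteOwner granted to Everyone lets anyone take the object over.
        TemplateAce("WebServer", "Authenticated Users", "Enroll"),
        TemplateAce("WebServer", "Everyone", "WriteOwner"),
    ]


if __name__ == "__main__":
    for template, detail in audit_templates(sample_aces()).items():
        print(f"{template}: modifiable by {detail['writable_by']}; broad enroll: {detail['broad_enroll']}")
```

The fix for each finding is the one the note implies: keep Enroll for the intended population and move every write right on the template to the PKI administrators, who belong in Tier 0.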
No concept of what permissions specific assets should be given
Tier 0:
Tier 1:
Tier 2:
scan the privilege
monitoring
professional advice
HITCON2022