We have had a fairly busy week here at ITC Towers and it has come to our attention that some fairly basic advice which we have discussed before remains an issue.
In the vast majority of real life breaches (mwahahaha) and red team activities (look how clever we are are are) that we have had the pleasure/pain or befuddlement to observe, a primary vector is the local administration credentials on Windows machines.
You might have wondered how you can log in to your domain connected Windows machine when not connected to the domain, or maybe not. It is not black magic or voodoo. What is going on is that a local process called lsass.exe has cached the credentials of all users that have logged onto your machine since the last reboot.
Can you see what could possibly go wrong here? For instance, if you had local Admin rights, or some support operator from hell had accessed your machine.
Turns out that one Benjamin Delpy Esq, and others nameless, have written tools to extract the cached credentials, decrypt them and use them for nefarious business such as privilege escalation.
That is very Kool for Katz.
Dumping passwords from the lsass.exe process involves little more than a command line or task manager furtle. The output can then be tested until it gives up its secrets. Simples.
Imagine if the target happened to be a server. Carnage.
Hardening server images is part of the basic hygiene that we have been banging on about for some time.
There is a very simple setting on Windows 2012 servers and some workstations to prevent this. We recommend that you implement it.
Please do not do it on your Windows 10 machines because we think it borks them, like they do on the discovery channel.
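The post does not name the setting, so here is an added audit script (ours, not ITC's) that assumes the "very simple setting" is LSA Protection, which runs lsass.exe as a Protected Process Light so that ordinary tools cannot open it and read the cached credentials out of its memory. It also checks the related WDigest plaintext-credential switch. Both registry values are real Windows settings; everything else (function names, output format) is our own. The script is read-only unless you explicitly call the enable function, and as the post says, try it on a test image before rolling it out.

```powershell
# Added example, not from the original post. Assumes the setting referred to is
# LSA Protection (RunAsPPL), available on Windows 8.1 / Server 2012 R2 and later.
# The WDigest check is a related control, included as an extra.

$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-LsassHardeningState {
    # RunAsPPL = 1 runs lsass.exe as a Protected Process Light; admin-level
    # tools can no longer open the process for reading. Reboot required.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL

    # UseLogonCredential = 1 makes WDigest keep plaintext passwords in LSASS
    # memory. Absent or 0 is what you want.
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential

    $wdigestState = if ($useLogonCred -eq 1) {
        'Plaintext credentials cached (bad)'
    } elseif ($null -eq $useLogonCred) {
        'Not set (off by default on 8.1 / 2012 R2 and later)'
    } else {
        'Disabled'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [System.Environment]::OSVersion.Version.ToString()
        LsaProtection = if ($runAsPpl -eq 1) { 'Enabled' } else { 'NOT enabled' }
        WDigest       = $wdigestState
    }
}

function Enable-LsaProtection {
    # Opt-in change. Supports -WhatIf so you can see what it would do first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set RunAsPPL=1 (effective after reboot)')) {
        Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
    }
}

# Report the current state of this machine.
Get-LsassHardeningState | Format-List

# To apply on a server image after testing:
#   Enable-LsaProtection -WhatIf   # preview
#   Enable-LsaProtection           # apply, then reboot
```

Run it as an administrator on the server image and look for "NOT enabled" under LsaProtection; that is the box an attacker with local Admin rights can still dump. Note that LSA Protection blocks third-party security agents that inject into LSASS unless they are signed for it, which is one reason to test on an image first.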
If you would like some help on hardening standards for your environment, we learnt from the master, or at least his associates (former, on the missing list), please contact us at [email protected] or call 020 7517 3900. The perfect time for an in-depth discussion would be 1500hrs on Saturday the 7th of July, our crack team are more rugby than football.
That being said, we hope you will join us in over-optimism. Just one more time.
Come On England.