The presentation on my "Shadow Admins" research

•Als PPTX, PDF herunterladen•

2 gefällt mir•1,352 views

Asaf Hecht

Shadow Admins are powerful and stealthy privileged accounts - attacker & defenders must know about them.

Technologie

Lavi Lazarovitz
Security Research Team Lead
Asaf Hecht
Security Researcher
Shadow Admins

Shadow Admins: Underground Accounts That
Undermine The Network
Admin A
Privileged Accounts
Admin B
Shadow Admin

Shadow Admins: Underground Accounts That
Undermine The Network
Industry Standards
SHADOW ADMIN

Shadow Admins: Underground Accounts That
Undermine The Network
Industry Standards
Privileged account An information system account with authorizations of a
privileged user
Privileged user
[CNSSI 4009]
A user that is authorized (and therefore, trusted) to perform
security-relevant functions that ordinary users are not
authorized to perform

Shadow Admins: Underground Accounts That
Undermine The Network
Discovering Privileged Accounts
Built-in Admin Groups
Active Directory
Shadow Admins
C: NET GROUPS /Domain
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
* Enterprise Admins
* Domain Admins
* Account Operators
* Schema Admins
C: NET GROUPS /Domain
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
* Administrators_Global
* A_Admins_UK
* Server_Admins_Local
* WS_Admins_Local
Organization Defined Groups

Shadow Admins: Underground Accounts That
Undermine The Network
Shadow Admins
Name: Shadow Admin
D.O.B.: Not part of any privilege group
ID #: S-1-5-21-3623812015-
3361044358-30301820-1014
Issued: 08/06/2017
Expires: NEVER
IDENTIFICATION CARD
Shadow Admin has Direct Privilege Permissions!

Shadow Admins: Underground Accounts That
Undermine The Network
Permissions and ACLs - on directories
READ ONLY
SYSTEM
Administrators
User1
Guest
FULL CONTROL
READ & WRITE

Shadow Admins: Underground Accounts That
Undermine The Network
Permissions and ACLs - in Active Directory
SYSTEM
Enterprise Admins
Domain Admins
Authenticated Users
User1
User2
ACLAD Objects
Groups
Domain root
Containers
GPOs
FULL CONTROL
CREATE CHILD OBJECTS
DELETE CHILD OBJECTS
CHANGE PASSWORD
READ ONLY
READ ONLY
READ ONLY
CHANGE PASSWORD

Shadow Admins: Underground Accounts That
Undermine The Network
Active Directory - Object tree and ACL

Shadow Admins: Underground Accounts That
Undermine The Network
Group assignment: Direct assignment:
Direct vs Group ACL Assignment

Shadow Admins: Underground Accounts That
Undermine The Network
Direct vs Group ACL Assignment
Account Emily has DC Sync permission:
Domain and can steal all the passwords:
Account Emily has Reset Password permission: on
Administrator account Administrator account:

Shadow Admins: Underground Accounts That
Undermine The Network
Privilege Escalation
The Red Side Scenarios
Persistence

Shadow Admins: Underground Accounts That
Undermine The Network
C: NET LOCALGROUP
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
* Administrators
** Load and unload device drivers
** Manage Auditing and security logs
* Remote Desktop Users
** Allow logon through remote desktop services
User Rights - Local Privileged Accounts

Shadow Admins: Underground Accounts That
Undermine The Network
Local User Rights

Shadow Admins: Underground Accounts That
Undermine The Network
User Rights Attack

Shadow Admins: Underground Accounts That
Undermine The Network
Our Free Tool - ACLight - Shadow Admin Scanner
PowerShell
GitHub
Automatic

Shadow Admins: Underground Accounts That
Undermine The Network
Privilege ACL Scanner - Results

Shadow Admins: Underground Accounts That
Undermine The Network
Privilege ACL Scanner - Results
Full CSV output – every account and its privileged permission:

Shadow Admins: Underground Accounts That
Undermine The Network
Light In The Shadows
Domain Groups Shadow Admins Local Groups

Shadow Admins: Underground Accounts That
Undermine The Network
Download & Run Free:
https://github.com/CyberArkLabs/ACLight
Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz
Asaf.Hecht@cyberark.com, @Hechtov

Shadow Admins: Underground Accounts That
Undermine The Network
Actionable Takeaways
KNOW all your privileged accounts in the network:
• By group assignments
• By ACLs analysis of the Active Directory
HOW:
• Scan your network for Shadow Admins - who have sensitive direct permissions
• Use our free privileged ACLs scanning tool:
https://github.com/CyberArkLabs/ACLight
SECURE those new detected privileged accounts!

Weitere ähnliche Inhalte

Was ist angesagt?

DAST in CI/CD pipelines using Selenium & OWASP ZAP

srini0x00

Thick client pentesting_the-hackers_meetup_version1.0pptx

Anurag Srivastava

Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges. While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory. This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts. The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets. We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups. Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...

DirkjanMollema

Ppt on sql injection

ashish20012

AllDayDevOps ZAP automation in CI

Simon Bennetts

HTTP HOST header attacks

DefconRussia

Identity & access management

Vandana Verma

OWASP Serbia - A6 security misconfiguration

Nikola Milosevic

OWASP Top Ten 2017

Michael Furman

Understanding Windows Access Token Manipulation

Justin Bui

Security Testing for Web Application

Precise Testing Solution

CSSLP & OWASP & WebGoat

Surachai Chatchalermpun

Secure coding presentation Oct 3 2020

Moataz Kamel

The CyberArk Certification is for Cybersecurity experts who want to enhance their learning skills in the critical identity and access management layer of security. CyberArk is a privileged access management company that provides the most comprehensive security solution for any identity, human or machine, across business apps, remote workforces, hybrid cloud workloads, and the DevOps lifecycle.

CyberArk Interview.pdf

Infosec Train

SQL injection prevention techniques

SongchaiDuangpan

Sql injections - with example

Prateek Chauhan

Sql injection

Sasha-Leigh Garret

With more APIs in circulation than ever before, there has been a direct correlation to the number of API abuses reported across industries. This is because APIs are such a valuable asset to bad actors, but many organizations have not yet woken up to the realities of the need to protect their APIs from abuse. If you couple that with the fact that attacks on APIs have become more sophisticated, with some attackers even using AI themselves, then you can see why even some of the more security-conscious organizations can have trouble properly securing their APIs. A robust API Security posture can be broken down into several areas including: Proper design and coding during the development process API governance and compliance through visibility of all your APIs (shadow too!) and a mapping of how they connect to each other. General application and API protection from tools such as API gateways, WAFs, NG-WAF, and RASPS An always-updating understanding of your user behaviors regarding your APIs. You won’t have comprehensive API security without solutions in each of these areas. We will also discuss: The roles of API developers, infosec, support, and enterprise architects as it relates to API security Microservices role in making it difficult to secure your APIs The importance of inventorying your APIs How technologies like Traceable can help protect your APIs against advanced attacks Key takeaways: Why your API's are a key attack surface for modern bad actors Why APi's are so much harder to secure than traditional web traffic What's necessary to secure your APIs Why yesterday's solutions can't solve today's new API security challenges

API Security - Everything You Need to Know To Protect Your APIs

AaronLieberman5

ReCertifying Active Directory

Will Schroeder

OWASP Secure Coding

bilcorry

Was ist angesagt? (20)

DAST in CI/CD pipelines using Selenium & OWASP ZAP

Thick client pentesting_the-hackers_meetup_version1.0pptx

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...

Ppt on sql injection

AllDayDevOps ZAP automation in CI

HTTP HOST header attacks

Identity & access management

OWASP Serbia - A6 security misconfiguration

OWASP Top Ten 2017

Understanding Windows Access Token Manipulation

Security Testing for Web Application

CSSLP & OWASP & WebGoat

Secure coding presentation Oct 3 2020

CyberArk Interview.pdf

SQL injection prevention techniques

Sql injections - with example

Sql injection

API Security - Everything You Need to Know To Protect Your APIs

ReCertifying Active Directory

OWASP Secure Coding

Ähnlich wie The presentation on my "Shadow Admins" research

Shadow admins

Lavi Lazarovitz

You wouldn’t leave the front or back door of your house unlocked and wide open, would you? Then why aren’t you as diligent with your work environment? Idle permissions and forgotten accounts – which often aren’t cleaned up – are two key areas ripe for compromise in your identity system. Learn how: - An attacker can use back doors into your Active Directory environment to gain access to your systems, applications, and confidential information. - Having your administrators make a few minor changes, can increase your security footprint and lower your attack surface. Session Outcomes: - Learn 5 free methods to secure your Active Directory. - Deploy validated and tested policies that enhance your security footprint. - Identify and define privileged groups in your organization.

Secure active directory in one day without spending a single dollar

David Rowe

Escalation defenses ad guardrails every company should deploy

David Rowe

Is the door to your active directory wide open and unsecure

David Rowe

UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx

LeahRachael

Owasp web security

Pankaj Kumar Sharma

Windows Server 2012 Managing Active Directory Domain

Napoleon NV

Hunting for Privilege Escalation in Windows Environment

Teymur Kheirkhabarov

Secure Active Directory in one Day Without Spending a Single Dollar

David Rowe

CHAPTER 26 WINDOWS SECURITY 26.1 FUNDAMENTAL

EstelaJeffery653

User id installation and configuration

Alberto Rivai

Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc. If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you. Topics : • Red Team philosophy/overview • Red Teaming vs Penetration Testing • Active Directory Fundamentals – Forests, Domains, OU’s etc • Assume Breach Methodology • Insider Attack Simulation • Introduction to PowerShell • Initial access methods • Privilege escalation methods through abuse of misconfigurations • Domain Enumeration • Lateral Movement and Pivoting • Single sign-on in Active Directory • Abusing built-in functionality for code execution • Credential Replay • Domain privileges abuse • Dumping System and Domain Secrets • Kerberos – Basics and its Fundamentals • Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc) https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/

BSides SG Practical Red Teaming Workshop

Ajay Choudhary

Catch the full webinar at: https://www.beyondtrust.com/resources/webinar/managing-unix-accounts-todays-complex-world-stop-shadow-efficient/ In this presentation from his webinar, InfoSec expert consultant and CISO, Chris Ray, shares his experiences for identifying the potential pitfalls both Unix Administrators and Security teams face when managing user accounts across multiple Unix environments. Tune in to get insights into: •Regulatory requirements to watch for; •What works and what doesn’t work with “sudo”; •Strategies to lessen the audit impact to Unix administrators; and •Tips for getting executive buy-in for what you need fixed.

Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...

BeyondTrust

Dynamics CRM Harsha PPT

Harsha T

by Roy Feintuch, Dome9 Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.

The Perimeter Is Dead

Amazon Web Services

Cis controls v8_guide (1)

MHumaamAl

Today there are more privileged users than ever before. Providing access is not optional it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time is the formula for reducing your risk and securing a world of data. At FedEx empowering the right people at the right time is not only good business, but it's also good security. For more information on Security, please visit: http://cainc.to/CAW17-Security

Case Study: Privileged Access in a World on Time

CA Technologies

Creating a fortress in your active directory environment

David Rowe

Ceh v5 module 04 enumeration

Vi Tính Hoàng Nam

IT103Microsoft Windows XP/OS Chap13

blusmurfydot1

Ähnlich wie The presentation on my "Shadow Admins" research (20)

Shadow admins

Secure active directory in one day without spending a single dollar

Escalation defenses ad guardrails every company should deploy

Is the door to your active directory wide open and unsecure

UNIT 6-EXPLAINING THE ROLE OF THE NETWORK ADMINISTRATOR AND SUPPORT.pptx

Owasp web security

Windows Server 2012 Managing Active Directory Domain

Hunting for Privilege Escalation in Windows Environment

Secure Active Directory in one Day Without Spending a Single Dollar

CHAPTER 26 WINDOWS SECURITY 26.1 FUNDAMENTAL

User id installation and configuration

BSides SG Practical Red Teaming Workshop

Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...

Dynamics CRM Harsha PPT

The Perimeter Is Dead

Cis controls v8_guide (1)

Case Study: Privileged Access in a World on Time

Creating a fortress in your active directory environment

Ceh v5 module 04 enumeration

IT103Microsoft Windows XP/OS Chap13

Kürzlich hochgeladen

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

ICT role in 21st century education and its challenges

rafiqahmad00786416

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Manulife - Insurer Transformation Award 2024

The Digital Insurer

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

DBX First Quarter 2024 Investor Presentation

Dropbox

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Architecting Cloud Native Applications

WSO2

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

MINDCTI Revenue Release Quarter One 2024

MIND CTI

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Kürzlich hochgeladen (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors

ICT role in 21st century education and its challenges

MS Copilot expands with MS Graph connectors

How to Troubleshoot Apps for the Modern Connected Worker

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Manulife - Insurer Transformation Award 2024

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

DBX First Quarter 2024 Investor Presentation

Axa Assurance Maroc - Insurer Innovation Award 2024

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Architecting Cloud Native Applications

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

MINDCTI Revenue Release Quarter One 2024

Ransomware_Q4_2023. The report. [EN].pdf

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

The presentation on my "Shadow Admins" research

1. Lavi Lazarovitz Security Research Team Lead Asaf Hecht Security Researcher Shadow Admins

2. Shadow Admins: Underground Accounts That Undermine The Network Admin A Privileged Accounts Admin B Shadow Admin

3. Shadow Admins: Underground Accounts That Undermine The Network Industry Standards SHADOW ADMIN

4. Shadow Admins: Underground Accounts That Undermine The Network Industry Standards Privileged account An information system account with authorizations of a privileged user Privileged user [CNSSI 4009] A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform

5. Shadow Admins: Underground Accounts That Undermine The Network Discovering Privileged Accounts Built-in Admin Groups Active Directory Shadow Admins C: NET GROUPS /Domain _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ * Enterprise Admins * Domain Admins * Account Operators * Schema Admins C: NET GROUPS /Domain _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ * Administrators_Global * A_Admins_UK * Server_Admins_Local * WS_Admins_Local Organization Defined Groups

6. Shadow Admins: Underground Accounts That Undermine The Network Shadow Admins Name: Shadow Admin D.O.B.: Not part of any privilege group ID #: S-1-5-21-3623812015- 3361044358-30301820-1014 Issued: 08/06/2017 Expires: NEVER IDENTIFICATION CARD Shadow Admin has Direct Privilege Permissions!

7. Shadow Admins: Underground Accounts That Undermine The Network Permissions and ACLs - on directories READ ONLY SYSTEM Administrators User1 Guest FULL CONTROL READ & WRITE

8. Shadow Admins: Underground Accounts That Undermine The Network Permissions and ACLs - in Active Directory SYSTEM Enterprise Admins Domain Admins Authenticated Users User1 User2 ACLAD Objects Groups Domain root Containers GPOs FULL CONTROL CREATE CHILD OBJECTS DELETE CHILD OBJECTS CHANGE PASSWORD READ ONLY READ ONLY READ ONLY CHANGE PASSWORD

9. LET’S SEE IT

10. Shadow Admins: Underground Accounts That Undermine The Network Active Directory - Object tree and ACL

11. Shadow Admins: Underground Accounts That Undermine The Network Active Directory - Object tree and ACL

12. Shadow Admins: Underground Accounts That Undermine The Network Group assignment: Direct assignment: Direct vs Group ACL Assignment

13. Shadow Admins: Underground Accounts That Undermine The Network Direct vs Group ACL Assignment Account Emily has DC Sync permission: Domain and can steal all the passwords: Account Emily has Reset Password permission: on Administrator account Administrator account:

14. Shadow Admins: Underground Accounts That Undermine The Network Privilege Escalation The Red Side Scenarios Persistence

15. Shadow Admins: Underground Accounts That Undermine The Network C: NET LOCALGROUP _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ * Administrators ** Load and unload device drivers ** Manage Auditing and security logs * Remote Desktop Users ** Allow logon through remote desktop services User Rights - Local Privileged Accounts

16. WATCH THE USER RIGHTS

17. Shadow Admins: Underground Accounts That Undermine The Network Local User Rights

18. Shadow Admins: Underground Accounts That Undermine The Network User Rights Attack

19. Shadow Admins: Underground Accounts That Undermine The Network Our Free Tool - ACLight - Shadow Admin Scanner PowerShell GitHub Automatic

20. SHADOW ADMIN SCANNER

21. Shadow Admins: Underground Accounts That Undermine The Network Privilege ACL Scanner - Results

22. Shadow Admins: Underground Accounts That Undermine The Network Privilege ACL Scanner - Results Full CSV output – every account and its privileged permission:

23. Shadow Admins: Underground Accounts That Undermine The Network Light In The Shadows Domain Groups Shadow Admins Local Groups

24. Shadow Admins: Underground Accounts That Undermine The Network Download & Run Free: https://github.com/CyberArkLabs/ACLight Lavi.Lazarovitz@cyberark.com, @LaviLazarovitz Asaf.Hecht@cyberark.com, @Hechtov

25. Shadow Admins: Underground Accounts That Undermine The Network Actionable Takeaways KNOW all your privileged accounts in the network: • By group assignments • By ACLs analysis of the Active Directory HOW: • Scan your network for Shadow Admins - who have sensitive direct permissions • Use our free privileged ACLs scanning tool: https://github.com/CyberArkLabs/ACLight SECURE those new detected privileged accounts!

The presentation on my "Shadow Admins" research

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie The presentation on my "Shadow Admins" research

Ähnlich wie The presentation on my "Shadow Admins" research (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

The presentation on my "Shadow Admins" research