Credentials Are the Means to Attack Data
If you’ve been reading the attack blog series until now, you’ve seen we have focused on attacks against Active Directory – like attacking core AD infrastructure, leveraging AD service accounts to attack, attacking AD with misconfigured permissions, and our series on Mimikatz attacks. Of course, AD is the hub for so much access to data in any organization that it may feel like those attacks actually compromise everything else. Today we’re kicking off our first series focusing on attacks directly against data. Like the AD attacks, these will leverage everything from built-in features that have been completely misconfigured or unknowingly exposed to vulnerabilities that could be fixed with a patch but too often aren’t.
Why Do These Attacks Work So Well?
Since we’ve started covering these attacks on the blog, the question we get most often is: why? Why do these attacks work? Why would anyone create these powerful tools to exploit these vulnerabilities and common misconfigurations? Why would you teach someone how to do such destructive things? One misunderstanding is that when we build out the labs for these stories we’re downloading dangerous, malware-like software that would be toxic to our network should it get loose. That couldn’t be further from the truth. The tools we cover in this series are all developed by people trying to do good, are quite stable, and are only really dangerous if you use them to do something bad. The people who make these tools are mostly penetration testers working to keep the bad guys out by outsmarting them before they even know they are in a contest. These tools do get used by the bad guys for sure, but the hope of their creators is that by the time the bad guys are using their tools, it’s too late because the tools have done their job. That job is to expose where things aren’t secure enough so people can get themselves into a better security posture and make sure the bad guy showing up with the same tool won’t stand a chance.
How We Will Attack the File System
The series up to this point have each been four parts, but this one will be three. Jeff has stolen all the thunder on grabbing elevated privileges, and that, of course, will be needed to make these attacks work as well. Unless you’re one very lucky bad guy, the person who clicks on the phishing email is seldom powerful enough on their own to give you access to all the data you’re trying to exfiltrate from an organization. Where we need these rights, I’ll be sure to point it out. So we’re going to get to the good data in three parts:
- First we’ll perform our reconnaissance to find out where data lives. This will involve identifying where we are likely to find any data that may be interesting, with as few rights as we can.
- Then we will zero in on what data is worth the effort by scanning for sensitive information. Unless an attacker feels they can get away with huge data movement, they will try to find just the right data and move as little as they can for the biggest possible reward. That means being able to sift through the mountains of data they find in every organization and pick out which bits are most likely to have value.
- Finally, we’ll look at how an attacker can use some of the odd features of the file system to make themselves persistent or hide things from view, to ensure they aren’t easy to get rid of.
As we go through each step, we’ll talk about why it was able to happen and how you can make sure it can’t happen to you.
Learn about how STEALTHbits addresses file system security and governance with StealthAUDIT for File Systems.