If you’ve been reading the attack blog series until now, you’ve seen we have focused on attacks against Active Directory – like attacking core AD infrastructure, leveraging AD service accounts to attack, attacking AD with misconfigured permissions, and our series on Mimikatz attacks. Of course, AD is the hub for so much access to data in any organization that it may feel like those attacks effectively compromise everything else. Today we’re kicking off our first series focusing on attacks directly against data. Like the AD attacks, these will leverage everything from built-in features that have been completely misconfigured or unknowingly exposed to vulnerabilities that could be fixed with a patch but too often aren’t.
Since we’ve started covering these attacks on the blog, the question we get most often is: why? Why do these attacks work? Why would anyone create these powerful tools to exploit these vulnerabilities and common misconfigurations? Why would you teach someone how to do such destructive things? One misunderstanding is that when we build out the labs for these stories we’re downloading dangerous, malware-like software that would be toxic to our network should it get loose. That couldn’t be further from the truth. The tools we cover in this series are all developed by people trying to do good, are quite stable, and are only really dangerous if you use them to do something bad. The people who make these tools are mostly penetration testers working to keep the bad guys out by outsmarting them before they even know they are in a contest. These tools do get used by the bad guys for sure, but the hope of their creators is that by the time the bad guys are using their tools, it’s too late because the tools have already done their job. That job is to expose where things aren’t secure enough so people can get themselves into a better security posture and make sure the bad guy showing up with the same tool won’t stand a chance.
The series up to this point have each been four parts, but this one will be three. Jeff has stolen all the thunder on grabbing elevated privileges, and those, of course, will be needed to make these attacks work as well. Unless you’re one very lucky bad guy, the person who clicks on the phishing email is seldom powerful enough on their own to compromise all the data you’re trying to exfiltrate from an organization. Where we need these rights, I’ll be sure to point it out. So we’re going to get to the good data in three parts:
As we go through each step, we’ll talk about why it was able to happen and how you can make sure it can’t happen to you.
Learn about how STEALTHbits addresses file system security and governance with StealthAUDIT for File Systems.