Pirated Win8.1 upgrade to Win10

Date: 2021-01-20
Windows Credentials: Attack, Mitigation, Defense
Chad Tilbury, @chadtilbury
Senior Instructor and Co-Author: FOR500: Windows Forensics; FOR508: Advanced Forensics and Incident Response
E-mail: chad.tilbury@crowdstrike.com
LinkedIn: Chad Tilbury
Twitter: @chadtilbury

About the speaker (slide graphic): Chad Tilbury, Technical Advisor, CrowdStrike Services; SANS Institute; 15+ years; Computer Crime Investigations; CrowdStrike; Mandiant; US Air Force OSI Special Agent

Compromising Credentials
- Priority #1 post-exploitation
- Domain admin is ultimate goal
- Nearly everything in Windows is tied to an account
- Difficult to move without one
- Easy and relatively stealthy means to traverse the network
- Account limitations are rare
- "Sleeper" credentials can provide access after remediation
Attack cycle (diagram): Gain Foothold, Dump Credentials, Move Laterally, Dump Moar Credentials, Achieve Domain Admin, Pillage

Evolution of Credential Attack Mitigation (timeline)
- User Access Control (UAC)
- Managed Service Accounts
- KB2871997
- SSP plaintext password mitigations
- Local admin remote logon restrictions
- Protected Processes
- Restricted Admin
- Domain Protected Users Security Group
- LSA Cache cleanup
- Group Managed Service Accounts
- Credential Guard
- Remote Credential Guard
- Device Guard (prevent execution of untrusted code)

Credential types covered: Hashes, Tokens, Cached Credentials, LSA Secrets, Tickets, NTDS.DIT

Compromising Credentials: Hashes
The password for each user account in Windows is stored in multiple formats: LM and NT hashes are most well known. TsPkg, WDigest, and LiveSSP can be decrypted to provide plaintext passwords (prior to Win8.1).
How are they acquired and used?
- Hashes are available in the LSASS process and can be extracted with admin privileges.
- Once dumped, hashes can be cracked or used immediately in a Pass the Hash attack.
Common tools: Mimikatz, fgdump, gsecdump, Metasploit, SMBshell, PWDumpX, creddump, WCE

Admin Action | Logon Type | Credentials on Target | Notes
Console logon | 2 | Yes* | *Except when Credential Guard is enabled
Runas | 2 | Yes* | *Except when Credential Guard is enabled
Remote Desktop | 10 | Yes* | *Except for enabled Remote Credential Guard
Net Use | 3 | No | Including /u: parameter
PowerShell Remoting | 3 | No | Invoke-Command; Enter-PSSession
PsExec alternate creds | 3+2 | Yes | -u -p
Source: microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material

Hash Dumping (Gsecdump) (screenshot slide)

Pass the Hash (Mimikatz) (screenshot slide)

Defending Credentials: Hashes
- Prevent admin account compromise
- Stop remote interactive sessions with highly privileged accounts
- Proper termination of RDP sessions
- Win8.1+: force the use of Restricted Admin
- Win10: deploy Remote Credential Guard
- Upgrade to Windows 10: Credential Guard
- TsPkg, WDigest, etc. -- SSO creds obsolescence
- Domain Protected Users Group (PtH mitigation)

Compromising Credentials: Tokens
Delegate tokens are powerful authentication resources used for SSO. They allow attackers to impersonate a user's security context, including over the network.
How are they acquired and used?
- The SeImpersonate privilege lets tokens be copied from processes.
- The new token can then be used to authenticate as the new user.
- A target user or service must be logged on or have running processes.
Common tools: Incognito, Metasploit, PowerShell, Mimikatz

Token Stealing (Mimikatz) (screenshot slide)

Defending Credentials: Tokens
- Prevent admin account compromise
- Stop remote interactive sessions with highly privileged accounts
- Proper termination of RDP sessions
- Win8.1+: force the use of Restricted Admin Mode
- Win10: deploy Remote Credential Guard
- Account designation of "Account is Sensitive and Cannot be Delegated" in Active Directory
- Domain Protected Users security group accounts do not create delegate tokens

Compromising Credentials: Cached Credentials
Stored domain credentials to allow logons when domain controller access is unavailable. Most systems cache the last 10 logon hashes by default.
How are they acquired and used?
- Cached credentials must be cracked.
- Hashes are salted and case-sensitive, making decryption very slow.
- These hashes cannot be used for Pass the Hash attacks.
Common tools: cachedump, Metasploit, PWDumpX, creddump

Offline Cached Credentials Extraction (Creddump)
The creddump utilities can extract hashes, cached credentials and LSA Secrets from offline registry hives: github.com/Neohapsis/creddump7 (screenshot slide: Local NT Hashes; Cached Hashes)

Defending Credentials: Cached Credentials
- Prevent admin account compromise
- Limit number of cached logon accounts: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (cachedlogonscount value)
- A cachedlogonscount of zero or one is not always the right answer
- Enforce password length and complexity rules: brute force cracking is required for this attack
- Domain Protected Users security group accounts do not cache credentials

Compromising Credentials: LSA Secrets
Credentials stored in the registry to allow services or tasks to be run with user privileges. In addition to service accounts, may also hold application passwords like VPN or auto-logon credentials.
How are they acquired and used?
- Administrator privileges allow access to encrypted registry data and the keys necessary to decrypt.
- Passwords are plaintext.
Common tools: Cain, Metasploit, Mimikatz, gsecdump, PWDumpX, creddump, PowerShell

Decrypting LSA Secrets (Nishang)
Get-LsaSecret.ps1 from the Nishang PowerShell pentest framework used to dump (and decrypt) LSA Secrets: https://github.com/samratashok/nishang (screenshot slide)

Defending Credentials: LSA Secrets
- Prevent admin account compromise
- Do not employ services or schedule tasks requiring privileged accounts on low trust systems
- Reduce number of services that require domain accounts to execute
- Heavily audit any accounts that must be used
- (Group) Managed Service Accounts

Compromising Credentials: Tickets
Kerberos issues tickets to authenticated users that can be reused without additional authentication. Tickets are cached in memory and are valid for 10 hours.
How are they acquired and used?
- Tickets can be stolen from memory and used to authenticate elsewhere (Pass the Ticket).
- Further, access to the DC allows tickets to be created for any user with no expiration (Golden Ticket).
- Service account tickets can be requested and forged, including offline cracking of service account hashes (Kerberoasting).
Common tools: Mimikatz, WCE, kerberoast

Pass the Ticket (Mimikatz) (screenshot slide)

Kerberos Attacks
- Pass the Ticket: Steal ticket from memory and pass or import on other systems
- Overpass the Hash: Use NT hash to request a service ticket for the same account
- Kerberoasting: Request service ticket for highly privileged service & crack NT hash
- Golden Ticket: Kerberos TGT for any account with no expiration. Survives full password reset
- Silver Ticket: All-access pass for a single service or computer
- Skeleton Key: Patch LSASS on domain controller to add backdoor password that works for any domain account

Defending Credentials: Tickets
- Credential Guard (Win10+)
- Domain Protected Users Group (Win8+), for some attacks
- Remote Credential Guard (Win10+)
- Restricted Admin (Win8+)
- Long & complex passwords on service accounts (to prevent Kerberoasting)
- Change service account passwords regularly
- Group Managed Service Accounts are a great mitigation
- Audit service accounts for unusual activity
- Change KRBTGT password regularly (yearly)

Kerberos Attack Mitigations
Attack Type | Description | Mitigation
Pass the Ticket | Steal ticket from memory and pass or import on other systems | Credential Guard; Remote Credential Guard
Overpass the Hash | Use NT hash to request a service ticket for the same account | Credential Guard; Protected Users Group; Disable RC4 authentication
Kerberoasting | Request service ticket for highly privileged service & crack NT hash | Long and complex service account passwords; Managed Service Accounts
Golden Ticket | Kerberos TGT for any account with no expiration. Survives full password reset | Protect domain admin accounts; Change KRBTGT password regularly
Silver Ticket | All-access pass for a single service or computer | Regular computer account password updates
Skeleton Key | Patch LSASS on domain controller to add backdoor password to any account | Protect domain admin accounts; Smartcard usage for privileged accounts

Compromising Credentials: NTDS.DIT
Active Directory Domain Services (AD DS) database holds all user and computer account hashes (LM/NT) in the domain. Encrypted, but algorithm is well known and easy to defeat.
How is it acquired and used?
- Located in the \Windows\NTDS folder on the domain controller.
- The file is locked, so admin access is required to load a driver to access raw disk, or use the Volume Shadow Copy Service.
Common tools: ntdsutil, VSSAdmin, NTDSXtract, VSSOwn.vbs, PowerShell, ntdsdump

Stealing NTDS.DIT (console command history output)
CommandProcess: conhost.exe Pid: 141716
CommandHistory: 0x1b8f80 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 12 LastAdded: 11 LastDisplayed: 11
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x196970: vssadmin list shadows
Cmd #1 @ 0x1bd240: cd \
Cmd #2 @ 0x1b9290: dir
Cmd #3 @ 0x1bd260: cd temp
Cmd #4 @ 0x1b92b0: dir
Cmd #5 @ 0x19c6a0: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM .
Cmd #6 @ 0x19c760: dir
Cmd #7 @ 0x19c780: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM .
Cmd #8 @ 0x19c830: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.dit .
Cmd #9 @ 0x1c1ab0: dir

Defending Credentials: NTDS.DIT
- Don't allow Domain Admin accounts to be compromised.
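As an added example (not part of the deck), the following Python routine parses console command history of the kind shown in the Stealing NTDS.DIT slide and flags copies of SYSTEM, SAM or ntds.dit taken through a shadow-copy device path, which is the defender-side artifact of that technique. The sample output is constructed and modelled on the slide; the regular expressions and file list are assumptions for this illustration.

```python
"""Flag shadow-copy reads of credential stores in recovered console command
history (the Volatility-style CommandHistory text shown in the deck)."""
import re

# Files whose copy out of a shadow copy is a strong NTDS.DIT/SAM theft indicator
CREDENTIAL_STORES = ("ntds.dit", "config\\sam", "config\\system", "config\\security")
CMD_LINE = re.compile(r"Cmd #(\d+) @ 0x[0-9a-f]+: (.*)", re.IGNORECASE)
SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)


def parse_commands(cmdscan_output):
    """Return [(index, command)] for every 'Cmd #N @ 0x...: ...' line."""
    commands = []
    for line in cmdscan_output.splitlines():
        m = CMD_LINE.search(line)
        if m:
            commands.append((int(m.group(1)), m.group(2).strip()))
    return commands


def shadow_copy_theft_indicators(cmdscan_output):
    """Return the commands that read a credential store through a shadow-copy
    device path, and whether 'vssadmin list shadows' was run in the same history."""
    commands = parse_commands(cmdscan_output)
    listed = any(c.lower().startswith("vssadmin list shadows") for _, c in commands)
    hits = [c for _, c in commands
            if SHADOW_PATH.search(c) and any(s in c.lower() for s in CREDENTIAL_STORES)]
    return {"enumerated_shadows": listed, "credential_store_reads": hits}


# Constructed sample modelled on the slide's console history (not the real dump)
SAMPLE = r"""CommandProcess: conhost.exe Pid: 1234
CommandHistory: 0x1b8f80 Application: cmd.exe Flags: Allocated, Reset
Cmd #0 @ 0x196970: vssadmin list shadows
Cmd #1 @ 0x1bd240: cd \
Cmd #2 @ 0x1b9290: dir
Cmd #3 @ 0x19c6a0: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM .
Cmd #4 @ 0x19c780: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM .
Cmd #5 @ 0x19c830: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.dit .
Cmd #6 @ 0x1c1ab0: dir
"""
```

Running `shadow_copy_theft_indicators(SAMPLE)` reports the shadow enumeration and the three credential-store copies; the same check applies to command-line auditing records, not only memory-carved console history.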
Credential Attack Detection

"As any pass-the-ticket attack, the attacker replays the golden ticket in a standard Kerberos protocol. Therefore, there is no clear indication of such attack in Windows logs."

"Golden Ticket events may have one of these issues: The Account Domain field is blank when it should be DOMAIN. The Account Domain field is DOMAIN FQDN when it should be DOMAIN." – Sean Metcalf, adsecurity.org

As an example… Kerberoasting uses RC4 encryption downgrade (but almost no one logs these events)

Credential Attack Detection
Authentication Auditing: Mapping Admin$ Shares; PsExec; Scheduled Tasks; VSSAdmin; RDP/VPN activity
Tool Artifacts: New Services; Random File/Hostnames; Code Injection; Crashes and Security Alerts
Behavioral Analysis: Local Admin Account Use; Domain Admin Anomalies; Service Account Anomalies; Workstation-to-workstation connections

Credential Attack Detection (continued)
- Event logs are critical for detection
- Authentication events (EID 4624, 4762, 4648, 4720, etc.)
- New services (EID 7045)
- Application and Process Crashes
- Failed and anomalous SMB activity (EID 5140)
- AV/Security logs
- Domain Protected User security group logs: Applications and Services Logs\Microsoft\Windows\Microsoft\Authentication
- Process tracking: Command line captures; PowerShell auditing

Credential Attack Detection: Pass the Hash (screenshot slide)

Credential Attack Detection: PsExec and fgdump (screenshot slide)
Initiation of two near-simultaneous services by helpdesk account

Credential Attack Detection: LSASS Crash (screenshot slide)
System Event Log; Application Event Log
**Review and correlate your Anti-Virus logs**

Credential Attack Detection: Capturing Command Lines (screenshot slide)

Credential Attack Detection: Other Data Sources
Registry changes:
- Disabled computer account pwd updates (Silver Tickets): SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, DisablePasswordChange = 1
- Enabled WDigest credentials (post Win8.1): SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest, UseLogonCredential = 1
Memory Analysis:
- Process injection
- Loaded drivers
Kernel-level security agent detections
Behavioral Analytics

Credential Best Practices

Best Practices: Control Your Admin Accounts
Restrict and Protect Privileged Domain Accounts
- Reduce the number of Domain/Enterprise Admins
- Enforce multi-factor authentication (MFA) for all network and cloud admin accounts
- Separate administrative accounts from user accounts for administrative personnel
- Create specific administrative workstation hosts for administrators
- Use the Domain Protected Users security group!

Best Practices: Control Your Admin Accounts (2)
Limit Local Admin Accounts
- Don't give users admin
- Unique and complex passwords for local admin (LAPS)
- Deny network logons for local accounts
- Audit account usage and monitor for anomalies
Image source: Local Administrator Password Solution, https://technet.microsoft.com/en-us/mt227395.aspx

Best Practices: Control Your Admin Accounts (3)
Use a Tiered Administrative Access Model: Administration of AD; Servers and Applications; Workstations and Devices
Image source: Securing Privileged Access Reference Material by Corey Plett (Microsoft)

Best Practices: Reduce the Credential Attack Surface
- Audit and limit the number of services running as system and domain accounts
- Utilize Group Managed Service Accounts …or regularly change and use long & complex passwords
- Upgrade to Windows 10 / Server 2016
- Enable Credential Guard & Remote Credential Guard
- Force LSASS as protected process on legacy Win8.1
- Establish remote connections using network logon instead of interactive logon when possible

Best Practices: Reduce the Credential Attack Surface (2)
- Limit workstation to workstation communication
- Restrict inbound NetBIOS, SMB traffic using the Windows Firewall …or VLAN segmentation of workstations
- So many hack tools leverage SMB authentication
- Is workstation to workstation RDP really necessary?
- Enable stricter Kerberos security: Disable LM & NTLM (force Kerberos); Short validity for tickets; No account delegation

Increase Awareness of New Attacks
Chart by Benjamin Delpy: https://goo.gl/1K3AC7

Materials from: http://dfir.to/FOR508
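As an added example that is not part of the deck, the following Python code implements two of the detection ideas from the Credential Attack Detection slides: the Golden Ticket Account Domain anomaly quoted from Sean Metcalf (the field blank, or the FQDN where the NetBIOS DOMAIN is expected, on a 4624 logon event) and the near-simultaneous service installs (EID 7045) by one account from the PsExec/fgdump slide. The domain names, account names, event records and the 5-second window are constructed assumptions.

```python
"""Two credential-attack detections from the deck, applied to constructed
Windows event records: Golden Ticket Account Domain anomalies and
near-simultaneous service installs by one account (PsExec/fgdump pattern)."""
from datetime import datetime, timedelta

NETBIOS_DOMAIN = "CORP"           # hypothetical short (NetBIOS) domain name
DOMAIN_FQDN = "corp.example.com"  # hypothetical FQDN of that same domain


def golden_ticket_field_anomaly(event):
    """For a 4624 logon event, return a reason string when the Account Domain
    field shows one of the Golden Ticket anomalies, otherwise None."""
    if event.get("EventID") != 4624:
        return None
    domain = event.get("TargetDomainName", "")
    if domain == "":
        return "Account Domain blank; expected " + NETBIOS_DOMAIN
    if domain.lower() == DOMAIN_FQDN.lower():
        return "Account Domain is FQDN; expected " + NETBIOS_DOMAIN
    return None


def near_simultaneous_services(events, window_seconds=5):
    """Return (account, [service, service]) pairs for 7045 events where the
    same account installed two services within window_seconds of each other."""
    svc = sorted((e for e in events if e.get("EventID") == 7045),
                 key=lambda e: e["Time"])
    hits = []
    for i, first in enumerate(svc):
        for second in svc[i + 1:]:
            if second["Time"] - first["Time"] > timedelta(seconds=window_seconds):
                break  # sorted by time, so later events are further apart
            if first["Account"] == second["Account"]:
                hits.append((first["Account"], [first["Service"], second["Service"]]))
    return hits


# Constructed sample events (not real log data); PSEXESVC is PsExec's service
# name, "svchlp" is a made-up second service standing in for a dump tool.
T0 = datetime(2021, 1, 20, 9, 0, 0)
SAMPLE = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP", "Time": T0},
    {"EventID": 4624, "TargetUserName": "admin", "TargetDomainName": "", "Time": T0},
    {"EventID": 4624, "TargetUserName": "admin", "TargetDomainName": "corp.example.com", "Time": T0},
    {"EventID": 7045, "Account": "CORP\\helpdesk", "Service": "PSEXESVC", "Time": T0},
    {"EventID": 7045, "Account": "CORP\\helpdesk", "Service": "svchlp", "Time": T0 + timedelta(seconds=2)},
    {"EventID": 7045, "Account": "CORP\\svc_backup", "Service": "BackupAgent", "Time": T0 + timedelta(minutes=10)},
]
```

Both functions take plain dictionaries so they can be fed from exported event XML or a SIEM query; the Golden Ticket check is only meaningful if the deck's authentication auditing (4624, 4672 and related events) is actually collected from domain controllers.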
