TrickBot released a new Active Directory dumping module called ADll in October 2019 that was recently discovered by @sandornemes on January 17th.
The ADll TrickBot module will execute various commands on a Windows domain controller to dump the ntds.dit Active Directory database and various Registry hives. It will then compress these files and exfiltrate them back to the attacker's server.
To illustrate how the attackers can use these files, BleepingComputer created a Windows domain to test the commands on.
Using the saved SYSTEM hive, attackers can use various tools to extract the BootKey. This key is used to decrypt the encrypted ntds.dit database.
Attackers can then utilize the BootKey and various scripts (we used the DSInternals PowerShell modules by @MGrafnetter) to decrypt the AD database and list the accounts and their NTLM password hashes.
These NTLM hashes can be fed into various cracking tools to get access to the plain-text passwords, which can then be used by the attackers to compromise further devices on the network.
Exploiting a Windows Active Directory was incredibly easy. In fact, too easy. Windows administrators should familiarize themselves with how attackers exploit AD services.
There are a lot of good articles out there, but we recommend "Att&cking Active Directory for fun and profit" by @DebugPrivilege: https://identityaccessdotmanagement.files.wordpress.com/2020/01/attcking-ad-for-fun-and-profit-1.pdf
This video by @VK_Intel is also highly recommended: https://www.youtube.com/watch?v=u1XvMcwdvgI
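As an added illustration, not part of the thread and not BleepingComputer's test setup, this is the telemetry rule a defender would want for the first step described above: the ADll module's dump of ntds.dit and the Registry hives runs on the domain controller as ordinary processes, so endpoint logs can flag any process other than lsass.exe that references the ntds.dit database, and any export of the SYSTEM hive, which is what hands over the BootKey. The event records, field names and the process name adll.exe below are all constructed assumptions, not real module output.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """One process/file telemetry record (Sysmon-like; field names are assumed)."""
    host: str
    image: str             # full path of the process executable
    cmdline: str           # command line as logged
    target: str = ""       # file the process read or wrote, if the record has one
    role: str = "member"   # "dc" for domain controllers, "member" otherwise

NTDS_RE = re.compile(r"ntds\.dit", re.IGNORECASE)
# An exported SYSTEM hive: basename SYSTEM, bare or with a common save extension.
HIVE_RE = re.compile(r"^system(\.(hiv|sav|bak))?$", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def classify(ev: Event):
    """Label one event, or return None when it looks benign."""
    proc = basename(ev.image).lower()
    # Only lsass.exe has a legitimate reason to hold ntds.dit open on a DC.
    if (NTDS_RE.search(ev.cmdline) or NTDS_RE.search(ev.target)) and proc != "lsass.exe":
        return "ntds.dit referenced by a process other than lsass.exe"
    # A SYSTEM hive written to disk on a DC exposes the BootKey for the dumped database.
    if ev.target and ev.role == "dc" and HIVE_RE.match(basename(ev.target)):
        return "SYSTEM hive exported on a domain controller (BootKey exposure)"
    return None

def detect(events):
    """Run classify() over a batch and return (host, process, label) findings."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.host, basename(ev.image), label))
    return findings

# Constructed sample telemetry for a DC and a workstation; not real ADll output.
SAMPLE = [
    Event("DC01", r"C:\Windows\System32\lsass.exe", "lsass.exe",
          r"C:\Windows\NTDS\ntds.dit", role="dc"),
    Event("DC01", r"C:\Windows\Temp\adll.exe", "adll.exe dump",
          r"C:\Windows\Temp\ntds.dit", role="dc"),
    Event("DC01", r"C:\Windows\Temp\adll.exe", "adll.exe savehive",
          r"C:\Windows\Temp\SYSTEM.hiv", role="dc"),
    Event("WS07", r"C:\Program Files\7-Zip\7z.exe", "7z.exe a docs.zip docs",
          r"C:\Users\alice\docs.zip"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(*finding, sep=" | ")
```

Running it reports the two adll.exe events on DC01 and stays silent on lsass.exe and on the workstation archive, which is the same signal the later compression-and-exfiltration step would ride on.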