It is striking how many responders have handed their domain credentials to the very adversaries they were investigating, simply by logging in to a compromised system to perform IR, or by running a tool as common as PsExec from Sysinternals against it. Tomorrow Mike Pilkington is giving a talk on the proper way to interact with the remote systems you are investigating, so that you do not accidentally help the group you are tracking while doing IR. This is a topic where I realized I had been bitten by the bug of doing it the “wrong way”. Windows is incredibly complex, and understanding this series will make it easier for you not to “make the problem worse” while performing IR.
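As an added example (not code from the original post or from Mike Pilkington's series), the following PowerShell shows one way to check, after the fact, which of your own logons to a suspect host left reusable credentials on it. It relies on the standard logon-type semantics of Security event 4624: a type 3 network logon (a plain `psexec \\host cmd` under your current token, `net use`, WMI) does not cache your credentials on the target, while interactive-style logons (console, RDP, `runas`, or a remote service logging on with credentials you supplied) do. The account `CORP\ir-admin`, the host `SUSPECT-HOST`, and the sample event records are constructed for the example.

```powershell
# Added example, not part of the original post. Classifies 4624 logons of an IR
# account by whether the logon type leaves reusable credentials on the target host.
# Logon types 2 (Interactive), 4 (Batch), 5 (Service), 8 (NetworkCleartext),
# 9 (NewCredentials, e.g. runas /netonly), 10 (RemoteInteractive) and
# 11 (CachedInteractive) require the target to hold the account's credential
# material in LSASS; type 3 (Network) does not.

$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Logon types whose credentials end up cached on the target host.
$CredentialCachingTypes = 2, 4, 5, 8, 9, 10, 11

function Get-PrivilegedLogonExposure {
    # Returns every 4624 logon for $Account (DOMAIN\user) with a CredsCachedHere flag.
    # $Events are objects with TimeCreated, TargetDomainName, TargetUserName,
    # LogonType, IpAddress and WorkstationName (the shape ConvertFrom-Event4624 emits).
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $Account
    )
    $domain, $user = $Account -split '\\', 2
    foreach ($e in $Events) {
        if ($e.TargetUserName -ne $user -or $e.TargetDomainName -ne $domain) { continue }
        $type = [int]$e.LogonType
        [pscustomobject]@{
            TimeCreated     = $e.TimeCreated
            LogonType       = $type
            LogonTypeName   = $LogonTypeName[$type]
            SourceAddress   = $e.IpAddress
            Workstation     = $e.WorkstationName
            CredsCachedHere = $CredentialCachingTypes -contains $type
        }
    }
}

function ConvertFrom-Event4624 {
    # Flattens a live 4624 record from Get-WinEvent into the shape used above.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated      = $Record.TimeCreated
            TargetDomainName = $d['TargetDomainName']
            TargetUserName   = $d['TargetUserName']
            LogonType        = $d['LogonType']
            IpAddress        = $d['IpAddress']
            WorkstationName  = $d['WorkstationName']
        }
    }
}

# Constructed sample: three ways of reaching the same suspect host, plus an unrelated account.
$sample = @(
    # RDP to the box to "take a look": your credentials are now in its LSASS.
    [pscustomobject]@{ TimeCreated = '2012-05-01 09:01'; TargetDomainName = 'CORP'; TargetUserName = 'ir-admin'; LogonType = 10; IpAddress = '10.0.0.5'; WorkstationName = 'IR-WKS' }
    # psexec \\host -u CORP\ir-admin -p ... : the remote service logs on with the
    # credentials you supplied, so they are present on that host.
    [pscustomobject]@{ TimeCreated = '2012-05-01 09:05'; TargetDomainName = 'CORP'; TargetUserName = 'ir-admin'; LogonType = 2;  IpAddress = '10.0.0.5'; WorkstationName = 'IR-WKS' }
    # psexec \\host cmd under your current token: network logon, nothing cached.
    [pscustomobject]@{ TimeCreated = '2012-05-01 09:10'; TargetDomainName = 'CORP'; TargetUserName = 'ir-admin'; LogonType = 3;  IpAddress = '10.0.0.5'; WorkstationName = 'IR-WKS' }
    # Unrelated service account; filtered out by the account match.
    [pscustomobject]@{ TimeCreated = '2012-05-01 09:11'; TargetDomainName = 'CORP'; TargetUserName = 'svc-backup'; LogonType = 5; IpAddress = '-'; WorkstationName = '-' }
)

# Offline run against the constructed sample: two of the three ir-admin logons are flagged.
Get-PrivilegedLogonExposure -Events $sample -Account 'CORP\ir-admin' | Format-Table -AutoSize

# Live run against a host (placeholder name), last 7 days. Reading the remote
# event log this way is itself a network logon and does not cache your credentials there.
# $live = Get-WinEvent -ComputerName 'SUSPECT-HOST' -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
#             ConvertFrom-Event4624
# Get-PrivilegedLogonExposure -Events $live -Account 'CORP\ir-admin' | Where-Object CredsCachedHere
```

Any row with `CredsCachedHere` set to true means the account should be treated as exposed to whoever controls that host, and the password (and any Kerberos tickets) rotated. One caveat on the "type 3 is safe" rule: if the compromised host's computer account is trusted for unconstrained Kerberos delegation, even a network logon forwards your TGT to it, so check the delegation setting on the target before relying on this classification.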
From Mike - “Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so I set off on a journey to research attacks against domain credentials, and in particular, their implication for incident responders. I’ve presented on this topic a few times and now I will (finally) take the time to document my findings. This is the first article in what will be a multi-part series on this research. I find this to be a fascinating topic and one which should be of interest to the entire IR community. That said, be forewarned that these articles will not be quick reads. If you’ll stick with me though, I believe it will be worth your time because you should walk away knowing exactly what you can and cannot do safely with your privileged domain accounts.”
BLOG SERIES