Add Windows Privileged Access Reference

This commit is contained in:
pe3zx 2017-12-12 20:20:48 +07:00
parent d7a42ce76c
commit 36f7551a00
2 changed files with 189 additions and 0 deletions

View File

@ -10,6 +10,7 @@ My curated list of awesome links, resources and tools
- [Awesome](#awesome)
- [Anti Forensics](#anti-forensics)
- [Certifications](#certifications)
- [Digital Forensics and Incident Response](#digital-forensics-and-incident-response)
- [Exploitation](#exploitation)
- [Malware Analysis](#malware-analysis)
- [Reverse Engineering](#reverse-engineering)
@ -52,6 +53,11 @@ My curated list of awesome links, resources and tools
- [Offensive Security Certified Professional (OSCP) Review](https://www.jimwilbur.com/2017/07/oscp-review/)
- [OSCP Course & Exam Preparation](https://411hall.github.io/OSCP-Preparation/)
### Digital Forensics and Incident Response
- [Windows Privileged Access Reference](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ATLT_BM)
- Mirror copy of the table is available at [files/dfir/windows-privileged-access.md](files/dfir/windows-privileged-access.md)
### Exploitation
#### Software Exploitation

View File

@ -0,0 +1,183 @@
<table>
<tr>
<th>Connectionmethod</th>
<th>Logon type</th>
<th>Reusable credentials on destination</th>
<th>Comments</th>
</tr>
<tr>
<td>Log on at console</td>
<td>Interactive</td>
<td>v</td>
<td>Includes hardware remote access / lights-out cards and network KVMs.</td>
</tr>
<tr>
<td>RUNAS</td>
<td>Interactive</td>
<td>v</td>
<td></td>
</tr>
<tr>
<td>RUNAS /NETWORK</td>
<td>NewCredentials</td>
<td>v</td>
<td>Clones current LSA session for local access, but uses new credentials when connecting to network resources.</td>
</tr>
<tr>
<td>Remote Desktop (success)</td>
<td>RemoteInteractive</td>
<td>v</td>
<td>If the remote desktop client is configured to share local devices and resources, those may be compromised as well.</td>
</tr>
<tr>
<td>Remote Desktop (failure - logon type was denied)</td>
<td>RemoteInteractive</td>
<td>-</td>
<td>By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.</td>
</tr>
<tr>
<td>Net use * \\SERVER</td>
<td>Network</td>
<td>-</td>
<td></td>
</tr>
<tr>
<td>Net use * \\SERVER /u:user</td>
<td>Network</td>
<td>-</td>
<td></td>
</tr>
<tr>
<td>MMC snap-ins to remote computer</td>
<td>Network</td>
<td>-</td>
<td>Example: Computer Management, Event Viewer, Device Manager, Services</td>
</tr>
<tr>
<td>PowerShell WinRM</td>
<td>Network</td>
<td>-</td>
<td>Example: Enter-PSSession server</td>
</tr>
<tr>
<td>PowerShell WinRM with CredSSP</td>
<td>NetworkClearText</td>
<td>v</td>
<td>New-PSSession server-Authentication Credssp-Credential cred</td>
</tr>
<tr>
<td>PsExec without explicit creds</td>
<td>Network</td>
<td>-</td>
<td>Example: PsExec \\server cmd</td>
</tr>
<tr>
<td>PsExec with explicit creds</td>
<td>Network + Interactive</td>
<td>v</td>
<td>PsExec \\server -u user -p pwd cmdCreates multiple logon sessions.</td>
</tr>
<tr>
<td>Remote Registry</td>
<td>Network</td>
<td>-</td>
<td></td>
</tr>
<tr>
<td>Remote Desktop Gateway</td>
<td>Network</td>
<td>-</td>
<td>Authenticating to Remote Desktop Gateway.</td>
</tr>
<tr>
<td>Scheduled task</td>
<td>Batch</td>
<td>v</td>
<td>Password will also be saved as LSA secret on disk.</td>
</tr>
<tr>
<td>Run tools as a service</td>
<td>Service</td>
<td>v</td>
<td>Password will also be saved as LSA secret on disk.</td>
</tr>
<tr>
<td>Vulnerability scanners</td>
<td>Network</td>
<td>-</td>
<td>Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.</td>
</tr>
<tr>
<td>IIS "Basic Authentication"</td>
<td>NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0)</td>
<td>v</td>
<td></td>
</tr>
<tr>
<td>IIS "Integrated Windows Authentication"</td>
<td>Network</td>
<td>-</td>
<td>NTLM and Kerberos Providers.</td>
</tr>
</table>
<table>
<tr>
<th>Logon type</th>
<th>#</th>
<th>Authenticators accepted</th>
<th>Reusable credentials in LSA session</th>
<th>Examples</th>
</tr>
<tr>
<td>Interactive (a.k.a., Logon locally)</td>
<td>2</td>
<td>Password, Smartcard,other</td>
<td>Yes</td>
<td>Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0)</td>
</tr>
<tr>
<td>Network</td>
<td>3</td>
<td>Password,NT Hash,Kerberos ticket</td>
<td>No (except if delegation is enabled, then Kerberos tickets present)</td>
<td>NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth;</td>
</tr>
<tr>
<td>Batch</td>
<td>4</td>
<td>Password (usually stored as LSA secret)</td>
<td>Yes</td>
<td>Scheduled tasks</td>
</tr>
<tr>
<td>Service</td>
<td>5</td>
<td>Password (usually stored as LSA secret)</td>
<td>Yes</td>
<td>Windows services</td>
</tr>
<tr>
<td>NetworkCleartext</td>
<td>8</td>
<td>Password</td>
<td>Yes</td>
<td>IIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP</td>
</tr>
<tr>
<td>NewCredentials</td>
<td>9</td>
<td>Password</td>
<td>Yes</td>
<td>RUNAS /NETWORK</td>
</tr>
<tr>
<td>RemoteInteractive</td>
<td>10</td>
<td>Password, Smartcard,other</td>
<td>Yes</td>
<td>Remote Desktop (formerly known as "Terminal Services")</td>
</tr>
</table>