TrickBot Steals AD Credentials – Expert Comments

Active Directory expert Gerrit Lansing, field CTO at STEALTHbits Technologies, addressed this week’s discovery of a new module for the TrickBot trojan that targets the Active Directory database stored on compromised Windows domain controllers.

Expert Comments

January 24, 2020
Gerrit Lansing
Field CTO
STEALTHbits Technologies
A compromise of NTDS.dit is one of the worst things that can happen to an organization. Not only does it expose the hashes for user credentials that may be brute forced, it also exposes the hash for the KRBTGT account, which is the root of all authentication trust in Active Directory, enabling an attacker to create a "golden ticket." A golden ticket allows an attacker to forge authentication and authorization information, granting them hard-to-detect and unlimited access to the network. That TrickBot's creators and contributors are finding this effort worthwhile suggests that we still have lots to do to improve Active Directory privilege security. Whether a breach begins at a workstation or server, denying the attacker or malware's ability to escalate privileges to the domain controller is essential. Organizations should look to solutions that help them deploy strong identity boundaries and eliminate the "always on" standing privilege abused by adversaries -- whether they be human or malware.
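The comment above describes why NTDS.dit leaving a domain controller is so damaging; the detection logic below is an added example (not code from the article, from STEALTHbits, or from any TrickBot analysis) showing how a defender might triage domain-controller audit events for access to that file. It assumes object-access auditing (event 4663, with a SACL on ntds.dit) and process-creation auditing with command-line logging (event 4688) are enabled, that the field names are a simplified constructed schema rather than any real SIEM's, and that only lsass.exe should legitimately hold the file open.

```python
import re

# Matches the database file name wherever it sits in a path (case-insensitive).
NTDS_FILE = re.compile(r"(^|\\)ntds\.dit$", re.IGNORECASE)

# Only the directory service itself (lsass.exe) should open ntds.dit on a
# healthy DC. The allow-list is an assumption to tune per environment.
ALLOWED_NTDS_PROCESSES = {r"c:\windows\system32\lsass.exe"}


def classify(event):
    """Return a reason string if the event looks like NTDS.dit access by
    something other than the directory service, else None."""
    eid = event.get("EventID")
    proc = event.get("Process", "").lower()
    if eid == 4663 and NTDS_FILE.search(event.get("Object", "")):
        if proc not in ALLOWED_NTDS_PROCESSES:
            return f"non-lsass process {proc} accessed ntds.dit"
    if eid == 4688 and "ntds.dit" in event.get("CommandLine", "").lower():
        return f"command line references ntds.dit: {event['CommandLine']}"
    return None


def find_ntds_access(events):
    """Reduce a stream of parsed events to (host, reason) pairs worth triage."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.get("Host", "?"), reason))
    return hits


# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 4663, "Host": "dc01", "Process": r"C:\Windows\System32\lsass.exe",
     "Object": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "Host": "dc01", "Process": r"C:\Windows\Temp\svc.exe",
     "Object": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4688, "Host": "dc01", "Process": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4688, "Host": "dc01", "Process": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "whoami"},
]

if __name__ == "__main__":
    for host, reason in find_ntds_access(SAMPLE_EVENTS):
        print(f"[{host}] {reason}")
```

Any hit here should be treated as a potential domain-wide credential exposure, since the KRBTGT hash the comment describes travels with the file.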