TrickBot Steals AD Credentials – Expert Comments

By ISBuzz Team, Writer, Information Security Buzz | Jan 24, 2020 03:25 am PST

Active Directory expert Gerrit Lansing, field CTO at STEALTHbits Technologies, addressed this week’s discovery of a new module for the TrickBot trojan that targets the Active Directory database stored on compromised Windows domain controllers.

Gerrit Lansing , Field CTO
January 24, 2020 11:27 am

A compromise of NTDS.dit is one of the worst things that can happen to an organization. Not only does it expose the hashes for user credentials that may be brute-forced, it also exposes the hash for the KRBTGT account, which is the root of all authentication trust in Active Directory, enabling an attacker to create a "golden ticket." A golden ticket allows an attacker to forge authentication and authorization information, granting them hard-to-detect and unlimited access to the network.

That TrickBot's creators and contributors are finding this effort worthwhile suggests that we still have lots to do to improve Active Directory privilege security. Whether a breach begins at a workstation or server, denying the attacker's or malware's ability to escalate privileges to the domain controller is essential. Organizations should look to solutions that help them deploy strong identity boundaries and eliminate the "always on" standing privilege abused by adversaries — whether they be human or malware.

Last edited 4 years ago by Gerrit Lansing
