TrickBot Steals AD Credentials – Expert Comments

Active Directory expert Gerrit Lansing, field CTO at STEALTHbits Technologies, addressed this week’s discovery of a new module for the TrickBot trojan that targets the Active Directory database stored on compromised Windows domain controllers.

Subscribe
Notify of
guest
1 Expert Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Gerrit Lansing
Gerrit Lansing , Field CTO
InfoSec Expert
January 24, 2020 11:27 am

A compromise of NTDS.dit is one of the worst things that can happen to an organization. Not only does it expose the hashes for user credentials that may be brute forced, it also exposes the hash for the KRBTGT account, which is the root of all authentication trust in Active Directory, enabling an attacker to create a \”golden ticket.\” A golden ticket allows an attacker to forge authentication and authorization information, granting them hard-to-detect and unlimited access to the network.

That TrickBot\’s creators and contributors are finding this effort worthwhile suggests that we still have lots to do to improve Active Directory privilege security. Whether a breach begins at a workstation or server, denying the attacker or malware\’s ability to escalate privileges to the domain controller is essential. Organizations should look to solutions that help them deploy strong identity boundaries and eliminate the \”always on\” standing privilege abused by adversaries — whether they be human or malware.

Last edited 2 years ago by Gerrit Lansing
1
0
Would love your thoughts, please comment.x
()
x