Active Directory expert Gerrit Lansing, field CTO at STEALTHbits Technologies, addressed this week’s discovery of a new module for the TrickBot trojan that targets the Active Directory database stored on compromised Windows domain controllers.

A compromise of NTDS.dit is one of the worst things that can happen to an organization. Not only does it expose the hashes for user credentials that may be brute forced, it also exposes the hash for the KRBTGT account, which is the root of all authentication trust in Active Directory, enabling an attacker to create a “golden ticket.” A golden ticket allows an attacker to forge authentication and authorization information, granting them hard-to-detect and unlimited access to the network.
That TrickBot’s creators and contributors are finding this effort worthwhile suggests that we still have lots to do to improve Active Directory privilege security. Whether a breach begins at a workstation or server, denying the attacker or malware’s ability to escalate privileges to the domain controller is essential. Organizations should look to solutions that help them deploy strong identity boundaries and eliminate the “always on” standing privilege abused by adversaries — whether they be human or malware.