Defending the Windows Domain

Chapter in: Cyber Operations (Apress, 2019)

Abstract

A savvy defender understands that they may not be able to prevent a capable attacker from gaining an initial foothold on their network. On any real network, the collection of potential attack vectors is large, and the attacker only needs to be successful once to get that initial foothold. Even something as simple as a phishing attack can be used to obtain that initial shell.


Notes

  1.

    Even by Microsoft standards, this feels more like the incantation of a spell rather than an engineered feature. Kurt Falde, from Microsoft on Microsoft TechNet writes, “So the first thing to make note of with regards to __PSLockDownPolicy is that this setting is completely undocumented from a Microsoft perspective. Yes, I’m a Microsoft employee and No this is not official documentation as to how this works from a Product Group but just my observations on how it seems to work from testing.” https://blogs.technet.microsoft.com/kfalde/2017/01/20/pslockdownpolicy-and-powershell-constrained-language-mode/ . This page also examines the impact of other values of __PSLockdownPolicy.
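The following is an added PowerShell example, not code from the chapter or from Microsoft, showing the mechanism this note describes: setting __PSLockdownPolicy to 4 machine-wide and confirming from a fresh process that Windows PowerShell starts in Constrained Language Mode. It assumes an elevated session on a host with no AppLocker or WDAC policy already governing PowerShell; the value 4 is the one the Falde post identifies as enforcing.

```powershell
# Added example (not the chapter's code). Run elevated: the Machine-scope write goes to HKLM.
# Assumption: no AppLocker/WDAC policy is already forcing a language mode on this host.

# 1. Set the undocumented variable machine-wide. PowerShell reads the Machine-scope value at
#    startup; setting it in this process too means a child inherits it either way.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
$env:__PSLockdownPolicy = '4'

# 2. The session that is already running keeps its language mode; only new processes change.
Write-Output "This session : $($ExecutionContext.SessionState.LanguageMode)"
$newMode = & powershell.exe -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode'
Write-Output "New process  : $newMode"

# 3. What the mode actually buys you: in the new process, arbitrary .NET types cannot be
#    instantiated, which breaks the usual download-and-execute one-liners.
& powershell.exe -NoProfile -Command '[System.Net.WebClient]::new()'

# 4. Clean up. These two lines are also all an attacker with local admin needs to turn the
#    setting off again, which is why it is a speed bump rather than a security boundary.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', $null, 'Machine')
Remove-Item -Path Env:\__PSLockdownPolicy
```

Step 2 is the check that matters: the running session still reports FullLanguage, while the newly started powershell.exe reports ConstrainedLanguage. For production use, the supported route is an AppLocker or WDAC policy in enforce mode, which puts Windows PowerShell 5 and later into Constrained Language Mode without relying on an undocumented variable that any administrator can clear.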

  2.

    Yes, the directory (C:\Windows\System32\WindowsPowerShell\v1.0) is always named v1.0 regardless of the version of Windows PowerShell installed. PowerShell 7 is a separate install under C:\Program Files\PowerShell and does not use this directory.

  3.

    Or did they? Just because a binary has the same name as the binary for Process Explorer, that does not mean that the binary is Process Explorer.

  4.

    Though these five keys are important, and all were used in Chapter 11 to configure persistence, they are not the only ways to use the registry to establish persistence.
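As an added example, not the chapter's code, here is a PowerShell audit of the autorun registry locations most often used for persistence. The key list is my assumption about the commonly abused keys, not a claim about which five keys Chapter 11 configures; the Get-ImagePath helper and the notion of "trusted roots" are likewise constructs of this example.

```powershell
# Added example (not the chapter's code). The key list is an assumption about the most
# commonly abused autorun locations, not the specific keys the chapter uses.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds itself; they are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Images outside these roots get flagged; user-writable locations are the usual tell.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Get-ImagePath([string]$Command) {
    # A value is a command line: "C:\quoted path\x.exe" args, or C:\path\x.exe args.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $image   = Get-ImagePath ([string]$prop.Value)
        $onDisk  = if ($image) { Test-Path -LiteralPath $image } else { $false }
        $trusted = [bool]($trustedRoots | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') })
        [pscustomobject]@{
            Key        = $key
            Name       = $prop.Name
            Command    = [string]$prop.Value
            Image      = $image
            OnDisk     = $onDisk
            # Outside a trusted root, or pointing at a file that is not there (leftover
            # or not-yet-dropped payload): either one deserves a look.
            Suspicious = (-not $trusted) -or (-not $onDisk)
        }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Treat the Suspicious column as a triage hint, not a verdict: plenty of legitimate software (updaters, chat clients) runs from AppData. The same walk can be extended to the Winlogon Userinit and Shell values, services, and scheduled tasks, which is the point the note is making: Run and RunOnce are the start of the list, not the end of it.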

  5.

    This is the same approach used to install Sysmon across a domain in Chapter 10.

  6.

    https://github.com/SwiftOnSecurity/sysmon-config
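Serving notes 5 and 6 together, this added PowerShell example (mine, not the chapter's or the sysmon-config project's) is the per-host step a domain-wide startup script would run: install Sysmon with the SwiftOnSecurity configuration, verify the service and the event log, and run a first query against the data. The C:\Deploy paths and the Sysmon64 service name for a 64-bit install are assumptions for the example.

```powershell
# Added example (not the chapter's code). Assumes Sysmon64.exe and the SwiftOnSecurity
# configuration were copied to C:\Deploy; both paths are assumptions for this example.
$sysmon = 'C:\Deploy\Sysmon64.exe'
$config = 'C:\Deploy\sysmonconfig-export.xml'
$log    = 'Microsoft-Windows-Sysmon/Operational'

# Install, or just push the new configuration if the service already exists.
# -accepteula is what makes the install unattended; without it a startup script
# would stop at the EULA prompt.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmon -c $config
} else {
    & $sysmon -accepteula -i $config
}

# Verify the service is running and that the config loaded: -c with no file
# dumps the active configuration.
Get-Service -Name Sysmon64 | Select-Object Name, Status
& $sysmon -c

# Verify events are flowing: the newest entries in the operational log.
Get-WinEvent -LogName $log -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName

# A first detection built on the data: every process created in the last hour whose
# image is PowerShell, with parent and command line pulled from the event XML.
$filter = @{ LogName = $log; Id = 1; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.Image -match '\\(powershell|pwsh)\.exe$') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data.User
            Parent      = $data.ParentImage
            CommandLine = $data.CommandLine
        }
    }
} | Format-Table -Wrap
```

Parsing the XML rather than regexing the rendered Message text is deliberate: field order and localisation of the message can change, while the EventData names (Image, ParentImage, CommandLine, User) are stable. The SwiftOnSecurity config excludes a lot of benign noise by design, so an empty result for a query is not by itself evidence that nothing happened; check that the relevant rule is included before trusting a negative.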

  7.

    https://doi.org/10.6028/NIST.SP.800-63b . Appendix A is particularly useful.

  8.

    Malware authors are probably going to spend some time obfuscating the name of their malware.

  9.

    https://technet.microsoft.com/en-us/library/dn745900(v=ws.11).aspx

  10.

    https://www.microsoft.com/en-us/download/details.aspx?id=46899

  11.

    Schema Admins is another security group on a Windows domain; it exists only in the forest root domain, and its members can modify the structure (schema) of Active Directory for the whole forest. It is separate from the Domain Admins group, and it should normally be empty: an account is added for the duration of a planned schema change and removed afterwards.
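The following is an added PowerShell example, not the chapter's code, that reports the membership of the highest-privilege groups and flags a non-empty Schema Admins. It assumes the ActiveDirectory RSAT module and read access to group membership; the list of groups checked and the -WhatIf remediation are choices of this example.

```powershell
# Added example (not the chapter's code). Requires the ActiveDirectory module (RSAT) and
# rights to read group membership. Schema Admins and Enterprise Admins exist only in the
# forest root domain, so those two are queried against that domain explicitly.
Import-Module ActiveDirectory
$rootDomain = (Get-ADForest).RootDomain

# Group and the domain to ask. Domain Admins and the builtin Administrators group are
# per domain; this example checks them in the current domain.
$checks = @(
    @{ Group = 'Schema Admins';     Server = $rootDomain }
    @{ Group = 'Enterprise Admins'; Server = $rootDomain }
    @{ Group = 'Domain Admins';     Server = $null }
    @{ Group = 'Administrators';    Server = $null }
)

$report = foreach ($c in $checks) {
    $params = @{ Identity = $c.Group; Recursive = $true }
    if ($c.Server) { $params.Server = $c.Server }
    $members = @(Get-ADGroupMember @params)
    [pscustomobject]@{
        Group   = $c.Group
        Count   = $members.Count
        Members = ($members.SamAccountName | Sort-Object) -join ', '
        # Schema Admins should be empty outside a planned schema change.
        Finding = if ($c.Group -eq 'Schema Admins' -and $members.Count -gt 0) { 'Schema Admins is not empty' } else { '' }
    }
}
$report | Format-Table -AutoSize

# Remediation for the finding, run with -WhatIf so nothing changes until that switch is
# removed. Re-add an account only for the duration of the schema update that needs it.
$schemaMembers = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain)
if ($schemaMembers.Count -gt 0) {
    Remove-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Members $schemaMembers -Confirm:$false -WhatIf
}
```

-Recursive matters here: an account nested two groups deep is still a schema admin, and the flat view most consoles show hides exactly that. Running this on a schedule and diffing the Members column against the previous run is a cheap detector for privilege-group tampering.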

  12.

    This list is taken directly from https://technet.microsoft.com/en-us/library/dn311466(v=ws.11).aspx .

  13.

    https://docs.microsoft.com/en-us/windows/desktop/CIMWin32Prov/settcpipnetbios-method-in-class-win32-networkadapterconfiguration
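As an added PowerShell example, not the chapter's code, here is the SetTcpipNetbios method from the page above applied to every IP-enabled adapter, followed by a re-read to confirm the change. The option values and return codes are those given in Microsoft's documentation for the method; the LLMNR step at the end is an addition of this example.

```powershell
# Added example (not the chapter's code): disable NetBIOS over TCP/IP on every IP-enabled
# adapter with Win32_NetworkAdapterConfiguration.SetTcpipNetbios, then verify.
# TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$results = foreach ($nic in $nics) {
    $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                          -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    [pscustomobject]@{
        Adapter     = $nic.Description
        Before      = $nic.TcpipNetbiosOptions
        # 0 = completed; 1 = completed but a reboot is required (per the method's documentation)
        ReturnValue = $r.ReturnValue
    }
}
$results | Format-Table -AutoSize

# Re-query rather than trusting the cached $nic objects.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions

# NetBIOS name resolution is only half of the legacy name-resolution attack surface; LLMNR is
# the other half and is switched off separately. This is the registry value behind the
# "Turn off multicast name resolution" Group Policy setting.
$llmnr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $llmnr -Force | Out-Null
Set-ItemProperty -Path $llmnr -Name EnableMulticast -Value 0 -Type DWord
```

Both protocols answer name lookups that DNS could not resolve, which is what poisoning tools exploit to capture NTLM authentication. The per-adapter NetBIOS setting applies only to adapters present when the script runs; a newly added adapter comes back at the DHCP-controlled default, so on DHCP-managed networks the DHCP scope option that disables NetBIOS is the more durable control.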

  14.

    /usr/share/doc/python-impacket/examples/psexec.py; see also Chapter 8.

  15.

    https://twitter.com/JohnLaTwC/status/802218490404798464

  16.

    This is not a typographical error - “Bowser” is intended. No, I don’t know what Microsoft was thinking. I seem to say that a lot in these footnotes.

Copyright information

© 2019 Mike O'Leary

Cite this chapter

O’Leary, M. (2019). Defending the Windows Domain. In: Cyber Operations. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-4294-0_12
