ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Active Directory Malware Defense

    IT Discussion
    4
    6
    535
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • s.hacklemanS
      s.hackleman
      last edited by

      I came across a virus the other day, and I am just brainstorming how it could have been prevented or mitigated. The virus infected a computer, and started looking for AD user names by looking at folder names in C:\Users. It would then attempt to spread to other local computer and repeat. It kept spreading and brute forcing login attempts with these user names and slowly locking out all user accounts. Critical systems were not affected, and this variation was not caught by anti-virus software when it first hit. The question becomes, what if critical systems were hit. What can you change from a design standpoint that would help prevent this kind of attack. My first thought is maybe having a separate domain for critical systems that has a one way trust to the primary domain. My other thought is critical systems shouldn't rely on active directory, but that seems counter intuitive. I just wanted to open up a chat about what best practices exist for mitigating internal brute force attacks.

      scottalanmillerS 1 Reply Last reply Reply Quote 1
      • DustinB3403D
        DustinB3403
        last edited by DustinB3403

        My guess would be process monitoring and killing of said processes.

        I've read about a few different services that search for this kind of behavior and will kill off processes that attempt this, but can't recall their names off hand.

        1 Reply Last reply Reply Quote 0
        • travisdh1T
          travisdh1
          last edited by

          Off the top of my head, the following are the first things that come to mind:

          • User Education

          • App white listing

          • central syslog and/or intrusion detection (OSSIM)

          That's the short list. Antivirus just can't keep up today. Also, app white listing sounds more of a pain that it really is. Just about every web browser that would automatically run something is going to drop the nasty in a very limited number of locations. I just disabled programs from running in those directories.... now granted, I'm only dealing with 3 Windows workstations anymore, but no trouble yet knocks on wood

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            I feel like I just posted this, oh wait, I did. LAN-based security and Active Directory are points of vulnerability here. Not that other things don't carry their own risks. But AD is an old technology and isn't well prepared for this type of security problem.

            Youtube Video

            s.hacklemanS 1 Reply Last reply Reply Quote 2
            • scottalanmillerS
              scottalanmiller @s.hackleman
              last edited by

              @s.hackleman said in Active Directory Malware Defense:

              My other thought is critical systems shouldn't rely on active directory, but that seems counter intuitive.

              Or it seems totally obvious. Depends on your perspective. Doesn't seem counter-intuitive to me whatsoever.

              1 Reply Last reply Reply Quote 2
              • s.hacklemanS
                s.hackleman @scottalanmiller
                last edited by

                @scottalanmiller I sat down when this was first posted and watched the whole thing. I know the future is heading in this direction, I guess it didn't sit in until witnessing it first hand and seeing how real a threat like this can be.

                1 Reply Last reply Reply Quote 3
                • 1 / 1
                • First post
                  Last post