Zapezeka chaka chino imalola aliyense wogwiritsa ntchito madambwe kuti apeze ufulu wa oyang'anira madambwe ndi kusokoneza Active Directory (AD) ndi makamu ena olumikizidwa. Lero tikuuzani momwe kuukiraku kumagwirira ntchito komanso momwe mungazindikire.
Umu ndi momwe kuwukiraku kumagwirira ntchito:
- Wowukira amatenga akaunti ya aliyense wogwiritsa ntchito domeni ndi bokosi la makalata logwira ntchito kuti alembetse ku zidziwitso zokankhira kuchokera ku Exchange.
- Wowukirayo amagwiritsa ntchito NTLM relay kunyengerera seva ya Kusinthana: Zotsatira zake, seva ya Kusinthana imalumikizana ndi kompyuta ya wogwiritsa ntchitoyo pogwiritsa ntchito njira ya NTLM pa HTTP, yomwe wowukirayo amagwiritsa ntchito kutsimikizira kwa woyang'anira dera kudzera pa LDAP yokhala ndi zidziwitso za akaunti ya Exchange.
- Wowukirayo amatha kugwiritsa ntchito zidziwitso za akaunti ya Exchange kuti achulukitse mwayi wawo. Gawo lomalizali litha kuchitidwanso ndi woyang'anira wankhanza yemwe ali ndi mwayi wovomerezeka kuti asinthe chilolezo chofunikira. Popanga lamulo kuti muzindikire izi, mudzatetezedwa ku izi ndi zina zofananira.
Pambuyo pake, wowukira atha, mwachitsanzo, kuyendetsa DCSync kuti apeze mawu achinsinsi a ogwiritsa ntchito onse omwe ali mu domain. Izi zidzamulola kuti agwiritse ntchito mitundu yosiyanasiyana ya kuukira - kuyambira kuukira kwa matikiti agolide kupita ku hashi.
Gulu lofufuza la Varonis laphunzira mwatsatanetsatane vector iyi ndikukonza kalozera kuti makasitomala athu azindikire ndipo nthawi yomweyo ayang'ane ngati asokonezedwa kale.
Domain Privilege Escalation Detection
В Pangani lamulo lachizoloŵezi kuti muwone kusintha kwa zilolezo zenizeni pa chinthu. Idzayambika powonjezera maufulu ndi zilolezo ku chinthu chomwe chili ndi chidwi mu domain:
- Tchulani dzina lalamulo
- Khazikitsani gulu kuti "Elevation of Privilege"
- Khazikitsani mtundu wazinthu kukhala "mitundu yonse yazothandizira"
- Fayilo Server = DirectoryServices
- Tchulani dera lomwe mukufuna, mwachitsanzo, ndi dzina
- Onjezani zosefera kuti muwonjezere zilolezo pa chinthu cha AD
- Ndipo musaiwale kusiya kusankha "Sakani muzinthu za ana" osasankhidwa.
Ndipo tsopano lipoti: kuzindikira kwa kusintha kwa ufulu wa chinthu chamtundu
Kusintha kwa zilolezo pa chinthu cha AD ndikosowa, kotero chilichonse chomwe chidayambitsa chenjezoli chiyenera kufufuzidwa. Zingakhalenso lingaliro labwino kuyesa maonekedwe ndi zomwe zili mu lipotilo musanakhazikitse lamulo lokha kunkhondo.
Lipotili likuwonetsanso ngati mwasokonezedwa kale ndi izi:
Lamuloli likangotsegulidwa, mutha kufufuza zochitika zina zonse zachitukuko pogwiritsa ntchito mawonekedwe a DatAlert:
Mukakonza lamuloli, mutha kuyang'anira ndikuteteza ku zovuta zachitetezo izi ndi zina zofananira, fufuzani zochitika ndi zinthu za AD directory services, ndikuwonetsetsa ngati mungakhale pachiwopsezo chachikuluchi.
Source: www.habr.com
