Ok so here’s the thing, I do NOT like getting pwn3d! I think you probably would rather your organisation didn’t either!
What I really don’t want to occur is a ransomware event! They suck, they are like a digital bomb going off.
So I’ve knocked up a quick list to get people thinking (these are NOT all the vulnerabilities in networks you should care about... but they are some that could lead to a ransomware event!)
- Weak passwords
- Service accounts vulnerable to “Kerberoasting” attacks
- Insecure Active Directory Certificate Services configurations
- Overly permissive delegations
- Large number of people in high privilege roles/groups
- LDAP NULL Bind
- Passwords in description fields
- Passwords in SYSVOL
- Passwords in Files/SharePoint (ok that’s a bit away from AD but it’s important)
- Lack of MFA on internet facing access (e.g. VPN, Email etc.)
- Servers/PCs with the same local administrator password (vulnerable to pass-the-hash attacks)
- Insecure SCCM Configurations
- Domain-joined backups (e.g. backup infrastructure joined to the corporate domain)
- Virtual infrastructure that is owned by the corporate domain
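A quick PowerShell audit for four of the items above (Kerberoastable service accounts, passwords in description fields, unconstrained delegation and the size of privileged groups), added here as an example and not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined host and an account that can read the directory.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module on a domain-joined host and an account that can read the directory.
Import-Module ActiveDirectory

# 1. Kerberoastable service accounts: user objects that carry an SPN.
#    krbtgt always has one; the rest need long random passwords or a gMSA.
$roastable = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } })

# 2. Passwords (or password hints) left in the description attribute,
#    which every authenticated user can read.
$descHits = @(Get-ADUser -Filter 'Description -like "*pass*" -or Description -like "*pwd*"' `
        -Properties Description |
    Select-Object SamAccountName, Description)

# 3. Overly permissive delegation: unconstrained delegation on computers and
#    users. Domain controllers legitimately have it, so they are filtered out.
$dcs = (Get-ADDomainController -Filter *).Name
$unconstrained = @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
        Where-Object { $dcs -notcontains $_.Name }) +
    @(Get-ADUser -Filter 'TrustedForDelegation -eq $true')

# 4. How many people actually hold high privilege (direct and nested members).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privCounts = foreach ($g in $privGroups) {
    [pscustomobject]@{ Group = $g; Members = @(Get-ADGroupMember $g -Recursive).Count }
}

"== Kerberoastable accounts ($($roastable.Count)) =="
$roastable | Format-Table -AutoSize
"== Descriptions mentioning passwords ($($descHits.Count)) =="
$descHits | Format-Table -AutoSize
"== Unconstrained delegation outside DCs ($($unconstrained.Count)) =="
$unconstrained | Select-Object Name, ObjectClass | Format-Table -AutoSize
"== Privileged group membership =="
$privCounts | Format-Table -AutoSize
```

Anything listed under 1 to 3 is a remediation item; for 4, the question is whether every member really needs standing membership rather than a just-in-time elevation.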
The key thing here is to think about identity planes and what impacts COULD occur.
Take vSphere environments... if your Active Directory environment gets compromised, could a threat actor attack this? What about backups? If everything is linked from an identity point of view... if someone gets to Enterprise or Domain Admin, is everything at risk?
I’ll be looking at this subject again in the future... and at how we can discover, remediate and re-design, so that ransomware (from an encryption perspective) becomes a much less likely event. Do bear in mind that data theft and extortion are still a risk!