Scan, Pwn, Next! – exploiting service accounts in Windows networks

Presented at BSidesSF 2016, Feb. 28, 2016, 3 p.m. (55 minutes)

Service accounts are prevalent in Windows networks, but are often mismanaged and ripe for exploitation. Too often these accounts are over-privileged, dual-used (both by human users and automated processes), and have credentials omnipresent in the network. The services that use these accounts are easily discovered, as they are registered as SPNs on the Active Directory, thus presenting a lucrative target for an attacker.In this talk we will discuss how service accounts can be mismanaged and thus exploited, and present new research examining the exposure of service accounts in real-world networks.We will demonstrate exploitation techniques and introduce an open source tool for detecting potentially vulnerable service accounts in Windows networks. We will also discuss how targeted behavioral analytics can be employed to detect potential abuse of service accounts.Armed with the knowledge and tools from this presentation, you can now go and test your own networks - and, perhaps, prevent that sneaky attacker from exploiting your service accounts.

Presenters:

• Matan Hart
  Matan Hart is a security researcher (he doesn't like the term cyber) at CyberArk Labs, where he researches targeted attacks (he doesn't like the term APT neither) and hacking techniques to come up with novel detection and mitigation capabilities. Based on his extensive experience in the IAF and IDF as a forensics investigator and malware analyst, Matan believes that defense is an open field for innovation and improvement - and the bad guys shouldn't always win.
• Andrey Dulkin
  Andrey Dulkin has over 15 years of experience in information security research and development, both in technical and leadership positions. In his current position, Andrey heads the CyberArk Labs, where his research focuses on targeted attacks mitigation, critical infrastructure security, security architecture and various aspects of organizational information systems protection. Andrey is an active member of several cybersecurity forums and a frequent speaker at various security conferences (BSides, RSA, BlackHat, InfoSec, Cybertech and others), and his interests include Internet technologies, machine learning and programming for Android.

Links:

• https://bsidessf2016.sched.com/event/661I/scan-pwn-next-exploiting-service-accounts-in-windows-networks

Similar Presentations:

• BSidesLV 2023 / Passwords: Policies, Securing, Cracking, and More
• BSidesLV 2015 / Privileges in the Real World: Securing Password Management
• DEF CON 27 (2019) / We Hacked Twitter… And the World Lost Their Sh*t Over It!