Halligan (halligan@infosec.exchange), Friday, 29-Sep-2023 05:37:19 JST:
@tinker As a defender, when you are doing your audit for stale, abandoned accounts to clear out and delete, don't. Make some of them canaries. They look just like old, forgotten-about accounts 'cause they are :)
Tinker ☀️ (tinker@infosec.exchange), Friday, 29-Sep-2023 05:37:20 JST:
Hackers / Pentesters - Wanna sniff out canary tokens?
Ya worried the blue team seeded fake credentials throughout their environment? Put them in LSASS, LSA, or even that suspicious "too good to be true" passwords.txt file?
Ya worried that if you use those creds, blue team will get alerted that you used them because no one ever uses those creds and any login attempt triggers massive alarms?!?!?!
Just dump Active Directory (with other valid creds) via LDAP and go through the resulting LDIF.
Look up the sus account and look for the parameter "lastLogon": was it a while back? Has anyone used the account in a while?
Now look for the parameter "pwdLastSet": is it close to the lastLogon? Did blue team set the password, set the alert, and then leave it to sit?
If they are recent dates, maybe it's a new hire. So maybe it's fine.
But if it's older... that's a little suspicious.
Look for other parameters and paint a picture. Look at passwordExpirationTime: is it 0? Look at accountExpires: is it set for near forever (or a long way off)?
Big thing is, compare it to other accounts, especially accounts you know are good. Look at normal, then conduct anomaly analysis and see how your sus account stacks up against known good or known normal.
Active Directory gives a lot of information. Dive into it.
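The procedure described in the post above, written out as a script that reads an LDIF dump and ranks accounts by the indicators Tinker lists. This is an added example, not code from the thread or from either poster. The attribute names (lastLogon, lastLogonTimestamp, pwdLastSet, accountExpires, userAccountControl) are real Active Directory attributes, but the LDIF entries, the reference date and the thresholds (180-day stale floor, 7-day pwdLastSet-to-logon gap, 30-day new-hire window, 4x the population median for "idle") are constructed and arbitrary. For the "password never expires" check it reads the DONT_EXPIRE_PASSWD bit of userAccountControl, and it prefers the replicated lastLogonTimestamp over lastLogon when both are present.

```python
# Added example: triage an LDIF dump for seeded canary accounts. Not from the
# original thread; sample data, reference date and thresholds are constructed.
import base64
from datetime import datetime, timedelta, timezone
from statistics import median

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MAX = 0x7FFFFFFFFFFFFFFF
NEVER = {0, INT64_MAX}           # accountExpires sentinels meaning "never"
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit

def filetime_to_dt(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; None for 0/never."""
    ticks = int(value)
    return None if ticks in NEVER else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_ldif(text):
    """Minimal LDIF reader: unfolds lines, decodes 'attr:: base64', splits on blank lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]              # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):              # 'attr:: <base64>'
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.strip(), []).append(rest.strip())
    return entries

def first(entry, attr, default=None):
    return entry[attr][0] if entry.get(attr) else default

def profile(entry, now):
    """Pull out the indicators the post describes for one user object."""
    # lastLogon is per-DC and not replicated; prefer the replicated lastLogonTimestamp.
    last_logon = filetime_to_dt(first(entry, "lastLogonTimestamp") or first(entry, "lastLogon") or 0)
    pwd_set = filetime_to_dt(first(entry, "pwdLastSet", 0))
    uac = int(first(entry, "userAccountControl", 0))
    return {
        "sam": first(entry, "sAMAccountName", "?"),
        "idle_days": (now - last_logon).days if last_logon else None,
        "pwd_to_logon_days": abs((last_logon - pwd_set).days) if last_logon and pwd_set else None,
        "account_never_expires": filetime_to_dt(first(entry, "accountExpires", 0)) is None,
        "pwd_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
    }

def score_accounts(entries, now, new_hire_days=30, stale_floor_days=180):
    """Rank accounts by indicators tripped, judged against the population's median idle time."""
    profiles = [profile(e, now) for e in entries if "sAMAccountName" in e]
    seen = [p["idle_days"] for p in profiles if p["idle_days"] is not None]
    baseline_idle = median(seen) if seen else 0
    stale_after = max(stale_floor_days, 4 * baseline_idle)   # tunable heuristic
    ranked = []
    for p in profiles:
        reasons, idle, gap = [], p["idle_days"], p["pwd_to_logon_days"]
        recent = idle is not None and idle <= new_hire_days   # plausibly a new hire
        if idle is None:
            reasons.append("never logged on")
        elif idle > stale_after:
            reasons.append(f"idle {idle}d vs population median {baseline_idle:.0f}d")
        if gap is not None and gap <= 7 and not recent:
            reasons.append(f"pwdLastSet within {gap}d of last logon, then left alone")
        if p["account_never_expires"] and p["pwd_never_expires"]:
            reasons.append("account and password never expire")
        ranked.append((p["sam"], reasons))
    return sorted(ranked, key=lambda r: -len(r[1]))

# Constructed sample dump (not real data); NOW is the analysis reference date.
NOW = datetime(2023, 9, 29, tzinfo=timezone.utc)
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)

def _entry(sam, pwd_set, last_logon, expires, uac, extra=()):
    return "\n".join([
        f"dn: CN={sam},OU=Users,DC=corp,", " DC=example",   # folded dn line
        "objectClass: user", f"sAMAccountName: {sam}",
        f"pwdLastSet: {dt_to_filetime(pwd_set)}",
        f"lastLogonTimestamp: {dt_to_filetime(last_logon) if last_logon else 0}",
        f"accountExpires: {dt_to_filetime(expires) if expires else INT64_MAX}",
        f"userAccountControl: {uac}", *extra]) + "\n"

SAMPLE_LDIF = "version: 1\n\n" + "\n".join([
    _entry("alice", _d(2023, 6, 1), _d(2023, 9, 28), None, 512),
    _entry("bob", _d(2023, 4, 15), _d(2023, 9, 27), None, 512),
    _entry("carol", _d(2023, 9, 20), _d(2023, 9, 22), None, 512),          # new hire
    _entry("tmp_contractor", _d(2023, 9, 1), None, _d(2024, 3, 1), 512),   # never logged on
    _entry("svc_legacy", _d(2021, 3, 10), _d(2021, 3, 11), None, 512 | UF_DONT_EXPIRE_PASSWD,
           extra=["description:: " + base64.b64encode(b"Backup service account").decode()]),
])

if __name__ == "__main__":
    for sam, reasons in score_accounts(parse_ldif(SAMPLE_LDIF), NOW):
        print(f"{sam:15} {len(reasons)}  {'; '.join(reasons) or 'looks normal'}")
```

Two caveats when running this against a real dump. lastLogon is maintained separately on each domain controller, so a value pulled from one DC can understate how recently the account was used; lastLogonTimestamp is replicated but, by default, is only rewritten when the stored value is more than 14 days old, so it is coarse rather than exact. Feed the whole user population in, not a handful of accounts, so the median baseline the ranking compares against actually reflects "normal" for that environment, which is the comparison the post is driving at.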