It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into two articles. This article will cover specific updates Microsoft has provided to help protect user credentials. I'll follow up next week to discuss the Kerberos issues in depth.
As a quick reminder, the major takeaway from my previous articles on this subject are that we can successfully protect our privileged domain accounts by taking these 3 steps:
- Avoid interactive logons to untrusted hosts
[Author's Note: This is the 6th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.]
PsExec is an extremely powerful tool and is used commonly in enterprise networks, for both good and evil. Systems administrators and incident responders use it for its flexibility in interacting with remote machines, including a telnet-like ability to run command-line tools on remote machines and receive the output on their local console. Attackers utilize it for the same reasons, providing a convenient way to move laterally and interact with remote machines using compromised credentials.
Given its power, you might wonder what the