Corporate Intrusion #

Privilege escalation #

An attacker starts with no privilege and no ability to access anything
- Initial entry point: sending a fake PDF to a lawyer, sending a fake Excel spreadsheet to an accountant, etc
Attackers want to end with privileges necessary for their objectives
Escalation may happen remotely or locally

Limited accounts (jails) - programs run with limited privileges to trap any attackers who successfully compromise them
Normal user account - ability to run programs and access data in home and shared directories; but cannot install software and access data from other users
Administrator/root - highest privileged user account, can access anything on the device but cannot necessarily modify OS itself
Service accounts - used by software that runs in the background, has lots of power but cannot modify running system
System/kernel - fully privileged to interact directly with hardware, access all data, modify running system

Computers on a corporate network are managed by a central authority (i.e., IT department) to provide a consistent environment
Corporate endpoints (i.e., user laptops, servers, other equipment) connect to corporate domain server that manages endpoints

To exploit:

Send payload (i.e., compromised Excel file or phishing email) to endpoint
Example: attack via legal department, malware jumps from endpoint to domain server which can then attack more endpoints
However, modern firewalls can do detection of data exfiltration

A hash is a function that creates a “fingerprint” of an arbitrary input that is

Brute-force (alphabetical) attack
- Computationally expensive, many strings unlikely to be passwords
Dictionary attack: maintain dictionary of common passwords, check them all
Can do password cracking with GPUs for speedup

Exploit engineered by NSA in Microsoft Windows SMB server (file sharing protocol for local servers)
- Functionality was enabled for all Windows computers as late as 2017
Leaked by hacking group Shadow Brokers in April 2017