Feature request: Impact report #168

Open
ruppde opened this issue Mar 15, 2023 · 6 comments

Comments

@ruppde
Contributor

ruppde commented Mar 15, 2023

So far most metrics show how difficult it would be to attack an AD, but PingCastle already has a lot of data which can show the impact of that actually happening. It would be useful to show management, in a short section, how many eggs are actually in the same basket and what would happen if it gets broken:

  • number of servers, desktops, users, services, non-Windows systems, ... (from the operating systems list)
  • trusts which could be abused to break even more baskets
  • cloud
  • Exchange servers
  • this would be a bit of work: check if the backup servers are also attached to the AD and could therefore be wiped by a ransomware gang in one go. Could be done by checking for strings like backup, veritas, netbackup, ... in the names of servers and accounts.
@vletoux
Contributor

vletoux commented Mar 15, 2023

The information you described is already in the report (which contains a lot of data).
For the backup servers, I'll be happy if you can share some algorithm, at least for a few brands.

@ruppde
Contributor Author

ruppde commented Mar 15, 2023

It would be great to have all of that in one screenshotable area with the title "Impact of a theoretical compromise of domain ..." because lots of management (and security) people don't understand the importance of an AD. Hey, it's 2h of work and will increase your sales like "wow, what are we doing to prevent this?" :)

Searching should be done in the names and descriptions of users, groups, OUs, services. Title maybe "Potential AD-joined backup servers".

Here's a list of backup software. I included some regex-ish .? in places where somebody might include a dash or underscore. Also included some generic terms like restore and tape. With backup it might hit on stuff like a fallback-server or a backup-connection, so including that is a decision between missing stuff and false positives. Maybe leave it out in the first run?

(backup ??)
Acronis
CyberProtect
BackupExec
CloudBerry 
MSP360
Commvault
Crashplan
NetWorker
Data.?Protector
Spectrum.?Protect 
Tivoli.?Storage 
Storage.?Manager
NetVault 
Retrospect
Rubrik
SpiderOak
Syncovery
Tonido 
Veeam 
Bacula
Duplicati
Restore
Cohesity
Druva
Nakivo
Zerto
StorageCraft
Backupify
Datto
NearStore
Tape

would be happy to test drive it.

have some memes :)


@vletoux
Contributor

vletoux commented Mar 17, 2023

It's not that simple.
For each backup software, an algorithm has to be designed to do the match
(special schema extension? service point?)
There are also some edge cases: if the backup of tier 0 is done offline, tier 1 may be connected

Looking for keywords is not effective:
Imagine a word partially matching any regular expression

Comments are even worse

@ruppde
Contributor Author

ruppde commented Mar 17, 2023

Yes, it would be really lots of work to make it perfect. But why not start with an informational rule titled "Potential AD-joined backup servers"? If that shows a bunch of entries, the pentester/ISO can ask his backup team(s) for the details.

@An-dir

An-dir commented Aug 2, 2023

I can't think of any algorithm that could get this data in a way that would fit into PingCastle. There are a lot of possible false positives if you focus on getting the data from Active Directory.

  • Computer objects of old backup servers may still be there but no longer be used for backup.
  • Some vendors have other software; not all of it is related to backup.

It is a BAD idea to have backup servers (and anything that can control them and the backup data) in the AD. This information should be in the "Anomalies" -> "Backup" area, and it could also include more details about what was backed up (each NC), like Repadmin.exe /showbackup does. It would be great to have information like "the useful life of a backup is the same as the tombstone lifetime setting for the enterprise" or something helpful like that.

So I can only imagine improving the backup section with more details, and maybe a tiny statistical data area in the Active Directory Indicators area that tells you in a few lines something about that domain. The following table is just an idea of what I think is possible.

| Text | Value | Info |
| --- | --- | --- |
| User (total) | 31415 | |
| User (enabled and inactive for at least X days) | 3141 | Relatively much - keep it as low as possible |
| User (disabled) | 314 | Average amount - keep it as low as possible |
| Computer (total) | 124816 | |
| Computer (enabled and inactive for at least X days) | 12481 | Average - keep it as low as possible |
| Computer (disabled) | 4816 | A lot - keep it as small as possible |
| Domain Controller (RWDC) | 4 | Have at least 2 for redundancy but not more than you can handle ... |
| Domain Controller (RODC) | 41 | ... |
| Last full AD backup | 01.02.2023 (oldest NC backup date) | Should not be older than you require it |
| Trusts detected | 4 | Be aware that trusting can bring more security risks and you should remove unnecessary/risky trusts |
| Domain Functional Level | 2003 (Not OK) | Some security features require a newer functional level |
| Forest Functional Level | 2003 (Not OK) | Some security features require a newer functional level |
| Recycle Bin | disabled (Not OK) | Can help a lot |
| Microsoft or Windows LAPS Schema | is extended (OK) | Using LAPS can help to reduce fraudulent lateral movement |
| Total Findings | 49 | Reduce your security risk by working continuously... |

@ruppde
Using PowerShell and the ad_hc_*.xml created by PingCastle, you could create a copy&paste or screenshot of the PowerShell output, or an HTML file like this, yourself.
Here is a tiny example:

```powershell
# Load the PingCastle health check XML and pick a few fields plus some counts,
# then render the selection as an HTML list.
([xml](gc .\ad_hc_yourcustomer_domain.xml)).HealthcheckData | select DomainFQDN,DomainCreation,LastADBackup,IsRecycleBinEnabled,LAPSInstalled,
@{Name="Findings count";Expression={$_.RiskRules.HealthcheckRiskRule.Count}},
@{Name="Trusts count";Expression={$_.Trusts.HealthCheckTrustData.Count}},
@{Name="DomainController count";Expression={$_.DomainControllers.HealthcheckDomainController.count}}  |
ConvertTo-Html -As List | Out-File NeedsMoreCSS.html
```

The result may look like this, but it can easily be improved and extended.

```text
DomainFQDN             : yourcustomer_domain
DomainCreation         : 2022-07-16T09:4:23
LastADBackup           : 2023-05-23T23:28:15+02:00
IsRecycleBinEnabled    : true
LAPSInstalled          : 9999-12-31T23:59:59.9999999
Findings count         : 44
Trusts count           : 2
DomainController count : 3
```

ConvertTo-Html accepts more parameters to add a header and CSS, so you get a great look if you would like it that way.

@ruppde
Contributor Author

ruppde commented Aug 3, 2023

Thanks for the ideas. I would imagine the table like this:

Potential Ransomware Impact

| Object | Value | Info |
| --- | --- | --- |
| Users (active) | 31415 | |
| Computers (active) | 124816 | Servers and desktop systems |
| Trusts detected | 4 | Be aware that trusting can bring more security risks and you should remove unnecessary/risky trusts |
| Exploitable Trusts | 2 | Trusts that could be exploited to compromise further domains |
| Potential file backup systems | 42 | It is a BAD idea to have backup servers (and anything that can control them and the backup data) in the AD, as they will end up encrypted in a domain compromise by a ransomware actor. |
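An added example (not part of this thread and not PingCastle code) that puts An-dir's XML post-processing and ruppde's "Potential AD-joined backup servers" keyword idea into one script, written in Python so it can be tested offline. It assumes only the element names quoted in the PowerShell one-liner above, parses a constructed XML fragment (a real ad_hc_*.xml carries many more fields), and applies the thread's vendor patterns to a constructed list of AD object names and descriptions, keeping the generic terms (backup, restore, tape) opt-in because of the false positives discussed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a PingCastle export) using only the element names quoted in the
# thread; a real ad_hc_*.xml carries far more fields.
SAMPLE_XML = """<HealthcheckData>
  <DomainFQDN>yourcustomer_domain</DomainFQDN>
  <LastADBackup>2023-05-23T23:28:15+02:00</LastADBackup>
  <IsRecycleBinEnabled>true</IsRecycleBinEnabled>
  <RiskRules><HealthcheckRiskRule/><HealthcheckRiskRule/><HealthcheckRiskRule/></RiskRules>
  <Trusts><HealthCheckTrustData/><HealthCheckTrustData/></Trusts>
  <DomainControllers><HealthcheckDomainController/><HealthcheckDomainController/><HealthcheckDomainController/></DomainControllers>
</HealthcheckData>"""
# Vendor patterns from the thread (".?" tolerates a dash, underscore or space between words).
VENDOR_PATTERNS = [r"Acronis", r"CyberProtect", r"BackupExec", r"Commvault", r"NetWorker",
                   r"Data.?Protector", r"Spectrum.?Protect", r"Tivoli.?Storage", r"NetVault",
                   r"Rubrik", r"Veeam", r"Bacula", r"Cohesity", r"Druva", r"Nakivo", r"Zerto",
                   r"StorageCraft", r"Datto"]
# Generic terms the thread flags as false-positive prone (fallback-server, backup-connection).
GENERIC_PATTERNS = [r"backup", r"restore", r"tape"]

def impact_summary(xml_text):
    """Impact figures as a dict, counting child elements the way the PowerShell one-liner does."""
    root = ET.fromstring(xml_text)
    def count(parent, child):
        node = root.find(parent)
        return 0 if node is None else len(node.findall(child))
    return {
        "DomainFQDN": root.findtext("DomainFQDN"),
        "LastADBackup": root.findtext("LastADBackup"),
        "IsRecycleBinEnabled": root.findtext("IsRecycleBinEnabled") == "true",
        "Findings count": count("RiskRules", "HealthcheckRiskRule"),
        "Trusts count": count("Trusts", "HealthCheckTrustData"),
        "DomainController count": count("DomainControllers", "HealthcheckDomainController"),
    }

def potential_backup_hosts(objects, include_generic=False):
    """objects: (name, description) pairs. Returns {name: [patterns hit]}; the generic
    terms are opt-in so a first informational rule starts with fewer false positives."""
    patterns = VENDOR_PATTERNS + (GENERIC_PATTERNS if include_generic else [])
    hits = {}
    for name, desc in objects:
        matched = [p for p in patterns if re.search(p, f"{name} {desc}", re.IGNORECASE)]
        if matched:
            hits[name] = matched
    return hits
# Constructed inventory as an ISO might export it from AD (names are made up).
SAMPLE_OBJECTS = [("SRV-VEEAM01", "Veeam backup proxy"), ("DATA-PROTECTOR-02", ""),
                  ("FALLBACK-SRV", "backup connection to site B"), ("TAPE-LIB01", "library"),
                  ("FS01", "file server")]
```

Running `potential_backup_hosts(SAMPLE_OBJECTS)` flags only the two vendor hits; with `include_generic=True` the fallback host and the tape library join them, which is exactly the trade-off between missed systems and false positives the thread describes.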
