Month: December 2017

Don’t Forget about Domain Trusts

I was recently talking to an organization about their security posture, and almost everything I recommended to them they had already implemented, and then some. The audits I conducted for them seconded what they were saying. I must say, I was thoroughly impressed. There was, however, one gray area that stood out to me, and that was Domain Trusts. In their eyes, they didn’t have any, but the Domain Controller displayed otherwise.

I’m sure everyone knows how to check via the GUI but did you also know it can be done through PowerShell? If not, let’s proceed.

From a Domain Controller or a system with Remote Server Administration Tools (RSAT) installed, we can utilize the Active Directory module, which contains the Get-ADTrust cmdlet. To view Trusts, we can do the following:

From the above, we see the trust is with the Multiverse domain. We can also see that the direction is bi-directional, meaning it is a Two-Way Trust. It is also non-transitive, indicated by the value of one in the Trust Attributes property.

We can also get this same information using WMI, which we will use on the same server. To do so, we can do the following:

A simple script for this can be found HERE.

From the above, we see the Trust Attributes property again along with a Trusted Domain property, which gives the name of the domain we have a trust with. In addition, we see the Trust Direction property with a value of three, which indicates a two-way trust.

For future reference, the meanings for each available value in Trust Attributes and Trust Direction are below.
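The value meanings for these two properties, as an added PowerShell example that is not part of the original post: it decodes the Trust Direction value and the Trust Attributes bitmask using the definitions in Microsoft's MS-ADTS specification. The function names are hypothetical, the sample object is constructed from the values the post describes, and the WMI class name `Microsoft_DomainTrustStatus` is an assumption because the post's own command is not shown.

```powershell
# Added example (not from the original post). Value meanings follow the
# trustDirection and trustAttributes definitions in Microsoft's MS-ADTS spec.
$TrustDirection = @{
    0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional (two-way)'
}
$TrustAttributeFlags = @{
    0x01 = 'Non-transitive'
    0x02 = 'Uplevel clients only'
    0x04 = 'Quarantined domain (SID filtering)'
    0x08 = 'Forest transitive'
    0x10 = 'Cross-organization (selective authentication)'
    0x20 = 'Within forest'
    0x40 = 'Treat as external'
    0x80 = 'Uses RC4 encryption'
}

function ConvertFrom-TrustAttributes {
    # TrustAttributes is a bitmask, so each known flag is tested separately.
    param([int]$Value)
    $names = foreach ($bit in ($TrustAttributeFlags.Keys | Sort-Object)) {
        if ($Value -band $bit) { $TrustAttributeFlags[$bit] }
    }
    if ($names) { $names -join ', ' } else { 'None set' }
}

function ConvertTo-TrustReport {
    # Hypothetical helper: accepts any object exposing TrustedDomain,
    # TrustDirection and TrustAttributes (the WMI property names).
    param([Parameter(ValueFromPipeline = $true)]$Trust)
    process {
        [pscustomobject]@{
            TrustedDomain = $Trust.TrustedDomain
            Direction     = $TrustDirection[[int]$Trust.TrustDirection]
            Attributes    = ConvertFrom-TrustAttributes ([int]$Trust.TrustAttributes)
        }
    }
}

# Constructed sample matching the values the post describes, so the decoder
# can be run without a Domain Controller.
$sample = [pscustomobject]@{ TrustedDomain = 'Multiverse'; TrustDirection = 3; TrustAttributes = 1 }
$sample | ConvertTo-TrustReport

# On a Domain Controller (class name is an assumption, see the lead-in):
# Get-CimInstance -Namespace 'root\MicrosoftActiveDirectory' `
#     -ClassName Microsoft_DomainTrustStatus | ConvertTo-TrustReport
```

For the constructed sample the report shows a Direction of "Bidirectional (two-way)" and Attributes of "Non-transitive", matching the trust described in the post.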

Hidden Gems in McAfee ePO Audit Logs

There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is its audit log, which records authentication information, including any supplied usernames, as shown below.

As weird as it may seem, sometimes people will type in their username AND their password on the same line and submit them for authentication, not realizing the mistake. Well, McAfee ePO logs that information as is. In the example below, the password is likely ‘PA$$word1337’.

This happens more often than you may think, and users with the applicable permissions can see this information in the audit logs. From a blue team perspective, being cognizant of the likelihood of this artifact is vital. As a red team member, this is easy pickings. Not only will it likely get you into the application with the user’s information in the logs, but that user could also have more rights than the user you may be currently using. Also, whatever the password is for the user whose information is in the log, it is likely to also be that user’s password for their local or domain account, or possibly for other applications in the network.