Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Administrator's Password Bad Practice

Published: 2018-03-20
Last Updated: 2018-03-20 09:10:42 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Just a quick reminder about some bad practices while handling Windows Administrator credentials. I'm constantly changing my hunting filters on VT. A few days ago, I started to search for files/scripts that use the Microsoft SysInternals tool psexec[1]. For system administrators, this a great tool to execute programs on remote systems but it is also used by attackers to pivot internally. This morning, my filter returned an interesting file with a VT score of 11/66. The file is a compiled AutoIT script. This kind of malicious files is coming back via regular waves[2]. AutoIT executable can be easily decompiled. To achieve this, I'm using Exe2Aut.exe[3]. This tool has not been updated for a while but is still doing a good job.

I decompiled the malicious file which was not malicious at all. It was a script created by a Windows administrator to automate the creation of users' directories. This seems a legit script, however, there were two security issues in this very little script:

The first one was the hardcoded domain admin credentials in the script:

$adusername = "Administrator"
$adpassword = "*C0rnHu******"

The password was a strong one but once the file is published on VT, you can consider the password as lost. Other interesting information are also hardcoded:

$server = "Pithos"
$folderpath = "E:\Users\"
$server = "RMT-SLIA-FILE01" 

Note: the Microsoft domain was also present in the file and a simple Google search helped to guess the company. Could we call this a "virtual compromisation"?

The second issue is nastier. The developer is using PsExec to execute a script on a remote server:

RunWait("C:\pstools\psexec.exe \\" & $server & " -u " & @LogonDomain & "\" & $adusername & " -p " & $adpassword & " C:\createudir.bat")

Used in this way (with '-u' and '-p' options), PsExec sends the credentials in clear text across the network. Hopefully, it has been fixed by Microsoft starting with PsExec version 2.1. An alternative to this to protect the credentials is to open a NULL session to the remote host prior to calling PsExec. This way, NTML or Kerberos will be used. According to a post written by Mike Pilkington on the Digital Forensics SANS Blog[4], the $IPC NULL session will also prevent the domain administrator's hash to be captured by dumping tools on the remote system!

Some tips to protect your credentials:

  • Do not use an outdated version of system tools
  • Do not store credentials into scripts/source code (binaries can be decompiled/reversed!)
  • Do not publish internal tools on VT (or any other cloud services)
  • Use strong authentication mechanism to prevent credentials to cross networks and be stored in memory

Stay safe!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Wireshark and USB
Mar 17th 2018
2 days ago by DidierStevens (2 comments)

[Wireshark-announce] Wireshark 2.5.1 is now available
Mar 16th 2018
4 days ago by Basil (0 comments)

VMWARE Security Advisory: VMSA-2018-0008
Mar 16th 2018
4 days ago by Basil (0 comments)

SPECTRE and Meltdown To patch or not to patch?..and HOW (Guest Diary)
Mar 15th 2018
5 days ago by Johannes (3 comments)

Malspam pushing Sigma ransomware
Mar 14th 2018
6 days ago by Brad (0 comments)

Microsoft March 2018 Patch Tuesday
Mar 13th 2018
6 days ago by Johannes (8 comments)

How did it all start? Early Memcached DDoS Attack Precursors and Ransom Notes
Mar 13th 2018
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

Splunk: Any way to fetch logs via ssh
created Mar 15th 2018
5 days ago by Anonymous (1 reply)

Possible new worm activity
created Mar 13th 2018
6 days ago by Anonymous (0 replies)

Detecting the memcached issue
created Mar 9th 2018
1 week ago by David (0 replies)

OSINT tools and links
created Mar 9th 2018
1 week ago by Anonymous (0 replies)

IPhone VPN connection error.
created Mar 7th 2018
1 week ago by Janecollen (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
8 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
7 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
3 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
6 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
7 months ago by Xme (2 comments)