Compromise a management system for access:
- Microsoft SCCM admin account - push packages
- Microsoft SCOM admin account - run commands
- Splunk server - run scripts on system (Splunk Universal Forwarder)
- Vuln scanners - extract stored credentials.
- Endpoint Detection/Response (EDR) - run scripts/commands/code
- Microsoft Intune - run scripts on Azure AD-joined devices.

Notes:
- DON'T run management tools on local workstations.
- Smart card PIN is cached and can be extracted by Mimikatz.
- Hijack jump server with tscon.exe (as SYSTEM).
- MFA is only as good as its configuration.
- MFA can be subverted (self-service/SMS).
- MFA may be configured to be fail-open.
- Password vault becomes part of the AD security posture.
- Password vault: vulnerable to keyloggers.
- Password vault: RDP proxy (browser extension).
- Admin Deployment: AD admins, Virtual Infra admins, Cloud admins, Server admins, workstation admins.
- Admin Forest = Red Forest (ESAE)
- Admin Forest doesn't fix production AD security issues.
- Agents on DC will be the target.
- Modern Admin Forest = "Cloud" Admin Forest / ESAE
- Quick lockdown via Microsoft Intune by leveraging policies.
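The jump-server note above (tscon.exe run as SYSTEM) is one of the few items in this list that leaves a clean host-telemetry signature, so here is a detection written against it. This is an added example, not part of the original notes: it assumes Sysmon Event ID 1 (or Security 4688) process-creation records already exported as JSON lines with the field names used below, and the SAMPLE_LOG records, the host name JUMP01 and the user names are constructed for illustration.

```python
"""Flag tscon.exe session-hijack activity in process-creation telemetry.

Added example, not part of the original notes. It assumes Sysmon Event ID 1
(or Security 4688) records already exported as JSON lines using the field
names below; the SAMPLE_LOG records are constructed for illustration.
"""
import json
import re

# "tscon" or "tscon.exe" as a whole token anywhere in a command line.
TSCON_TOKEN = re.compile(r'(?:^|[\s"\\/])tscon(?:\.exe)?(?=[\s"]|$)', re.IGNORECASE)
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}

# Constructed sample telemetry from a jump server: a normal RDP client launch,
# a service-spawned shell running tscon as SYSTEM, and a user reconnecting
# a session with their own account.
SAMPLE_LOG = r"""
{"UtcTime": "2024-05-01 10:01:02", "Computer": "JUMP01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\mstsc.exe", "CommandLine": "mstsc.exe /v:srv01", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2024-05-01 10:05:40", "Computer": "JUMP01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c tscon 2 /dest:console", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"UtcTime": "2024-05-01 10:05:41", "Computer": "JUMP01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon 2 /dest:console", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2024-05-01 11:30:07", "Computer": "JUMP01", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon.exe 3 /dest:rdp-tcp#5", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def is_tscon(event):
    """True if the process is tscon.exe or its command line invokes tscon."""
    return (basename(event.get("Image", "")) == "tscon.exe"
            or TSCON_TOKEN.search(event.get("CommandLine", "")) is not None)


def classify(event):
    """Rate a tscon event. SYSTEM context is the hijack indicator: at that
    privilege level tscon attaches another user's session without their
    password, so there is no routine reason for it on a jump server."""
    user = event.get("User", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if user in SYSTEM_ACCOUNTS:
        return "high", "tscon run as SYSTEM (hijack of another user's RDP session)"
    if "/dest:" in cmd:
        return "medium", "interactive tscon with /dest:, confirm the user owns the source session"
    return "low", "tscon executed, review context"


def detect_tscon_hijack(events):
    """Return one finding per tscon-related event, in log order."""
    findings = []
    for ev in events:
        if not is_tscon(ev):
            continue
        severity, reason = classify(ev)
        findings.append({
            "time": ev.get("UtcTime"),
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "parent": basename(ev.get("ParentImage", "")),
            "cmd": ev.get("CommandLine"),
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in detect_tscon_hijack(load_events(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['time']} {f['host']} {f['user']} "
              f"parent={f['parent']} cmd={f['cmd']!r} :: {f['reason']}")
```

Corroborate a high finding with the session-level events Windows already writes: Security 4778/4779 (session reconnected/disconnected) and Microsoft-Windows-TerminalServices-LocalSessionManager/Operational event 25 (reconnect), which will show the reconnect landing on a session that belongs to a different account. The mitigation side is just as important as the alert: configure jump servers to log off disconnected sessions after a short timeout rather than leaving privileged sessions parked for tscon to pick up.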