Enterprise security tools provide a deep level of insight into, and access to, the
organizations they are designed to protect. Although in the right hands these
tools can be powerful assets for a blue team, they can be equally valuable to
an attacker. Attackers can subvert legitimate functionality to gain and
maintain access to an enterprise's crown jewels.
Solutions such as Splunk, Tanium, Tripwire and Carbon Black Response, in addition
to providing detailed reporting on an organization's assets, all offer the
ability to run commands or scripts on endpoints for administrative purposes.
Many of these systems run commands as the 'System' user on Windows by default,
or have no other option. This can be leveraged to gain access to critical systems,
pivot into 'segmented' networks, and maintain stealthy command and control.
Unfortunately, these tools are commonly deployed with inadequate hardening, or
with an excessive number of administrative user accounts. One reason for this
could be the prior knowledge required to leverage the power of these
applications in a safe and controlled manner during a pentest, causing them to
largely go unnoticed, or unreported, in most tests. We want to bring awareness
to the importance of protecting deployed security tools and to provide a
framework for pentesters and red teamers to leverage these tools on
engagements. The tool we are releasing is called secsmash; it is a
handy command-line tool that turns credentials you've acquired for a supported
tool into enterprise pwnage.