If an attacker succeeds in getting the password of an IT support privileged account (that has Domain Control rights), can he successfully carry out the attack and do the lateral movement needed between the Domain Controllers and/or users?
- To better understand user privileges, you can take a look at this page: [Domain Admins vs. Administrators in Windows](https://serverfault.com/questions/174200/domain-admins-vs-administrators-in-windows-ad-dc) – neo Aug 20 '21 at 21:58
2 Answers
Yes, if an attacker has domain admin rights they can usually encrypt anything on any system that's joined to the domain.
You don't even need administrative rights for most ransomware attacks - normal users have permissions to access lots of files and network shares. However, they're unlikely to be able to encrypt or destroy any backups that exist.
- So, this means that he is able to run PowerShell commands (remotely) and do much more. But what can't he do? He cannot encrypt or destroy backups; is there something else? Thanks for your answer, and consider it marked as correct after you answer this tiny little question. Thank you a lot! :-) – oolnux Aug 21 '21 at 06:22
- @oolnux I'm not sure that you read the answer correctly. Domain Admins can give themselves whatever permissions they like, even access to backups. There is nothing that a Domain Admin can't do. "Normal users" are unlikely to access backups. – schroeder Aug 21 '21 at 08:23
- Oh, my bad. Thank you very much for your answer. This is everything I wanted. – oolnux Aug 21 '21 at 11:26
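The answer above turns on one fact: an account that sits in a tier-0 group such as Domain Admins (directly or through nesting) can reach every domain-joined system, backups included. The situation the question describes, an IT support account that also holds domain control rights, is the thing to find before an attacker does. The following is an added audit script, not code from the original answer or its author; it assumes the RSAT ActiveDirectory module, and the helpdesk naming pattern and 180-day password age threshold are illustrative assumptions you should adjust.

```powershell
# Added example (not from the original post): enumerate the accounts that
# effectively hold tier-0 rights and flag the ones that look like day-to-day
# IT support accounts or are otherwise weakly protected.
# Requires the ActiveDirectory module (RSAT). Run as a user allowed to read AD.
Import-Module ActiveDirectory

function Get-Tier0Exposure {
    param(
        # Groups whose members can control the domain. 'Administrators' is the
        # domain-local builtin group on the DCs.
        [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Assumed naming convention for helpdesk/support accounts (illustrative).
        [string]$HelpdeskPattern = '^(hd|helpdesk|support)',
        [int]$MaxPasswordAgeDays = 180
    )

    $props = @('PasswordLastSet', 'PasswordNeverExpires', 'AccountNotDelegated',
               'ServicePrincipalName', 'LastLogonDate', 'Enabled')

    foreach ($group in $Tier0Groups) {
        # -Recursive expands nested groups, so an account that inherits rights
        # through "Helpdesk -> Server Admins -> Domain Admins" is listed too.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user'

        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties $props
            $findings = @()

            if ($u.SamAccountName -match $HelpdeskPattern) {
                $findings += 'helpdesk-style account holds tier-0 rights'
            }
            if ($u.ServicePrincipalName) {
                # A tier-0 account with an SPN can be Kerberoasted offline.
                $findings += 'has SPN (Kerberoastable)'
            }
            if (-not $u.AccountNotDelegated) {
                $findings += '"Account is sensitive and cannot be delegated" not set'
            }
            if ($u.PasswordNeverExpires) {
                $findings += 'password never expires'
            }
            if ($u.PasswordLastSet -and
                $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
                $findings += "password older than $MaxPasswordAgeDays days"
            }

            [pscustomobject]@{
                Group     = $group
                Account   = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                Findings  = ($findings -join '; ')
            }
        }
    }
}

# Usage: list every effective tier-0 account with its findings.
Get-Tier0Exposure | Sort-Object Group, Account | Format-Table -AutoSize
```

Any account that shows up here with a helpdesk-style name, or that is used for routine support work, is the "IT support privileged account" from the question: its password is all an attacker needs. The usual fix is to move support staff to separate, non-tier-0 admin accounts and keep Domain Admins membership to a handful of accounts that are only ever used on domain controllers or privileged access workstations.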
I found a more interesting explanation on this site: What Does 'Privileged Account' Really Mean?
Privileged access has become a hot topic recently. For the first time ever, the Verizon Data Breach Investigations Report actually included privileged access as its own section in the report with some not-so-surprising results. Below are a couple of interesting takeaways from the report:
> Weak or common passwords were the cause of 63 percent of all breaches
> 53 percent of the breaches were due to the misuse of privileged accounts
Now that we know how important these accounts are, how do we know exactly what makes an account 'privileged'? One easy rule of thumb is to count any account with access to monetizable data (protected health information, credit card numbers, social security numbers, etc.) as a privileged account.
However that’s not all. There are other kinds of privileged accounts. What you have to decide for your organization is what privilege data is, where it is, and who has access to it. Control of privileged accounts is a major factor in compliance across all regulations in every industry. If that definition is a bit too broad, here are the most common types of privileged accounts: ...
Domain Admin Accounts
Domain admins have privileged access across all workstations and servers on a Windows domain. These are the most extensive and robust accounts across your network because they have complete control over all domain controllers and the ability to modify membership of every administrative account within the domain. Compromise of these accounts is often listed as the 'worst case scenario' and should be monitored very closely.
- Please do not post link-only answers. Include the relevant parts of the link here – schroeder Aug 20 '21 at 22:07
- Please include the ***relevant*** parts of the link. Not the entire contents. – schroeder Aug 21 '21 at 08:21
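The quoted article ends with the point that domain admin accounts "should be monitored very closely", and the most valuable single signal is a change to the membership of a tier-0 group: that is how a compromised support account becomes permanent domain control, and how a Domain Admin grants itself access to backups. Domain controllers log such changes as Security events 4728 (member added to a global group, e.g. Domain Admins), 4732 (domain-local group, e.g. Administrators) and 4756 (universal group, e.g. Enterprise Admins). The script below is an added example, not code from the answer or the article; the sample event at the end is constructed, with made-up names, so the function can be tried offline.

```powershell
# Added example (not part of the original answer): flag additions to tier-0
# groups from Security events 4728 / 4732 / 4756. Run on a domain controller,
# or feed it events forwarded to a collector.

function Test-Tier0GroupChange {
    param(
        [Parameter(ValueFromPipeline)] [xml]$EventXml,
        [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins',
                                   'Administrators', 'Schema Admins')
    )
    process {
        # Flatten <Data Name="...">value</Data> elements into a hashtable.
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # For 4728/4732/4756, TargetUserName is the group, MemberName the
        # account added, and Subject* the account that made the change.
        $group = $data['TargetUserName']
        if ($Tier0Groups -contains $group) {
            [pscustomobject]@{
                Time    = $EventXml.Event.System.TimeCreated.SystemTime
                EventId = $EventXml.Event.System.EventID
                Group   = $group
                Member  = $data['MemberName']
                Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# Live use on a DC: tier-0 membership changes in the last 24 hours.
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756;
#                                 StartTime=(Get-Date).AddDays(-1)} |
#     ForEach-Object { [xml]$_.ToXml() } | Test-Tier0GroupChange

# Constructed sample 4728 event for offline testing (all values made up):
# a helpdesk account is added to Domain Admins by a backup service account.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2021-08-21T06:22:00Z"/>
  </System>
  <EventData>
    <Data Name="MemberName">CN=hd-jsmith,OU=Helpdesk,DC=corp,DC=example</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">svc-backup</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@

([xml]$sample) | Test-Tier0GroupChange | Format-List
```

In a real deployment the output would go to a SIEM alert rather than the console; the point is that every hit is worth a human look, because legitimate additions to Domain Admins should be rare enough to be individually reviewed, and a change made by an account that is not itself a known administrator (as in the constructed sample) is the pattern to treat as a live incident.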