• hunter

user id

Right, user names and passwords are still crucial and probably will stay with us for a long time - despite industry efforts to convince us that there are better ways to authenticate to the system.

Many of us quickly forget that a username can be as important as the password itself.

I know that the user login is not "protected" at all, but it is a crucial part of every aspect of security.

In the AAA model, it is a recognized component: the Identification part. Without proper identification, even a correct password has limited use, if any. Why am I even looking into this trivial process?

The answer is straightforward. Without the correct pair of identification and password, there is no Authentication at all (one of the parts of the AAA model). Keeping an eye on unusual authentication noise is crucial for malware hunting inside and outside of any organization.

On the internet, there are a lot of automated scanning systems trying to break into systems and plant malware on them.

This helpful data comes from my honeypots, operated in different places all over the world.

As you can quickly see, bots are not very sophisticated in their quest to find and exploit an easy target. Once they find one, they act very quickly to deploy malware on it. Most of them try to find a place with RWX permission and then download even more malicious code using standard pre-installed operating system tools like curl or wget.

So what can we do, and how can we put that knowledge to use?

  • change the username of the built-in account

  • if you can't change it, try to disable it and create a different one with a non-obvious name

  • if you can, generate a different username for each computer, system or device, ideally using a non-obvious name generator

  • implement a non-obvious company naming convention (something hard to enumerate and not related directly to a specific employee)

  • implement LAPS or CyberArk as an automatic password management solution

  • if you can, use the Microsoft MSA or gMSA strategy for technical accounts

  • create fake "decoy accounts" and track any activity on them. Configure them to be vulnerable to password guessing or a Kerberoast attack, and remember to change their primary group membership: create an empty AD group with no access to anything, which needs to look like one of your many AD groups. Why? Because by default the primary group is the Domain Users AD group, and wherever Domain Users or Everyone exists on an ACL, the fake account will also have access.

I know that usernames are not secret, especially if they are in e-mail format, but if you can apply the above rules to built-in or technical accounts, you can really make life a lot harder for any attacker.

With any luck, the attacker will create enough noise to trigger some alerts in any SIEM solution.
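As an added example (not part of the original post), here is one way to turn that noise into alerts: it flags any login attempt on a decoy account and any source that fails against several different usernames. It assumes OpenSSH-style `sshd` log lines; the decoy name `svc_sqlreport`, the threshold and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions for this example (not from the post): decoy names and threshold.
DECOY_ACCOUNTS = {"svc_sqlreport"}
SPRAY_THRESHOLD = 3  # distinct usernames failed from one source address

# Matches OpenSSH sshd password-auth result lines.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 hp1 sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 10:00:02 hp1 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Mar  3 10:00:03 hp1 sshd[811]: Failed password for invalid user pi from 203.0.113.5 port 40120 ssh2
Mar  3 10:00:04 hp1 sshd[811]: Failed password for invalid user oracle from 203.0.113.5 port 40122 ssh2
Mar  3 10:05:10 hp1 sshd[902]: Failed password for svc_sqlreport from 198.51.100.23 port 51800 ssh2
Mar  3 10:05:12 hp1 sshd[902]: Accepted password for svc_sqlreport from 198.51.100.23 port 51802 ssh2
Mar  3 10:07:00 hp1 sshd[950]: Accepted password for x7-kestrel-41 from 192.0.2.10 port 50022 ssh2
"""


def detect(log_text, decoys=DECOY_ACCOUNTS, threshold=SPRAY_THRESHOLD):
    """Return (kind, source, detail) alerts in the order they fire."""
    alerts = []
    failed_users = defaultdict(set)  # source -> usernames that failed
    already_flagged = set()          # sources already reported as spraying
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        result, user, src = m["result"], m["user"], m["src"]
        # Any use of a decoy account is an alert, successful or not.
        if user in decoys:
            alerts.append(("decoy_touched", src, f"{user}:{result}"))
        if result == "Failed":
            failed_users[src].add(user)
            if len(failed_users[src]) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("username_spray", src, ",".join(sorted(failed_users[src]))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The non-obvious account `x7-kestrel-41` logs in without raising anything, while the scanner cycling through `root`, `admin` and `pi` is flagged on its third distinct username.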

I know, the IT department will not be pleased, but security isn't meant to make people happy.

