No, it makes perfect sense. If you want to land an advanced persistent threat but your entry is detectable, a distraction is ALWAYS a great psychological tool.
The very best and longest-lasting victories are made when you convince the loser that they've won.
So the premise is that they clear the ransomware and think it's over. But it's not.
And the standard way to clear the ransomware is to re-image the machine and restore from backups. So the infection has to be hidden above the operating system level. BIOS/SSD/HDD firmware etc.
Unless, of course, you don't provision machines or keep backups. In which case hiding on a machine being "cleaned" would be simples.
If you capture user credentials it doesn't really matter, because you can just come back a month later. Especially if they had domain admin access and created a golden ticket. Also, if you infect a user as opposed to a machine, your infection will be back the moment the user logs in.
Ahh, well, if you only compromised passwords then it depends on the domain policy. Often something like 90 or 180 days, but sometimes also only 1 month. But the ticket is different. An attacker can sign and create their own ticket and determine how long it is valid. Obviously an attacker is going for the maximum time, which I think is indefinitely for golden tickets (can't quite recall now). Also it's hard to remove the trust in such a ticket once it's been created; it used to be so bad that the entire Forest (with all domains) had to be rebuilt, but AFAIK it's easier (but not trivial) now.
What does golden ticket mean here? Is it some kind of Microsoft credential? You should be able to detect any kind of leftover account. A backdoor would seem to be better.
And on this whole area, I would not encrypt someone's machine - unless you are trying to scare someone, it would be better to have never known.
"The very best and long lasting victories are made when you convince the loser that they've won." -- that's catchy, but I don't agree. Often the result will be "damn, that was close, better enhance the defences". Whereas the ignorant just carry on.