Malicious JIT: Abusing the Just-In-Time Administration concept to avoid detection
Just-In-Time (JIT) Administration was introduced to defend environments from attackers: users do not hold permanent high privileges, and when such privileges are required they can only be obtained for a limited amount of time. This concept is being incorporated into many environments in the hope of preventing attackers from taking control of the environment, or at the very least making it harder for them to obtain high privileges. On the other hand, attackers may abuse a similar concept to avoid any detection mechanisms that might be incorporated in the environment; we call this concept ‘Malicious JIT’. It can be used to gain persistence in an environment once high privileges have already been obtained. Since maintaining high privileges without being detected is not an easy task, methods that rely on this concept can significantly reduce the risk of detection and give attackers the ability to regain high privileges at any given time. We focus on how this concept can be abused in Active Directory environments. In this talk we discuss the concept from two points of view: the attackers' and the defenders'.