Fun Friday: Which Common Sysadmin Tool have you seen do the Most Damage?
Happy Friday all!
Today, lets talk tools, the right tool in the wrong hands can be catastrophic.
What tool have you seen so the most damage to an environment? Whether it’s a built in tool/feature or 3rd party, I wanna hear!
For me, it’s Remote PowerShell. I witnessed this being used by a malicious script to deploy ransomware to every device in the domain and the rest of the network. The script was harvesting credentials from users working on the infected endpoint and the moment a domain admin signed in, BANG, remote PowerShell to all!
Page 1 / 2
any automation tool ...lol
Format or rm -r /
ah yes.. adduser newmanager
Apply an update to all the production Vms without test, for more fun apply it during the weekend.
Lack of knowledge, the wrong click in the Disk managements especially with Veeam and Direct San and bye bye the production.
“In the old days” I managed to kill a OS/2 server with “rm -r” only. Just started it from the wrong directory At these times this was the whole environment…
So, I don’t need a special tool for this….
So, I don’t need a special tool for this….
“In the old days” I managed to kill a OS/2 server with “rm -r” only. Just started it from the wrong directory At these times this was the whole environment…
So, I don’t need a special tool for this….
Not so much a tool but reading documentation I have seen be one of the most dangerous. If you have the docs and design - follow them!! That way I don’t have to fix things later.
i was a beginner, i typed "exit" on a domino server, like to exit the cmd lol the server shut down LMAO
or how about forgetting ctrl+al+ins (The VMware VM console combination on Windows VMs for ctrl+alt+del) on some linux systems is ‘reboot’ system ….been burned a few times with that one
or how about forgetting ctrl+al+ins (The VMware VM console combination on Windows VMs for ctrl+alt+del) on some linux systems is ‘reboot’ system ….been burned a few times with that one
I learned this the hard way also.
psexec and having to clean up other people’s messes.
as root from the root directory:
rm -rf * &; exit
@MicoolPaul wants us to mention a tool, and I think some of us deviated! To be honest, all tools can be taken over by bad actors and this is why we need to run or allow these tools to run with administrative privilege. By default, standard users shouldn't be able to run these tools.
I would say any of the configuration management tools (such as Ansible, Puppet etc) if you do not know what you are doing. Therefore, I agree with @Cragdoo above, anything automation and PowerShell is as well :)
Powershell and Pipe | Can lead to unwanted changes if you are not careful
@MicoolPaul wants us to mention a tool, and I think some of us deviated! To be honest, all tools can be taken over by bad actors and this is why we need to run or allow these tools to run with administrative privilege. By default, standard users shouldn't be able to run these tools.
I would say any of the configuration management tools (such as Ansible, Puppet etc) if you do not know what you are doing. Therefore, I agree with @Cragdoo above, anything automation and PowerShell is as well :)
It’s one of the great community things, you go in asking a question and people then give you additional perspectives and stories! I don’t always reply to everyone but I love seeing the life lessons learned!
Good shouts on automation…
Powershell and Pipe | Can lead to unwanted changes if you are not careful
Definitely! Especially when filters are used which are believed to be a safety net but the logic isn’t as strict as the writer thinks it is!
So far the themes are automation and scripting!
Powershell and Pipe | Can lead to unwanted changes if you are not careful
Definitely this can if not careful with inputs.
Shutting down a (wrong) ESXi host without reading the message that there are still VMs running.
Shutting down a (wrong) ESXi host without reading the message that there are still VMs running.
Related to what you said but unrelated to the original topic:
A client I used to deal with infrequently had ESXi servers going offline unexpectedly. They were in a managed datacentre and the technicians kept on powering off some of their servers when OTHER customers’ servers needed reboots mistakenly.
The latest time this happened the client (quite rightly) got very irate and demanded to know what happened this time and why they couldn’t tell their servers apart. Their support team claimed that a cable must’ve leaned on the server’s power button whilst they were working on another server in the rack. If true it makes you question what the cabling looks like in that place!
Shutting down a (wrong) ESXi host without reading the message that there are still VMs running.
Related to what you said but unrelated to the original topic:
A client I used to deal with infrequently had ESXi servers going offline unexpectedly. They were in a managed datacentre and the technicians kept on powering off some of their servers when OTHER customers’ servers needed reboots mistakenly.
The latest time this happened the client (quite rightly) got very irate and demanded to know what happened this time and why they couldn’t tell their servers apart. Their support team claimed that a cable must’ve leaned on the server’s power button whilst they were working on another server in the rack. If true it makes you question what the cabling looks like in that place!
Right! I guess all of us have seen such cabling in different server locations
RDP in some internal sysadmin’s hands who woke up to update something on servers because that day got inspired…
RDP in some internal sysadmin’s hands who woke up to update something on servers because that day got inspired…
Right! When you also think about RDP-manager with stored authentication credentials to be able to double-click a server to connect without entering anything.
RDP in some internal sysadmin’s hands who woke up to update something on servers because that day got inspired…
Right! When you also think about RDP-manager with stored authentication credentials to be able to double-click a server to connect without entering anything.
mimikatz ftw
I recommend not to leave the possibility to cache credentials on Windwos or Windows server in AD domain it is strongly recommended to implement a set of GPO to prevent this kind of attacks.
running ansible playbook on bad target, obivoulsly veeam backup save my ass .Thanks to instant recovery nobody notices the failure. Since this i wrote more sanity check in my code