• EN

Fun Friday: Which Common Sysadmin Tool have you seen do the Most Damage?

MicoolPaul
Userlevel 7
Badge +20

Happy Friday all!

 

Today, lets talk tools, the right tool in the wrong hands can be catastrophic.

 

What tool have you seen so the most damage to an environment? Whether it’s a built in tool/feature or 3rd party, I wanna hear!

 

For me, it’s Remote PowerShell. I witnessed this being used by a malicious script to deploy ransomware to every device in the domain and the rest of the network. The script was harvesting credentials from users working on the infected endpoint and the moment a domain admin signed in, BANG, remote PowerShell to all!

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social

31 comments

Cragdoo
Userlevel 7
Badge +9

any automation tool ...lol
 

Veeam Vanguard | www.cragdoo.co.uk
Geoff Burke
Userlevel 7
Badge +22

Format or rm -r /

VMCA2022, VMCE2023, CKA, CKAD, KCNA, LFCS, PCA,TARS
Geoff Burke
Userlevel 7
Badge +22

ah yes.. adduser newmanager

VMCA2022, VMCE2023, CKA, CKAD, KCNA, LFCS, PCA,TARS
Stabz
Userlevel 7
Badge +7

Apply an update to all the production Vms without test, for more fun apply it during the weekend.

Lack of knowledge, the wrong click in the Disk managements especially with Veeam and Direct San and bye bye the production.

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/
JMeixner
Userlevel 7
Badge +17

“In the old days” I managed to kill a OS/2 server with “rm -r” only. Just started it from the wrong directory At these times this was the whole environment… :wink:

So, I don’t need a special tool for this….  :laughing::laughing::laughing:

Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2023 | Veeam Certified Architect (VMCA) 2022 | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
Kseniya
Userlevel 7
Badge +3

So, I don’t need a special tool for this….  :laughing::laughing::laughing:


 😂😂😂😂😂

Twitter @frainpan
Chris.Childerhose
Userlevel 7
Badge +20

“In the old days” I managed to kill a OS/2 server with “rm -r” only. Just started it from the wrong directory At these times this was the whole environment… :wink:

So, I don’t need a special tool for this….  :laughing::laughing::laughing:

:rofl::rofl:

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Chris.Childerhose
Userlevel 7
Badge +20

Not so much a tool but reading documentation I have seen be one of the most dangerous.  If you have the docs and design - follow them!!  That way I don’t have to fix things later. :joy:

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Link State
Userlevel 7
Badge +7

i was a beginner, i typed "exit" on a domino server, like to exit the cmd lol the server shut down LMAO

 

 

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104 - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
Cragdoo
Userlevel 7
Badge +9

or how about forgetting ctrl+al+ins (The VMware VM console combination on Windows VMs for ctrl+alt+del) on some linux systems is ‘reboot’ system ….been burned a few times with that one

 

Veeam Vanguard | www.cragdoo.co.uk
LostInEther
Userlevel 3

or how about forgetting ctrl+al+ins (The VMware VM console combination on Windows VMs for ctrl+alt+del) on some linux systems is ‘reboot’ system ….been burned a few times with that one

 

I learned this the hard way also.

dmartin
LostInEther
Userlevel 3

psexec and having to clean up other people’s messes.

dmartin
LostInEther
Userlevel 3

as root from the root directory:

rm -rf * &; exit

dmartin
Iams3le
Userlevel 7
Badge +9

@MicoolPaul wants us to mention a tool, and I think some of us deviated! To be honest, all tools can be taken over by bad actors and this is why we need to run or allow these tools to run with administrative privilege. By default, standard users shouldn't be able to run these tools. 

I would say any of the configuration management tools (such as Ansible, Puppet etc) if you do not know what you are doing. Therefore, I agree with @Cragdoo above, anything automation and PowerShell is as well :) 

Microsoft MVP | Veeam Legend 5* | VMware vExpert 4* | Cisco Champion 3*
Mildur
Userlevel 7
Badge +12

Powershell and Pipe |
Can lead to unwanted changes if you are not careful 😂

Product Management Analyst @ Veeam Software
MicoolPaul
Userlevel 7
Badge +20

@MicoolPaul wants us to mention a tool, and I think some of us deviated! To be honest, all tools can be taken over by bad actors and this is why we need to run or allow these tools to run with administrative privilege. By default, standard users shouldn't be able to run these tools. 

I would say any of the configuration management tools (such as Ansible, Puppet etc) if you do not know what you are doing. Therefore, I agree with @Cragdoo above, anything automation and PowerShell is as well :) 

It’s one of the great community things, you go in asking a question and people then give you additional perspectives and stories! I don’t always reply to everyone but I love seeing the life lessons learned!

 

Good shouts on automation…

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social
MicoolPaul
Userlevel 7
Badge +20

Powershell and Pipe |
Can lead to unwanted changes if you are not careful 😂

Definitely! Especially when filters are used which are believed to be a safety net but the logic isn’t as strict as the writer thinks it is!

 

So far the themes are automation and scripting!

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social
Chris.Childerhose
Userlevel 7
Badge +20

Powershell and Pipe |
Can lead to unwanted changes if you are not careful 😂

Definitely this can if not careful with inputs. 😂

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
vNote42
Userlevel 7
Badge +13

Shutting down a (wrong) ESXi host without reading the message that there are still VMs running.

Wolfgang | vnote42.net | @vNote42
MicoolPaul
Userlevel 7
Badge +20

Shutting down a (wrong) ESXi host without reading the message that there are still VMs running.

Related to what you said but unrelated to the original topic:

 

A client I used to deal with infrequently had ESXi servers going offline unexpectedly. They were in a managed datacentre and the technicians kept on powering off some of their servers when OTHER customers’ servers needed reboots mistakenly.

 

The latest time this happened the client (quite rightly) got very irate and demanded to know what happened this time and why they couldn’t tell their servers apart. Their support team claimed that a cable must’ve leaned on the server’s power button whilst they were working on another server in the rack. If true it makes you question what the cabling looks like in that place!

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social
vNote42
Userlevel 7
Badge +13

Shutting down a (wrong) ESXi host without reading the message that there are still VMs running.

Related to what you said but unrelated to the original topic:

 

A client I used to deal with infrequently had ESXi servers going offline unexpectedly. They were in a managed datacentre and the technicians kept on powering off some of their servers when OTHER customers’ servers needed reboots mistakenly.

 

The latest time this happened the client (quite rightly) got very irate and demanded to know what happened this time and why they couldn’t tell their servers apart. Their support team claimed that a cable must’ve leaned on the server’s power button whilst they were working on another server in the rack. If true it makes you question what the cabling looks like in that place!

Right! I guess all of us have seen such cabling in different server locations :grinning:

Wolfgang | vnote42.net | @vNote42
marcofabbri
Userlevel 7
Badge +13

RDP in some internal sysadmin’s hands who woke up to update something on servers because that day got inspired… :see_no_evil:

Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
vNote42
Userlevel 7
Badge +13

RDP in some internal sysadmin’s hands who woke up to update something on servers because that day got inspired… :see_no_evil:

Right! When you also think about RDP-manager with stored authentication credentials to be able to double-click a server to connect without entering anything. :fearful:

Wolfgang | vnote42.net | @vNote42
Link State
Userlevel 7
Badge +7

  

RDP in some internal sysadmin’s hands who woke up to update something on servers because that day got inspired… :see_no_evil:

Right! When you also think about RDP-manager with stored authentication credentials to be able to double-click a server to connect without entering anything. :fearful:

 

mimikatz ftw :joy:

I recommend not to leave the possibility to cache credentials on Windwos or Windows server in AD domain it is strongly recommended to implement a set of GPO to prevent this kind of attacks. 

Preventing Mimikatz Attacks. Mimikatz is playing a vital role in… | by Panagiotis Gkatziroulis | Blue Team | Medium

 

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104 - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
BertrandFR
Userlevel 7
Badge +8

running ansible playbook on bad target, obivoulsly veeam backup save my ass :sweat_smile: .Thanks to instant recovery nobody notices the failure. Since this i wrote more sanity check in my code

Comment


Terms & Conditions