The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec
Marina Simakov, Security Researcher, Microsoft ATA
Intro
“When the Cyber Kill-Chain Met Local Users”
[Attack-path graph, nodes only: Group: IT Admins; User: Bob; Computer: Server1; User: Mary; Group: Domain Admins]
http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
https://www.safety.com/wp-content/uploads/2012/12/Burglar-Entry-300x300.jpg
Admin Recon
Defending
http://s1206.photobucket.com/user/harbottle1/media/Posters%202/LocalHeroQuad.jpg.html
Parting Thoughts
Win version                 Who can query SAMR by default   Can default be changed
< Win10                     Any domain user                 No
Win10                       Any domain user                 Yes (only via registry)
> Win10 (e.g. Anniversary)  Only local administrators       Yes (registry or GPO)


Editor's Notes

  1. Initial recon
     - Attackers' goal: identify interesting assets. Find all users, machines, etc. Attackers are not administrators on the machine.
     - Means: SAMR recon (net group/user), DNS recon.
     Local privilege escalation
     - Attackers' goal: become local administrator.
     - Means: compromised creds of a domain user who has local administrator privileges, or of a local administrator; 0-days / known vulnerabilities (CVEs).
     Compromise credentials
     - Attackers' goal: get creds to expand toward the destination.
     - Means: Windows cred harvesting tools (Mimikatz); passwords in Group Policy; passwords in plaintext (“passwords.txt”, in e-mail).
     Admin recon
     - Attackers' goal: find machines that have admin creds on them.
     - Means: NetSess; luring an admin (creating an IT ticket and waiting for the admin to connect).
     Remote code execution
     - Attackers' goal: take over another machine using compromised creds.
     - Means: PsExec (new remote service), remote scheduled task, WMI, remote PowerShell, RDP, remote registry.
     Lateral movement
     - The vehicle is remote code execution, the fuel is compromised creds, the map is provided by recon, and the ignition key is local privilege escalation.
     That's what real-world attacks look like. An APT has multiple stages, taking place over months. None of the traditional security products (SIEMs, IPSs, IDSs, etc.) provide solutions for detecting compromised credentials, lateral movement and the other elements present in every APT. ATA (and UEBA in general) focuses *EXACTLY* on this blind spot and provides detection capabilities for the different stages based on UEBA. That's why a new market for UEBA solutions emerged in the last year: detect attackers before they cause damage.
  2. Domain dominance
     - Attackers' goal: get full control over the domain, i.e. access all assets, all the time.
     - Means: NTDS.DIT stealing to get all keys (DCSync, backup utilities); create new admins; compromise the KRBTGT key for a Golden Ticket; install the Skeleton Key malware; get more secrets with DPAPI.
     Attacking data
     - Attackers' goal: get the data they are after.
     - Lateral movement: same same, but different. Fast and easy, since the attackers have all the credentials; some subject matter expertise (SME) might be required for reading the documents.
  3. This is where ATA focuses: detect attackers before they cause damage.
  4. Infiltrate the network by compromising a domain account (phishing, etc.). Eventually compromise domain admin creds. Shortest path.
  5. Prioritize the list of assets. Be aware of relationships & dependencies.
  6. It is not enough to think in graphs. Explicitly: IT wants a “master key”. Implicitly: an image is prepared in advance, and local users are copied with it.
  7. Remove such policies.
  8. No password is needed. This creates a graph “link” from any other computer to such machines.
  9. Local privilege escalation: attackers can escalate to local admin with brute force. Compromise creds: a local user hash can be harvested from memory/disk; if the remote machine's local user has the same password, PtH works (no cracking). Admin recon: the local admins of a machine can be remotely queried. Remote code execution: can be done with the remote machine's local user creds.
  10. Brute force to obtain local privileged user credentials. Small tool written in C#. Expects a username & password dictionary. High rate: more than 200k attempts per minute. Authentication is performed locally, so there is no traffic overhead.
  11. Valuable information.
  12. There is a misconception that the damage from local accounts is limited to the boundaries of the individual machine. However, these accounts can be used to compromise the entire domain.
  13. How common is the use of local credentials during real attacks? It enables attackers to execute the PtH attack using local accounts. Used in most cases! Attackers are one step ahead of the defenders.
  14. More ways for attackers to use local accounts during an attack: adding accounts for persistency; “reverse hardening”, which disrupts defenders.
  15. Again, how common is this scenario? Here is a real example of malware found on Azure. One of the things that it does is add…
  16. Periodically query local users over SAMR: user info and group membership. Discover security issues: abnormal login patterns, brute-force attempts, enabled Guest accounts, privileged group modifications, password configuration issues, cloned local users.
  17. Fetches all domain machine records from the DC over LDAP. Remotely scans all domain machines using the SAMR protocol. Retrieves all local accounts' data from the SAM.
  18. Two types of detections: configuration issues found from a single scan (cloned, guest), and deltas found between each two consecutive scans that may indicate a potential attack.
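The two detection tiers from notes 16 to 18 (single-scan configuration issues, and deltas between consecutive scans), as an added example that is not code from the presentation or from Microsoft ATA. It assumes a scanner has already collected, per machine, each local account's name, RID, enabled flag and PasswordLastSet value plus the membership of the local Administrators group; the record layout, the clone heuristic (same name, RID and PasswordLastSet on more than one machine, which is what an image-deployed account looks like) and the sample fleet are constructed for the example.

```python
# Added example (not the presentation's or Microsoft ATA's code): two-tier
# detection over periodic local-account scans. Record layout, clone
# heuristic and sample data are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalUser:
    name: str
    rid: int
    enabled: bool
    password_last_set: str  # PasswordLastSet as reported by the scanner (ISO time)


@dataclass(frozen=True)
class MachineScan:
    host: str
    users: tuple            # tuple of LocalUser
    local_admins: frozenset  # account names in the local Administrators group

    def user_map(self):
        return {u.name.lower(): u for u in self.users}


def single_scan_findings(scans):
    """Tier 1: configuration issues visible in one scan of the whole fleet."""
    findings = []
    signature_hosts = defaultdict(set)
    for scan in scans:
        for u in scan.users:
            if u.name.lower() == "guest" and u.enabled:
                findings.append(("enabled_guest", scan.host, u.name))
            # Clone signature: an enabled account with the same name, RID and
            # PasswordLastSet on several machines was copied from one image,
            # so its password is shared across all of them (PtH target).
            if u.enabled:
                signature_hosts[(u.name.lower(), u.rid, u.password_last_set)].add(scan.host)
    for (name, _rid, _ts), hosts in signature_hosts.items():
        if len(hosts) > 1:
            findings.append(("cloned_local_user", tuple(sorted(hosts)), name))
    return findings


def delta_findings(previous, current):
    """Tier 2: changes between two consecutive scans of the same host."""
    assert previous.host == current.host, "compare scans of the same machine"
    findings = []
    before, after = previous.user_map(), current.user_map()
    for key in sorted(set(after) - set(before)):
        findings.append(("new_local_user", current.host, after[key].name))
    for key in sorted(set(before) & set(after)):
        if not before[key].enabled and after[key].enabled:
            findings.append(("account_enabled", current.host, after[key].name))
    for name in sorted(current.local_admins - previous.local_admins):
        findings.append(("admin_group_addition", current.host, name))
    for name in sorted(previous.local_admins - current.local_admins):
        findings.append(("admin_group_removal", current.host, name))
    return findings


# Constructed sample: ws1 and ws2 were deployed from the same image, so their
# Administrator and svc_local accounts carry identical RID/PasswordLastSet.
_IMAGE_ADMIN = LocalUser("Administrator", 500, True, "2016-01-04T09:00:00Z")
_IMAGE_SVC = LocalUser("svc_local", 1001, True, "2016-01-04T09:12:00Z")
SCAN_T0 = [
    MachineScan("ws1", (_IMAGE_ADMIN, LocalUser("Guest", 501, False, "2016-01-04T09:00:00Z"),
                        _IMAGE_SVC), frozenset({"Administrator", "svc_local"})),
    MachineScan("ws2", (_IMAGE_ADMIN, LocalUser("Guest", 501, False, "2016-01-04T09:00:00Z"),
                        _IMAGE_SVC), frozenset({"Administrator", "svc_local"})),
]
# Next scan of ws2: Guest was enabled and a new account joined Administrators.
WS2_T1 = MachineScan("ws2", (_IMAGE_ADMIN, LocalUser("Guest", 501, True, "2016-01-04T09:00:00Z"),
                             _IMAGE_SVC, LocalUser("support2", 1002, True, "2016-03-17T22:41:00Z")),
                     frozenset({"Administrator", "svc_local", "support2"}))

if __name__ == "__main__":
    for f in single_scan_findings(SCAN_T0):
        print("single-scan:", f)
    for f in delta_findings(SCAN_T0[1], WS2_T1):
        print("delta:", f)
```

The single-scan tier is fleet-wide because a cloned account only shows up when the same signature appears on more than one host, while the delta tier runs per host; a real deployment would persist the previous scan per machine and run both after every collection cycle. Disabled accounts are excluded from the clone check since they cannot be used for pass-the-hash, but an enabled Guest is reported regardless.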