The Enemy Within: Stopping Advanced Attacks Against Local Users
- 1. The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec
Marina Simakov, Security Researcher, Microsoft ATA
- 47. Who can query SAMR by default, and whether the default can be changed:

  Windows version                        Who can query SAMR by default   Can the default be changed?
  Older than Win10                       Any domain user                 No
  Win10 (before the Anniversary Update)  Any domain user                 Yes (only via registry)
  Win10 Anniversary Update (1607)        Only local administrators       Yes (registry or GPO)
  and later
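The registry setting behind this table is RestrictRemoteSAM, a security descriptor under the Lsa key that the "Network access: Restrict clients allowed to make remote calls to SAM" policy writes. The PowerShell below is an added example, not code from the slides or from ATA: it reads the current value, applies the administrators-only descriptor, and checks from a plain domain account whether a target host still answers SAMR enumeration (the WinNT ADSI provider enumerates local accounts over SAMR). The host name SRV01 is assumed; the default SDDL string is the documented one for Windows 10 1607 / Server 2016 and later.

```powershell
# Added example: check and harden remote SAMR access (RestrictRemoteSAM).
# On builds older than 1607 the value does not exist unless the fix was backported.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$adminSd = 'O:BAG:BAD:(A;;RC;;;BA)'   # READ_CONTROL for BUILTIN\Administrators only (1607+ default)

function Get-RestrictRemoteSam {
    $v = Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NOT SET (any authenticated domain user can query SAMR)' }
    return $v.RestrictRemoteSAM
}

function Set-RestrictRemoteSam {
    # Run elevated. GPO equivalent: Computer Configuration > Windows Settings >
    # Security Settings > Local Policies > Security Options >
    # "Network access: Restrict clients allowed to make remote calls to SAM".
    param([string]$Sddl = $adminSd)
    Set-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM -Value $Sddl -Type String
}

function Test-RemoteSamEnum {
    # Run as a non-admin domain user. Before hardening this lists the target's
    # local users; after hardening the enumeration fails with access denied.
    param([string]$Target = 'SRV01')   # assumed host name
    try {
        $users = ([ADSI]"WinNT://$Target").Children | Where-Object SchemaClassName -eq 'user'
        return @{ Allowed = $true; Users = @($users | ForEach-Object { [string]$_.Name }) }
    } catch {
        return @{ Allowed = $false; Error = $_.Exception.Message }
    }
}

"Current value: $(Get-RestrictRemoteSam)"
$r = Test-RemoteSamEnum -Target 'SRV01'
if ($r.Allowed) { "SAMR enumeration allowed: $($r.Users -join ', ')" }
else            { "SAMR enumeration blocked: $($r.Error)" }
```

Roll the descriptor out through GPO rather than per host, and test it with a non-admin account first: the same restriction also blocks legitimate tools (vulnerability scanners, inventory agents) that enumerate local groups as a low-privileged user, so those accounts need to be granted in the SDDL or run as local administrators. Windows logs the SAM access decisions under the Directory-Services-SAM source in the System log, which is a useful way to see who still relies on remote SAMR before enforcing the change.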
Editor's Notes
- Initial recon:
  Attackers' goal: identify interesting assets. Find all users, machines, etc.
  Attackers are not administrators on the machine.
  Means:
    SAMR recon (net group / net user)
    DNS recon
  Local privilege escalation:
  Attackers' goal: become local administrator.
  Means:
    Compromised credentials
      of a domain user who has local administrator privileges
      of a local administrator
    0-days / known vulnerabilities (CVEs)
  Compromise credentials:
  Attackers' goal: get credentials to expand toward the destination.
  Means:
    Windows credential harvesting tools
      Mimikatz
    Passwords in Group Policy
    Passwords in plaintext
      "passwords.txt"
      In e-mail
  Admin recon:
  Attackers' goal: find machines that have admin credentials on them.
  Means:
    NetSess (session enumeration)
    Luring an admin: creating an IT ticket and waiting for the admin to connect
  Remote code execution:
  Attackers' goal: take over another machine using the compromised credentials.
  Means:
    PsExec (creates a new remote service)
    Remote scheduled task
    WMI
    Remote PowerShell
    RDP
    Remote Registry
  Lateral movement:
    The vehicle is remote code execution
    The fuel is compromised credentials
    The map is provided by recon
    The ignition key is local privilege escalation
  That is what real-world attacks look like: an APT has multiple stages, carried out over months.
  None of the traditional security products (SIEMs, IPSs, IDSs, etc.) provide solutions for detecting compromised credentials, lateral movement and the other elements present in every APT.
  ATA (and UEBA in general) focuses *exactly* on this blind spot and provides detection capabilities for the different stages, based on UEBA.
  That is why a new market for UEBA solutions has emerged in the last year:
  Detect attackers before they cause damage.
- Domain dominance
  Attackers' goal: get full control over the domain, i.e. access all assets, all the time.
  Means:
    NTDS.DIT stealing to get all keys
      DCSync
      Backup utilities
    Create new admins
    Compromise the KRBTGT key for a Golden Ticket
    Install the Skeleton Key malware
    Get more secrets with DPAPI
  Attacking data
  Attackers' goal: get the data they are after.
  Lateral movement: same same, but different
    Fast and easy: the attackers have all the credentials
    Some subject matter expertise (SME) might be required
    Reading documents -
- This is where ATA focuses:
  Detect attackers before they cause damage.
- Infiltrate the network by compromising a domain account (phishing, etc.)
  Eventually compromise domain admin credentials
  Shortest path
- Prioritize the list of assets
  Be aware of relationships and dependencies
- It is not enough to think in graphs
  Explicitly: IT wants a "master key"
  Implicitly: an image is prepared in advance
  Local users are copied
- Remove such policies
- No password is needed
  A graph "link" from any other computer to such machines
- Local privilege escalation: attackers can escalate to local admin with brute force
  Compromise creds:
    The local user's hash can be harvested from memory/disk
    If the remote machine's local user has the same password, PtH works (no cracking)
  Admin recon: the local admins of a machine can be remotely queried
  Remote code execution: can be done with the remote machine's local user's creds
- Brute force to obtain local privileged user credentials
  Small tool written in C#
  Expects a username and password dictionary
  High rate: more than 200k attempts per minute
  Authentication is performed locally
  No traffic overhead
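Because the tool authenticates through the local logon path rather than across the network, nothing crosses the wire for an IDS or the DC to see; what remains is the host's own Security log, where every failed attempt still yields event 4625 with the machine name as the target domain. The PowerShell below is an added example, not the authors' tool or ATA's logic: it collects 4625 events, keeps only those aimed at local accounts, and flags any account whose failures exceed a threshold inside a sliding window. The sample events, the host name WS01, and the 50-in-5-minutes threshold are constructed assumptions.

```powershell
# Added example: detect brute force against local accounts from Security event 4625.
# Reading the Security log requires an elevated session.

function Get-FailedLocalLogons {
    # Pull 4625 events and project the EventData fields the detection needs.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            TargetUser   = $d['TargetUserName']
            TargetDomain = $d['TargetDomainName']
            LogonType    = [int]$d['LogonType']
            Status       = $d['SubStatus']      # 0xC000006A = wrong password, 0xC0000064 = no such user
        }
      }
}

function Find-LocalBruteForce {
    # Count failures per local account in a sliding window and flag high peaks.
    # A local account is one whose target domain is the machine itself.
    param(
        [object[]]$Events,
        [int]$Threshold = 50,
        [int]$WindowMinutes = 5,
        [string]$Computer = $env:COMPUTERNAME
    )
    $local = $Events | Where-Object {
        $_.TargetDomain -in @($Computer, '.', '') -and $_.TargetUser -ne '-'
    }
    $local | Group-Object TargetUser | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $start = 0; $peak = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            while (($sorted[$i].Time - $sorted[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $peak = [math]::Max($peak, $i - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{ Account = $_.Name; PeakFailuresInWindow = $peak; TotalFailures = $sorted.Count }
        }
    }
}

# Constructed sample (not real log data): 120 failures against the local
# Administrator in 30 seconds, plus two mistypes by a domain user that must not fire.
$t0 = Get-Date '2016-09-01 10:00:00'
$sample = @(
    0..119 | ForEach-Object {
        [pscustomobject]@{ Time=$t0.AddMilliseconds($_ * 250); TargetUser='Administrator';
                           TargetDomain='WS01'; LogonType=2; Status='0xC000006A' }
    }
    [pscustomobject]@{ Time=$t0.AddMinutes(1); TargetUser='jdoe'; TargetDomain='CORP'; LogonType=2; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddMinutes(2); TargetUser='jdoe'; TargetDomain='CORP'; LogonType=2; Status='0xC000006A' }
)
Find-LocalBruteForce -Events $sample -Computer 'WS01' | Format-Table
# On a live host:  Find-LocalBruteForce -Events (Get-FailedLocalLogons) | Format-Table
```

At the rate quoted on the slide the window fills in well under a minute, so the threshold matters less than whether the events are being forwarded at all: without a forwarding or agent-based collector the evidence stays on the attacked workstation. Also check the account lockout threshold (net accounts); the built-in RID 500 Administrator account has traditionally been exempt from lockout, which is what makes this rate practical against it.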
- Valuable information
- Misconception: the damage from local accounts is limited to the boundaries of the individual machine
  However, these accounts can be used to compromise the entire domain
- How common is the use of local credentials during real attacks?
  Enables attackers to execute the PtH attack using local accounts
  Used in most cases!
  Attackers are one step ahead of the defenders
- More ways for attackers to use local accounts during an attack
  Adding local accounts
    For persistence
  "Reverse hardening"
    Disrupts defenders
- Again, how common is this scenario?
  Here is a real example of malware found on Azure
  One of the things it does is add…
- Periodically query local users over SAMR:
  Users' info
  Group membership
  Discover security issues:
    Abnormal login patterns
    Brute-force attempts
    Enabled Guest accounts
    Privileged group modifications
    Password configuration issues
    Cloned local users
- Fetches all domain machine records from the DC over LDAP
  Remotely scans all domain machines using the SAMR protocol
  Retrieves all local accounts' data from the SAM
- 2 types of detections:
  Configuration issues found from a single scan (cloned users, enabled Guest)
  Deltas found between each two consecutive scans that may indicate a potential attack
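A scanner along the lines described on these last slides, as an added example and not ATA's code: the machine list comes from LDAP, each host's local users and Administrators members are read through the WinNT ADSI provider (SAMR underneath), and the two detection types run over plain snapshot objects so they can be exercised offline. The host names, SIDs and the 20-new-bad-passwords threshold are constructed, and the cloned-image heuristic (the same machine SID on more than one host) is an assumption; the slides do not say how ATA detects cloned users.

```powershell
# Added example: remote local-account scanner with single-scan checks and scan-to-scan deltas.

function Get-DomainComputers {
    # LDAP query for every computer object known to the DC.
    $s = [adsisearcher]'(objectCategory=computer)'
    $s.PageSize = 1000
    $s.PropertiesToLoad.Add('dNSHostName') | Out-Null
    $s.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }
}

function Get-LocalAccountSnapshot {
    # One snapshot of a machine's local users and Administrators members over SAMR.
    param([string]$Computer)
    $root  = [ADSI]"WinNT://$Computer"
    $users = $root.Children | Where-Object SchemaClassName -eq 'user' | ForEach-Object {
        [pscustomobject]@{
            Name        = [string]$_.Name
            Sid         = (New-Object Security.Principal.SecurityIdentifier($_.ObjectSid.Value, 0)).Value
            Disabled    = [bool]([int]$_.UserFlags.Value -band 2)   # ADS_UF_ACCOUNTDISABLE
            BadPwdCount = [int]$_.BadPasswordAttempts.Value
        }
    }
    $grp    = [ADSI]"WinNT://$Computer/Administrators,group"
    $admins = $grp.Invoke('Members') | ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    [pscustomobject]@{ Computer=$Computer; Time=Get-Date; Users=@($users); Admins=@($admins) }
}

function Test-SingleScan {
    # Configuration issues visible from a single snapshot.
    param([object[]]$Snapshots)
    foreach ($s in $Snapshots) {
        $guest = $s.Users | Where-Object { $_.Sid -like '*-501' }      # RID 501 = Guest
        if ($guest -and -not $guest.Disabled) {
            [pscustomobject]@{ Computer=$s.Computer; Issue='Guest account enabled' }
        }
    }
    # Cloned image: identical machine SID (user SID minus the RID) on more than one host.
    $Snapshots | Where-Object { $_.Users } |
      Group-Object { $_.Users[0].Sid -replace '-\d+$', '' } |
      Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Computer=($_.Group.Computer -join ','); Issue="Cloned local users (machine SID $($_.Name))" }
      }
}

function Test-ScanDelta {
    # Changes between two consecutive snapshots of the same machine.
    param($Previous, $Current)
    $c = $Current.Computer
    foreach ($a in ($Current.Admins | Where-Object { $_ -notin $Previous.Admins })) {
        [pscustomobject]@{ Computer=$c; Issue="New local Administrators member: $a" }
    }
    foreach ($u in $Current.Users) {
        $p = $Previous.Users | Where-Object Sid -eq $u.Sid
        if (-not $p) { [pscustomobject]@{ Computer=$c; Issue="New local user: $($u.Name)" }; continue }
        if ($p.Disabled -and -not $u.Disabled) { [pscustomobject]@{ Computer=$c; Issue="Account enabled: $($u.Name)" } }
        $newBad = $u.BadPwdCount - $p.BadPwdCount
        if ($newBad -ge 20) { [pscustomobject]@{ Computer=$c; Issue="Possible brute force against $($u.Name) ($newBad new failures)" } }
    }
}

# Constructed snapshots (not real scan data). WS01 and WS02 share a machine SID
# (cloned image); WS02's second scan shows a new admin, an enabled Guest and a
# jump in the Administrator bad-password count.
$sidA = 'S-1-5-21-111-222-333'
function New-User($n, $rid, $sid, $dis, $bad) { [pscustomobject]@{ Name=$n; Sid="$sid-$rid"; Disabled=$dis; BadPwdCount=$bad } }
$ws01  = [pscustomobject]@{ Computer='WS01'; Users=@((New-User Administrator 500 $sidA $false 0), (New-User Guest 501 $sidA $true 0)); Admins=@('Administrator') }
$ws02a = [pscustomobject]@{ Computer='WS02'; Users=@((New-User Administrator 500 $sidA $false 0), (New-User Guest 501 $sidA $true 0)); Admins=@('Administrator') }
$ws02b = [pscustomobject]@{ Computer='WS02'; Users=@((New-User Administrator 500 $sidA $false 240), (New-User Guest 501 $sidA $false 0), (New-User svc_bk 1001 $sidA $false 0)); Admins=@('Administrator', 'svc_bk') }

Test-SingleScan -Snapshots @($ws01, $ws02b) | Format-Table
Test-ScanDelta -Previous $ws02a -Current $ws02b | Format-Table
# Live:  $snap = Get-DomainComputers | ForEach-Object { Get-LocalAccountSnapshot $_ }
```

The scanning account needs to be allowed by RestrictRemoteSAM on the targets (by default, on Windows 10 1607 and later, that means a local administrator), so the scanner itself becomes a high-value credential; run it from a dedicated account, and treat a sudden wave of "access denied" from hosts that used to answer as its own signal, since it means either the hardening was rolled out or the scanner's access was tampered with.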