Артём Синицын, Microsoft. Падение Олимпа: как защитить ваш домен Active Directory от современных векторов атак
- 3. Tier 2 Workstation & Device Admins Tier 0 Domain & Enterprise Admins Tier 1 Server Admins 1. Beachhead (Phishing Attack, etc.) 2. Lateral Movement a. Steal Credentials b. Compromise more hosts & credentials 3. Privilege Escalation a. Compromise unpatched servers b. Get Domain Admin credentials 4. Execute Attacker Mission a. Steal data, destroy systems, etc. b. Persist Presence 24-48 Hours
- 12. 1. Single IT Pro’s machine is compromised IT Pro manages kiosks/shared devices on network Attacker steals IT Pro’s access token 2. Using IT Pros access token attacker looks for kiosk/shared devices and mines them for tokens 3. Repeat TODAY’S SECURITY CHALLENGE: PASS THE HASH ATTACKS 1. How Pass-the-Hash works PDF 2. Mitigating Pass-the-Hash and Other Credential Theft v1 3. Mitigating Pass-the-Hash and Other Credential Theft v2 https://aka.ms/pth
- 13. TODAY’S SOLUTION: CREDENTIAL GUARD à Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack à Credential Guard uses VBS to isolate Windows authentication from Windows operating system à Protects LSA Service (LSASS) and derived credentials (NTLM Hash) à Fundamentally breaks derived credential theft using MimiKatz, Kernel Windows Platform Services Apps Kernel Windows Defender System Guard Credential Guard Trustlet#2 Trustlet#3 Hypervisor Device Hardware Windows Operating System Hyper-VHyper-V
- 21. CODE TODAY’S CHALLENGE: OUR ANSWER: CODE MUST EARN TRUST BEFORE USE