BlueHat v18 || May i see your credentials, please
0 likes803 views
This document discusses Windows Credential Manager and how attackers can target it. It provides an overview of Credential Manager, how it stores login credentials, and how applications interface with it. It then outlines how the Windows Defender ATP security solution protects credentials by collecting Windows event logs and other telemetry, using its cloud-based machine learning to detect anomalies and known threat patterns that could indicate credential theft.
BlueHat v18 || May i see your credentials, please
- 1. May I see your credentials, please? Dana Baril Security Software Engineer Credential Theft Detection From Windows Credential Manager
- 2. WHY IS IT IMPORTANT NotPetya
- 3. THE ATTACK LIFECYCLE Intelligence Gathering Point Of Entry Command & Control Lateral Movement Data Exfiltration Asset / Data Delivery
- 4. • Windows Credential Manager is a central place to save login information for websites, connected applications and networks • Credentials can be passwords, certificates, access tokens WINDOWS CREDENTIAL MANAGER
- 9. WINDOWS CREDENTIAL MANAGER Lsass.exe Remote Desktop ChromeEdge Windows Explorer CredMan/Vault API CredMan/Vault RPC server RPC GetCredential FindCredential Enumerate
- 10. WINDOWS CREDENTIAL MANAGER Lsass.exe Remote Desktop ChromeEdge Windows Explorer CredMan/Vault API CredMan/Vault RPC server RPC User Profile Encrypt/ Decrypt GetCredential FindCredential Enumerate
- 11. WINDOWS CREDENTIAL MANAGER Lsass.exe Remote Desktop ChromeEdge Windows Explorer CredMan/Vault API CredMan/Vault RPC server RPC User Profile Encrypt/ Decrypt GetCredential FindCredential Enumerate Mimikatz.exe
- 13. POST BREACH PROTECTION • EPP vs. EDR
- 14. Threat Intelligence from partnerships Threat Intelligence by Microsoft hunters Customers' Windows Defender ATP tenant Windows APT Hunters, MCS Cyber EDR HIGH LEVEL ARCHITECTURE Security ML analytics Behavioral IOAs Dictionary Files and URLs detonation Known adversaries unknown Customer own Threat IntelligenceTI Forensic collection Always-on endpoint behavioral sensors Response Investigation Alerts SecOps console Response
- 15. Threat Intelligence from partnerships Threat Intelligence by Microsoft hunters Customers' Windows Defender ATP tenant Windows APT Hunters, MCS Cyber EDR HIGH LEVEL ARCHITECTURE Security ML analytics Behavioral IOAs Dictionary Files and URLs detonation Known adversaries unknown Customer own Threat IntelligenceTI Forensic collection Always-on endpoint behavioral sensors Response Investigation Alerts SecOps console Response
- 17. WINDOWSOS TELEMETRY Event Logs Lsass.exe Remote Desktop ChromeEdge Windows Explorer CredMan/Vault API CredMan/Vault RPC server RPC User Profile Encrypt/ Decrypt GetCredential FindCredential Enumerate Mimikatz.exe
- 19. DEMO
- 20. Threat Intelligence from partnerships Threat Intelligence by Microsoft hunters Customers' Windows Defender ATP tenant Windows APT Hunters, MCS Cyber HIGH LEVEL ARCHITECTURE Security ML analytics Behavioral IOAs Dictionary Files and URLs detonation Known adversaries unknown Customer own Threat IntelligenceTI Forensic collection Always-on endpoint behavioral sensors Response Investigation Alerts SecOps console Response
- 21. CLOUD-BASED DETECTION • Lots of data! • Anomaly detection • Apps credentials • Web credentials • Process signature and prevalence • ML based abnormality This Photo by Unknown Author is licensed under CC BY-NC-ND
- 22. SUMMARY • Windows Credential Manager • Credential Manager internals • Threats on Credential Manager API • Windows Defender ATP • Detection: • Windows OS telemetry • ATP cloud-based detections engine
- 23. THANK YOU • Alan Chan • Mark Wodrich • Jonathan Bar-Or • Jasika Bawa • Windows Defender Team • My husband, Daniel
- 24. QUESTIONS