The Enemy Within: Stopping Advanced Attacks Against Local Users

Editor's Notes

• #7: Initial Recon: Attackers Goal: Identify interesting assets. Find all users, machines, etc. Attackers are not administrator on the machine Means: SAMR Recon (net group/user) DNS Recon Local privilege escalation Attackers Goal: become local administrator Means Compromised Creds Of a Domain User who has Local administrator privileges Of a Local administrator privileges 0 days / Known vulnerabilities (CVEs) Compromise Credentials Attacker Goals: Get creds to expand toward destination Means: Windows cred harvesting Tools Mimikatz Passwords in Group Policy Passwords in plaintext “passwords.txt” In E-mail Admin recon Attackers’ Goal: Find machines that has Admin creds on Means: NetSess Luring admin Creating an IT ticket and waiting for admin to connect Remote Code Execution Attackers’ Goals: take over another machine using compromised creds Means: PsExec (new remote service) Remote ScheduleTask WMI Remote PowerShell RDP Remote Registry Lateral Movement Vehicle is Remote Code Execution Fuel is Compromised Creds Map is provided by Recon Ignition Key is Local privilege Escalation That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs,IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year: Detect attackers before they cause damage. That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs, IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year: Detect attackers before they cause damage.
• #8: Domain dominance Attackers Goal: Get full control over the domain, i.e. access all assets, all the time Means NTDS.DIT stealing to get all keys DC-SYNC Backup utils Create new admins Compromise KRBTGT key for Golden Ticket Install the Skeleton Key Malware Get more secrets with DPAPI Attacking Data Attackers Goal: Get the data they are after Lateral Movement Same Same, But different Fast and Easy: attackers’ has all credentials Some Subject Matter Expertise (SME) might be required Reading documents - That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs, IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year: Detect attackers before they cause damage.
• #9: This is where ATA focuses on. Detect attackers before they cause damage. That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs, IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year:
• #15: Infiltrate the network by compromising domain account (phishing etc) Eventually compromise domain admin creds Shortest path
• #16: Prioritize list of assets Be aware of relationships & dependencies
• #17: Not enough to think in graphs Explicitly – IT wants a “master key” Implicitly – Image prepared in advance Local Users are copied
• #18: Remove such policies
• #19: No password is needed A graph “link” from any other computer to such machines
• #20: Local Privilege Escalation: Attackers can escalate to local Admin with BruteForce Compromise creds: Local user hash can be harvested from memory/disk If the remote machine’s local user has the same password PtH works (no cracking) Admin Recon: Local admins of a machine can be remotely queried Remote Code Execution: Can be done with remote machine local user’s creds
• #22: Brute force to obtain local privileged user credentials Small tool written in C# Expects a username & password dictionary High rate – more than 200k attempts per minute Authentication is performed locally No traffic overhead
• #25: Valuable information
• #26: Misconception that the damage of local accounts is limited to the boundaries of the individual machine However – these accounts can be used to compromise the entire domain
• #28: How common is the use of local credentials during real attacks? Enables attackers to execute the PtH attack using local accounts Used in most cases! Attackers one step ahead of the defenders
• #29: More ways for attackers to use local accounts during an attack Adding For persistency “Reverse hardening” Disrupts defenders
• #30: Again – how common is this scenario? Here is a real example of a malware found on Azure One of the things that it does is add…
• #35: Periodically query Local Users over SAMR Users Info Group membership Discover security issues: Abnormal login patterns BruteForce attempts Enabled Guest accounts Privileged group modifications Password configuration issues Cloned Local Users
• #36: Fetches all domain machines records from DC over LDAP Remotely scans all domain machines using the SAMR protocol Retrieves all local accounts’ data from SAM
• #37: 2 types of detections: Configuration issues found from a single scan (cloned, guest) Deltas found between each 2 consecutive scans that may indicate a potential attack