The Enemy Within: Stopping Advanced Attacks Against Local Users

Post on 13-Apr-2017


Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec
Marina Simakov, Security Researcher, Microsoft ATA

Speaker Info – Tal Be’ery
• Sr. Security Research Manager @Microsoft
• Developing Microsoft ATA (Advanced Threat Analytics)
• Former VP for Research @Aorato (Acquired by Microsoft)
• 15 years of security research
• Author of the TIME attack on SSL
• Regular speaker in top conventions
• Named a “Facebook Whitehat”
• Twitter: @TalBeerySec

Speaker Info – Marina Simakov
• Security Researcher @Microsoft
• Developing Microsoft ATA (Advanced Threat Analytics)
• B.Sc. and M.Sc. degrees in Computer Science (Magna cum laude)
• Published several papers in the field of Computational Geometry

Agenda
• Intro
• Targeted Attackers TTPs and Windows Authentication
  • Local users authentication
• Local users in Targeted Attacks
  • Hidden links in the Attack Graph
  • Lateral Movement
• Hardening and Defending
  • Local Hero Scanner: Remotely Monitoring Local Users
  • Hardening: SAMRi10, Group Policy, LAPS
• DEMO!!! Blue + Red
• Outro: Summary + Call for Action!

Intro

Attack kill chain

Attack kill chain and ATA

Walking through doors

Attackers’ Lateral Movement MO: Not going through walls

• Windows’ machines doors are usually locked
  • Lock = Auth Protocol
  • Keys = Credentials
• Good News: Multiple locks!
• Bad News: in a “Daisy Chain”

Windows Authentication

[Diagram: Windows authentication mechanisms (NTLM, Kerberos, Cached Credentials, Local) and the known attacks against each: PtH, Remote Butler, OverPtH, NTLM Relay, Skeleton Key, MS14-068, PtT; the Local column is marked “?”]

• The oldest Windows’ auth protocol
• Credentials of local accounts:
  • Stored in the local SAM database
  • Encrypted in the registry
• NT-hashes = MD4(password)
  • No Salt
  • Same password, different user/computer → same NT password hash!
  • No “Key-Stretching” (PBKDF2)
  • Easy to crack

Local Authentication: Local Users

• “The Enemy Within: Stopping Advanced Attacks Against Local Users”, Be’ery and Simakov, BlueHat Israel 2017

• Good thing you are here!

Attacks Against Local Users Authentication?

“When the Cyber Kill-Chain Met Local Users”

Attackers Think in Graphs!

[Attack graph (BloodHound example): User: Bob --MemberOf--> Group: IT Admins --AdminTo--> Computer: Server1 --HasSession--> User: Mary --MemberOf--> Group: Domain Admins]

http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24

Defenders Must Think in Graphs Too!

• Same local admin user + password
  • Explicitly
  • Implicitly
• One edge away!

Beware of Invisible Links!

• Local users created via Group Policy
• Unsafe -> no longer supported
• Relics on DC and Local Users

Beware of Invisible Links! (Again…)

• Enabled Guest Account
• Even in tech savvy organizations users leave the front door open…

Beware of Invisible Links! (And again…)


• Local Privilege Escalation
• Compromise Credentials
• Admin Recon
• Remote Code Execution

Lateral Movement and Local Users + Groups

• Compromise domain credentials

• Brute force to get local admin password

Local Privilege Escalation

• Brute force a privileged local account
  • High attempt rate
  • Local authentication
  • No traffic overhead

Local Privilege Escalation: BruteForce Tool

• Run elevated cmd
  • Through logon screen
  • Using a scheduled task
• Perform privileged operations

Local Privilege Escalation: Switch to Local Admin

• Use mimikatz to extract all users’ hashes and keys
  • mimikatz by Benjamin Delpy
  • https://github.com/gentilkiwi/mimikatz
• Local users included!

Compromise Creds

• ‘Get-NetLocalGroup’
  • PowerSploit by @mattifestation
• List local groups & users
  • Queries over SAMR protocol
  • Required Permissions: Any domain user

Admin Recon

Remote Code Execution

• Local Privilege Escalation:
  • ‘local_admin’ password guessed by Brute-Force
• Compromise Credentials:
  • Extract ‘Administrator’ hash
• Admin Recon:
  • Discover ‘Administrator’ on remote machine
• Remote Code Execution:
  • Using ‘Administrator’ hash

Lateral Movement and Local Users: Wrap-Up

• Identical passwords problem is common
• PtH against local admins is very prevalent

In the Wild: Access via Local Users

Source: Praetorian

• Adding local user + adding it to privileged local groups
• “Reverse hardening”:
  • Attackers remove other users’ privileges

Local Users + Groups Modifications

In the Wild: Adding Users

https://twitter.com/JohnLaTwC/status/777569424156921856

Defending

• Hardening:
  • Limit SAMR querying
  • Deny remote access using local credentials
  • Manage passwords of local accounts
• Not enough against advanced attackers!
  • There is a need to monitor local accounts’ activities

Protect Local Accounts

• Local users authentication is… well… Local
• Local groups modifications are local too
• A network monitoring security device cannot see it

Local Visibility Problem

Featuring the Local Hero Tool

• Periodic scans
• Discover security issues
  • Abnormal login patterns
  • BruteForce attempts
  • Enabled Guest accounts
  • Privileged group modifications
  • Password configuration issues
  • Cloned Local Users
• Forensic data for Hunters

Local Hero Visibility Solution

• Fetch all domain machines records
• Remotely scan all domain machines
• Retrieve all local accounts’ data from SAM
• Load results into a database
  • Analysis is implemented as queries over DB
• High performance
  • Scans ~13,000 machines in ~7 minutes
• No need to install agents

Local Hero: Under the Hood

• Dormant Local User Logon:

• Local User Brute Force

Local User Logon Anomalies Detection

User Added to Privileged Local Group Detection

Users Removed from Privileged Group Detection

• “Shallow copied” Local users: Hidden Attack Graph Links
• Identified via identical PasswordLastSet password change time
  • 64 bit, 100 nano-second resolution
  • Timestamp identical only if copied

Duplicate Local Users Credentials Detection

• Execute Get-GPPPassword.ps1 (PowerSploit)
• Compare results with Local Hero Scan

Group Policy Generated Local Users Detection

• Local Hero scan results

Enabled Guest Account
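As an added illustration of the “analysis is implemented as queries over DB” design (my own example, not Local Hero’s code or schema, which the talk does not show), the Python below loads a handful of constructed scan rows into an in-memory SQLite table and writes two of the detections from the slides above as plain SQL: cloned local users found through identical 64-bit PasswordLastSet values on different machines, and enabled Guest accounts, matched on the well-known Guest RID 501. The column names, host names and FILETIME values are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Rows a remote scanner would collect from each machine's SAM
# (constructed sample data, not output of the real Local Hero tool).
# Columns: machine, account name, RID, enabled flag, PasswordLastSet (FILETIME).
SCAN_RESULTS = [
    ("WS01", "Administrator", 500, 1, 131360000000000000),
    ("WS02", "Administrator", 500, 1, 131360000000000000),  # same tick as WS01: cloned image
    ("WS03", "Administrator", 500, 1, 131365123456789012),
    ("WS01", "Guest",         501, 0, 0),
    ("WS02", "Guest",         501, 1, 0),                   # enabled Guest
    ("WS03", "svc_backup",   1001, 1, 131364000000000000),
]


def filetime_to_iso(ft: int) -> str:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; Python's datetime
    resolves microseconds, so divide by 10."""
    when = datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_db(rows=SCAN_RESULTS) -> sqlite3.Connection:
    """Load scan rows into an in-memory database so detections are queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE local_accounts (
        machine TEXT, name TEXT, rid INTEGER, enabled INTEGER,
        password_last_set INTEGER)""")
    conn.executemany("INSERT INTO local_accounts VALUES (?,?,?,?,?)", rows)
    return conn


def find_cloned_accounts(conn):
    """Same account name with an identical PasswordLastSet on more than one
    machine. At 100 ns resolution two independently set passwords will not
    collide, so a match means the account was copied (e.g. a shared image).
    A zero timestamp means 'never set' and is excluded to avoid false hits."""
    cur = conn.execute("""
        SELECT name, password_last_set, GROUP_CONCAT(machine)
        FROM local_accounts
        WHERE password_last_set > 0
        GROUP BY name, password_last_set
        HAVING COUNT(DISTINCT machine) > 1""")
    return [(name, pls, sorted(machines.split(","))) for name, pls, machines in cur]


def find_enabled_guests(conn):
    """RID 501 is the well-known Guest account; it should be disabled everywhere."""
    cur = conn.execute(
        "SELECT machine FROM local_accounts WHERE rid = 501 AND enabled = 1 ORDER BY machine")
    return [m for (m,) in cur]


if __name__ == "__main__":
    db = build_db()
    for name, pls, machines in find_cloned_accounts(db):
        print(f"cloned '{name}' (PasswordLastSet {filetime_to_iso(pls)}) on {machines}")
    print("enabled Guest on:", find_enabled_guests(db))
```

The same table also supports the modification detections from the slides (users added to or removed from a privileged local group) once two scans are kept side by side and diffed by machine and RID.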

Local Hero Demo!


Parting Thoughts

• An in-depth Survey of Targeted Attackers’ use of Local Users + Groups
• Local Users are relevant to all Lateral Movement phases
  • Local Privilege Escalation
  • Compromise creds
  • Admin Recon
  • Remote Code Execution
• Local Users create hidden links in the attack graph
  • It really happens in the wild!
• Solutions and Mitigations:
  • Local Hero Scanner
  • Hardening with:
    • SAMRi10
    • LAPS
    • Deny remote access for Local Users

What We Learned?

• Remember: each step in a targeted attack is just a link in the Cyber attack Kill-chain
• Defenders can break the chain, by breaking ANY of the links
  • Even if Defenders miss a step, they can still catch the next step
• Therefore:
  • Harden your environment
    • SAMRi10
    • LAPS
    • Deny remote access for Local Users
  • Monitor Local Users + Groups
    • Local Hero Scanner

Call for Action: Defense in Depth

Questions?

©2015 Microsoft Corporation.  All rights reserved.  This presentation is provided "as-is." Information and views expressed in this presentation, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.  Some examples are for illustration only and/or are fictitious. No real association is intended or inferred.  This presentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use the contents of this presentation for your internal, reference purposes.

• Local users and groups querying can be limited!
• “SAMR Moved On”
• Win10 allows admins to control SAMR Recon
  • Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
  • GP: “Network Access: Restrict clients allowed to make remote calls to SAM”

Local Users & Group Recon Hardening

Win version                  Who can query SAMR by default   Can default be changed
< Win10                      Any domain user                 No
Win10                        Any domain user                 Yes (only via registry)
> Win10 (e.g. Anniversary)   Only local administrators       Yes (registry or GPO)

• A free, easy to use tool by Microsoft ATA Researcher Itai Grady
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b

Hardening with SAMRi10
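RestrictRemoteSAM holds a security descriptor in SDDL form. To my knowledge the Anniversary Update default, and what SAMRi10 applies, is O:BAG:BAD:(A;;RC;;;BA): only BUILTIN\Administrators are granted the READ_CONTROL right that the remote SAM access check tests. The audit below is an added example, not SAMRi10’s own code: given the exported value from each host it reports which principals may still enumerate local users and groups, so a fleet scan can flag machines where the setting is missing or was loosened. The SID alias table is a small subset of SDDL’s aliases, and the loosened sample value and host names are constructed.

```python
import re

# SDDL two-letter SID aliases likely to appear in this value (subset).
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "AU": "Authenticated Users",
    "WD": "Everyone",
    "DU": "Domain Users",
    "IU": "Interactive Users",
}
READ_CONTROL = 0x00020000   # "RC": the right the remote SAM check is gated on
GENERIC_ALL = 0x10000000    # "GA": implies every specific right, RC included
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return (ace_type, grants_read_control, trustee) for each DACL ACE."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)   # DACL runs until the SACL or the end
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")               # type;flags;rights;objtype;inhtype;sid
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            grants_rc = bool(int(rights, 16) & (READ_CONTROL | GENERIC_ALL))
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            grants_rc = bool(tokens & {"RC", "GA"})
        aces.append((ace_type, grants_rc, SID_ALIASES.get(trustee, trustee)))
    return aces


def remote_sam_callers(sddl):
    """Principals allowed READ_CONTROL and not explicitly denied it."""
    allowed, denied = [], set()
    for ace_type, grants_rc, trustee in parse_aces(sddl):
        if not grants_rc:
            continue
        if ace_type == "A":
            allowed.append(trustee)
        elif ace_type == "D":
            denied.add(trustee)
    return [t for t in allowed if t not in denied]


def is_hardened(sddl):
    """True when only the local Administrators group may query remote SAM."""
    return remote_sam_callers(sddl) == ["BUILTIN\\Administrators"]


def audit(machine, value):
    """One finding per machine, as a scanner would record it."""
    if value is None:
        return f"{machine}: RestrictRemoteSAM not set; the Windows version default applies"
    callers = ", ".join(remote_sam_callers(value)) or "nobody"
    verdict = "OK" if is_hardened(value) else "WEAK"
    return f"{machine}: {verdict}; remote SAM callers: {callers}"


# Constructed export of the registry value from three hosts (not real data).
HARDENED_DEFAULT = "O:BAG:BAD:(A;;RC;;;BA)"
LOOSENED = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;AU)"
SAMPLE_EXPORT = {"WS01": HARDENED_DEFAULT, "WS02": LOOSENED, "WS03": None}

if __name__ == "__main__":
    for host, val in SAMPLE_EXPORT.items():
        print(audit(host, val))
```

A host reporting “not set” needs the version table above to interpret: on a pre-Anniversary build that means any domain user can enumerate, on a later build it means the built-in default applies.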

• Group policies to restrict remote use of local credentials:
  • “Deny access to this computer from the network”
  • “Deny log on through Remote Desktop Services”
• Add the following security identifiers (SIDs) (introduced in KB 2871997):
  • S-1-5-113: NT AUTHORITY\Local account
  • S-1-5-114: NT AUTHORITY\Local account and member of Administrators group

Group Policy to Deny Local Users’ Remote Access

• Local users cannot login through the network

• Local users cannot connect to a machine using RDP

Hardening Results

• Local Administrator Password Solution
• Each Local Admin user’s password is generated
  • Strong random password
  • Changes periodically
  • Implemented as Group Policy
• Password is kept on DC
  • In plain-text
  • Accessible to Domain’s privileged users only
• Results:
  • No more identical passwords
  • No more guessable passwords

LAPS