
Topics

The Problem
Attack Scenario
Demo
Mitigations and Recommendations
Next Steps

Aaron Margosis Ahmad Mahdi Ambrose Leung Benjamin Godard Bret Arsenault Brian Fielder Charlie Kaufman Crispin Cowan David Hoyle Dean Wells Eric Leonard Fernando Cima Georgeo Pulikkathara Jason Krolak Joe Bialek John Lambert Jonathan Ness Justin Hendricks Laura A. Robinson Lori Woehler Mark Cartwright Mark Novak Mark Oram Mark Russinovich Mark Simos Matt Thomlinson Michael Howard Michiko Short Mike Reavey Mohamed Rouatbi Nate Morin Patrick Arnold Patrick Jungles Paul Rich Peter Zdebski Roger Grimes Scott Robinson Scott V. Cleave Sean Finnegan Steve Patrick Tim Rains Tony Rice

Nation States
Ideological Movements
Organized Crime

…They were next spotted in March 2010, after signing on with the stolen password of a network administrator… …The hackers logged on through the company’s remote access system, just like any employee… The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

Attack activities

Lateral movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.

Privilege escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.

Power: Domain Controllers
Data: Servers and Applications
Access: Users and Workstations

1. Bad guy targets workstations en masse.
2. User running as local admin compromised; Bad guy harvests credentials.
3. Bad guy uses credentials for lateral traversal.
4. Bad guy acquires domain admin credentials and associated privileges – privilege escalation.
5. Bad guy has direct or indirect access to read/write/destroy data and systems in the environment.

The same single sign-on (SSO) mechanism that brings significant benefits to the user experience also increases the risk of a PtH attack if an operating system is compromised.

To keep the system usable, credentials must be stored or cached so that the operating system can perform actions on behalf of the user without prompting again.

Where credentials are stored (columns of the source table: plaintext passwords (reversibly encrypted), NT hash, LM hash, TGT, Windows logon cached password verifiers; the numbered markers are footnotes of the source table):

Security Accounts Manager (SAM) database: NT hash Yes; LM hash Maybe (1).
Local Security Authority Subsystem (LSASS) process memory: plaintext password Maybe (2); NT hash Yes; LM hash Maybe (1); TGT Yes.
Active Directory database: NT hash Yes.
The Credential Manager (CredMan) store: plaintext password Yes.
LSA Secrets in the registry (HKLM\Security): plaintext password Yes (service accounts, scheduled tasks, etc.); NT hash Yes (computer account); Windows logon cached password verifiers Yes.

Mitigations

Mitigation 1: Restrict and protect high privileged domain accounts. Effectiveness: Excellent. Effort required: Medium. Addresses: privilege escalation.

Mitigation 2: Restrict and protect local accounts with administrative privileges. Effectiveness: Excellent. Effort required: Low. Addresses: lateral movement.

Mitigation 3: Restrict inbound traffic using the Windows Firewall. Effectiveness: Excellent. Effort required: Medium. Addresses: lateral movement.

Mitigation 1

Objective: This mitigation restricts the ability of administrators to inadvertently expose privileged credentials to higher risk computers.

How:
• Restrict DA/EA accounts from authenticating to lower trust computers.
• Provide admins with accounts to perform administrative duties.
• Assign dedicated workstations for administrative tasks.
• Mark privileged accounts as “sensitive and cannot be delegated”.
• Do not configure services or schedule tasks to use privileged domain accounts on lower trust computers.

Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.

Mitigation 2

Objective: This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.

How:
• Enforce the restrictions available in Windows Vista and newer that prevent local accounts from being used for remote administration.
• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
• Create unique passwords for local accounts with administrative privileges.

Outcome: An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.

Mitigation 3

Objective: This mitigation restricts the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.

How:
• Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.

Outcome: An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.

Note: A whitepaper update was recently released with guidance for authorized peer-to-peer applications.

Recommendations

Remove standard users from the local administrators group. Effectiveness: Excellent. Effort required: High. Addresses: privilege escalation.

Limit the number and use of privileged domain accounts. Effectiveness: Good. Effort required: Medium. Addresses: privilege escalation.

Configure outbound proxies to deny Internet access to privileged accounts. Effectiveness: Good. Effort required: Low. Addresses: privilege escalation.

Ensure administrative accounts do not have email accounts. Effectiveness: Good. Effort required: Low. Addresses: privilege escalation.

None of these four recommendations is marked as addressing lateral movement.

More recommendations

Use remote management tools that do not place reusable credentials on a remote computer’s memory. Effectiveness: Good. Effort required: Medium.

Avoid logons to potentially compromised computers. Effectiveness: Good. Effort required: Low.

Update applications and operating systems. Effectiveness: Partial. Effort required: Medium.

Secure and manage domain controllers. Effectiveness: Partial. Effort required: Medium.

Remove LM Hashes. Effectiveness: Partial. Effort required: Low.

Privilege escalation and lateral movement marks for these rows, as they appear in the source table: privilege escalation √ √ -; lateral movement √ -.

Other mitigations

Disable NTLM. Effectiveness: Minimal. Effort required: High.

Smart cards and multifactor authentication. Effectiveness: Minimal. Effort required: High.

Jump servers. Effectiveness: Minimal. Effort required: High.

Rebooting workstations and servers. Effectiveness: Minimal. Effort required: Low.

Privilege escalation and lateral movement marks for these rows, as they appear in the source table: privilege escalation √ -; lateral movement -.

Mitigations and recommendations in the paper are what can be done today (easily).

Whitepaper and Next Steps

Next Steps

Read the Whitepaper

Mitigating Pass-the-Hash Attacks and other Credential Theft Techniques http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf

Spread the Word

Questions? Interested in advanced architectures?

Mark.Simos [at] Microsoft.com

The PtH workgroup will continue to investigate mitigations for credential theft and reuse.

Diagram: Credential Partitioning / Hardened Admin Environment. Elements shown: Hardened Workstations; Network security; Accounts and smartcards; Tamper-resistant audit; Assist with mitigating risks; Services & Applications; Auto-Patching; Security Alerting; Lateral Traversal; Production Domain(s) with tiers Power (Domain Controllers), Data (Servers and Applications) and Access (Users and Workstations); Threats (Internet); IPsec; Admin Environment containing Domain Admins, Management and Monitoring, Red Card Admins and Break Glass Account(s).

http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Logon types (columns of the source table: logon type, number, authenticators accepted, reusable credentials in LSA session, examples)

Interactive (a.k.a. Logon locally), type 2. Authenticators accepted: Password, Smartcard, other. Reusable credentials in LSA session: Yes. Examples: Console logon; RUNAS; Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server); IIS Basic Authn (before IIS 6.0).

Network, type 3. Authenticators accepted: Password, NT Hash, Kerberos ticket. Reusable credentials in LSA session: No (except if delegation is enabled, then Kerberos tickets present). Examples: NET USE; RPC calls; Remote registry; IIS integrated Windows authn; SQL Windows authn.

Batch, type 4. Authenticators accepted: Password (usually stored as LSA secret). Reusable credentials in LSA session: Yes. Examples: Scheduled tasks.

Service, type 5. Authenticators accepted: Password (usually stored as LSA secret). Reusable credentials in LSA session: Yes. Examples: Windows services.

NetworkCleartext, type 8. Authenticators accepted: Password. Reusable credentials in LSA session: Yes. Examples: IIS Basic Authn (IIS 6.0 and newer); Windows PowerShell with CredSSP.

NewCredentials, type 9. Authenticators accepted: Password. Reusable credentials in LSA session: Yes. Example: RUNAS /NETWORK.

RemoteInteractive, type 10. Authenticators accepted: Password, Smartcard, other. Reusable credentials in LSA session: Yes. Example: Remote Desktop (formerly known as “Terminal Services”).

Connection methods (columns of the source table: connection method, logon type, reusable credentials on destination, comments)

Log on at console. Logon type: Interactive. Reusable credentials on destination: yes. Includes hardware remote access / lights-out cards and network KVMs.

RUNAS. Logon type: Interactive. Reusable credentials on destination: yes.

RUNAS /NETWORK. Logon type: NewCredentials. Reusable credentials on destination: yes. Clones current LSA session for local access, but uses new credentials when connecting to network resources.

Remote Desktop (success). Logon type: RemoteInteractive. Reusable credentials on destination: yes. If the remote desktop client is configured to share local devices and resources, those may be compromised as well.

Remote Desktop (failure - logon type was denied). Logon type: RemoteInteractive. Reusable credentials on destination: no. By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.

Net use * \\SERVER. Logon type: Network. Reusable credentials on destination: no.

Net use * \\SERVER /u:user. Logon type: Network. Reusable credentials on destination: no.

MMC snap-ins to remote computer. Logon type: Network. Reusable credentials on destination: no. Example: Computer Management, Event Viewer, Device Manager, Services.

PowerShell WinRM. Logon type: Network. Reusable credentials on destination: no. Example: Enter-PSSession server

PowerShell WinRM with CredSSP. Logon type: NetworkClearText. Reusable credentials on destination: yes. Example: New-PSSession server -Authentication Credssp -Credential cred

PsExec without explicit creds. Logon type: Network. Reusable credentials on destination: no. Example: PsExec \\server cmd

PsExec with explicit creds. Logon type: Network + Interactive. Reusable credentials on destination: yes. Example: PsExec \\server -u user -p pwd cmd. Creates multiple logon sessions.

Remote Registry. Logon type: Network. Reusable credentials on destination: no.

Remote Desktop Gateway. Logon type: Network. Reusable credentials on destination: no. Authenticating to Remote Desktop Gateway.

Scheduled task. Logon type: Batch. Reusable credentials on destination: yes. Password will also be saved as LSA secret on disk.

Run tools as a service. Logon type: Service. Reusable credentials on destination: yes. Password will also be saved as LSA secret on disk.

Vulnerability scanners. Logon type: Network. Reusable credentials on destination: no. Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.
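As an added example that is not part of the talk or the whitepaper, the following Python checks a batch of Windows Security event 4624 (successful logon) records against the logon-type table above and the Power/Data/Access tiers from the attack scenario: it reports every logon in which a privileged domain account used a logon type that leaves reusable credentials on the destination (Interactive, Batch, Service, NetworkCleartext, NewCredentials, RemoteInteractive) on a computer below the Power tier, which is exactly the exposure Mitigation 1 is meant to prevent. The host names, account names and the simplified key=value event lines are constructed for this example; real 4624 events are XML/EVTX records carrying the same field names.

```python
import re

# Logon types from the table above that leave reusable credentials in the LSA
# session on the destination. Network (3) leaves none unless delegation is on.
REUSABLE_CREDENTIAL_LOGON_TYPES = {2: "Interactive", 4: "Batch", 5: "Service",
                                   8: "NetworkCleartext", 9: "NewCredentials",
                                   10: "RemoteInteractive"}

# Constructed tier map (hypothetical hosts) using the talk's Power/Data/Access tiers.
HOST_TIER = {"DC01": "power", "SQL01": "data", "WS-ALICE": "access", "WS-BOB": "access"}

# Constructed set of privileged domain accounts (hypothetical names).
PRIVILEGED_ACCOUNTS = {"CONTOSO\\da-admin", "CONTOSO\\ea-admin"}

# Constructed sample: Security event records flattened to key=value lines.
SAMPLE_EVENTS = """\
EventID=4624 Computer=DC01 TargetDomainName=CONTOSO TargetUserName=da-admin LogonType=2
EventID=4624 Computer=WS-ALICE TargetDomainName=CONTOSO TargetUserName=da-admin LogonType=10
EventID=4624 Computer=WS-BOB TargetDomainName=CONTOSO TargetUserName=alice LogonType=2
EventID=4624 Computer=WS-BOB TargetDomainName=CONTOSO TargetUserName=da-admin LogonType=3
EventID=4624 Computer=SQL01 TargetDomainName=CONTOSO TargetUserName=ea-admin LogonType=5
EventID=4634 Computer=SQL01 TargetDomainName=CONTOSO TargetUserName=ea-admin LogonType=5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def exposed_privileged_logons(text):
    """Return (host, account, logon type name) for each successful logon where a
    privileged domain account left reusable credentials below the Power tier."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful logons (4624) carry the exposure
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        if account not in PRIVILEGED_ACCOUNTS:
            continue
        if HOST_TIER.get(ev["Computer"]) == "power":
            continue  # a DA logon to a domain controller is the expected use
        name = REUSABLE_CREDENTIAL_LOGON_TYPES.get(int(ev["LogonType"]))
        if name is None:
            continue  # Network logon (type 3): nothing reusable is left behind
        findings.append((ev["Computer"], account, name))
    return findings
```

On the constructed sample this reports the RemoteInteractive logon of da-admin to the WS-ALICE workstation and the Service logon of ea-admin on SQL01, while the network logon (type 3) of da-admin to WS-BOB is correctly left alone.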