Computers Gone Rogue: Abusing Computer Accounts to Gain Control in an Active Directory Environment
Marina Simakov & Itai Grady
Motivation
- Credentials are a high-value target for attackers: no need for 0-day exploits, and they make it easy to move laterally in the network
- The main focus so far has been user and service accounts (highest privileges)
- What about computer accounts? Can they cause significant damage? Are they properly monitored? Should they be? (Clue: YES!)
Agenda
- Abusing computer accounts during different attack stages: reconnaissance, lateral movement, persistence
- Demo
- Mitigations
Attack Flow (diagram)
- Stages: NO ACCESS -> PIVOTING -> PRIVILEGED -> PERSISTENCE -> BUSTED!
- Techniques along the way: Domain Account or Local System Access, Pass-the-Hash, Pass-the-Ticket, ACL Manipulation, Domain Admin / Enterprise Admin
Attack Flow: Reconnaissance
- Pre-created computer accounts: create an AD computer object under the desired OU, and join the physical machine later
- Why? Users are not authorized to add new computers to the domain, and placing the account in the OU gives it the desired GPOs
- Problem: pre-created computer accounts with an easy or empty password; when the corresponding physical machine is never joined to the domain, the password is never changed!
Attack Flow: Reconnaissance
- Scan AD to get all computer accounts
- Find accounts with an empty or easy password: attempt a logon; or, because computer accounts have a ServicePrincipalName, send a Kerberos TGS request and try to decrypt the ticket
- Credit: Nathan Muggli, Mark Gamache (@markgamachenerd)
Attack Flow: Lateral Movement
- SMB relay using a man-in-the-middle technique (e.g. Responder) to move laterally to various servers
- Mitigation: enforce signed SMB traffic; traffic must be signed with a user session key known only to the client and the server
- http://www.cyberdefensemagazine.com/ms-patch-tuesday-fixes-19-critical-issues-including-two-ntlmzero-day-flaws/
Bypass signed SMB traffic - CVE-2015-0005
- The UserSessionKey is calculated by the client/user and sent to the server by the DC over their secure channel
- The UserSessionKey is based on the user's secret key
- Vulnerability: an attacker with a compromised machine account can open a secure channel on behalf of other servers, and use the fake secure channel to get the UserSessionKey
Accessing the Domain Controller - CVE-2017-8563
- Relay the authentication request of a domain admin to a Windows LDAP server, using the LDAPS protocol
- Get an administrative LDAPS session
Attack Flow: Persistence
- Trust the computer account for delegation => request tickets on behalf of other users
- Allow delegation to krbtgt => request TGTs on behalf of other users
Attack Flow: Persistence
- ACL manipulation (@_wald0, @harmj0y)
- Deny the Read permission on userAccountControl to everyone
- Deny the Read permission on msDS-AllowedToDelegateTo to everyone
Attack Flow: Persistence
- We now have a computer account which: is not a member of any sensitive group; can obtain an administrative TGT at any time; doesn't look suspicious in scans
- Having control of a highly privileged account is no longer required
- The machine password will not change
DEMO
Mitigations
- Reconnaissance phase: if an attacker can do it, so can we! => scan for pre-created computer accounts => delete the machine account or join the physical machine
- Monitor massive failed logons and massive ticket retrieval
- Lateral movement phase: patch, patch, patch!
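The reconnaissance slides and this mitigation slide describe the same scan from two sides. The following script is an added defender-side example, not code from the talk: it takes computer objects already pulled from AD (for example by an LDAP search for objectCategory=computer, requesting the four attributes used below) and flags accounts that look pre-created and never joined, using only attributes rather than logon or ticket attempts. All records, the domain names and the 30-day rotation interval (the Netlogon default) are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (values as documented for Active Directory).
UF_PASSWD_NOTREQD = 0x0020              # account may have an empty password
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # ordinary computer account

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Default Netlogon rotation interval for machine passwords; a joined machine's
# pwdLastSet should normally be younger than this.
MAX_MACHINE_PASSWORD_AGE = timedelta(days=30)


def filetime_to_datetime(ft):
    """pwdLastSet and lastLogonTimestamp are FILETIME integers (100 ns ticks since 1601); 0 means never set."""
    if not ft:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample records."""
    return int((dt - _FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_generalized_time(s):
    """whenCreated is returned as LDAP GeneralizedTime, e.g. '20170301120000.0Z'."""
    return datetime.strptime(s, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def audit_computer(rec, now):
    """Return the reasons a computer account looks pre-created and never joined (empty list if none)."""
    findings = []
    uac = rec.get("userAccountControl", 0)
    if uac & UF_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD is set, so an empty password is accepted")
    created = parse_generalized_time(rec["whenCreated"])
    pwd_last_set = filetime_to_datetime(rec.get("pwdLastSet", 0))
    last_logon = filetime_to_datetime(rec.get("lastLogonTimestamp", 0))
    if last_logon is None:
        findings.append("no lastLogonTimestamp: nothing has ever authenticated as this account")
    if pwd_last_set is None or abs(pwd_last_set - created) < timedelta(minutes=1):
        findings.append("password unchanged since the object was created")
    elif now - pwd_last_set > MAX_MACHINE_PASSWORD_AGE:
        findings.append("machine password older than the default 30-day rotation")
    return findings


def find_pre_created(records, now):
    """Map sAMAccountName to findings for every account that triggers at least one check."""
    result = {}
    for rec in records:
        findings = audit_computer(rec, now)
        if findings:
            result[rec["sAMAccountName"]] = findings
    return result


# Constructed sample data standing in for LDAP query results (not real accounts).
NOW = datetime(2017, 12, 1, tzinfo=timezone.utc)
_CREATED = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {   # object created by an admin "for later"; machine never joined, empty password allowed
        "sAMAccountName": "WS-PRECREATED$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD,
        "whenCreated": "20170301120000.0Z",
        "pwdLastSet": datetime_to_filetime(_CREATED),
    },
    {   # joined once, then left switched off: password rotation stopped
        "sAMAccountName": "WS-STALE$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
        "whenCreated": "20170301120000.0Z",
        "pwdLastSet": datetime_to_filetime(datetime(2017, 4, 15, tzinfo=timezone.utc)),
        "lastLogonTimestamp": datetime_to_filetime(datetime(2017, 5, 1, tzinfo=timezone.utc)),
    },
    {   # healthy domain member
        "sAMAccountName": "WS-HEALTHY$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
        "whenCreated": "20170301120000.0Z",
        "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
        "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1)),
    },
]

if __name__ == "__main__":
    for name, findings in find_pre_created(SAMPLE_COMPUTERS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Each hit is a candidate for the slide's remedy (delete the object or join the physical machine). The pwdLastSet-equals-whenCreated check is the strongest signal for a never-joined account; the age check catches machines that were joined once and then abandoned, which carry the same risk of a never-rotated password.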
Mitigations: Persistence
- Delegation: monitor accounts trusted for delegation, and to which SPNs each account is allowed to delegate; mark privileged accounts as "Account is sensitive and cannot be delegated"
- Visibility, hidden attributes: monitor ACLs!
- Visibility, hidden objects: you might not see the account in AD, but you can see the traffic it generates
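An added example of the delegation and hidden-attribute checks above, written here for this page rather than taken from the talk. It runs over account objects fetched from AD as plain dicts and reports unconstrained delegation, protocol transition, delegation targets on the krbtgt service, privileged accounts (taken here to be those with adminCount=1) that are still delegable, and objects whose userAccountControl came back unreadable, which is what the Deny-ACE trick from the persistence slides produces. Sample records and the CORP.LOCAL names are constructed.

```python
# userAccountControl bits that matter for delegation (values as documented for AD).
UF_NOT_DELEGATED = 0x00100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_FOR_DELEGATION = 0x00080000           # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# Attributes every account object carries. If a query result lacks one, the querying
# principal was denied read on it, which is exactly what a Deny ACE on the object does.
ALWAYS_PRESENT = ("userAccountControl",)


def audit_account(rec):
    """Return findings for one LDAP result (dict of attribute -> value); empty list if clean."""
    findings = []
    for attr in ALWAYS_PRESENT:
        if attr not in rec:
            findings.append(f"{attr} not readable: inspect the object's ACL for a Deny ACE")
    uac = rec.get("userAccountControl")
    if uac is not None:
        if uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append("unconstrained delegation: holds TGTs of every user that connects to it")
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("protocol transition: can obtain service tickets for arbitrary users")
        # adminCount=1 marks objects protected by AdminSDHolder; treat them as sensitive (assumption).
        if rec.get("adminCount") == 1 and not (uac & UF_NOT_DELEGATED):
            findings.append("privileged account without 'sensitive and cannot be delegated'")
    for spn in rec.get("msDS-AllowedToDelegateTo", []):
        if spn.lower().startswith("krbtgt/"):
            findings.append(f"allowed to delegate to {spn}: can request TGTs on behalf of other users")
    return findings


def audit_accounts(records):
    """Map sAMAccountName to findings for every record with at least one finding."""
    result = {}
    for rec in records:
        findings = audit_account(rec)
        if findings:
            result[rec["sAMAccountName"]] = findings
    return result


# Constructed sample query results (not real accounts).
SAMPLE_ACCOUNTS = [
    {   # the persistence setup from the slides: delegation to krbtgt with protocol transition
        "sAMAccountName": "SRV-PERSIST$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["krbtgt/CORP.LOCAL"],
    },
    {   # userAccountControl missing from the result: read was denied by an ACL
        "sAMAccountName": "SRV-HIDDEN$",
    },
    {   # legitimate constrained delegation to a file server
        "sAMAccountName": "SRV-WEB$",
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
        "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"],
    },
    {   # domain admin that can still be delegated
        "sAMAccountName": "DA-ADMIN",
        "userAccountControl": UF_NORMAL_ACCOUNT,
        "adminCount": 1,
    },
]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The "not readable" finding only works for attributes that are mandatory on the object class; msDS-AllowedToDelegateTo is legitimately absent on most computers, so its absence alone proves nothing and the ACL itself (nTSecurityDescriptor) has to be compared against a baseline.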
Mitigations: Visibility
- LsaLookupSids API: given a SID, returns the account name; no access check is required to perform the mapping
- Scan to see what you cannot see: scan all SIDs and compare to the LDAP query results
- https://cloudblogs.microsoft.com/microsoftsecure/2017/10/11/what-am-imissing-how-to-see-the-users-youre-denied-from-seeing/ (@MichaelDubinsky)
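The SID-scan described above, as an added example that is neither the talk's nor Microsoft's code. It enumerates every candidate domain SID from RID 500 up to a little past the highest RID that LDAP returned, resolves them in batches through a lookup callable with LsaLookupSids semantics (a list of SIDs in, a name for each one that resolves out), and reports the SIDs that resolve but never appeared in LDAP. The lookup table, the domain SID and the RID margin are constructed; in a real run the callable would wrap the API (for instance through pywin32 or a PowerShell SecurityIdentifier translation) with the same SID strings.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
RID_SCAN_MARGIN = 100   # assumption: also probe RIDs just past the highest one LDAP showed us


def rid_of(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def candidate_sids(domain_sid, max_rid):
    """Every domain SID from RID 500 (the built-in Administrator) through max_rid."""
    return [f"{domain_sid}-{rid}" for rid in range(500, max_rid + 1)]


def find_hidden_objects(lookup_sids, ldap_sids, domain_sid, batch_size=1000):
    """lookup_sids(list_of_sids) -> {sid: name} for the SIDs that resolve (LsaLookupSids semantics).
    ldap_sids: the objectSid strings our LDAP enumeration returned.
    Returns the SIDs that resolve to a name but never showed up in LDAP."""
    max_rid = max(rid_of(s) for s in ldap_sids) + RID_SCAN_MARGIN
    sids = candidate_sids(domain_sid, max_rid)
    resolved = {}
    for i in range(0, len(sids), batch_size):   # the API takes arrays; batch like a real caller would
        resolved.update(lookup_sids(sids[i:i + batch_size]))
    return {sid: name for sid, name in resolved.items() if sid not in ldap_sids}


# Constructed stand-in for LsaLookupSids: what the DC would resolve, ACLs notwithstanding.
_DIRECTORY = {
    f"{DOMAIN_SID}-500": "CORP\\Administrator",
    f"{DOMAIN_SID}-1105": "CORP\\WS01$",
    f"{DOMAIN_SID}-1106": "CORP\\SRV-HIDDEN$",   # object with a Deny-Read ACE for everyone
    f"{DOMAIN_SID}-1107": "CORP\\alice",
}


def fake_lsa_lookup(sids):
    """Resolve the SIDs that exist; unknown RIDs simply do not appear in the result."""
    return {sid: _DIRECTORY[sid] for sid in sids if sid in _DIRECTORY}


# What an LDAP search as an ordinary user returned: the hidden object is missing.
LDAP_VISIBLE = {f"{DOMAIN_SID}-500", f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-1107"}

if __name__ == "__main__":
    for sid, name in find_hidden_objects(fake_lsa_lookup, LDAP_VISIBLE, DOMAIN_SID).items():
        print(f"resolvable but not in LDAP: {name} ({sid})")
```

RIDs are allocated sequentially from the RID pool, so scanning a contiguous range past the highest visible RID is cheap and complete for a single domain; the margin exists because the hidden object may be the newest one in the domain.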
Thank you!