Pass-the-Hash Attacks

Similar documents
Pass-the-Hash Attacks. Michael Grafnetter

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Active Directory Attacks and Detection

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Pentesting Windows Domains

Active Directory Attacks and Detection

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

Windows Server Security Guide

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

Active Directory Attacks and Detection Part -II

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Attacking and Defending Active Directory July, 2017

10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security Certified Ethical Hacker CISA.

7 EASY ATTACKS AGAINST ACTIVE DIRECTORY

Windows 10 Security & Audit

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Security Fundamentals for your Privileged Account Security Deployment

Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS

Lateral Movement Defcon 26. Walter Mauricio

Modern Realities of Securing Active Directory & the Need for AI

When the admin fails on security Christoph Falta ITSECX

Active Directory Security: The Journey. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

Critical Hygiene for Preventing Major Breaches

Active Directory Security: The Journey. Sean Metcalf s e a n TrimarcSecurity.com TrimarcSecurity.

Install and Configure Active Directory Domain Services

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

Mike Pilkington. SANS Forensics and IR Summit June, 2011

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Microsoft: What s new and cool FY16

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

News and Updates June 1, 2017

Incident Scale

Active Directory Attacks and Detection Part -III

Enterprise Mobility + Security

Useful Hacking Series

Identity with Windows Server 2016 (742)

Tactics, Techniques, and Procedures

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

The 3 Pillars of SharePoint Security

MODERN DESKTOP SECURITY

Course Outline. Course Outline :: 20744A::

70-742: Identity in Windows Server Course Overview

[MS20744]: Securing Windows Server 2016

Training: Hardening Microsoft Environments

Course Outline 20744B

Desktop features placemat

This course provides students with the knowledge and skills to administer Windows Server 2012.

Windows Authentication Concepts

the SWIFT Customer Security

Securing Windows Server 2016

Securing Windows Server 2016

Identity & Access Management

#BLACKALPS17. Harman Singh DEFENDZA LTD. 1

Hacking in the Attack Kill Chain

20744: Securing Windows Server Sobre o curso. Microsoft. Nível: Avançado Duração: 35h

Office 365 and Azure Active Directory Identities In-depth

A Process is No One: Hunting for Token Manipulation. Jared Atkinson & Robby Winchester

Active directory : How to change a weak point into a leverage for security monitoring Vincent LE TOUX ENGIE France OSSIR 2017 Paris (France) April,

CyberArk Privileged Threat Analytics

Unified CCE Security Compliance for Windows Server 2012 R2

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Hardcore PI System Hardening

Hunting for Credentials Dumping in Windows Environment. Teymur Kheirhabarov

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

ALL ROADS LEAD TO DOMAIN ADMIN BREACH TO CDE A SECTOR CONFERENCE PRESENTATION OCTOBER 2016

"Charting the Course... MOC C: Securing Windows Server Course Summary

DirectDefense. Catch Me If You Can. PenTester/Hacker vs. BlueTeam Defender

CIS Top 20 #5. Controlled Use of Administrative Privileges

MOC 20411B: Administering Windows Server Course Overview

Privileged Account Security: A Balanced Approach to Securing Unix Environments

n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems

HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT MICROSOFT CERTIFIED TRAINER. New protection capabilities in Windows Server 2016

Securing Windows Server 2016 (20744)

Man-In-The-Browser Attacks. Daniel Tomescu

CIS Controls Measures and Metrics for Version 7

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

Server Tailgating A Chosen- Plaintext Attack on RDP. - Eyal Karni - Yaron Zinar - Roman Blachman

Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.

Windows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Windows 10 and the Enterprise. Craig A. Brown Prepared for: GMIS

Enterprise Ransomware Mitigations

CIS Controls Measures and Metrics for Version 7

Hunting Lateral Movement with Windows Events Logs. SANS Threat Hunting Summit 2018 Mauricio

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Securing Windows Server 2016 (20744)

MOC 6419B: Configuring, Managing and Maintaining Windows Server based Servers

Windows Server 2008 Training

Windows Server 2008 Administration

microsoft. Number: Passing Score: 800 Time Limit: 120 min.

Keywords: Pass the Hash, PtH, NTLM hash, Windows authentication, credential security

CS 356 Operating System Security. Fall 2013

PENETRATION TESTING EXTREME VERSION 1

An Analysis of Local Security Authority Subsystem

Securing Active Directory Administration

Becoming the Adversary

Transcription:

Pass-the-Hash Attacks Mgr. Michael Grafnetter www.dsinternals.com

Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 Microsoft Advanced Threat Analytics

PtH Attack Anatomy Theft Use Compromise

Lateral and Vertical Movement

Mimikatz

Metasploit Framework

Metasploit Framework

DEMO Pass-the-Hash + RDP

LSASS NTLM Hashes

Passing the Hash

Stealing the Hash

Credentials Lifecycle / Attack Vectors

Credentials Lifecycle / Attack Vectors

Hashes in SAM/AD Authentication Method Hash Function LM DES NO NTLM, NTLMv2 MD4 NO Kerberos (RC4) MD4 NO Kerberos (AES) PBKDF2 (4096*HMAC_SHA1) Salted YES Digest MD5 YES

Active Directory Database - Offline Files C:\Windows\NTDS\ntds.dit C:\Windows\System32\config\SYSTEM Acquire Locally: ntdsutil IFM Remotely: WMI (Win32_Process), psexec Offline: VHDs, VMDKs, Backups Extract Windows: DSInternals PowerShell Module Linux: NTDSXtract

DEMO Extracting hashes from ntds.dit

Proactive Measures Encryption RODC Backup protection Regular password changes

Active Directory Database - Online MS-DRSR/RPC

DEMO Extracting hashes from ntds.dit

Proactive Measures Avoid using administrative accounts Do not run untrusted SW Do not delegate the right to replicate directory changes Use an application firewall / IDS

SAM Database Offline Files C:\Windows\System32\config\SAM C:\Windows\System32\config\SYSTEM Tools Windows Password Recovery Online Mimikatz

Online SAM Dump

Proactive Measures Bitlocker Randomize local Administrator passwords Restrict administrative access LSA Protected Process

GP Local Admin Password Management Solution

Restrict Local Admins - KB2871997

Credentials Lifecycle / Attack Vectors

Windows Integrated Authentication

LSASS NTLM Hashes

LSASS Kerberos Keys

LSASS Kerberos Tickets

Memory Dump

Memory Dump

SSP Cached Creds (SSO)

Proactive Measures Enable Additional LSA Protection? Restrict administrative access Applocker/SRP whitelisting Protected Users group Restricted Admin RDP Authentication Policies and Silos Disable Automatic Restart Sign-On Do not submit minidumps

Enabling LSA Protected Process

Disabling LSA Protected Process

Protected LSA

Protected LSA

Bypassing the LSA protection

Debug Privilege

RestrictedAdmin RDP - KB2871997

Credential Delegation Security vs. Comfort

Disable Wdigest SSO KB2871997

Protected Users Group

Blacklisting?

Credentials Lifecycle / Attack Vectors

ARP Poisoning + NTLM Downgrade

Using the Hash/Key/Ticket

Passing the Hash

PTH Firefox

RDP NTLM Authentication

Kerberos Golden and Silver Tickets

Proactive Measures Disable NTLM Authentication Disable Kerberos RC4-HMAC Shorten Kerberos ticket lifetime Implement Smartcard Authentication

Strengthening Kerberos Security

Kerberos Ticket Lifetime

SmartCard Authentication

PtH Mitigation Strategies

NIST Framework for Improving Critical Infrastructure Cybersecurity

High-Value Accounts Admins Domain Adminis Enterprise Admin Schema Adminis BUILTIN\Administrators BUILTIN\Hyper-V Adminstrators Service Accounts SCCM, SCOM, DPM, Software Installation, BMC Accounts

Tier Model

Tier Model - Administrative logon restrictions

Authentication Policies and Silos

PtH Detection

Attack Graph

Events Authentication Success Failure Replication Traffic Group Membership Changes Process Creation

Audit Process Creation

Audit Process Creation

Audit Process Creation

Reactive Measures Change account passwords (including services!) Reset computer account passwords Disable+Enable smartcard-enforced accounts Reset KRBTGT account Implement countermeasures

Windows 10 + Windows Server 2016

Hypervisor Code Integrity protected by VSM

Device Guard

Privileged Access Management for AD

Microsoft Passport (FIDO) + Windows Hello

Microsoft Advanced Threat Analytics

Introducing Microsoft Advanced Threat Analytics An on-premises platform to identify advanced security attacks before they cause damage Detection for known attacks and issues Behavioral Analytics Advanced Threat Detection

Key ATA Benefits Speed Adaptability Simplicity Accuracy

What ATA Detects Security issues and risks Broken trust Weak protocols LDAP Simple Binds Known protocol vulnerabilities Malicious attacks Pass-the-Ticket (PtT) Pass-the-Hash (PtH) Overpass-the-Hash Golden Ticket MS-DRSR Attack DPAPI Backup Key Retrieval Abnormal Behavior Password sharing Anomalous logins Remote execution Lateral movement BruteForce Encryption Downgrade Forged PAC (MS14-068) Silver PAC (MS11-013) Skeleton key malware Kerberos Account Enumeration DNS Reconnaissance SMB Session Enumeration Massive Object Deletion

ATA Architecture

Alert Sample

Next Steps

Learn more about PtH Attacks

Have fun with the tools

Secure your network

Pass-the-Hash Attacks Mgr. Michael Grafnetter www.dsinternals.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback