
Windows Credential Attacks and Mitigations

BSides SLC · 2017 · 55:18 · 1.3K views · Published 2017-07
About this talk
Windows credentials are arguably the largest vulnerability affecting the modern enterprise. Credential harvesting is goal number one post-exploitation, and hence it provides an appealing funnel point for identifying attacks early in the kill chain. Unfortunately, credentials are diverse and numerous in Windows, and so are the attacks. With significant credential theft mitigations released in Win8.1, Win10 and Server 2012/2016, both red and blue teams require an enhanced understanding of Windows credentials. Red teamers may suddenly find their favorite techniques obsolete, while the blue team needs to take advantage of available mitigation techniques as soon as possible. Credential types, attack tools, and mitigation will all be discussed, giving insight into both sides of the equation.
Transcript [en]

Okay, well, welcome to Salt Lake City. I am thrilled to be back at BSides. I'm actually a local here in Utah and I feel very fortunate. How many folks are not from Utah in here? A handful, cool. I know I talked to some folks from Vegas, LA; I know Leslie came up all the way from Chicago, so great to have you here. I am always thrilled and excited by our security community. I'm always amazed at what's been built out here, and I feel privileged to be invited to be a part of that, and I'd say really the security key to me is all of you sitting in those seats. So I just want to thank you for doing such an

amazing job. For such a small area we have an awesome community, so it's awesome to be here. What I want to talk to you guys about is a little bit of credentials. We've got a problem. We have a credential problem, ladies and gentlemen, and I think you're all aware of that; if you've been in the security community for any period of time you are well aware that credentials are a vulnerability. However, I've got this sneaking suspicion that most people in our field actually don't know the extent of the problem. The Windows authentication system is incredibly complex, and I think frankly it's almost too complex for someone that doesn't dedicate a lot of time to fully understand.

I'll give you an example. Over the last couple of years I've done probably a hundred-plus interviews for folks on the CrowdStrike team. These are top-tier security professionals, and I've walked away from almost every single one of those interviews with the sinking feeling that, my god, this person really doesn't understand credentials. It's one of the common questions I ask because I think it's so important, and very rarely will anyone nail sometimes even the most simple questions. That's a problem, and this is both red teamers and blue teamers. Blue team I kind of expect; sometimes we get our heads down, we've got our artifacts we look for. I

was especially surprised at red teamers not truly understanding what they're constantly taking advantage of. They certainly know that they're stealing tickets or tokens, and they may be reusing those in order to move through the environment, but commonly they don't know why the tickets or tokens are there. That's going to be a big problem, because as we're going to see in this presentation there are some good mitigations coming. Microsoft, the sleeping giant, has finally woken up, maybe, and started to try to fix some of these problems, and we're going to have some pen testers, red teamers and hopefully attackers who are going to start stumbling, because their old-school techniques that worked every time all of a sudden are going

to stop working, with any luck. We can only hope. But the idea of this presentation is really to get us all up to speed on credentials. This is actually something I sat down and wrote because I was just so down about the level of understanding of this. This is actually part of a class that I co-author for SANS, the 508 incident response class, and you guys will be some of the first ones to get a look at it. I also wanted to get you the slides so you have all

the bulk behind it. But we're going to talk about credentials. Now think about the common attack cycle. I'm an incident responder by trade, I'm more blue team, and so I'm constantly looking at what I call funnel points: looking for areas where I can actually sift that big haystack and find where the attackers are. Hundreds of thousands of endpoints; where do I know they're going to be, what do I know they're going to do that I can learn to track? In my experience, or really in my opinion, credentials are probably the most critical part of any attack. I can't think of anything more important. So let's go to the cycle a little

bit here. So an attacker first gains a foothold on the network. This is almost never going to be the place they want to end up unless they get incredibly lucky; they're going to have goals that extend far beyond this first foothold, this first user workstation. They're going to have to somehow get credentials so they can move around that environment. The great thing about Windows is that everything is tied to an account. To give you an example, computers themselves have accounts, right? Registry keys are tied to specific accounts. Everything. So if you don't have credentials you're stuck. So very commonly, if they're already admin, well, they're ready to rock and they can

dump credentials. If they're not admin yet they're going to have to do some sort of privilege escalation attack to get there, because one of the key components of credentials in Windows is there's nothing native that can just allow you to get them. You're going to have to use some sort of attack technique, some sort of tool, and as we go through these slides I'm going to try to point out the common tools that we'll see attackers use. All right, so they're going to dump their first set of credentials. Now, similar to all the data they want not being on this box, it's very unlikely that all the credentials they want are going to be on

this initial box. So they're going to take whatever they gather here and, with any luck, they're going to be able to move laterally through the environment; they're going to start expanding their influence throughout the environment. Now everywhere they go, and this is very early in their attack cycle, they're going to, as you might have guessed, dump more credentials. You're going to see them over and over and over again dumping credentials as they move through the environment. I've seen attackers send out a scheduled task to 150 systems just to dump credentials from every system and bring them back. The goal, of course, is that one of those credentials is going to take them to the

next level, and so they're going to continue to dump credentials until they achieve some sort of what I think Microsoft nicely calls domain dominance. This means total ownage, right? Once you get domain admin, now you have new unpaid admins in your environment and you get to deal with all the fun that comes along with that. So this of course is the primary goal of the attacker's early attack cycle, and eventually they are going to get to a system where they're going to achieve that; it's almost inevitable. How many pen testers do I have in here? Don't be shy, I know we've got you; you guys never want to self-identify. All right, of my pen

testers, when's the last time you did not get domain admin? Anyone not get domain admin in their last attack? You were scoped, was that the problem? So you weren't doing pen testing in a Windows environment, yes? Yeah, it's so funny, I was talking to someone, it was actually a computer network exploitation individual who was formerly at Fort Meade, NSA, and I was like, okay, well, tell me how you do your attack. You specialize in UNIX systems; what's your initial entry point when you get there? Well, we first go to the Windows network and we gather credentials there, and inevitably some of

those credentials we'll be able to reuse in the Linux environment. Like, that is not very exciting, right? That is not what I expected you to say. I want to hear some ninja techniques for attacking Linux. So bottom line is they are eventually going to get their domain admin, and this is where they're finally going to achieve their goals. In my experience, a dedicated attack group is likely achieving domain admin 24 to 48 hours into the attack. But the good news is the techniques that they're using and what they're gathering are a relatively finite set, so these are things we can watch for, these are things we can detect, and if we get lucky and

detect it we are very early in the attack cycle; we can stop it well before they can accomplish their goals. All right, my pen testers, has anyone ever written a 140-character pen test report? Anybody? 200 characters? Yeah, anybody raise their hand and I'm going to switch over, I'm moving to the red team. But I will bet you your 50-page pen test report doesn't really say much more than this, typically. This is pretty much the way it always goes: get an initial foothold, spear phish attack, get access, dump credentials, move around, get domain admin and get paid. All right, now there is some hope on the horizon, I will tell you. You

think about the XP timeframe: total security disaster. There was basically nothing stopping credential attacks in that world. We get to Windows 7, sort of, not much. We got User Account Control, which really just upset users more than anything, but User Account Control can frustrate some efforts to gain credentials. The whole idea of UAC was being able to have users run as admin but not allowing all their processes to run as admin, so kind of restricting or enforcing least privilege even at that level. The unfortunate thing is UAC is not a security boundary, and if you do some

searching you'll see there are plenty of UAC attacks that allow easy end runs around it. But at least it causes attackers to work a little harder to get those initial admin rights to dump credentials. About the only other good thing that came out of Windows 7 was something called managed service accounts. Now we'll come back to these, but this was the idea of recognizing that service accounts are a huge liability in your environment, and managed service accounts basically allow you to automatically set very complex passwords on your service accounts and rotate those; right now I think it's every 30 days by default, and this is all managed

through Active Directory. The initial implementation of it was totally kludgy and almost impossible to use at scale. There's a new version called group managed service accounts which came out subsequently, much better and much more realistic, so you'll see that's one of the things I'm going to point out as one of the most important things to start thinking about. Now between Windows 7 and Windows 8 we had a little thing called Mimikatz. Who's heard of that? Yeah, thank you. I know that almost everyone in the room has heard about it; some of the most evil malware we've seen in recent memory. And Mimikatz did something that

punched Microsoft in the face, basically. It did something that no one thought was even possible, which is start to pull out things like clear-text passwords. And so when Windows 8, really 8.1, rolled out, Microsoft finally woke up and said, my god, we've got to do something about this, this is insane. And so we get a lot of great mitigations come out in the 8.1 world. So there's the removal of a lot of those clear-text passwords from memory, assuming that they're not added back through some stupid configuration the admin has done. We get some better account restrictions; there's a much easier way to restrict local

accounts from being able to authenticate over the network. This is going to reduce the attack surface for things like pass-the-hash attacks, and so this is a big win, a really easy thing to get implemented. Protected processes: almost all of the credential-dumping tools deal with LSASS, as you often inject into LSASS to get access to those credentials. So now we have the ability to set protected processes to greatly restrict who has access to something that frankly no one should have access to. We get into things like restricted admin. That's the idea of trying to reduce the attack surface by

not leaving your credentials everywhere that admin has actually interacted with your environment. Right now the current state is basically shotgunning domain admin everywhere that admin's ever been, and that's totally a fail, so restricted admin starts us down that path of maybe reducing that attack surface. And then probably the most important thing we'll talk about in the entire deck: the domain Protected Users group. This is a huge win. This is a new group that comes out starting with Windows 8 that allows you to put your highly privileged accounts inside of it, and it greatly reduces the capabilities of those accounts to spread their really sensitive tokens and hashes around the environment. So

we're going to see that referenced as we go through as an excellent mitigation piece. It's a no-brainer to do. It'll make your admins' job maybe a little more difficult; you have to figure out some ways around, for instance, delegate tokens, they won't be able to just single sign-on to third-party systems, but it is a huge win for preventing attackers from getting access to those credentials. Other good news is these were so popular that most of these have now been backported to Windows 7, so you really have no excuse not to implement some of these. So you might be familiar with the pass-the-hash patch, which didn't really prevent pass-

the-hash but certainly added a bunch of these capabilities; that's now been backported to your older systems. Then finally, in the new world we live in, Windows 10. I'm sure you're all implementing Windows 10 in your enterprise right now, and when we get there we do get some additional capabilities. Credential Guard here is probably the big win. This is a truly revolutionary piece; finally we get to a point where we may be able to prevent the access to things like caches and tickets. Basically what's happening is they're taking that LSASS process and moving it into a protected hypervisor, so all of your credentials now are in a very protected space, like an enclave, with very, very few

functions that can access them. I'm not saying this will never be compromised, but certainly it breaks all current sets of tools out there. The only problem is you need certain hardware and certain software to get it up and running, but this is something that's going to be a potential big win, finally, for us to stop attackers from getting those easy wins. Remote Credential Guard is an update to restricted admin; that's a better implementation, not just admin but any account, again protecting any accounts that are authenticating over the network through things like RDP. And then finally Device Guard is basically an upgrade to AppLocker, a whitelisting capability that will prevent certain binaries from running, so

this, implemented correctly, could basically break, again, all of our known attack tools because it's essentially doing application whitelisting. So, hope on the horizon. As we're going to see, we're severely outmatched; these mitigations are not going to be the silver bullet for us, but what I'm going to do is reference these as we go through with the thought of trying to talk about how we can at least make our attackers' lives more difficult. Okay, so who's been in security more than 10 years? Thank you. All right, of those who had your hands up, who remembers talking about hashes over ten years ago? Yeah, this is a gimme, right? We've been talking about hashes forever. We started with LAN Manager hashes; those have

been largely deprecated, although there are probably environments you guys are working in where they may still be present. Now we're at the NT hash. We've known the NT hashes are incredibly insecure for, I don't know, a good decade or longer: no salt, totally vulnerable to things like pre-computation attacks and rainbow tables. These are one of the first things that attackers will try to dump when they get on a system. It's been this way for probably 15-plus years, maybe two decades, attackers have been going after our hashes. Now the old-school technique, when you old-timers were getting your initial training, was to dump the hashes and do what? Crack them, right? So

you dump them, crack them. We still do that today because it's fun, we still like hacking, but I'm telling you we don't even have to do that anymore. So hopefully you've heard of things like pass-the-hash, where you don't even need to crack the hash anymore. Your nice 25-character passwords, so long and complex it makes your fingers bleed when you type them in, it doesn't matter, because if you have the hash we can simply replay it through the environment and authenticate with just the hash. One of the biggest vulnerabilities that's come out. As you can see, tons of tools down here that allow us access to these hashes, the rogues'

gallery here. Now one of the interesting things I've seen in the wild is that while we get a lot of custom malware, you know, we're all dealing with nation-states now or highly resourced criminal syndicates with obvious capabilities to develop their own malware, one of the most interesting things is that the one tool that most attack groups are not implementing themselves is the credential-dumping tools. These work so well there's just no incentive for them to go build their own, and so if you look at any attack, I think every attack I've seen in the last five years probably had Mimikatz involved in it. You've just got to learn to look for that type of attack and roll

along your way. All right, so we get our hashes. Now one thing I think the security community has absolutely woken up to is this idea of where our hashes are being stored. I think finally we're realizing this is an important concept. So just as a quick review: any interactive logon, your credentials are going to be in play. Interactive logon means at the console, RDP, you do a RunAs. When you do those and you're authenticated to that remote system, your credentials are now present on that remote system for the length of your session. If an attacker happens to stumble upon that box they can easily dump your credentials and now they're off using

your credentials for evil. So what we have to do is take the knowledge as a security community and filter that down to the admins, where it really matters. I think most of us are probably good with this, but I know that most admins are not. Most admins have no idea that when they RDP to a system with their domain admin creds, the domain creds are now going to be present on that remote system. Even worse than that, they make stupid mistakes. So when you RDP you can either close your RDP session, so you can actually log off, or you can do what? Just X out and close the client.

When you X out and close that client, your session is still present on that remote system. You might have run into this: sometimes you'll run into a box like your own, you'll go into work in the morning and you'll go to log in and it'll say, do you want me to log out the admin, because they were in your system overnight, maybe patching it, and they just closed their RDP client. They didn't actually log out of your box; their credentials are still present on that system. We've got to retrain our admins and we've got to take the keys to the kingdom out of their hands until they can actually use

them effectively. So, lots of different ways; probably the most effective way on this chart is PowerShell. When you get to PowerShell remoting, all of a sudden, no matter what you're doing, if you open up a remote terminal using PowerShell that's still a non-interactive logon. It's about the best-case scenario, using the best of Windows authentication, and you're not sending your credentials all over the place. So we've got to train our admins to do this more reasonably. All right, so how does this work? gsecdump, a very, very common tool, so we often see this. Actually, this example is a very common place we'll see it: this example was done on a domain controller,

so what we're seeing here at the top is we're elevating our privileges from admin up to the SYSTEM account. A lot of these tools require SYSTEM-level privileges to actually do the injection into LSASS to pull the credentials out. And then we're simply just running the tool, gsecdump, and dumping the output to a text file. The contents of the text file look like this. This won't surprise anyone: we get a huge collection of hashes. But remember what I just said; I said that I should only be seeing the hashes on the system of the current logon sessions. This is actually something that wasn't always the case; I think XP Service Pack 2 started to

enforce that, where they try to clean up the sessions when you close them out. But we're seeing hundreds; in this example there were hundreds of hashes available on this box, and the reason is because of what I just mentioned: this actually happened to be a domain controller. The domain controller is servicing hundreds of concurrent logon sessions throughout that environment, and this is why you'll see a lot of attackers taking the very risky move of dropping to your domain controller and running pretty evil malware on it. If you're a good attacker, stay away from the domain controller, right? This is the one place that admins will actually

look at and monitor. But sometimes you've just got to do what you've got to do, and so a common technique you'll see is dropping onto the domain controller and running a tool like gsecdump. Now I've got a hundred-plus hashes on there; the odds of one of those being a highly privileged user are very high. All right, so once I get these hashes, well, now I can go to a tool like Mimikatz or Metasploit or your tool of choice and do what we call a pass-the-hash attack. All I'm doing is essentially feeding one of those hashes I just retrieved to my tool and asking it to authenticate. Now I'm actually authenticating as that user. In

this case we yanked the helpdesk account, so now I've got the hash and I'm able to start to traverse or laterally move through the network as that helpdesk account. Literally one line using Mimikatz and now I am that person. This is a classic example of what we call a pass-the-hash attack: take the hash, replay it, get through the environment to accomplish my goals. Anybody seen this in real life? Anybody done this? I hope we've got some pen testers; you must certainly have done pass-the-hash. All right, how do we protect against this? Simple, this is all you have to do, seriously: just go back and stop attackers from getting admin rights, and when you figure

out how to do that, please email me and tell me how you did it. It's basically impossible right now. Sad, so sad, but this is just something we have proven as a community is virtually impossible at this point. But if we could: all of these attacks I'll talk about for the rest of this deck actually require admin rights, so if we ever got to this magic land where we could enforce privileges, well, we'd be well off to a head start on the attackers. But assuming that's not possible, there are other things we can do. Certainly stop spraying your most important accounts through the environment. Get your admins to stop RDPing with

their domain admin creds, right? Teach them how to properly terminate those sessions. Think about, if you're in a Windows 10 or 8 world, putting in place things like restricted admin or Remote Credential Guard, which basically means even if they RDP with their domain admin creds, those won't be present on those remote systems; they're protected now with these new mitigations. Obviously when we get to Windows 10 we can start to prevent the ability to get the credentials themselves. If you have Credential Guard running on a system, no current attack tool can actually dump the hashes, so don't worry about them passing them because they can't get them. And obviously things like the domain Protected Users group,

that's again going to be probably the most important takeaway of the entire talk today, which is if you can get your most important accounts in that, those also aren't spreading those hashes around your network where they can easily be stolen. All right, hashes. I think hashes are the gimme here. Tokens: where I see a lot of people falling down on this is that it's just a surprisingly complicated authentication mechanism in Windows. So the idea of a token is that when you log in to a session a token is created. The token has your security identifier, it has all the groups you belong to, it has all of your privileges. Now this token is reused all over the

place. Every process that you spawn in your session actually gets a copy of your token; this is how these processes know what your levels of privilege are. You'll have things like a view attached to a file share, something like that; very commonly that process attaching will need to do something that we call impersonating your token. It'll need to load your token up into its process space in order to basically restrict or keep all of your privileges in place, to make sure that you can't exceed those rights and privileges that you have. So this idea of impersonation is used all over the place in Windows; it's something else taking your

token and reusing it as you. Now as you can imagine, if a standard Windows process or service can do this, so can an attack tool, and what our attackers do is when they get those admin rights, they get on the box, they can basically look at all the open tokens on the system that they're currently on, grab one and start reusing it. They can basically impersonate you. So very commonly this is used for privilege escalation. All right, you're admin currently, you want to be domain admin, so I can find a machine that a domain admin is on or didn't properly terminate a session on, I can steal their token, and I automatically become

domain admin. Maybe the simplest way to achieve domain admin rights in the wild. This also allows us to do things that maybe hashes don't allow us to do. Let's say I want to create a user account; I can't really do that through a pass-the-hash attack, but having token impersonation I can. And probably even worse, and by far the biggest liability of tokens, is that certain impersonation tokens can be what we call delegate tokens. Delegate tokens are essentially single sign-on; they allow you to authenticate to remote resources using your token. So if you have a domain admin token that's a delegate token, basically now you can

move around the environment using that account, so it's a huge problem. You see we've got some pretty classic tools that allow us to do this. This is what it looks like. So Mimikatz has a one-line command. We're currently sitting here as a particular user. All right, I run the very simple command with Mimikatz, elevate domain admin, and what it does is search through all the tokens on the current system; if it finds a domain admin-level token it will immediately grab it and load that into memory for me so I can start to interact as that user. And you'll notice in this case, look at the impersonation down at the bottom: in

this case we found a domain admin token that had the delegation capability, so now we can immediately start laterally moving as that user. I now essentially own the environment. So, an extremely common way to achieve that next level or that next rung up on the credential scale. How many of my pen testers have actually stolen a token in the last year? Anybody? Yeah, scary. So I know almost every pen tester has probably done token stealing in the last year. How many of the blue teamers, so I assume the rest of you, have actually found token stealing in your environment? It's really hard; it leaves very, very few clues. You'll see

some event logs, essentially some authentication events start to show up, but actually identifying the fact that a token was stolen, unless you have really, really good auditing, you're basically blind. So again our best-case scenario is going to be to essentially stop these tokens from being available. So yes, if we could prevent admin we'd be all right, so I mean that's the first case. Stop the madness: stop these interactive sessions from being done using highly privileged accounts; we just can't do that anymore. Yeah, so again something like Remote Credential Guard, when you have that in place it actually does not push your token to that remote system. Simple way, so even if you can't get to some of

the new hotness like Remote Credential Guard in Windows 10 or the Protected Users group, you can easily go to Active Directory and, for your most important accounts, just mark them to not delegate. That essentially kills that. Well, it doesn't kill it; it still allows on-the-system impersonation, which you can still get the next rung up from, a privilege escalation, but it prevents you from then using that token remotely, which is just what most attackers want. So that's a big win. And then certainly if you can get to the Protected Users group, if you can employ that in your environment, that by default does not push tokens; actually all tokens in that group are non-delegate by definition, you

can't change it, so you automatically get this wonderful group of protections around the accounts in that group. All right, so hashes, tokens. Let's say that you do everything right. You are on the ball, you've already implemented Credential Guard in your environment, you are high-fiving your team, you get to actually have a weekend for a change. So the attackers get on the box, they can't dump tokens, they cannot dump hashes, you've locked everything down, there's no delegate tokens, you've got your hashes in your protected enclave of Credential Guard, and sadly all attackers have to do is go and dump something called cached credentials and they're off to the races

again now there's another super old-school kind of authentication mechanism all right how many have heard of this probably a lot more than tokens right this is something we've known about forever the idea is that in a domain environment usually your accounts I'll Finnick eight to the domain controller the only problem is what if you've got all your Knights laptops in front of you and you're not currently connected your domain controller how do you actually log on with your domain account well to do that the account credentials has to be stored someplace outside of domain controller all right where this is stored is actually something called cached credentials basically allows you to use a domain account offline by

default ten of these are stored some brilliant individual at Microsoft decided with that the 2008 server release to upgrade this the last 25 for the chills beam cache now I want you to think about this all right first of all how often should a server not be connected to domain and that's pretty darn rare right also on your laptops do we have a lot of shared computers anymore how many people have actually logged onto your laptop in the last year I said you know I'll be you and you and you and maybe the helpdesk right why do we need to cache 10 credentials that's often an historical record of everyone who's ever logged onto that box including the

domain admin who set it up for you three years ago hopefully they've changed the password since then but if they haven't their credentials are still archives on every machine that they've been to so cache credentials are are a huge liability all right the good news is they are not in the same format as your traditional and Killam hashes so they are salted so rainbow tables don't work against these this is one of the few places where actually having a really good password policy can actually help you because the only attack against these is they have to be correct they can't be replayed like an entail and hashes that's the only kind of saving grace here but check this out so

one of the trends that we've seen recently is moving away from dumping credentials on a standard box, so dropping your gsecdump or your Mimikatz or whatever that is, because obviously we're starting to look for that. We have security tools that know what all of those tools look like and we're catching that. So a common mitigation to that from the attacker side is basically to come and just dump your LSASS process, or in this case dump your registry hives, and take them for an offline attack. That way I don't have to run my nasty tool on your box; I just have to figure out some way to get your SAM and SECURITY hives and I can do

everything offline without triggering your intrusion protection system, whatever that is. So this is a pretty cool little project, just written in Python, and as you notice at the top we did a pwdump from the SAM hive. Now those are just going to be the local accounts; those won't be domain accounts, it'll just be what's stored in your SAM, your local accounts. Notice there's not many. Same thing, same project, did the cachedump tool, now running it against your SECURITY hive, and look at everything else that pops up. These are what you really want. These are your domain accounts, and actually in this environment one of those was actually the domain admin, and so now we've got

the domain admin's cached credentials. All I have to do is go back to my cracking rig, crack this using MSCache2 in John the Ripper, if you're curious, and with any luck they'll have a weak enough password that I'll have domain admin tomorrow.

All right, how do we prevent cached credentials? Well, a lot of you will see guidance like turn your cached credentials to zero. Sometimes a good idea; NSA has had some guidance to tell people to do that, a lot of your DoD guidance comes out to four or less depending on if the system's mobile or not. You can tweak that, just be careful: zero is not always the right answer. The reason why is that it's not always just your personal account that's being cached. Things like the computer account sometimes get cached here, and so if you drop it to like only one cached credential, well, you might edge out the actual user's credential, or even things like

smart cards. Sometimes a smart card authentication is actually two different authentications, so two different things get cached, and that can override or kind of age out the actual person's credentials that need to be cached. So you could have a lot of bricked systems if you turn this down too low. By far probably the best option: just have good password complexity. You know, usually I laugh at the complexity rules because against things like pass the hash they're totally useless. This is one of the few areas left where it still matters. And then of course if you have something like the Protected Users group, by definition those accounts don't cache credentials on remote boxes, so another

big win. Seeing the trend here? Get some users into that group. All right, so cached credentials, super old-school. Something maybe even older than that: LSA secrets. I will tell you this is very old school, but I've seen more red teams get big wins from this than almost anything else. When we talk about LSA secrets we're not talking about user accounts now; we're actually talking more about service accounts. And so what happens? You have things like services. Remember, a service has to run without user interaction. So if you set up a service to use a domain account, well, that domain account has to somehow authenticate, and the way it authenticates

without interaction is it has to store the credentials locally. And so what happens? Let's say you have your backup software, and your backup software requires a service being run across your environment as some sort of highly privileged domain account, so they can access all the boxes to back them up. Well, that's awesome, but what you just did is you just shotgunned that entire highly privileged account into the LSA secrets of every machine that service runs on, and wonderfully, once you can get access to the machine, you can dump it out in plaintext. The particular danger here with service accounts is they are rarely changed, right? You probably have certain accounts in your environment that haven't been

changed in three or four years. People are scared to change them because you don't know what it will break. Some admin three generations ago set something up, it's still running, so just keep it as is. These are often also very highly privileged accounts, and so this is kind of just the syndrome and the worst case scenario coming to light with these service accounts. So, very very simple: these are stored directly in the registry. With admin rights you can do something like this, dump out all the LSA secrets. In this case this is a big win, this is the SQL Server. We pull out a relatively strong password for that SQL Server

account, and now we can start to authenticate with that around the network. Now I don't know about you guys, but I've actually seen environments where people have been told to run their SQL Server using domain admin rights, and if that's the case you just owned the network with one command. Another thing you'll notice on this: this is actually PowerShell. Another trend we've seen is that many, many tools are now being rewritten to work in the PowerShell environment. You might be familiar with PowerSploit; this is a lesser-known framework called Nishang, which is also a pentesting slash offensive PowerShell exploit kit, and it does an awesome job of pulling LSA secrets out. All right, so how do we protect against

this? Well, this is where your big takeaway, probably the second most important takeaway of today: go audit your service accounts. These things are such a liability in your environment. If you do one thing this year, go back, identify all the service accounts, identify which ones are running as domain accounts because they're by far the most vulnerable, figure out if you need them, figure out if you've changed the password recently, and if you've done all of that, start to audit those service accounts. This is a wonderful place when you're hunting through your environment. Identifying malicious service account usage can be very easy. Consider these sort of accounts do the same thing: that backup service probably

authenticates with a type 3 logon throughout your environment, your server environment, right? If you start seeing that account authenticating with a type 10, like an RDP-type authentication, that's a god-given clue that you are owned. Go find that and kill it. And so we've got to wrap our heads around these service accounts. If anything, just doing this will prepare you for when you do get that intrusion. Almost inevitably you're going to end up doing a full password reset of your environment at some point in your career. If you've already gone out and identified all your service accounts, you're 50% of the way there. You know, the level of hardship that it puts teams under to

identify these is just astonishing, so get ahead of the game would be my recommendation. And of course, if you can, Microsoft has a solution for this called group managed service accounts, and this will provide really strong passwords and roll them over every 30 days by default. All right, so you guys are probably thinking, Chad, I know about all that, tell me something that I don't know, you're boring me, this is all old-school, we've been doing this for 10 years. And you're right, although I will say in 99% of your environments this stuff still works. Ridiculous. But this is what was supposed to fix it for us, like Kerberos. I remember that Kerberos comes out of

MIT. This was going to provide some sanity to our authentication mess in Windows way back in the 2000 days. Now unfortunately, as an idea, in theory, Kerberos is pretty darn secure. It has wonderful things like the ability to prevent replay attacks; there's a timing mechanism in Kerberos. But you'll notice the implementation in real life is that it's been largely riddled with holes in order to make it work effectively. As an example, yes, you can actually prevent replay attacks in Kerberos, but what happens is that everything in your environment is tied to an account, so it inundates the domain controller with all these requests for accessing every

single object in the environment, and simply you can't do that; the performance goes kind of nose down. All right, so what happens is, you see here, you often have tickets that are valid for 10 hours. So I get a ticket, I can reuse that ticket for 10 hours, which shouldn't be possible in the Kerberos spec. There's all these kind of vulnerabilities that have been introduced there. So I would say that while this is probably the most advanced piece of Windows authentication, it has the biggest vulnerabilities. It's the typical thing: the more complex it is, the more holes are in place. And traditionally, like the last couple of years,

Kerberos has just been under fire. We've just seen howitzers being aimed at Kerberos and blowing giant holes into it. Here's the simplest, so just like pass the hash: well, if I can get access to a ticket, which is kind of the core unit of Kerberos, I can just pass that ticket in the same exact way we saw pass the hash. All I have to do is, in this case we're running as a standard user, Duncan, here. All I have to do now is just dump a ticket from anywhere, import it into this computer, and in this case this was the domain admin ticket, and now I'm that domain admin. All right, so I can

just take a ticket and move it around the environment, import it, and it's off to the races. You can see now I'm authenticated as, in this case, the domain admin. All right, so that's the Mimikatz tool. It gets way more complicated than pass the ticket. So pass the ticket is like level 1. If you get into things called over-pass-the-hash, this one's clever: so if you start to run into issues where maybe pass the hash isn't working, you could actually go and just take the hash, supply the hash to the domain controller, and get a ticket back, and now you've got a ticket that you can then use to do things like pass the

ticket. Let's call this over-pass-the-hash. A relatively new technique has come out called Kerberoasting. This one, you know, literally I had to sit down and almost came to tears when I saw it. Amazingly, the way the whole Kerberos environment is set up is that any user account can request a ticket, or service ticket, for any service in the environment. The domain controller doesn't know whether you have privileges to a certain computer or certain service; it says yeah, here's the ticket, provide this to that remote and it will authenticate whether you have access or not. The only problem is that ticket is encrypted with the NT hash of that service. So basically I can

request every service, every account in the environment, get all of their NT hashes back (nicely, Kerberos provides them to me), take them offline, find one that's a domain account with high-level privileges, crack it offline, and I'm back in the game. Ridiculous, but extremely possible, and very hard to detect. Who's heard of a golden ticket, Willy Wonka golden ticket? I'm glad to see so many hands go up. This was another kind of a-ha moment that again came out via the Mimikatz tool. This is an ability to create a ticket that can literally work indefinitely for any account. You can make yourself match the domain admin, you can make it an account that doesn't even exist in the environment, a

domain admin, and authenticate. The crazy thing here, this is the worst case scenario: you successfully remediate your environment, you do a full password reset of every account in the environment, your attackers go away, they come back the next month, they get their initial foothold again through another spear phishing attempt, and once they have local access they can re-import that old golden ticket and they immediately become domain admin; they can own the entire domain. There's only one way to prevent this: you've got to change that krbtgt password, and twice actually, at the domain controller. If you forget to do that, golden tickets last indefinitely. Silver tickets are kind of the... at first they don't seem

as hot or useful, but these things can be incredibly useful. This is similar to the golden ticket but is only valid for a single resource, like a single computer or a single service. What's really valuable about these is that they don't authenticate against the domain controller, so you get no logging on the domain controller when these are used, so it becomes a very stealthy way to move through the environment. And just to punch Microsoft in the nose one more time, we've got the skeleton key that came out a while ago, which essentially, once you have access to the domain controller, you can go patch LSASS on the domain controller and essentially create a backdoor into any account you want where your password

always works. So it basically is a very, very easy backdoor with essentially zero logging for it, unless you're logging your driver usage on that system, which is pretty rare. All right, and this is growing; we're going to see probably three or four more attacks in the next year or two in Kerberos. The latest hotness, which isn't on here, things like DCSync: you can set up a fake DC, or pretend like you're a DC, and get the entire DC to sync all its accounts to you effortlessly. All right, so how do we prevent this? I know this is depressing; yeah, I'm kind of depressed. Are there any preventers? Well,

Credential Guard for pass the ticket, so certainly that will protect all your tickets; you can't just dump tickets from a local system anymore. Remote Credential Guard will prevent your credentials from being placed on all those remote systems that your users are authenticating to. Kerberoasting is completely reliant upon cracking those hashes, so if you can have very complex passwords on your service accounts, which is basically what Kerberoasting is attacking, then you will essentially prevent that attack. You know your service accounts are valuable and interesting, so set up really good monitoring around those. And then finally, some of the guidance that I've been giving to people is basically: change,

regardless of what happens, change that krbtgt ticket at least once a year. That way you at least are expiring golden tickets that may be out in the wild in your environment at least once per year. Now that's scary in itself; some admins don't want to touch that because they're afraid it'll break the entire domain. You might as well do it now because you're probably going to have to do it later anyway. Get the pain while you can plan for it and then get it into your regular rotation. All right, and if it wasn't bad enough, I feel like hands on heads, like seriously. The nuclear option of course is, why do I

need a single hash, or why am I just dumping hashes all over? Once I've got domain admin privileges I can just go straight to the domain controller and I can just download the entire Active Directory. And so this is a very, very common technique you see in modern attacks. The attackers will just go to the domain controller, find some way, often through volume shadow copies, to get a back door into that locked file, which is called the NTDS.dit, and that is all your password hashes. Not just all the password hashes that are current; it also has a history of all the hashes of that account. You have things like, you know, a history of how

many times someone has changed their password so they can't reuse the same password when you force them to change it every 90 days. You can get all their previous hashes as well, which can sometimes be valuable because you can predict things like password reuse through that. So basically we can just yank that file, take it offline, and your entire Active Directory is now the attacker's. So, extremely common. This is a great example, this is actually pulling it out; these were commands pulled out of memory, and so we see the attackers essentially using vssadmin to list the shadow copies. They must have found a shadow copy because they just copy out the

three files they need in order to extract those hashes, pull them offline, and if you look back, you get a tool like ntdsxtract, a nice free tool online, which will yank all those hashes out and allow you to start cracking them, pass the hash attacks, over-pass-the-hash attacks. As you can imagine, you're pretty much good to go at this point. Do you ever wonder why attackers continue to do things like this even after they've achieved domain dominance? Why do they keep dumping credentials? Once you've got 20 good credentials that work, why do I need to actually go get everything? Is it just because they're pack rats? Password reuse,

or often what I've seen is, you do a full password reset in the environment. Do you ever do a full password reset? That's so hard to do, right? Commonly you're going to miss an account or two. They've got all of them, so when they come back they start rolling through all the admin accounts. You might have an old admin account you haven't touched in three years; if you haven't changed that password, they're back in the next day. This is almost like a get-out-of-jail-free card. This is their big dumpster-dive of all your data. So knowing this and knowing they're coming, right, do we have any soccer players in here?

You have a giant soccer field, right? Where are the attackers going? Help me. The goal, right? You know where they're going: they're going to your domain controller. If you do anything, watch that. It's just like the soccer goal; we know they're coming at some point. Now there's a million different ways they can come at you, using PowerShell or PsExec or any variety of other tools, but we know they're coming, so this is a great place to put some effort towards some detection mechanisms. All right, this one's simple. A lot of my answer is, how do you protect this? You don't give them domain admin. Again, that's hard.

The other way is detection. You know, the way that you create those things like the skeleton key, or dumping NTDS.dit, or going and creating a golden ticket, you've got to get to the domain controller to get those credentials to make all that happen. So let's sit and watch and look for unusual activities. All right, I could sit here for literally another three hours and we could keep digging into this. This is only the start of the credential problem in Windows. There are so many more issues we haven't talked about: things like the Windows Vault, things like smart card PINs, the Microsoft cloud accounts, just a total disaster, Microsoft Hello, it's coming out on all the newer systems. If

history has taught us anything, we are seeing an escalated amount of attacks against credentials, so we're going to be surprised at what attackers are coming up with in the next couple of years. So you've got to stay on top of those. There's a great chart put out by Benjamin Delpy, who is the author of Mimikatz. He continues to surprise us with new attacks against credentials; if you're not watching him, you absolutely should be. All right, so we are in a red state, so I know that we're all happy that we have a commander in chief up here to encourage us along. I will tell you your mission is to go back

and do something about this. If you are a blue teamer, go back and start to audit those servers, start to look at your highly privileged accounts. Can you move some of those into things like the domain Protected Users group? Can you actually start to think about things like Remote Credential Guard, preventing a lot of your credentials from being shotgunned around the environment? Can you retrain your admins? Can you do simple things like simply turn off delegation for tokens of your highly privileged accounts? Every little bit counts. And for those red teamers out there, you've got to up your game. It's been really easy up till now, but I will tell you, with some of these new

mitigations in place, I've seen attackers currently that are trying to pass the hash in environments and failing, and they can't figure out why. We're sitting there watching them on the wire and it's failing, failing, and they're not realizing that now in the Windows 7 and above environment, local accounts don't have the ability to pass the hash, if the environment is set up correctly. So their attacks are totally for naught, and they're leaving behind clues that we can track anyway. Those red teamers, you're going to have to up your game because you're going to start running into some brick walls. All right, so if you're not familiar with SANS, this is part of the 508 Advanced Forensics and

Incident Response class. You guys have, hopefully, some great notes that will help you with that charge from the commander in chief, and if you want any more information my contact information is on this deck, or feel free to hit me up during the rest of the conference. We've got a few minutes for questions. Oh, you're asking, does multifactor help on any of this? The answer is not much. All right, so you talked about like the DoD environment, we have smart cards. It turns out with smart cards, once you authenticate with that smart card, you have many of the same keys; the tickets, the tokens

are still all in play, and once the authentication occurs those can still be stolen and moved around regardless of that kind of smart card. So in general, sadly, multifactor is not a great mitigation at this time.

So, are there any attacks that you don't need admin-level privileges to accomplish that we talked about today? Man, not that I can think of. Almost everything, so even some of the offline attacks that you saw, like grabbing the SYSTEM and SAM hives, you've got to have admin to get access to those. You could get around it if you can get access to the raw disk, but you need admin rights to get access to the raw disk. So you pretty much have to have admin rights, at least in my knowledge, for all these attacks to work. Now as you probably know, that's not a very high hurdle; there are so many

privilege escalation attacks. Once you get your user account, getting to admin is just not that difficult in the majority of environments. But if we could stop it, if you can make your environment more hostile, you stop almost all of the attacks, maybe everything I talked about today outside of maybe Kerberoasting. Kerberoasting is an example where you don't need admin because you just request any ticket and it just comes out. So there's probably a few in there that maybe don't, but for the most part you need admin. Yes sir?

Yeah, like timestamps could be added to the hash to prevent things like pass the hash. There are actually a fair amount of timestamps used; for instance, Kerberos is very timestamp dependent. It's just, as we saw, it didn't work well at scale, so they had to let these things persist for long periods of time. So no, I don't see timing really working, at least as I can envision what the next authentication is going to be, but they've effectively prevented a lot of pass the hash. No, but yeah, I just don't see that as being a big mitigation. All right, well, thank you all very much, so awesome to be here. I hope you have a

great rest of the conference. [Applause]
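The detection the speaker describes for audited service accounts (a backup account that normally produces type 3 network logons suddenly showing up with a type 10 RDP-style logon), worked through as an added example. This is not code from the talk or from SANS; the event lines, account names (`svc_backup`, `svc_sql`) and addresses are constructed sample data in a simplified CSV shape, and the per-account profile of expected logon types stands in for the service-account audit the talk recommends building first.

```python
"""Spot service accounts used interactively (added example, not from the talk).

The talk's point: a backup service account normally shows up as type 3
(network) logons across the server estate; the same account performing a
type 10 (RemoteInteractive / RDP) logon is a strong sign the credential was
lifted from an LSA secret or cached credential and is being used by hand.

Event lines below are constructed sample data in a simplified CSV shape
(timestamp, event id, account, logon type, source address).
"""
from collections import defaultdict
from dataclasses import dataclass

# Windows Security event 4624 logon types (documented values).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}
# Logon types that imply a person at a console or RDP session.
INTERACTIVE_TYPES = {2, 10, 11}

# Hypothetical audit output: service accounts and the logon types their job
# legitimately needs. Build this from your own service-account audit.
SERVICE_ACCOUNT_PROFILE = {
    "svc_backup": {3, 5},   # backs up servers over the network, runs as a service
    "svc_sql": {5},         # SQL Server service logon only
}

# Constructed sample events: two normal backup logons, one SQL service start,
# an ordinary user on RDP, then svc_backup and svc_sql both used from one host.
SAMPLE_LOG = """\
2017-07-01T01:00:04Z,4624,svc_backup,3,10.0.0.21
2017-07-01T01:00:09Z,4624,svc_backup,3,10.0.0.22
2017-07-01T01:05:00Z,4624,svc_sql,5,-
2017-07-01T02:13:04Z,4624,alice,10,10.0.0.50
2017-07-01T02:47:31Z,4624,svc_backup,10,10.0.0.77
2017-07-01T03:02:12Z,4624,svc_sql,3,10.0.0.77
2017-07-01T03:02:40Z,4625,svc_sql,3,10.0.0.77
"""


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    event_id: int
    account: str
    logon_type: int
    source: str


def parse_events(text):
    """Parse the constructed CSV lines into LogonEvent records, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, source = line.split(",")
        events.append(LogonEvent(ts, int(eid), account, int(ltype), source))
    return events


def find_anomalies(events, profile=SERVICE_ACCOUNT_PROFILE):
    """Return (event, reason) pairs for successful logons (4624) by a profiled
    service account using a logon type outside its audited profile.
    Interactive types get their own wording because that is the
    'type 10 from a backup account' clue the talk describes."""
    alerts = []
    for ev in events:
        if ev.event_id != 4624 or ev.account not in profile:
            continue
        if ev.logon_type in profile[ev.account]:
            continue
        name = LOGON_TYPES.get(ev.logon_type, "Unknown")
        if ev.logon_type in INTERACTIVE_TYPES:
            reason = f"interactive logon ({name}) by service account"
        else:
            reason = f"unexpected logon type {ev.logon_type} ({name}) for service account"
        alerts.append((ev, reason))
    return alerts


def sources_touching_service_accounts(alerts):
    """Group alerts by source address: one host misusing several service
    accounts is the pivot host to look at first."""
    by_source = defaultdict(set)
    for ev, _ in alerts:
        by_source[ev.source].add(ev.account)
    return dict(by_source)


if __name__ == "__main__":
    found = find_anomalies(parse_events(SAMPLE_LOG))
    for ev, reason in found:
        print(f"{ev.timestamp} {ev.account:<11} type {ev.logon_type:<2} from {ev.source}: {reason}")
    print(sources_touching_service_accounts(found))
```

On the sample data this flags the `svc_backup` type 10 logon and the `svc_sql` type 3 logon, both from the same source host, while ignoring the failed 4625 and the unprofiled user; in practice the profile comes from the audit, and the events come from 4624 records pulled from a SIEM or the Security log rather than a CSV.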