Windows 10 CredentialGuard vs Mimikatz - SEC599

In this presentation, Erik Van Buggenhout (NVISO founder & SANS Instructor) zooms in on Windows 10 CredentialGuard and how it can be used to protect against LSASS hash dumping (e.g. using Mimikatz). Want to learn more? Join us at SANS SEC599!

Windows 10 CredentialGuard vs Mimikatz - SEC599

  1. Erik Van Buggenhout – CredentialGuard vs Mimikatz: The showdown – InfoSecurity, 14 March 2018
  2. Who am I?
     • Co-founder
     • Incident Response & Threat Hunting
     • Lead Author & Instructor SEC599
     • Instructor SEC560, 561, 562, 542
  3. What I’d like to discuss today
     • Quick Introduction – Refresher: Windows credentials attacks
     • Let’s talk defenses – What defense mechanisms were introduced before?
     • CredentialGuard – What is this CredentialGuard you speak of?
     • Demo – The proof is in the pudding! CredentialGuard vs Mimikatz
  4. What I’d like to discuss today (agenda slide repeated)
  5. Stealing Windows credentials – where in the Cyber Kill Chain? Kill chain phases shown: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Action on Objectives. Windows credentials are typically a target for adversaries in the later stages of the compromise. After obtaining an initial foothold, credentials are stolen to further escalate privileges / move laterally in the environment!
  6. Windows credentials attacks – Aside from generic attacks such as phishing or keylogging, the table on this slide lists some of the most common ways used by adversaries to obtain Windows credentials (the table itself is not part of the slide text). SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
  7. Introducing some of these tools – Capturing NTLMv2. For different reasons, Kerberos might not be available, in which case Windows will revert to NTLMv2 challenge / response authentication. Message flow between the client workstation, the service (database server) and the domain controller:
     1. Client requests authentication from the server
     2. Server sends a challenge
     3. Client sends its response: the authenticating system uses the hashed credential to calculate a response based on the challenge sent by the server
     4. Server forwards challenge + response to the domain controller
     5. Domain controller validates the credentials
     6. Server sends the result back to the client
     In a Windows domain environment, the NTLM challenge & response are thus forwarded to the domain controller for validation of credentials.
  8. Introducing some of these tools – Responder – Capturing NTLMv2. Responder is (amongst others) an LLMNR, NBT-NS and MDNS poisoner. It will attempt to trick systems into connecting / authenticating to the system it is running on. It will then attempt to sniff the authentication challenge / response (e.g. NTLMv2), which could be cracked by a password cracking tool.
  9. Dumping credentials from LSASS memory. Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in particular has become extremely popular:
     • It opens up an attack vector against users that aren’t locally configured (domain users). Furthermore, stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so they can immediately be reused in Pass-the-Hash attacks
     • Common attack flow:
       1. Obtain local admin access to one system in the domain
       2. Lure a domain admin to the machine (e.g. call the helpdesk)
       3. Dump credentials from memory
       4. Own the domain (“Domain dominance”)
       5. Persist domain ownership (Golden ticket, DCSync, Skeleton Key, …)
     • Tools like BloodHound create entire attack trees that reveal relationships between accounts and systems to facilitate this
  10. Dumping credentials from LSASS memory – Common technique. Due to the size & complexity of an Active Directory environment, it’s often difficult for administrators to retain a good overview of how privileges are assigned across the environment. Adversaries can leverage this to spot excessive privileges which can be used in lateral movement… AD structure diagrams: the diagram on this slide (generated by the attacking tool BloodHoundAD) reveals an interesting way in which adversaries could laterally move through the target environment. The path shown: User Erik → member of group “Workstation admins” → admin on PC “Workstation 1” → HasSession: User Stephen → member of group “Domain admins”. In a few steps, Erik could easily steal the hashes of Stephen, thereby obtaining Domain Admin privileges.
  11. Dumping credentials from LSASS memory – Mimikatz. Mimikatz is a free, open-source Windows tool built by Benjamin Delpy (@gentilkiwi) to extract credentials from Windows computers. Its second version is often referred to as “Kiwi”. Due to its high reliability & flexibility, it is used by adversaries and penetration testers alike. Several variations have been created and it has been included as a module in the Metasploit Meterpreter attacking tool. In the author’s words: “Mimikatz is a tool I've made to learn C and make some experiments with Windows security. It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”
  12. Dumping credentials from LSASS memory – The primacy of Mimikatz. Executing the command privilege::debug enables the debug privilege. Executing the command lsadump::lsa /inject will then dump the hashes from the LSA process (lsass.exe).
  13. Dumping credentials from LSASS memory – Mimikatz in the news. The popularity of Mimikatz has sky-rocketed over the last few years:
     • In 2017, the NotPetya ransomware used various components of Mimikatz to support its lateral movement
     • In several APT investigations, Mimikatz is part of the standard toolkit used by advanced adversaries (amongst others, OilRig, Cobalt Kitty & APT28 have been observed to use (variants of) Mimikatz)
     • Penetration testing & red teaming frameworks include (variants of) Mimikatz:
       • Metasploit Meterpreter has a built-in Mimikatz module
       • PowerShell Empire has a built-in version of Mimikatz
  14. Dumping credentials from LSASS memory – Some advanced Mimikatz features
     • To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS process can be fed to Mimikatz. This dump file can be created by built-in Windows tools (e.g. Task Manager) or the SysInternals toolkit. This removes the need to run a “hacking tool” like Mimikatz on the target system…
     • Mimikatz can impersonate a Domain Controller and replicate all password hashes using MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz
     • Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in the memory of the Domain Controller (“Skeleton Key” attack)
  15. What I’d like to discuss today (agenda slide repeated)
  16. What’s left behind? Reference: http://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material
  17. What’s left behind? – Mimikatz point of view (screenshot only)
  18. Generic recommendations – Isolate Domain Controllers. Put domain controllers in a different network than other servers and workstations. Use at least firewalls to separate the networks (diagram: domain controllers network separated from the inner network).
  19. Generic recommendations – Privileged Access Workstations (diagram: domain controllers network, Privileged Access Workstations, inner network)
  20. Generic recommendations – Identity & Access Management (diagram only)
  21. Focused improvements – Windows 8 / 2012 – Restricted Admin. The idea of “Restricted Admin” mode is that credentials are not sent upon establishing an RDP session, so the chances of capturing them using Mimikatz are lower! Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
  22. Focused improvements – Windows 8 / 2012 – Restricted Admin. In a bit more detail:
     Normal RDP
     • Erik enters his password in the RDP client.
     • The RDP client performs a network logon to the target server to authorize Erik.
     • Erik is authorized & the RDP client securely relays the credentials to the target machine over a secure channel.
     • The target server uses these credentials to perform an interactive logon on behalf of Erik.
     Restricted Admin
     • RDP will try to interactively log on to the remote machine without sending credentials
     • The actual credentials are not required in order to set up the connectivity
  23. Focused improvements – Windows 8 / 2012 – Restricted Admin (screenshot only)
  24. Focused improvements – Windows 8 / 2012 – Protected Processes. In order to prevent hash dumping attacks aimed at the LSA process, Microsoft introduced “Protected Processes” as of Windows 8 & Windows Server 2012.
     • Protected processes were first introduced in Windows Vista for DRM (Digital Rights Management) purposes, but were adapted for “security purposes” in Windows 8
     • The screenshot on the right provides an example of the lsass.exe process running as a “protected process”
     • Protected Processes are implemented in the kernel software and can thus be defeated…
  25. Focused improvements – Windows 8 / 2012 – Protected Processes (screenshot only)
  26. Focused improvements – Windows 8 / 2012 – Protected Processes (screenshot only)
  27. Focused improvements – Windows 8 / 2012 – Domain Protected Users. “Protected Users” enforces a number of restrictions on affected users, which try to defend against several of the attack strategies previously mentioned:
     • Authentication using NTLM is disabled => protects against Responder-style attacks
     • WDigest & CredSSP clear-text credentials are no longer stored in LSASS => fewer results when dumping LSASS memory
     • On a device running Windows 8.1, passwords are not cached => protects against dumping of cached credentials (Windows default: 10 latest users)
     • Kerberos will not use DES or RC4 during pre-authentication => protects against “Kerberoasting” attacks
  28. What I’d like to discuss today (agenda slide repeated)
  29. Introducing CredentialGuard
  30. Windows high-level architecture – Without CredentialGuard (diagram only)
  31. Having a look at the processes – Without CredentialGuard (screenshot only)
  32. Windows high-level architecture – With CredentialGuard. When Credential Guard is enabled, the LSA process still runs in userland. The actual credentials are stored in the isolated LSA process (LsaIso.exe). This process does not run under Windows, but in Virtual Secure Mode.
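An added defender-side check (example code written for this page, not part of the slides or NVISO’s material) that audits on the local host the protections discussed in slides 24, 27 and 32: whether LSA runs as a protected process (RunAsPPL), whether Credential Guard is configured and running according to the Win32_DeviceGuard CIM class, whether the isolated LSA process (LsaIso.exe) is present, and whether WDigest clear-text caching has been re-enabled. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later; the function name is my own.

```powershell
# Added example: audit LSASS credential protections on the local machine.
# Assumes an elevated session on Windows 10 / Server 2016+.

function Get-LsassProtectionStatus {
    [CmdletBinding()]
    param()

    # 1. LSA as a protected process (RunAsPPL = 1), slide 24.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL
    $ppl = ($runAsPpl -eq 1)

    # 2. Credential Guard state from Win32_DeviceGuard, slide 32.
    #    In SecurityServicesConfigured/Running, value 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = ($dg.SecurityServicesRunning    -contains 1)

    # 3. The isolated LSA process only exists when VSM / Credential Guard is active.
    $lsaIso = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # 4. WDigest clear-text caching (UseLogonCredential = 1 re-enables it), slide 27.
    $wdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wd    = (Get-ItemProperty -Path $wdKey -Name UseLogonCredential `
                 -ErrorAction SilentlyContinue).UseLogonCredential
    $wdigestCleartext = ($wd -eq 1)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LsaRunAsPPL               = $ppl
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaIsoProcessPresent      = $lsaIso
        WDigestCleartextEnabled   = $wdigestCleartext
    }
}

$status = Get-LsassProtectionStatus
$status | Format-List

if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: NT hashes in LSASS memory remain reachable from userland.'
}
if ($status.WDigestCleartextEnabled) {
    Write-Warning 'WDigest UseLogonCredential is 1: clear-text passwords are cached in LSASS.'
}
```

Run it across a fleet (e.g. via Invoke-Command) and treat CredentialGuardConfigured=True with CredentialGuardRunning=False as a sign that the hypervisor or UEFI prerequisites are missing on that host.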
  33. Windows high-level architecture – With CredentialGuard (diagram only)
  34. Some caveats (slide content not in transcript)
  35. Some caveats – Another interesting attack strategy! (slide content not in transcript)
  36. What I’d like to discuss today (agenda slide repeated)
  37. Demo time
  38. Conclusion
  39. Want to learn more? Want support? Get in touch with NVISO’s experts, we’d be happy to discuss how we can help further! Want to learn more? Join SEC599 – Defeating Advanced Adversaries!
     • London – April 2018
     • Amsterdam – September 2018
     • Brussels – October 2018
     More locations available at https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses
