Escalation
Defenses
AD Guard Rails Every Company Should Deploy.
© 2020 :: David Rowe :: Secframe.com
David Rowe, CISSP
Cloud Security at Boston Children's Hospital. IR advisor for multiple incident response teams responding to Advanced Persistent Threat (Nation State) attacks.
David Rowe, CISSP
Secframe.com
/in/davidprowe
@davidprowe
david@secframe.com
Today:
• What is Active Directory?
• Why is Access Important?
• Do you swear to talk about Active Directory, the whole Active Directory and nothing but Active Directory?
1. What is Active Directory?
Object Information Store
A.D. stores information about OBJECTS on a computer network
Object Information Store
Hierarchy: Parent/Child
Common Object Types:
• Users
• Computers
• Groups
Security Defined Through:
ACLs, Ownership, & Membership: these decide which objects are authorized to perform actions on other objects
Ex. A.D. Hierarchy:
Source: https://www.secframe.com/blog/account-operators-what-can-they-control
Ex: Account Operators have top down access to all these objects
2. AD Administrative Model
Microsoft's Solution: ESAE (Enhanced Security Administrative Environment)
ESAE Purpose
Protect identity systems using a set of buffer zones between full control of the Environment (Tier 0) and the high risk workstation assets that attackers frequently compromise.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Microsoft's Solution ESAE
ESAE's first presentation:
ESAE: 3 Stages, 14 Steps
Stage 1:
• Separate Admin accounts for Workstations
• Separate Admin accounts for Servers
• Separate Admin accounts for Domain Controllers
Stage 2:
• Privileged Access Workstations for Admins
• Unique Local Passwords for Servers & Workstations
• Time Bound Privileges
• Just Enough Administration
• Lower Attack Surfaces of DCs: Limit Admins
• Attack Detection
Stage 3:
• Modernize roles and delegation model to be compliant with the tiers
• Smartcard authentication for all admins
• Admin Forest for AD admins
• Windows Defender Device Guard
• Shielded VMs
Active Directory Tier Model

Tier 0: Domain & Enterprise Admins
The highest level of privilege. Accounts which have administrative control over the entire environment through the ability to manage identity and permissions enterprise-wide.
Objects: Domain Controllers; Systems that manage DCs; Accounts with access to these systems

Tier 1: Server Admins
Accounts which have administrative control over enterprise resources that serve many users or manage business-critical data and applications. Cannot control Tier 0 resources.
Objects: Servers and Srv admins; Enterprise apps & admins; Cloud service administrators

Tier 2: Workstation Admins
Accounts with administrative privileges over only standard user accounts and single-user devices. Cannot control Tier 1 or Tier 0 resources.
Objects: Helpdesk support; Device support; User support
3. Attacker's Access Path
What is an Access Path?
An access path, also called a compromise path, is an indirect path to compromising critical resources on a domain.
How can the Tiers help?
By limiting the use of administrators' credentials, the exposure factor of the credentials is decreased.
ELI5: If admins don't log in everywhere, passwords are harder to locate and crack.
Access Path Example 1
• Attacker compromises desktop computer
• Breaks MS Word
• Steals Field Tech account when they log in
• Finds server where stolen creds work
• Dumps cached server admin creds
• Jumps to other available servers dumping creds
• Finds server with DA creds
• Dumps and decrypts AD Password Database NTDS.DIT
• Traverses and attacks other trusted domains
Access Path Example 2
• Attacker compromises office printer
• Printer interfaces with AD using LDAP
• Attacker steals printer's AD service account
• Attacker uses creds to traverse desktops & servers
• Finds SCCM/Landesk/Ansible admin desktop computer
• Uses tool to add local admin privileges to Jump Server
• Harvests DA creds off Jump Server
• Dumps and decrypts AD Password Database NTDS.DIT
• Traverses and attacks other trusted domains
Access Path Example 3
• Attacker compromises desktop computer
• Requests Kerberos Tickets to any account with an SPN (Kerberoasting)
• Cracks cached creds into plaintext
• Jumps to other available servers dumping other cached credentials
• Harvests DA creds off Server
• Dumps and decrypts AD Password Database NTDS.DIT
• Traverses and attacks other trusted domains
The Breach & Prevention
• An unpatched public facing web server was compromised
• An attacker exploited a vulnerability, granting admin access to the server
• The attacker dumped the cached credentials on the server
• Finds a local administrator password identical across machines
• Attacker moved laterally across the domain probing servers until he/she finds a computer where a domain administrator (DA) credential was stored
• Attacker dumps DA hash from machine and cracks it
• The attacker now has full administrative access on the domain

This will eventually happen. Walking the chain again, each control removes one of the steps above:
• Patch: the unpatched public facing web server (the initial compromise is still assumed to happen eventually)
• Cached cred GPO: removes the cached credentials the attacker dumped on the server
• LAPS or PWD Script: removes the local administrator password identical across machines
• Block DA login GPO: removes the DA credential stored on a server found by lateral movement
• Cached cred GPO: removes the DA hash the attacker dumped from the machine and cracked

Bad Actor Has No Direct Path to DA
4. GPOs needed
Block logins across tiers
• Start by blocking Domain Admins (DAs) logins
• They should not be able to log into workstations or servers
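One way to confirm the GPO landed on a Tier 1 or Tier 2 host, as an added example that is not part of the slides: export the local user-rights assignments and check that the Domain Admins SID sits in every "Deny log on" right. It assumes a domain-joined machine, an elevated session (secedit needs one), and that the deny GPO is linked to server and workstation OUs only, never to the Domain Controllers OU.

```powershell
# Added example (not from the slides): verify that Domain Admins are denied every
# logon type on this host by reading the effective user-rights assignments.

function Get-PrivilegeRights {
    # Export the effective user-rights assignments and parse the [Privilege Rights] section.
    # Lines look like: SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
    $inf = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Comma-separated principals; SIDs carry a leading '*', account names do not
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-DomainAdminsDenied {
    param([string]$Domain = $env:USERDOMAIN)   # assumes the session runs under a domain account
    # Resolve the Domain Admins SID (RID 512) for this domain instead of hard-coding it
    $account = New-Object System.Security.Principal.NTAccount($Domain, 'Domain Admins')
    $daSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rights = Get-PrivilegeRights
    # The five deny rights that close every logon type a DA could use on this box
    $required = [ordered]@{
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
        SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
        SeDenyBatchLogonRight             = 'Deny log on as a batch job'
        SeDenyServiceLogonRight           = 'Deny log on as a service'
    }
    foreach ($name in $required.Keys) {
        # A right that is not configured at all is simply absent from the export
        $denied = $rights.ContainsKey($name) -and ($rights[$name] -contains $daSid)
        [pscustomobject]@{
            Right              = $name
            Policy             = $required[$name]
            DomainAdminsDenied = $denied
        }
    }
}

Test-DomainAdminsDenied | Format-Table -AutoSize
```

Any row showing DomainAdminsDenied = False on a member server or workstation is a logon path the tier model still leaves open.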
Cached Creds GPO
Create GPOs to remove the cached credentials from computers, then reboot.
Cached Credentials?
• Computer level setting
• Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available)
Cached Credentials Defaults
• The value is the number of users' credentials stored on the device
• Windows Operating Systems default to 10
• Default stored as RC4 hash on system
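An added example, not from the slides, for the cached-credentials GPO and the reboot step above: read the effective "Number of previous logons to cache" value on a set of hosts and flag any that exceed the tier's target or have not rebooted since the GPO was linked. It assumes WinRM is reachable and the caller is a local admin on each target; the computer names and policy date are placeholders.

```powershell
# Added example (not from the slides): audit the cached-logon setting across a tier
# after the GPO is deployed, and show which hosts still need the reboot.

function Get-CachedLogonsCount {
    # Reads the effective value of "Interactive logon: Number of previous logons to cache
    # (in case domain controller is not available)". The GPO writes it as the REG_SZ value
    # CachedLogonsCount; when the value is absent Windows falls back to its default of 10.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ([string]::IsNullOrEmpty($raw)) { 10 } else { [int]$raw }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        CachedLogons = $count
        LastBoot     = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }
}

function Test-CachedLogonsPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][datetime]$PolicyLinkedAt,   # when the cached-cred GPO was linked
        [int]$MaxAllowed = 0   # 0 for servers that always reach a DC; laptops may justify a small number
    )
    # Run the reader on every target; the function body is shipped to the remote session
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-CachedLogonsCount} |
        ForEach-Object {
            [pscustomobject]@{
                Computer            = $_.Computer
                CachedLogons        = $_.CachedLogons
                Compliant           = ($_.CachedLogons -le $MaxAllowed)
                # The slides call for a reboot once the GPO lands; show whether it has happened
                RebootedSincePolicy = ($_.LastBoot -gt $PolicyLinkedAt)
            }
        }
}

# Placeholder server names and date; servers get 0, workstations whatever the tier owner approved
Test-CachedLogonsPolicy -ComputerName 'SRV-APP01', 'SRV-DB01' -PolicyLinkedAt (Get-Date '2020-01-15') -MaxAllowed 0 |
    Format-Table -AutoSize
```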
Vulnerabilities
• Targeted Pass-the-hash: if you can't crack it, encapsulate and pass it
• RC4 NOMORE, one type of RC4 exploit: 52 hrs to crack
• In one incident I observed evidence of a plaintext password 9 minutes after the hash was compromised
Playground: Exploit Tools
Mimikatz, Impacket, JtR, Hashcat, Ophcrack, Taskmanager… + lsass.exe, Pwdumpx + passwordPro
Google for more!
Cached Creds: GPO Servers
Cached Creds: GPO Workstations
Now what do I do?
Deploy the GPOs to remove vulnerabilities
Guidance on Frameworks and Tools
Security Audits & Roadmaps
Secframe.com/about
Slides available for download at: Secframe.com/presentations

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

Escalation defenses: AD guardrails every company should deploy

  • 1. Escalation Defenses: AD Guard Rails Every Company Should Deploy. © 2020 :: David Rowe :: Secframe.com
  • 2. David Rowe, CISSP. Cloud Security at Boston Children's Hospital. IR advisor for multiple incident response teams responding to Advanced Persistent Threat (Nation State) attacks.
  • 3. David Rowe, CISSP. Secframe.com, /in/davidprowe, @davidprowe, david@secframe.com
  • 4. Today: What is Active Directory? Why is Access Important? Do you swear to talk about Active Directory, the whole Active Directory and nothing but Active Directory?
  • 5. Part 1: What is Active Directory?
  • 6. Object Information Store: A.D. stores information about OBJECTS on a computer network.
  • 7. Object Information Store. Hierarchy: Parent/Child. Common Object Types: Users, Computers, Groups.
  • 8. Security Defined Through: ACLs, Ownership & Membership. Objects authorized to perform actions.
  • 9. Ex A.D. Hierarchy. Source: https://www.secframe.com/blog/account-operators-what-can-they-control. Ex: Account Operators: top-down access to all these objects.
  • 10. Part 2: AD Administrative Model
  • 11. Microsoft's Solution: ESAE (Enhanced Security Administrative Environment)
  • 12. ESAE Purpose: Protect identity systems using a set of buffer zones between full control of the Environment (Tier 0) and the high risk workstation assets that attackers frequently compromise. https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
  • 13. Microsoft's Solution ESAE. ESAE's first presentation:
  • 14. ESAE: 3 Stages, 14 Steps. Stage 1: Separate Admin accounts for Workstations; Separate Admin accounts for Servers; Separate Admin accounts for Domain Controllers. Stage 2: Privileged Access Workstations for Admins; Unique Local Passwords for Servers & Workstations; Time Bound Privileges; Just Enough Administration; Lower Attack Surfaces of DCs: Limit Admins; Attack Detection. Stage 3: Modernize roles and delegation model to be compliant with the tiers; Smartcard authentication for all admins; Admin Forest for AD admins; Windows Defender Device Guard; Shielded VMs.
  • 15. Today's Topic: the same 3 stages and 14 steps as slide 14, with the items covered today highlighted.
  • 16. Active Directory Tier Model. Tier 0 (Domain & Enterprise Admins): the highest level of privilege. Accounts which have administrative control over the entire environment through the ability to manage identity and permissions enterprise-wide. Objects: Domain Controllers; Systems that manage DCs; Accounts with access to these systems. Tier 1 (Server Admins): accounts which have administrative control over enterprise resources that serve many users or manage business-critical data and applications. Cannot control Tier 0 resources. Objects: Servers and Srv admins; Enterprise apps & admins; Cloud service administrators. Tier 2 (Workstation Admins): accounts with administrative privileges over only standard user accounts and single-user devices. Cannot control Tier 1 or Tier 0 resources. Objects: Helpdesk support; Device support; User support.
  • 17. Part 3: Attacker's Access Path
  • 18. What is an Access Path? An access path, also called a compromise path, is an indirect path to compromising critical resources on a domain.
  • 19. How can the Tiers help? By limiting the use of administrators' credentials, the exposure factor of the credentials is decreased. ELI5: If admins don't log in everywhere, passwords are harder to locate and crack.
  • 20. Access Path Example 1: Attacker compromises desktop computer; Breaks MS Word; Steals Field Tech account when they log in; Finds server where stolen creds work; Dumps cached server admin creds; Jumps to other available servers dumping creds; Finds server with DA creds; Dumps and decrypts AD Password Database NTDS.DIT; Traverses and attacks other trusted domains.
  • 21. Access Path Example 2: Attacker compromises office printer; Printer interfaces with AD using LDAP; Attacker steals printer's AD service account; Attacker uses creds to traverse desktops & servers; Finds SCCM/Landesk/Ansible admin desktop computer; Uses tool to add local admin privileges to Jump Server; Harvests DA creds off Jump Server; Dumps and decrypts AD Password Database NTDS.DIT; Traverses and attacks other trusted domains.
  • 22. Access Path Example 3: Attacker compromises desktop computer; Requests Kerberos Tickets to any account with an SPN (Kerberoasting); Cracks cached creds into plaintext; Jumps to other available servers dumping other cached credentials; Harvests DA creds off Server; Dumps and decrypts AD Password Database NTDS.DIT; Traverses and attacks other trusted domains.
  • 23. The Breach & Prevention: An unpatched public facing web server was compromised; An attacker exploited a vulnerability, granting admin access to the server; The attacker dumped the cached credentials on the server; Finds a local administrator password identical across machines; Attacker moved laterally across the domain probing servers until he/she finds a computer where a domain administrator (DA) credential was stored; Attacker dumps DA hash from machine and cracks it; The attacker now has full administrative access on the domain.
  • 24. The Breach & Prevention (build): same chain as slide 23. Annotation: This will eventually happen.
  • 25. The Breach & Prevention (build): same chain as slide 23. Annotations: This will eventually happen; Patch.
  • 26. The Breach & Prevention (build): the "dumped the cached credentials" step is gone. Remaining: unpatched web server compromised; vulnerability exploited, granting admin access; local administrator password identical across machines; lateral movement until a computer with a DA credential is found; DA hash dumped and cracked; full administrative access on the domain. Annotations: This will eventually happen; Patch; Cached cred GPO.
  • 27. The Breach & Prevention (build): the "identical local administrator password" step is gone. Remaining: unpatched web server compromised; vulnerability exploited, granting admin access; lateral movement until a computer with a DA credential is found; DA hash dumped and cracked; full administrative access on the domain. Annotations: This will eventually happen; Patch; Cached cred GPO; LAPS or PWD Script.
  • 28. The Breach & Prevention (build): the lateral-movement step is gone. Remaining: unpatched web server compromised; vulnerability exploited, granting admin access; DA hash dumped and cracked; full administrative access on the domain. Annotations: This will eventually happen; Patch; Cached cred GPO; LAPS or PWD Script; Block DA login GPO.
  • 29. The Breach & Prevention (build): the "DA hash dumped and cracked" step is gone. Remaining: unpatched web server compromised; vulnerability exploited, granting admin access; full administrative access on the domain. Annotations: This will eventually happen; Patch; Cached cred GPO; LAPS or PWD Script; Block DA login GPO; Cached cred GPO.
  • 30. The Breach & Prevention (final build): unpatched web server compromised; vulnerability exploited, granting admin access; full administrative access on the domain. Annotations: This will eventually happen; Patch; Cached cred GPO; LAPS or PWD Script; Block DA login GPO; Cached cred GPO. Result: Bad Actor Has No Direct Path to DA.
  • 31. Part 4: GPOs needed
  • 32. Block logins across tiers: Start by blocking Domain Admins (DAs) logins. They should not be able to log into workstations or servers.
  • 33. Block logins across tiers (GPO screenshot).
  • 34. Cached Creds GPO: Create GPOs to remove the cached credentials from computers … then reboot.
  • 35. Cached Credentials? Computer level setting: Interactive logon: Number of previous logons to cache [store in memory] (in case domain controller is not available).
  • 36. Cached Credentials Defaults: Value indicates stored user credentials on the device. Windows Operating Systems default to 10. Default stored as RC4 hash on system.
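An added audit script for the two guardrails in slides 32 to 36 (my example, not code from the slides or from Secframe): it reads the value the "Interactive logon: Number of previous logons to cache" setting writes and checks whether the domain's Domain Admins group (RID 512) appears in each deny-logon user right exported by secedit. It assumes it runs elevated on a domain-joined member server or workstation (not a DC); the threshold parameter and the table of deny rights are my choices.

```powershell
<#
  Added example, not part of the slides: audit one member server or workstation for
  (1) cached domain logons and (2) Domain Admins being denied logon on this host.
  Assumptions: run elevated on a domain-joined host that is not a domain controller;
  $MaxCachedLogons is a locally chosen threshold (0 = no cached logons, as for servers).
#>
param(
    [int]$MaxCachedLogons = 0
)

# --- 1. Cached credentials --------------------------------------------------
# The GPO 'Interactive logon: Number of previous logons to cache' writes the REG_SZ
# value CachedLogonsCount; when the value is absent, the Windows default of 10 applies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedLogons = if ($null -ne $raw) { [int]$raw } else { 10 }

# --- 2. Deny-logon user rights ----------------------------------------------
# secedit exports the effective local policy; the [Privilege Rights] section lists
# principals as *SID. Domain Admins is always RID 512 of its domain, so match on the
# SID suffix instead of resolving the group name (which fails under a local account).
$cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue

$denyRights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
}
$daSidPattern = '^S-1-5-21-\d+-\d+-\d+-512$'

$rightFindings = foreach ($right in $denyRights.Keys) {
    $line = $policy | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        # Right-hand side is a comma-separated list such as *S-1-5-21-...-512,*S-1-5-32-546
        $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right              = $denyRights[$right]
        DomainAdminsDenied = [bool]($sids | Where-Object { $_ -match $daSidPattern })
    }
}

# --- 3. Report ----------------------------------------------------------------
$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    CachedLogonsCount    = $cachedLogons
    CachedLogonsOk       = ($cachedLogons -le $MaxCachedLogons)
    AllDenyRightsBlockDA = -not ($rightFindings | Where-Object { -not $_.DomainAdminsDenied })
    DenyRights           = $rightFindings
}
$report | Select-Object Computer, CachedLogonsCount, CachedLogonsOk, AllDenyRightsBlockDA | Format-List
$report.DenyRights | Format-Table -AutoSize
```

A host that reports CachedLogonsOk and AllDenyRightsBlockDA as False is one where the slides' two GPOs have not landed yet; after the GPO is applied, the cached-logon change only takes effect once existing cached entries are gone, which is why slide 34 ends with a reboot.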
  • 37. Vulnerabilities: Targeted Pass-the-hash: if you can't crack it, encapsulate and pass it. RC4 NOMORE: one type of RC4 exploit, 52 hrs to crack. In one incident I observed evidence of a plaintext password 9 minutes after the hash was compromised.
  • 38. Playground: Exploit Tools. Mimikatz, Impacket, JtR, Hashcat, Ophcrack, Taskmanager + lsass.exe, Pwdumpx + passwordPro. Google for more!
  • 39. Cached Creds: GPO Servers (screenshot).
  • 40. Cached Creds: GPO Workstations (screenshot).
  • 41. Now what do I do? Deploy the GPOs to remove vulnerabilities. Guidance on Frameworks and Tools. Security Audits & Roadmaps. Secframe.com/about
  • 42. Slides available for download at: Secframe.com/presentations