SEC599 - Breaking The Kill Chain

SANS Cyber Defense
Defense is doable
Breaking the Kill Chain
NETWORK SECURITY 2018 – 25 September 2018
Erik Van Buggenhout & Stephen Sims

Network Security 2018 – Defense is Doable - Breaking the Kill Chain
Who are we? – SEC599 Authors & Instructors
2
Stephen Sims
SANS Fellow
@Steph3nSims
Erik Van Buggenhout
SANS Certified Instructor
@ErikVaBu

What we’d like to discuss today
3
Quick Introduction
The Cyber Kill Chain
Windows credentials attacks
A deep-dive: Windows credentials attack in the
Kill Chain
Windows credentials defenses
A deep-dive: Effectiveness of Windows
credential defenses
Demo
The proof is in the pudding!CredentialGuard
VS

4
Quick Introduction
Kill Chain
credential defenses
Demo
VS

5
Reconnaissan
ce
Delivery Installation
Action on
Objectives
Weaponizatio
n
Exploitation
Command &
Control
Adversary perspective Defender perspective

What Is “Red Team” & “Blue Team”?
6
Vulnerability Assessments
Penetration Tests
Social Engineering
“Offense” “Defense”
Implementing Controls
Security Monitoring
Incident Response
COMMON GOAL
Improve organization
security posture

Although they share a common goal, blue and red teams are often not well-aligned,
which leads to organizations not leveraging the full value of their team's expertise. They
typically report to a different hierarchy, which leads to different objectives:
While we don’t necessarily think a purple team is a “third” team, think of it as a concept
aimed at bringing the red & blue teams together. Red & blue teams should be
encouraged to work as a joint team, share insights & create a strong feedback loop.
So, Why a Purple Team?
7
Report with many vulnerabilities = Well done!
Success is measured by # of failed controls
No big incentive to help blue team, as blue
team failure = red team success!
No alerts mean that preventive controls are
working!
Large volume of alerts means detection
controls are working (though may need
finetuning)
No big incentive to help red team, as red
team failure = blue team success!

The Purple Team Feedback Loop
8
VULNERABILITY REPORT
REPORT ON REMEDIATED FLAWS
What is happening now?:
But how about some of the following actions?:
• Red Team sharing TTPs of new actors with Blue Team
• Red Team helping with vulnerability management process (not just assessment)
• Blue Team sharing monitoring tactics in place with Red Team
• Blue Team sharing playbooks with Red Team
Offense must inform defense and defense must inform offense!

SEC599 – A True Purple Team Course
9
SEC599 – Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses
We illustrate what the
adversaries are
ACTUALLY doing with
real-world examples and
lab exercises
We provide EFFECTIVE
strategies to combat
adversary tactics
throughout all parts of the
Kill Chain!
SEC599 was built from the ground up by seasoned cyber security experts
with vast experience in both blue team & red team operations:

Purple Team – An Example Using Mimikatz & CredentialGuard
10
An example - As part of our “Lateral Movement” section, we will demonstrate
how adversaries are stealing credentials from Windows systems using the
infamous Mimikatz hacking tool.
1
During the first phase of the lab, you will dump credentials from the LSASS
process memory, thereby experiencing the attack (and its impact) first-hand!
2
During the second phase of the lab, we will provide an in-depth explanation
of how Windows 10 CredentialGuard works, after which it will be
implemented.
3
During the third and final part of the lab, we will re-attempt dumping
credentials from the LSASS process memory, thereby confirming
effectiveness of our control!

11
Quick Introduction
Kill Chain
credential defenses
Demo
VS

12
Aside from generic attacks such as phishing or keylogging, the table below lists some of the
most common ways used by adversaries to obtain Windows credentials:
SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence:
https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf

Introducing some of these tools – Capturing NTLMv2
13
For different reasons, Kerberos could not be available, in which case Windows will revert
to NTLMv2 Challenge / Response authentication:
Domain
Controller
1. Request authentication
Service
Database
Server
2. Challenge
3. Response
Client
Workstation
6. Server sends response to
client
The authenticating system uses the
hashed credential to calculate a
response based on the challenge sent
by the server
In a Windows domain environment, the
NTLM challenge & response will be
forwarded to the domain controller for
validation of credentials
4. Forward Chal + Resp
5. Validation

Introducing some of these tools – Responder – Capturing NTLMv2
14
Responder is (amongst others) an LLMNR, NBT-NS and MDNS poisoner. It will attempt to trick systems
to connect / authenticate to the system it is running on. It will then attempt to sniff the authentication
challenge (e.g. NTLMv2), which could be cracked by a password cracking tool.

Dumping credentials from LSASS memory
15
Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in
particular has become extremely popular:
• Open ups attack vector against users that aren’t locally configured (domain users). Furthermore,
stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so can immediately
be reused in Pass-the-Hash attacks
• Common attack flow:
1. Obtain local admin access to one system in domain
2. Lure domain admin to machine (e.g. Call Helpdesk)
3. Dump credentials from memory
4. Own the domain (“Domain dominance”)
5. Persist domain ownage (Golden ticket, DCSync, Skeleton Key,…)
• Tools like Bloodhound create entire attack trees that reveal relationships
between accounts and systems to facilitate this

Dumping credentials from LSASS memory – Common technique
16
Due to its size & complexity, it’s often difficult for administrators to retain a good
overview of how privileges are assigned across the environment. Adversaries
can leverage this to spot excessive privileges which can be used in lateral
movement…
AD structure diagrams
The below diagram
(generated by the attacking
tool BloodHoundAD), reveals
an interesting way of how
adversaries could laterally
move through the target
environment: In a few steps,
Erik could easily steal the
hashes of Stephen, thereby
obtaining Domain Admin
privileges.
User:
Erik
Group:
Work-
station
admins
PC:
Work-
station
1
Group:
Domain
admins
User:
Stephen
HasSession

Dumping credentials from LSASS memory – Mimikatz
17
Due to its high reliability & flexibility, it is used by adversaries and penetration
testers alike. Several variations have been created and it has been included as a
module in the Metasploit Meterpreter attacking tool.
Mimikatz is a free, open-source Windows tool built by Benjamin Delpy
(@gentilkiwi) to extract credentials from Windows computers. Its second
version is often referred to as “Kiwi”.
“Mimikatz is a tool I've made to learn C and make somes experiments with
Windows security. It's now well known to extract plaintexts passwords,
hash, PIN code and kerberos tickets from memory. Mimikatz can also
perform pass-the-hash, pass-the-ticket or build Golden tickets.”

Dumping credentials from LSASS memory – Mimikatz in the news
18
The popularity of Mimikatz has sky-rocketed over the last few years:
• In 2017, the NotPetya ransomware used various components of Mimikatz to supports its
lateral movement
• In several APT investigations, Mimikatz is part of the standard toolkit used by advanced
adversaries (Amongst others, Oilrig, Cobalt Kitty & APT-28 have been observed to use
(variants of) Mimikatz)
• Penetration testing & red teaming frameworks include (variants of) Mimikatz:
• Metasploit Meterpreter has a built-in Mimikatz module
Powershell Empire has a built-in version of Mimikatz

Dumping credentials from LSASS memory – Some interesting Mimikatz features
19
• To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS
process can be fed to Mimikatz. This dump-file can be created by built-in Windows tools
(e.g. Task Manager) or the SysInternals toolkit. This removes the need of running a “hacking
tool” like Mimikatz on the target system…
• Mimikatz can impersonate a Domain Controller and replicate all password hashes using
MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz
• Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in
memory of the Domain Controller (“Skeleton Key” attack)

20
Quick Introduction
Kill Chain
credential defenses
Demo
VS

What’s left behind?
21
http://technet.microsoft.com/en-us/windows-server-docs/security/securing-
privileged-access/securing-privileged-access-reference-material

What’s left behind? – Mimikatz point of view
22

Generic recommendations – Privileged Access Workstations
23
Domain controllers
network
Privileged Access
Workstations
Inner Network

Generic recommendations – Identity & Access Management
24

Focused improvements - Windows 8 / 2012 – Restricted Admin
25
The idea of “Restricted Admin” mode is that credentials are not sent upon establishing of an
RDP session, so the chances of capturing them using Mimikatz are lower!
Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard

Focused improvements - Windows 8 / 2012 – Restricted Admin
26

Focused improvements - Windows 8 / 2012 – Protected Processes
27
In order to prevent hash dumping attacks aimed at the
LSA process, Microsoft introduced “Protected
Processes” as of Windows 8 & Windows Server 2012.
• Protected processes were first introduced in
Windows Vista for DRM (Digital Rights
Management) purposes, but were adapted for
“security purposes” in Windows 8
• The screenshot on the right provides an example of
the lsass.exe process running as a “protected
process”
• Protected Processes are implemented in the Kernel
software and can thus be defeated…

28

29

Focused improvements - Windows 8 / 2012 – Domain Protected Users
30
“Protected Users” enforces a number of restrictions on affected users, which try to defend
against several of the attack strategies previously mentioned:
Disable authentication using NTLM
=> Protect against Responder-style attacks
Wdigest & CredSSP clear-text credentials no longer stored in LSASS
=> Less results when LSASS memory dumping
On a device running Windows 8.1, passwords are not cached
=> Protect against dumping of cached credentials (default Windows: 10 latest users)
Kerberos will not use DES or RC4 during pre-authentication
=> Protect against “Kerberoasting” attacks

Introducing CredentialGuard
31

Windows high-level architecture – Without CredentialGuard
32

Having a look at the processes – Without CredentialGuard
33

Windows high-level architecture – With CredentialGuard
34
When Credential Guard is
enabled, the LSA process still
runs in userland.
The actual credentials are
stored in the isolated LSA
process (LsaIso.exe).
This process does not run
under Windows, but in the
Virtual Secure Mode.

Windows high-level architecture – With CredentialGuard
35

Some caveats
36

Some caveats – Another interesting attack strategy!
37

Some caveats – Another interesting attack strategy!
38

39
Quick Introduction
Kill Chain
credential defenses
Demo
VS

Demo time
40

Conclusion
41

Want to learn more?
42
Want to learn more?
Join SEC599 - Defeating Advanced Adversaries - Purple Team Tactics &
Kill Chain Defenses
• San Diego (CA) – November 2018
• Scottsdale (AZ) – December 2018
• Washington (DC) – December 2018
• Las Vegas (NV) – January 2019
• Reno (NV) – February 2019
• Baltimore (MD) – March 2019
More locations available at
https://www.sans.org/course/defeating-advanced-adversaries-
kill-chain-defenses

SEC599 - Breaking The Kill Chain

More Related Content

What's hot

Similar to SEC599 - Breaking The Kill Chain

Recently uploaded

SEC599 - Breaking The Kill Chain

Editor's Notes