Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer).
In this talk, we will cover how advanced attackers abuse local users' credentials in their attacks, including real examples captured "in the wild". We will follow with suggested new methods and tools to detect and prevent such attacks.
Most notably, we will present a tool that implements a method giving visibility into local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, its messages and APIs. Using these methods, defenders gain visibility into local users' logons, group membership and password changes, among others. Security applications enabled by this visibility include, but are not limited to, abnormal logon detection, abnormal group addition and removal detection, and abnormal password change detection.
The Enemy Within: Stopping Advanced Attacks Against Local Users
1. The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec
Marina Simakov, Security Researcher, Microsoft ATA
47. Windows version | Who can query SAMR by default | Can the default be changed
< Win10 | Any domain user | No
Win10 | Any domain user | Yes (only via registry)
> Win10 (e.g. Anniversary Update) | Only local administrators | Yes (registry or GPO)
Editor's Notes
Initial Recon:
Attackers' goal: identify interesting assets. Find all users, machines, etc.
Attackers are not administrators on the machine
Means:
SAMR Recon (net group/user)
DNS Recon
Local privilege escalation
Attackers' goal: become local administrator
Means
Compromised Creds
Of a domain user who has local administrator privileges
Of a local administrator
0-days / known vulnerabilities (CVEs)
Compromise Credentials
Attackers' goal: get creds to expand toward the destination
Means:
Windows cred harvesting tools
Mimikatz
Passwords in Group Policy
Passwords in plaintext
“passwords.txt”
In E-mail
Admin recon
Attackers' goal: find machines that have admin creds on them
Means:
NetSess
Luring admin
Creating an IT ticket and waiting for admin to connect
Remote Code Execution
Attackers' goal: take over another machine using compromised creds
Means:
PsExec (new remote service)
Remote ScheduleTask
WMI
Remote PowerShell
RDP
Remote Registry
Lateral Movement
Vehicle is Remote Code Execution
Fuel is Compromised Creds
Map is provided by Recon
Ignition Key is Local privilege Escalation
That is what real-world attacks look like: an APT has multiple stages, taking place over months.
None of the traditional security vendors (SIEMs, IPSs, IDSs, etc.) provide solutions for detecting compromised credentials, lateral movement and the other elements present in every APT.
ATA (and UEBA in general) focuses *EXACTLY* on this blind spot and provides detection capabilities for the different stages based on UEBA.
That's why a new market for UEBA solutions emerged in the last year:
Detect attackers before they cause damage.
Domain dominance
Attackers' goal: get full control over the domain, i.e. access all assets, all the time
Means
NTDS.DIT stealing to get all keys
DC-SYNC
Backup utils
Create new admins
Compromise KRBTGT key for Golden Ticket
Install the Skeleton Key Malware
Get more secrets with DPAPI
Attacking Data
Attackers' goal: get the data they are after
Lateral Movement
Same Same, But different
Fast and easy: attackers have all credentials
Some Subject Matter Expertise (SME) might be required
Reading documents -
This is where ATA focuses: detect attackers before they cause damage.
Infiltrate the network by compromising a domain account (phishing, etc.)
Eventually compromise domain admin creds
Shortest path
Prioritize list of assets
Be aware of relationships & dependencies
Not enough to think in graphs
Explicitly – IT wants a “master key”
Implicitly – Image prepared in advance
Local Users are copied
Remove such policies
No password is needed
A graph “link” from any other computer to such machines
Local privilege escalation: attackers can escalate to local admin with brute force
Compromise creds:
Local user hash can be harvested from memory/disk
If the remote machine's local user has the same password, PtH works (no cracking needed)
Admin Recon: Local admins of a machine can be remotely queried
Remote Code Execution: Can be done with remote machine local user’s creds
Brute force to obtain local privileged user credentials
Small tool written in C#
Expects a username & password dictionary
High rate – more than 200k attempts per minute
Authentication is performed locally
No traffic overhead
Valuable information
Misconception: the damage from local accounts is limited to the boundaries of the individual machine
However, these accounts can be used to compromise the entire domain
How common is the use of local credentials during real attacks?
Enables attackers to execute the PtH attack using local accounts
Used in most cases!
Attackers are one step ahead of the defenders
More ways for attackers to use local accounts during an attack
Adding
For persistence
“Reverse hardening”
Disrupts defenders
Again – how common is this scenario?
Here is a real example of malware found on Azure
One of the things that it does is add…
Periodically query Local Users over SAMR
Users Info
Group membership
Discover security issues:
Abnormal login patterns
BruteForce attempts
Enabled Guest accounts
Privileged group modifications
Password configuration issues
Cloned Local Users
Fetches all domain machines records from DC over LDAP
Remotely scans all domain machines using the SAMR protocol
Retrieves all local accounts’ data from SAM
Two types of detection:
Configuration issues found from a single scan (cloned, guest)
Deltas found between each two consecutive scans that may indicate a potential attack
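The two detection types above, as an added example that is not the talk's tool: it takes per-machine snapshots of local accounts as a SAMR scan would record them (the record field names and the two constructed snapshots are this example's own, and the brute-force threshold is an assumed value) and reports single-scan configuration issues (enabled Guest, a local admin cloned with the image) and deltas between consecutive scans (new accounts, Administrators group changes, password changes, bad-password bursts, a dormant account's first logon).

```python
from datetime import datetime

ADMINS = "Administrators"

def user(name, groups, pwd_last_set, disabled=False, logons=0, bad_pwd=0):
    return {"name": name, "groups": groups, "pwd_last_set": pwd_last_set,
            "disabled": disabled, "logon_count": logons, "bad_pwd_count": bad_pwd}

def single_scan_issues(scan):
    """Configuration findings from one scan: enabled Guest, cloned local admins."""
    issues, seen = [], {}
    for host, users in scan.items():
        for u in users:
            if u["name"].lower() == "guest" and not u["disabled"]:
                issues.append((host, "guest account enabled"))
            # Same admin name with identical PasswordLastSet on several machines: copied with the image
            if ADMINS in u["groups"]:
                seen.setdefault((u["name"].lower(), u["pwd_last_set"]), []).append(host)
    for (name, _), hosts in seen.items():
        if len(hosts) > 1:
            issues.append((tuple(sorted(hosts)), f"cloned local user {name}"))
    return issues

def scan_deltas(prev, cur):
    """Changes between two consecutive scans that may indicate an attack."""
    findings = []
    for host, users in cur.items():
        before = {u["name"].lower(): u for u in prev.get(host, [])}
        for u in users:
            name, old = u["name"].lower(), before.get(u["name"].lower())
            if old is None:
                findings.append((host, f"new local account {name}"))
                continue
            if (ADMINS in u["groups"]) != (ADMINS in old["groups"]):
                findings.append((host, f"{name} {'added to' if ADMINS in u['groups'] else 'removed from'} {ADMINS}"))
            if u["pwd_last_set"] != old["pwd_last_set"]:
                findings.append((host, f"password changed for {name}"))
            if u["bad_pwd_count"] - old["bad_pwd_count"] >= 100:  # assumed threshold per interval
                findings.append((host, f"brute force against {name}"))
            if old["logon_count"] == 0 < u["logon_count"]:  # dormant account starts logging on
                findings.append((host, f"first ever logon of {name}"))
    return findings

T0, T1 = datetime(2016, 6, 1, 9, 0), datetime(2016, 6, 8, 9, 0)
SCAN_1 = {  # constructed: ws01 and ws02 were deployed from the same image
    "ws01": [user("Guest", ["Guests"], T0, disabled=True), user("svc_img", [ADMINS], T0)],
    "ws02": [user("svc_img", [ADMINS], T0), user("bob", ["Users"], T0), user("Guest", ["Guests"], T0)]}
SCAN_2 = {  # constructed: one scan interval later, attacker activity on ws02
    "ws01": SCAN_1["ws01"],
    "ws02": [user("svc_img", [ADMINS], T0, logons=1, bad_pwd=5000),
             user("bob", ["Users", ADMINS], T1), user("Guest", ["Guests"], T0)]}
```

Running `single_scan_issues(SCAN_1)` flags the enabled Guest on ws02 and svc_img as cloned across both machines; `scan_deltas(SCAN_1, SCAN_2)` reports the bad-password burst and first logon of svc_img plus bob's promotion to Administrators and password change.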