SlideShare a Scribd company logo

Windows 10 CredentialGuard vs Mimikatz - SEC599

Download as PPTX, PDF
Erik Van Buggenhout
Erik Van Buggenhout

In this presentation, Erik Van Buggenhout (NVISO founder & SANS Instructor) zooms in on Windows 10 CredentialGuard and how it can be used to protect against LSASS hash dumping (e.g. using Mimikatz). Want to learn more? Join us at SANS SEC599!

Internet
1 of 39
Erik Van Buggenhout CredentialGuard vs Mimikatz The showdown InfoSecurity – 14 March 2018
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Who am I? 2 • Co-founder • Incident Response & Threat Hunting • Lead Author & Instructor SEC599 • Instructor SEC560, 561, 562, 542
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 3 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 4 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Stealing Windows credentials – where in the Cyber Kill Chain? 5 Reconnaissan ce Delivery Installation Action on Objectives Weaponizatio n Exploitation Command & Control Windows credentials are typically a target for adversaries in the later stages of the compromise. After obtaining an initial foothold, credentials are stolen to further escalate privileges / move laterally in the environment!
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows credentials attacks 6 Aside from generic attacks such as phishing or keylogging, the table below lists some of the most common ways used by adversaries to obtain Windows credentials: SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Introducing some of these tools – Capturing NTLMv2 7 For different reasons, Kerberos could not be available, in which case Windows will revert to NTLMv2 Challenge / Response authentication: Domain Controller 1. Request authentication Service Database Server 2. Challenge 3. Response Client Workstation 6. Server sends response to client The authenticating system uses the hashed credential to calculate a response based on the challenge sent by the server In a Windows domain environment, the NTLM challenge & response will be forwarded to the domain controller for validation of credentials 4. Forward Chal + Resp 5. Validation
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Introducing some of these tools – Responder – Capturing NTLMv2 8 Responder is (amongst others) an LLMNR, NBT-NS and MDNS poisoner. It will attempt to trick systems to connect / authenticate to the system it is running on. It will then attempt to sniff the authentication challenge (e.g. NTLMv2), which could be cracked by a password cracking tool.
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory 9 Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in particular has become extremely popular: • Open ups attack vector against users that aren’t locally configured (domain users). Furthermore, stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so can immediately be reused in Pass-the-Hash attacks • Common attack flow: 1. Obtain local admin access to one system in domain 2. Lure domain admin to machine (e.g. Call Helpdesk) 3. Dump credentials from memory 4. Own the domain (“Domain dominance”) 5. Persist domain ownage (Golden ticket, DCSync, Skeleton Key,…) • Tools like Bloodhound create entire attack trees that reveal relationships between accounts and systems to facilitate this
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Common technique 10 Due to its size & complexity, it’s often difficult for administrators to retain a good overview of how privileges are assigned across the environment. Adversaries can leverage this to spot excessive privileges which can be used in lateral movement… AD structure diagrams The below diagram (generated by the attacking tool BloodHoundAD), reveals an interesting way of how adversaries could laterally move through the target environment: In a few steps, Erik could easily steal the hashes of Stephen, thereby obtaining Domain Admin privileges. User: Erik Group: Work- station admins PC: Work- station 1 Group: Domain admins User: Stephen HasSession
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Mimikatz 11 Due to its high reliability & flexibility, it is used by adversaries and penetration testers alike. Several variations have been created and it has been included as a module in the Metasploit Meterpreter attacking tool. Mimikatz is a free, open-source Windows tool built by Benjamin Delpy (@gentilkiwi) to extract credentials from Windows computers. Its second version is often referred to as “Kiwi”. “Mimikatz is a tool I've made to learn C and make somes experiments with Windows security. It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – The primacy of Mimikatz 12 Executing command privilege::debug to enable the debug privilege. Executing command lsadump::lsa /inject will dump the hashes from the LSA process (lsaass.exe).
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Mimikatz in the news 13 The popularity of Mimikatz has sky-rocketed over the last few years: • In 2017, the NotPetya ransomware used various components of Mimikatz to supports its lateral movement • In several APT investigations, Mimikatz is part of the standard toolkit used by advanced adversaries (Amongst others, Oilrig, Cobalt Kitty & APT-28 have been observed to use (variants of) Mimikatz) • Penetration testing & red teaming frameworks include (variants of) Mimikatz: • Metasploit Meterpreter has a built-in Mimikatz module Powershell Empire has a built-in version of Mimikatz
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Some advanced Mimikatz features 14 • To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS process can be fed to Mimikatz. This dump-file can be created by built-in Windows tools (e.g. Task Manager) or the SysInternals toolkit. This removes the need of running a “hacking tool” like Mimikatz on the target system… • Mimikatz can impersonate a Domain Controller and replicate all password hashes using MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz • Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in memory of the Domain Controller (“Skeleton Key” attack)
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 15 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What’s left behind? 16 http://technet.microsoft.com/en-us/windows-server-docs/security/securing- privileged-access/securing-privileged-access-reference-material
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What’s left behind? – Mimikatz point of view 17
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Generic recommendations – Isolate Domain Controllers 18 Put domain controllers in a different network than other servers and workstations. Use at least firewalls to separate the networks. Domain controllers network Inner network
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Generic recommendations – Privileged Access Workstations 19 Domain controllers network Privileged Access Workstations Inner Network
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Generic recommendations – Identity & Access Management 20
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Restricted Admin 21 The idea of “Restricted Admin” mode is that credentials are not sent upon establishing of an RDP session, so the chances of capturing them using Mimikatz are lower! Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Restricted Admin 22 In a bit more detail: Normal RDP • Erik enters his password to the RDP client. • RDP client performs network logon to the target server to authorize Erik. • Erik is authorized & the RDP client securely relays the credentials to the target machine over a secure channel. • The target server uses there credentials to perform an interactive logon on behalf of Erik. Restricted Admin • RDP will try to interactively log on to the remote machine without sending credentials • The actual credentials are not required in order to set up the connectivity
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Restricted Admin 23
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Protected Processes 24 In order to prevent hash dumping attacks aimed at the LSA process, Microsoft introduced “Protected Processes” as of Windows 8 & Windows Server 2012. • Protected processes were first introduced in Windows Vista for DRM (Digital Rights Management) purposes, but were adapted for “security purposes” in Windows 8 • The screenshot on the right provides an example of the lsass.exe process running as a “protected process” • Protected Processes are implemented in the Kernel software and can thus be defeated…
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Protected Processes 25
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Protected Processes 26
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Domain Protected Users 27 “Protected Users” enforces a number of restrictions on affected users, which try to defend against several of the attack strategies previously mentioned: Disable authentication using NTLM => Protect against Responder-style attacks Wdigest & CredSSP clear-text credentials no longer stored in LSASS => Less results when LSASS memory dumping On a device running Windows 8.1, passwords are not cached => Protect against dumping of cached credentials (default Windows: 10 latest users) Kerberos will not use DES or RC4 during pre-authentication => Protect against “Kerberoasting” attacks
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 28 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Introducing CredentialGuard 29
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows high-level architecture – Without CredentialGuard 30
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Having a look at the processes – Without CredentialGuard 31
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows high-level architecture – With CredentialGuard 32 When Credential Guard is enabled, the LSA process still runs in userland. The actual credentials are stored in the isolated LSA process (LsaIso.exe). This process does not run under Windows, but in the Virtual Secure Mode.
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows high-level architecture – With CredentialGuard 33
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Some caveats 34
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Some caveats – Another interesting attack strategy! 35
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 36 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Demo time 37
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Conclusion 38
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Want to learn more? 39 Want support? Get in touch with NVISO’s experts, we’d be happy to discuss how we can help further! Want to learn more? Join SEC599 – Defeating Advanced Adversaries! • London – April 2018 • Amsterdam – September 2018 • Brussels – October 2018 More locations available at https://www.sans.org/course/defeating-advanced-adversaries- kill-chain-defenses

Recommended

SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
Erik Van Buggenhout
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
Jorge Orchilles
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
Jorge Orchilles
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 

Recommended

SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
Erik Van Buggenhout
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
Jorge Orchilles
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
Jorge Orchilles
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
Michael Gough
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
Priyanka Aash
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
Jorge Orchilles
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE - ATT&CKcon
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
JamieWilliams130
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Creds extraction
Creds extractionCreds extraction
Creds extraction
Ilan Mindel
 

More Related Content

What's hot

Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
Michael Gough
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
Priyanka Aash
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
Jorge Orchilles
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE - ATT&CKcon
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
JamieWilliams130
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 

What's hot (20)

Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 

Similar to Windows 10 CredentialGuard vs Mimikatz - SEC599

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Creds extraction
Creds extractionCreds extraction
Creds extraction
Ilan Mindel
 
CyberArk Interview.pdf
CyberArk Interview.pdfCyberArk Interview.pdf
CyberArk Interview.pdf
Infosec Train
 
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Bruno Caseiro
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
Infosec Train
 
CyberArk Interview Questions and Answers for 2023.pdf
CyberArk Interview Questions and Answers for 2023.pdfCyberArk Interview Questions and Answers for 2023.pdf
CyberArk Interview Questions and Answers for 2023.pdf
infosec train
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
infosec train
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von Baggenstos
JenniferMete1
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
Ulf Mattsson
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
Jesse Burke
 
Jak využít cloudu pro zvýšení bezpečnosti vašeho IT
Jak využít cloudu pro zvýšení bezpečnosti vašeho ITJak využít cloudu pro zvýšení bezpečnosti vašeho IT
Jak využít cloudu pro zvýšení bezpečnosti vašeho IT
MarketingArrowECS_CZ
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail Breach
IBM Security
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
ThreatModeling.ppt
ThreatModeling.pptThreatModeling.ppt
ThreatModeling.ppt
tashon2
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
MohamedOmerMusa
 
Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal Security
Tara Arnold
 
Security by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecuritySecurity by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal Security
Mediacurrent
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
Michael Noel
 

Similar to Windows 10 CredentialGuard vs Mimikatz - SEC599 (20)

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Creds extraction
Creds extractionCreds extraction
Creds extraction
 
CyberArk Interview.pdf
CyberArk Interview.pdfCyberArk Interview.pdf
CyberArk Interview.pdf
 
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
 
CyberArk Interview Questions and Answers for 2023.pdf
CyberArk Interview Questions and Answers for 2023.pdfCyberArk Interview Questions and Answers for 2023.pdf
CyberArk Interview Questions and Answers for 2023.pdf
 
CyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdfCyberArk Interview Questions and Answers for 2022.pdf
CyberArk Interview Questions and Answers for 2022.pdf
 
Webinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von BaggenstosWebinar Mastering Microsoft Security von Baggenstos
Webinar Mastering Microsoft Security von Baggenstos
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Jak využít cloudu pro zvýšení bezpečnosti vašeho IT
Jak využít cloudu pro zvýšení bezpečnosti vašeho ITJak využít cloudu pro zvýšení bezpečnosti vašeho IT
Jak využít cloudu pro zvýšení bezpečnosti vašeho IT
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail Breach
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
 
ThreatModeling.ppt
ThreatModeling.pptThreatModeling.ppt
ThreatModeling.ppt
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
 
Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal Security
 
Security by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecuritySecurity by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal Security
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
 

Recently uploaded

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 

Recently uploaded (12)

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 

Windows 10 CredentialGuard vs Mimikatz - SEC599

  • 1. Erik Van Buggenhout CredentialGuard vs Mimikatz The showdown InfoSecurity – 14 March 2018
  • 2. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Who am I? 2 • Co-founder • Incident Response & Threat Hunting • Lead Author & Instructor SEC599 • Instructor SEC560, 561, 562, 542
  • 3. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 3 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
  • 4. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 4 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
  • 5. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Stealing Windows credentials – where in the Cyber Kill Chain? 5 Reconnaissan ce Delivery Installation Action on Objectives Weaponizatio n Exploitation Command & Control Windows credentials are typically a target for adversaries in the later stages of the compromise. After obtaining an initial foothold, credentials are stolen to further escalate privileges / move laterally in the environment!
  • 6. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows credentials attacks 6 Aside from generic attacks such as phishing or keylogging, the table below lists some of the most common ways used by adversaries to obtain Windows credentials: SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
  • 7. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Introducing some of these tools – Capturing NTLMv2 7 For different reasons, Kerberos could not be available, in which case Windows will revert to NTLMv2 Challenge / Response authentication: Domain Controller 1. Request authentication Service Database Server 2. Challenge 3. Response Client Workstation 6. Server sends response to client The authenticating system uses the hashed credential to calculate a response based on the challenge sent by the server In a Windows domain environment, the NTLM challenge & response will be forwarded to the domain controller for validation of credentials 4. Forward Chal + Resp 5. Validation
  • 8. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Introducing some of these tools – Responder – Capturing NTLMv2 8 Responder is (amongst others) an LLMNR, NBT-NS and MDNS poisoner. It will attempt to trick systems to connect / authenticate to the system it is running on. It will then attempt to sniff the authentication challenge (e.g. NTLMv2), which could be cracked by a password cracking tool.
  • 9. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory 9 Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in particular has become extremely popular: • Open ups attack vector against users that aren’t locally configured (domain users). Furthermore, stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so can immediately be reused in Pass-the-Hash attacks • Common attack flow: 1. Obtain local admin access to one system in domain 2. Lure domain admin to machine (e.g. Call Helpdesk) 3. Dump credentials from memory 4. Own the domain (“Domain dominance”) 5. Persist domain ownage (Golden ticket, DCSync, Skeleton Key,…) • Tools like Bloodhound create entire attack trees that reveal relationships between accounts and systems to facilitate this
  • 10. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Common technique 10 Due to its size & complexity, it’s often difficult for administrators to retain a good overview of how privileges are assigned across the environment. Adversaries can leverage this to spot excessive privileges which can be used in lateral movement… AD structure diagrams The below diagram (generated by the attacking tool BloodHoundAD), reveals an interesting way of how adversaries could laterally move through the target environment: In a few steps, Erik could easily steal the hashes of Stephen, thereby obtaining Domain Admin privileges. User: Erik Group: Work- station admins PC: Work- station 1 Group: Domain admins User: Stephen HasSession
  • 11. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Mimikatz 11 Due to its high reliability & flexibility, it is used by adversaries and penetration testers alike. Several variations have been created and it has been included as a module in the Metasploit Meterpreter attacking tool. Mimikatz is a free, open-source Windows tool built by Benjamin Delpy (@gentilkiwi) to extract credentials from Windows computers. Its second version is often referred to as “Kiwi”. “Mimikatz is a tool I've made to learn C and make somes experiments with Windows security. It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”
  • 12. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – The primacy of Mimikatz 12 Executing command privilege::debug to enable the debug privilege. Executing command lsadump::lsa /inject will dump the hashes from the LSA process (lsaass.exe).
  • 13. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Mimikatz in the news 13 The popularity of Mimikatz has sky-rocketed over the last few years: • In 2017, the NotPetya ransomware used various components of Mimikatz to supports its lateral movement • In several APT investigations, Mimikatz is part of the standard toolkit used by advanced adversaries (Amongst others, Oilrig, Cobalt Kitty & APT-28 have been observed to use (variants of) Mimikatz) • Penetration testing & red teaming frameworks include (variants of) Mimikatz: • Metasploit Meterpreter has a built-in Mimikatz module Powershell Empire has a built-in version of Mimikatz
  • 14. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Dumping credentials from LSASS memory – Some advanced Mimikatz features 14 • To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS process can be fed to Mimikatz. This dump-file can be created by built-in Windows tools (e.g. Task Manager) or the SysInternals toolkit. This removes the need of running a “hacking tool” like Mimikatz on the target system… • Mimikatz can impersonate a Domain Controller and replicate all password hashes using MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz • Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in memory of the Domain Controller (“Skeleton Key” attack)
  • 15. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 15 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
  • 16. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What’s left behind? 16 http://technet.microsoft.com/en-us/windows-server-docs/security/securing- privileged-access/securing-privileged-access-reference-material
  • 17. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What’s left behind? – Mimikatz point of view 17
  • 18. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Generic recommendations – Isolate Domain Controllers 18 Put domain controllers in a different network than other servers and workstations. Use at least firewalls to separate the networks. Domain controllers network Inner network
  • 19. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Generic recommendations – Privileged Access Workstations 19 Domain controllers network Privileged Access Workstations Inner Network
  • 20. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Generic recommendations – Identity & Access Management 20
  • 21. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Restricted Admin 21 The idea of “Restricted Admin” mode is that credentials are not sent upon establishing of an RDP session, so the chances of capturing them using Mimikatz are lower! Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
  • 22. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Restricted Admin 22 In a bit more detail: Normal RDP • Erik enters his password to the RDP client. • RDP client performs network logon to the target server to authorize Erik. • Erik is authorized & the RDP client securely relays the credentials to the target machine over a secure channel. • The target server uses there credentials to perform an interactive logon on behalf of Erik. Restricted Admin • RDP will try to interactively log on to the remote machine without sending credentials • The actual credentials are not required in order to set up the connectivity
  • 23. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Restricted Admin 23
  • 24. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Protected Processes 24 In order to prevent hash dumping attacks aimed at the LSA process, Microsoft introduced “Protected Processes” as of Windows 8 & Windows Server 2012. • Protected processes were first introduced in Windows Vista for DRM (Digital Rights Management) purposes, but were adapted for “security purposes” in Windows 8 • The screenshot on the right provides an example of the lsass.exe process running as a “protected process” • Protected Processes are implemented in the Kernel software and can thus be defeated…
  • 25. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Protected Processes 25
  • 26. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Protected Processes 26
  • 27. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Focused improvements - Windows 8 / 2012 – Domain Protected Users 27 “Protected Users” enforces a number of restrictions on affected users, which try to defend against several of the attack strategies previously mentioned: Disable authentication using NTLM => Protect against Responder-style attacks Wdigest & CredSSP clear-text credentials no longer stored in LSASS => Less results when LSASS memory dumping On a device running Windows 8.1, passwords are not cached => Protect against dumping of cached credentials (default Windows: 10 latest users) Kerberos will not use DES or RC4 during pre-authentication => Protect against “Kerberoasting” attacks
  • 28. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 28 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
  • 29. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Introducing CredentialGuard 29
  • 30. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows high-level architecture – Without CredentialGuard 30
  • 31. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Having a look at the processes – Without CredentialGuard 31
  • 32. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows high-level architecture – With CredentialGuard 32 When Credential Guard is enabled, the LSA process still runs in userland. The actual credentials are stored in the isolated LSA process (LsaIso.exe). This process does not run under Windows, but in the Virtual Secure Mode.
  • 33. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Windows high-level architecture – With CredentialGuard 33
  • 34. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Some caveats 34
  • 35. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Some caveats – Another interesting attack strategy! 35
  • 36. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz What I’d like to discuss today 36 Quick Introduction Refresher: Windows credentials attacks Let’s talk defenses What defense mechanisms were introduced before? CredentialGuard What is this CredentialGuard you speak of? Demo The proof is in the pudding!CredentialGuard VS
  • 37. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Demo time 37
  • 38. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Conclusion 38
  • 39. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz Want to learn more? 39 Want support? Get in touch with NVISO’s experts, we’d be happy to discuss how we can help further! Want to learn more? Join SEC599 – Defeating Advanced Adversaries! • London – April 2018 • Amsterdam – September 2018 • Brussels – October 2018 More locations available at https://www.sans.org/course/defeating-advanced-adversaries- kill-chain-defenses

Editor's Notes

  1. Welcome to SANS Security SEC599: Defeating Advanced Adversaries. In this course, you will build essential skills required to fend off today’s advanced cyber attacks. The course will be highly hands-on, as we help you develop skills by exercising them in hands-on, realistic lab settings. Although this is not a penetration testing course, we will have sufficient attention for the offensive side of the spectrum. We will provide you with a deep technical understanding of how advanced adversaries work, as this will help us be more efficient defenders. Likewise, we will inform you on how to respond to cyber security attacks, but will primarily focus on how to prevent and detect them. Our goal is to keep the course as interactive as possible. If you have a question, please let the instructor know. Discussions about relevant topics are incredibly important in a class like this, as we have numerous attendees with various levels of skill coming into the class. Share your insights and ask questions. The instructor does reserve the right, however, to take a conversation offline during a break or outside of class in the interest of time and applicability of the topic. As course authors, we welcome any comments, questions, or suggestions pertaining to the course material. We would also like to extend our thanks to Didier Stevens (a SANS ISC handler), whose contributions greatly helped improve the course. Erik Van Buggenhout erik.van.buggenhout@gmail.com www.nviso.be Stephen Sims ssims@sans.org www.sans.org Update: C01
  2. The Cyber Kill Chain ® As we are the defenders of digital assets of our company or organization, we face adversaries using digital methods to attack our digital assets. It would be useful to have a digital equivalent of the military kill chain so that we can structure our defenses accordingly. Different groups and organizations have worked on documenting adversaries' methods in a digital kill chain. Lockheed Martin developed the trademarked “Cyber Kill Chain ®”, which has risen in popularity to become one of the most used frameworks to describe cyber attacks. An alternative, slightly adopted variant is Dell SecureWorks’ “Cyber Kill Chain”. Both chains have more steps than the military kill chain. Lockheed Martin: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions On Objectives. Dell SecureWorks: Target Defined, Recon, Development, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives, Objective Met For the purpose of our course, we will follow a similar structure, as most online publications related to cyber attacks do the same. References: http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html https://www.secureworks.com/resources/wp-breaking-the-kill-chain