Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation Mark SimosAaron MargosisMicrosoft Cybersecurity Team
ATC-B210
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Topics
The Proble
m
Attack Scenari
o
Demo
Mitigations and Recommendatio
ns
Next Steps
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Pass the Hash WorkgroupAaron MargosisAhmad MahdiAmbrose LeungBenjamin GodardBret ArsenaultBrian FielderCharlie KaufmanCrispin CowanDavid Hoyle Dean WellsEric Leonard
Fernando CimaGeorgeo PulikkatharaJason KrolakJoe BialekJohn LambertJonathan NessJustin HendricksLaura A. RobinsonLori WoehlerMark CartwrightMark Novak
Mark OramMark RussinovichMark SimosMatt ThomlinsonMichael HowardMichiko ShortMike ReaveyMohamed RouatbiNate MorinPatrick ArnoldPatrick Jungles
Paul RichPeter ZdebskiRoger GrimesScott Robinson Scott V. CleaveSean FinneganSteve PatrickTim RainsTony Rice
Internet cafes in vacation spots
Every time you connect to the internet
Wonderful Internet Services
You have instant and direct IP connectivity to…
Ideological Movements
OrganizedCrime
NationStates
…using your own systems against you
…They were next spotted in March 2010, after signing on with the stolen password of a network administrator…
…The hackers logged on through the company’s remote access system, just like any employee…
The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing
all of it with an image of a burning American flag.
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Attack Scenario
Attack activities DescriptionLateral movement
In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization
Privilege escalation
In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.
Access: Users and Workstations
Power: Domain Controllers
Data: Servers and Applications
Typical Pass The Hash Attack
1.Bad guy targets workstations en masse
2.User running as local admin compromised, Bad guy harvests credentials.
3.Bad guy uses credentials for lateral traversal4.Bad guy acquires domain admin credentials and associated privileges – privilege escalation
5.Bad guy has direct or indirect access to read/write/destroy data and systems in the environment.
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Why can’t Microsoft release an update to address this issue?
Pass the Hash and other credential theft attacks exploit the access that an attacker gains by compromising an account in the local administrators group.
These accounts have complete control over the computer’s memory, disks, and processor resources.
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
A word about single sign-on (SSO)
The same single sign-on (SSO) mechanism that brings significant benefits to the user experience also increases the risk of a PtH attack if an operating system is compromised.
Credentials must be stored or cached to allow the operating system to perform actions on behalf of the user to make the system usable.
1. Only if Network security: Do not store LAN Manager hash value on next password change is disabled (enabled by default since Windows Vista/2008)
2. Only if the user chooses to save a password
What & Where ?Location Plaintext passwords
(Reversibly encrypted)
NT Hash LM Hash TGT Windows logon cached password verifiers
Security Accounts Manager (SAM) database
- Yes Maybe1 - -
Local Security Authority Subsystem (LSASS) process memory
Yes Yes Yes Yes -
Active Directory Database - Yes Maybe1 - -
The Credential Manager (CredMan) store
Maybe2 - - - -
LSA Secrets in the registry Service Accounts,Scheduled Tasks, etc.
Computer Account
- - -
HKLM\Security - - - - Yes
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Mitigations SummaryMitigation Effectiveness Effort
requiredPrivilegeescalation
Lateralmovement
Mitigation 1: Restrict and protect high privileged domain accounts
Excellent Medium √ -
Mitigation 2: Restrict and protect local accounts with administrative privileges
Excellent Low - √
Mitigation 3: Restrict inbound traffic using the Windows Firewall
Excellent Medium - √
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Mitigation 1 - Restrict and protect high privileged domain accounts
This mitigation restricts the ability of administrators to inadvertently expose privileged credentials to higher risk computers.
• Restrict DA/EA accounts from authenticating to lower trust computers
• Provide admins with accounts to perform administrative duties
• Assign dedicated workstations for administrative tasks.
• Mark privileged accounts as “sensitive and cannot be delegated”
• Do not configure services or schedule tasks to use privileged domain accounts on lower trust computers
Objective How
An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
Outcome
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Mitigation 2 - Restrict and protect local accounts with administrative privileges
This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.
• Enforce the restrictions available in Windows Vista and newer that prevent local accounts from being used for remote administration.
• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
• Create unique passwords for local accounts with administrative privileges.
An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.
Objective How Outcome
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Mitigation 3 - Restrict inbound traffic using the Windows Firewall
This mitigation restricts the ability of attackers from initiating lateral movement from a compromised workstation by blocking inbound connections.
• Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.
An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.
Objective How Outcome
Note: Whitepaper update recently released with guidance for authorized peer to peer applications
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Recommendations (1)Recommendations Effectiveness Effort
requiredPrivilegeescalation
Lateralmovement
Remove standard users from the local administrators group
Excellent High √ -
Limit the number and use of privileged domain accounts
Good Medium √ -
Configure outbound proxies to deny Internet access to privileged accounts
Good Low √ -
Ensure administrative accounts do not have email accounts
Good Low √ -
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Recommendations (2)More recommendations
Effectiveness Effortrequired
Privilegeescalation
Lateralmovement
Use remote management tools that do not place reusable credentials on a remote computer’s memory
Good Medium √ -
Avoid logons to potentially compromised computers
Good Low √ √
Update applications and operating systems
Partial Medium - -
Secure and manage domain controllers
Partial Medium - -
Remove LM Hashes Partial Low - -
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Other Mitigations
Other mitigation Effectiveness Effortrequired
Privilegeescalation
Lateralmovement
Disable NTLM Minimal High - -
Smart cards and multifactor authentication
Minimal High - -
Jump servers Minimal High √ -
Rebooting workstations and servers
Minimal Low - -
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Is the problem solved?
No. These are initial steps.
Mitigations and recommendations in the paper are what can be done today (easily).
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Whitepaper and Next Steps
Next Steps
The PtH workgroup will continue to investigate mitigations for credential theft and reuse.
Read the WhitepaperMitigating Pass-the-Hash Attacks and other Credential Theft Techniqueshttp://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf
Spread the Word
Questions? Interested in advanced architectures? Mark.Simos [at] Microsoft.com
Enhanced Security Admin Environment
Access: Users and Workstations
Admin EnvironmentProduction
Domain(s)Power: Domain Controllers
Management and Monitoring
Threats:
Internet
Domain Admins
IPsec Credential Partitioning Hardened Admin
Environment Hardened Workstations Network security Accounts and
smartcards Auto-Patching Security Alerting Tamper-resistant audit
Assist with mitigating risks Services & Applications Lateral Traversal Break Glass
Account(s)Red CardAdmins
Data: Servers and Applications
Related contentATC-B312 - Security Experts Panel Discussion: Security for Hackers (BYOD)ATC-B302 - APTs: Cybercrime, Cyber Attacks, Warfare and Threats ExposedATC-B309 - Live Demonstration: Hacker Tools You Should Know and Worry About ATC-B301 Adventures in Underland: What Passwords Do When No One Is WatchingFind Us Later At Ask The Experts
msdn
Resources for Developers
http://microsoft.com/msdn
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Resources for IT Professionals
http://microsoft.com/technet
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Logon Types (1)Logon type # Authenticators
acceptedReusable credentials in LSA session
Examples
Interactive (a.k.a., Logon locally)
2 Password, Smartcard,other
Yes Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Authn (before IIS 6.0)
Network 3 Password,NT Hash,Kerberos ticket
No (except if delegation is enabled, then Kerberos tickets present)
NET USE;RPC calls;Remote registry;IIS integrated Windows authn;SQL Windows authn;
Batch 4 Password (usually stored as LSA secret)
Yes Scheduled tasks
Service 5 Password (usually stored as LSA secret)
Yes Windows services
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Logon Types (2)Logon type # Authenticator
s acceptedReusable credentials in LSA session
Examples
NetworkCleartext
8 Password Yes IIS Basic Authn (IIS 6.0 and newer);Windows PowerShell with CredSSP
NewCredentials 9 Password Yes RUNAS /NETWORK
RemoteInteractive
10 Password, Smartcard,other
Yes Remote Desktop (formerly known as “Terminal Services”)
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Logon and Remote Management (1)Connectionmethod Logon type
Reusable credentials on destination Comments
Log on at console
Interactive √
Includes hardware remote access / lights-out cards and network KVMs.
RUNAS Interactive
√
RUNAS /NETWORK
NewCredentials√
Clones current LSA session for local access, but uses new credentials when connecting to network resources.
Remote Desktop (success)
RemoteInteractive √
If the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied)
RemoteInteractive -
By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Logon and Remote Management (2)Connectionmethod Logon type
Reusable credentials on destination Comments
Net use * \\SERVER
Network -
Net use * \\SERVER /u:user
Network -
MMC snap-ins to remote computer
Network -Example: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRM
Network-
Example: Enter-PSSession server
PowerShell WinRM with CredSSP
NetworkClearText √
New-PSSession server-Authentication Credssp-Credential cred
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Logon and Remote Management (3)Connectionmethod Logon type
Reusable credentials on destination Comments
PsExec without explicit creds
Network
-
Example: PsExec \\server cmd
PsExec with explicit creds
Network + Interactive √
PsExec \\server -u user -p pwd cmd
Creates multiple logon sessions.
Remote Registry
Network-
Remote Desktop Gateway
Network -Authenticating to Remote Desktop Gateway.
Scheduled taskBatch √
Password will also be saved as LSA secret on disk.
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Logon and Remote Management (4)Connectionmethod Logon type
Reusable credentials on destination Comments
Run tools as a service
Service √
Password will also be saved as LSA secret on disk.
Vulnerability scanners Network -
Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.