ATC-B210: Pass the Hash and Other Credential Theft and Reuse

Topics
• The Problem
• Attack Scenario
• Demo
• Mitigations and Recommendations
• Next Steps
Aaron Margosis
Ahmad Mahdi
Ambrose Leung
Benjamin Godard
Bret Arsenault
Brian Fielder
Charlie Kaufman
Crispin Cowan
David Hoyle
Dean Wells
Eric Leonard
Fernando Cima
Georgeo Pulikkathara
Jason Krolak
Joe Bialek
John Lambert
Jonathan Ness
Justin Hendricks
Laura A. Robinson
Lori Woehler
Mark Cartwright
Mark Novak
Mark Oram
Mark Russinovich
Mark Simos
Matt Thomlinson
Michael Howard
Michiko Short
Mike Reavey
Mohamed Rouatbi
Nate Morin
Patrick Arnold
Patrick Jungles
Paul Rich
Peter Zdebski
Roger Grimes
Scott Robinson
Scott V. Cleave
Sean Finnegan
Steve Patrick
Tim Rains
Tony Rice
• Ideological Movements
• Nation States
• Organized Crime
…They were next spotted in March 2010, after signing on with the stolen password of a network administrator…
…The hackers logged on through the company’s remote access system, just like any employee…
The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.
Attack activities
Lateral movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
Privilege escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.
Tiers (attack scenario diagram): Power: Domain Controllers; Data: Servers and Applications; Access: Users and Workstations.
1. Bad guy targets workstations en masse.
2. User running as local admin is compromised; bad guy harvests credentials.
3. Bad guy uses credentials for lateral traversal.
4. Bad guy acquires domain admin credentials and associated privileges (privilege escalation).
5. Bad guy has direct or indirect access to read/write/destroy data and systems in the environment.
The same single sign-on (SSO) mechanism that brings
significant benefits to the user experience also increases
the risk of a PtH attack if an operating system is
compromised.
Credentials must be stored or cached to allow the
operating system to perform actions on behalf of the
user to make the system usable.
Location | Plaintext passwords (reversibly encrypted) | NT hash | LM hash | TGT | Windows logon cached password verifiers
Security Accounts Manager (SAM) database | - | Yes | Maybe¹ | - | -
Local Security Authority Subsystem (LSASS) process memory | Yes | Yes | Yes | Yes | -
Active Directory database | - | Yes | Maybe¹ | - | -
The Credential Manager (CredMan) store | Maybe² | - | - | - | -
LSA Secrets in the registry (HKLM\Security) | Service accounts, scheduled tasks, etc. | Computer account | - | - | Yes
Mitigation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Mitigation 1: Restrict and protect high privileged domain accounts | Excellent | Medium | √ | -
Mitigation 2: Restrict and protect local accounts with administrative privileges | Excellent | Low | - | √
Mitigation 3: Restrict inbound traffic using the Windows Firewall | Excellent | Medium | - | √
Mitigation 1: Restrict and protect high privileged domain accounts
Objective: This mitigation restricts the ability of administrators to inadvertently expose privileged credentials to higher risk computers.
How:
• Restrict DA/EA accounts from authenticating to lower trust computers
• Provide admins with separate accounts for administrative duties, distinct from their everyday user accounts
• Assign dedicated workstations for administrative tasks
• Mark privileged accounts as “sensitive and cannot be delegated”
• Do not configure services or scheduled tasks to use privileged domain accounts on lower trust computers
Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
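The following is an added example, not code from the deck or the whitepaper. It automates two of the Mitigation 1 checks: flagging privileged domain accounts that are not yet marked "sensitive and cannot be delegated", and finding services and scheduled tasks on a lower-trust computer that run under a domain account (whose password is then stored as an LSA secret on that machine). It assumes the ActiveDirectory RSAT module on a domain-joined host; the group names and the `CONTOSO` NetBIOS prefix are placeholders.

```powershell
# Added example (not from the deck or whitepaper). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups whose members are treated as privileged (placeholders; extend as needed).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Enumerate privileged users (recursively, de-duplicated) and flag the ones that
#    still allow delegation.
$privileged = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated }

$notMarked = $privileged | Where-Object { -not $_.AccountNotDelegated }
$notMarked | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Set "Account is sensitive and cannot be delegated" on each. -WhatIf shows the
# change only; drop it once the list above has been reviewed.
$notMarked | Set-ADUser -AccountNotDelegated $true -WhatIf

# 2. On a lower-trust computer (run locally or via Invoke-Command), list services
#    and scheduled tasks that run as a domain account. Any privileged account in
#    this output has its password stored as an LSA secret on disk here.
$domainPrefix = 'CONTOSO\'   # placeholder NetBIOS domain name

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "$domainPrefix*" } |
    Select-Object Name, StartName, State

# schtasks /query /v emits a "Run As User" column (English column name; adjust on
# localized systems). ConvertFrom-Csv turns it into objects for filtering.
schtasks.exe /query /fo CSV /v |
    ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "$domainPrefix*" } |
    Select-Object TaskName, 'Run As User'
```

Cross-reference the second half of the output against the first: a privileged account appearing as a service or task identity on a workstation is exactly the exposure the "How" bullets say to avoid.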
Mitigation 2: Restrict and protect local accounts with administrative privileges
Objective: This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.
How:
• Enforce the restrictions available in Windows Vista and newer that prevent local accounts from being used for remote administration (the UAC remote restrictions; do not set LocalAccountTokenFilterPolicy to 1).
• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
• Create unique passwords for local accounts with administrative privileges.
Outcome: An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.
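The following is an added example, not code from the deck or the whitepaper, applying the three Mitigation 2 bullets to a single workstation. It checks the UAC remote-restriction override (`LocalAccountTokenFilterPolicy`), denies network and Remote Desktop logon to every local account in the local Administrators group through a secedit template, and sets a unique random password on the built-in Administrator account. Run it elevated; the group and account names are the English built-in names.

```powershell
# Added example (not from the deck or whitepaper). Run elevated on the workstation.

# 1. UAC remote restrictions are in force unless LocalAccountTokenFilterPolicy = 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($value -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1 gives local admins a full token over the network; removing it.'
    Remove-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy
}

# 2. Collect the SIDs of *local* members of the local Administrators group.
#    Member ADsPaths look like WinNT://<domain-or-workgroup>/<COMPUTER>/<name> for local
#    accounts and WinNT://<domain>/<name> for domain principals, so the element before
#    the last identifies local ones.
$group = [ADSI]'WinNT://./Administrators,group'
$localAdminSids = @($group.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = $path.Split('/')
    if ($parts[-2] -ieq $env:COMPUTERNAME) {
        $account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$($parts[-1])")
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
}

if ($localAdminSids.Count -gt 0) {
    # A template assignment REPLACES the current one for each right. Export first with
    #   secedit /export /cfg current.inf /areas USER_RIGHTS
    # and merge any existing entries into $sidList before applying.
    $sidList = ($localAdminSids | ForEach-Object { "*$_" }) -join ','
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = SIDLIST
SeDenyRemoteInteractiveLogonRight = SIDLIST
'@ -replace 'SIDLIST', $sidList

    $infPath = Join-Path $env:TEMP 'deny-local-admin-remote.inf'
    $inf | Out-File -FilePath $infPath -Encoding Unicode
    secedit.exe /configure /db "$env:TEMP\deny-local-admin-remote.sdb" /cfg $infPath /areas USER_RIGHTS
}

# 3. Unique, random password for the built-in Administrator on this host, so a hash
#    stolen here is useless on every other machine. Record it in the password vault.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)    # 32 characters of CSPRNG output
$admin = [ADSI]'WinNT://./Administrator,user'
$admin.SetPassword($password)
$admin.SetInfo()
```

Steps 1 and 2 are normally deployed domain-wide through Group Policy (Security Options and User Rights Assignment) rather than per machine; the script shows what the policy resolves to on one host so the effect can be verified with `secedit /export`.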
Mitigation 3: Restrict inbound traffic using the Windows Firewall
Objective: This mitigation restricts the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.
How:
• Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.
Outcome: An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.
Note: A whitepaper update has recently been released with guidance for authorized peer-to-peer applications.
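The following is an added example, not code from the deck or the whitepaper, showing Mitigation 3 expressed with the NetSecurity cmdlets (Windows 8 / Server 2012 and later) on one workstation. The trusted-source addresses are placeholders. The point it makes that the bullet above does not: setting the default inbound action to Block is not enough, because Windows ships enabled inbound allow rules (file sharing, Remote Desktop, WinRM, remote management) that still match; those have to be disabled and re-created scoped to the trusted sources.

```powershell
# Added example (not from the deck or whitepaper). Requires the NetSecurity module.
Import-Module NetSecurity

# Placeholder trusted sources: helpdesk subnet, compliance scanner, management server.
$trustedSources = '10.10.5.0/24', '10.10.9.20', '10.10.9.21'

# 1. Default inbound action Block on all profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the built-in inbound allow rules that lateral movement rides on.
#    These are the English display-group names; they are localized on other SKUs.
$lateralGroups = 'File and Printer Sharing',
                 'Remote Desktop',
                 'Windows Remote Management',
                 'Remote Service Management',
                 'Remote Event Log Management',
                 'Remote Scheduled Tasks Management'
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayGroup -in $lateralGroups } |
    Disable-NetFirewallRule

# 3. Re-allow the same services, but only from the trusted sources.
#    135 = RPC endpoint mapper, 139/445 = SMB, 3389 = RDP, 5985/5986 = WinRM.
New-NetFirewallRule -DisplayName 'PtH M3: admin services from trusted sources' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 135, 139, 445, 3389, 5985, 5986 `
    -RemoteAddress $trustedSources

# RPC-based MMC snap-ins (Computer Management, Event Viewer, Services) use dynamic
# ports after the endpoint mapper; the RPC keyword covers them.
New-NetFirewallRule -DisplayName 'PtH M3: RPC dynamic ports from trusted sources' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort RPC -RemoteAddress $trustedSources

# 4. Verify: anything still allowed inbound with no remote-address scope is a gap.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -eq 'Any') { $_.DisplayName }
    }
```

At scale the same settings go into a Group Policy firewall rule set; the verification loop in step 4 is the part worth running on a sample of workstations after the policy applies, since a single unscoped allow rule undoes the mitigation.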
Recommendations
Recommendation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Remove standard users from the local administrators group | Excellent | High | √ | -
Limit the number and use of privileged domain accounts | Good | Medium | √ | -
Configure outbound proxies to deny Internet access to privileged accounts | Good | Low | √ | -
Ensure administrative accounts do not have email accounts | Good | Low | √ | -
More recommendations
Recommendation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Use remote management tools that do not place reusable credentials on a remote computer’s memory | Good | Medium | √ | -
Avoid logons to potentially compromised computers | Good | Low | √ | √
Update applications and operating systems | Partial | Medium | - | -
Secure and manage domain controllers | Partial | Medium | - | -
Remove LM hashes | Partial | Low | - | -
Other mitigation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Disable NTLM | Minimal | High | - | -
Smart cards and multifactor authentication | Minimal | High | - | -
Jump servers | Minimal | High | √ | -
Rebooting workstations and servers | Minimal | Low | - | -
Mitigations and recommendations in the
paper are what can be done today (easily).
Whitepaper and Next Steps
• Read the Whitepaper: Mitigating Pass-the-Hash Attacks and Other Credential Theft Techniques
  http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf
• Spread the Word
• Questions? Interested in advanced architectures? Mark.Simos [at] Microsoft.com
The PtH workgroup will continue to investigate mitigations for credential theft and reuse.
Advanced architecture (diagram): Admin Environment; Production Domain(s); Power: Domain Controllers; Data: Servers and Applications; Access: Users and Workstations; Threats: Internet; IPsec; Domain Admins; Management and Monitoring; Red Card Admins; Break Glass Account(s).
• Credential Partitioning
• Hardened Admin Environment
• Hardened Workstations
• Network security
• Accounts and smartcards
• Auto-Patching
• Security Alerting
• Tamper-resistant audit
• Assist with mitigating risks
• Services & Applications
• Lateral Traversal
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples
Interactive (a.k.a. Logon locally) | 2 | Password, Smartcard, other | Yes | Console logon; RUNAS; Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server); IIS Basic Authn (before IIS 6.0)
Network | 3 | Password, NT Hash, Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets present) | NET USE; RPC calls; Remote registry; IIS integrated Windows authn; SQL Windows authn
Batch | 4 | Password (usually stored as LSA secret) | Yes | Scheduled tasks
Service | 5 | Password (usually stored as LSA secret) | Yes | Windows services
NetworkCleartext | 8 | Password | Yes | IIS Basic Authn (IIS 6.0 and newer); Windows PowerShell with CredSSP
NewCredentials | 9 | Password | Yes | RUNAS /NETWORK
RemoteInteractive | 10 | Password, Smartcard, other | Yes | Remote Desktop (formerly known as “Terminal Services”)
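The following is an added example, not code from the deck or the whitepaper. It turns the logon-type table into a check a defender can run: given 4624 (successful logon) events, it reports privileged accounts that logged on to a machine with a logon type that leaves reusable credentials in LSASS. The account names and the sample events are constructed placeholders; the commented tail shows how to feed real events from the Security log (in a 4624 event, property index 5 is TargetUserName and index 8 is LogonType).

```powershell
# Added example (not from the deck or whitepaper).

# Logon types that leave reusable credentials in the LSA session, per the table above.
# Type 3 (Network) is omitted: nothing reusable unless delegation is enabled.
$reusableLogonTypes = @{
    2  = 'Interactive'
    4  = 'Batch'
    5  = 'Service'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
}

# Privileged accounts to watch (placeholders; normally built from Domain Admins etc.).
$privilegedAccounts = @('da-admin', 'ea-admin')

function Test-PrivilegedExposure {
    param(
        [Parameter(Mandatory)] [int]    $LogonType,
        [Parameter(Mandatory)] [string] $TargetUserName,
        [Parameter(Mandatory)] [string] $Computer
    )
    $reusable   = $reusableLogonTypes.ContainsKey($LogonType)
    $privileged = $privilegedAccounts -contains $TargetUserName
    [pscustomobject]@{
        Computer  = $Computer
        Account   = $TargetUserName
        LogonType = $LogonType
        TypeName  = if ($reusable) { $reusableLogonTypes[$LogonType] } else { 'Network/other' }
        Exposure  = ($reusable -and $privileged)   # True = privileged creds now sit in LSASS here
    }
}

# Constructed sample events (only the three fields the check needs).
$sampleEvents = @(
    @{ Computer = 'WS-0042'; TargetUserName = 'da-admin'; LogonType = 10 },  # DA over RDP: exposure
    @{ Computer = 'WS-0042'; TargetUserName = 'da-admin'; LogonType = 3  },  # DA via MMC/SMB: no reusable creds
    @{ Computer = 'WS-0017'; TargetUserName = 'jsmith';   LogonType = 2  },  # ordinary user at console
    @{ Computer = 'WS-0017'; TargetUserName = 'ea-admin'; LogonType = 8  }   # EA via CredSSP/Basic: exposure
)
$sampleEvents | ForEach-Object { $e = $_; Test-PrivilegedExposure @e } | Format-Table -AutoSize

# Against the live Security log of a workstation:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object {
#         Test-PrivilegedExposure -LogonType $_.Properties[8].Value `
#             -TargetUserName $_.Properties[5].Value -Computer $_.MachineName
#     } | Where-Object Exposure
```

Two of the four sample rows come back with Exposure = True (the RDP and the CredSSP logons); the MMC/SMB row does not, which is the table's point about Network logons and the reason the later recommendations prefer such tools for remote administration.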
Connection method | Logon type | Reusable credentials on destination | Comments
Log on at console | Interactive | √ | Includes hardware remote access / lights-out cards and network KVMs.
RUNAS | Interactive | √ |
RUNAS /NETWORK | NewCredentials | √ | Clones current LSA session for local access, but uses new credentials when connecting to network resources.
Remote Desktop (success) | RemoteInteractive | √ | If the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied) | RemoteInteractive | - | By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.
Net use * \\SERVER | Network | - |
Net use * \\SERVER /u:user | Network | - |
MMC snap-ins to remote computer | Network | - | Example: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRM | Network | - | Example: Enter-PSSession server
PowerShell WinRM with CredSSP | NetworkClearText | √ | Example: New-PSSession server -Authentication Credssp -Credential cred
PsExec without explicit creds | Network | - | Example: PsExec \\server cmd
PsExec with explicit creds | Network + Interactive | √ | Example: PsExec \\server -u user -p pwd cmd. Creates multiple logon sessions.
Remote Registry | Network | - |
Remote Desktop Gateway | Network | - | Authenticating to Remote Desktop Gateway.
Scheduled task | Batch | √ | Password will also be saved as LSA secret on disk.
Run tools as a service | Service | √ | Password will also be saved as LSA secret on disk.
Vulnerability scanners | Network | - | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.