
Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation

Mark Simos, Aaron Margosis
Microsoft Cybersecurity Team

ATC-B210

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Topics

The Problem

Attack Scenario

Demo

Mitigations and Recommendations

Next Steps


Pass the Hash Workgroup

Aaron Margosis, Ahmad Mahdi, Ambrose Leung, Benjamin Godard, Bret Arsenault, Brian Fielder, Charlie Kaufman, Crispin Cowan, David Hoyle, Dean Wells, Eric Leonard

Fernando Cima, Georgeo Pulikkathara, Jason Krolak, Joe Bialek, John Lambert, Jonathan Ness, Justin Hendricks, Laura A. Robinson, Lori Woehler, Mark Cartwright, Mark Novak

Mark Oram, Mark Russinovich, Mark Simos, Matt Thomlinson, Michael Howard, Michiko Short, Mike Reavey, Mohamed Rouatbi, Nate Morin, Patrick Arnold, Patrick Jungles

Paul Rich, Peter Zdebski, Roger Grimes, Scott Robinson, Scott V. Cleave, Sean Finnegan, Steve Patrick, Tim Rains, Tony Rice

Internet cafes in vacation spots

Every time you connect to the internet

Wonderful Internet Services

You have instant and direct IP connectivity to…

Ideological Movements

Organized Crime

Nation States

Numerous, active, and evolving threats…

…using your own systems against you

…They were next spotted in March 2010, after signing on with the stolen password of a network administrator…

…The hackers logged on through the company’s remote access system, just like any employee…

The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.


Attack Scenario

Attack activity | Description
Lateral movement | The attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
Privilege escalation | The attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.

Environment tiers:
Access: Users and Workstations
Power: Domain Controllers
Data: Servers and Applications

Typical Pass the Hash Attack

1. Bad guy targets workstations en masse.
2. A user running as local admin is compromised; bad guy harvests credentials.
3. Bad guy uses the harvested credentials for lateral traversal.
4. Bad guy acquires domain admin credentials and the associated privileges (privilege escalation).
5. Bad guy has direct or indirect access to read, write or destroy data and systems in the environment.

Demo

WCE (Windows Credentials Editor) in action…


Why can’t Microsoft release an update to address this issue?

Pass the Hash and other credential theft attacks exploit the access that an attacker gains by compromising an account in the local Administrators group.

These accounts have complete control over the computer’s memory, disks, and processor resources. Once an attacker holds that level of control, there is no security boundary left on the machine for a software update to enforce: anything the operating system can read, the attacker can read too.


A word about single sign-on (SSO)

The same single sign-on (SSO) mechanism that brings significant benefits to the user experience also increases the risk of a PtH attack if an operating system is compromised.

Credentials must be stored or cached to allow the operating system to perform actions on behalf of the user to make the system usable.

What & Where?

Location | Plaintext passwords (reversibly encrypted) | NT hash | LM hash | TGT | Windows logon cached password verifiers
Security Accounts Manager (SAM) database | - | Yes | Maybe (1) | - | -
Local Security Authority Subsystem (LSASS) process memory | Yes | Yes | Yes | Yes | -
Active Directory database | - | Yes | Maybe (1) | - | -
The Credential Manager (CredMan) store | Maybe (2) | - | - | - | -
LSA Secrets in the registry | Service accounts, scheduled tasks, etc.; computer account | - | - | - | -
HKLM\Security | - | - | - | - | Yes

(1) Only if the policy "Network security: Do not store LAN Manager hash value on next password change" is disabled (it is enabled by default since Windows Vista / Windows Server 2008).
(2) Only if the user chooses to save a password.


Mitigations Summary (√ = addresses this attack activity, - = does not)

Mitigation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Mitigation 1: Restrict and protect high privileged domain accounts | Excellent | Medium | √ | -
Mitigation 2: Restrict and protect local accounts with administrative privileges | Excellent | Low | - | √
Mitigation 3: Restrict inbound traffic using the Windows Firewall | Excellent | Medium | - | √


Mitigation 1 - Restrict and protect high privileged domain accounts

Objective: Restrict the ability of administrators to inadvertently expose privileged credentials to higher risk computers.

How:
• Restrict Domain Admins (DA) and Enterprise Admins (EA) accounts from authenticating to lower trust computers.
• Provide admins with separate accounts for administrative duties, distinct from their everyday user accounts.
• Assign dedicated workstations for administrative tasks.
• Mark privileged accounts as “sensitive and cannot be delegated”.
• Do not configure services or scheduled tasks to use privileged domain accounts on lower trust computers.

Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.


Mitigation 2 - Restrict and protect local accounts with administrative privileges

Objective: Restrict the ability of attackers to use local administrator accounts, or their equivalents, for lateral movement PtH attacks.

How:
• Enforce the restrictions available in Windows Vista and newer that prevent local accounts from being used for remote administration (UAC remote restrictions: a network logon with a local account other than the built-in Administrator receives a filtered, non-elevated token).
• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
• Create unique passwords for local accounts with administrative privileges, so that one harvested local password does not open every other workstation.

Outcome: An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.


Mitigation 3 - Restrict inbound traffic using the Windows Firewall

Objective: Restrict the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.

How:
• Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.

Outcome: An attacker who successfully obtains any type of account credentials will not be able to connect from the compromised workstation to other workstations.

Note: A whitepaper update was recently released with guidance for authorized peer-to-peer applications.


Recommendations (1) (√ = addresses this attack activity, - = does not)

Recommendation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Remove standard users from the local administrators group | Excellent | High | √ | -
Limit the number and use of privileged domain accounts | Good | Medium | √ | -
Configure outbound proxies to deny Internet access to privileged accounts | Good | Low | √ | -
Ensure administrative accounts do not have email accounts | Good | Low | √ | -


Recommendations (2) (√ = addresses this attack activity, - = does not)

More recommendations | Effectiveness | Effort required | Privilege escalation | Lateral movement
Use remote management tools that do not place reusable credentials on a remote computer’s memory | Good | Medium | √ | -
Avoid logons to potentially compromised computers | Good | Low | √ | √
Update applications and operating systems | Partial | Medium | - | -
Secure and manage domain controllers | Partial | Medium | - | -
Remove LM hashes | Partial | Low | - | -


Other Mitigations (√ = addresses this attack activity, - = does not)

Other mitigation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Disable NTLM | Minimal | High | - | -
Smart cards and multifactor authentication | Minimal | High | - | -
Jump servers | Minimal | High | √ | -
Rebooting workstations and servers | Minimal | Low | - | -


Is the problem solved?

No. These are initial steps.

Mitigations and recommendations in the paper are what can be done today (easily).


Whitepaper and Next Steps

The PtH workgroup will continue to investigate mitigations for credential theft and reuse.

Read the Whitepaper: Mitigating Pass-the-Hash Attacks and Other Credential Theft Techniques
http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf

Spread the Word

Questions? Interested in advanced architectures? Mark.Simos [at] Microsoft.com

Enhanced Security Admin Environment

(Architecture diagram; only its labels survive.) A hardened Admin Environment, separate from the Production Domain(s), performs Management and Monitoring across the three tiers: Access (Users and Workstations), Power (Domain Controllers) and Data (Servers and Applications). Threats shown: Internet, Lateral Traversal. Controls shown: IPsec, Credential Partitioning, Hardened Admin Environment, Hardened Workstations, Network Security, Accounts and Smartcards, Auto-Patching, Security Alerting, Tamper-resistant Audit. Accounts shown: Domain Admins, Break Glass Account(s), Red Card Admins. Other labels: "Assist with mitigating risks", "Services & Applications".

Related content

ATC-B312 - Security Experts Panel Discussion: Security for Hackers (BYOD)
ATC-B302 - APTs: Cybercrime, Cyber Attacks, Warfare and Threats Exposed
ATC-B309 - Live Demonstration: Hacker Tools You Should Know and Worry About
ATC-B301 - Adventures in Underland: What Passwords Do When No One Is Watching

Find us later at Ask The Experts.

Resources

msdn - Resources for Developers: http://microsoft.com/msdn
Learning - Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet - Resources for IT Professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Backup Slides


Logon Types (1)

Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples
Interactive (a.k.a. Logon locally) | 2 | Password, smartcard, other | Yes | Console logon; RUNAS; hardware remote control solutions (such as network KVM or Remote Access / Lights-Out card in a server); IIS Basic Authn (before IIS 6.0)
Network | 3 | Password, NT hash, Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets are present) | NET USE; RPC calls; remote registry; IIS integrated Windows authn; SQL Windows authn
Batch | 4 | Password (usually stored as LSA secret) | Yes | Scheduled tasks
Service | 5 | Password (usually stored as LSA secret) | Yes | Windows services

Logon Types (2)

Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples
NetworkCleartext | 8 | Password | Yes | IIS Basic Authn (IIS 6.0 and newer); Windows PowerShell with CredSSP
NewCredentials | 9 | Password | Yes | RUNAS /NETWORK
RemoteInteractive | 10 | Password, smartcard, other | Yes | Remote Desktop (formerly known as “Terminal Services”)
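The logon-type table is what makes credential exposure auditable from the Windows Security log: every 4624 (successful logon) event records the logon type and the target account, so a defender can check Mitigation 1 (privileged domain accounts landing on lower-trust computers with a logon type that leaves reusable credentials) and Mitigation 2 (administrative local accounts used over the network or Remote Desktop) from the logs alone. The script below is an added example written for this page; it is not code from the presentation or the whitepaper. The CSV event layout, the host and account names, and the tier assignments (PRIVILEGED_ACCOUNTS, ADMIN_HOSTS, LOCAL_ADMIN_ACCOUNTS) are constructed assumptions.

```python
"""Flag 4624 logons that violate Mitigation 1 or Mitigation 2.

Added example (not code from the slides or the whitepaper). It applies the
"Logon Types" table to Windows Security event 4624 records and reports:

  M1: a privileged domain account logging on to a computer outside the admin
      environment with a logon type that leaves reusable credentials in LSASS.
  M2: an administrative local account logging on over the network (type 3) or
      Remote Desktop (type 10), which Mitigation 2's deny-logon rights prevent.

The CSV export format, host names, account names and tier assignments are
constructed for the example.
"""
import csv
import io
from dataclasses import dataclass

# Logon types that leave reusable credentials (password, NT hash or TGT) in the
# destination's LSA session, per the "Logon Types" table.
REUSABLE_CREDS = {
    2: "Interactive",
    4: "Batch",
    5: "Service",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
}
NETWORK = 3            # leaves nothing reusable on the destination (absent delegation)
REMOTE_INTERACTIVE = 10

# Constructed environment assumptions (not from the slides).
PRIVILEGED_ACCOUNTS = {"da-bob"}          # Domain Admins / Enterprise Admins members
ADMIN_HOSTS = {"PAW-07"}                  # dedicated admin workstations (Mitigation 1)
LOCAL_ADMIN_ACCOUNTS = {"administrator"}  # local accounts with admin rights (Mitigation 2)

# Constructed 4624 export. For local accounts TargetDomainName equals the computer name.
SAMPLE_EVENTS = """EventID,Computer,TargetDomainName,TargetUserName,LogonType
4624,WKS-0231,CONTOSO,alice,2
4624,WKS-0231,CONTOSO,da-bob,10
4624,WKS-0231,WKS-0231,Administrator,3
4624,FS-01,CONTOSO,da-bob,3
4624,PAW-07,CONTOSO,da-bob,2
4624,WKS-0412,WKS-0412,Administrator,2
4624,WKS-0412,WKS-0412,Administrator,10
4624,WKS-0412,CONTOSO,WKS-0412$,3
4624,SRV-APP1,CONTOSO,da-bob,5
4634,WKS-0412,CONTOSO,alice,2
"""


@dataclass(frozen=True)
class Logon:
    host: str         # computer that logged the event (the logon destination)
    domain: str       # TargetDomainName
    account: str      # TargetUserName
    logon_type: int

    @property
    def is_local_account(self):
        return self.domain.upper() == self.host.upper()

    @property
    def principal(self):
        return f"{self.domain}\\{self.account}"


def parse_4624(export):
    """Keep successful logons (4624) only; skip computer accounts and built-in identities."""
    logons = []
    for row in csv.DictReader(io.StringIO(export)):
        if row["EventID"] != "4624":
            continue
        if row["TargetUserName"].endswith("$") or row["TargetDomainName"].upper() == "NT AUTHORITY":
            continue
        logons.append(Logon(row["Computer"], row["TargetDomainName"],
                            row["TargetUserName"], int(row["LogonType"])))
    return logons


def find_violations(logons, privileged=PRIVILEGED_ACCOUNTS, admin_hosts=ADMIN_HOSTS,
                    local_admins=LOCAL_ADMIN_ACCOUNTS):
    """Return (rule, host, principal, logon type name) for each exposing logon, in log order."""
    privileged = {p.lower() for p in privileged}
    admin_hosts = {h.upper() for h in admin_hosts}
    local_admins = {a.lower() for a in local_admins}
    findings = []
    for ev in logons:
        if ev.is_local_account:
            # Mitigation 2: local admin accounts must not be used for remote logon.
            if ev.account.lower() in local_admins and ev.logon_type in (NETWORK, REMOTE_INTERACTIVE):
                name = "Network" if ev.logon_type == NETWORK else "RemoteInteractive"
                findings.append(("M2", ev.host, ev.principal, name))
        elif (ev.account.lower() in privileged
              and ev.host.upper() not in admin_hosts
              and ev.logon_type in REUSABLE_CREDS):
            # Mitigation 1: privileged domain credentials landed on a lower-trust host.
            findings.append(("M1", ev.host, ev.principal, REUSABLE_CREDS[ev.logon_type]))
    return findings


if __name__ == "__main__":
    for rule, host, who, how in find_violations(parse_4624(SAMPLE_EVENTS)):
        print(f"{rule}: {who} on {host} via {how} logon")
```

Note what is deliberately not reported: the Domain Admin's type 3 (network) logon to FS-01 leaves no reusable credentials on the destination, so it passes, exactly as the table says; the same account's Service logon on SRV-APP1 is flagged because a service password is an LSA secret on disk. The script does not model the delegation caveat on type 3 logons, and in practice the rows would come from a Get-WinEvent export or a SIEM rather than an inline string.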


Logon and Remote Management (1) (√ = reusable credentials left on the destination, - = none)

Connection method | Logon type | Reusable credentials on destination | Comments
Log on at console | Interactive | √ | Includes hardware remote access / lights-out cards and network KVMs.
RUNAS | Interactive | √ |
RUNAS /NETWORK | NewCredentials | √ | Clones the current LSA session for local access, but uses the new credentials when connecting to network resources.
Remote Desktop (success) | RemoteInteractive | √ | If the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied) | RemoteInteractive | - | By default, if the RDP logon fails the credentials are only stored very briefly. This may not be the case if the computer is compromised.


Logon and Remote Management (2) (√ = reusable credentials left on the destination, - = none)

Connection method | Logon type | Reusable credentials on destination | Comments
Net use * \\SERVER | Network | - |
Net use * \\SERVER /u:user | Network | - |
MMC snap-ins to remote computer | Network | - | Example: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRM | Network | - | Example: Enter-PSSession server
PowerShell WinRM with CredSSP | NetworkClearText | √ | Example: New-PSSession server -Authentication Credssp -Credential cred


Logon and Remote Management (3) (√ = reusable credentials left on the destination, - = none)

Connection method | Logon type | Reusable credentials on destination | Comments
PsExec without explicit creds | Network | - | Example: PsExec \\server cmd
PsExec with explicit creds | Network + Interactive | √ | Example: PsExec \\server -u user -p pwd cmd. Creates multiple logon sessions.
Remote Registry | Network | - |
Remote Desktop Gateway | Network | - | Authenticating to the Remote Desktop Gateway itself.
Scheduled task | Batch | √ | Password will also be saved as an LSA secret on disk.


Logon and Remote Management (4) (√ = reusable credentials left on the destination, - = none)

Connection method | Logon type | Reusable credentials on destination | Comments
Run tools as a service | Service | √ | Password will also be saved as an LSA secret on disk.
Vulnerability scanners | Network | - | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.