How to compromise governments network silently through abuse of trust. Governments rely on 3rd parties heavily for minor tasks like shipping, to major tasks like DB management. The trust between government network and those 3rd parties can be abused silently while using Shadow Admins and Delegation.

1. 1
Silent Cold War
How Government Networks
Can Be Compromised Silently
Lavi Lazarovitz – Cyberark Security Research

2. 2
4.5M22.5M

3. 3
“ This is crown jewels material… a gold mine for a foreign
intelligence service ”
“ … a treasure trove of information that is available to the
Chinese until the people represented by the information age
off. There’s no fixing it. ”
Joel Brenner, former NSA Senior Counsel
Michael Hayden, former Director of the CIA

4. 4
My Name Is…. My Name Is… My Name Is…
/> Lavi. Lazarovitz
/> Security Research @ CyberArk Labs
/> Research:
//> Authentication protocols
//> Privilege escalation + Persistency
//> Cloud security
/> Contributor to CyberArkLabs Github repo
/> Former pilot and intel. Officer for the IAF

5. 5
201520142012 2013
Timeline of the Attack
Initial foothold
July Mar
US-CERT
notified OPM
about a beach
“Big Bang”
Network map
exfiltration
“Big Bang”
Execution
Attackers
install key
loggers
20152014
May
Initial foothold
Apr 15
OPM detects
anomalous SSL
activity
Apr 17
US CERT
discovers risk to
PII
Apr 23
US CERT discovers
exfiltration that
occurred in Dec.
Apr 24
Attackers kicked
out
USIS breach
detected
Aug
KeyPoint breach
detected
Sept
KeyPoint
breached
Mar
Fingerprints
exfiltrated
July
PII exfiltration
Dec
Pivot to
Department Of Interior

6. 6
USIS
KeyPoint DOI
OPM
Deep Panda / Axiom
The OPM Breach

7. 7
The OPM Breach
KeyPoint
credentials
Phishing
email
Domain
Admin
PIIs
SQL
server
Network
map
Finger
prints
DOI
credentials

8. 8
Breach Attack Vectors
KeyPoint credentials Domain Admin DOI credentials
Initial foothold Domain Compromise Cross Domains

9. 9
US CERT Recommendations
Trust Model
“ The zero trust model requires strictly enforced user controls to ensure limited
access for all users and assumes that all traffic traveling over an organization’s
network is threat traffic until authorized by the IT team.”
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

10. 10
generals are
always preparing for the last war rather than the next one.
ICIT, Handing Over the Keys to the Castle
http://icitech.org/wp-content/uploads/2015/07/ICIT-Brief-OPM-Breach2.pdf

11. 11
Admin A
Shadow Admins
Admin B
Shadow Admin

12. 13
Permissions and ACLs - in Active Directory
SYSTEM
Enterprise Admins
Domain Admins
Authenticated Users
User1
User2
ACLAD Objects
Groups
Domain root
Containers
GPOs
FULL CONTROL
CREATE CHILD OBJECTS
DELETE CHILD OBJECTS
CHANGE PASSWORD
READ ONLY
READ ONLY
READ ONLY
CHANGE PASSWORD

13. 14
SHADOW ADMINS DEMO
https://github.com/cyberark/ACLight

14. 15
Delegation - Concept
Client
User
Front End
User’s Ticket
Back End

15. 16
Delegation - Kerberos
Client’s
Workstation
Front-End Service
Unconstrained
Delegation
1
2
3
4
5
Domain
Controller

16. 17
Kerberos Features
Allows a service to obtain a
service ticket on behalf of a
user to a different service.
Allows a service to obtain a
service ticket to itself in the
name of a different user.

17. 18
Delegation - Kerberos
Client’s
Workstation
Front-End Service
Unconstrained
Delegation
1
4
Domain
Controller

18. 20
The Bottom Line
https://msdn.microsoft.com/en-us/library/cc246112.aspx
“ This gives any service allowed access to the S4U2proxy extension
a degree of power similar to that of the KDC itself. “
“ The S4U2proxy extension allows a service to obtain a service
ticket to a second service on behalf of a user. “
“ When combined with S4U2self, this allows the first service to
impersonate any user principal while accessing the second
service. “

19. 21
The Flexibility…
CIFS
File Server HOST
Computer
MSSQLSvc
SQL Databases
HTTP
Web Services
LDAP
Domain Controllers
msDS-AllowedToDelegateTo

20. 22
Constrained Delegataion
Privilege Escalation
Arbitrary Impersonations
MSSQL Svc
Data Base access
HTTP
Invoke-Command
Remote Code execution
LDAP
DCSync
Password replication

21. 23
The Attack Vector
Hunt Accounts Trusted for Delegation
Impersonate Another User
Abuse the Allowed Service

22. 24
Trying To Constrain
Services validate a service ticket using
Secret-Key
Services associated with the
same account
Services with the
same password

23. 26
DELEGATION DEMO

24. 27
Detection
Monitor Kerberos Traffic Monitor Impersonation

25. 28
Log Detection – Event 4624
Source Target

26. 29
Network Detection – Kerberos Traffic
TGS_REQ TGS_REP

27. 30
Mitigations
Dedicated
Service Accounts Protected Accounts Unique SPNs
https://github.com/CyberArk

28. 31
Takeaways
Credentials are key asset
Delegation can be utilized to abuse credentials
Shadow Admins are silent assassins

29. 32

30. 33
Thank You
Lavi.Lazarovitz@cyberark.com
Lavi Lazarovitz @ Linkedin
@LaviLazarovitz @ Twitter
CyberArk @ GitHub
Credits
Benjamin Delpy
Ben Campbell
@Harmj0y