Erik Van Buggenhout
CredentialGuard vs Mimikatz
The showdown
InfoSecurity – 14 March 2018
InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz
Who am I?
• Co-founder
• Incident Response & Threat Hunting
• Lead Author & Instructor SEC599
• Instructor SEC560, 561, 562, 542
What I’d like to discuss today
Quick Introduction
Refresher: Windows credentials attacks
Let’s talk defenses: What defense mechanisms were introduced before?
CredentialGuard: What is this CredentialGuard you speak of?
Demo: The proof is in the pudding! CredentialGuard vs Mimikatz
Stealing Windows credentials – where in the Cyber Kill Chain?
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
Windows credentials are typically a target for adversaries in the later stages of the compromise. After obtaining an initial foothold, credentials are stolen to further escalate privileges and move laterally in the environment!
Windows credentials attacks
Aside from generic attacks such as phishing or keylogging, the table below lists some of the most common ways used by adversaries to obtain Windows credentials.
SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence:
https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
Introducing some of these tools – Capturing NTLMv2
For various reasons Kerberos may not be available, in which case Windows falls back to NTLMv2 challenge/response authentication. The flow between the client workstation, the service (e.g. a database server) and the domain controller:
1. The client requests authentication from the server.
2. The server sends a challenge.
3. The client sends a response: the authenticating system uses the hashed credential to calculate a response based on the challenge sent by the server.
4. In a Windows domain environment, the server forwards the challenge and response to the domain controller for validation of the credentials.
5. The domain controller validates them.
6. The server sends the response to the client.
Introducing some of these tools – Responder – Capturing NTLMv2
Responder is (amongst other things) an LLMNR, NBT-NS and MDNS poisoner. It attempts to trick systems into connecting and authenticating to the system it is running on. It then attempts to sniff the authentication challenge/response (e.g. NTLMv2), which could subsequently be cracked by a password cracking tool.
Dumping credentials from LSASS memory
Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in particular has become extremely popular:
• It opens up an attack vector against users that are not configured locally (domain users). Furthermore, stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so they can immediately be reused in Pass-the-Hash attacks
• Common attack flow:
  1. Obtain local admin access to one system in the domain
  2. Lure a domain admin to the machine (e.g. call the helpdesk)
  3. Dump credentials from memory
  4. Own the domain (“Domain dominance”)
  5. Persist domain ownership (Golden ticket, DCSync, Skeleton Key, …)
• Tools like BloodHound create entire attack trees that reveal relationships between accounts and systems to facilitate this
Dumping credentials from LSASS memory – Common technique
Due to the size and complexity of an Active Directory environment, it is often difficult for administrators to retain a good overview of how privileges are assigned across the environment. Adversaries can leverage this to spot excessive privileges which can be used in lateral movement…
AD structure diagrams
The diagram on the slide (generated by the attacking tool BloodHoundAD) reveals an interesting way in which adversaries could laterally move through the target environment: in a few steps, Erik could easily steal the hashes of Stephen, thereby obtaining Domain Admin privileges.
Graph from the slide: User Erik → Group “Workstation admins” → PC “Workstation 1” → HasSession → User Stephen → Group “Domain admins”
Dumping credentials from LSASS memory – Mimikatz
Mimikatz is a free, open-source Windows tool built by Benjamin Delpy (@gentilkiwi) to extract credentials from Windows computers. Its second version is often referred to as “Kiwi”.
Due to its high reliability & flexibility, it is used by adversaries and penetration testers alike. Several variations have been created and it has been included as a module in the Metasploit Meterpreter attacking tool.
“Mimikatz is a tool I've made to learn C and make some experiments with Windows security. It's now well known to extract plaintext passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”
Dumping credentials from LSASS memory – The primacy of Mimikatz
Executing the command privilege::debug enables the debug privilege.
Executing the command lsadump::lsa /inject dumps the hashes from the LSA process (lsass.exe).
Dumping credentials from LSASS memory – Mimikatz in the news
The popularity of Mimikatz has sky-rocketed over the last few years:
• In 2017, the NotPetya ransomware used various components of Mimikatz to support its lateral movement
• In several APT investigations, Mimikatz was part of the standard toolkit used by advanced adversaries (amongst others, Oilrig, Cobalt Kitty & APT-28 have been observed using (variants of) Mimikatz)
• Penetration testing & red teaming frameworks include (variants of) Mimikatz:
  • Metasploit Meterpreter has a built-in Mimikatz module
  • PowerShell Empire has a built-in version of Mimikatz
Dumping credentials from LSASS memory – Some advanced Mimikatz features
• To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS process can be fed to Mimikatz. This dump file can be created by built-in Windows tools (e.g. Task Manager) or the Sysinternals toolkit. This removes the need to run a “hacking tool” like Mimikatz on the target system…
• Mimikatz can impersonate a Domain Controller and replicate all password hashes using MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz
• Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in the memory of the Domain Controller (“Skeleton Key” attack)
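Whether the dump is taken by Mimikatz itself or by Task Manager, the tool first has to open LSASS with read access, so that handle open is the detection point for defenders. The PowerShell below is an added example, not part of the slides: it flags Sysmon Event ID 10 (ProcessAccess) records in which a non-allow-listed image obtains PROCESS_VM_READ on lsass.exe. The sample events, the source image paths and the allow-list are constructed placeholders to tune for your environment.

```powershell
# Added example (not from the slides): detect read handles opened on lsass.exe
# from Sysmon Event ID 10 (ProcessAccess) records.

# PROCESS_VM_READ (0x0010) is the access right any memory-dumping tool needs on LSASS.
$PROCESS_VM_READ = 0x0010

# Placeholder allow-list: images expected to read LSASS legitimately (e.g. your EDR agent).
$AllowedSources = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe')

function Test-LsassAccess {
    # Emits an alert object for every event that reads LSASS memory from an unexpected image.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.TargetImage -notlike '*\lsass.exe') { return }
        $granted = [Convert]::ToInt32($Event.GrantedAccess, 16)   # Sysmon logs the mask as hex text
        if (($granted -band $PROCESS_VM_READ) -eq 0) { return }   # query-only handles are usually benign
        if ($AllowedSources -contains $Event.SourceImage) { return }
        [PSCustomObject]@{
            Time          = $Event.UtcTime
            SourceImage   = $Event.SourceImage
            GrantedAccess = $Event.GrantedAccess
            Reason        = 'PROCESS_VM_READ on lsass.exe from a non-allow-listed image'
        }
    }
}

function ConvertFrom-SysmonEvent {
    # Flattens a live Sysmon event's EventData fields into the same shape as the samples below.
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $xml = [xml]$WinEvent.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [PSCustomObject]$fields
    }
}

# Constructed sample events (not real logs) in the shape of Sysmon ID 10 EventData fields.
$SampleEvents = @(
    [PSCustomObject]@{ UtcTime = '2018-03-14 10:01:02.000'; SourceImage = 'C:\Windows\System32\csrss.exe';   TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' },
    [PSCustomObject]@{ UtcTime = '2018-03-14 10:03:15.000'; SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' },
    [PSCustomObject]@{ UtcTime = '2018-03-14 10:05:40.000'; SourceImage = 'C:\Windows\System32\Taskmgr.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1410' },
    [PSCustomObject]@{ UtcTime = '2018-03-14 10:07:01.000'; SourceImage = 'C:\Users\erik\Downloads\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1010' },
    [PSCustomObject]@{ UtcTime = '2018-03-14 10:08:30.000'; SourceImage = 'C:\Users\erik\Downloads\tool.exe'; TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1010' }
)

# Expected: the csrss.exe (allow-listed), svchost.exe (no VM_READ) and notepad.exe (not LSASS)
# events are ignored; the Taskmgr.exe and tool.exe opens on lsass.exe are reported.
$SampleEvents | Test-LsassAccess | Format-Table -AutoSize

# Live use on a host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } |
#     ConvertFrom-SysmonEvent | Test-LsassAccess
```

Task Manager reads on LSASS are deliberately not allow-listed, because a dump taken with Task Manager is exactly the offline-mode scenario described above.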
What’s left behind?
http://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material
What’s left behind? – Mimikatz point of view
Generic recommendations – Isolate Domain Controllers
Put domain controllers in a different network than other servers and workstations. Use at least firewalls to separate the networks.
Diagram from the slide: “Domain controllers network” separated from the “Inner network”.
Generic recommendations – Privileged Access Workstations
Diagram from the slide: “Domain controllers network”, “Privileged Access Workstations” and “Inner Network” as separate segments.
Generic recommendations – Identity & Access Management
Focused improvements - Windows 8 / 2012 – Restricted Admin
The idea of “Restricted Admin” mode is that credentials are not sent when establishing an RDP session, so the chances of capturing them using Mimikatz are lower!
Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
Focused improvements - Windows 8 / 2012 – Restricted Admin
In a bit more detail:
Normal RDP
• Erik enters his password in the RDP client.
• The RDP client performs a network logon to the target server to authorize Erik.
• Erik is authorized and the RDP client relays the credentials to the target machine over a secure channel.
• The target server uses these credentials to perform an interactive logon on behalf of Erik.
Restricted Admin
• RDP tries to log on interactively to the remote machine without sending credentials.
• The actual credentials are not required in order to set up the connection.
Focused improvements - Windows 8 / 2012 – Restricted Admin
Focused improvements - Windows 8 / 2012 – Protected Processes
In order to prevent hash dumping attacks aimed at the LSA process, Microsoft introduced “Protected Processes” as of Windows 8 & Windows Server 2012.
• Protected processes were first introduced in Windows Vista for DRM (Digital Rights Management) purposes, but were adapted for “security purposes” in Windows 8
• The screenshot on the slide shows the lsass.exe process running as a “protected process”
• Protected Processes are implemented in kernel software and can thus be defeated by code running in the kernel…
Focused improvements - Windows 8 / 2012 – Protected Processes
Focused improvements - Windows 8 / 2012 – Protected Processes
Focused improvements - Windows 8 / 2012 – Domain Protected Users
“Protected Users” enforces a number of restrictions on affected users, which try to defend against several of the attack strategies previously mentioned:
• Authentication using NTLM is disabled
  => Protects against Responder-style attacks
• WDigest & CredSSP clear-text credentials are no longer stored in LSASS
  => Fewer results when dumping LSASS memory
• On a device running Windows 8.1, passwords are not cached
  => Protects against dumping of cached credentials (Windows default: the 10 most recent users)
• Kerberos will not use DES or RC4 during pre-authentication
  => Protects against “Kerberoasting” attacks
Introducing CredentialGuard
Windows high-level architecture – Without CredentialGuard
Having a look at the processes – Without CredentialGuard
Windows high-level architecture – With CredentialGuard
When Credential Guard is enabled, the LSA process still runs in userland. The actual credentials are stored in the isolated LSA process (LsaIso.exe). This process does not run under Windows, but in Virtual Secure Mode.
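A defender's first question is whether these controls are actually in place on a given host. The PowerShell below is an added example, not part of the slides: it reports the Credential Guard / LsaIso state described here alongside the earlier controls from this deck (LSASS as a protected process, WDigest clear-text caching, cached logons, Restricted Admin). The registry paths and the Win32_DeviceGuard class are Microsoft-documented; treating an absent DisableRestrictedAdmin value as “not enabled” is an assumption.

```powershell
# Added example (not from the slides): audit the LSASS-hardening controls discussed in this
# deck on the local Windows 10 / Server 2016+ host. Run from an elevated PowerShell prompt.

function Get-RegValue {
    # Returns a registry value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-CredentialDefenseStatus {
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Credential Guard: Win32_DeviceGuard lists the running VBS services; 1 = Credential Guard.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    $vbsStatus = if ($null -ne $dg) { $dg.VirtualizationBasedSecurityStatus } else { 0 }

    # The isolated LSA process (LsaIso.exe) exists only while Credential Guard is running.
    $lsaIso = $null -ne (Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

    # LSASS as a protected process (RunAsPPL = 1): the Windows 8.1 / 2012 R2 control.
    $runAsPpl = Get-RegValue $lsaKey 'RunAsPPL'

    # WDigest clear-text caching. On Windows 8.1+/10 an absent value means off (0);
    # on Windows 7 with the WDigest update installed an absent value means still ON.
    $wdigest  = Get-RegValue $wdigestKey 'UseLogonCredential'
    $legacyOs = [Environment]::OSVersion.Version -lt [Version]'6.3'
    $wdigestOff = if ($null -eq $wdigest) { -not $legacyOs } else { $wdigest -eq 0 }

    # Cached domain logons kept on disk (Windows default: 10 users).
    $cached = Get-RegValue $winlogon 'CachedLogonsCount'
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    # Restricted Admin RDP: DisableRestrictedAdmin = 0 allows the mode
    # (assumption: an absent value is reported here as not enabled).
    $disableRa = Get-RegValue $lsaKey 'DisableRestrictedAdmin'

    [PSCustomObject]@{
        VbsStatus              = $vbsStatus
        CredentialGuardRunning = $cgRunning
        LsaIsoProcessPresent   = $lsaIso
        LsassRunAsPPL          = ($runAsPpl -eq 1)
        WDigestClearTextOff    = $wdigestOff
        CachedLogonsCount      = $cachedCount
        RestrictedAdminEnabled = ($disableRa -eq 0)
    }
}

# Print the findings and list the controls that are still missing.
$status = Get-CredentialDefenseStatus
$status | Format-List

$gaps = @()
if (-not $status.CredentialGuardRunning) { $gaps += 'Credential Guard is not running (no LsaIso isolation of credentials)' }
if (-not $status.LsassRunAsPPL)          { $gaps += 'LSASS is not running as a protected process (RunAsPPL)' }
if (-not $status.WDigestClearTextOff)    { $gaps += 'WDigest may keep clear-text passwords in LSASS' }
if ($status.CachedLogonsCount -gt 0)     { $gaps += "Cached domain logons allowed: $($status.CachedLogonsCount)" }
if ($gaps.Count -eq 0) { 'All LSASS-hardening controls checked here are in place.' } else { $gaps }
```

Credential Guard protects the secrets held by LsaIso.exe, not the cached logon verifiers or a WDigest provider that is still enabled, which is why the script reports those separately.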
Windows high-level architecture – With CredentialGuard
Some caveats
Some caveats – Another interesting attack strategy!
Demo time
Conclusion
Want to learn more?
Want support?
Get in touch with NVISO’s experts, we’d be happy to discuss how we can help further!
Want to learn more?
Join SEC599 – Defeating Advanced Adversaries!
• London – April 2018
• Amsterdam – September 2018
• Brussels – October 2018
More locations available at https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses

 

Último (20)

Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 

Windows 10 CredentialGuard vs Mimikatz - SEC599

  • 1. Erik Van Buggenhout – CredentialGuard vs Mimikatz: The showdown – InfoSecurity – 14 March 2018
  • 2. InfoSecurity – 14 March 2018 – CredentialGuard & Mimikatz
    Who am I?
    • Co-founder
    • Incident Response & Threat Hunting
    • Lead Author & Instructor SEC599
    • Instructor SEC560, 561, 562, 542
  • 3. What I’d like to discuss today
    • Quick Introduction – Refresher: Windows credentials attacks
    • Let’s talk defenses – What defense mechanisms were introduced before?
    • CredentialGuard – What is this CredentialGuard you speak of?
    • Demo – The proof is in the pudding!
    [Graphic: CredentialGuard VS]
  • 4. What I’d like to discuss today (agenda slide, same content as slide 3)
  • 5. Stealing Windows credentials – where in the Cyber Kill Chain?
    [Diagram: Reconnaissance – Weaponization – Delivery – Exploitation – Installation – Command & Control – Action on Objectives]
    Windows credentials are typically a target for adversaries in the later stages of the compromise. After obtaining an initial foothold, credentials are stolen to further escalate privileges / move laterally in the environment!
  • 6. Windows credentials attacks
    Aside from generic attacks such as phishing or keylogging, the table below lists some of the most common ways used by adversaries to obtain Windows credentials.
    SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
  • 7. Introducing some of these tools – Capturing NTLMv2
    For various reasons, Kerberos may not be available, in which case Windows falls back to NTLMv2 challenge / response authentication:
    [Diagram: Client Workstation – Service (Database Server) – Domain Controller]
    1. Request authentication (client to server)
    2. Challenge (server to client)
    3. Response (client to server)
    4. Forward Chal + Resp (server to domain controller)
    5. Validation (domain controller)
    6. Server sends response to client
    The authenticating system uses the hashed credential to calculate a response based on the challenge sent by the server. In a Windows domain environment, the NTLM challenge & response are forwarded to the domain controller for validation of the credentials.
  • 8. Introducing some of these tools – Responder – Capturing NTLMv2
    Responder is (amongst others) an LLMNR, NBT-NS and mDNS poisoner. It attempts to trick systems into connecting / authenticating to the system it is running on. It then captures the authentication exchange (e.g. the NTLMv2 challenge / response), which could subsequently be cracked by a password cracking tool.
  • 9. Dumping credentials from LSASS memory
    Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in particular has become extremely popular:
    • It opens up an attack vector against users that are not configured locally (domain users). Furthermore, stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so they can immediately be reused in Pass-the-Hash attacks
    • Common attack flow:
      1. Obtain local admin access to one system in the domain
      2. Lure a domain admin to the machine (e.g. call the helpdesk)
      3. Dump credentials from memory
      4. Own the domain (“Domain dominance”)
      5. Persist domain ownership (Golden ticket, DCSync, Skeleton Key, …)
    • Tools like BloodHound create entire attack trees that reveal relationships between accounts and systems to facilitate this
  • 10. Dumping credentials from LSASS memory – Common technique
    Due to its size & complexity, it is often difficult for administrators to retain a good overview of how privileges are assigned across the environment. Adversaries can leverage this to spot excessive privileges which can be used in lateral movement…
    AD structure diagrams: the diagram below (generated by the attack tool BloodHoundAD) reveals an interesting way in which adversaries could move laterally through the target environment. In a few steps, Erik could easily steal the hashes of Stephen, thereby obtaining Domain Admin privileges.
    [Diagram: User Erik → Group “Workstation admins” → PC “Workstation 1” → (HasSession) User Stephen → Group “Domain admins”]
  • 11. Dumping credentials from LSASS memory – Mimikatz
    Mimikatz is a free, open-source Windows tool built by Benjamin Delpy (@gentilkiwi) to extract credentials from Windows computers. Its second version is often referred to as “Kiwi”. Due to its high reliability & flexibility, it is used by adversaries and penetration testers alike. Several variations have been created and it has been included as a module in the Metasploit Meterpreter attack tool.
    “Mimikatz is a tool I've made to learn C and make some experiments with Windows security. It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.”
  • 12. Dumping credentials from LSASS memory – The primacy of Mimikatz
    Executing the command privilege::debug enables the debug privilege. Executing the command lsadump::lsa /inject dumps the hashes from the LSA process (lsass.exe).
  • 13. Dumping credentials from LSASS memory – Mimikatz in the news
    The popularity of Mimikatz has sky-rocketed over the last few years:
    • In 2017, the NotPetya ransomware used various components of Mimikatz to support its lateral movement
    • In several APT investigations, Mimikatz was part of the standard toolkit used by advanced adversaries (amongst others, OilRig, Cobalt Kitty & APT28 have been observed using (variants of) Mimikatz)
    • Penetration testing & red teaming frameworks include (variants of) Mimikatz:
      • Metasploit Meterpreter has a built-in Mimikatz module
      • PowerShell Empire has a built-in version of Mimikatz
  • 14. Dumping credentials from LSASS memory – Some advanced Mimikatz features
    • To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS process can be fed to Mimikatz. This dump file can be created by built-in Windows tools (e.g. Task Manager) or the Sysinternals toolkit. This removes the need to run a “hacking tool” like Mimikatz on the target system…
    • Mimikatz can impersonate a Domain Controller and replicate all password hashes using MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz
    • Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in the memory of the Domain Controller (“Skeleton Key” attack)
  • 15. What I’d like to discuss today (agenda slide, same content as slide 3)
  • 16. What’s left behind?
    http://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material
  • 17. What’s left behind? – Mimikatz point of view
  • 18. Generic recommendations – Isolate Domain Controllers
    Put domain controllers in a different network than other servers and workstations. Use at least firewalls to separate the networks.
    [Diagram: Domain controllers network | Inner network]
  • 19. Generic recommendations – Privileged Access Workstations
    [Diagram: Domain controllers network | Privileged Access Workstations | Inner Network]
  • 20. Generic recommendations – Identity & Access Management
  • 21. Focused improvements – Windows 8 / 2012 – Restricted Admin
    The idea of “Restricted Admin” mode is that credentials are not sent upon establishing an RDP session, so the chances of capturing them using Mimikatz are lower!
    Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
  • 22. Focused improvements – Windows 8 / 2012 – Restricted Admin
    In a bit more detail:
    Normal RDP
    • Erik enters his password in the RDP client.
    • The RDP client performs a network logon to the target server to authorize Erik.
    • Erik is authorized & the RDP client securely relays the credentials to the target machine over a secure channel.
    • The target server uses these credentials to perform an interactive logon on behalf of Erik.
    Restricted Admin
    • RDP will try to interactively log on to the remote machine without sending credentials
    • The actual credentials are not required in order to set up the connectivity
  • 23. Focused improvements – Windows 8 / 2012 – Restricted Admin
  • 24. Focused improvements – Windows 8 / 2012 – Protected Processes
    In order to prevent hash dumping attacks aimed at the LSA process, Microsoft introduced “Protected Processes” as of Windows 8 & Windows Server 2012.
    • Protected processes were first introduced in Windows Vista for DRM (Digital Rights Management) purposes, but were adapted for “security purposes” in Windows 8
    • The screenshot on the right provides an example of the lsass.exe process running as a “protected process”
    • Protected Processes are implemented in the kernel software and can thus be defeated…
  • 25. Focused improvements – Windows 8 / 2012 – Protected Processes
  • 26. Focused improvements – Windows 8 / 2012 – Protected Processes
  • 27. Focused improvements – Windows 8 / 2012 – Domain Protected Users
    “Protected Users” enforces a number of restrictions on affected users, which aim to defend against several of the attack strategies previously mentioned:
    • Authentication using NTLM is disabled => protects against Responder-style attacks
    • WDigest & CredSSP clear-text credentials are no longer stored in LSASS => fewer results when dumping LSASS memory
    • On a device running Windows 8.1, passwords are not cached => protects against dumping of cached credentials (Windows default: the 10 most recent users)
    • Kerberos will not use DES or RC4 during pre-authentication => protects against “Kerberoasting” attacks
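Two of the Protected Users restrictions above leave a direct trace in the Security log, so membership can be verified rather than assumed: a member should never produce a successful NTLM logon (event 4624 with AuthenticationPackageName NTLM), and its TGT requests (event 4768) should never use DES or RC4. The check below is an added example, not from the presentation; the accounts, hosts, addresses and event lines are constructed sample data written as key=value records, and the field names follow the Windows Security events 4624, 4768 and 4769.

```python
"""Audit constructed Windows Security events against the Protected Users restrictions.

Added example, not code from the presentation. All accounts, hosts and events are constructed.
"""

# TicketEncryptionType values that Protected Users forbids during pre-authentication.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}

# Constructed: the Domain Admin from the BloodHound example, placed in Protected Users.
PROTECTED_USERS = {"CORP\\stephen"}

# Constructed sample events, one per line as key=value pairs (not real log data).
SAMPLE_EVENTS = """\
EventID=4624 TargetDomainName=CORP TargetUserName=stephen LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS01
EventID=4624 TargetDomainName=CORP TargetUserName=stephen LogonType=2 AuthenticationPackageName=Kerberos WorkstationName=PAW01
EventID=4768 TargetDomainName=CORP.LOCAL TargetUserName=stephen TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4768 TargetDomainName=CORP.LOCAL TargetUserName=stephen TicketEncryptionType=0x12 IpAddress=10.0.0.6
EventID=4769 TargetDomainName=CORP.LOCAL TargetUserName=stephen@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4624 TargetDomainName=CORP TargetUserName=erik LogonType=10 AuthenticationPackageName=NTLM WorkstationName=WS02
"""


def parse_event(line: str) -> dict:
    """Split one 'Key=Value Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def account_of(event: dict) -> str:
    """Normalise to DOMAIN\\user: 4768/4769 carry the realm and may use UPN form."""
    user = event.get("TargetUserName", "").split("@")[0].lower()
    domain = event.get("TargetDomainName", "").split(".")[0].upper()
    return f"{domain}\\{user}"


def audit_protected_users(events: str, protected: set) -> list:
    """Return one finding per event that contradicts the Protected Users restrictions.

    A *successful* NTLM logon (4624) for a member means the restriction is not in
    effect for that account (e.g. not actually a member, or the DC does not enforce it).
    Service-ticket etypes (4769) depend on the service account's keys, so only the
    TGT request (4768) is checked for DES/RC4.
    """
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        acct = account_of(ev)
        if acct not in protected:
            continue
        if ev.get("EventID") == "4624" and ev.get("AuthenticationPackageName") == "NTLM":
            findings.append({"rule": "ntlm-logon", "account": acct,
                             "source": ev.get("WorkstationName", "?"),
                             "detail": f"LogonType {ev.get('LogonType')}"})
        elif ev.get("EventID") == "4768" and ev.get("TicketEncryptionType") in WEAK_ETYPES:
            findings.append({"rule": "weak-preauth-etype", "account": acct,
                             "source": ev.get("IpAddress", "?"),
                             "detail": WEAK_ETYPES[ev["TicketEncryptionType"]]})
    return findings


if __name__ == "__main__":
    for f in audit_protected_users(SAMPLE_EVENTS, PROTECTED_USERS):
        print(f"{f['rule']:<20} {f['account']:<14} from {f['source']:<10} {f['detail']}")
```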
  • 28. What I’d like to discuss today (agenda slide, same content as slide 3)
  • 29. Introducing CredentialGuard
  • 30. Windows high-level architecture – Without CredentialGuard
  • 31. Having a look at the processes – Without CredentialGuard
  • 32. Windows high-level architecture – With CredentialGuard
    When Credential Guard is enabled, the LSA process still runs in userland. The actual credentials are stored in the isolated LSA process (LsaIso.exe). This process does not run under Windows, but in Virtual Secure Mode.
  • 33. Windows high-level architecture – With CredentialGuard
  • 34. Some caveats
  • 35. Some caveats – Another interesting attack strategy!
  • 36. What I’d like to discuss today (agenda slide, same content as slide 3)
  • 37. Demo time
  • 38. Conclusion
  • 39. Want to learn more?
    Want support? Get in touch with NVISO’s experts, we’d be happy to discuss how we can help further!
    Want to learn more? Join SEC599 – Defeating Advanced Adversaries!
    • London – April 2018
    • Amsterdam – September 2018
    • Brussels – October 2018
    More locations available at https://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses

Editor’s notes

  1. Welcome to SANS Security SEC599: Defeating Advanced Adversaries. In this course, you will build the essential skills required to fend off today’s advanced cyber attacks. The course will be highly hands-on, as we help you develop skills by exercising them in hands-on, realistic lab settings. Although this is not a penetration testing course, we will pay sufficient attention to the offensive side of the spectrum. We will provide you with a deep technical understanding of how advanced adversaries work, as this will help us be more efficient defenders. Likewise, we will inform you on how to respond to cyber security attacks, but will primarily focus on how to prevent and detect them.
     Our goal is to keep the course as interactive as possible. If you have a question, please let the instructor know. Discussions about relevant topics are incredibly important in a class like this, as we have numerous attendees with various levels of skill coming into the class. Share your insights and ask questions. The instructor does reserve the right, however, to take a conversation offline during a break or outside of class in the interest of time and applicability of the topic.
     As course authors, we welcome any comments, questions, or suggestions pertaining to the course material. We would also like to extend our thanks to Didier Stevens (a SANS ISC handler), whose contributions greatly helped improve the course.
     Erik Van Buggenhout – erik.van.buggenhout@gmail.com – www.nviso.be
     Stephen Sims – ssims@sans.org – www.sans.org
     Update: C01
  2. The Cyber Kill Chain ®
     As we are the defenders of the digital assets of our company or organization, we face adversaries using digital methods to attack our digital assets. It would be useful to have a digital equivalent of the military kill chain so that we can structure our defenses accordingly. Different groups and organizations have worked on documenting adversaries’ methods in a digital kill chain. Lockheed Martin developed the trademarked “Cyber Kill Chain ®”, which has risen in popularity to become one of the most used frameworks to describe cyber attacks. An alternative, slightly adapted variant is Dell SecureWorks’ “Cyber Kill Chain”. Both chains have more steps than the military kill chain.
     Lockheed Martin: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions On Objectives.
     Dell SecureWorks: Target Defined, Recon, Development, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives, Objective Met.
     For the purpose of our course, we will follow a similar structure, as most online publications related to cyber attacks do the same.
     References:
     http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
     https://www.secureworks.com/resources/wp-breaking-the-kill-chain