In this presentation, Erik Van Buggenhout (NVISO founder & SANS Instructor) zooms in on Windows 10 CredentialGuard and how it can be used to protect against LSASS hash dumping (e.g. using Mimikatz). Want to learn more? Join us at SANS SEC599!
2. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Who am I?
2
• Co-founder
• Incident Response & Threat
Hunting
• Lead Author & Instructor SEC599
• Instructor SEC560, 561, 562, 542
3. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What I’d like to discuss today
3
Quick Introduction
Refresher: Windows credentials attacks
Let’s talk defenses
What defense mechanisms were introduced
before?
CredentialGuard
What is this CredentialGuard you speak of?
Demo
The proof is in the pudding!CredentialGuard
VS
4. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What I’d like to discuss today
4
Quick Introduction
Refresher: Windows credentials attacks
Let’s talk defenses
What defense mechanisms were introduced
before?
CredentialGuard
What is this CredentialGuard you speak of?
Demo
The proof is in the pudding!CredentialGuard
VS
5. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Stealing Windows credentials – where in the Cyber Kill Chain?
5
Reconnaissan
ce
Delivery Installation
Action on
Objectives
Weaponizatio
n
Exploitation
Command &
Control
Windows credentials are typically a target for adversaries in the later stages
of the compromise. After obtaining an initial foothold, credentials are
stolen to further escalate privileges / move laterally in the environment!
6. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Windows credentials attacks
6
Aside from generic attacks such as phishing or keylogging, the table below lists some of the
most common ways used by adversaries to obtain Windows credentials:
SANS Senior Instructor Chad Tilbury has an excellent presentation on Windows Credentials Attacks, Mitigations & Defence:
https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
7. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Introducing some of these tools – Capturing NTLMv2
7
For different reasons, Kerberos could not be available, in which case Windows will revert
to NTLMv2 Challenge / Response authentication:
Domain
Controller
1. Request authentication
Service
Database
Server
2. Challenge
3. Response
Client
Workstation
6. Server sends response to
client
The authenticating system uses the
hashed credential to calculate a
response based on the challenge sent
by the server
In a Windows domain environment, the
NTLM challenge & response will be
forwarded to the domain controller for
validation of credentials
4. Forward Chal + Resp
5. Validation
8. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Introducing some of these tools – Responder – Capturing NTLMv2
8
Responder is (amongst others) an LLMNR, NBT-NS and MDNS poisoner. It will attempt to trick systems
to connect / authenticate to the system it is running on. It will then attempt to sniff the authentication
challenge (e.g. NTLMv2), which could be cracked by a password cracking tool.
9. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Dumping credentials from LSASS memory
9
Once an initial entry point in the network has been obtained, dumping credentials from LSASS memory in
particular has become extremely popular:
• Open ups attack vector against users that aren’t locally configured (domain users). Furthermore,
stolen credentials are in clear-text (Windows 7) or NT hash (Windows 10) format, so can immediately
be reused in Pass-the-Hash attacks
• Common attack flow:
1. Obtain local admin access to one system in domain
2. Lure domain admin to machine (e.g. Call Helpdesk)
3. Dump credentials from memory
4. Own the domain (“Domain dominance”)
5. Persist domain ownage (Golden ticket, DCSync, Skeleton Key,…)
• Tools like Bloodhound create entire attack trees that reveal relationships
between accounts and systems to facilitate this
10. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Dumping credentials from LSASS memory – Common technique
10
Due to its size & complexity, it’s often difficult for administrators to retain a good
overview of how privileges are assigned across the environment. Adversaries
can leverage this to spot excessive privileges which can be used in lateral
movement…
AD structure diagrams
The below diagram
(generated by the attacking
tool BloodHoundAD), reveals
an interesting way of how
adversaries could laterally
move through the target
environment: In a few steps,
Erik could easily steal the
hashes of Stephen, thereby
obtaining Domain Admin
privileges.
User:
Erik
Group:
Work-
station
admins
PC:
Work-
station
1
Group:
Domain
admins
User:
Stephen
HasSession
11. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Dumping credentials from LSASS memory – Mimikatz
11
Due to its high reliability & flexibility, it is used by adversaries and penetration
testers alike. Several variations have been created and it has been included as a
module in the Metasploit Meterpreter attacking tool.
Mimikatz is a free, open-source Windows tool built by Benjamin Delpy
(@gentilkiwi) to extract credentials from Windows computers. Its second
version is often referred to as “Kiwi”.
“Mimikatz is a tool I've made to learn C and make somes experiments with
Windows security. It's now well known to extract plaintexts passwords,
hash, PIN code and kerberos tickets from memory. Mimikatz can also
perform pass-the-hash, pass-the-ticket or build Golden tickets.”
12. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Dumping credentials from LSASS memory – The primacy of Mimikatz
12
Executing command
privilege::debug to enable
the debug privilege.
Executing
command
lsadump::lsa
/inject will dump
the hashes from
the LSA process
(lsaass.exe).
13. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Dumping credentials from LSASS memory – Mimikatz in the news
13
The popularity of Mimikatz has sky-rocketed over the last few years:
• In 2017, the NotPetya ransomware used various components of Mimikatz to supports its
lateral movement
• In several APT investigations, Mimikatz is part of the standard toolkit used by advanced
adversaries (Amongst others, Oilrig, Cobalt Kitty & APT-28 have been observed to use
(variants of) Mimikatz)
• Penetration testing & red teaming frameworks include (variants of) Mimikatz:
• Metasploit Meterpreter has a built-in Mimikatz module
Powershell Empire has a built-in version of Mimikatz
14. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Dumping credentials from LSASS memory – Some advanced Mimikatz features
14
• To prevent AV detection, Mimikatz supports an offline mode, where a dump of the LSASS
process can be fed to Mimikatz. This dump-file can be created by built-in Windows tools
(e.g. Task Manager) or the SysInternals toolkit. This removes the need of running a “hacking
tool” like Mimikatz on the target system…
• Mimikatz can impersonate a Domain Controller and replicate all password hashes using
MS-DRSR (Directory Replication Service Remote Protocol), labelled “DCSync” in Mimikatz
• Mimikatz can create AD persistence by generating golden tickets or installing a backdoor in
memory of the Domain Controller (“Skeleton Key” attack)
15. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What I’d like to discuss today
15
Quick Introduction
Refresher: Windows credentials attacks
Let’s talk defenses
What defense mechanisms were introduced
before?
CredentialGuard
What is this CredentialGuard you speak of?
Demo
The proof is in the pudding!CredentialGuard
VS
16. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What’s left behind?
16
http://technet.microsoft.com/en-us/windows-server-docs/security/securing-
privileged-access/securing-privileged-access-reference-material
17. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What’s left behind? – Mimikatz point of view
17
18. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Generic recommendations – Isolate Domain Controllers
18
Put domain
controllers in a
different
network than
other servers
and
workstations.
Use at least
firewalls to
separate the
networks.
Domain controllers
network
Inner network
21. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Focused improvements - Windows 8 / 2012 – Restricted Admin
21
The idea of “Restricted Admin” mode is that credentials are not sent upon establishing of an
RDP session, so the chances of capturing them using Mimikatz are lower!
Source: https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
22. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Focused improvements - Windows 8 / 2012 – Restricted Admin
22
In a bit more detail:
Normal RDP
• Erik enters his password to the RDP client.
• RDP client performs network logon to the
target server to authorize Erik.
• Erik is authorized & the RDP client securely
relays the credentials to the target machine
over a secure channel.
• The target server uses there credentials to
perform an interactive logon on behalf of
Erik.
Restricted Admin
• RDP will try to interactively log on to the
remote machine without sending credentials
• The actual credentials are not required in
order to set up the connectivity
24. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Focused improvements - Windows 8 / 2012 – Protected Processes
24
In order to prevent hash dumping attacks aimed at the
LSA process, Microsoft introduced “Protected
Processes” as of Windows 8 & Windows Server 2012.
• Protected processes were first introduced in
Windows Vista for DRM (Digital Rights
Management) purposes, but were adapted for
“security purposes” in Windows 8
• The screenshot on the right provides an example of
the lsass.exe process running as a “protected
process”
• Protected Processes are implemented in the Kernel
software and can thus be defeated…
27. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Focused improvements - Windows 8 / 2012 – Domain Protected Users
27
“Protected Users” enforces a number of restrictions on affected users, which try to defend
against several of the attack strategies previously mentioned:
Disable authentication using NTLM
=> Protect against Responder-style attacks
Wdigest & CredSSP clear-text credentials no longer stored in LSASS
=> Less results when LSASS memory dumping
On a device running Windows 8.1, passwords are not cached
=> Protect against dumping of cached credentials (default Windows: 10 latest users)
Kerberos will not use DES or RC4 during pre-authentication
=> Protect against “Kerberoasting” attacks
28. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What I’d like to discuss today
28
Quick Introduction
Refresher: Windows credentials attacks
Let’s talk defenses
What defense mechanisms were introduced
before?
CredentialGuard
What is this CredentialGuard you speak of?
Demo
The proof is in the pudding!CredentialGuard
VS
30. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Windows high-level architecture – Without CredentialGuard
30
31. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Having a look at the processes – Without CredentialGuard
31
32. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Windows high-level architecture – With CredentialGuard
32
When Credential Guard is
enabled, the LSA process still
runs in userland.
The actual credentials are
stored in the isolated LSA
process (LsaIso.exe).
This process does not run
under Windows, but in the
Virtual Secure Mode.
33. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Windows high-level architecture – With CredentialGuard
33
34. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Some caveats
34
35. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Some caveats – Another interesting attack strategy!
35
36. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
What I’d like to discuss today
36
Quick Introduction
Refresher: Windows credentials attacks
Let’s talk defenses
What defense mechanisms were introduced
before?
CredentialGuard
What is this CredentialGuard you speak of?
Demo
The proof is in the pudding!CredentialGuard
VS
37. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Demo time
37
39. InfoSecurity – 14 March 2018 – CredentialGuard &
Mimikatz
Want to learn more?
39
Want support?
Get in touch with NVISO’s experts, we’d be happy to discuss how we
can help further!
Want to learn more?
Join SEC599 – Defeating Advanced Adversaries!
• London – April 2018
• Amsterdam – September 2018
• Brussels – October 2018
More locations available at
https://www.sans.org/course/defeating-advanced-adversaries-
kill-chain-defenses
Notas del editor
Welcome to SANS Security SEC599: Defeating Advanced Adversaries.
In this course, you will build essential skills required to fend off today’s advanced cyber attacks. The course will be highly hands-on, as we help you develop skills by exercising them in hands-on, realistic lab settings. Although this is not a penetration testing course, we will have sufficient attention for the offensive side of the spectrum. We will provide you with a deep technical understanding of how advanced adversaries work, as this will help us be more efficient defenders. Likewise, we will inform you on how to respond to cyber security attacks, but will primarily focus on how to prevent and detect them.
Our goal is to keep the course as interactive as possible. If you have a question, please let the instructor know. Discussions about relevant topics are incredibly important in a class like this, as we have numerous attendees with various levels of skill coming into the class. Share your insights and ask questions. The instructor does reserve the right, however, to take a conversation offline during a break or outside of class in the interest of time and applicability of the topic.
As course authors, we welcome any comments, questions, or suggestions pertaining to the course material. We would also like to extend our thanks to Didier Stevens (a SANS ISC handler), whose contributions greatly helped improve the course.
Erik Van Buggenhout
erik.van.buggenhout@gmail.com
www.nviso.be
Stephen Sims
ssims@sans.org
www.sans.org
Update: C01
The Cyber Kill Chain ®
As we are the defenders of digital assets of our company or organization, we face adversaries using digital methods to attack our digital assets. It would be useful to have a digital equivalent of the military kill chain so that we can structure our defenses accordingly.
Different groups and organizations have worked on documenting adversaries' methods in a digital kill chain. Lockheed Martin developed the trademarked “Cyber Kill Chain ®”, which has risen in popularity to become one of the most used frameworks to describe cyber attacks. An alternative, slightly adopted variant is Dell SecureWorks’ “Cyber Kill Chain”. Both chains have more steps than the military kill chain.
Lockheed Martin: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions On Objectives.
Dell SecureWorks: Target Defined, Recon, Development, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives, Objective Met
For the purpose of our course, we will follow a similar structure, as most online publications related to cyber attacks do the same.
References:
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
https://www.secureworks.com/resources/wp-breaking-the-kill-chain