Darren Mar-Elia Head of Product
Presentation transcript:

Lateral Movement and Pass-the-Hash in Windows 10 — Am I Still Vulnerable?
Darren Mar-Elia, Head of Product, Semperis, Inc.; Founder, SDM Software/GPOGuy

Agenda
- Level set: what are lateral movement attacks?
- Credential theft and pass-the-hash
- Tools and techniques for moving laterally in Windows
- What's new to protect against this in Windows 10?
- Questions

Credential theft
- Credential theft is a broad category
- Pass-the-hash (PtH) is a Windows-specific instance of credential theft
- Involves stealing the LAN Manager hash or Kerberos keys of a user from LSASS memory on a Windows system
- Requires you to have administrative access to read the memory
- Credential theft is a common way to facilitate moving laterally
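Because reading LSASS memory needs administrative access and the PROCESS_VM_READ right, a process opening lsass.exe with that right is the event a defender can watch for. The script below is an added example, not part of the talk's slides: it classifies records in the shape of Sysmon Event ID 10 (ProcessAccess) data by the access mask granted on lsass.exe. The sample events and the allowlist of source images are constructed for the demonstration; the allowlist should come from your own baseline hosts.

```powershell
# Added example, not from the talk: classify Sysmon Event ID 10 (ProcessAccess)
# records that target lsass.exe. Reading LSASS memory needs PROCESS_VM_READ, so a
# non-allowlisted process holding that right is the signal to investigate.

# Process access rights relevant to credential dumping (winnt.h values)
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020
$PROCESS_CREATE_THREAD = 0x0002

# Assumption: source images that legitimately open lsass.exe on your baseline.
# These paths are illustrative; build the list from your own clean hosts.
$LsassAllowList = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

function Test-LsassAccess {
    param(
        [Parameter(Mandatory)] [string] $SourceImage,
        [Parameter(Mandatory)] [string] $TargetImage,
        [Parameter(Mandatory)] [string] $GrantedAccess   # hex string as Sysmon logs it, e.g. '0x1010'
    )
    # Only handle accesses whose target is lsass.exe
    if ((Split-Path -Path $TargetImage -Leaf) -ne 'lsass.exe') { return $null }

    $mask    = [Convert]::ToInt32($GrantedAccess, 16)
    $reads   = ($mask -band $PROCESS_VM_READ) -ne 0
    $writes  = ($mask -band ($PROCESS_VM_WRITE -bor $PROCESS_CREATE_THREAD)) -ne 0
    $trusted = $LsassAllowList -contains $SourceImage

    # e.g. 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) is noise: no memory access at all
    if (-not ($reads -or $writes)) { return $null }

    if ($trusted)    { $severity = 'Info' }
    elseif ($writes) { $severity = 'High' }     # write/inject into LSASS
    else             { $severity = 'Medium' }   # read-only access from an unknown image

    [pscustomobject]@{
        SourceImage   = $SourceImage
        GrantedAccess = '0x{0:X}' -f $mask
        ReadsMemory   = $reads
        WritesMemory  = $writes
        Severity      = $severity
    }
}

# Constructed sample records in the shape of Sysmon Event ID 10 data (not real telemetry)
$sampleEvents = @(
    @{ SourceImage = 'C:\Windows\System32\svchost.exe';   TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' },
    @{ SourceImage = 'C:\Users\alice\Downloads\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1010' },
    @{ SourceImage = 'C:\Users\alice\Downloads\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' },
    @{ SourceImage = 'C:\Windows\System32\notepad.exe';   TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1010' }
)

$sampleEvents |
    ForEach-Object { Test-LsassAccess -SourceImage $_.SourceImage -TargetImage $_.TargetImage -GrantedAccess $_.GrantedAccess } |
    Format-Table -AutoSize
```

On a real host the same fields come from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }`, provided the Sysmon configuration includes a ProcessAccess rule for lsass.exe. The sample run yields two findings for tool.exe (Medium for 0x1010, High for 0x1FFFFF); the svchost.exe query-only access and the notepad.exe event are dropped.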

Lateral movement attacks
- Compromise a user on one machine
- Find credentials of "interesting" users
- Use those credentials to move to higher-value users and machines

Typical lateral movement scenario (diagram; the chain ends at the Domain Controller)

Tools and techniques for moving laterally

Tools of the trade
- While not the only way to grab credentials, Mimikatz is probably the most widely used and the most versatile: https://github.com/gentilkiwi/mimikatz
- Provides a variety of methods for grabbing LM hashes, Kerberos tickets, etc.

Finding targets
- Once you have a credential, the trick is to find out where you can use it
- Lots of tools now help attackers with that
- And… your own environment can help!

BloodHound: https://wald0.com

PowerShell Empire and PowerSploit
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/EmpireProject/Empire

Using your own information
- Many of these "red team" tools use information in your infrastructure against you:
  - Group Policy security-related information, to find privileged accounts
  - AD ACL misconfiguration, to take over AD objects
  - AD group memberships of privileged accounts
- Once they get a credential foothold, finding "high-value targets" to move towards becomes easier

Demo — passing the hash and other information-gathering nastiness

Enter Windows 10 Credential Guard

What is Windows 10 Credential Guard?
- Instead of storing hashes and keys in LSASS memory, they are stored in a virtualization partition, isolated completely from the OS
- Credit: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works

Requirements for Credential Guard
- Windows 10 Enterprise x64 (or Server 2016)
- UEFI and Secure Boot
- TPM 2.0
- Virtualization support
- Don't enable on domain controllers — it will crash them!

Enabling Credential Guard
- Using Group Policy
- NOTE: NTLM v1 support is disabled when Credential Guard is enabled (GOOD!)
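The requirements and the "not on domain controllers" caveat are easy to check before pushing the Group Policy setting, and the same WMI provider tells you afterwards whether Credential Guard actually came up. The script below is an added example, not the talk's own material: run it in an elevated PowerShell session on the candidate host. It reads only standard CIM classes and registry values (Win32_DeviceGuard, Win32_Tpm, the LsaCfgFlags value) and reports; it changes nothing. The TPM 2.0 check follows the slide's requirement list.

```powershell
# Added example, not from the talk: report Credential Guard prerequisites and
# current state on a Windows 10 / Server 2016 host. Run elevated; read-only.

function Get-CredentialGuardReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # UEFI + Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }

    # TPM spec version string looks like "2.0, 0, 1.16"; the class is absent without a TPM
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    # Hardware virtualization enabled in firmware, or a hypervisor already running
    $virt = $cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent

    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDC = $cs.DomainRole -ge 4

    # DeviceGuard provider: VirtualizationBasedSecurityStatus 2 = VBS running,
    # SecurityServicesRunning contains 1 when Credential Guard is running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cgRunning  = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = disabled
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        OSCaption              = $os.Caption
        Is64Bit                = $os.OSArchitecture -like '64*'
        UefiSecureBoot         = [bool]$secureBoot
        Tpm20                  = $tpm20
        VirtualizationEnabled  = [bool]$virt
        IsDomainController     = $isDC
        LsaCfgFlags            = $lsaCfg
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $cgRunning
    }
}

function Test-CredentialGuardReady {
    param([Parameter(Mandatory)] $Readiness)
    # Returns the list of blockers; an empty list means the host meets the slide's requirements
    $problems = @()
    if (-not $Readiness.Is64Bit)               { $problems += '64-bit Windows required' }
    if (-not $Readiness.UefiSecureBoot)        { $problems += 'UEFI with Secure Boot required' }
    if (-not $Readiness.Tpm20)                 { $problems += 'TPM 2.0 not found' }
    if (-not $Readiness.VirtualizationEnabled) { $problems += 'Hardware virtualization disabled in firmware' }
    if ($Readiness.IsDomainController)         { $problems += 'Do not enable Credential Guard on a domain controller' }
    return $problems
}

$readiness = Get-CredentialGuardReadiness
$readiness | Format-List
$blockers = Test-CredentialGuardReady -Readiness $readiness
if ($blockers.Count -eq 0) { 'Host meets the Credential Guard requirements' } else { $blockers }
```

The Group Policy setting from the slide ("Turn On Virtualization Based Security", with Credential Guard configured under it) writes the same values this script reads back: `EnableVirtualizationBasedSecurity` and `RequirePlatformSecurityFeatures` (1 for Secure Boot, 3 for Secure Boot plus DMA protection) under `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard`, and `LsaCfgFlags` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. After the reboot, `CredentialGuardRunning` should flip to `True`; if `LsaCfgFlags` is set but the service is not running, one of the prerequisites above is usually the reason.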

What does Credential Guard protect?
- Logon session NTLM hash
- Logon session Kerberos: user name and password until the user gets a Ticket Granting Ticket (TGT)
- Any long-lived keys
- TGT session keys
- Any credentials that have been saved to Credential Manager

What does Credential Guard not protect?
- Local account credentials
- Microsoft accounts
- Azure AD accounts
- Service account passwords
- Application-specific credentials
- And of course… passwords stored in clear text in scripts, or Group Policy Preferences passwords
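Clear-text passwords in Group Policy Preferences are one of the "your own information" sources mentioned earlier and one of the things Credential Guard does nothing about, because they never pass through LSASS. The script below is an added example, not part of the talk's slides: it walks the Preferences XML files under a SYSVOL Policies share, reports every item that still carries a `cpassword` attribute, and identifies the item and account without ever outputting the stored value. The inline Groups.xml is a constructed sample with placeholder GUIDs so the parser can be exercised offline; the default SYSVOL path is built from `$env:USERDNSDOMAIN` and is an assumption about the domain layout.

```powershell
# Added example, not from the talk: locate Group Policy Preferences items that store
# a password (the cpassword attribute) in SYSVOL. Reports where they are, not the value.

function Find-GppPassword {
    param(
        [Parameter(Mandatory)] [string] $XmlText,
        [string] $Source = '<inline>'
    )
    $doc = [xml]$XmlText
    # cpassword sits on the <Properties> element of a User, Task, Service, Drive or DataSource item
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        $account = $null
        # different preference types name the account attribute differently
        foreach ($attr in 'userName', 'runAs', 'accountName', 'username') {
            if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
        }
        [pscustomobject]@{
            Source           = $Source
            ItemType         = $node.ParentNode.LocalName
            ItemName         = $node.ParentNode.GetAttribute('name')
            Account          = $account
            HasEmptyPassword = [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
        }
    }
}

function Find-GppPasswordInSysvol {
    # Assumption: standard SYSVOL layout; override -PoliciesPath for other domains or offline copies
    param([string] $PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            # cheap pre-filter before parsing XML
            if ($text -and $text -match 'cpassword') {
                try   { Find-GppPassword -XmlText $text -Source $_.FullName }
                catch { Write-Warning "Could not parse $($_.FullName)" }
            }
        }
}

# Constructed sample Groups.xml (placeholder GUIDs and a placeholder cpassword value)
$sampleGroupsXml = @'
<Groups clsid="{00000000-0000-0000-0000-00000000AAAA}">
  <User clsid="{00000000-0000-0000-0000-00000000BBBB}" name="LocalAdmin" image="2" changed="2017-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="constructed sample" cpassword="PLACEHOLDER-VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@

Find-GppPassword -XmlText $sampleGroupsXml -Source 'constructed Groups.xml' | Format-Table -AutoSize
```

Against the sample this reports one `User` item named `LocalAdmin` with account `LocalAdmin` and `HasEmptyPassword` false. In a real domain, run `Find-GppPasswordInSysvol` from a domain-joined host; every hit should be removed from the preference item and the affected account's password rotated, since the `cpassword` value is recoverable by anyone who can read SYSVOL, which is every domain user.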

Demo: enabling Credential Guard — how things change

Questions?