Topics: The Problem; Attack Scenario; Demo; Mitigations and Recommendations; Next Steps

Aaron Margosis Ahmad Mahdi Ambrose Leung Benjamin Godard Bret Arsenault Brian Fielder Charlie Kaufman Crispin Cowan David Hoyle Dean Wells Eric Leonard Fernando Cima Georgeo Pulikkathara Jason Krolak Joe Bialek John Lambert Jonathan Ness Justin Hendricks Laura A. Robinson Lori Woehler Mark Cartwright Mark Novak Mark Oram Mark Russinovich Mark Simos Matt Thomlinson Michael Howard Michiko Short Mike Reavey Mohamed Rouatbi Nate Morin Patrick Arnold Patrick Jungles Paul Rich Peter Zdebski Roger Grimes Scott Robinson Scott V. Cleave Sean Finnegan Steve Patrick Tim Rains Tony Rice

Ideological Movements Organized Crime Nation States

…They were next spotted in March 2010, after signing on with the stolen password of a network administrator… …The hackers logged on through the company’s remote access system, just like any employee… The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

Attack activities and their description:
Lateral movement: the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
Privilege escalation: the attacker uses the credentials obtained from a compromised computer to gain access to another computer of higher value to the organization.

Tiers: Access: Users and Workstations; Power: Domain Controllers; Data: Servers and Applications.
1. Bad guy targets workstations en masse.
2. A user running as local admin is compromised; bad guy harvests credentials.
3. Bad guy uses the credentials for lateral traversal.
4. Bad guy acquires domain admin credentials and the associated privileges (privilege escalation).
5. Bad guy has direct or indirect access to read, write or destroy data and systems in the environment.

The same single sign-on (SSO) mechanism that brings significant benefits to the user experience also increases the risk of a PtH attack if an operating system is compromised. Credentials must be stored or cached to allow the operating system to perform actions on behalf of the user to make the system usable.

Location | Plaintext passwords (reversibly encrypted) | NT hash | LM hash | TGT | Windows logon cached password verifiers
Security Accounts Manager (SAM) database | - | Yes | Maybe (1) | - | -
Local Security Authority Subsystem (LSASS) process memory | Yes | Yes | Maybe (1) | Yes | -
Active Directory database | - | Yes | Maybe (1) | - | -
The Credential Manager (CredMan) store | Maybe | - | - | - | -
LSA Secrets in the registry | Yes (service accounts, scheduled tasks, etc.; computer account) | - | - | - | -
HKLM\Security | - | - | - | - | Yes

Mitigation | Effectiveness | Effort required | Privilege escalation | Lateral movement
Mitigation 1: Restrict and protect high privileged domain accounts | Excellent | Medium | √ | -
Mitigation 2: Restrict and protect local accounts with administrative privileges | Excellent | Low | - | √
Mitigation 3: Restrict inbound traffic using the Windows Firewall | Excellent | Medium | - | √

Mitigation 1: Restrict and protect high privileged domain accounts
Objective: Restrict the ability of administrators to inadvertently expose privileged credentials to higher-risk computers.
How:
- Restrict DA/EA accounts from authenticating to lower-trust computers.
- Provide admins with dedicated accounts for performing administrative duties.
- Assign dedicated workstations for administrative tasks.
- Mark privileged accounts as "sensitive and cannot be delegated".
- Do not configure services or scheduled tasks to use privileged domain accounts on lower-trust computers.
Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
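The following script is an added example (not code from the whitepaper or the slides) that audits two of the Mitigation 1 items with the ActiveDirectory module: it marks every Domain Admins / Enterprise Admins member as "sensitive and cannot be delegated", then looks on lower-trust hosts for services and scheduled tasks that run as one of those accounts. The group names, the host list in $LowerTrustHosts and the function name ConvertTo-SamAccountName are assumptions for illustration.

```powershell
# Added example, not from the whitepaper or the slides: audit the Mitigation 1 settings.
# Assumptions: the RSAT ActiveDirectory module is installed and the caller can read the
# domain; the privileged groups are Domain Admins and Enterprise Admins; $LowerTrustHosts
# is a constructed list of workstation names standing in for the real lower-trust tier.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
$LowerTrustHosts  = @('WS-HELPDESK01', 'WS-FINANCE02')      # constructed sample

# Resolve the privileged user population once (nested group membership included).
$PrivilegedUsers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$PrivilegedUsers = $PrivilegedUsers | Sort-Object -Property SamAccountName -Unique
$PrivilegedSams  = $PrivilegedUsers.SamAccountName | ForEach-Object { $_.ToLowerInvariant() }

# 1. Mark every privileged account "Account is sensitive and cannot be delegated", so a
#    compromised server that is trusted for delegation cannot reuse the admin's Kerberos ticket.
foreach ($u in $PrivilegedUsers) {
    $acct = Get-ADUser -Identity $u.SamAccountName -Properties AccountNotDelegated
    if (-not $acct.AccountNotDelegated) {
        Write-Warning "$($acct.SamAccountName) is delegatable; setting AccountNotDelegated"
        Set-ADUser -Identity $acct -AccountNotDelegated $true
    }
}

# Normalise a service or task "run as" value (DOMAIN\user or user@domain) to a sAMAccountName.
function ConvertTo-SamAccountName([string]$RunAs) {
    if ([string]::IsNullOrWhiteSpace($RunAs)) { return $null }
    if ($RunAs -match '\\') { return (($RunAs -split '\\')[-1]).ToLowerInvariant() }
    return (($RunAs -split '@')[0]).ToLowerInvariant()
}

# 2. Find services and scheduled tasks on lower-trust hosts that run under a privileged domain
#    account: those hosts hold the password as an LSA secret on disk (logon types 4 and 5).
#    Both queries below are network logons (type 3), so the audit itself leaves no reusable
#    credentials on the hosts it inspects.
foreach ($h in $LowerTrustHosts) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $h |
        Where-Object { $PrivilegedSams -contains (ConvertTo-SamAccountName $_.StartName) } |
        ForEach-Object { Write-Warning "$h : service '$($_.Name)' runs as $($_.StartName)" }

    schtasks.exe /Query /S $h /V /FO CSV | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |            # drop repeated header rows
        Where-Object { $PrivilegedSams -contains (ConvertTo-SamAccountName $_.'Run As User') } |
        ForEach-Object { Write-Warning "$h : task '$($_.TaskName)' runs as $($_.'Run As User')" }
}
```

The deny-logon part of the mitigation (Deny log on locally, Deny log on through Remote Desktop Services, Deny access to this computer from the network, Deny log on as a batch job / as a service for the DA/EA groups) is a Group Policy user-rights assignment linked to the workstation and server OUs; it is not applied by this script.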

Mitigation 2: Restrict and protect local accounts with administrative privileges
Objective: Restrict the ability of attackers to use local administrator accounts or their equivalents for lateral-movement PtH attacks.
How:
- Enforce the restrictions available in Windows Vista and newer that prevent local accounts from being used for remote administration.
- Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
- Create unique passwords for local accounts with administrative privileges.
Outcome: An attacker who obtains local account credentials from a compromised computer will not be able to use them to perform lateral movement on the organization's network.
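An added example (not from the whitepaper or the slides) of applying the two logon-right denials on a single computer and verifying the Vista-era restriction the slide refers to. It assumes an elevated session on Windows 8.1 / Server 2012 R2, or an older system with KB2871997, which define the well-known SID S-1-5-114 ("Local account and member of Administrators group"); the file names under $env:TEMP are arbitrary. The Vista restriction is UAC remote restrictions: a local Administrators member gets only a filtered token over the network unless LocalAccountTokenFilterPolicy is set to 1.

```powershell
# Added example, not from the whitepaper or the slides. Assumptions: run elevated on a system
# that knows the S-1-5-114 well-known SID (Windows 8.1 / 2012 R2, or KB2871997 installed).

# Security template denying network and Remote Desktop logon to every local admin account.
# Single-quoted here-string so $CHICAGO$ is written literally.
$Inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
'@

$InfPath = Join-Path $env:TEMP 'deny-local-admin.inf'
$DbPath  = Join-Path $env:TEMP 'deny-local-admin.sdb'
$Inf | Set-Content -Path $InfPath -Encoding Unicode
secedit.exe /configure /db $DbPath /cfg $InfPath /areas USER_RIGHTS

# Verify: export the effective user-rights policy and read back the two deny rights.
$Export = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $Export /areas USER_RIGHTS | Out-Null
Get-Content $Export | Where-Object { $_ -match '^SeDeny(Network|RemoteInteractive)LogonRight' }

# Verify UAC remote restrictions are still in force. LocalAccountTokenFilterPolicy = 1 gives
# any local Administrators member a full (unfiltered) token on network logons, which is
# exactly what a PtH attack with a harvested local admin hash needs.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Val = (Get-ItemProperty -Path $Key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($Val -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: local admin accounts are usable remotely with full privileges'
} else {
    'UAC remote restrictions in effect (LocalAccountTokenFilterPolicy absent or 0)'
}
```

Local policy set this way is overridden by any domain GPO that configures the same user rights, so in a domain the same two settings belong in the workstation GPO; the export check works either way because it reports the effective policy.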

Mitigation 3: Restrict inbound traffic using the Windows Firewall
Objective: Restrict the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.
How: Restrict all inbound connections to all workstations except for expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.
Outcome: An attacker who obtains any type of account credentials will not be able to connect to other workstations.
Note: a whitepaper update recently released adds guidance for authorized peer-to-peer applications.
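An added example (not from the whitepaper or the slides) of the workstation inbound policy using the NetSecurity cmdlets available on Windows 8 / Server 2012 and later. The addresses in $TrustedSources are constructed placeholders for the helpdesk, scanner and management-server ranges; the rule display names are arbitrary.

```powershell
# Added example, not from the whitepaper or the slides. Assumptions: run elevated on
# Windows 8 / Server 2012 or later; the source ranges below are constructed placeholders.
$TrustedSources = @(
    '10.10.50.0/24',   # helpdesk workstations (assumed range)
    '10.10.60.10',     # security compliance scanner (assumed address)
    '10.10.70.0/24'    # management servers (assumed range)
)

# Default posture on every profile: nothing inbound, outbound unchanged.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Disable the built-in allow rules for remote administration so that a peer workstation
# cannot reach SMB, RDP, WinRM or the RPC-based management interfaces at all.
$AdminGroups = 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management',
               'Remote Event Log Management', 'Remote Service Management', 'Remote Scheduled Tasks Management'
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -in $AdminGroups } |
    Disable-NetFirewallRule

# Re-allow inbound traffic only from the trusted sources. The rule is scoped by remote
# address rather than by port because RPC-based tools (MMC snap-ins, WMI) use dynamic
# ports, which a port-based allow list would silently break.
New-NetFirewallRule -DisplayName 'PtH: inbound from management sources only' `
    -Direction Inbound -Profile Domain -RemoteAddress $TrustedSources -Action Allow | Out-Null

# Review what is now open and from where.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr.RemoteAddress -join ',') }
    } | Format-Table -AutoSize
```

The review step matters more than the rules: any remaining inbound allow rule whose RemoteAddress is "Any" (typically an application-installed rule) is a path a compromised peer can still use, and the peer-to-peer guidance mentioned on the slide is about exactly those rules.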

Recommendations | Effectiveness | Effort required | Privilege escalation | Lateral movement
Remove standard users from the local administrators group | Excellent | High | √ | -
Limit the number and use of privileged domain accounts | Good | Medium | √ | -
Configure outbound proxies to deny Internet access to privileged accounts | Good | Low | √ | -
Ensure administrative accounts do not have email accounts | Good | Low | √ | -

More recommendations | Effectiveness | Effort required | Privilege escalation | Lateral movement
Use remote management tools that do not place reusable credentials in a remote computer's memory | Good | Medium | √ | -
Avoid logons to potentially compromised computers | Good | Low | √ | √
Update applications and operating systems | Partial | Medium | - | -
Secure and manage domain controllers | Partial | Medium | - | -
Remove LM hashes | Partial | Low | - | -

Other mitigations | Effectiveness | Effort required | Privilege escalation | Lateral movement
Disable NTLM | Minimal | High | - | -
Smart cards and multifactor authentication | Minimal | High | - | -
Jump servers | Minimal | High | √ | -
Rebooting workstations and servers | Minimal | Low | - | -

Mitigations and recommendations in the paper are what can be done today (easily).

Whitepaper and Next Steps
- The PtH workgroup will continue to investigate mitigations for credential theft and reuse.
- Read the whitepaper: Mitigating Pass-the-Hash Attacks and other Credential Theft Techniques (Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf).
- Spread the word.
- Questions? Interested in advanced architectures? Mark.Simos [at] Microsoft.com

Advanced architecture (diagram labels only): tiers Access: Users and Workstations; Power: Domain Controllers; Data: Servers and Applications. Production domain(s) alongside a separate hardened Admin Environment holding the Domain Admins and Management and Monitoring functions. Controls: IPsec, credential partitioning, hardened admin environment, hardened workstations, network security, accounts and smartcards, auto-patching, security alerting, tamper-resistant audit, break glass account(s), red card admins. Threats shown: Internet, lateral traversal against services and applications. The admin environment assists with mitigating risks in production.

Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples
Interactive (a.k.a. Logon locally) | 2 | Password, smartcard, other | Yes | Console logon; RUNAS; hardware remote control solutions (such as a network KVM or a remote access / lights-out card in a server); IIS Basic authentication (before IIS 6.0)
Network | 3 | Password, NT hash, Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets are present) | NET USE; RPC calls; remote registry; IIS integrated Windows authentication; SQL Windows authentication
Batch | 4 | Password (usually stored as LSA secret) | Yes | Scheduled tasks
Service | 5 | Password (usually stored as LSA secret) | Yes | Windows services
NetworkCleartext | 8 | Password | Yes | IIS Basic authentication (IIS 6.0 and newer); Windows PowerShell with CredSSP
NewCredentials | 9 | Password | Yes | RUNAS /NETONLY
RemoteInteractive | 10 | Password, smartcard, other | Yes | Remote Desktop (formerly known as "Terminal Services")

Connection method | Logon type | Reusable credentials on destination | Comments
Log on at console | Interactive | √ | Includes hardware remote access / lights-out cards and network KVMs.
RUNAS | Interactive | √ |
RUNAS /NETONLY | NewCredentials | √ | Clones the current LSA session for local access, but uses the new credentials when connecting to network resources.
Remote Desktop (success) | RemoteInteractive | √ | If the Remote Desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure: logon type was denied) | RemoteInteractive | - | By default, if an RDP logon fails the credentials are only stored very briefly. This may not be the case if the computer is compromised.
Net use * \\SERVER | Network | - |
Net use * \\SERVER /u:user | Network | - |
MMC snap-ins to remote computer | Network | - | Examples: Computer Management, Event Viewer, Device Manager, Services.
PowerShell WinRM | Network | - | Example: Enter-PSSession server
PowerShell WinRM with CredSSP | NetworkClearText | √ | Example: New-PSSession server -Authentication Credssp -Credential cred
PsExec without explicit creds | Network | - | Example: PsExec \\server cmd
PsExec with explicit creds | Network + Interactive | √ | Example: PsExec \\server -u user -p pwd cmd. Creates multiple logon sessions.
Remote Registry | Network | - |
Remote Desktop Gateway | Network | - | Authenticating to the Remote Desktop Gateway itself.
Scheduled task | Batch | √ | Password will also be saved as an LSA secret on disk.
Run tools as a service | Service | √ | Password will also be saved as an LSA secret on disk.
Vulnerability scanners | Network | - | Most scanners default to network logons, though some vendors may implement non-network logons and introduce more credential theft risk.
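The two tables above reduce to a simple rule: logon types 2, 4, 5, 8, 9 and 10 leave reusable credentials on the destination, type 3 does not unless delegation puts a ticket there. The following is an added example (not code from the whitepaper or the slides) that encodes that rule and runs it over a constructed set of Security event 4624 fields to flag privileged accounts whose credentials have landed on workstations. The sample events, the privileged-account list, the workstation naming convention (names starting with WS-) and the function name Test-CredentialExposure are all assumptions.

```powershell
# Added example, not from the whitepaper or the slides. Sample data below is constructed.

# Logon types from the table above and whether they leave reusable credentials in the
# destination's LSA session.
$LogonTypes = @{
    2  = @{ Name = 'Interactive';       Reusable = $true  }
    3  = @{ Name = 'Network';           Reusable = $false }   # except when delegation adds a TGT
    4  = @{ Name = 'Batch';             Reusable = $true  }
    5  = @{ Name = 'Service';           Reusable = $true  }
    8  = @{ Name = 'NetworkCleartext';  Reusable = $true  }
    9  = @{ Name = 'NewCredentials';    Reusable = $true  }
    10 = @{ Name = 'RemoteInteractive'; Reusable = $true  }
}

function Test-CredentialExposure {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Events,              # 4624-style fields per event
        [Parameter(Mandatory)] [string[]]    $PrivilegedAccounts    # assumed list of privileged sAMAccountNames
    )
    foreach ($e in $Events) {
        $type = [int]$e.LogonType
        $lt   = $LogonTypes[$type]
        $reusable = if ($null -eq $lt) { $null } else { $lt.Reusable }
        # A network logon with Kerberos delegation enabled leaves a forwardable TGT behind.
        if ($type -eq 3 -and $e.Delegated) { $reusable = $true }

        $isPriv        = $PrivilegedAccounts -contains $e.TargetUserName
        $isWorkstation = $e.Computer -like 'WS-*'            # assumed naming convention
        $finding = if ($isPriv -and $isWorkstation -and $reusable) { 'PRIVILEGED CREDS EXPOSED ON WORKSTATION' }
                   elseif ($isPriv -and $reusable)                 { 'privileged reusable logon (review)' }
                   else                                            { '' }

        [pscustomobject]@{
            Computer  = $e.Computer
            Account   = $e.TargetUserName
            LogonType = "$type ($($lt.Name))"
            Reusable  = $reusable
            Finding   = $finding
        }
    }
}

# Constructed sample events; Computer is the destination host that logged event 4624.
$Sample = @(
    @{ Computer = 'WS-FIN02'; TargetUserName = 'da-jsmith';  LogonType = 10 }                    # DA over RDP into a workstation
    @{ Computer = 'WS-FIN02'; TargetUserName = 'helpdesk1';  LogonType = 3  }                    # net use / MMC: nothing reusable
    @{ Computer = 'SRV-APP1'; TargetUserName = 'da-jsmith';  LogonType = 3; Delegated = $true }  # server trusted for delegation
    @{ Computer = 'WS-HR05';  TargetUserName = 'svc-backup'; LogonType = 5  }                    # service account on a workstation
    @{ Computer = 'WS-HR05';  TargetUserName = 'asmith';     LogonType = 2  }                    # ordinary user at the console
)

Test-CredentialExposure -Events $Sample -PrivilegedAccounts @('da-jsmith', 'svc-backup') |
    Format-Table -AutoSize
```

On the sample, the RDP logon by da-jsmith to WS-FIN02 and the svc-backup service on WS-HR05 are flagged as exposures, the delegated network logon on SRV-APP1 is marked for review, and the two type 3 / type 2 logons by non-privileged accounts produce no finding. To run this against live data, collect event 4624 with Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } from the destination hosts (a type 3 logon itself) and map the TargetUserName and LogonType fields of each event's EventData into the same hashtable shape; whether delegation applies is not in the event and has to come from the computer's "Trusted for delegation" setting in AD.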