Presentation is loading. Please wait.

Presentation is loading. Please wait.

Darren Mar-Elia Head of Product

Published byKatrina Atkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Darren Mar-Elia Head of Product"— Presentation transcript:

1 Lateral Movement and Pass-the-Hash in Windows 10— Am I Still Vulnerable?
Darren Mar-Elia Head of Product Semperis, Inc., Founder-SDM Software/GPOGuy

2 Agenda Level Set—What are Lateral Movement Attacks?
Credential Theft and Pass-the-Hash Tools and techniques for moving laterally in Windows What’s new to protect against this in Windows 10? Questions

3 Credential theft Credential theft is a broad category
Pass-the-hash (PtH) is a Windows-specific instance of credential theft Involves stealing the LAN Manager Hash or Kerberos keys of a user from LSASS memory on a Windows System Requires you to have administrative access to read the memory Credential theft is a common way to facilitate moving laterally

4 Lateral Movement attacks
Compromise user on one machine Find credentials of “interesting” users Use creds to move to higher value users and machines

5 Typical lateral movement scenario
Domain Controller

6 Tools and techniques for moving laterally

7 Tools of the trade While not the only way to grab credentials, Mimikatz is probably the most widely used and the most versatile Provides a variety of methods for grabbing LM Hashes, Kerberos tickets, etc.

8 Finding Targets Once you have a credential, the trick is to find out where you can use it Lots of tools now to help attackers with that And…your own environment can help!

9 Bloodhound

10 Powershell empire and PowerSploit

11 Using your own information
Many of these “red team” tools use information in your infrastructure against you Group Policy security related information to find privileged accounts AD ACL mis-configuration to take over AD objects AD group memberships to privileged accounts Once they get a credential foothold, finding “high- value targets” to move towards becomes easier

12 Demo—passing the hash and other Information gathering nastiness

13 Enter Windows 10 Credential guard

14 What is Windows 10 credential guard?
Instead of storing hashes and keys in LSASS memory, they are stored in a virtualization partition—isolated completely from the OS Credit:

15 REQUIREMENTS FOR Credential guard
Windows 10 Enterprise x64 (or Server 2016) UEFI and Secure Boot TPM 2.0 Virtualization Support Don’t Enable on Domain Controllers—will crash them!

16 Enabling credential guard
NOTE: NTLM v1 support is disabled when credential guard is enabled (GOOD!) Using Group Policy

17 What Does credential guard protect?
Logon Session NTLM Hash Logon Session Kerberos User name and password until user gets Ticket Granting Ticket (TGT) Any long-lived keys TGT session keys Any credentials that have been saved to Credential Manager

18 What does credential guard not protect?
Local account credentials Microsoft accounts Azure AD accounts Service account passwords Application-specific credentials And of course… Passwords stored in clear-text in scripts or GP Preferences Passwords

19 Demo: Enabling credential guard—how things change

20 Questions?

Download ppt "Darren Mar-Elia Head of Product"

Similar presentations

Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,

Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.

Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.
Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |

Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |
2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s.

2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server Sue’s.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Forensic Artifacts From A Pass The Hash (PtH) Attack

Forensic Artifacts From A Pass The Hash (PtH) Attack
WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from https://training.zdresearch.com https://training.zdresearch.com.

WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections.

PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections.
Managing Active Directory Domain Services Objects

Managing Active Directory Domain Services Objects
PCIT304. 1. numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&

PCIT numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&
5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure Goals 

5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam Microsoft® Windows® 2000 Directory Services Infrastructure Goals 
8.1 © 2004 Pearson Education, Inc. Exam 70-297 Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 8: Planning.

8.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 8: Planning.

Similar presentations

Ads by Google