Detecting Active Directory Attacks with Azure
Next year will be 20 years since the creation of the Active Directory directory service. During this time, the service has acquired functionality, protocols, and various clients. But the need to maintain compatibility with a number of obsolete clients makes it necessary to have default settings oriented towards compatibility. Administrators often do not change them, and this creates a big risk. In this article we will look at the detection of attacks that can lead to domain dominance.
What is common between attacks on Active Directory and Azure? On March 1, 2018, the Azure Advanced Threat Protection service was released. This is a service that is a cloud analogue of the local product Advanced Threat Analytics. Unlike the local version, the cloud has no artificial limitations for machine learning and is updated regularly, like any cloud services. With it, you can detect both typical attacks and abnormal user behavior.
')
To get started, you can register a trial subscription .
After the initial configuration, you will need to download and install a gateway to collect data on all domain controllers in the enterprise network. This completes the setup.
Now I propose to consider an example of an attack in the following scenario: an employee insider who has taken over administrative rights on a local machine, plans to increase his domain privileges.
To begin, an employee will need to understand which account he will need to compromise in order to receive privileges in the domain. He is interested in the Domain Admins group. To locate members of Domain Admins, he makes a command line request:
Having found the users of the group, it is now necessary to find out which machine has active sessions of one of the users. Let us dwell on the trainer user.
To detect sessions, I will use the Bloodhound tool, which is well-known among pentesters. As you can see in the diagram, the trainer user has an active session on the W10-notGuarded workstation, which the attacker also has access to.
Let's go to the Azure ATP portal and see the new alerts. Requests to discover groups and sessions were detected.
Let's go back to the attacker. Having connected to the workstation, an attacker can dump the lsass process using a task manager (or from the command line using procdump). This operation will require debug privilege.
After receiving the dump, the attacker can copy it to his workstation and analyze it using Mimikatz.
Copy the dump into one folder with Mimikatz, run Mimikatz and connect the dump for analysis.
Let's output the results to a text file.
Extract the contents of the dump
By opening the text file Mimikatz.log you can find the credentials of the trainer user. We are interested in the NTLM password hash. The values ​​in the screenshot are hidden for privacy reasons.
The hashing operation is irreversible, so it is impossible to extract the password from the hash. If the password was simple, then there is a probability of selection through rainbow tables. Suppose that we were not lucky and could not find the password by hash. Then the Pass-the-Hash class attacks come into play.
Before considering the attacks, it briefly works as Kerberos authentication in Active Directory, in order to understand how this attack is possible. In order for an Active Directory client to access a specific resource, it will need a TGS ticket. Getting a TGS fingerprint is as follows:
At what stage is the attack related to the existing NTLM hash possible? The NTLM hash is the very common secret that the client and the domain controller have. Accordingly, knowing the NTLM hash, you can get a TGT ticket almost legitimately.
To launch an attack, we need a workstation on the same network as the domain controller and Mimikatz. The workstation itself does not have to be in the domain.
I will switch to the domain workstation the user jdoe is working at. I will check that I do not have access to the desired resource, but the trainer user should have it.
I will open Mimikatz and upgrade privileges to debug
Then I will specify the command:
A new command line has opened. I check access to the file - access is granted. At the same time, I'm still a jdoe user, but I have the trainer user Kerberos tickets.
This attack is called Overpass-the-Hash and is the exploitation of the peculiarities of the Kerberos protocol operation. Prevention of attacks is possible with the help of proper configuration and detection.
Let's go back to the Azure ATP portal and see what was discovered.
One alert is Unusual Protocol Implementation. This is the detection of "atypical" authentication.
The second is the Encryption Downgrade Activity. Detection of a Kerberos ticket request using Mimikatz.
Thus, we promptly discovered one of the attacks on the Kerberos protocol.
It is important to consider that the detection of attacks does not eliminate the need to carefully configure Active Directory security in accordance with best practices.
You can watch Azure ATP in action on April 21 at the Azure Global Bootcamp in Moscow in person or in the online broadcast.
Learn more about the basics and other security features using Azure in the new free e-book, Microsoft Azure Security Infrastructure in Russian.
The book provides general information, design tips, deployment scenarios, best practices, technology survey results and step-by-step instructions to help you make a comprehensive presentation of the Azure security features.
Sergey Chubarov - Infrastructure Project Manager at Prof IT. Winner of the status of Most Valuable Professional (MVP) by Microsoft Azure. In addition to project work, he is a speaker at technical events and a regional leader among Russian-speaking MCT trainers.
On April 21, on Saturday, we will hold Global Azure Bootcamp Russia 2018 - Azure Global Cloud Technologies Forum. Every year, the Azure community chooses a single conference day in more than 200 cities around the world, where IT experts can share their knowledge and experience with each other and share it with newcomers. Come, participation is free.
Registration
What is common between attacks on Active Directory and Azure? On March 1, 2018, the Azure Advanced Threat Protection service was released. This is a service that is a cloud analogue of the local product Advanced Threat Analytics. Unlike the local version, the cloud has no artificial limitations for machine learning and is updated regularly, like any cloud services. With it, you can detect both typical attacks and abnormal user behavior.
')
To get started, you can register a trial subscription .
After the initial configuration, you will need to download and install a gateway to collect data on all domain controllers in the enterprise network. This completes the setup.
Now I propose to consider an example of an attack in the following scenario: an employee insider who has taken over administrative rights on a local machine, plans to increase his domain privileges.
To begin, an employee will need to understand which account he will need to compromise in order to receive privileges in the domain. He is interested in the Domain Admins group. To locate members of Domain Admins, he makes a command line request:
net group “Domain Admins” /domainHaving found the users of the group, it is now necessary to find out which machine has active sessions of one of the users. Let us dwell on the trainer user.
To detect sessions, I will use the Bloodhound tool, which is well-known among pentesters. As you can see in the diagram, the trainer user has an active session on the W10-notGuarded workstation, which the attacker also has access to.
Let's go to the Azure ATP portal and see the new alerts. Requests to discover groups and sessions were detected.
Let's go back to the attacker. Having connected to the workstation, an attacker can dump the lsass process using a task manager (or from the command line using procdump). This operation will require debug privilege.
After receiving the dump, the attacker can copy it to his workstation and analyze it using Mimikatz.
Copy the dump into one folder with Mimikatz, run Mimikatz and connect the dump for analysis.
Sekurlsa::minidump lsass.dmpLet's output the results to a text file.
LogExtract the contents of the dump
Sekurlsa::logonpasswordsBy opening the text file Mimikatz.log you can find the credentials of the trainer user. We are interested in the NTLM password hash. The values ​​in the screenshot are hidden for privacy reasons.
The hashing operation is irreversible, so it is impossible to extract the password from the hash. If the password was simple, then there is a probability of selection through rainbow tables. Suppose that we were not lucky and could not find the password by hash. Then the Pass-the-Hash class attacks come into play.
Before considering the attacks, it briefly works as Kerberos authentication in Active Directory, in order to understand how this attack is possible. In order for an Active Directory client to access a specific resource, it will need a TGS ticket. Getting a TGS fingerprint is as follows:
- The client sends the current date and time to the domain controller, encrypting them using a shared secret.
- The domain controller, having received and decrypted the request, sends the TGT ticket to the client, which contains information about the user, which groups he is a member of, etc.
- When a client needs access to a resource, he contacts the controller, presents a TGT ticket and receives a TGS ticket.
- With this ticket is authenticated on the desired resource
At what stage is the attack related to the existing NTLM hash possible? The NTLM hash is the very common secret that the client and the domain controller have. Accordingly, knowing the NTLM hash, you can get a TGT ticket almost legitimately.
To launch an attack, we need a workstation on the same network as the domain controller and Mimikatz. The workstation itself does not have to be in the domain.
I will switch to the domain workstation the user jdoe is working at. I will check that I do not have access to the desired resource, but the trainer user should have it.
I will open Mimikatz and upgrade privileges to debug
Privilege::debugThen I will specify the command:
Sekurlsa::pth /user:trainer /domain:contoso.com /ntlm:<ntlm- trainer> (specify a real hash)A new command line has opened. I check access to the file - access is granted. At the same time, I'm still a jdoe user, but I have the trainer user Kerberos tickets.
This attack is called Overpass-the-Hash and is the exploitation of the peculiarities of the Kerberos protocol operation. Prevention of attacks is possible with the help of proper configuration and detection.
Let's go back to the Azure ATP portal and see what was discovered.
One alert is Unusual Protocol Implementation. This is the detection of "atypical" authentication.
The second is the Encryption Downgrade Activity. Detection of a Kerberos ticket request using Mimikatz.
Thus, we promptly discovered one of the attacks on the Kerberos protocol.
It is important to consider that the detection of attacks does not eliminate the need to carefully configure Active Directory security in accordance with best practices.
You can watch Azure ATP in action on April 21 at the Azure Global Bootcamp in Moscow in person or in the online broadcast.
Learn more about the basics and other security features using Azure in the new free e-book, Microsoft Azure Security Infrastructure in Russian.
The book provides general information, design tips, deployment scenarios, best practices, technology survey results and step-by-step instructions to help you make a comprehensive presentation of the Azure security features.
about the author
Sergey Chubarov - Infrastructure Project Manager at Prof IT. Winner of the status of Most Valuable Professional (MVP) by Microsoft Azure. In addition to project work, he is a speaker at technical events and a regional leader among Russian-speaking MCT trainers.
Global Azure Bootcamp 2018 Russia
On April 21, on Saturday, we will hold Global Azure Bootcamp Russia 2018 - Azure Global Cloud Technologies Forum. Every year, the Azure community chooses a single conference day in more than 200 cities around the world, where IT experts can share their knowledge and experience with each other and share it with newcomers. Come, participation is free.
Registration
Source: https://habr.com/ru/post/353832/
All Articles