Don't Relay Me: Empirically Diagnose Privilege Escalation via Active Directory Account Sighting

Video: https://www.youtube.com/watch?v=FsZg1kHVUSU (duration 34:29)
With the complexity of AD, many severe threats have been exposed recently, but many of these relay attacks are by design and hard to fix. They are Windows features! Attackers could easily escalate their privileges to administrator via Kerberos relay, NTLM relay, network MITM, and cached credentials. At the network level, attackers could perform man-in-the-middle attacks to sniff credentials. At the endpoint level, attackers could harvest cached credentials. Even without cached credentials, attackers could still force authentication via relay attacks or launch cross-session attacks. With relay attacks, attackers stealthily log in to their target machines, while users only observe their own operational failures. For example, attackers could relay authentication to an ADCS (Active Directory Certificate Services) server to enroll certificates. Microsoft has provided some solutions, such as LDAP signing, to mitigate these vulnerabilities. However, these might be impractical due to compatibility concerns. Under these harsh circumstances, discovering these types of suspicious logons becomes a vital issue for blue teams.

In the beginning of this presentation, we give a comprehensive summary of relay attacks. Afterward, we summarize our real-world experience from AD assessment missions. We uncover real use cases that match attack scenarios in enterprise environments. The causes that lead to fulfilling attack preconditions can simply be divided into human and non-human operations. In human operation scenarios, we analyze cases where logons of normal and high-privileged users appear on the same endpoint even when the enterprise knows the privilege separation principle. This might result in cached credentials. In non-human operation scenarios, we cover the relay-targeted servers, such as file servers, and the potentially high-risk computer accounts. For example, SCCM (System Center Configuration Manager) accounts might be abused for logging into other endpoints with high permissions. Then we discuss how remote management tools such as PsExec and RDP applications can be utilized in a secure way. In the end, we deliver the operations the enterprise should perform and the mitigations it could apply.

In this talk, attendees will learn a full picture of relay attacks. The takeaways are listed below:
- Attendees can inventory endpoints that match attack scenarios, based on the real use cases we introduce.
- Attendees learn the operations they should perform and the mitigations they could apply against relay attacks.
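The "account sighting" idea in the abstract (a normal user and a high-privileged account both leaving logon traces on the same endpoint) can be turned into a simple inventory check over logon telemetry. The script below is an added illustration written for this page, not code from the speakers or from CyCraft; it assumes a constructed CSV export of Windows Security event 4624 records with the columns `host,event_id,account,logon_type`, a hypothetical list of privileged accounts (`CORP\da-jiang`, `CORP\svc-sccm`), and the assumption that logon types 2, 4, 5, 10 and 11 leave reusable credential material on the endpoint while a network logon (type 3) does not.

```python
import csv
import io
from collections import defaultdict

# Assumption for this example: these Windows logon types leave credential
# material (password hashes, tickets) cached on the endpoint. Type 3 (network)
# is deliberately excluded because it does not cache credentials locally.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Hypothetical privileged tier: domain admins, SCCM service account, etc.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jiang", "CORP\\svc-sccm"}

# Constructed sample of 4624/4625 records, not real telemetry.
SAMPLE_CSV = """host,event_id,account,logon_type
WS-001,4624,CORP\\alice,2
WS-001,4624,CORP\\da-jiang,10
WS-002,4624,CORP\\bob,2
WS-002,4624,CORP\\da-jiang,3
WS-002,4625,CORP\\svc-sccm,2
FS-01,4624,CORP\\svc-sccm,5
FS-01,4624,CORP\\carol,3
FS-01,4624,CORP\\dave,10
"""


def load_successful_logons(csv_text):
    """Parse the CSV export and keep only successful logons (event 4624)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "4624":
            continue  # 4625 is a failed logon: nothing was cached
        rows.append({
            "host": row["host"],
            "account": row["account"],
            "logon_type": int(row["logon_type"]),
        })
    return rows


def account_sightings(rows, privileged=PRIVILEGED_ACCOUNTS):
    """Return {host: (privileged_accounts, standard_accounts)} for every host
    where both a privileged and a standard account left credential-caching
    logons. Such a host is where a standard user's compromise (or a relay that
    lands on it) can be converted into the privileged account's credentials."""
    seen = defaultdict(set)
    for r in rows:
        if r["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES:
            seen[r["host"]].add(r["account"])

    findings = {}
    for host, accounts in seen.items():
        priv = accounts & privileged
        std = accounts - privileged
        if priv and std:
            findings[host] = (sorted(priv), sorted(std))
    return findings


def report(csv_text=SAMPLE_CSV):
    """Convenience wrapper: parse, analyse and return the findings."""
    return account_sightings(load_successful_logons(csv_text))


if __name__ == "__main__":
    for host, (priv, std) in sorted(report().items()):
        print(f"{host}: privileged {priv} sighted alongside standard {std}")
```

In the constructed data, WS-001 and FS-01 are flagged: an admin RDP session and an SCCM service logon sit beside standard-user logons that cache credentials. WS-002 is not flagged, because the admin only made a network logon there and the SCCM attempt failed. In a real deployment the CSV would come from a SIEM export, and the privileged set from the organisation's tiering model.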

ABOUT THE SPEAKERS
Shand-De Jiang (John Jiang) is a cybersecurity researcher at CyCraft Technology and is currently focused on incident response (IR), endpoint security, and Active Directory (AD) security. He has investigated multiple domestic and foreign APT-level security incidents and continues to perform in-depth analyses of attacker techniques and detection methods. He is an active member of the international cybersecurity community and has spoken at multiple conferences, including Black Hat USA, HITCON, and HITB. He is also the co-founder of the Taiwan cybersecurity organization UCCU Hacker.

Gary Sun is a cybersecurity researcher at CyCraft Technology and is currently focused on ETW security and .NET malware analysis. He graduated from the Institute of Network Engineering at National Yang Ming Chiao Tung University and has published papers at the Cryptology and Information Security Conference (CISC).

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
#BlueTeamSummit #BlueTeam #CyberDefense

Tags: cyber defense, cyber defenders, privilege escalation, active directory, ad account sighting, active directory account sighting