Pass-the-Hash Attacks. Billiard klub Harlequin Praha, 20.5.2015. Be The Best IT Pro or The Best...
TRANSCRIPT
Michael Grafnetter
www.dsinternals.com
Pass-the-Hash Attacks
Gold partner: General partner:
Agenda
PtH Attack Anatomy
Mitigation
– Proactive
– Reactive
Windows 10
PtH Attack Premises
– Single Sign-On
– Symmetric Cryptography
It is the combination of the two that makes PtH possible: a reusable secret is cached for SSO, and that secret alone is sufficient to authenticate.
PtH Attack Anatomy
Theft → Use → Compromise
Stealing the Hash
Credentials Lifecycle / Attack Vectors
Hashes in Windows

| Authentication Method | Hash Function | Salted |
| --- | --- | --- |
| LM | DES | NO |
| NTLM, NTLMv2 | MD4 | NO |
| Kerberos (RC4) | MD4 | NO |
| Kerberos (AES) | PBKDF2 | YES |
| Digest | MD5 | YES |
Credentials Lifecycle / Attack Vectors
Active Directory Database - Offline Files
– C:\Windows\NTDS\ntds.dit
– C:\Windows\System32\config\SYSTEM
Acquire
– Locally – ntdsutil IFM
– Remotely – WMI (Win32_Process), psexec
– VHDs, VMDKs, Backups
Extract
– libesedb+ntdsxtract
– Windows Password Recovery
NTDSXtract

```shell
esedbexport ntds.dit
python dsusers.py ntds.dit.export/datatable.4 --name Administrator --syshive SYSTEM --supplcreds --passwordhashes
```

Output:

```
Password hashes:
Administrator:$NT$cc36cf7a8514893efccd332446158b1a:::
Supplemental credentials:
  Kerberos newer keys
    salt: ADATUM.COMAdministrator
    Credentials
      18 b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
      17 8451bb37aa6d7ce3d2a5c2d24d317af3
      3 f8fd987fa7153185
```

The numbers in front of the keys are Kerberos encryption types: 18 is AES256-CTS-HMAC-SHA1-96, 17 is AES128-CTS-HMAC-SHA1-96 and 3 is DES-CBC-MD5. Note that the NT hash line carries no salt at all, while the Kerberos keys are derived with the realm and principal name as salt.
Windows Password Recovery - AD
KRBTGT Account
DEMO
IFM + Windows Password Recovery
Proactive Measures
Encryption
RODC
Backup protection
Regular password changes
Active Directory Database - Online
MS-DRSR/RPC
Proactive Measures
Avoid using administrative accounts
Do not run untrusted SW
SAM Database
Offline
– Files
• C:\Windows\System32\config\SAM
• C:\Windows\System32\config\SYSTEM
– Tools
• Windows Password Recovery
Online
– Mimikatz
DEMO
SAM dump using Mimikatz
Proactive Measures
Restrict administrative access
BitLocker
Randomize local Administrator passwords
Group Policy Local Admin Password Management Solution
Credentials Lifecycle / Attack Vectors
Windows Integrated Authentication
SSP Cached Creds (SSO)
Debug Privilege
DEMO
LSA dump using Mimikatz
Proactive Measures
Restrict administrative access
AppLocker/SRP whitelisting
Enable Additional LSA Protection
Protected Users group
Restricted Admin RDP
Authentication Policies and Silos
Shorten Kerberos ticket lifetime
Disable Automatic Restart Sign-On
Automatic Restart Sign-On
Kerberos Ticket Lifetime
Tier Model
Tier Model - Administrative logon restrictions
High-Value Accounts
Admins
– Domain Admins
– Enterprise Admins
– Schema Admins
– BUILTIN\Administrators
– BUILTIN\Hyper-V Administrators
Service Accounts
– SCCM, SCOM, DPM, Software Installation,…
BMC Accounts
Authentication Policies and Silos
Credential Verifiers
Windows caches AD credentials locally
Used when DC is unavailable
Defaults: 25 on servers, 10 on clients
AKA MS-CACHE and MS-CACHE v2
MS-CACHE Algorithm (XP)
MS-CACHE v2 Algorithm (Vista+)
Configuring Credential Cache
Credentials Lifecycle / Attack Vectors
Using the Hash/Key/Ticket
DEMO
Passing the NT hash using Mimikatz
Golden Ticket

```
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:srvcharly$ /id:1001 /groups:513,1107 /ticket:fake_utilisateur.kirbi
```
Proactive Measures
Disable NTLM Authentication
Disable Kerberos RC4-HMAC
Implement Smartcard Authentication
Unique local Administrator passwords
Logon restrictions with new well-known SIDs
– NT AUTHORITY\Local account
– NT AUTHORITY\Local account and member of Administrators group
– KB2871997 required on Windows 7 and 8
Firewalls
Strengthening Kerberos Security
PtH Mitigation Strategies
Planning for compromise
Identify all high-value assets
Protect against known and unknown threats
Detect PtH and related attacks
Respond to suspicious activity
Recover from a breach
NIST Framework for Improving Critical Infrastructure Cybersecurity
PtH Detection
Attack Graph
Events
Authentication
– Success
– Failure
Replication Traffic
…
Audit Process Creation
Reactive Measures
Change account passwords
Reset computer account passwords
Disable and re-enable smartcard-enforced accounts (this regenerates the random NT hash those accounts carry)
Reset KRBTGT account
Implement countermeasures
Windows 10
Hypervisor Code Integrity (HVCI) protected by VSM
Virtual Secure Mode (VSM)
[Diagram: Local Security Auth Service, Windows Apps, Virtual TPM, Hypervisor Code Integrity]
DEVICE GUARD
Hardware Rooted App Control
Enables a Windows desktop to be locked down to run only trusted apps, just like many mobile OSes (e.g. Windows Phone)
Resistant to tampering by an administrator or malware
Requires devices specially configured by either the OEM or IT
Untrusted apps and executables such as malware are unable to run
DEVICE GUARD
Getting Apps into the Circle of Trust
Supports all apps including Universal and Desktop (Win32)
Trusted apps can be created by IHVs, ISVs, and organizations using a Microsoft-provided signing service
Signing service will be made available to OEMs, IHVs, ISVs, and enterprises
Apps must be specially signed using the Microsoft signing service; no additional modification is required
MICROSOFT PASSPORT
YOUR DEVICE IS ONE OF THE FACTORS
SECURED BY HARDWARE
USER CREDENTIAL
An asymmetric key pair
Provisioned via PKI or created locally via Windows 10
WINDOWS HELLO
[Screenshot: "Hello Chris"; facial, fingerprint and iris recognition]
Follow current and follow-up courses at www.gopas.cz
A GIFT FOR YOU! …get a TechEd-DevCon 2015 T-shirt! Fill in the evaluation questionnaire and…
TechEd party!
Billiard klub Harlequin Praha, 20.5.2015
Be The Best IT Pro
or The Best Developer
CONTEST! CONTEST! CONTEST!