Understanding the Attacker You Know (SecTor presentation, slide transcript)

Slide 1: Understanding the Attacker You Know
A walk-through of a malicious employee threat scenario and the lessons it can teach
Brian Read
Security Practice Manager
Conexsys Communications Ltd.
Slide 2: Who is Conexsys Communications?
• Security service provider and integrator
• 55 years in the Canadian IT Market
• Trusted advisor to many large customers in the financial, oil and gas and government sectors.
Slide 3: Technology Integration Services
• Design, Installation, Configuration
• Support, Training
• Specialize in multi-vendor environments
Slide 5: Technology Independent Services
• Controls Design and Strategy
• Vulnerability Assessments
• Penetration Tests
• New Technology Evaluation
Slide 6: Who am I?
• Security Practice Manager at Conexsys Communications Ltd.
• SME for PIDM, Vulnerability Management Solutions
• Advise clients on controls design and other strategic security projects
• Lead the VA and PenTest team
Slide 7: Today's Goals
• Walk through a malicious employee case study
• Outline the lessons you can learn from the scenario
• Takeaways:
  – 3 publicly available scripts that you can use to simulate an insider threat
  – 1 free tool that can find hundreds of holes in your AD deployment
  – The single best control for measuring the threat from malicious employees
Slide 8: The Malicious Employee Threat
• Employee with a corporate system on the inside network
• Restricted access to their system
• Restricted access to organizational resources
• Not a skilled hacker
Slide 9: The Malicious Employee Threat
• Employee with a restricted user account
• An organizational system on the network
• Restricted access to resources
• Not a professional hacker
  – Not compiling custom malware
  – Not developing Zero-Days
  – No expensive testing tools
Slide 10: The Malicious Employee
• Employee with a restricted user account
• An organizational system on the network
• Restricted access to resources
• Not a skilled hacker
• Doesn't want to compromise their employment or go to jail
Slide 11: The Malicious Employee
• Employee with a restricted user account
• An organizational system on the network
• Restricted access to resources
• Not a professional hacker
• Doesn't want to compromise their employment or go to jail
  – No phishing
  – No rogue WiFi access points
  – No USB in coworkers' systems
  – Minimize traceable changes
Slide 13: Outsider Threat Kill Chain
Stages shown on the slide:
• Recon
• Weaponization
• Delivery
• Maintain Persistence
• Command and Control
• Exploitation
• Escalate Privileges Locally
• Steal Other Credentials
• Move Laterally
• Accomplish Goal
Slide 14: Insider Threat Kill Chain
Same stages as the outsider chain (Recon, Weaponization, Delivery, Maintain Persistence, Command and Control, Exploitation, Escalate Privileges Locally, Steal Other Credentials, Move Laterally, Accomplish Goal); the insider already sits past the delivery and exploitation stages, so the walk-through starts at local privilege escalation.
Slide 16: How to Hack From Your Workstation
• Trend towards using functionality built into Windows
Slide 17: Attack Tools Inside Windows
• Net commands, batch files
• Sysinternals or other support tools
• VBScript, JavaScript
• CScript, Windows Scripting Host
• Windows Subsystem for Linux
Slide 18: PowerShell - The Ultimate Attack Platform
• Access to all aspects of Windows functionality
• Bypass AV: no requirement to save files to disk
Slide 19: PowerShell – Tough to Restrict
• Can't remove – built into Windows
• Tough to restrict – usually needs to be whitelisted
• Lots of techniques for breaking current containment controls and running scripts
Slide 20: PowerShell – Premade Attack Tools
• Many standalone scripts to choose from
• One repository collectively known as PowerSploit
• Started by Matt Graeber with help from many other contributors
  – https://github.com/PowerShellMafia/PowerSploit/graphs/contributors
Slide 21: Escalating Local Privileges
Kill chain stage: Escalate Privileges Locally (followed by Steal Other Credentials, Move Laterally, Accomplish Goal)
Slide 22: Gaining Local Admin – Group Policy Preferences
• Use group policy to push down local settings including administrator or other local account passwords
• Promotes sharing passwords across multiple systems, insecure storage of passwords
• Phased out in May 2013 (but legacy passwords remain)
Slide 23: Exploiting – Group Policy Preferences
• PowerSploit: Get-GPPPassword
• Can be run by any domain user
• Just need a PowerShell prompt
• Decrypts and exposes passwords
Slide 24: Exploiting – Group Policy Preferences (continued)
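The defensive counterpart to the Get-GPPPassword slides, as an added example that is not part of the presentation and not PowerSploit code: a read-only audit that walks SYSVOL for the Group Policy Preference XML files that can carry a cpassword attribute and lists every entry still present, so the GPO item can be deleted and the affected account's password rotated. It assumes the Policies folder of the current domain's SYSVOL share (built from the USERDNSDOMAIN environment variable; pass -SysvolPath to override) and only needs the read access any domain user already has, which is exactly why these entries are worth finding first.

```powershell
# Added example: audit SYSVOL for Group Policy Preference items that still
# store a cpassword. Read-only; nothing is decrypted or modified.
function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Assumption: the Policies folder of the current domain's SYSVOL share
        [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    # GPP item types whose XML can carry a stored credential
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $SysvolPath -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # The GPO GUID is the folder directly beneath Policies
            $gpoGuid = (($file -split '\\Policies\\')[1] -split '\\')[0]
            [xml]$doc = Get-Content -LiteralPath $file -Raw

            # Any element carrying a cpassword attribute is a stored password,
            # whichever GPP item type wrote it
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # Different item types name the account attribute differently
                $account = $null
                foreach ($attr in 'userName', 'runAs', 'accountName') {
                    if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
                }
                [pscustomobject]@{
                    GpoGuid = $gpoGuid
                    File    = $file
                    Item    = $node.ParentNode.LocalName   # e.g. User, Task, Service, Drive
                    Account = $account
                    Changed = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Usage: list the findings, then remove each item from its GPO in GPMC
# and rotate the password of every account that appears in the Account column
Find-GppStoredPassword | Sort-Object GpoGuid | Format-Table -AutoSize
```

Removing the item from the GPO deletes the XML entry from SYSVOL on the next replication; rerun the audit afterwards to confirm nothing remains, and treat every account listed as compromised until its password has been changed.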
Slide 25: Gaining Local Admin – Other Techniques
• Services with misconfigured ACLs or lax permissions
• Scheduled tasks running with admin\system rights
• Registry keys with lax permissions
Slide 26: Gaining Local Admin – Other Techniques
• PowerSploit: PowerUp
• Invoke-AllChecks
• Just need a PowerShell prompt and user-level access
Slide 27: Invoke-AllChecks Results
• Create secondary admin account
• Reset local admin password
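Slides 25 to 27 describe what PowerUp finds; the check below is an added example (not from the presentation and not PowerUp code) of the same class of misconfiguration audited from the administrator's side, so it can be fixed before an internal test or an insider finds it. It reads every service's binary path, flags executables whose ACL lets Everyone, Users, Authenticated Users or INTERACTIVE write or modify the file (the principals every restricted domain user belongs to), and separately flags unquoted paths containing spaces. The list of broad principals is an assumption; extend it with any group your users are placed in. It is read-only and runs as an ordinary user, though a full view of ACLs on system folders is best obtained from an elevated prompt.

```powershell
# Added example: report services whose executable can be rewritten by broad,
# low-privilege groups, or whose unquoted path contains spaces. Read-only.
function Get-ServiceBinaryWeakness {
    [CmdletBinding()]
    param()

    # Assumption: principals every ordinary user is a member of; an Allow ACE
    # granting any of them write access to a service binary is a finding
    $broadPrincipals = 'Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if ([string]::IsNullOrWhiteSpace($svc.PathName)) { return }

        # Separate the executable from its arguments
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }
        $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match ' ')

        $writableBy = @()
        if (Test-Path -LiteralPath $exe) {
            $writableBy = @((Get-Acl -LiteralPath $exe).Access |
                Where-Object {
                    ($_.AccessControlType -eq 'Allow') -and
                    ($broadPrincipals -contains $_.IdentityReference.Value) -and
                    ((([int]$_.FileSystemRights) -band $writeMask) -ne 0)
                } |
                ForEach-Object { $_.IdentityReference.Value })
        }

        if ($unquoted -or $writableBy.Count -gt 0) {
            [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                StartMode    = $svc.StartMode
                Binary       = $exe
                UnquotedPath = $unquoted
                WritableBy   = ($writableBy -join ', ')
            }
        }
    }
}

# Usage: anything listed here running as LocalSystem is a local-admin path for
# any user on the box; fix the ACL (or quote the path in the service's ImagePath)
Get-ServiceBinaryWeakness | Format-Table -AutoSize
```

The same pattern applies to the other two items on slide 25: scheduled task actions (Get-ScheduledTask, then Get-Acl on each action's executable) and service registry keys under HKLM:\SYSTEM\CurrentControlSet\Services (Get-Acl on the key, looking for the same broad principals with SetValue rights).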
Slide 28: Gain Other Credentials
Kill chain stage: Gain Other Credentials (after Escalate Privileges Locally; before Move Laterally, Accomplish Goal)
Slide 29: Collect Local and AD Credentials - Mimikatz
• Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com
  – Can find unencrypted creds
  – Can find hashes from previous cached logins
• PowerSploit: Invoke-Mimikatz
Slide 30: Accessing Other Credentials – Invoke-Mimikatz
Slide 31: Use Accounts to Access Other Systems
Kill chain stage: Move Laterally (after Escalate Privileges Locally, Gain Other Credentials; before Accomplish Goal)
Slide 32: Lateral Movement – PowerShell Remoting
Use PSRemoting (or enable it if it is not currently running), then:
• PowerSploit Invoke-Mimikatz to view their passwords
• PowerSploit Get-Keystrokes to capture their keystrokes
• PowerSploit Get-TimedScreenshots to capture their screenshots
Slide 33: Lessons Learned From the Walk-Through
Kill chain stages covered: Escalate Privileges Locally, Steal Other Credentials, Move Laterally, Accomplish Goal
Slide 34: Lesson 1 - Review Key Controls for Focus on the Insider
• For example:
  1. Windows Hardening and Endpoint Controls
  2. Privileged Identity Management
  3. NAC and Network Segmentation
  4. Alert on Suspicious Activity
  ...
Slide 35: Lesson 2 - Review Windows Hardening Details
Does our current combination of endpoint controls and Windows hardening prevent local escalation?
  – Group Policy Preferences reveal passwords
  – Poorly configured services allow escalation
  – Settings securing credentials stored in memory
Slide 36: Focusing on PowerShell Strategy
• What is our plan for mitigating the risks while still allowing for necessary PowerShell functionality?
  – PowerShell v5
  – Constrained Language Mode
  – PowerShell Module Logging
  – 100% whitelisting of scripts
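The four items on slide 36 can be verified on a host in one pass. The script below is an added example, not from the presentation: Test-PowerShellHardening reports the PowerShell version, the current language mode, and whether the module logging policy (and, as the companion v5 control, script block logging) is set; Enable-PowerShellLogging writes the same registry values that the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" Group Policy settings write, for a host that is not covered by a GPO. Constrained Language Mode is not a single registry value: on v5 it is applied automatically when an AppLocker or Device Guard/WDAC policy is enforced, so the script reports it rather than setting it. Module logging produces event 4103 and script block logging event 4104 in the Microsoft-Windows-PowerShell/Operational log, which is what "alert on suspicious activity" on slide 34 needs to consume.

```powershell
# Added example: verify (and optionally set) the PowerShell controls from the slide.
# The registry locations are the ones Group Policy uses for these settings.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Test-PowerShellHardening {
    $mod  = Get-ItemProperty -Path "$policyRoot\ModuleLogging" -ErrorAction SilentlyContinue
    $mods = Get-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $sbl  = Get-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PSVersion                 = $PSVersionTable.PSVersion.ToString()
        IsV5OrLater               = ($PSVersionTable.PSVersion.Major -ge 5)
        # ConstrainedLanguage here means an application control policy is enforcing it
        LanguageMode              = $ExecutionContext.SessionState.LanguageMode.ToString()
        # Module logging: event 4103 in Microsoft-Windows-PowerShell/Operational
        ModuleLoggingEnabled      = ($mod.EnableModuleLogging -eq 1)
        ModuleLoggingAllModules   = ($mods.'*' -eq '*')
        # Script block logging (v5): event 4104 in the same log
        ScriptBlockLoggingEnabled = ($sbl.EnableScriptBlockLogging -eq 1)
    }
}

function Enable-PowerShellLogging {
    # Requires an elevated prompt; equivalent to the two Group Policy settings
    $settings = @{
        "$policyRoot\ModuleLogging"             = @{ EnableModuleLogging = 1 }
        "$policyRoot\ModuleLogging\ModuleNames" = @{ '*' = '*' }
        "$policyRoot\ScriptBlockLogging"        = @{ EnableScriptBlockLogging = 1 }
    }
    foreach ($key in $settings.Keys) {
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $settings[$key].Keys) {
            $value = $settings[$key][$name]
            $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
            New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
}

# Usage: run the check; if module or script block logging is off, run
# Enable-PowerShellLogging from an elevated prompt and re-check
Test-PowerShellHardening | Format-List

# Quick look at what the logs now capture (empty until the settings are on)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Whitelisting of scripts (the last item on the slide) is the AppLocker or WDAC policy itself; once such a policy is in Allow mode on v5, the LanguageMode field above flips to ConstrainedLanguage on its own, which is the quickest way to confirm the policy actually reached the host.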
Slide 37: Lesson 3 – Lateral Movement is Made Much Easier by Poor PIDM
How does our organization enforce:
• Unique local administrator passwords
• Restricting admin rights for IT Admins
• Removing unnecessary accounts
• Detecting with real-time alerting
• Validating with a periodic scan
Slide 38: Lesson 3 – Lateral Movement is Made Much Easier by Poor PIDM
Do you mandate:
• Unique local administrator passwords
• Restricting admin rights for IT Admins
• Removing unnecessary accounts
• Detecting with real-time alerting
• Validating with a periodic scan
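Slide 32 shows lateral movement over PowerShell Remoting with credentials taken from the first host; slides 37 and 38 ask for unique local administrator passwords and real-time detection. The detection below, an added example that is not part of the presentation, ties the two together: a local account (one whose TargetDomainName in event 4624 equals the computer name) that logs on over the network (logon type 3) to several different hosts is the signature of a shared local administrator password being reused, and with unique passwords it cannot occur. Find-LocalAccountSpread runs over a constructed sample set of logon records embedded in the block; Get-NetworkLogonRecord shows how to build the same records from the Security log on a host or a forwarded-events collector. The host threshold of 3 and the field names are assumptions to tune.

```powershell
# Added example: flag local accounts that log on over the network to many hosts.
function Find-LocalAccountSpread {
    param(
        [Parameter(Mandatory)] [object[]]$Logons,
        [int]$HostThreshold = 3     # assumption: alert at three or more distinct hosts
    )
    # Local account: the target domain is the computer itself (PowerShell -eq is case-insensitive)
    $Logons |
        Where-Object { $_.LogonType -eq 3 -and $_.TargetDomain -eq $_.Computer } |
        Group-Object TargetUser |
        ForEach-Object {
            $hosts   = @($_.Group.Computer | Sort-Object -Unique)
            $sources = @($_.Group.SourceIp | Sort-Object -Unique)
            if ($hosts.Count -ge $HostThreshold) {
                [pscustomobject]@{
                    Account   = $_.Name
                    HostCount = $hosts.Count
                    Hosts     = ($hosts -join ', ')
                    Sources   = ($sources -join ', ')   # one source for many hosts = fan-out
                    FirstSeen = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                    LastSeen  = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
                }
            }
        }
}

function Get-NetworkLogonRecord {
    # Builds the same record shape from Security event 4624 (local log or a collector)
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Computer     = $_.MachineName.Split('.')[0]
                TargetUser   = $d.TargetUserName
                TargetDomain = $d.TargetDomainName
                LogonType    = [int]$d.LogonType
                SourceIp     = $d.IpAddress
            }
        }
}

# Constructed sample: the built-in Administrator fanning out from one workstation,
# plus a console logon and a domain-account logon that must not be flagged
$sample = @(
    [pscustomobject]@{ Time = '2016-10-18T09:01:00'; Computer = 'WS-101'; TargetUser = 'Administrator'; TargetDomain = 'WS-101'; LogonType = 2; SourceIp = '-' }
    [pscustomobject]@{ Time = '2016-10-18T09:05:00'; Computer = 'WS-102'; TargetUser = 'Administrator'; TargetDomain = 'WS-102'; LogonType = 3; SourceIp = '10.1.5.23' }
    [pscustomobject]@{ Time = '2016-10-18T09:06:00'; Computer = 'WS-103'; TargetUser = 'Administrator'; TargetDomain = 'WS-103'; LogonType = 3; SourceIp = '10.1.5.23' }
    [pscustomobject]@{ Time = '2016-10-18T09:08:00'; Computer = 'FS-01';  TargetUser = 'Administrator'; TargetDomain = 'FS-01';  LogonType = 3; SourceIp = '10.1.5.23' }
    [pscustomobject]@{ Time = '2016-10-18T09:10:00'; Computer = 'FS-01';  TargetUser = 'jsmith';        TargetDomain = 'CORP';   LogonType = 3; SourceIp = '10.1.5.40' }
)

# Usage on the sample: one result, Administrator on 3 hosts from 10.1.5.23
Find-LocalAccountSpread -Logons $sample -HostThreshold 3 | Format-List
# Usage on real data (run where 4624 events are collected):
# Find-LocalAccountSpread -Logons (Get-NetworkLogonRecord) | Format-List
```

The rule only works if event 4624 reaches a central place; that is the "detecting with real-time alerting" item, and the "validating with a periodic scan" item is the same query run over the last day's events. Once local administrator passwords are unique per host, any hit from this rule is a genuine incident rather than an administrator's routine.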
Slide 39: Can't We Just Use an "Insider Threat" Checklist or Something?
• Develop your own checklist…
Slide 40: The Internal PenTest
• Focus the PenTest on a malicious employee scenario
• Tip 1: Clean up the low-hanging fruit (like some of the items in this presentation)
Slide 41: The Internal PenTest – Demand Quality Findings
• Should definitely receive technical recommendations on system-level exploits
• Tip 2: Demand high-level recommendations on:
  – containment
  – data exfiltration
Slide 42: Thank You
Follow Conexsys on Twitter: @conexsyscomm
For a PDF of this presentation or any technical questions, come by the Conexsys booth or contact me at [email protected]
Drop off a card at the booth and win a GoPro