Learn how to hack Windows machines and reveal the password of the domain admin by hacking into the memory and Windows services. This is Level 400 content with a lot of demos, and it covers many security technologies like machine learning, and post-breach and pre-breach defensive controls.
I presented this session in the first BSides Security conference in Amman-Jordan and I am sharing the slides as requested by the audience.
I am also going to post the full video on my YouTube channel: http://youtube.com/ammarhasayen , so don't forget to subscribe.
I would like to hear your feedback on my session, so please connect with me on Twitter @ammarhasayen and let me know what you think.
About me: http://ahasayen.com
Blog: http://blog.ahasayen.com
Social Media (Twitter, LinkedIn, Instagram): @ammarhasayen
Windows Advanced Threat and Defensive Technique
Windows Advance Threats - BSides Amman 2019
2. Presented by: Ammar Hasayen | MS MVP | CISSP | Cybersecurity
http://ahasayen.com
ADVANCED WINDOWS THREATS & DEFENSIVE TECHNIQUES
BSides Amman - ASU
Date: 20 April 2019
Available on SlideShare & YouTube @ammarhasayen
3. About Me: http://ahasayen.com
Blog: http://blog.ahasayen.com
Social Media: @ammarhasayen
CISSP | Microsoft MVP | Pluralsight Author | Book Author
4. IN THIS PRESENTATION
Attacking Windows Services
– Stopping the Antivirus service
– Hacking service accounts running under domain admin account.
Attacking Passwords
– Hacking the built-in admin password
– Pass-the-hash attack
Cyber Kill Chain
– Endpoint Detect & Response
• Microsoft Defender ATP
– Behavioral-based Detection
• Azure ATP
6. DEMO
Look at the antivirus service and see if we can stop it.
Hack the antivirus service and stop it
7. DEMO
Inspect a Windows service running under domain admin account
Hack the password of the domain admin account
8. Windows Service Account Best Practices
Never use highly privileged accounts (domain admin) to run services in your environment.
As a best practice, use Managed Service Accounts to run your Windows services.
Mind the principle of least privilege.
If the attacker gets privileged access to the machine, everything on that machine is compromised (even if you have antivirus).
9. DEMO REFERENCES
• SDDL for Device Objects
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/sddl-for-device-objects
• SID Strings
https://docs.microsoft.com/en-us/windows/desktop/secauthz/sid-strings
• PsExec Tool (used to impersonate Local System Account in the demo)
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Service Account Password Dumper: SPAD
• Managed Service Accounts (MSA)
https://blogs.technet.microsoft.com/askds/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting/
11. DEMO
Hacking password in memory
Stealing the hash of the local admin
Using Pass-the-hash to connect to another machine
- Obtain CMD.EXE access
- Access sensitive information
12. Lessons Learned
The Debug Privilege right should be monitored.
Users should not be admins on their machines (least privilege).
You should not have the same local administrator password on all machines.
- Use Microsoft Local Administrator Password Solution (LAPS)
Use separate machines for admins by implementing the Privileged Admin Workstation solution (PAW).
Consider disabling the local Guest and Administrator accounts.
13. DEMO REFERENCES
• Microsoft Local Administrator Password Solution https://www.microsoft.com/en-us/download/details.aspx?id=46899
• Privileged Access Workstations
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
• PsExec Tool used to connect to the target machine
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
15. Cyber Kill Chain (diagram)
Phases: Malware -> Deliver -> Install -> Command & Control -> Lateral Movement -> Staging -> Exfiltration -> Forensics
Pre Breach | Post Breach
Pre-breach defenses: Signature & Packet Filters; Heuristics, Sandboxes & Stateful Filters; Machine Learning - Advanced Threat Detection (Classification)
Post-breach defense: Machine Learning - Anomaly Detection
16. Endpoint Detect & Response
Installs on the endpoint (workstation or server).
Uses AI-based detection techniques (mainly classification).
Uses the power of the cloud.
Tries to identify zero-day attacks using machine learning.
Microsoft implements this as Microsoft Defender ATP.
17. Microsoft Defender ATP (diagram)
Windows Defender SmartScreen (Endpoint Protection)
– Block malicious websites
– Block low reputation web downloads
Windows Defender Endpoint Protection (Endpoint Protection)
– Monitors behaviors and terminates bad processes
– Block malicious programs and content
Windows Defender Endpoint Detection and Response (Detection and Remediation)
– After execution – Windows Defender Hexadite can reverse damage
– After execution – Windows Defender ATP monitors for post-breach signals
18. Advanced Real-Time Defense (six-step diagram; the recoverable captions follow)
– Client holds file and uploads sample
– Sample is processed & checked against machine learning classifiers
– Cloud generates signature and sends to client
– Client blocks file and reports back, protecting all customers
19. Machine Learning for Endpoint Protection (diagram: detection layer and typical latency)
Client – Local ML models, behavior-based detection algorithms, generics and heuristics: milliseconds
Cloud – Metadata-based ML models: milliseconds
Cloud – Sample analysis-based ML models: seconds
Cloud – Detonation-based ML models: minutes
Cloud – Big data analysis: hours
20. DEMO
Simulate an attack
- Delivering malware to a machine
- Document drops backdoor
- Malware creates schedule task (auto-start)
- Detect attack on Microsoft ATP
- Explore response actions
Exploring Microsoft Defender ATP portal
22. Behavioral-based Detection
Happens post breach (lateral movement).
Identifies anomalies in the network.
Can be seen in IDS, IPS or other types of implementations.
Microsoft implements Azure Advanced Threat Protection (Azure ATP), formerly known as ATA.
24. Azure ATP Detecting Unusual Behavior (diagram)
Azure ATP profiles Alice: Machine? Logon Hours? Sensitive? Peers? Resources?
Anomaly: Alice logs on to the CFO Machine
25. Azure ATP Detecting Unusual Behavior (diagram)
Azure ATP profiles Alice: Machine? Logon Hours? Sensitive? Peers? Resources?
Anomaly: Alice accesses Finance Files
26. Azure Advanced Threat Protection (five-step diagram)
1. Collect: DC logs, SIEM, Windows events, L7 deep packet inspection.
2. Analyze & Learn: self-learning and profiling technology, patented IP resolution, unlimited scale by Azure.
3. Detect: abnormal behavior & suspicious activities.
4. Alert & Investigate: intuitive attack timeline, lateral movement graphs, alerts via email & scheduled reports.
5. Integrate: integrated with Windows Defender ATP to further dig deep into the device health.
28. SUMMARY
Windows service account attacks and defensive techniques
Attacking passwords in memory
– Pass-the-hash
– Same local admin password risk
Cyber kill chain
– Pre-breach endpoint detection
• Microsoft Defender ATP
– Post-breach detection
• Azure ATP
29. REFERENCES
• Introduction to Azure Advanced Threat Protection (Azure ATP)
https://blog.ahasayen.com/tag/azure-atp/
• Secure Modern Workplace With Microsoft ATP
https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
• My YouTube Video on Microsoft ATP
https://youtu.be/3pVRmaxNPJs
• Microsoft Cloud App Security
https://blog.ahasayen.com/microsoft-cloud-app-security-casb/
37. CREDIT
I want to thank the BSides Amman community in Jordan for having me as a speaker in the first edition of this conference. Special thanks to Layla Al-Zoubi for recommending my name as a speaker.
Big thanks to all the great audience who gave me amazing feedback and encouraged me to share my slides and record a YouTube video for offline viewing.
Thanks to all the sponsors who made this event a professional conference in terms of facilities, media coverage and organization.
I would encourage people to follow BSides Amman on social media (@BSidesAmman) and follow their Facebook page for future events to come.
Note: Some demos are inspired from Paula J , CQURE.
40. COPYRIGHT STATEMENT
I want to help you share knowledge and creativity, to build a more equitable, accessible, and innovative world, by unlocking the potential of the internet to drive a new era of development, growth and productivity.
This is why I provide you with my copyright license, to make it easy
for you to share and use creative work on simple terms and
conditions. This license lets you remix, tweak, and build upon my
work non-commercially, as long as you credit me and license your
new creations under the identical terms.
https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Attribution-NonCommercial-ShareAlike
Speaker notes
Hi everyone, I was honored to be talking at the first BSides security conference in Jordan. Many people asked me to record my session and make it available online, so here we go.
Today we are going to talk about advanced Windows threats and defensive techniques. There are many demos in this session, and we are going to have deep-dive technical content, so be prepared.
The slides will be available on SlideShare and YouTube.
So, my name is Ammar Hasayen, I am a Certified Information Systems Security Professional and a Microsoft MVP.
I author courses on Pluralsight about security topics, and I recently authored a book about cloud migration where I cover the cloud reference architecture and cloud security. Mainly, I help organizations move to the cloud without compromising security, governance and compliance. I also speak at international conferences in the United States and Europe.
Now, you can learn more about me at ahasayen.com, and you can also check my blog at blog.ahasayen.com.
Today, we are going to do a lot of hacking. We will start by hacking a Windows service: we will try to stop the antivirus service which, as we know, cannot be stopped. I know that many organizations are also running services under the domain admin account, so we will hack the password of the domain admin account by hacking into a Windows service.
Next, we will try to hack the password of the built-in admin on a Windows machine, and then use the pass-the-hash technique to get access to credit card data on a remote machine.
Finally, we will talk about the cyber kill chain, and this is where things get interesting. We will talk about pre-breach defenses, that is, how to detect attacks while they are happening, and then we will move to post-breach detection using behavioral-based techniques.
If this is something that you find interesting, keep watching.
Now, let us start with attacking a Windows service, and for that we will move to a demo.
In this demo, we are going to look at the antivirus service. This is the first thing attackers will try to stop so that they can work freely on that box and download other payloads to evade detection.
Now we all know that the antivirus service is hardened in a way that you cannot just stop it, even if you are a local admin on the machine. But believe me when I say there are other ways to do that. So let's jump into our demo.
Now that you know that any service in Windows can be stopped if you are an admin on the machine, let us do something else.
The top security threat that every penetration tester finds in almost every organization is a Windows service running under a domain admin account or any other highly privileged account.
This can be your backup service that needs access to all files so that they can be backed up, or even a SQL database running under an admin account.
Now, what if the attacker hacks into the box and can reveal the password of the service account running under the domain admin account? Yes, this can be done. In fact, you can reveal the password in clear text.
Believe me when I say that the first thing attackers will do is search for service accounts running under a domain admin account, and once they find one, it's game over. So let us dive into our demo and see how this works.
I know that all this sounds scary, and by now you should carefully consider which account is used to run your services. You should never use the domain admin account to run any Windows service, and there is no exception whatsoever.
Now, the best way to handle service accounts is to use Managed Service Accounts. They have been available since Windows Server 2008 R2, and the passwords of such accounts are managed by your domain controllers. There is also another variation of managed service accounts called Group Managed Service Accounts, which allow you to use the same managed service account across multiple machines; think of an IIS application pool account that is shared across many front-end nodes.
The next thing you should consider is to give service accounts just enough privilege to carry out their purpose, nothing more and nothing less. And remember, once an attacker hacks into a machine, every account used on that box should be considered compromised, including service accounts running on that box.
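As an added example (not part of the talk or its demo tooling), here is a PowerShell script for the two points above: it lists services whose logon account is a member of a privileged AD group, and then moves one such service to a group Managed Service Account. The domain CORP, the gMSA svc_backup, the computer group BackupServers and the service BackupAgent are assumed names.

```powershell
# Added example, not from the talk: report services logging on as a member of a
# privileged AD group, then move one service to a gMSA as the slides recommend.
# Assumptions: RSAT ActiveDirectory module, domain 'CORP', gMSA 'svc_backup',
# computer group 'BackupServers', service 'BackupAgent' (all made up).
#Requires -Modules ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedUserMap {
    # Hashtable: lowercase SamAccountName -> first privileged group it belongs to.
    $map = @{}
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $sam = $_.SamAccountName.ToLower()
                if (-not $map.ContainsKey($sam)) { $map[$sam] = $group }
            }
    }
    $map
}

function Get-PrivilegedServiceLogon {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $privileged = Get-PrivilegedUserMap
    foreach ($computer in $ComputerName) {
        $query = @{ ClassName = 'Win32_Service' }
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        Get-CimInstance @query | ForEach-Object {
            # StartName forms: 'CORP\backupsvc', 'backupsvc@corp.local',
            # 'LocalSystem', 'NT AUTHORITY\NetworkService', '.\localuser'.
            $logon = $_.StartName
            if (-not $logon) { return }
            $sam = if ($logon.Contains('@')) { $logon.Split('@')[0] } else { $logon.Split('\')[-1] }
            $group = $privileged[$sam.ToLower()]
            if ($group) {
                [pscustomobject]@{
                    Computer = $computer
                    Service  = $_.Name
                    LogonAs  = $logon
                    MemberOf = $group
                    State    = $_.State
                }
            }
        }
    }
}

function Move-ServiceToGmsa {
    # Run as a domain admin on the host that runs the service. The host must already
    # be in $HostGroup and rebooted so its Kerberos ticket reflects the membership.
    param(
        [Parameter(Mandatory)] [string]$ServiceName,
        [Parameter(Mandatory)] [string]$GmsaName,
        [Parameter(Mandatory)] [string]$HostGroup,
        [Parameter(Mandatory)] [string]$DnsHostName,
        [string]$Domain = $env:USERDOMAIN
    )
    # Create the gMSA if missing; only hosts in $HostGroup may retrieve its password.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
        New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
    }
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "This host cannot retrieve the password for $GmsaName; check $HostGroup membership."
    }
    # The trailing '$' marks the gMSA; the password is blank because Windows fetches
    # it from AD. The gMSA still needs the 'Log on as a service' right (Group Policy).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName = "$Domain\$GmsaName`$"; StartPassword = ''
    }
    if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($result.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

# Usage: report first, remediate one finding, then re-check.
Get-PrivilegedServiceLogon | Format-Table -AutoSize
Move-ServiceToGmsa -ServiceName 'BackupAgent' -GmsaName 'svc_backup' `
    -HostGroup 'BackupServers' -DnsHostName 'svc_backup.corp.local'
Get-PrivilegedServiceLogon | Format-Table -AutoSize
```

The gMSA only removes the static password; the permissions the service actually needs on backup targets still have to be granted to svc_backup$ explicitly, which is the least-privilege step the slide asks for.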
Now, during the demo I used many tools and talked about a lot of technologies, so make sure to check these links for more information.
What about hacking passwords on Windows machines? Let's jump into a demo and see what we can do to hack passwords.
In this demo, we have a Windows machine that can be an end-user machine or even a server with many admins logging on there to do some administrative tasks.
We are then going to view the protected portion of memory where password hashes are located, which is protected by Windows.
Then, we are going to reveal the hash of the local admin password and use that hash to perform a pass-the-hash attack to obtain access to a high-value remote server and access sensitive information.
So let us start our demo.
What we can learn from that demo is that the debug privilege is a very risky privilege. You should use Group Policy to prevent anyone, including administrators, from having such a right, unless you have specific needs on certain machines, for example to give some developers that right.
Also, users should not be admins on their machines. They should be running under a normal account and perhaps use another account with high privileges to carry out administrative tasks.
As we saw in the demo, we used the hash of the local admin to connect to a remote machine because the local admin password is the same across all machines. You should always make sure to have different local admin passwords across your machines, and to do that you can use a solution from Microsoft called the Local Administrator Password Solution, or LAPS.
Also, as a best practice, you should have your admins working with two machines: one machine to access email and browse the web, and a separate machine to perform highly privileged tasks. This way, if malware is delivered through the web or email, it cannot do much damage, because your admins are using a separate machine for admin tasks. Now, one of the two machines can be a virtual machine, and there is a great solution and guide from Microsoft to implement that. It is called the Privileged Admin Workstation, and I encourage you to look at it.
Finally, you can disable the local Administrator and Guest accounts on all machines, just in case.
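An added example (not from the talk): a PowerShell audit for the lessons above, checking who holds the debug privilege, who sits in the local Administrators group, whether the built-in Administrator and Guest accounts are still enabled, and whether LAPS manages this machine's local admin password. It assumes an elevated session on a domain-joined machine, the RSAT ActiveDirectory module, and the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime from the download linked above.

```powershell
# Added example, not from the talk: audit the pass-the-hash lessons on one host.
# Assumptions: elevated session, domain-joined host, RSAT ActiveDirectory module,
# legacy LAPS schema (ms-Mcs-AdmPwdExpirationTime) in the domain.

function Get-DebugPrivilegeHolders {
    # secedit exports the effective local policy; the right appears as a line such as
    # 'SeDebugPrivilege = *S-1-5-32-544' (SIDs prefixed with '*', names without).
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }     # nobody holds the right on this host
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $raw = $_.Trim()
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]($raw.TrimStart('*'))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $raw }               # unresolvable SID or plain name: show as-is
    }
}

function Get-LocalAdminMembers {
    # End users should not appear here; admins should use a separate privileged account.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-BuiltinAccountState {
    # The well-known RIDs (500 = Administrator, 501 = Guest) survive renaming.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } |
        Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }
}

function Test-LapsManaged {
    # A LAPS-managed computer carries a non-null expiration timestamp on its AD
    # object; null means the local admin password is still a static, shared one.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $exp = $c.'ms-Mcs-AdmPwdExpirationTime'
    [pscustomobject]@{
        Computer    = $ComputerName
        LapsManaged = [bool]$exp
        Expires     = $(if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null })
    }
}

'== Accounts holding SeDebugPrivilege (expect Administrators only, or nobody) =='
Get-DebugPrivilegeHolders
'== Local Administrators members =='
Get-LocalAdminMembers | Format-Table -AutoSize
'== Built-in Administrator / Guest state =='
Get-BuiltinAccountState | Format-Table -AutoSize
'== LAPS coverage for this machine =='
Test-LapsManaged | Format-Table -AutoSize
```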
Again, here are some good references for you to learn more about some of the tools and technologies we talked about.
Now, let us shift gears and talk about a famous security topic, which is the cyber kill chain.
A cyber kill chain reveals the phases of a cyber attack, from early reconnaissance to the goal of data exfiltration.
It can, however, be used by security professionals to improve network defenses at each stage of the cyber kill chain.
Usually an attacker selects a target and does some research to learn about its vulnerabilities. This is usually called the reconnaissance phase. Now the attacker is ready to move to the weaponization phase, creating malware tailored to one of the vulnerabilities discovered.
Guess what's the next step? Of course, the attacker delivers the malware to the target via an email attachment, a USB drive or any other possible way.
Now that the malware lives in the target machine and network, the malware starts a privilege escalation on the local machine to elevate its rights, installs an access point or backdoor, and then connects to the command and control center so that an intruder can now have remote access.
Most of the time, patient zero, the first machine being hacked, is not interesting enough; it just happened to be the weakest entry point to attack the network. So the attacker now starts discovering machines and resources and moves from one machine to another (this is called lateral movement) until he gets to the intended resource or credential. This can be the domain admin credentials, or perhaps a database with high-value information, which is the data exfiltration phase. The objective can also be data corruption or data destruction.
Now it usually takes a long time until someone discovers that an attack happened, and forensics teams are then involved trying to understand how the attack happened in the first place, what targets are compromised, and what the damage was.
From a security defensive point of view, we can think of two types of detection and prevention measures that map to the pre-breach and post-breach phases of the cyber kill chain.
In the pre-breach phase, we have signatures and packet filters that are good at recognizing known threats, with the results then injected in the form of antivirus signatures or signature-based intrusion detection systems.
With time, attacks became more sophisticated and started to adapt to evade detection using techniques like polymorphism, and with that the defenses themselves started to evolve, and we started seeing heuristics and behavioral rules being introduced into the security space, including sandboxes where pieces of the content are executed in a safe, isolated environment and then monitored for signs of malicious behavior. But the problem with this approach is that it is still based on having identified threats first and then constructing the rules and behaviors that you look for in order to identify similar threats, even if their signatures have changed.
The next wave is machine learning, with the promise of being able to get ahead of a threat and not being reliant on having found something before in order to detect it the first time. This is driven by the zero-day malware that keeps coming out and the growing sophistication of the adversary, so there was definitely a desire for a more sophisticated defense. The promise is being able to build a super intelligent machine that would be able to reason its way through the high volume and velocity of data that is prevalent in the cyber environment.
One way of using machine learning is at the endpoint level, which usually involves classification or supervised machine learning models. The game is typically around classification, most often applied to a particular piece of content in the network, so things like Windows executables, PDFs, Word documents or network streams that can be labeled as malicious. The whole supervised technique is really about starting with labeled data that feeds machine learning algorithms; they learn from those labels and from the properties of the files or samples that go into the machine learning system, and then predict whether a file is clean or not.
Now, Microsoft has a great solution at the endpoint level called Microsoft Defender Advanced Threat Protection that really can help here.
Microsoft is changing their whole strategy when it comes to endpoint protection. In fact, the name Windows Defender is no longer just the antivirus we all used to know and perhaps chose not to trust.
Windows Defender ATP is the new thing, and it is a brand name that consists of many products, all working together tightly, using the power of the cloud and all the signals from Microsoft threat intelligence, to deliver a comprehensive solution that can protect endpoints from zero-day attacks and the most sophisticated malware out there.
As an example, Windows Defender SmartScreen blocks low reputation web downloads and even malicious websites, while Windows Defender endpoint protection monitors all Windows processes and files, and then terminates or cleans any infection found.
The next innovation that comes with Windows Defender ATP is the ability to automate the response part of the attack, which is possible through a recent acquisition of a company called Hexadite, so that security admins don't need to worry much about responding to threats, as this is taken care of by this new automation capability.
And the new way of defending against attacks is by utilizing the power of the cloud and the Microsoft Intelligent Security Graph. The Microsoft Intelligent Security Graph provides rich signals from vast security intelligence, machine learning and behavioral analytics that Microsoft allows you to consume and use to enhance your protection and detection speed.
So when Windows Defender encounters a new file and does not know whether it is a bad or good file, it sends a file query to the cloud. If the cloud knows about this file, it will provide feedback to the endpoint; otherwise it will ask for a sample.
The client will hold the file and upload a sample to the cloud. The cloud services will process the sample and check it against machine learning classifiers, trying to find out whether the file is good or not, and if the file turns out to be holding malicious code, the cloud will generate a new signature for that file and send it back to the client, along with all other clients, so that when they encounter this file they already know to block it.
And you might be asking, does this mean the client needs to consult the cloud and wait for an answer, and what if there is no internet connection at that time?
Well, here is how things are designed. Each Windows Defender client has local machine learning models and behavior-based detection algorithms, so that it can use all that logic offline without consulting the cloud. This operation takes only milliseconds.
The client can consult the cloud services by sending only metadata, so that the cloud can use metadata-based machine learning models to determine if the file is malicious or not. This only takes milliseconds.
If the cloud requested a sample, then sample analysis-based machine learning models are used in the cloud, which might take seconds.
In certain scenarios, detonation-based machine learning models can be invoked, which might take minutes, and big data analysis can take up to hours.
What this means is that the client will not wait for minutes and hours. If the file is infected and the cloud could not determine that it is a bad file within seconds, the client will allow that file to run. In the background, the cloud will continue working and analyzing, and might run detonation-based ML models and big data analysis to get the truth about that file, so other clients can be notified and updated, although we lose patient zero in the process.
Now, the next wave of applying machine learning and AI in your security defensive strategy is trying to detect attacks after they happen, that is, if your endpoint detection technique fails to stop an attack, how can you know there is an attack happening inside your network?
This is where another form of machine learning is applied that relies on anomaly detection or unsupervised learning. Simply put, the machine learns what is normal and notices when something outside of that norm occurs. It does not label it good or bad, but it is still a great complement to a supervised approach, finding things that perhaps a human researcher wouldn't find or an antivirus product fails to detect.
Anomaly detection usually happens after the attacker compromises a machine and starts moving inside your network, perhaps to find more valuable assets.
Now, Microsoft's answer in this area is Azure Advanced Threat Protection, or Azure ATP, which was formerly known as Advanced Threat Analytics, or ATA.
Let me try to help you visualize how anomaly detection can help you detect an attack after it happens. Suppose we have John, a new hire, who is a security expert and whose job is to monitor your environment for attacks.
The first thing John would do is learn about the environment. He starts by learning about all the machines in the network, for example what operating systems they are running. And he would also learn about all users and groups in the network, especially who is a member of the highly privileged groups like the Domain Admins and Schema Admins groups.
Now that John knows about every machine, user and group in the environment, he will start learning about the behavior of users. For each user in the environment, John would create a behavioral profile. In this behavioral profile, John will analyze which machines each user normally uses, what the logon hours are for each user, and which users are sensitive. For each user, John would also learn who their peers are and who that user works with, and finally what resources each user normally accesses.
Now let us replace John with Azure ATP, which is an agent that you install on each and every domain controller in your environment.
Suppose we have Alice, who works in the HR department, and remember that Azure ATP knows everything about Alice: her working hours, the machine or machines she normally logs on to, and what resources she usually accesses.
Now, if the Azure ATP agent detects that Alice is logging on from the CFO machine, the Azure ATP agent will immediately detect an anomaly and raise an alert to the security team, because that might mean that an attacker has compromised her machine and used a technique like pass-the-hash to move to the CFO machine, which Alice normally would not do.
The same thing will happen if Azure ATP detects that Alice is trying to access the finance share, which is an anomaly as Azure ATP knows, through its learning phase, that Alice normally does not access the finance share.
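An added example, not code from the talk or from Azure ATP itself: a toy PowerShell version of the profile John builds above. It learns each user's machines, logon hours and resources from constructed events (three of the five profile questions on the slide), then scores new events the way the Alice story describes; the users, machines and shares are made up.

```powershell
# Added example, not from the talk or from Azure ATP: learn a per-user baseline
# from constructed logon/access events, then flag events outside that baseline.
# Real Azure ATP learns from DC traffic and Windows events; these records are
# hand-made (user, machine, logon hour, resource touched) to show the idea.

$learningEvents = @(
    [pscustomobject]@{ User = 'alice'; Computer = 'HR-PC01'; Hour = 8;  Resource = '\\FS01\HR' }
    [pscustomobject]@{ User = 'alice'; Computer = 'HR-PC01'; Hour = 9;  Resource = '\\FS01\HR' }
    [pscustomobject]@{ User = 'alice'; Computer = 'HR-PC01'; Hour = 16; Resource = '\\FS01\Public' }
    [pscustomobject]@{ User = 'bob';   Computer = 'CFO-PC';  Hour = 7;  Resource = '\\FS01\Finance' }
    [pscustomobject]@{ User = 'bob';   Computer = 'CFO-PC';  Hour = 18; Resource = '\\FS01\Finance' }
)

function New-BehaviorBaseline {
    # Learning phase: per user, the set of machines, the set of resources and the
    # earliest/latest logon hour seen. Returns a hashtable keyed by user name.
    param([object[]]$Events)
    $baseline = @{}
    foreach ($e in $Events) {
        if (-not $baseline.ContainsKey($e.User)) {
            $baseline[$e.User] = @{ Machines = @{}; Resources = @{}; MinHour = 24; MaxHour = -1 }
        }
        $p = $baseline[$e.User]
        $p.Machines[$e.Computer] = $true
        $p.Resources[$e.Resource] = $true
        if ($e.Hour -lt $p.MinHour) { $p.MinHour = $e.Hour }
        if ($e.Hour -gt $p.MaxHour) { $p.MaxHour = $e.Hour }
    }
    $baseline
}

function Find-Anomaly {
    # Detection phase: compare one new event with the user's baseline and return
    # an alert string listing every deviation, or nothing if the event is normal.
    param([hashtable]$Baseline, [object]$Event)
    $p = $Baseline[$Event.User]
    if (-not $p) { return "ALERT $($Event.User): no baseline for this user yet" }
    $reasons = @()
    if (-not $p.Machines.ContainsKey($Event.Computer)) {
        $reasons += "unusual machine $($Event.Computer)"
    }
    if ($Event.Hour -lt $p.MinHour -or $Event.Hour -gt $p.MaxHour) {
        $reasons += "outside learned logon hours ($($Event.Hour):00)"
    }
    if (-not $p.Resources.ContainsKey($Event.Resource)) {
        $reasons += "unusual resource $($Event.Resource)"
    }
    if ($reasons) { "ALERT $($Event.User): " + ($reasons -join '; ') }
}

$baseline = New-BehaviorBaseline -Events $learningEvents

# Alice's normal day: nothing is returned.
Find-Anomaly $baseline ([pscustomobject]@{ User = 'alice'; Computer = 'HR-PC01'; Hour = 10; Resource = '\\FS01\HR' })
# The slide's scenario: Alice on the CFO machine reaching the finance share at 03:00.
Find-Anomaly $baseline ([pscustomobject]@{ User = 'alice'; Computer = 'CFO-PC'; Hour = 3; Resource = '\\FS01\Finance' })
```

The second call reports all three deviations in one alert; a real product would also weigh peer groups and account sensitivity, which this toy omits.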
Azure ATP is a great tool to have in your environment, and it complements other security measures and controls that you already have, to detect attacks happening inside your network early.
Azure ATP agents start by collecting logs from your domain controllers and other sources. Then the analyze and learn phase kicks off, and this is where Azure ATP agents learn about the environment.
The third phase is when a detection happens due to an anomaly, in which case you will get alerted and provided with a comprehensive dashboard to track what is happening. The final phase is integration, where Azure ATP integrates with your Windows Defender ATP so that you can have identity-based protection with Azure ATP and machine-based protection with Windows Defender ATP.
I am going to leave you with some resources to learn more about Windows Defender ATP and Azure ATP so that you can consider implementing both in your environment to help you detect attacks while they are happening and after they happen.
In this presentation, we talked about service accounts in Windows and how things can go wrong with service accounts. Please have a look at managed service accounts, and remember not to run any service under the domain admin account.
We also talked about pass-the-hash attacks and how they can be used by attackers to move inside your network after gaining access to the hashes of your users' passwords. Always make sure you don't have the same local admin password across your machines, and remember you can use Microsoft Local Admin Password Solution to automate this job.
We then talked about the cyber kill chain and how you can use machine learning defenses for the pre-breach and post-breach phases of the attack. Azure ATP and Windows Defender ATP can be used to help you detect attacks as they happen and after that.
Finally, I will leave you with great resources I put together that I highly recommend you look at. You can find my blog series on how Azure ATP works and how to deploy it in your environment, and you can also look at my "secure the modern workplace" post covering the different ATP products from Microsoft, including a third ATP product called Office 365 ATP.
I want to thank everyone who attended my session at the BSides Amman conference this year and all the people who are watching this video right now.
Remember also that you can view my slides on SlideShare, and you can also follow me there to get access to all my previous and future presentations.
If you want to watch more videos about cloud and cybersecurity, you can always subscribe to my YouTube channel listed here.
I would also appreciate it if you give me your feedback and thoughts about this session, either by commenting on this video or by sending me a message directly using one of my social media accounts.
Thank you again, and wait for my next videos to come.