SlideShare a Scribd company logo

The Enemy Within: Stopping Advanced Attacks Against Local Users

Download as PPTX, PDF
Tal Be'ery
Tal Be'ery

Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer). In this talk, we will cover how advanced attackers are abusing local users' credentials in their attacks, including real examples as captured "in the wild". We would follow with suggested new methods and tools to detect and prevent such attacks. Most notably, we'd expose a tool that implements a method which allows visibility to local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, messages and APIs. Using these methods defenders gain visibility to local users' logons, group membership, password change among others. Security applications enabled by this visibility include but are not limited to, abnormal logons detection, abnormal group additions and removal detection and abnormal password changes detection.

Technology
1 of 51
The Enemy Within: Stopping Advanced Attacks Against Local Users Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec Marina Simakov, Security Researcher, Microsoft ATA
Intro
“When the Cyber Kill- Chain Met Local Users”
Group: IT Admins User: Bob Computer: Server1 User: Mary Group: Domain Admins http://www.slideshare.net/AndyRobbins3/six-degrees-of- domain-admin-bloodhound-at-def-con-24
https://www.safety.com/wp-content/uploads/2012/12/Burglar-Entry-300x300.jpg
Admin Recon
Defending
http://s1206.photobucket.com/user/harbottle1/media/Posters%202/LocalHeroQuad.jpg.html
Parting Thoughts
Win version Who can query SAMR by default Can default be changed < Win10 Any domain user No Win10 Any domain user Yes (only via registry) > Win10 (e.g. anniversary) Only local administrators Yes (registry or GPO)
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users

Recommended

The Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementThe Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementTal Be'ery
 
Automate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityAutomate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityTal Be'ery
 
Game inspiration image links
Game inspiration image linksGame inspiration image links
Game inspiration image linksLewis Brierley
 
Website support Internet Explorer and other older browsers in 2021
Website support Internet Explorer and other older browsers in 2021Website support Internet Explorer and other older browsers in 2021
Website support Internet Explorer and other older browsers in 2021InternetDevels
 
What are Good Bots
What are Good BotsWhat are Good Bots
What are Good BotsDr. Augustine Fou - Independent Ad Fraud Researcher
 
R user group meeting 25th jan 2017
R user group meeting 25th jan 2017R user group meeting 25th jan 2017
R user group meeting 25th jan 2017Garrett Teoh Hor Keong
 
Nic teaming and converged fabric
Nic teaming and converged fabricNic teaming and converged fabric
Nic teaming and converged fabrichypervnu
 
BSides 2016 Presentation
BSides 2016 PresentationBSides 2016 Presentation
BSides 2016 PresentationAngelo Rago
 

Recommended

The Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementThe Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementTal Be'ery
 
Automate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityAutomate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityTal Be'ery
 
Game inspiration image links
Game inspiration image linksGame inspiration image links
Game inspiration image linksLewis Brierley
 
Website support Internet Explorer and other older browsers in 2021
Website support Internet Explorer and other older browsers in 2021Website support Internet Explorer and other older browsers in 2021
Website support Internet Explorer and other older browsers in 2021InternetDevels
 
What are Good Bots
What are Good BotsWhat are Good Bots
What are Good BotsDr. Augustine Fou - Independent Ad Fraud Researcher
 
R user group meeting 25th jan 2017
R user group meeting 25th jan 2017R user group meeting 25th jan 2017
R user group meeting 25th jan 2017Garrett Teoh Hor Keong
 
Nic teaming and converged fabric
Nic teaming and converged fabricNic teaming and converged fabric
Nic teaming and converged fabrichypervnu
 
BSides 2016 Presentation
BSides 2016 PresentationBSides 2016 Presentation
BSides 2016 PresentationAngelo Rago
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Cysinfo Cyber Security Community
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.CrowdStrike
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdStrike
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdStrike
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsCrowdStrike
 
Pycon Sec
Pycon SecPycon Sec
Pycon Secguesta762e4
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaCrowdStrike
 
Venom
Venom Venom
Venom CrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsCrowdStrike
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGSCrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdStrike
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdStrike
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning CrowdStrike
 
Is Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksIs Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksMaarten Van Horenbeeck
 
Ransomware 0 admins 1
Ransomware 0 admins 1Ransomware 0 admins 1
Ransomware 0 admins 1kieranjacobsen
 

More Related Content

Viewers also liked

Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.CrowdStrike
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdStrike
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdStrike
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsCrowdStrike
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaCrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsCrowdStrike
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGSCrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdStrike
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdStrike
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning CrowdStrike
 

Viewers also liked (20)

Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
 
Pycon Sec
Pycon SecPycon Sec
Pycon Sec
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit Kits
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
 
Venom
Venom Venom
Venom
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGS
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning
 

Similar to The Enemy Within: Stopping Advanced Attacks Against Local Users

Is Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksIs Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksMaarten Van Horenbeeck
 
Securious talk at the SWCSC event on 24th Feb 2016.
Securious talk at the SWCSC event on 24th Feb 2016.Securious talk at the SWCSC event on 24th Feb 2016.
Securious talk at the SWCSC event on 24th Feb 2016.Peter Jones
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAli Habeeb
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3Folio3 Software
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】Hacks in Taiwan (HITCON)
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainIgor Korkin
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...Soya Aoyama
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetNathan Wallace, PhD, PE
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...M Mehdi Ahmadian
 

Similar to The Enemy Within: Stopping Advanced Attacks Against Local Users (20)

Is Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksIs Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacks
 
Ransomware 0 admins 1
Ransomware 0 admins 1Ransomware 0 admins 1
Ransomware 0 admins 1
 
Securious talk at the SWCSC event on 24th Feb 2016.
Securious talk at the SWCSC event on 24th Feb 2016.Securious talk at the SWCSC event on 24th Feb 2016.
Securious talk at the SWCSC event on 24th Feb 2016.
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3
 
Network security
Network securityNetwork security
Network security
 
NetworkSecurity
NetworkSecurityNetworkSecurity
NetworkSecurity
 
Brendon Hatcher Joomla Security
Brendon Hatcher Joomla SecurityBrendon Hatcher Joomla Security
Brendon Hatcher Joomla Security
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
botnet.ppt
botnet.pptbotnet.ppt
botnet.ppt
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
 

More from Tal Be'ery

Give me some (key) space!
Give me some (key) space!Give me some (key) space!
Give me some (key) space!Tal Be'ery
 
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitWeb3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
 
Understanding Compound‘s Liquidation
Understanding Compound‘s LiquidationUnderstanding Compound‘s Liquidation
Understanding Compound‘s LiquidationTal Be'ery
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMTal Be'ery
 
The Color of Money
The Color of MoneyThe Color of Money
The Color of MoneyTal Be'ery
 
Open Sesame: Picking Locks with Cortana
Open Sesame: Picking Locks with CortanaOpen Sesame: Picking Locks with Cortana
Open Sesame: Picking Locks with CortanaTal Be'ery
 
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES Tal Be'ery
 
Target Breach Analysis
Target Breach AnalysisTarget Breach Analysis
Target Breach AnalysisTal Be'ery
 
Battlefield network
Battlefield networkBattlefield network
Battlefield networkTal Be'ery
 
Client sidesec 2013-intro
Client sidesec 2013-introClient sidesec 2013-intro
Client sidesec 2013-introTal Be'ery
 
Client sidesec 2013 - non js
Client sidesec 2013 - non jsClient sidesec 2013 - non js
Client sidesec 2013 - non jsTal Be'ery
 
Client sidesec 2013 - script injection
Client sidesec 2013 - script injectionClient sidesec 2013 - script injection
Client sidesec 2013 - script injectionTal Be'ery
 
One Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key MalwareOne Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key MalwareTal Be'ery
 
Skeleton key malware detection owasp
Skeleton key malware detection owaspSkeleton key malware detection owasp
Skeleton key malware detection owaspTal Be'ery
 

More from Tal Be'ery (14)

Give me some (key) space!
Give me some (key) space!Give me some (key) space!
Give me some (key) space!
 
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitWeb3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
 
Understanding Compound‘s Liquidation
Understanding Compound‘s LiquidationUnderstanding Compound‘s Liquidation
Understanding Compound‘s Liquidation
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEM
 
The Color of Money
The Color of MoneyThe Color of Money
The Color of Money
 
Open Sesame: Picking Locks with Cortana
Open Sesame: Picking Locks with CortanaOpen Sesame: Picking Locks with Cortana
Open Sesame: Picking Locks with Cortana
 
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
 
Target Breach Analysis
Target Breach AnalysisTarget Breach Analysis
Target Breach Analysis
 
Battlefield network
Battlefield networkBattlefield network
Battlefield network
 
Client sidesec 2013-intro
Client sidesec 2013-introClient sidesec 2013-intro
Client sidesec 2013-intro
 
Client sidesec 2013 - non js
Client sidesec 2013 - non jsClient sidesec 2013 - non js
Client sidesec 2013 - non js
 
Client sidesec 2013 - script injection
Client sidesec 2013 - script injectionClient sidesec 2013 - script injection
Client sidesec 2013 - script injection
 
One Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key MalwareOne Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key Malware
 
Skeleton key malware detection owasp
Skeleton key malware detection owaspSkeleton key malware detection owasp
Skeleton key malware detection owasp
 

Recently uploaded

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

The Enemy Within: Stopping Advanced Attacks Against Local Users

Editor's Notes

  1. Initial Recon: Attackers Goal: Identify interesting assets. Find all users, machines, etc. Attackers are not administrator on the machine Means: SAMR Recon (net group/user) DNS Recon Local privilege escalation Attackers Goal: become local administrator Means Compromised Creds Of a Domain User who has Local administrator privileges Of a Local administrator privileges 0 days / Known vulnerabilities (CVEs) Compromise Credentials Attacker Goals: Get creds to expand toward destination Means: Windows cred harvesting Tools Mimikatz Passwords in Group Policy Passwords in plaintext “passwords.txt” In E-mail Admin recon Attackers’ Goal: Find machines that has Admin creds on Means: NetSess Luring admin Creating an IT ticket and waiting for admin to connect Remote Code Execution Attackers’ Goals: take over another machine using compromised creds Means: PsExec (new remote service) Remote ScheduleTask WMI Remote PowerShell RDP Remote Registry Lateral Movement Vehicle is Remote Code Execution Fuel is Compromised Creds Map is provided by Recon Ignition Key is Local privilege Escalation That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs,IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year: Detect attackers before they cause damage. That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs, IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year: Detect attackers before they cause damage.
  2. Domain dominance Attackers Goal: Get full control over the domain, i.e. access all assets, all the time Means NTDS.DIT stealing to get all keys DC-SYNC Backup utils Create new admins Compromise KRBTGT key for Golden Ticket Install the Skeleton Key Malware Get more secrets with DPAPI Attacking Data Attackers Goal: Get the data they are after Lateral Movement Same Same, But different Fast and Easy: attackers’ has all credentials Some Subject Matter Expertise (SME) might be required Reading documents - That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs, IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year: Detect attackers before they cause damage.
  3. This is where ATA focuses on. Detect attackers before they cause damage. That’s how real world attacks look like. There are multiple stages in the APT taking place within months. None of the traditional security vendors like SIEMs, IPSs, IDSs, etc’ provide solutions for detecting compromised credentials, lateral movement and other elements present in every APT. ATAs (and UEBA in general) focus *EXACTLY* on this blind-spot and provide detection capabilities for the different stages based on UEBA. That’s why there’s why a new market for UEBA solutions emerged in the last year:
  4. Infiltrate the network by compromising domain account (phishing etc) Eventually compromise domain admin creds Shortest path
  5. Prioritize list of assets Be aware of relationships & dependencies
  6. Not enough to think in graphs Explicitly – IT wants a “master key” Implicitly – Image prepared in advance Local Users are copied
  7. Remove such policies
  8. No password is needed A graph “link” from any other computer to such machines
  9. Local Privilege Escalation: Attackers can escalate to local Admin with BruteForce Compromise creds: Local user hash can be harvested from memory/disk If the remote machine’s local user has the same password PtH works (no cracking) Admin Recon: Local admins of a machine can be remotely queried Remote Code Execution: Can be done with remote machine local user’s creds
  10. Brute force to obtain local privileged user credentials Small tool written in C# Expects a username & password dictionary High rate – more than 200k attempts per minute Authentication is performed locally No traffic overhead
  11. Valuable information
  12. Misconception that the damage of local accounts is limited to the boundaries of the individual machine However – these accounts can be used to compromise the entire domain
  13. How common is the use of local credentials during real attacks? Enables attackers to execute the PtH attack using local accounts Used in most cases! Attackers one step ahead of the defenders
  14. More ways for attackers to use local accounts during an attack Adding For persistency “Reverse hardening” Disrupts defenders
  15. Again – how common is this scenario? Here is a real example of a malware found on Azure One of the things that it does is add…
  16. Periodically query Local Users over SAMR Users Info Group membership Discover security issues: Abnormal login patterns BruteForce attempts Enabled Guest accounts Privileged group modifications Password configuration issues Cloned Local Users
  17. Fetches all domain machines records from DC over LDAP Remotely scans all domain machines using the SAMR protocol Retrieves all local accounts’ data from SAM
  18. 2 types of detections: Configuration issues found from a single scan (cloned, guest) Deltas found between each 2 consecutive scans that may indicate a potential attack