Webinar 1521 Slides

10/4/2018

Why Multi-factor Authentication Can’t Prevent Pass-the-Hash Attacks and Alternative Mitigation Methods

Sponsored by / Made possible by / Thanks to: (sponsor logos)

© 2018 Monterey Technology Group Inc.

Preview of Key Points
 Password hashing
 NTLM challenge / response
 Pass-the-Hash
 MFA
   OTP
   Push
   Smartcard
 Really mitigating PtH
   ESAE
   NTLM blocking
   Injecting MFA into network logons when warranted

Common Misconception
 Require Multi-Factor authentication at the desktop and now all resulting access is protected

How Pass-the-Hash Works
 Password hashing
 NTLM Challenge/Response Protocol
 Pass-the-Hash

Password hashing (diagram): when the user sets a password, or is logging on: Clear text password → Hash Algorithm → Hash → stored in Active Directory / SAM

Where can you find password hashes?
 Active Directory for domain accounts
 Local SAM for local accounts
 In memory for current logon sessions
 Other artifacts on local system after a user has logged on in the past

Changing risks
 The risks used to be about cracking password hashes back to the clear text password
 Windows got better at protecting hashes and hashing in general
 PtH came along so that you don’t NEED the clear text password
   Just the hash
   To access REMOTE computers
   Because of NTLM challenge / response

NTLM challenge / response (diagram)
Client → Server: “I want to logon to you”
Server → Client: Challenge
Client: encrypts the Challenge using its NTLM hash as the key → Response
Client → Server: Response
Server: encrypts the same Challenge with the stored hash and compares it to the Response
Server → Client: “OK you are authentic, come on in”

Pass-the-Hash (diagram)
Attacker: collects hashes
Attacker → Server: “I want to logon to you”
Server → Attacker: Challenge
Attacker: encrypts the Challenge using the collected NTLM hash as the key → Response
Attacker → Server: Response
Server: encrypts the Challenge with the stored hash and compares
Server → Attacker: “OK you are authentic, come on in”

MFA at the workstation (diagram)
• User enters password
• Workstation hashes pw and verifies against DC
  – NTLM or Kerberos – doesn’t matter
  – Hash artifacts remain on system
• Multi-Factor Authentication: workstation asks for 2nd authentication factor
  – Push
  – OTP
• Logon session begins
• Privileged malware obtains password hash artifact
• Using PtH, accesses remote system as user

“To add insult to injury, Windows Smart Card logon … generates an “everlasting” hash, thus providing less security than the regular password-only logon process against Pass-the-Hash attacks.”
http://www.infosecisland.com/blogview/23657-Smart-Card-Logon-The-Good-the-Bad-and-the-Ugly.html

Smartcard interactive logon (diagram): smartcard interactive logon at the workstation; no smart card required for the remote system

Smartcard interactive logon
 Mitigating the “everlasting” hash
   Manually uncheck “smart card required for interactive logon”, save, re-check, save
   PowerShell script to “roll” the hash
    https://blogs.technet.microsoft.com/positivesecurity/2017/05/17/smartcard-and-pass-the-hash/
   Upgrade domain to 2016 DFL
    https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection

Where MFA Protects You
 Keeps other users from logging on as Bob
   interactively at a workstation
 Other applications and websites where MFA is synchronously required

Where MFA Doesn’t Protect You
 Network logons
   Shared folder
   Computer Management
   WMI
   PowerShell remoting
   Remote Desktop

True mitigation for Pass-the-Hash
 Red Forest / ESAE
 Disable NTLM on your network
 Inject MFA demands into network logons based on dynamic risk assessment

Red Forest / ESAE
A big project that only protects domain admin accounts (Domain Admins)

Disable NTLM
 Identify every application you know needs Kerberos implementation
   SQL Server
   SharePoint
   Exchange
   …
 Create Service Principal Names and perform other configuration
 Test and debug
 Or implement claims based
 Start auditing remaining use of NTLM
 Remediate
 Identify systems where you won’t be able to migrate to Kerberos or claims-based
 Implement exception list
 Disable NTLM via Group Policy
   https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/

NTLM blocking is no joke…. NTLM blocking can be a résumé generating event!
https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/

Inject MFA demands into network logons based on dynamic risk assessment
 Jeff will demonstrate new capability that allows you to
   monitor for likely PtH exploitation
   and immediately use MFA in response
   to determine if the user is in control
   – or an attacker…

STEALTHbits Technologies, Inc.
Why Multi-factor Authentication Can’t Prevent Pass-the-Hash Attacks and Alternative Mitigation Methods

Copyright © 2018 STEALTHbits Technologies, Inc. All rights reserved. | STEALTHbits Confidential

Guidance from Microsoft
• Assume breach
• The problem cannot be solved by implementing a single strategy or deploying a single feature
• When an effective program is implemented, attackers may find too many barriers and trigger detection mechanisms that could help organizations stop the attack.

Attacks That Bypass MFA
• Pass-the-Ticket
• Pass-the-Hash
• Forged Tickets

Credential Theft Barriers
System Configuration
• Storing Credentials in Registry/Memory
• Credential Guard

Access Control
• Local Administrators
• Logon Policies
• Protected Users

Best Practices
• LM Hashes
• Password Policy (Strong, Unique, Rotating)
• ESAE

MFA Supported Applications
• Microsoft
• Web Apps
• VPNs
• Cloud Apps
• Unix
Interactive Login → MFA

No MFA for Non-Interactive Logins
MFA: Interactive Login (login type 2, 10)
No MFA: NTLM / Kerberos (login type 3, 4, 5, 9), authenticated with the NTLM Hash or a TGT / TGS

The STEALTHbits Approach (diagram)
Interactive Login (login type 2, 10) → MFA; the resulting NTLM Hash and TGT / TGS are then used for:
• Normal Logins (login type 3, 4, 5, 9) → No MFA
• Abnormal Logins (login type 3, 4, 5, 9) → MFA
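As an added example (not from the webinar and not StealthDEFEND code), the split above applied to constructed Windows 4624-style logon records: interactive logon types 2 and 10 are where desktop MFA applies, every NTLM logon per target feeds the exception list from the Disable NTLM slide, and an NTLM network logon from a host outside the user's baseline is the kind of "abnormal login" that would get a step-up MFA demand. The event tuples, host names and baseline are constructed sample data.

```python
# Added example: classify constructed 4624-style logon records the way the
# slides do (interactive = MFA covered; network/service = not covered) and
# derive two defender outputs: the NTLM inventory and step-up MFA candidates.
from collections import defaultdict

INTERACTIVE_TYPES = {2, 10}      # desktop MFA prompt applies here
NETWORK_TYPES = {3, 4, 5, 9}     # no MFA: NTLM hash or TGT/TGS is enough

# Constructed sample events: (user, logon_type, auth_package, source_ws, target)
SAMPLE_EVENTS = [
    ("bob", 2, "Kerberos", "WS-BOB", "WS-BOB"),        # desktop logon, MFA seen
    ("bob", 3, "Kerberos", "WS-BOB", "FILESRV01"),     # usual share access
    ("bob", 3, "NTLM", "WS-BOB", "SQL01"),             # legacy app still on NTLM
    ("bob", 3, "NTLM", "WS-UNKNOWN", "FILESRV01"),     # new source host: abnormal
    ("svc_sql", 5, "Negotiate", "SQL01", "SQL01"),     # service logon
]

# Constructed baseline: source workstations each user normally logs on from.
BASELINE = {"bob": {"WS-BOB"}, "svc_sql": {"SQL01"}}


def is_mfa_covered(logon_type):
    """Only interactive logon types ever see the desktop MFA prompt."""
    return logon_type in INTERACTIVE_TYPES


def ntlm_inventory(events):
    """Targets still receiving NTLM logons, with the accounts using them:
    candidates for Kerberos/claims migration or the NTLM-blocking exception list."""
    inv = defaultdict(set)
    for user, _ltype, pkg, _src, target in events:
        if pkg == "NTLM":
            inv[target].add(user)
    return dict(inv)


def step_up_candidates(events, baseline):
    """NTLM network logons from a source host outside the user's baseline:
    the 'abnormal logins' where MFA would be injected on demand."""
    flagged = []
    for user, ltype, pkg, src, target in events:
        if ltype in NETWORK_TYPES and pkg == "NTLM" \
                and src not in baseline.get(user, set()):
            flagged.append((user, src, target))
    return flagged


if __name__ == "__main__":
    print("NTLM still used on:", ntlm_inventory(SAMPLE_EVENTS))
    print("Step-up MFA for:", step_up_candidates(SAMPLE_EVENTS, BASELINE))
```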

Securing Credential Storage - Registry
Number of previous logons to cache

Securing Credential Storage - LSASS
TokenLeakDetectDelaySecs (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)

StealthDEFEND (diagram)
Data Sources: Active Directory, SIEM, Network File Shares
StealthDEFEND: Threats, Response Playbooks, Data Context, Alerts, Investigations

StealthDEFEND Threat Models
Recon: SPN Scanning, Privileged Accounts, Sensitive Servers
Escalate: Kerberoast, Silver Tickets, DC Sync, Password spraying
Move: Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash
Persist: NTDS.dit, AdminSDHolder, Golden Tickets, Skeleton Key
Further threat models on the slide: Trust Tickets, SID History, SPNs, Malicious SSPs

Threat Response – Credential Compromise (playbook diagram)
START BEHAVIOR: Pass-the-Hash / Pass-the-Ticket → MFA
MFA - PASSED → Approve
MFA - DECLINED → CONTAIN: Deny AuthN → CONTAIN: Block Account, Kill Sessions → INFORM: Escalate Incident (Alert, Ticket, etc.)

STEALTHbits’ Solution
Credential & Data Security Suite: collection, monitoring, reporting, alerting, remediation, response

STEALTHbits’ Active Directory Product Portfolio
Product – Purpose
StealthAUDIT for Active Directory – State-based auditing, analysis, reporting, management and governance for Active Directory objects, configurations, and Group Policy Objects
Active Directory Permissions Analyzer – State-based auditing, analysis, and reporting for Active Directory object-level permissions
StealthDEFEND for Active Directory – Real-time monitoring and prevention of Active Directory changes and authentication, attack detection and prevention, and behavior analytics
StealthINTERCEPT for Active Directory – Real-time change monitoring and control for AD objects, configurations, Group Policy Objects, and AD-integrated DNS
StealthINTERCEPT for LDAP – Real-time monitoring of Active Directory LDAP traffic
StealthINTERCEPT Enterprise Password Enforcer – Real-time prevention of weak, well-known, and unapproved passwords
StealthRECOVER – Rollback of undesired changes and recovery of deleted objects

Next Steps
• Learn More
– Attack Tutorials  https://attack.stealthbits.com
– Attack Series  https://blog.stealthbits.com
– Products  https://www.stealthbits.com
• Try Us Out
– Free Trial  https://www.stealthbits.com/free-trial
• Contact Us
– Email  info@stealthbits.com
– Phone  +1.201.447.9300
– Web  https://www.stealthbits.com/contact

©STEALTHbits Technologies, Inc. All rights reserved. STEALTHbits and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of STEALTHbits Technologies as of the date of this presentation. Because STEALTHbits must respond to changing market conditions, it should not be interpreted to be a commitment on the part of STEALTHbits, and STEALTHbits cannot guarantee the accuracy of any information provided after the date of this presentation. STEALTHBITS MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.