Pfe Meriem
Field: Computer Science
Specialty: SSI
Presented by:
LAROUI Meriem
BOUGUERRA Fatima
First of all, we thank God for giving us the strength and health to be
able to finish our thesis that will conclude five years of hard work,
learning, and extraordinary experiences.
“Learning is the only thing the mind never exhausts, never fears,
and never regrets.”
The exponential growth of the information technology industry has led to a significant
increase in cyber attack incidents, with disastrous and grievous consequences. The
cyber security incidents that make headlines around the world typically involve companies of all
sizes and in every industry; these companies are vulnerable to cyber security threats that result in
billions of dollars in financial losses, disruption to operations and supply chains, and
reputational damage among impacted customers and investors.
This urges businesses to implement a solid cyber security strategy and a robust
detection and mitigation plan if they intend to stay afloat in the face of cyber attacks. However,
many businesses cannot afford professional solutions and have limited time and human resources
to devote to protecting against cyber threats, which takes a tremendous level of expertise and years
of experience.
Our objective is to offer a solution that tests the strength of the network's security in an
automated way under real-life conditions. This will be achieved by integrating the tactics,
techniques, and practices of adversaries in a tool that allows its users to understand, analyze and
simulate threats and attacks against a network infrastructure in order to provide valuable insight
into the present and future defensive needs, and counter the threats and vulnerable routes to
critical assets before an adversary exploits them. Our solution is mainly focused on Windows
systems since most enterprise networks today are managed using Windows infrastructures.
Our thesis is composed of four chapters, organized as follows:
In the first chapter, we present the basic notions that we will be utilizing in our project,
starting with the Windows operating system, then moving to the concepts of cyber attack and
defense, and finally the MITRE ATT&CK knowledge framework and how it can be leveraged
to offer up-to-date solutions against the most advanced threats.
The second chapter consists of studying and defining the most omnipresent attacks against
Windows infrastructures, and the weaknesses that allow adversaries to exploit them.
The third chapter will give a global vision of our work by defining and exposing the
conceptual approaches followed to design our solution. It includes the architecture and the
different functionalities offered and the detailed procedures that reflect our reasoning.
The fourth and final chapter presents the implementation of our solution, starting with the
environment and tools used throughout the implementation phase, followed by the
presentation, tests, and scenarios phase, which includes a presentation of our application and a
selection of test scenarios that highlight our work and demonstrate it through use cases,
extended with screenshots of the different steps and results.
We will complete our thesis with a general conclusion that will recapitulate and highlight
the main functions and objectives of our solution, in addition to the future perspectives.
Chapter I : State of the art
1. Introduction
Protection against cyber attacks has become a vital issue for companies nowadays, as attacks
are continuously expanding and becoming more sophisticated, targeted, and often undetected.
With the widespread use of Windows infrastructures, especially within companies, Windows
has become the focal point for adversaries. Security professionals must understand and analyze
available knowledge about these threats in order to develop and deploy the most advanced tools
and techniques to counter them. [1]
In this chapter, we will present the Windows operating system, followed by cyber attacks and
cyber defense techniques. Then, we will explain adversary simulation, and how it is enhanced by
threat intelligence.
Finally, we will present and discuss the MITRE ATT&CK framework, and how it can be
leveraged to offer up-to-date solutions against the most advanced threats.
2.2 History
Microsoft Windows was announced by Bill Gates on November 10, 1983, as a
graphical operating system shell for MS-DOS¹ in response to the growing interest in graphical
user interfaces (GUIs).
The first version of Windows (Windows 1.0) was released in 1985. Since then, the OS has
gone through several major updates. A few of the most notable Windows releases include
Windows 3.1 (1992), Windows 95 (1995), Windows XP (2001), Windows 7 (2009), and
Windows 10 (2015).
The most recent version of Windows is Windows 11, and the most recent version
for server computers is Windows Server 2019. [3]
The following figure represents the timeline of releases of Windows versions.
¹ Short for Microsoft Disk Operating System, MS-DOS is a non-graphical command-line operating system created for IBM-compatible computers and introduced by Microsoft in 1981.
Chapter 1 : State of the art
2.3 Versions
Microsoft offers two major versions of operating systems, each tailored for different use
cases.
2.3.1 Desktop
The Windows desktop operating system is geared towards home or business use for
everyday tasks such as video editing, image manipulation, or coding.
It always comes with a graphical user interface, which makes it easier and more
user-friendly to use. It is optimized for everyday usage and is not meant to run for
extended periods.
2.3.2 Server
Windows Server is designed to run on server hardware, which uses enterprise-grade
components. It allows users to install server roles and features such as Active Directory, DNS
Server, DHCP Server, and Group Policy, as well as many other features which are not
available in desktop editions.
It can run without a graphical interface to minimize the size of the installation. Windows
Server can be deployed either on-site or on a cloud computing service.
² LDAP is a protocol that allows AD to communicate with other LDAP-enabled directory services across platforms.
3. Cyber attacks
3.1 Definition
Cyber attacks are malicious attempts launched by threat actors (also referred to as
cybercriminals, hackers, or adversaries) to gain unauthorized access to a computer, computing
system, or computer network to alter, manipulate or steal data held within these systems.
Cybercriminals use a variety of methods to launch a cyber attack, including malware,
phishing, ransomware, and denial of service, among others.
³ Lockheed Martin is one of the largest companies in the aerospace, military support, security and technology industries. It is principally engaged in the research, development and integration of advanced technology systems, products and services.
⁴ Intelligence-driven defense is a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives and limitations.
The following figure represents the phases of the Cyber kill chain.
The cyber kill chain is mainly used as a management tool to help understand and counter
the different cyber threats that organizations may face, such as insider threats, advanced
malware, and innovative attacks.
⁵ CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws.
4. Cyber defense
4.1 Definition
Cyber defense is the collection of processes and practices which are employed to
prevent and respond to cyber threats. It involves taking active steps to anticipate
adversarial actions and to counter intrusions.
The most common cyber defense activities include:
- Implementing and maintaining hardware and software detection and prevention tools.
- Analyzing, identifying, and patching system vulnerabilities.
- Obtaining and understanding the latest threat intelligence information.
- Periodically performing different types of cyber security assessments.
4.2 Teaming
The concept of teaming in cyber security was modeled after military training exercises.
Cyber security professionals are divided into teams based on the nature of their activities,
whether on the defensive or the offensive side. Some of the most commonly used titles
are Red Team, Blue Team, and Purple Team.
4.2.1 Red team
The red team consists of security professionals who act as an adversary to evaluate
security from the perspective of threat actors. Red team exercises focus on imitating
real-world attack techniques and methods to identify and exploit potential weaknesses
within the organization's cyber defenses. Based on the results, recommendations and
plans on how to strengthen the security posture are drawn up.
4.2.2 Blue team
The blue team is on the defensive side. It consists of professionals who work
continuously on identifying, assessing, and responding to intrusions.
The blue team's main objective is to protect the organization’s critical assets against
any kind of threat by performing an analysis of information systems to
identify security flaws and verify the effectiveness of each security measure. They are
expected to detect, oppose and weaken the red team.
The following figure represents the different perspectives and tasks of the blue
team.
Figure 1.5 The workflow of the Blue, Red and Purple teams
5. Threat intelligence
5.1 Definition
Cyber threat intelligence is organized, analyzed, and refined information about potential
or current attacks that threaten an organization.
It is used to prepare, prevent, and identify new threats and threat actors, by analyzing the
adversarial motives and their tactics, techniques, and procedures (TTPs). [10]
6.2 History
The ATT&CK framework was created by the MITRE Corporation, which is an American
government-funded research organization. The project was launched in 2013 and officially
released in May 2015 on the MediaWiki⁶ platform. [12]
In 2018, the framework was moved from MediaWiki to the attack.mitre.org domain, and
since then many versions have been released, from ATT&CK v1 to ATT&CK v9 (the current version),
which was released on 29 April 2021. [13]
Figure 1.8 Example of the Enterprise matrix, its tactics (first row), and techniques (columns)
The following figure presents an example of the Brute force technique, and its sub-techniques.
Figure 1.9 Example of the Brute force technique, and its sub-techniques
uses ordered phases to describe high-level adversary objectives; however, each stage of the
Cyber Kill Chain can be matched with a set of specific MITRE ATT&CK techniques.
Many researchers feel that the ATT&CK framework has already replaced the Cyber Kill
Chain, which is further demonstrated by the trend of vendors adopting ATT&CK
terminology in their solutions.
6.6.1 The Unified Kill Chain
A unified version of the kill chain was developed in order to offer a significant
improvement over the scope limitations of the Cyber Kill Chain and the time-agnostic
nature of ATT&CK, by uniting and extending Lockheed Martin's kill chain and MITRE's
ATT&CK framework. The unified kill chain is an ordered arrangement of 18 unique
attack phases, which covers the activities that occur in a cyber attack. The unified model can
be used to analyze, compare and defend against cyber attacks by adversaries.
The following figure represents the stages of the unified kill chain.
- Defensive Gap Assessment: ATT&CK can be used to assess existing tools, or test new tools before purchasing, to determine security coverage and prioritize investment.
6.8 Challenges
As with any other solution, using ATT&CK doesn't come without challenges. Some of
the challenges that are often faced while leveraging ATT&CK are:
- Not all techniques are always malicious; some of them can be used for a legitimate reason by a legitimate user. For example, the "Data from Network Shared Drive" technique (T1039) relies on a system feature that allows a user to search network shares on a computer. Adversaries may use it on compromised hosts to find files of interest and collect sensitive data.
- Some techniques have many possible methods of execution. For example, the "Credential Dumping" technique (T1003) can be leveraged in multiple ways and by a vast selection of tools. It is a challenge to try to simulate and defend against all the possibilities.
- Not all techniques in the ATT&CK framework are easy to detect. For example, the "Rogue Domain Controller" technique (T1207)⁷ can be quite difficult to detect with security monitoring tools.
- It requires a high level of expertise, as it may be daunting for organizations with small security teams or junior engineers to process and map the different attacks to the security infrastructure. Prioritizing threats is a must, instead of aiming to protect against every single type of technique.
7. Adversary Simulation
7.1 Definition
Adversary simulation is a red team exercise classified as a white box⁸ activity. It is
a realistic simulation of a malicious actor actively trying to penetrate the system while
evading detection.
The process models an attack scenario that very closely mirrors the tools, tactics, and
procedures of the adversaries, with a pre-defined objective. This objective, for example, can be
accessing a specific sensitive network zone, extracting confidential data, or gaining
administrative level access over the environment.
Adversary simulation provides a complete insight into the security posture of an
organization, such as user awareness, monitoring, and detection capabilities. It also provides
the blue team with the necessary artifacts and indicators of compromise⁹ needed to harden the
defense mechanisms.
⁷ It's an attack where adversaries create a rogue Domain Controller (DC) to manipulate Active Directory data, including objects and schemas, by registering and simulating the behavior of a DC.
⁸ An assessment is classified as white box when the maximum amount of information about the target's system is shared in complete transparency.
⁹ Indicators of compromise are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.
From the definition of the terms in the Cambridge English Dictionary, to "Emulate" is to
behave in the same way as someone else, while to "Simulate" is to produce something that is
not real but has the appearance of being real. [20] [21]
From an attack perspective, adversary emulation is the mimicking of specific advanced
attackers, or advanced persistent threats (APTs)¹⁰. Based on threat intelligence, the APT that is
most likely to target the organization is determined, then its tactics, techniques, and
procedures (TTPs) are employed in an adversary emulation exercise, to test the environment
and be prepared for the potential threat.
On the other hand, during an adversary simulation, the tactics, techniques, and procedures
(TTPs) are employed irrespective of which APTs use them. Adversary simulation focuses
more on simulating an attack that looks real while there is no real adversary.
¹⁰ An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
The following image represents the graphical user interface of the CALDERA web
application.
7.3.2 ATTPwn
ATTPwn, developed by Telefonica security researchers, is a tool that aims to enable
penetration testers to identify potential weaknesses impacting an organization. It is based
on techniques and tactics from the MITRE ATT&CK framework. [23]
ATTPwn can be used to mimic several attack chains against Windows
environments, like privilege escalation¹¹, lateral movement¹² across a network, and
credential dumping. The tool also includes famous exploits that were used in destructive
ransomware attacks like NotPetya and WannaCry.
The functionalities offered by ATTPwn are very much similar to those offered by
CALDERA.
¹¹ Privilege escalation is when adversaries gain access to the privileges of another user account in the target system, with higher privileges than those they currently hold.
¹² Lateral movement refers to the techniques that adversaries use after gaining initial access to move deeper into a network in search of sensitive data and other high-value assets.
The following image represents the graphical user interface of the ATTPwn
platform.
¹³ An agent is a software program that performs tasks on behalf of users.
- Improving security practices by testing against the common risks, and thus detecting the weak points in order to strengthen the security posture and confirm any need for additional investment.
- Offering a low-budget solution for companies with small security teams or no red team, as it represents an automated exercise that doesn't need the intervention of a professional red team.
- Testing the blue team's incident response processes against the threats posing the greatest risks to the infrastructure.
8. Conclusion
In this chapter, we presented the basic notions that we will be utilizing in our project, starting
with the Windows operating system, then moving to the concepts of cyber attack and defense, and
finally the MITRE ATT&CK knowledge framework.
This will allow us to study and define the most omnipresent attacks against Windows
infrastructures, and the vulnerabilities which allow us to exploit and simulate them, which will
be the subject of the next chapter.
Chapter II : Cyber Attacks on Windows Infrastructures
1. Introduction
Adversaries are always on the hunt for the newest ways to abuse vulnerabilities in
different systems. The Windows operating system has always been the main target due to the
nature and implementation of its legitimate functionalities, which adversaries can abuse
for malicious purposes.
In order to analyze, understand, and simulate the different attacks targeted at Windows
infrastructures, the main functionalities that are prone to these attacks should be presented first. In
this chapter, we will study the default authentication protocols in the Windows system, which will
allow us to define the most omnipresent attacks against Windows infrastructures, and the
weaknesses that allow adversaries to exploit them.
¹⁴ The LM protocol was the first used in Microsoft's products and is still the authentication protocol of choice for older operating systems. Its hashing algorithm is based on DES encryption and can only support passwords up to 14 characters. LM is the predecessor of the NTLM authentication protocol.
¹⁵ Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication.
¹⁶ Single sign-on allows the user to log in once and access services without re-entering authentication factors upon each action.
Chapter 2 : Cyber attacks on Windows infrastructures
- The client encrypts this challenge with their NT password hash¹⁷ and returns the result to the server in an authentication message.
- To verify the identity of the user, the server sends the username, the clear-text challenge, and the received response (encrypted challenge) to the domain controller.
- The domain controller encrypts the clear-text challenge with the user's NT password hash, then compares it to the received encrypted challenge. If they are identical, access is granted.
- The server then sends a response back to the client.
The following figure represents the NTLM authentication process.
NTLM was replaced as the default authentication protocol by Kerberos in Windows 2000
and later releases. However, it is still used even on new systems in order to maintain
compatibility with legacy clients and servers, and it is also used for authentication instead of
Kerberos if the latter fails.
NTLM has two versions, NTLMv1 and NTLMv2. NTLMv2 offers better security than its
predecessor by hardening the protocol against some attacks. In NTLMv2, the client
includes a timestamp with the encrypted challenge in order to mitigate replay attacks¹⁸; also,
while NTLMv1 uses a 16-byte random number challenge, NTLMv2 uses a variable-length
challenge.
Several vulnerabilities related to the NTLM authentication protocol have been discovered;
pass the hash and NTLM relaying are among the most famous.
¹⁷ The NT hash is the format used to store hashes in Windows environments starting from Windows Vista; it consists of 32 hexadecimal digits. The NT hashing algorithm applies the MD4 algorithm to the clear-text password encoded in UTF-16-LE.
¹⁸ A replay attack is an attack in which the adversary records a communication session and replays the entire session, or some portion of the session, at a later point in time.
2.2 Kerberos
Kerberos was developed by researchers at the Massachusetts Institute of Technology
(MIT) in the 1980s. The name is derived from the Greek mythological character Cerberus, the
three-headed dog.
Microsoft introduced their version of Kerberos in Windows 2000. It is currently the default
authorization technology used by Microsoft Windows. Implementations of Kerberos exist in
Apple OS, UNIX, and Linux. [25]
The three main security components in the Kerberos protocol are:
- The client who wants to authenticate to a service.
- The server hosting the service that the client wants to authenticate to.
- The key distribution center (KDC), which is run by the Domain Controller. It is composed of the ticket granting server and the authentication server.
The Kerberos authentication process goes as follows:
- The client sends an authentication request (AS-REQ) to the authentication server. This request contains information about the client, like the client's ID and a timestamp (system time) encrypted with the secret key of the client, which is an encryption key derived from the client's password depending on the encryption algorithm used. The encrypted timestamp and client ID, among other attributes, compose what is called the PREAUTH data or the authenticator.
- When the authentication server receives the AS-REQ packet, it verifies the identity of the client by retrieving his password from the Domain controller's database, then it calculates the client's secret key and uses it to decrypt the received authenticator. If it can decrypt it successfully and the obtained system time matches the current time within a 5-minute interval, then the client's identity and the validity of the request are verified.
- The authentication server creates a ticket called the Ticket Granting Ticket (TGT), which includes a Client/TGS session key. The TGT is encrypted with the secret key of the Key Distribution Center service account. The TGT and a copy of the Client/TGS session key encrypted with the client's secret key are then sent to the client via a response message (AS-REP).
  The Key Distribution Center service account is called "KRBTGT"; it is a local default account that acts as a service account¹⁹ for the KDC. This account cannot be deleted, and the account name cannot be changed.
- When the client receives the TGT and the Client/TGS session key, he decrypts the received session key with his secret key; this Client/TGS session key is used for further communications with the TGS.
  The TGT (which cannot be decrypted by the client) is stored in the client's Kerberos tray²⁰ and can be used to request access to different services for a defined period (10 hours by default).
- When the client wants to authenticate to a specific service, he sends the Ticket Granting Ticket (TGT), the ID of the requested service, and an authenticator (client's ID and a timestamp encrypted with the Client/TGS session key) to the Ticket Granting Server via a request message (TGS-REQ).
- The Ticket Granting Server decrypts the TGT with the secret key of the KRBTGT account. The decrypted TGT includes the client's ID and the Client/TGS session key, which is used to decrypt the authenticator to confirm the identity of the client by comparing the client's ID retrieved from the TGT with the one retrieved from the authenticator, and checking the validity of the timestamp.
¹⁹ A service account is an account that is created explicitly to provide a security context for services running on Windows Server operating systems.
²⁰ A special memory area for storing cached Kerberos tickets.
- The TGS generates a TGS ticket for the client to access the service; it includes a Client/Server session key, and the TGS ticket is encrypted using the service's secret key. The TGS ticket is sent to the client via a response message (TGS-REP) alongside the Client/Server session key encrypted with the Client/TGS session key.
- The client decrypts the Client/Server session key with his Client/TGS session key and saves it alongside the TGS ticket in his Kerberos tray. He then sends a copy of the TGS ticket and an authenticator (the client's ID and a timestamp encrypted with the Client/Server session key) to the server where the service is hosted.
- The server uses the secret key of the service account to decrypt the TGS ticket and retrieve the Client/Server session key, then uses it to decrypt the authenticator and check the validity of the request and whether the client has the necessary permission to access the resource. If so, access is permitted.
The following figure summarizes the Kerberos authentication process.
Kerberos is considered a secure protocol, but it has not been sheltered from cyber attacks.
Several ways have been discovered to abuse the nature of the Kerberos protocol or exploit
some of its security weaknesses in order to use it for malicious and unauthorized actions. Some
of the most famous attacks that exploit Kerberos include Kerberoasting, AS-REP Roasting,
Golden tickets, and Silver tickets, among others.
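The AS, TGS and AP exchanges described above, as an added toy model in Python (not code from the thesis, and not a wire-compatible Kerberos implementation): a KDC class plays both the authentication server and the ticket granting server, `seal`/`unseal` stand in for the Kerberos encryption types (a SHA-256 counter keystream with an HMAC-SHA256 tag, constructed for this example), and `string_to_key` is a simplified stand-in for the real string-to-key derivation. The realm EXAMPLE.LOCAL, the user, the service name and the password are constructed. The 5-minute skew window and the 10-hour ticket lifetime are the values the text gives.

```python
import hashlib
import hmac
import json
import os

SKEW = 300                   # authenticator timestamps are accepted within +/- 5 minutes
TICKET_LIFETIME = 10 * 3600  # tickets are valid for 10 hours by default


def string_to_key(password: str, salt: str) -> bytes:
    """Simplified stand-in for Kerberos string-to-key (real encryption types derive differently)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; toy cipher standing in for a Kerberos encryption type."""
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Refuse anything not sealed under 'key' (wrong key or tampering), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: not sealed with the expected key")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(auth: dict, expected_cname: str, now: int) -> None:
    """The client ID must match the ticket and the timestamp must fall inside the skew window."""
    if auth["cname"] != expected_cname:
        raise PermissionError("authenticator client ID does not match the ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator timestamp outside the 5-minute window")


class KDC:
    """Authentication server and ticket granting server sharing the domain's account keys."""

    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.krbtgt_key = os.urandom(32)  # secret of the KRBTGT account; never leaves the KDC

    def as_exchange(self, cname: str, preauth: bytes, now: int) -> dict:
        """AS-REQ in, AS-REP out: verify PREAUTH with the client's key, then issue a TGT."""
        key = self.user_keys.get(cname)
        if key is None:
            raise PermissionError("unknown principal")
        check_authenticator(unseal(key, preauth), cname, now)
        skey = os.urandom(32).hex()  # Client/TGS session key
        tgt = seal(self.krbtgt_key, {"cname": cname, "skey": skey, "exp": now + TICKET_LIFETIME})
        return {"tgt": tgt, "enc_part": seal(key, {"skey": skey})}

    def tgs_exchange(self, tgt: bytes, sname: str, auth: bytes, now: int) -> dict:
        """TGS-REQ in, TGS-REP out: open the TGT with the KRBTGT key, then issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)  # only the KDC can read the TGT
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        skey = bytes.fromhex(t["skey"])
        check_authenticator(unseal(skey, auth), t["cname"], now)
        skey2 = os.urandom(32).hex()  # Client/Server session key
        ticket = seal(self.service_keys[sname],
                      {"cname": t["cname"], "skey": skey2, "exp": now + TICKET_LIFETIME})
        return {"ticket": ticket, "enc_part": seal(skey, {"skey": skey2})}


def service_accept(service_key: bytes, ticket: bytes, auth: bytes, now: int) -> str:
    """AP-REQ check on the host running the service; returns the authenticated client ID."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    check_authenticator(unseal(bytes.fromhex(t["skey"]), auth), t["cname"], now)
    return t["cname"]


def run_client(kdc: KDC, cname: str, password: str, sname: str, service_key: bytes,
               now: int, clock_offset: int = 0) -> str:
    """Whole client side: AS-REQ/REP, TGS-REQ/REP, then AP-REQ to the service.
    clock_offset makes the client's authenticators carry an older timestamp."""
    ckey = string_to_key(password, "EXAMPLE.LOCAL" + cname)  # realm + principal as salt
    ts = now - clock_offset
    rep = kdc.as_exchange(cname, seal(ckey, {"cname": cname, "ts": ts}), now)
    skey = bytes.fromhex(unseal(ckey, rep["enc_part"])["skey"])  # the client cannot open the TGT
    rep2 = kdc.tgs_exchange(rep["tgt"], sname, seal(skey, {"cname": cname, "ts": ts}), now)
    skey2 = bytes.fromhex(unseal(skey, rep2["enc_part"])["skey"])
    return service_accept(service_key, rep2["ticket"], seal(skey2, {"cname": cname, "ts": ts}), now)


def demo() -> tuple:
    """Constructed domain with one user and one service.
    Returns (authenticated client, whether a 10-minute-old authenticator was refused)."""
    svc_key = os.urandom(32)
    kdc = KDC({"alice": string_to_key("Winter2021!", "EXAMPLE.LOCALalice")},
              {"HTTP/web01": svc_key})
    now = 1_620_000_000
    who = run_client(kdc, "alice", "Winter2021!", "HTTP/web01", svc_key, now)
    try:
        run_client(kdc, "alice", "Winter2021!", "HTTP/web01", svc_key, now, clock_offset=600)
        stale_refused = False
    except PermissionError:
        stale_refused = True
    return who, stale_refused


if __name__ == "__main__":
    print(demo())  # ('alice', True)
```

What the model makes visible: the client never opens the TGT (it is sealed under the KRBTGT key), the TGS learns the client's identity only from the ticket and checks it against the authenticator, and a stale authenticator is refused by the same check at every hop. It also shows why the KRBTGT key is so sensitive: whoever holds it can produce a TGT the KDC will accept, which is what the Golden ticket attack named above depends on.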
When adversaries obtain the challenge encrypted with the NT password hash of a
victim, they can either attempt to crack it using the clear-text challenge and a word list to
obtain the clear-text password, or relay it across the network in an attempt to impersonate a
legitimate user.
This attack is widely exploited by adversaries because the LLMNR/NBT-NS protocols
are both enabled by default on systems running Windows Vista and later. In addition, a wide
range of services running on Windows systems still rely on NTLM authentication by default,
such as SMB.
- The attacker passes the correctly encrypted challenge to the target and successfully authenticates.
- The attacker terminates the session with the victim by sending a failed authentication response.
The following figure demonstrates the SMB relaying attack process.
In order to relay authentication packets to a target host, the host must have SMB
signing set to "not required". SMB signing is a Windows feature that digitally signs SMB
packets; this security mechanism is part of the SMB protocol and is also known as security
signatures. It is used to confirm the origin and authenticity of incoming packets in order to
eliminate man-in-the-middle attacks.
By default, on systems running Windows (except server editions), SMB signing is
set to 'not required', which makes this attack widely used by adversaries.
²¹ Post-exploitation techniques are techniques used once a victim's system has been compromised by the attacker.
authentication; when the key is extracted from memory, it is used to decrypt the encrypted
passwords and recover the clear-text password.
The stored information represents the credentials of users with active Windows
sessions; keeping it in memory lets users seamlessly access network resources without re-entering
their credentials each time.
Adversaries may attempt to dump the LSASS process memory from the target host,
then remotely transfer the dump file to their command and control server²² in order to
extract credentials more stealthily.
3.4.3 NTDS
It is a sub-technique of the Credential Dumping technique, identified as T1003.003.
NTDS (New Technologies Directory Services) is a database that stores information about
domain members, including the password hashes of domain users, in order to verify users and
credentials. This database is only found on Windows Server machines that are domain
controllers.
By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS on a
domain controller. Adversaries may attempt to dump the content of the NTDS file using
built-in Windows utilities such as ntdsutil.exe, one of the key tools for managing
Active Directory and its database, or other techniques such as shadow copies. Volume Shadow
Copy is a technology included in Microsoft Windows that can create backup copies or
snapshots of files or volumes even while they are in use; it is implemented as a Windows
service called the Volume Shadow Copy service.
²² A command-and-control (C&C) server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
²³ The RID uniquely identifies a security principal relative to the local or domain security authority.
²⁴ The Local Security Authority (LSA) is a protected system process that authenticates and logs users onto different machines; it maintains information about all aspects of local security on a computer.
Adversaries may attempt to extract LSA secrets from memory or the registry.
Credentials stored as LSA secrets might include default passwords if auto-logon is
enabled, the NL$KM secret key, which is the key used to encrypt cached domain
passwords, password hashes of service accounts, system account passwords, and private
user data like EFS²⁵ encryption keys.
3.4.6 DCSync
DCSync is a sub-technique of the Credential Dumping technique, identified in
MITRE ATT&CK as T1003.006. With DCSync, adversaries can retrieve credentials from
the domain controller database without having to gain a session on the domain controller
and execute malicious code there; they just need to compromise a domain user that has
enough privileges and then simulate the behavior of a domain controller in order to
retrieve information from it via domain replication protocols.
Domain replication in Active Directory is a service that replicates the content of the
Active Directory in order to ensure that the information held by the different domain
controllers stays updated and synchronized. This attack is widely used by adversaries: it
takes advantage of valid and necessary functions of Active Directory which cannot be
turned off or disabled, and it is a stealthy attack since it doesn't require the attacker to log
into or execute malicious code on the domain controller.
Adversaries may attempt to leverage a DCSync attack by :
-Discovering the domain controllers in the specified domain name.
-Mimicking a domain controller and sending a replication request to a legitimate domain
controller using the Microsoft Directory Replication Service Remote Protocol (MS-DRSR),
which is a protocol used for replication and management of data in Active Directory.
-The replication request can be submitted by means of the GetNCChanges function, which
prompts the legitimate domain controller to replicate the domain credentials back to the
attacker.
-The attacker receives the replicated credentials from the domain controller.
[25] The Encrypting File System (EFS) on Microsoft Windows is a feature that enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
[26] It's the MD4 hash of the password, followed by the username in lower case; the result is hashed again with MD4.
[27] An access token is an object that contains the security credentials for a login session and identifies the user, the user's groups, and the user's privileges, among others.
The following figure describes the pass the hash attack process.
3.7.1 Kerberoasting
Kerberoasting is a post-exploitation, lateral movement, and credential access attack;
it is identified in MITRE ATT&CK as sub-technique T1558.003 of the Stealing or
forging Kerberos tickets technique.
Kerberoasting abuses a combination of weak encryption, a poor service account
password policy, and the nature of the Kerberos protocol. This attack allows adversaries
to harvest Active Directory service account hashes for offline cracking.
Adversaries attempt this attack after they have gained an initial foothold in the
network as a valid domain user, which allows them to query and discover accounts with
Service Principal Names (SPNs) through SPN scanning, performed via LDAP queries to a
domain controller. In Windows systems, SPNs identify service accounts that support
Kerberos authentication. These service accounts can be linked to domain host or user
accounts. Host service accounts are associated with the computer accounts in Active
Directory; they have a randomly generated 128-character password which is changed
every 30 days, hence it is almost impossible to crack with brute force or wordlist attacks.
Domain user service accounts with weak passwords, on the other hand, are the ones
exploited in the Kerberoasting attack.
After determining the available service accounts in the domain, adversaries
authenticate to the domain in order to receive a Ticket Granting Ticket (TGT) from the
authentication server in the Key Distribution Center (KDC). Upon obtaining a valid TGT,
they can request a service ticket for a specific service they wish to compromise; the
Ticket Granting Server (TGS) then creates a TGS ticket and encrypts it with the service
account's secret key.
At this point, only the service and the domain controller are capable of decrypting
the ticket, since those are the only two entities that share the secret key of the service
account.
In a legitimate Kerberos authentication, the TGS provides the user with the TGS
ticket, which the user presents to the server hosting the service. The server decrypts the
ticket with the service account's secret key and determines whether the user has
sufficient permissions to access the service. Adversaries abuse this process by
extracting the TGS ticket from system memory (specifically, the Kerberos tray) after it is
sent by the TGS, and then attempt to crack the service account's secret key offline by
brute force or dictionary attacks on the obtained TGS ticket.
The service accounts' secret keys are derived from the password according to the
encryption algorithm used. The default Kerberos encryption algorithm for Windows
systems (starting from XP/Windows Server 2003) is AES256; however, the older RC4
algorithm is still used for backward compatibility. RC4 is a weak algorithm that relies on
the NT password hash as the secret key, which makes it very vulnerable to dictionary
attacks, unlike the AES algorithm which includes a salt and is therefore much harder to
crack. When a service ticket is requested by an adversary, they can specify the encryption
type in the body of the TGS-REQ request; RC4 is requested to ensure that the service
account's NTLM password hash is used to encrypt the service ticket.
The following figure describes the process of the Kerberoasting attack.
[28] PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language.
over a target user, they can maliciously modify the user account's attributes so that
pre-authentication is not required, attempt AS-REP Roasting, and then reset the value.
Moreover, this attack takes advantage of the weak RC4 encryption algorithm, which
relies on the user's NT hash as the secret key and therefore makes cracking it an easy task;
RC4 is specified as the encryption type by adversaries when a TGT is requested.
The following figure summarizes the process of this attack.
adversaries to keep using the Golden ticket even if the KRBTGT's password was reset
once.
The following figure describes the Golden ticket attack process.
Even though silver tickets are limited to compromising one target service, they are
still widely used by adversaries, especially when the obtained service account hash can't be
easily cracked or passed around. Also, a silver ticket can be created and manipulated to
include elevated privileges for its user, which can be used to gain full control over a
service that wasn't fully accessible with the compromised hash (when the compromised
user doesn't have enough privileges to fully manipulate the service).
4. Conclusion
In this chapter, we presented an overview of the main authentication protocols used on
Windows systems that are widely targeted by adversaries. This allowed us to study their
weaknesses and vulnerabilities, and the different techniques used by adversaries to abuse them,
based on the MITRE ATT&CK knowledge framework.
This will allow us to move to the conception stage, which will be the subject of the next
chapter.
Chapter III :
Analysis and Conception
1. Introduction
In the previous chapter, we defined the techniques most used by adversaries based on the
MITRE ATT&CK knowledge framework. This allowed us to study these techniques and expound
the weaknesses and vulnerabilities that allow adversaries to exploit legitimate Windows features for
malicious purposes.
This will allow us to move to the next step, which is the conception and analysis phase. It is
introduced by defining the problem statement that pushed us towards working on this solution, and
the objectives that it aims to reach. Next, we define the functionalities and the general
architecture of our solution, followed by a presentation of each functionality from a conceptual
point of view by means of explanatory diagrams.
3. Functionalities
Our adversary simulation solution is based on five key functionalities :
-Authentication: Users can create new accounts or log on to their accounts; this ensures that
each user can run their own personalized simulations and has access to the reports of their
simulations.
Chapter 3 : Analysis and conception
-Providing a knowledge framework: For each technique included, a full description is offered.
These descriptions include a full explanation of the technique and the vulnerabilities behind it, the
procedures followed to simulate the technique, and the different ways to detect the attack and
mitigate it. This allows the users of the tool to have a full understanding of the attacks they are
simulating and of the ways to detect and prevent them, whether they are security professionals,
system administrators, or general information technology employees.
-Setting up a simulation session: Before simulating some specific techniques, users must set up
a simulation session where they provide information about the target domain. This information is
used differently depending on the technique.
-Running simulations: There are three different types of simulations that users can run: static
simulation, dynamic simulation, and determining attack paths.
If the user runs a static simulation, they select a technique to simulate from a pre-defined
list, and then select one or multiple procedures to run depending on the chosen technique.
Finally, the user selects a target to run the simulation on; the target can be a single domain
account, a group of domain accounts, or all the domain accounts. Static simulations allow
the user to simulate a specific procedure on a specific target that they chose. These
simulations are used to test the implemented defense and detection mechanisms, to assess
the incident response capabilities of the blue team, or to determine the risk factor presented
by the different attacks, based on the results of the simulation.
When the user runs a dynamic simulation, they have to provide the IP address of the target
subnet. The simulation then runs specific attacks in real time, mimicking the behavior of an
adversary who is actively penetrating the network. The simulation starts by running discovery
and enumeration techniques; then, depending on the result of each step, the next possible
attacks to run are determined and the user chooses the attacks to simulate at each step of the
dynamic simulation. These simulations are useful for red teams to run automated penetration
tests, or for network administrators to run a penetration test without having to rely on a
specialized red team or externalize the task.
Determining attack paths is a functionality that gathers information from the network in
order to assess and review the security configuration issues and weaknesses that an
adversary can leverage during a breach. This helps organizations that struggle to properly
maintain securely configured environments to identify the risks and attack surfaces present
in their environments, and thus to reduce the risk and impact of a security incident by
hardening common attack surfaces.
-Generating reports: Upon completion of a simulation, users are provided with a detailed
report containing the results of the simulation; these results include compromised users,
computers, and data, among others.
To log in, the user submits their username and password. If a user with the submitted
username exists in the database, the password hash related to it and the salt are retrieved.
The entered password concatenated with the retrieved salt is hashed and compared with the
retrieved hash; if the values are equal, access is granted.
The following diagram describes the Login function.
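The login check described above, written here as an added Python example; it is not the thesis's own code. It assumes SHA-256 as the hash function and an in-memory dictionary standing in for the MySQL users table, and the account it creates is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the application's MySQL table
# (assumption: one row per user holding the salt and the hash of password||salt).
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash the password concatenated with its salt (SHA-256 assumed here)."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def register(username: str, password: str) -> bool:
    """Create a new account with a fresh random salt; False if the name is taken."""
    if username in USERS:
        return False
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    return True


def login(username: str, password: str) -> bool:
    """Grant access only if the salted hash of the submitted password matches the stored one."""
    record = USERS.get(username)
    if record is None:
        return False  # unknown user: same outcome as a wrong password
    candidate = hash_password(password, record["salt"])
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("demo_user", "correct horse battery staple")  # constructed account
    print(login("demo_user", "correct horse battery staple"))  # True
    print(login("demo_user", "wrong password"))               # False
```

Each account gets its own random salt, so two users with the same password store different hashes and a leaked table cannot be attacked with one precomputed dictionary for all rows.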
automatic method will use the DCSync sub-technique (T1003.006) of the Credential dumping
technique.
After completing the acquisition of the domain accounts information, this information is
stored in the database and is used in the simulations of post-exploitation techniques.
This process is displayed in the following diagram.
The information that the user has to provide before simulating a sub-technique depends
on the sub-technique itself, except for the simulation name which is required in all the
simulations. The following table lists the information that should be provided by the user
for each sub-technique.
| Sub-technique | Requires a simulation session | Information provided by the user |
|---|---|---|
| Scanning IP Blocks | ❌ | One or multiple IP subnets to scan. |
| Vulnerability Scanning | ❌ | One or multiple IP subnets to scan. |
| Discovery | ✔ | One target host (the compromised host to simulate the sub-technique on). |
| LLMNR/NBT-NS Poisoning | ❌ | One or multiple IP subnets of the target network. |
| LLMNR/NBT-NS Poisoning and SMB Relaying | ❌ | One or multiple IP subnets of the target network. |
| LSASS Memory | ✔ | One or multiple target hosts to execute the simulation on; one or multiple procedures to execute on each target host. |
| Security Account Manager | ✔ | One or multiple target hosts to execute the simulation on. |
| NTDS | ✔ | One or multiple procedures to execute on the target host (the domain controller). |
| LSA Secrets | ✔ | One or multiple target hosts to execute the simulation on. |
| Cached domain credentials | ✔ | One or multiple target hosts to execute the simulation on. |
| DCSync | ✔ | None besides the simulation name. |
| Pass the hash | ✔ | One or multiple domain users whose hash to pass; one or multiple target hosts to pass the chosen users' hash to in an attempt to compromise them; one or multiple procedures to execute on each target host. |
| Pass the ticket | ✔ | The ticket to pass; one or multiple target hosts to authenticate to with the chosen ticket. |
| Kerberoasting | ✔ | One compromised domain user on whose behalf to simulate the attack. |
| AS-REP Roasting | ✔ | One compromised domain user on whose behalf to simulate the attack. |
| Golden Ticket | ✔ | None besides the simulation name. |
| Silver Ticket | ✔ | One or multiple target domain user or computer accounts to generate a silver ticket for access to their resources. |
Table 3.1 Information provided by users before a static simulation
The sub-techniques that can be executed at each step of the dynamic simulation are
determined based on the assets that have been compromised in previous steps. All the
sub-techniques available in static simulations are also available in dynamic simulations,
in addition to two more techniques. The "Lateral movement" technique is executed when
clear text passwords were compromised in previous steps; it connects through the network
with the compromised passwords in order to compromise new hosts and move through the
network. The "Vulnerability exploitation" technique exploits predefined vulnerabilities
that were discovered on hosts in the network; exploiting them compromises the hosts and
thus gains initial access into the network, from which post-exploitation and lateral
movement attacks can be leveraged. The following chart illustrates the functioning of a
dynamic simulation and how the possible sub-techniques to execute at each step are
determined.
and they are easy to determine and exploit by an adversary because, by default, all
authenticated users can read ACEs on all objects. This means that if a user account is
compromised, ACEs can be retrieved on all the objects and potential attack paths can be
quickly determined by adversaries.
Some of the Active Directory object permissions and types that can be exploited to
elevate privileges are :
-GenericAll: Full object control, such as adding users to a group, resetting a user's
password without knowing its current value, registering an SPN on a user object, etc.
-GenericWrite: Update the object's attributes, such as the logon script (which is used
to execute specific commands the next time the user logs on).
-WriteOwner: Change the owner of the target object (if the owner is changed to an
object compromised by the adversary, full control is gained over the target object).
-WriteDACL: Modify the object's ACEs.
-ForceChangePassword: Change the user's password without knowing its current
value.
-AddMember: Add objects to a group.
To determine shadow administrators, a remote connection is established to the domain
controller and the ACEs of the domain users and groups are retrieved via PowerShell.
The following diagram summarizes the functioning of the different sections of the
"Determining attack paths" functionality.
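How the retrieved ACEs can be evaluated once collected, as an added Python example that is not the thesis's own code. It flags direct shadow administrators (non-admin principals holding one of the rights listed above on a privileged object) and, going one step beyond the text, chains ACEs into multi-hop paths, since control of a group carries that group's own rights. The ACE records, principal names and the set of expected right holders are constructed.

```python
from collections import deque
from dataclasses import dataclass

# Rights listed above as usable for privilege escalation
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDACL",
                    "ForceChangePassword", "AddMember"}

# Principals expected to hold such rights over privileged objects (assumption)
EXPECTED_HOLDERS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}


@dataclass(frozen=True)
class ACE:
    target: str     # object the entry is set on (user or group)
    principal: str  # account or group granted the right
    right: str      # e.g. "GenericAll"


# Constructed ACEs standing in for the ones the tool retrieves via PowerShell
SAMPLE_ACES = [
    ACE("Domain Admins", "SYSTEM", "GenericAll"),
    ACE("Domain Admins", "Helpdesk", "AddMember"),    # a group may add members to DA
    ACE("Helpdesk", "jdoe", "GenericAll"),           # jdoe fully controls Helpdesk
    ACE("Domain Admins", "svc_backup", "WriteDACL"),  # service account can edit DA's ACEs
    ACE("alice", "bob", "ForceChangePassword"),
    ACE("alice", "jdoe", "ReadProperty"),             # harmless right, ignored
]


def shadow_admins(aces, privileged):
    """Non-admin principals holding a dangerous right directly on a privileged object.

    Returns {principal: set of (target, right)}.
    """
    findings = {}
    for ace in aces:
        if (ace.right in DANGEROUS_RIGHTS and ace.target in privileged
                and ace.principal not in EXPECTED_HOLDERS):
            findings.setdefault(ace.principal, set()).add((ace.target, ace.right))
    return findings


def attack_paths(aces, start, privileged, max_hops=4):
    """Breadth-first search for chains of dangerous ACEs from `start` to a
    privileged object; each path is a list of (principal, right, target) hops."""
    edges = {}
    for ace in aces:
        if ace.right in DANGEROUS_RIGHTS:
            edges.setdefault(ace.principal, []).append(ace)
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for ace in edges.get(node, []):
            hop = path + [(ace.principal, ace.right, ace.target)]
            if ace.target in privileged:
                paths.append(hop)
            elif ace.target != start and ace.target not in {h[2] for h in path}:
                queue.append((ace.target, hop))  # controlling the target grants its rights
    return paths


if __name__ == "__main__":
    print(shadow_admins(SAMPLE_ACES, {"Domain Admins"}))
    print(attack_paths(SAMPLE_ACES, "jdoe", {"Domain Admins"}))
```

In the sample, jdoe never appears on the Domain Admins object itself, which is why the direct check alone misses the two-hop path through the Helpdesk group; reviewing both outputs is what turns a list of ACEs into a remediation list.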
Vulnerability scanning
In order to simulate the vulnerability scanning technique, the user specifies one or
multiple IP subnets to scan for vulnerabilities. This technique scans the network to
discover live hosts; for each host, it tries to determine the services running on open ports
and the versions of these services. When service versions are retrieved, they are checked
against one or multiple databases of known vulnerabilities to determine whether a
vulnerability affecting a deployed service is present on the network.
The following diagram summarizes the functioning of this simulation.
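The version check at the end of that process, as an added Python example that is not the thesis's scanner: detected service banners are matched against a small known-vulnerability database by affected-version range. The database entries, their VULN-EXAMPLE identifiers and the scan results are constructed placeholders, not real advisories.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownVulnerability:
    vuln_id: str          # constructed placeholder identifier, not a real advisory
    product: str          # product name as the scanner reports it (matched case-insensitively)
    first_affected: str   # lowest affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive); "" if no fix is known
    severity: str


@dataclass(frozen=True)
class DetectedService:
    host: str
    port: int
    product: str
    version: str


def parse_version(text, width=4):
    """Turn '7.2p2' or '2.4.49' into a fixed-width tuple of ints so that
    versions of different lengths compare correctly (non-numeric tails ignored)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_affected(service, vuln):
    """True when the product matches and the version lies in [first_affected, fixed_in)."""
    if service.product.lower() != vuln.product.lower():
        return False
    version = parse_version(service.version)
    if version < parse_version(vuln.first_affected):
        return False
    if vuln.fixed_in and version >= parse_version(vuln.fixed_in):
        return False
    return True


def match_vulnerabilities(services, database):
    """Map (host, port) to the identifiers of the vulnerabilities its service matches."""
    findings = {}
    for svc in services:
        hits = [v.vuln_id for v in database if is_affected(svc, v)]
        if hits:
            findings[(svc.host, svc.port)] = hits
    return findings


# Constructed database and scan results (placeholder ids, invented ranges and hosts)
SAMPLE_DATABASE = [
    KnownVulnerability("VULN-EXAMPLE-001", "openssh", "7.0", "7.4", "high"),
    KnownVulnerability("VULN-EXAMPLE-002", "apache httpd", "2.4.0", "2.4.50", "critical"),
    KnownVulnerability("VULN-EXAMPLE-003", "apache httpd", "2.4.49", "2.4.50", "critical"),
]
SAMPLE_SERVICES = [
    DetectedService("10.0.0.10", 22, "OpenSSH", "7.2p2"),
    DetectedService("10.0.0.10", 80, "Apache httpd", "2.4.49"),
    DetectedService("10.0.0.11", 22, "OpenSSH", "8.9p1"),
    DetectedService("10.0.0.11", 443, "Apache httpd", "2.4.50"),
]


def scan_findings():
    """Run the matcher over the constructed sample."""
    return match_vulnerabilities(SAMPLE_SERVICES, SAMPLE_DATABASE)


if __name__ == "__main__":
    for (host, port), ids in sorted(scan_findings().items()):
        print(f"{host}:{port} -> {', '.join(ids)}")
```

A banner-only match is a candidate, not a confirmed vulnerability: back-ported fixes keep the old version string, so the report should present these as findings to verify rather than as exploitable hosts.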
[29] Malware obfuscation is a process that makes textual and binary data difficult to understand. It helps adversaries hide critical words (known as strings) a program uses, because they reveal patterns of the malware's behavior.
[30] DLL files are binary files that are dynamically linked with the programs that use them during execution rather than being compiled into the main program (they are loaded when they are required).
Security account manager (SAM), LSA Secrets, and Cached domain credentials
If the user wants to simulate the LSA secrets or Cached domain credentials dumping
sub-techniques on a specific host, the HKEY_LOCAL_MACHINE\SECURITY registry
key is copied on the target host. If the user wants to simulate the Security account
manager (SAM) dumping sub-technique, the HKEY_LOCAL_MACHINE\SAM registry
key is the one copied. After connecting to the host, the registry keys are copied by the
reg.exe process, a process built into Windows that enables modifying the registry via
command prompts or scripts and exporting copies of registry keys to external files. Once
the copy files are generated, they are transferred to the simulation host, where they are
parsed to extract information from them, and then deleted from the target host.
The following diagram details the functioning of this simulation.
Figure 3.17 The functioning of the SAM, LSA, and Cached credentials, simulation
NTDS
To extract credentials from the NTDS.dit file on the domain controller, the domain
controller must be compromised first. To simulate this sub-technique, two procedures
are available :
Volume shadow copy: Volume Shadow Copy is a Windows service that allows taking
backups of drives while they are locked and in use by the operating system; its
legitimate usage is to provide backup files that can be used to restore the previous state
if a problem occurs. Once a shadow copy is created for a specific drive, files on it are
accessible and can be copied to other locations. To create volume shadow copies, tools
like Vssadmin are used; it is a default Windows process that creates and manipulates
shadow copies.
The steps followed to simulate this procedure are :
-Locate the NTDS.dit file and determine the drive it's stored on.
-Create a volume shadow copy for that drive using vssadmin.exe.
-Copy the NTDS.dit file and the SYSTEM hive (which contains the keys necessary to
decrypt the NTDS.dit file) from the shadow copy to a temporary folder.
-Transfer the NTDS.dit and SYSTEM hive files from the temporary folder to the
simulation host.
-Delete the files and the shadow copy from the target host.
-Parse the files offline to extract credentials and insert them into the database.
The following diagram summarizes the functioning of this simulation.
DCSync
This technique allows retrieving information from the domain controller database
without having to obtain a session on the domain controller. A user with replication
rights must be compromised to execute this technique from their context.
After access is granted to the target host, sending commands and retrieving their
output depends on the procedure used. There are four different procedures that can be
executed, each producing different indicators of compromise. The procedures are :
Through SMB (PsExec): PsExec is a command-line utility built for Windows as part
of the Sysinternals suite [31]; it allows administrators to launch and execute interactive
command prompts on remote computers without having to manually install client
software. This tool is made for legitimate purposes but has been exploited by adversaries
because it authenticates to SMB via the NTLM protocol, which allows them to use it for
remote code execution through the pass the hash technique when only the user's password
hash is known.
It connects to the ADMIN$ share through SMB, transfers a binary executable to the
target and places it in the ADMIN$ share folder, then creates a service called
PSEXECSVC; this service points to the binary and runs it to create a named pipe [32]
that can be used to send commands to the target host and retrieve results from it. Upon
completion of its task, the service is stopped and the binary file is deleted from the
ADMIN$ share folder.
The following diagram represents the functioning of this procedure.
[31] Windows Sysinternals is a suite of more than 70 freeware utilities, initially developed by Mark Russinovich and Bryce Cogswell, that is used to monitor, manage and troubleshoot the Windows operating system.
[32] Named pipes provide communication between processes on different computers across a network.
Through SMB (SMBexec): SMBexec connects to the target host's ADMIN$ share
via SMB and allows remote code execution. Instead of transferring an executable file, it
transfers every command in a batch [33] file to the target machine via SMB; a service
is then created that runs the batch file and redirects the output to a temporary file placed
on a readable SMB share, and the temporary file is transferred to the attacker's machine.
When the execution is finished, the files and the created service are deleted.
The following diagram represents the functioning of this procedure.
[33] A batch file is a file used to execute commands with the Windows Command Prompt (cmd.exe). It contains a series of line commands in plain text that are executed to perform various tasks.
Figure 3.24 Sequence diagram describing the procedure 'Pass the hash through WMI'
Through scheduled tasks over RPC: Adversaries can connect to a target by passing
the hash through Remote Procedure Call (RPC), a protocol that a process can use to
request a service from another process located on another host on the network. The
requested service is the Task Scheduler service, which registers a task with the command
to execute in its action section. The task uses the cmd.exe process to run each command
and redirects the output to a temporary file in the ADMIN$ share. The task is run to
execute the command; after the command execution the task is deleted, a connection
is established to the ADMIN$ share over SMB to retrieve the output file, and the output
file is then deleted.
The following diagram represents the functioning of this procedure.
Figure 3.25 Sequence diagram describing the procedure 'Pass the hash through RPC'
One of the objectives behind this simulation is to determine the attack surface that
can be obtained upon compromising a specific user. For example, the following diagram
represents a simulation where 3 users are chosen as the initially compromised users and
there are 4 hosts on the network. user1 has elevated privileges on the hosts computer1
and computer2 and thus can connect to them using the pass the hash technique, user2
doesn't have elevated privileges on any host, and user3 has elevated privileges on all the
hosts. This gives an insight into the attack surface that each host is exposed to depending
on the compromised user.
Figure 3.26 Diagram describing an example of the results of the pass the hash technique
Figure 3.27 Sequences diagram of the pass the ticket sub-technique simulation
AS-REP Roasting
The AS-REP Roasting sub-technique can be simulated upon gaining access to the
domain as any valid user; the simulation goes as follows :
-An LDAP query is sent to the target domain controller to find user accounts that do
not require Kerberos pre-authentication.
-For each user with the 'Do not require pre-authentication' attribute set, an AS-REQ
message can be sent without having to provide the user's password in order to encrypt
the authenticator. The AS-REQ packet is crafted to request a TGT; its request body
contains the CNameString, set to the target user name, and the encryption type, set to
RC4_HMAC.
-Once the KDC receives the AS-REQ packet, it replies with a TGT for the target user
sent in an AS-REP packet. This AS-REP packet contains an encrypted part, the session
key encrypted with the target user's NT hash (since RC4 encryption was imposed); this
encrypted data is then cracked using a dictionary attack in order to extract the clear
text password of the target user.
The following diagram summarizes the functioning of the AS-REP roasting sub-technique
simulation.
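The simulations for Kerberoasting (Chapter 2, section 3.7.1), DCSync, pass the hash through PsExec, and AS-REP Roasting above each leave the indicator the text describes: a service ticket requested with RC4, a replication request issued by an ordinary user account, a PsExec-style service installation, and a TGT request without pre-authentication encrypted with RC4. The following is an added Python example, not part of the thesis's tool, that runs a detection rule for each of these four over constructed Windows event records. The event IDs, the encryption type code 0x17 for RC4-HMAC and the replication extended-right GUIDs are standard Windows values; account names, hosts and addresses are invented, and the rules are a simplified reading (a production rule would recognise domain controller accounts by group membership rather than by the trailing `$`).

```python
RC4_HMAC = "0x17"           # Kerberos etype 23 as logged in TicketEncryptionType
PREAUTH_NOT_REQUIRED = "0"  # PreAuthType 0: logon without Kerberos pre-authentication
# Extended rights a replication request needs, as logged in the Properties field of 4662
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed event records reduced to the fields the rules use (all names invented)
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},      # RC4 ticket for a user SPN
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},      # normal AES ticket
    {"EventID": 4768, "TargetUserName": "backup_user", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},      # no pre-auth, RC4
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},      # normal logon
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},        # user pulling replication
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},        # a real DC replicating
    {"EventID": 7045, "ServiceName": "PSEXESVC", "Computer": "WS07",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},                      # PsExec service install
]


def is_kerberoasting(ev):
    """RC4 service ticket for a user service account (computer accounts end with $)."""
    service = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC
            and not service.endswith("$") and service.lower() != "krbtgt")


def is_asrep_roasting(ev):
    """TGT issued without pre-authentication and encrypted with RC4."""
    return (ev.get("EventID") == 4768 and ev.get("PreAuthType") == PREAUTH_NOT_REQUIRED
            and ev.get("TicketEncryptionType") == RC4_HMAC)


def is_dcsync(ev):
    """Replication rights exercised by a principal that is not a domain controller."""
    if ev.get("EventID") != 4662:
        return False
    guids = {g.strip("{}").lower() for g in ev.get("Properties", "").split()}
    return bool(guids & REPLICATION_RIGHTS) and not ev.get("SubjectUserName", "").endswith("$")


def is_psexec_service(ev):
    """Service installation whose name follows the PsExec pattern."""
    return ev.get("EventID") == 7045 and "PSEXE" in ev.get("ServiceName", "").upper()


# (alert label, predicate, field naming the subject of the alert)
RULES = [
    ("Kerberoasting (T1558.003)", is_kerberoasting, "TargetUserName"),
    ("AS-REP Roasting (T1558.004)", is_asrep_roasting, "TargetUserName"),
    ("DCSync (T1003.006)", is_dcsync, "SubjectUserName"),
    ("PsExec service installation", is_psexec_service, "Computer"),
]


def detect(events):
    """Run every rule over every event; returns (label, subject) pairs in event order."""
    alerts = []
    for ev in events:
        for label, rule, field in RULES:
            if rule(ev):
                alerts.append((label, ev.get(field, "?")))
    return alerts


if __name__ == "__main__":
    for label, subject in detect(SAMPLE_EVENTS):
        print(f"{label}: {subject}")
```

The RC4 condition is what makes the first two rules cheap to run: once a domain has moved its service and user accounts to AES, any remaining 0x17 ticket request is worth an analyst's attention, which is also the mitigation side of the weakness described above.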
Golden ticket
To simulate the Golden ticket sub-technique, the hash of the KRBTGT account must
already be compromised. In a static simulation the hash is retrieved from the currently
set up simulation session; in a dynamic simulation it is retrieved from a previously
simulated credential dumping technique where the KRBTGT hash was compromised.
The steps followed to simulate this sub-technique are :
-A TGT ticket is forged by specifying the domain name, the domain SID, the ticket
lifetime (set to 10 years), and an arbitrary PAC.
PAC stands for Privilege Attribute Certificate, an extension to Kerberos tickets that
contains information about the user's privileges. When a user authenticates to a
resource with a Kerberos ticket, the PAC in the ticket is read and used to determine the
privileges of that user and the level of access they have on the resource, without having
to reach the domain controller to query for that information each time. This allows
adversaries to forge a PAC that attributes a high level of access to any user (even if the
user doesn't exist), since the information in the PAC isn't validated (unless validation is
required, which is rare).
The forged PAC includes information about a fake user named GoldenUser. Membership
of the Domain Admins group is defined by adding the RID 512 [34]; this indicates that
the user is part of the Domain Admins group and thus has access all over the network.
When this TGT is presented to the KDC to ask for a TGS for any service, the TGS
will carry a copy of the forged PAC, which will allow access to any resource since the
PAC indicates that the user is a domain administrator.
[34] RID 512 is the relative ID of the Domain Admins group, whose members are authorized to administer the domain.
-The forged TGT is encrypted with the hash of the KRBTGT account.
-The ticket is inserted in the database, and can later be used to request TGSs for
any service via the pass the ticket sub-technique.
The following diagram summarizes the functioning of the Golden ticket sub-technique
simulation.
Silver ticket
To simulate the Silver ticket sub-technique, the hash of a service account (user or
computer) must already be compromised. In a static simulation the hash is retrieved
from the currently set up simulation session; in a dynamic simulation it is retrieved
from a previously simulated credential dumping technique where the target service
account's hash was compromised.
The steps followed to simulate this sub-technique are :
-A TGS ticket is forged by specifying the domain name, the name of the requested
service (its service principal name), the ticket lifetime (set to 10 years), and an
arbitrary PAC. The forged PAC includes information about a fake user named
SilverUser. Membership of the Domain Admins group is defined by adding the
RID 512; this indicates that the user is part of the Domain Admins group and thus
will have elevated privileges on the requested service.
-The forged TGS is encrypted with the hash of the service account.
-The ticket is inserted in the database, and can later be used to request access to the
target service via the pass the ticket sub-technique.
The following diagram summarizes the functioning of the Silver ticket sub-technique
simulation.
7. Conclusion
This chapter gives a global vision of our work by defining and exposing the conceptual
approaches followed to design our solution. It included the architecture and the different
functionalities offered by the application, and the detailed procedures that reflect our reasoning.
This phase will allow us to move to the implementation step, which will be covered in the next
chapter.
Chapter IV :
Implementation and Tests
1. Introduction
In this chapter, we present the implementation of the application, starting with the
environment and tools used throughout the implementation phase. We then move to the
presentation, tests, and scenarios phase, which includes a presentation of our application and a
selection of test scenarios that highlight our work and demonstrate it through use cases and
scenarios illustrated with screenshots of the different steps and results.
2. Working Environment
2.1 Operating system
2.1.1 GNU/Linux
GNU/Linux is a family of open-source Unix-like operating systems based on
the Linux kernel [35]. It includes a vast selection of distributions, each tailored for specific
use cases.
Our solution is intended to work on any Linux-based operating system. The reasons
behind this choice are the flexibility and the stability that Linux operating systems offer,
especially the distributions designed specifically for penetration testing, as they include
multiple pre-installed penetration testing tools and utilities that offer a complete toolbox.
This provides a practical way to interact with many different components of a remote
system and to work at different levels of abstraction by relying on flexible tools that
facilitate the task and, above all, reduce the execution time. Simulating attacks targeted at
Windows environments from a Linux-based operating system is not a problem either,
because the host where the adversary simulation tool is deployed doesn't have to be joined
to the target domain.
2.2 Servers
2.2.1 MySQL
MySQL is a robust, fast, and open-source relational database management system based on SQL (Structured Query Language), the standard language for database processing.
The MySQL server operates in client/server mode. It controls data access to ensure that multiple users can simultaneously use the same database, and guarantees that only authorized users can access data.
2.3 Languages
2.3.1 Python
Python is a high-level, object-oriented, general-purpose, and powerful programming
language. It has a neat and simple syntax that makes the programs readable and easy to
maintain. It supports modules and packages, which encourages program modularity and
code reuse.
2.3.2 SQL
Structured Query Language (SQL) is a programming language that is typically used with relational databases or data stream management systems.
The SQL data manipulation language allows users to search, add, modify, or delete data in relational databases. It is widely used by web developers to communicate with a website's data.
2.3.3 HTML
HTML is the foundation of a webpage. It is a markup language, which defines the
overall structure of the page. It tells a web browser how to display text, images, and other
forms of multimedia on a webpage.
HTML is a formal recommendation by the World Wide Web Consortium (W3C) and
is generally adhered to by all major web browsers, including both desktop and mobile web
browsers.
2.3.4 CSS
Cascading Style Sheets, fondly referred to as CSS, is a simple design language that
allows web designers and developers to style and tune every component that is defined in
HTML. CSS allows controlling the style of fonts, colors, and layout designs as well as a
variety of other effects.
2.3.5 JavaScript
JavaScript is a scripting language embedded in an HTML document. It extends what HTML can do by allowing commands to be executed on the client side, i.e., in the browser rather than on the web server. It also allows developers to perform input controls to validate the fields of a form, to open new windows, or to manage graphical elements.
2.4 Frameworks
2.4.1 Flask
Flask is a web framework written in Python that offers tools, libraries, and technologies suitable for building a web application. It is known as a micro-framework because it is lightweight and only provides the essential components, such as routing, request handling, and sessions.
Flask provides a development server and a debugger, alongside many extensions that can be used to enhance its functionality. This makes it an ideal framework for web application development.
2.4.2 Bootstrap
Bootstrap is the most popular free and open-source framework for creating responsive layouts in web pages with much less effort. It contains HTML, CSS, and JS components for creating forms, buttons, navigation, dropdowns, modals, layouts, and many other interface components.
2.4.3 jQuery
jQuery is a fast and small open-source JavaScript library that simplifies the interactions between an HTML document and JavaScript. It simplifies tasks such as animation and event handling, and comes with an easy-to-use API that works across different browsers.
2.4.5 JSON
JavaScript Object Notation (JSON) is a lightweight data-interchange format that is
based on key-value pairs and ordered lists. Although JSON is derived from JavaScript, it is
3. Test environment
In order to continuously perform tests and validate the functioning of our solution, we set up a test environment that simulates an enterprise domain running on Active Directory. The test environment is set up in a virtualized environment.
36 Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.
37 The Exploit Database is a CVE-compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
38 Security Focus is an online news portal and community created to share general CVE and exploit information with developers and security researchers in a centralized location.
Upon logging into the application, the dashboard contains a list of all the available sub-techniques under each technique.
The menu offers the different functionalities available. The user can set up a simulation session, simulate an attack (static, dynamic, or determine attack paths), or consult the reports of previous simulations.
Upon choosing to start a static simulation, a list of all the available sub-techniques is provided so the user can choose the sub-technique to simulate.
If a dynamic simulation is chosen, the user has to choose between starting a new dynamic simulation or proceeding with an existing one.
The results page, on the other hand, lists all the previous simulations; the user can consult the results of any of them.
After successfully setting up a simulation session, the user can view the information related
to it, or edit some information.
Figure 4.12 Starting the LLMNR/NBT-NS poisoning & SMB relaying simulation
Once the simulation has finished, its reports can be consulted on the results page. The reports of this simulation include a section listing all the hosts on the target network with SMB signing disabled or not required. The second section contains a graphical representation of the compromised host "COMPUTER2", to which we successfully authenticated by relaying the credentials of the user "user1", who attempted to access a share that could not be resolved by DNS on the host "COMPUTER1". It also includes a table of all the poisoned requests, with the users in the column "username" and the hosts in the column "IP Address"; if the credentials were successfully relayed to another host on the network, that host and the level of access obtained on it are shown in the columns "Credentials relayed to" and "Privilege obtained".
Figure 4.13 Reports of the LLMNR/NBT-NS poisoning & SMB relaying simulation
Figure 4.14 Simulating the LSASS memory dumping sub-technique of the Credential dumping technique
Once the simulation is completed, the reports can be consulted on the "View
Results" page. The first section of the report includes the status of the simulation of each
procedure on each host. The second section includes the retrieved credentials and the
extracted Kerberos tickets from each host.
Upon starting the simulation, the "Scanning IP blocks" and "Vulnerability scanning" techniques are run in order to conduct in-depth reconnaissance of the chosen network and identify the vulnerabilities that can be exploited to gain initial access. The reports of the initial simulations are as follows:
- For the IP block scanning, we can see a graphical representation of all the discovered Windows hosts in the network, as well as details about each host such as the host name, OS, domain name, forest name, etc.
- For the vulnerability scanning simulation, the results indicate that three high-severity vulnerabilities were discovered on the network, two of them on the host "COMPUTER1" and one on the host "COMPUTER2". These two vulnerabilities were identified as:
Remote code execution on Windows SMBv1 servers: this vulnerability affects Windows systems that use the SMBv1 file-sharing protocol. It exists in the way the SMBv1 protocol handles certain requests. An adversary can exploit this vulnerability by sending a specially crafted packet to the target, which allows them to execute code remotely on the target. The exploit for this vulnerability is known as "EternalBlue"; it was used to spread one of the most destructive malware families known, "WannaCry".
Remote Desktop Protocol remote code execution vulnerability: this vulnerability affects Windows systems with a vulnerable implementation of the RDP protocol. An adversary can exploit it by sending maliciously crafted packets to targets with RDP enabled, which can lead to the ability to execute arbitrary code remotely. This vulnerability is also known as "BlueKeep".
In order to proceed with this dynamic simulation and chain another attack, the user goes to the dynamic simulations page, chooses 'Proceed with a dynamic simulation', then chooses the simulation they would like to continue (the simulation named 'Dynamic Simulation' in this case). Since at least one vulnerability was discovered on each of the two hosts, the technique that can be simulated next is 'Vulnerability exploitation' for both.
39 WannaCry is a worldwide ransomware attack launched in May 2017. It targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through the EternalBlue exploit.
In this scenario, the user wants to attempt to exploit the vulnerabilities on both hosts in order to gain initial access to them. They choose to exploit the "Remote code execution on Windows SMBv1 servers" vulnerability on the host "COMPUTER2" and the "Remote Desktop Protocol remote code execution vulnerability" on the host "COMPUTER1".
Once the simulation is completed, the reports page shows the results of the vulnerability exploitation technique. Access was obtained on the host "COMPUTER1" after successfully exploiting its vulnerability, while for the other host the exploitation failed.
Now that we have an initial foothold in the network, we can proceed with other techniques, the first one being the "Account discovery" technique.
Once the simulation is completed, the reports page shows the valuable information that an adversary can harvest once they have initial access to the network. This information includes the list of domain controllers, the domain users and their details (including the description attribute, which may contain sensitive information), and the list of domain administrators.
By going back to the dynamic simulation page, we can see the next techniques that can be
simulated on the compromised host.
The results of this simulation include two sections: the first contains the status of the simulation and the second the retrieved password hashes.
From the previous simulation, we can see that the credentials of the user "user3" were cached on, and retrieved from, the host "COMPUTER1", and from the "Account discovery" simulation we learned that the user "user3" has administrative privileges on the domain. If we could crack their hash, we could gain direct access to the domain controller. The next sub-technique to run is therefore Password cracking on the compromised hash.
The reports of this simulation indicate that the password of the user "user3" was
successfully cracked.
Figure 4.29 Proceeding with a dynamic simulation - Lateral movement from dumped passwords
From the reports, we conclude that the domain controller has been successfully
compromised.
Figure 4.30 Reports of the Lateral movement from dumped passwords sub-technique
This scenario demonstrates how an adversary can take control over the whole
network just by gaining access to one under-privileged host and taking advantage of the
present vulnerabilities.
At the top of the reports page for the dynamic simulation, a graphical representation of the simulated techniques and compromised assets is provided at each step of the simulation. At the end of this scenario, the graph is as follows:
Once the simulation is terminated, we can consult the reports to see the retrieved
password hashes of the local users from the compromised host.
Figure 4.33 Reports of the sub-technique Security account manager of the credential dumping technique
Since hashes were compromised, the next technique to simulate is pass the hash, to
try to gain additional access and move laterally through the network via the compromised
credentials.
The reports of the simulation indicate that the user "user1" could successfully
connect to both hosts "COMPUTER1" and "COMPUTER2". This means the host
"COMPUTER2" has been compromised as well.
This scenario demonstrates how an adversary can chain a set of specific techniques
to first gain an initial foothold in the network, then move laterally and compromise
additional assets.
At the end of this scenario, the graph of this dynamic simulation is as follows.
After completing the simulation, the reports page includes the following sections.
The first section lists the domain administrators; this helps to identify over-privileged users and reduce the attack surface.
The second section includes a graphical representation of the access each user has to the different hosts across the network. By enforcing a least-privilege strategy for local administrators, the attack surface shrinks considerably and many attack paths are eliminated.
Figure 4.39 Reports of Determining Attack Paths - Local administrators through the network
The next section is an assessment of the password policy: it attempts to crack the passwords of the domain accounts using the provided wordlist and determines the percentage of weak passwords, in addition to listing the discovered users with weak passwords.
The following section determines the attack paths that adversaries could take to exploit the Kerberoasting and AS-REP Roasting techniques. This is done by extracting the users vulnerable to these attacks that also have weak passwords according to the previous assessment.
Figure 4.41 Reports of Determining Attack Paths - Users vulnerable to Kerberoasting and ASREP roasting
The last part determines the shadow administrators present in the domain by analyzing the ACEs of the configured DACLs. A list of the domain users is provided, and when a user is chosen, all the possible paths that lead to taking control of that user are displayed.
In this example we chose the user "user3", who is a domain administrator; we can see that there are two paths that lead to compromising them. Either directly from the user 'user1', who has the ForceChangePassword right over 'user3', which allows them to change the password of 'user3' without knowing it, or from the user 'user4', who has GenericAll on the target user, which gives them full control over the target. We can conclude that the users 'user4' and 'user1' are shadow administrators.
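The path analysis just described, as an added example that is not the thesis project's code: every Allow ACE granting a control right over a user object is treated as a directed edge, and all acyclic chains ending at the chosen target are enumerated. It generalizes the two direct paths in the text to transitive chains; the ACE data and the set of rights counted as "control" are constructed assumptions.

```python
"""Shadow administrator discovery from Active Directory ACEs.

Added example, not the thesis project's code. It models the DACL analysis
described above: each Allow ACE that grants a control right over a user
object becomes a directed edge trustee -> object, and every acyclic chain
of such edges ending at a chosen target is an attack path. Unlike the two
direct paths in the text, the search also follows transitive chains.
The ACE data and the set of control rights are constructed assumptions.
"""
from collections import defaultdict

# Rights on a user object that let the holder take over that user.
# Assumption for the example; align with your own control-right policy.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                  "ForceChangePassword", "AllExtendedRights"}

# Constructed Allow ACEs as (trustee, right, object), mirroring the scenario
# in the text (user1 and user4 over user3) plus extra edges for depth.
SAMPLE_ACES = [
    ("user1", "ForceChangePassword", "user3"),
    ("user4", "GenericAll", "user3"),
    ("user2", "ReadProperty", "user3"),   # read-only right, not a control edge
    ("user5", "WriteDacl", "user4"),      # transitive: user5 -> user4 -> user3
    ("user3", "GenericAll", "user1"),     # creates a cycle user3 -> user1 -> user3
]


def build_control_graph(aces):
    """Map object -> [(trustee, right)], keeping only control rights."""
    inbound = defaultdict(list)
    for trustee, right, obj in aces:
        if right in CONTROL_RIGHTS and trustee != obj:
            inbound[obj].append((trustee, right))
    return inbound


def find_paths_to(target, inbound, max_depth=5):
    """All acyclic paths of control rights ending at target.

    Each path is a list of (trustee, right, object) hops, source first.
    A visited set stops cycles; max_depth bounds the search on large graphs."""
    paths = []

    def walk(node, suffix, visited):
        for trustee, right in inbound.get(node, []):
            if trustee in visited:
                continue
            path = [(trustee, right, node)] + suffix
            paths.append(path)          # every principal on the chain is a path start
            if len(path) < max_depth:
                walk(trustee, path, visited | {trustee})

    walk(target, [], {target})
    return paths


def shadow_admins(target, inbound, known_admins):
    """Principals that control target without being recognised administrators."""
    sources = {path[0][0] for path in find_paths_to(target, inbound)}
    return sorted(sources - set(known_admins))


def format_path(path):
    """Render a path as 'user5 -[WriteDacl]-> user4 -[GenericAll]-> user3'."""
    text = path[0][0]
    for _trustee, right, obj in path:
        text += f" -[{right}]-> {obj}"
    return text


if __name__ == "__main__":
    graph = build_control_graph(SAMPLE_ACES)
    for p in find_paths_to("user3", graph):
        print(format_path(p))
    print("shadow admins:", shadow_admins("user3", graph, {"user3"}))
```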
6. Conclusion
In this last chapter, we presented the working environment of our project, specifying the different languages and tools we worked with, followed by a presentation of the test environment. We concluded by illustrating the different functionalities of our application through several scenarios in order to give an overview of our solution.
General Conclusion
Through this project, we implemented an adversary simulation tool that allows users to simulate different sets of cyber attacks against Windows infrastructures.
Our solution offers multiple functionalities that fit different aspects of cyber security.
It can be used to test the security policies implemented in the environment in an automated and flexible way, which offers blue teams a convenient, time- and resource-saving solution.
Another use case is to find the security holes in the infrastructure through an automated penetration testing assessment, which gives the red team the ability to view their network from the perspective of an adversary, starting by exploiting security holes and working their way up to the privileged, sensitive assets.
It also offers the possibility to assess the network and find the most common, pre-defined weaknesses and overlooked configurations that allow adversaries to penetrate the infrastructure; this provides a low-budget solution for companies with no security professionals.
Moreover, it offers a knowledge framework that catalogs and explains the different techniques in a constructive way, giving domain administrators the ability to harden the security of their environment and fill the gaps in their knowledge of securing Windows infrastructures.
Working on this project allowed us to discover and manipulate the different aspects of
Windows infrastructures and explore the common weaknesses present in them and most
importantly how malicious actors take advantage of them.
Several improvements to our solution are planned for future work. The most important of them are:
- Enhance and extend the solution by including many more tactics, techniques, and procedures from the most robust knowledge frameworks, such as MITRE ATT&CK.
- Provide users with the ability to dynamically generate, upload, and execute (on the target network's hosts) scripts that correct the misconfigurations and harden the default features behind each implemented technique.
- Expand the solution to cover cloud-based identity and access management services, such as Azure AD.
- Finally, and most importantly, test the solution in a real enterprise environment and scale it to an enterprise-grade solution that can be commercialized and deployed in production environments.
ANNEX
MITIGATION AND DETECTION OF THE DIFFERENT ATTACKS
1. Scanning IP Blocks
Mitigation:
- Focus on reducing the amount of sensitive data exposed externally.
- Disable old protocols that can be exploited to fingerprint hosts on the network, such as SMBv1.
Detection:
- Implement and harden the configuration of network intrusion detection/prevention systems to detect and prevent remote service scans.
- Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities of traffic originating from a single source.
2. Vulnerability scanning
Mitigation:
- Regularly scan systems, especially externally facing systems, and rapidly patch any discovered vulnerabilities.
- Prioritize vulnerability and configuration management, and continuously patch all systems.
Detection:
- Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities of traffic originating from a single source.
- Implement and harden the configuration of network intrusion detection/prevention systems to detect and prevent remote service scans.
3. Account Discovery
Mitigation:
- Prevent domain users from enumerating other domain users, domain admins, and other objects in Active Directory by denying read permissions on certain objects in the domain through access control lists (ACLs). A practical solution is to create a new security group and add the users you want to deny read permissions to; when a user from this group tries to read the domain, they get an 'access denied' message.
Detection:
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
- Monitor for processes that can be used to enumerate user accounts, such as "net user", especially when executed in quick succession.
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
40 net user is a command-line tool built into Windows used to display user account information.
4. LLMNR/NBT-NS Poisoning
Mitigation:
- Disable LLMNR and NBT-NS in the local computer security settings or through a group policy if they are not needed in the environment, or block the traffic of these protocols with network traffic filtering solutions.
- If LLMNR/NetBIOS are needed in the environment, implement a strong password policy to mitigate password cracking (this only hardens the cracking phase and is of no help if the hash is relayed).
- Use solutions like Microsoft LAPS to create strong, random, and unique passwords for local administrator accounts, and automatically rotate them periodically.
Detection:
- Monitor the registry key HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "1" indicates that LLMNR is enabled.
- Implement network intrusion detection and prevention systems that can identify patterns of man-in-the-middle activity.
5. SMB Relaying
Mitigation:
- Enable SMB message signing. Unfortunately, this solution has some downsides, such as decreased performance (especially when there is high demand for the service); also, some devices may not support SMB signing, which leaves them exposed.
- Enforce the principle of least privilege for user accounts by limiting the number of users with local administrative privileges on endpoints in the network. This greatly reduces the risk that an adversary gains access to a large surface by relaying the NTLMv2 authentication of a domain user.
- Enable Kerberos for authentication instead of NTLM.
Detection:
- Implement network intrusion detection and prevention systems that can identify patterns of man-in-the-middle activity.
41 Microsoft LAPS (Local Administrator Password Solution) provides management of local account passwords of domain-joined computers.
42 A security group that protects highly privileged users from credential theft attacks; it ensures that members can't use NTLM or DIGEST (plain-text passwords can't be extracted from LSASS), Kerberos keys aren't reissued automatically (a TGT is required at each logon), credentials are never cached, and RC4 encryption is not used in Kerberos.
- Monitor processes and command-line arguments for program execution that may be indicative of credential dumping.
- Deploy endpoint protection solutions and ensure they are kept up to date.
43 Microsoft Windows Defender Credential Guard uses virtualization to store credentials in protected containers separate from the OS. As a result, the information Credential Guard protects is safe even if malware or some other malicious attack penetrates an organization's network.
44 LSA Protection is a mechanism that provides additional protection for the LSA to prevent memory reading and code injection by non-protected processes.
45 Data exfiltration is the act of transferring data from a compromised computer to a command and control server for offline analysis.
8. DCSync
Mitigation:
- Track in real time the memberships of privileged groups such as Domain Admins and Enterprise Admins, which have replication privileges by default.
- Track in real time when replication permissions (Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes In Filtered Set) are assigned to unauthorized users.
Detection:
- Monitor the network for replication requests made by non-DC hosts.
- Set up a list of IP addresses that are allowed to replicate data (the legitimate domain controllers), and configure an IDS/IPS rule that fires when a GetNCChanges request is made from an IP address that isn't in the whitelist.
- Deploy endpoint protection solutions and ensure they are kept up to date.
9. NTDS
Mitigation:
- Prevent domain administrators from logging on to network endpoints other than the domain controllers and administrative servers, and delegate the remaining tasks to users in a custom administrative group with the least privileges. This reduces the probability that an adversary compromises an administrative account and gains access to the domain controller.
Detection:
- Monitor the command line and processes for commands that can indicate NTDS dumping (such as vssadmin and ntdsutil).
12. Kerberoasting
Mitigation:
- Ensure all service accounts (user accounts with Service Principal Names) have long, complex passwords of more than 25 characters, preferably 30 or more, especially accounts with elevated privileges.
- Ensure that service account passwords are changed regularly (by setting a password policy with a maximum password age attribute).
- Use group managed service accounts, which have random complex passwords (>100 characters) and are managed automatically by Active Directory.
- Disable RC4 support for Kerberos (this requires a minimum of Windows Server 2008 domain functional level and an environment where all Kerberos clients, application servers, and trust relationships to and from the domain support AES).
- Implement the principle of least privilege on service accounts.
- Add service accounts to the Protected Users group.
- Use solutions like Microsoft LAPS to create strong, random, and unique passwords for local administrator accounts, and automatically rotate them periodically.
Detection:
- Monitor the network for TGS-REQ packets with RC4 encryption (Ticket_Encryption_Type=0x17); this may generate many false positives.
- Monitor the network for multiple TGS-REQ requests in a short period of time by a single user. To do so, enable Kerberos service ticket request auditing to log successful Kerberos TGS ticket requests, then search for users with multiple 4769 events (Event ID 4769, "A Kerberos service ticket was requested").
- Create a Kerberos service account honeypot: create a user service account and give it a fake, unique SPN. This service account isn't linked to any legitimate service, so access to it is never requested legitimately. If an attacker gains access to the network and scans for SPNs, the honeypot SPN will also be listed, and the attacker will make a TGS request for the fake service. An IDS/IPS rule can be configured to alert on TGS-REQ packets for the fake SPN.
13. AS-REP Roasting
Mitigation:
- Make sure that all accounts have Kerberos pre-authentication enabled, and audit changes to this setting.
- Carefully consider whether accounts with Kerberos pre-authentication disabled really need it.
- Ensure that all accounts have long, complex passwords of more than 25 characters, preferably 30 or more, especially accounts with elevated privileges.
- Disable RC4 support for Kerberos (this requires a minimum of Windows Server 2008 domain functional level and an environment where all Kerberos clients, application servers, and trust relationships to and from the domain support AES).
- Implement the principle of least privilege on user accounts.
- Add users with elevated privileges to the Protected Users group.
- Use solutions like Microsoft LAPS to create strong, random, and unique passwords for local administrator accounts, and automatically rotate them periodically.
Detection:
- Monitor the network for AS-REQ packets with RC4 encryption (Ticket_Encryption_Type=0x17); this may generate many false positives.
- Monitor the network for multiple AS-REQ packets without an authenticator (the pre-authentication data: a timestamp encrypted with the user's secret) that are answered with a failed login. This can reveal an adversary attempting to enumerate accounts with Kerberos pre-authentication disabled by sending crafted AS-REQ packets for each user.
- Monitor user accounts for changes to the "Do not require pre-authentication" attribute (check event 4738 for changes to the User Account Control 'Don't Require Preauth' value).
- Create a honeypot account: create a unique account with Kerberos pre-authentication disabled and configure an IDS/IPS rule to alert on TGT requests made for that account.
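The event-log checks from sections 12 and 13, as an added example rather than code from the thesis project: RC4 service tickets, bursts of 4769 requests by one user, requests for a honeypot service account, and 4738 changes that enable "Don't Require Preauth". The event records are constructed, and the field renderings and thresholds are assumptions for the example.

```python
"""Event-log indicators for Kerberoasting and AS-REP roasting.

Added example, not code from the thesis project. It implements the checks
listed under sections 12 and 13 above against Windows Security events:
4769 service-ticket requests with RC4-HMAC (0x17), bursts of 4769 requests
by one user, 4769 requests for a honeypot service account, and 4738 account
changes that enable "Don't Require Preauth". The event records and field
renderings are constructed for the example, as are the thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                      # Ticket_Encryption_Type for RC4-HMAC
BURST_COUNT = 5                        # assumed threshold: 4769s per window
BURST_WINDOW = timedelta(minutes=5)    # assumed sliding window
# 4769 reports the account that owns the SPN (ServiceName), so the decoy
# SPN from the annex is matched through its owning account (constructed name).
HONEYPOT_SERVICE_ACCOUNTS = {"svc_decoy"}


def tgs(time, user, service, etype=RC4_HMAC, status="0x0"):
    """Build a constructed 4769 record (fields mirror the real event)."""
    return {"EventID": 4769, "Time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype,
            "Status": status}


SAMPLE_EVENTS = [  # constructed sample data
    tgs("2021-05-10T09:00:01", "alice@CORP", "sql01$", etype="0x12"),  # AES256, benign
    tgs("2021-05-10T09:10:00", "bob@CORP", "sql01$"),
    tgs("2021-05-10T09:10:05", "bob@CORP", "web01$"),
    tgs("2021-05-10T09:10:10", "bob@CORP", "file01$"),
    tgs("2021-05-10T09:10:15", "bob@CORP", "svc_backup"),
    tgs("2021-05-10T09:10:20", "bob@CORP", "svc_report"),
    tgs("2021-05-10T09:10:25", "bob@CORP", "svc_decoy"),                 # honeypot hit
    tgs("2021-05-10T09:30:00", "carol@CORP", "legacy01$"),               # isolated RC4
    tgs("2021-05-10T10:30:00", "carol@CORP", "legacy01$"),
    {"EventID": 4738, "Time": "2021-05-10T11:00:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc_backup",
     "UserAccountControl": "'Don't Require Preauth' - Enabled"},
    {"EventID": 4738, "Time": "2021-05-10T11:05:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "dave", "UserAccountControl": "-"},               # unrelated change
]


def rc4_service_ticket_requests(events):
    """(user, service) pairs for 4769 events issued with RC4-HMAC."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC]


def tgs_burst_users(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Users with >= count successful 4769 events inside one sliding window.

    Returns {user: max events seen in a single window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["Status"] == "0x0":
            per_user[e["TargetUserName"]].append(datetime.fromisoformat(e["Time"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= count:
            flagged[user] = best
    return flagged


def honeypot_hits(events):
    """Users that requested a service ticket for a decoy service account."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4769
                   and e["ServiceName"] in HONEYPOT_SERVICE_ACCOUNTS})


def preauth_disabled_changes(events):
    """(actor, account) for 4738 events that enabled 'Don't Require Preauth'."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4738
            and "'Don't Require Preauth' - Enabled" in e["UserAccountControl"]]


def alerts(events):
    """Human-readable findings, highest confidence first."""
    out = [f"HONEYPOT: {u} requested a ticket for a decoy service account"
           for u in honeypot_hits(events)]
    out += [f"PREAUTH DISABLED: {actor} enabled 'Don't Require Preauth' on {acct}"
            for actor, acct in preauth_disabled_changes(events)]
    out += [f"TGS BURST: {u} made {n} service-ticket requests within {BURST_WINDOW}"
            for u, n in sorted(tgs_burst_users(events).items())]
    out.append(f"RC4 TICKETS: {len(rc4_service_ticket_requests(events))} "
               "RC4-HMAC service tickets issued (low-confidence signal)")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```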
46 It is a set of guidelines and best practices to help organizations build and improve their cyber security posture.
MITRE ATT&CK FRAMEWORK COVERAGE
Throughout our project, we have implemented the MITRE ATT&CK framework as the
knowledge framework used to map the different techniques. To keep track of the covered and
implemented tactics, techniques, and sub-techniques on the different simulations we have been
using the MITRE ATT&CK navigator.
The ATT&CK Navigator is an open-source web application that provides basic navigation and
annotation of the ATT&CK matrices. It is used to visualize coverage of the ATT&CK matrices and
allows the user to manipulate the cells in the matrix (by color coding, adding a comment, assigning a
numerical value, etc.). The techniques that have been implemented and covered in our solution are
highlighted in orange, while the implemented sub-techniques are highlighted in red.
The following figures are screenshots of our ATT&CK Navigator instance.
ABSTRACT
Adversary attack simulation is a solution that lets its users test their detection capabilities
against cyber attacks, measured against the tactics, techniques and procedures used by malicious
actors. It is an approach that puts security to the test under real conditions without taking the
slightest risk, in order to detect weaknesses in the infrastructure's configuration before an adversary
exploits them. Our solution offers companies with Windows-based infrastructures a range of features
for testing and evaluating their security mechanisms. It allows system administrators to discover the
weaknesses and gaps in their architectures, whatever their level of security knowledge, and without
requiring the daily intervention of a professional security team. It also gives security professionals
the possibility to test, quickly and automatically, the defense and incident response capabilities they
have put in place, and to see the network from the adversary's point of view in order to improve the
security posture.
Keywords: adversary attack simulation, blue team, red team, Windows, cyber security,
cyber attack, cyber defense, Active Directory.
SUMMARY
Adversary simulation is a solution that allows its users to test their detection capabilities against
the tactics, techniques and procedures used by cyber criminals. It is an approach that puts cyber
security to the test under real-life conditions without exposing it to the slightest risk, in order to
uncover weaknesses and gaps in the infrastructure before cyber adversaries exploit them. Our solution
gives companies running the Windows operating system the ability to evaluate their security
mechanisms: it allows system administrators to discover the weaknesses and gaps in their architectures
regardless of their level of security knowledge, without having to rely continuously on the
intervention of a professional security team. It also gives cyber security professionals the ability to
test defense and incident response capabilities quickly and automatically, and to see the network from
the adversary's point of view in order to improve the security posture.
Keywords: adversary simulation, Windows, red team, blue team, cyber security, cyber attacks,
cyber defense.