
Featured Blog

Defender Credential Guard: Protecting Your Hashes

Virtualization-Based Security to Protect Your Secrets. What is Windows Defender Credential Guard? Windows Defender Credential Guard is a security feature in Windows 10 Enterprise and Windows Server 2016 and above that uses virtualization-based security to protect your credentials. With Credential Guard enabled, only trusted, privileged applications and processes are allowed to access user secrets, or credentials. Without Credential Guard enabled, Windows stores credentials in the Local …

How to Detect Overpass-the-Hash Attacks

Now that we’ve looked at how pass-the-hash and pass-the-ticket attacks work and how to detect them, let’s take a look at overpass-the-hash. Basically, this is a combination of both attacks. The idea of overpass-the-hash is for an attacker to leverage the NTLM hash of another user account to obtain a Kerberos ticket, which can then be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account but require Kerberos authentication…

New – Purpose-Built Active Directory Threat Detection & Response Platform

Adam Laub

Active Directory has always been at the center of it all, but with the advent of highly powerful, incredibly clever tools like Mimikatz, BloodHound, CrackMapExec, and the like, Active Directory has now become the center of attention. Since 2005, STEALTHbits has been providing organizations of all sizes the best products and tools available to understand, manage, and secure their increasingly complex, ever-changing, ever-growing Active Directory environments. Now in 2019, at precisel…

How to Detect Pass-the-Ticket Attacks

In our first post of the series, we looked at some interesting ways to detect the pass-the-hash attack. Pass-the-hash is an effective approach for exploiting NTLM authentication within an Active Directory domain. Pass-the-ticket is an alternate approach which leverages Kerberos authentication to perform lateral movement. In this post we will dive into how this attack works and what you can do to detect it. How Pass-the-Ticket Works: In a pass-the-ticket attack, an a…

How to Detect Pass-the-Hash Attacks

This is the first in a 3-part blog series that will be followed by a webinar on February 28th. Lateral movement techniques are one of the most common approaches attackers use to infiltrate your network and obtain privileged access to your credentials and data. This has been seen recently with modern ransomware such as SamSam and Ryuk. We’ve looked recently at how to detect pass-the-hash attacks using honeypots, and in doing research into the most effective ways to detect this typ…

New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges

STEALTHbits mitigates a new vulnerability that uses Exchange authentication to gain AD Admin privileges. A new attack has been posted by Dirk-jan Mollema, an independent security researcher, that exploits how Exchange uses NTLM over HTTP to authenticate to the Active Directory domain. Read the complete details. This attack combines known vulnerabilities in a new way to achieve privilege escalation that can be used to attack AD. Here is how the attack works. An attacker sends a r…

WDigest Clear-Text Passwords: Stealing More Than a Hash

What happens when a malicious user has access to more than just an NTLM hash? What is WDigest? Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication and Security Layer (SASL) exchanges to authenticate. At a high level, a client requests access to something, the authenticating server challenges the client, and the client responds to …

Implementing Detections for the Honeyhash

In our first post of this series, we explored the Honeyhash and how it can be used to create a honeypot to catch attackers performing credential theft and pass-the-hash attacks. Now that our trap is set, we need to make sure we can catch any attacker in the act who may fall for it. The concept of detection for the Honeyhash is simple. We put a fake account in memory on a system, so let’s see if anybody tries to use it. If they do, we know they used credential theft tech…

Detecting Pass-the-Hash with Honeypots

Credential theft within Windows and Active Directory continues to be one of the most difficult security problems to solve. This is made clear in the Verizon DBIR, where it is reported that the use of stolen credentials is the #1 action identified across data breaches. Microsoft has acknowledged this challenge and responded with a guide on how to mitigate the Pass-the-Hash attack. They have expanded on their recommendations and outlined steps to set up a tiered Active Directory environment…

2018 Threat Hunting Report

67% of organizations are not confident in their ability to uncover insider threats. In response to new challenges, threat hunting is a developing security practice that focuses on proactively detecting and isolating advanced threats. Detecting, preventing and mitigating “insider threats” is the most common reason for an organization to have a threat hunting program. However, in practice, what some call an “insider threat,” others may call “internal security monitoring.” Definitions of what…

© 2021 Stealthbits Technologies, Inc.