ATT&CK Series: Credential Access
April 25, 2019
Once initial access has been obtained, attackers usually need a way of getting into places that their initial foothold can't get to. This can be accomplished via a slew of techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.
In this post, we will delve into some of the most common ATT&CK Credential Access techniques from an adversarial perspective. These techniques do not represent the whole of credential access; however, they are ones that my colleagues and I have seen throughout multiple engagements with our clients across numerous industries.
Link-Local Multicast Name Resolution (LLMNR)/NetBIOS Name Service (NBT-NS) poisoning is one of the most common things that I run into during my engagements. LLMNR/NBT-NS is present in almost any Windows-based environment, as it provides fallback name resolution for internal systems that DNS may not be able to resolve. Because it is so prevalent, poisoning this service is common practice for attackers.
An attacker can use LLMNR/NBT-NS poisoning to respond to any LLMNR/NBT-NS request on the same subnet as the compromised system. If the request is for a service that requires authentication (SMB, WPAD proxy configuration, etc.), the username and the NT LAN Manager (NTLM) password hash are sent to the attacker.
If LLMNR/NBT-NS traffic is running freely, an adversary can collect NTLMv2 hashes from multiple users. Without a strict password policy, the passwords behind these hashes are easily recovered with offline password recovery tools, allowing the credentials to be used within the environment with the same level of access as the legitimate user.
Mitigation comes down to disabling LLMNR/NBT-NS entirely, whether through local security settings or by Group Policy. Since many older environments rely heavily on LLMNR/NBT-NS being enabled, the recommendation in those cases becomes improving the password policy and ensuring SMB signing is enabled on all devices within the environment.
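As an added example (not code from the original post), the script below audits a single Windows host for the three settings just discussed and, optionally, applies them: the Group Policy-backed LLMNR switch, NetBIOS over TCP/IP on each interface, and SMB signing. The registry paths and cmdlets are the documented Windows ones; the two function names are this example's own. Run it in an elevated session.

```powershell
# Added example: audit and harden LLMNR / NBT-NS / SMB signing on one host.
# Function names (Get-NameResolutionExposure, Set-NameResolutionHardening) are
# this example's own; registry paths are the standard Windows locations.
#Requires -RunAsAdministrator

# Policy value written by GPO "Turn off multicast name resolution" (0 = LLMNR off).
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# Per-interface NetBIOS over TCP/IP: 0 = DHCP decides, 1 = enabled, 2 = disabled.
$NetbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NameResolutionExposure {
    # A missing policy value means LLMNR is at its default, i.e. enabled.
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $nbt = Get-ChildItem -Path $NetbtKey | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        }
    }
    $smbServer = Get-SmbServerConfiguration
    $smbClient = Get-SmbClientConfiguration

    [pscustomobject]@{
        LlmnrDisabled            = ($llmnr -eq 0)
        NetbiosEnabledInterfaces = @($nbt | Where-Object { $_.NetbiosOptions -ne 2 }).Count
        SmbServerSigningRequired = $smbServer.RequireSecuritySignature
        SmbClientSigningRequired = $smbClient.RequireSecuritySignature
    }
}

function Set-NameResolutionHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('LLMNR', 'Disable multicast name resolution')) {
        New-Item -Path $LlmnrKey -Force | Out-Null
        Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
    foreach ($iface in Get-ChildItem -Path $NetbtKey) {
        if ($PSCmdlet.ShouldProcess($iface.PSChildName, 'Disable NetBIOS over TCP/IP')) {
            Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
    # "Enabled" signing still permits unsigned sessions with peers that do not
    # sign; "Required" is what actually stops captured NTLM authentication from
    # being replayed to another SMB server, so require it on both sides.
    if ($PSCmdlet.ShouldProcess('SMB', 'Require security signatures')) {
        Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }
}

# Usage: audit first, preview the changes with -WhatIf, then apply for real.
Get-NameResolutionExposure | Format-List
Set-NameResolutionHardening -WhatIf
# Set-NameResolutionHardening
```

In a domain, the same three settings belong in Group Policy rather than a per-host script; the audit function is still useful for confirming that the policy actually landed on a given machine, since the LLMNR policy value being absent (not just non-zero) is the common finding.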
While LLMNR/NBT-NS poisoning has its uses, the level of access an adversary obtains with it is largely a matter of chance and may not allow them to proceed further within the environment. This is where Kerberoasting comes into play, as it provides a way to target accounts that are likely to have higher levels of access.
The name "Kerberoasting" comes from Kerberos, the Windows network authentication protocol, which uses tickets to provide strong authentication between devices. Within a Windows environment, Service Principal Names (SPNs) identify each instance of a Windows service. Kerberos requires that each SPN be associated with a service account. Adversaries can take advantage of this requirement by requesting service tickets for any SPN from a domain controller. The service ticket that is generated is encrypted with the password hash of the service account associated with the SPN. For more information regarding Kerberos, please see the additional reading section of this post.
If an adversary gets hold of a service ticket for any SPN, the ticket can be subjected to offline password recovery attacks to obtain the credentials of that service account. Since service accounts typically run with higher levels of privilege, an adversary can use these accounts to expand their access and escalate their privileges within the environment.
There are a few ways to mitigate Kerberoasting, one of which is proper application of least privilege. Ensuring service accounts have only the bare minimum level of access needed to do their job means a cracked service account cannot be used for lateral movement. Another is to enforce very strong password requirements for service accounts so that offline password recovery attacks are rendered impractical. Lastly, enabling AES Kerberos encryption (or another robust algorithm) in place of the default RC4 reduces risk, since AES-encrypted tickets are far more expensive to attack offline.
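The following is an added example, not code from the original post, covering the Kerberoasting description and the mitigations above from the defender's side. The first function lists the accounts that expose an SPN (the ones whose tickets can be requested) together with whether AES is enabled for them and how old their password is; the second scans Security event 4769 on a domain controller for one principal requesting RC4-encrypted service tickets for many distinct services in a short window. It assumes the ActiveDirectory module (RSAT) and rights to read the DC's Security log; the function names and the threshold values are this example's own.

```powershell
# Added example: audit Kerberoastable accounts and detect bulk RC4 ticket requests.
# Function names (Get-KerberoastableAccount, Get-Rc4TicketRequest) are this
# example's own; attribute and event field names are the standard AD / Windows ones.

$Rc4Hmac = '0x17'      # TicketEncryptionType value for RC4-HMAC in event 4769
$Aes128  = 0x8         # bits of msDS-SupportedEncryptionTypes
$Aes256  = 0x10

function Get-KerberoastableAccount {
    # Any account with an SPN can have a service ticket requested for it.
    # Note: an unset msDS-SupportedEncryptionTypes historically meant the KDC
    # issued RC4 tickets for user accounts, so treat "unset" as not AES.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $enc = [int]($_.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Account         = $_.SamAccountName
            SpnCount        = @($_.ServicePrincipalName).Count
            AesEnabled      = (($enc -band ($Aes128 -bor $Aes256)) -ne 0)
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            # Crude privilege flag: membership in any *Admins / *Operators group.
            PrivilegedGroup = (@($_.MemberOf | Where-Object { $_ -match 'Admins|Operators' }).Count -gt 0)
        }
    }
}

function Get-Rc4TicketRequest {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $d = @{}
        foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        # Keep successful RC4 requests for user (non-machine, non-krbtgt) services.
        if ($d.TicketEncryptionType -eq $Rc4Hmac -and $d.Status -eq '0x0' -and
            $d.ServiceName -notlike '*$' -and $d.ServiceName -ne 'krbtgt') {
            [pscustomobject]@{ Time = $e.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName; Source = $d.IpAddress }
        }
    }
    # One requester pulling RC4 tickets for many distinct services is the pattern
    # worth investigating; a lone RC4 request is usually just a legacy client.
    $rows | Group-Object Requester |
        Where-Object { @($_.Group.Service | Select-Object -Unique).Count -ge $Threshold } |
        Select-Object @{ n = 'Requester'; e = { $_.Name } },
                      @{ n = 'DistinctServices'; e = { @($_.Group.Service | Select-Object -Unique).Count } },
                      @{ n = 'Sources'; e = { ($_.Group.Source | Select-Object -Unique) -join ',' } }
}

# Usage: accounts without AES and with old passwords are the first to fix;
# then review the last day of ticket requests on the DC.
Get-KerberoastableAccount | Sort-Object AesEnabled, PasswordAgeDays -Descending | Format-Table -AutoSize
Get-Rc4TicketRequest -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

The two outputs complement each other: the account audit tells you where the blast radius is (privileged accounts with SPNs, RC4-only, stale passwords), and the event query tells you whether anyone has already been collecting tickets. Once AES is enabled on the service accounts, the 4769 filter on RC4 becomes a much lower-noise signal, because legitimate clients will stop requesting RC4 tickets for them.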
If initial access was obtained by compromising a system with elevated privileges, one of the first things adversaries tend to do is credential dumping. Credential dumping is the act of obtaining account login and password information, either in cleartext or in hashed form, from the compromised system.
On Windows-based systems this is typically done by manipulating the registry or other services that hold NTLM credentials in memory. On Linux-based systems it usually involves scraping the live memory of other programs running on the system; if any of those programs keep passwords in cleartext or hashes in memory, they can be harvested.
Credential dumping can provide an adversary with brand new credentials with varying levels of access. Whether cleartext or hashed, these credentials enable lateral movement throughout the network.
Mitigation for Windows is broken down into multiple parts. Most credential dumping takes place through the Security Account Manager (SAM) database within the registry or by abusing the Local Security Authority Subsystem Service (LSASS) process. Hardening LSASS requires a registry edit to run the process in protected mode (the RunAsPPL value). Protecting the SAM database requires protecting the accounts stored in it: ensure that local administrator accounts have unique passwords on every system in the environment, to prevent password reuse abuse and pass-the-hash techniques.
As for Linux, scraping usernames and passwords from running programs requires root-level permissions. Following best practices to prevent root access, such as keeping software and operating system patches up to date along with long, complex passwords for root, is recommended.
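As an added example (not the original post's code), here is the LSASS registry edit from the Windows mitigation above, wrapped so that it can be audited before and after the change. RunAsPPL takes effect only at the next boot, so the audit also checks the System log for the WinInit event that records LSASS starting as a protected process since the last boot. The registry key and event are the documented Windows ones; the function names are this example's own. Run it elevated.

```powershell
# Added example: audit and enable LSA protection (LSASS as a protected process).
# Function names (Get-LsaProtectionState, Enable-LsaProtection) are this
# example's own; the RunAsPPL value and WinInit event 12 are standard Windows.
#Requires -RunAsAdministrator

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # 1 enables LSA protection; newer builds also accept 2 (enabled without UEFI lock).
    $configured = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    # WinInit writes System event 12 ("LSASS.exe was started as a protected
    # process ...") when the setting is actually in effect at boot.
    $started = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12; StartTime = $lastBoot } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
        Select-Object -First 1

    [pscustomobject]@{
        RunAsPPLConfigured  = ($configured -eq 1 -or $configured -eq 2)
        ProtectedSinceBoot  = ($null -ne $started)
        LastBoot            = $lastBoot
        ProtectedStartEvent = $started.TimeCreated
    }
}

function Enable-LsaProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('LSASS', 'Set RunAsPPL = 1 (effective after reboot)')) {
        Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    }
}

# Usage: check the current state, preview, then apply and reboot.
Get-LsaProtectionState | Format-List
Enable-LsaProtection -WhatIf
# Enable-LsaProtection
```

A host where RunAsPPLConfigured is true but ProtectedSinceBoot is false has simply not been rebooted yet, or has a driver or agent that is not compatible with LSA protection; test the setting on a pilot group before pushing it through Group Policy, since unsigned or improperly signed security products that hook LSASS will fail to load once it is in effect.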
In this blog post we have covered three of the most common credential access techniques used by adversaries after initial access. It is important to note that these are merely a few of the techniques in use today. As techniques and tactics are ever-changing, it is crucial to stay up-to-date with the latest methods attackers are using to escalate privileges in both Windows and Linux environments. By implementing some of the mitigations mentioned here, companies can significantly reduce the amount of lateral movement an adversary can achieve. This series will continue covering various ATT&CK techniques and tactics used today, providing knowledge on risk to networks as well as the respective mitigation strategies.
In our previous posts in this series, we reviewed MITRE's National Cybersecurity Federally Funded Research and Development Center's (FFRDC's) Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) repository of collected cybersecurity data. ATT&CK bridges the gap between multiple offensive security data points, including tactics, techniques, tools, and identified Advanced Persistent Threat (APT) actors. Most of this framework grew out of an interesting project run by Blake Strom of MITRE, called project FMX (Fort Meade eXperiment). In this project, a production network was attacked by Blake and other security professionals who emulated adversarial groups' tactics and techniques. By leveraging data points collected on the network, Blake was able to construct a large part of the ATT&CK framework, which offensive as well as defensive security professionals can use to map potential offensive tactics and techniques.
Related posts in this series, and additional reading:
- ATT&CK Intro - Sept 2018
- ATT&CK Initial Access - October 2018
- ATT&CK Privilege Escalation - November 2018
- ATT&CK Discovery - March 2019
- ATT&CK Persistence - April 2019
- Kerberos Documentation - https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos