Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

Transcription

1 Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store Mike Middleton Justin Prosco Mandiant, A FireEye Company Mike Middleton Principal Consultant Joined Mandiant in 2010 Forensic, IR, application and network penetration experience Big Yankees fan Attempting to learn guitar This is dog, my human is sleeping. Over. 2

2 Justin Prosco Principal Consultant Joined Mandiant in years of incident response and forensics experience Contributor to Incident Response & Computer Forensics Third Edition 3 Agenda Password Harvesting Techniques from Active Directory Volume Shadow Copy Service (VSS) PowerShell Detecting VSS Password Harvesting Forensic Artifacts and Investigation Techniques Audit Settings Mitigating Password Harvesting Attacks Focus on Windows 2008 &

3 Active Directory Directory Services for Windows Domains Active Directory Data Store ESE (Extensible Storage Engine) file that contains domain user account password hashes Stored on Disk Default Location: %systemroot%\ntds\ntds.dit 5 Password Harvesting Usually involves dumping memory from lsass.exe Typically the best method to obtain account passwords Examples: Mimikatz, Windows Credentials Editor, etc 6

4 Issues for Attackers Involves transferring tools to the remote system Can be detected by Antivirus or HIPS Unsigned code difficult to run on domain controllers using application whitelisting Usually leaves behind forensic evidence of password harvesting 7 Solution: NTDS.DIT If domain controller is secured, take the Active Directory databases for offline password recovery Problem: NTDS.DIT is locked for reading 8

5 Volume Shadow Copy Service Designed to back up files that are in-use First introduced in Windows XP Shadow copies can be created on a regular schedule Windows Task Scheduler Default: No schedule Created when system updates are applied or on application installation 9 Volume Shadow Copy Tools Built-in tools for accessing Volume Shadow Copies: vssadmin: manipulate Volume Shadow Copies ntdsutil: manage the Active Directory Data Store Some backdoors have built-in functionality to control VSS Example: Gh0st RAT Can be manipulated through WMI or PowerShell 10

6 VSS Attack Techniques VSS Attack Techniques Built in utility, vssadmin Visual Basic script, VSSOwn PowerShell Built in utility, ntdsutil 12

7 Technique: vssadmin Command-line utility for interacting with VSS copies Create a volume shadow copy List the available shadow copies Attack technique has been published since 2011 Mount the shadow copy and take the NTDS.DIT file and SYSTEM registry hive for offline hash extraction Leaves almost no forensic evidence of activity 13 Example: vssadmin Create snapshot: C:\Users\mmiddleton>vssadmin Create Shadow /For=C: vssadmin Volume Shadow Copy Service administrative command-line tool (C) Copyright Microsoft Corp. Successfully created shadow copy for 'C:\' Shadow Copy ID: {cf6b4f72-6e28-4b26-a71c-d518734e9c14} Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65 14

8 Example: vssadmin View snapshots: C:\Users\mmiddleton>vssadmin list shadows /For=C: /shadow:{f1c67cf1-8f3a d9b-eb8a69160d1d} Contents of shadow copy set ID: {f1c67cf1-8f3a d9b-eb8a69160d1d} Contained 1 shadow copies at creation time: 8/25/ :29:35 AM Shadow Copy ID: {cf6b4f72-6e28-4b26-a71c-d518734e9c14} Original Volume: (C:)\\?\Volume{e7e1ba e4-80b5-806e6f6e6963}\ Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65 Originating Machine: gatekeeper.ghostbusters.com Service Machine: gatekeeper.ghostbusters.com Provider: 'Microsoft Software Shadow Copy provider 1.0' Type: ClientAccessible Attributes: Persistent, Client-accessible, No auto release, No writers, Differential 15 Example: vssadmin Mount snapshot: C:\Users\Administrator>mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\ symbolic link created for c:\shadow <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\ Access snapshot: 16

9 Evidence: vssadmin Windows System Event Logs Event ID: 7036 The <service name> service entered the <running/stopped> state. Microsoft Software Shadow Copy Provider : Manages softwarebased shadow copies taken by Volume Shadow Copy The Microsoft Software Shadow Copy Provider service entered the running state. The Volume Shadow Copy service entered the running state. The Microsoft Software Shadow Copy Provider service entered the stopped state. The Volume Shadow Copy service entered the stopped state. 17 VSS Attack Techniques Built in utility, vssadmin Visual Basic script, VSSOwn PowerShell Built in utility, ntdsutil 18

10 WMI Attacks vssown.vbs written by Mark Baggett and Tim Tomes in ndows/vssown.vbs Visual Basic script that automates extraction of password hashes from volume shadow copies using WMI Used by targeted attackers 19 Example: vssown.vbs List Volume Shadow Copies cscript vssown.vbs /list Create Volume Shadow Copies cscript vssown.vbs /create C 20

11 Detection Process Tracking in Security Event Logs (EID 4688): cscript.exe (Windows Script Host) wmiprvse.exe (WMI Provider Host) vssvc.exe (Volume Shadow Copy Service) Volume Shadow Copy service start/stop logged in System Event log (EID 7036) No artifacts for listing shadow copies or mounting existing copies 21 VSS Attack Techniques Built in utility, vssadmin Visual Basic script, VSSOwn PowerShell Built in utility, ntdsutil 22

12 PowerShell Attacks Matt Graeber s PowerSploit: Volume Shadow Copies (VolumeShadowCopyTools.ps1) Access locked files (Invoke-NinjaCopy.ps1) 23 Example: PowerSploit (VolumeShadowCopyTools) Script to mount an existing volume shadow copy: Get-VolumeShadowCopy Mount-VolumeShadowCopy -Path $PWD cp $PWD\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit Creates an NTFS reparse point for mount Attacker might forget to delete this No observable changes in registry or event logs with default logging 24

13 Example: PowerSploit (NinjaCopy) Invoke-NinjaCopy Path C:\Windows\NTDS\ntds.dit LocalDestination C:\Windows\Temp\ntds.dit No Event Log artifacts created powershell.exe process logged with object auditing Command line not logged if called from interpreter No Registry artifacts created Potential Shellbags if attacker browses to copied file using Explorer No File artifacts created Potential INDX records or deleted files created after copy 25 VSS Attack Techniques Built in utility, vssadmin Visual Basic script, VSSOwn PowerShell Built in utility, ntdsutil 26

14 Technique: ntdsutil Command-line utility providing management facilities for AD DS and AD LDS Available on AD DS or AD LDS server roles Including in AD DS for RSAT Used by attackers to create VSS copies 27 Example: ntdsutil Create Snapshot: C:\Users\Administrator>ntdsutil ntdsutil: activate instance ntds Active instance set to "ntds". ntdsutil: snapshot snapshot: create Creating snapshot... Snapshot set {a45e4063-e4b5-407b-837c-a38d984ce4ae} generated successfully. snapshot: View Snapshots: snapshot: list all 1: 2014/08/19:18:31 {a45e4063-e4b5-407b-837c-a38d984ce4ae} 2: C: {5d3bef1e-09a9-4abe-82cc-c9bccbe6a8c6} 28

15 Example: ntdsutil Mount snapshot: snapshot: mount 1 Snapshot {5d3bef1e-09a9-4abe-82cc-c9bccbe6a8c6} mounted as C:\$SNAP_ _VOLUMEC$\ Access snapshot: 29 Example: ntdsutil As a one liner: ntdsutil "act inst ntds" "snapshot" "create" q q As a one liner with alternative path: ntdsutil "act inst ntds" "ifm" "create full c:\evil" q q 30

16 Example: ntdsutil 31 Evidence: ntdsutil Windows Application Logs Event ID: 2001: lsass (556) Shadow copy instance 2 freeze started. 2003: lsass (556) Shadow copy instance 2 freeze ended. 2005: lsass (556) Shadow copy instance 2 starting. This will be a Full shadow copy. 2006: lsass (556) Shadow copy instance 2 completed successfully. 32

17 Mitigation and Detection 33 Mitigation and Detection Detecting VSS usage through timeline analysis Detailed Process Tracking Leveraging AppLocker Sysinternals Sysmon Mitigation 34

18 Event Log Timeline Timeline analysis and stacking often effective technique Collect evidence Application, Security, System Operational Task Scheduler Others Reduce evidence Identify patterns Remove known legitimate activity Analyze results %systemroot%\system32\winevt\logs\application.evtx %systemroot%\system32\winevt\logs\security.evtx %systemroot%\system32\winevt\logs\system.evtx %systemroot%\system32\winevt\logs\microsoft-windows-taskscheduler%4operational.evtx 35 Reduce Evidence Take a sip from the fire hose Analyze Event IDs 4904 & 4905 from Security log using vssvc.exe 4904: An attempt was made to register a security event source 4905: An attempt was made to unregister a security event source Are these entries normal backups? 36

19 Reduce Evidence Volume configured for shadow copies List of snapshot 37 Reduce Evidence 38

20 Reduce Evidence 39 Reduce Evidence 40

21 Reduce Evidence Event ID Gen Time Log Message :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source. 41 Reduce Evidence Event ID Gen Time Log Message :00:00 Security An attempt was made to register a security event source An attempt 10:00:00 was Security made to An register attempt was a security made to unregister event a source. security event source. Subject : :00:00 Security An attempt was made to register a security event source. Security ID: NT AUTHORITY\SYSTEM :00:00 Account Security Name: An attempt was GATEKEEPER$ made to unregister a security event source :00:00 Account Security Domain: An attempt was GHOSTBUSTERS made to register a security event source. Logon ID: 0x e :00:00 Security An attempt was made to unregister a security event source. Process: :00:00 Process Security ID: An attempt was 0x made to register a security event source :00:00 Process Security Name: An attempt was C:\Windows\System32\VSSVC.exe made to unregister a security event source. Event Source: :00:00 Security An attempt was made to register a security event source. Source Name: VSSAudit :00:00 Event Security Source An ID: attempt was 0x ccbd made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source. 42

22 Reduce Evidence Event ID Gen Time Log Message :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source. Remove entries corresponding :00:00 Security An attempt was made to unregister a security event source. twice daily VSSVC backups :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source :00:00 Security An attempt was made to register a security event source :00:00 Security An attempt was made to unregister a security event source. 43 Reduce Evidence Take another sip from the (now) garden hose Determine if Scheduled Tasks run backups Remove any applicable entries HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShadowCopyVolume{GUID} C:\WINDOWS\Tasks\ShadowCopyVolume{GUID} 44

23 Reduce Evidence Event ID Gen Time Log Message :55:16 Security An account was successfully logged on. New Logon: Security ID: Account Name: Account Domain: Logon ID: GHOSTBUSTERS\Administrator Administrator GHOSTBUSTERS 0x f2df :55:16 Microsoft- Windows- TaskScheduler :55:16 Security An account was logged off. Network Information: Workstation Name: RSTANZ Source Network Address: User "\Administrator" updated Task Scheduler task "\evil Subject: Security ID: Account Name: Account Domain: Logon ID: GHOSTBUSTERS\Administrator Administrator GHOSTBUSTERS 0x f2df 45 Reduce Evidence Event ID Gen Time Log Message :02:00 Microsoft- Windows- TaskScheduler Task Scheduler launch task "\evil", instance "C:\Windows\SYSTEM32\cmd.exe with process ID :02:00 System The Microsoft Software Shadow Copy Provider service entered the running state :02:01 Application Shadow copy instance 1 freeze started :02:01 Application Shadow copy instance 1 starting. This will be a Full shadow copy :02:03 System Volume?? (\Device\HarddiskVolumeShadowCopy63) :02:04 Application Shadow copy instance 1 completed successfully :02:04 Application Shadow copy instance 1 freeze ended. 46

24 Detailed Process Tracking Enable Detailed Process Tracking Security Settings > Advanced Audit Configuration > Detailed Tracking Logged to Security Event Log (EID 4688) Server 2012 R2 - Include command line in process creation events Administrative Templates > System > Audit Process Creation HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Polici es\system\audit:processcreationincludecmdline_enabled (DWORD:1) 47 Detailed Process Tracking 48

25 Detection Using AppLocker Use AppLocker in Audit-Only mode to detect usage of vssdamin and ntdsutil 49 Detection Using AppLocker Blocked applications will generate a warning event in the AppLocker Event Log (EID 8003) Forward Warning level to a SIEM for monitoring 50

26 Caveats AppLocker in enforcement mode Valid Microsoft utilities do not generate Warning level events Requires filtering at SIEM or log forwarder level Attackers may not always use both ntdsutil and vssadmin during an attack Potential evasion of correlation rules Does not record command line arguments 51 Sysinternals Sysmon Released in August 2014 Monitors process creation to its own event log file Applications and Services Logs/Microsoft/Windows/Sysmon/Operational Shows command line arguments by default Provides optional hashes of executed files (MD5/SHA1) Records file creation time changes 52

27 Sysmon Event Example 53 PowerShell Module Logging Requires PowerShell 3.0 Only installed by default on Windows Server 2012 Configured through Group Policy Records commands and resulting output to the PowerShell Operational Event Log (EID 4103) 54

28 PowerShell Module Logging 55 Mitigating These Attacks Restrict Logons to Domain Controllers Only allow interactive logons from Domain Admins Group Use Domain Admins group only for administration of domain controllers Require interactive logons to originate from jump servers with host-based firewall Require two-factor authentication on jump servers Review RDP sessions connecting to DCs Practice Enterprise Password Resets 56

29 Additional Resources Investigating PowerShell Attacks: Microsoft Sysmon: 58