Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store
Mike Middleton and Justin Prosco, Mandiant, A FireEye Company

Mike Middleton (slide 2)
- Principal Consultant
- Joined Mandiant in 2010
- Forensic, IR, application and network penetration experience
- Big Yankees fan
- Attempting to learn guitar
- Twitter: @_mikemny
- Photo caption: "This is dog, my human is sleeping. Over."
Justin Prosco (slide 3)
- Principal Consultant
- Joined Mandiant in 2010
- 9.5 years of incident response and forensics experience
- Contributor to Incident Response & Computer Forensics, Third Edition
- Twitter: @jprosco

Agenda (slide 4)
- Password harvesting techniques from Active Directory
  - Volume Shadow Copy Service (VSS)
  - PowerShell
- Detecting VSS password harvesting
  - Forensic artifacts and investigation techniques
  - Audit settings
- Mitigating password harvesting attacks
- Focus on Windows 2008 & 2012
Active Directory (slide 5)
- Directory services for Windows domains
- Active Directory data store: an ESE (Extensible Storage Engine) file that contains the domain user account password hashes
- Stored on disk; default location: %systemroot%\ntds\ntds.dit

Password Harvesting (slide 6)
- Usually involves dumping memory from lsass.exe
- Typically the best method to obtain account passwords
- Examples: Mimikatz, Windows Credentials Editor, etc.
Issues for Attackers (slide 7)
- Involves transferring tools to the remote system
- Can be detected by antivirus or HIPS
- Unsigned code is difficult to run on domain controllers that use application whitelisting
- Usually leaves behind forensic evidence of password harvesting

Solution: NTDS.DIT (slide 8)
- If the domain controller is secured, take the Active Directory database for offline password recovery
- Problem: NTDS.DIT is locked for reading
Volume Shadow Copy Service (slide 9)
- Designed to back up files that are in use
- First introduced in Windows XP
- Shadow copies can be created on a regular schedule through Windows Task Scheduler (default: no schedule)
- Also created when system updates are applied or on application installation

Volume Shadow Copy Tools (slide 10)
- Built-in tools for accessing volume shadow copies:
  - vssadmin: manipulate volume shadow copies
  - ntdsutil: manage the Active Directory data store
- Some backdoors have built-in functionality to control VSS (example: Gh0st RAT)
- VSS can also be manipulated through WMI or PowerShell
VSS Attack Techniques (slides 11-12)
- Built-in utility: vssadmin
- Visual Basic script: VSSOwn
- PowerShell
- Built-in utility: ntdsutil
Technique: vssadmin (slide 13)
- Command-line utility for interacting with VSS copies: create a volume shadow copy, list the available shadow copies
- Attack technique has been published since 2011
- Mount the shadow copy and take the NTDS.DIT file and SYSTEM registry hive for offline hash extraction
- Leaves almost no forensic evidence of activity

Example: vssadmin (slide 14)
Create snapshot:

    C:\Users\mmiddleton>vssadmin Create Shadow /For=C:
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Successfully created shadow copy for 'C:\'
        Shadow Copy ID: {cf6b4f72-6e28-4b26-a71c-d518734e9c14}
        Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65
Example: vssadmin (slide 15)
View snapshots:

    C:\Users\mmiddleton>vssadmin list shadows /For=C: /shadow:{f1c67cf1-8f3a-4036-8d9b-eb8a69160d1d}

    Contents of shadow copy set ID: {f1c67cf1-8f3a-4036-8d9b-eb8a69160d1d}
       Contained 1 shadow copies at creation time: 8/25/2014 11:29:35 AM
          Shadow Copy ID: {cf6b4f72-6e28-4b26-a71c-d518734e9c14}
             Original Volume: (C:)\\?\Volume{e7e1ba47-2566-11e4-80b5-806e6f6e6963}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65
             Originating Machine: gatekeeper.ghostbusters.com
             Service Machine: gatekeeper.ghostbusters.com
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: ClientAccessible
             Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Example: vssadmin (slide 16)
Mount snapshot:

    C:\Users\Administrator>mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\
    symbolic link created for c:\shadow <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\

Access snapshot: (screenshot)
Evidence: vssadmin (slide 17)
- Windows System event log, Event ID 7036: "The <service name> service entered the <running/stopped> state."
- Microsoft Software Shadow Copy Provider: manages software-based shadow copies taken by Volume Shadow Copy
- Entries seen around snapshot creation:

    The Microsoft Software Shadow Copy Provider service entered the running state.
    The Volume Shadow Copy service entered the running state.
    The Microsoft Software Shadow Copy Provider service entered the stopped state.
    The Volume Shadow Copy service entered the stopped state.
WMI Attacks (slide 19)
- vssown.vbs, written by Mark Baggett (@MarkBaggett) and Tim Tomes (@lanmaster53) in 2011
- https://code.google.com/p/ptscripts/source/browse/trunk/windows/vssown.vbs
- Visual Basic script that automates extraction of password hashes from volume shadow copies using WMI
- Used by targeted attackers

Example: vssown.vbs (slide 20)
List volume shadow copies:

    cscript vssown.vbs /list

Create a volume shadow copy:

    cscript vssown.vbs /create C
Detection (slide 21)
- Process tracking in the Security event log (EID 4688) shows:
  - cscript.exe (Windows Script Host)
  - wmiprvse.exe (WMI Provider Host)
  - vssvc.exe (Volume Shadow Copy Service)
- Volume Shadow Copy service start/stop is logged in the System event log (EID 7036)
- No artifacts for listing shadow copies or mounting existing copies
PowerShell Attacks (slide 23)
- Matt Graeber's PowerSploit: https://github.com/mattifestation/powersploit/
  - Volume shadow copies (VolumeShadowCopyTools.ps1)
  - Access locked files (Invoke-NinjaCopy.ps1)

Example: PowerSploit (VolumeShadowCopyTools) (slide 24)
Script to mount an existing volume shadow copy:

    Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path $PWD
    cp $PWD\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit

- Creates an NTFS reparse point for the mount; the attacker might forget to delete it
- No observable changes in the registry or event logs with default logging
Example: PowerSploit (NinjaCopy) (slide 25)

    Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -LocalDestination C:\Windows\Temp\ntds.dit

- No event log artifacts created
  - powershell.exe process is logged with object auditing
  - Command line is not logged if called from the interpreter
- No registry artifacts created
  - Potential Shellbags if the attacker browses to the copied file using Explorer
- No file artifacts created
  - Potential INDX records or deleted files created after the copy
Technique: ntdsutil (slide 27)
- Command-line utility providing management facilities for AD DS and AD LDS
- Available on AD DS or AD LDS server roles; included in the AD DS tools for RSAT
- Used by attackers to create VSS copies

Example: ntdsutil (slide 28)
Create snapshot:

    C:\Users\Administrator>ntdsutil
    ntdsutil: activate instance ntds
    Active instance set to "ntds".
    ntdsutil: snapshot
    snapshot: create
    Creating snapshot...
    Snapshot set {a45e4063-e4b5-407b-837c-a38d984ce4ae} generated successfully.
    snapshot:

View snapshots:

    snapshot: list all
     1: 2014/08/19:18:31 {a45e4063-e4b5-407b-837c-a38d984ce4ae}
     2: C: {5d3bef1e-09a9-4abe-82cc-c9bccbe6a8c6}
Example: ntdsutil (slide 29)
Mount snapshot:

    snapshot: mount 1
    Snapshot {5d3bef1e-09a9-4abe-82cc-c9bccbe6a8c6} mounted as C:\$SNAP_201408191831_VOLUMEC$\

Access snapshot: (screenshot)

Example: ntdsutil (slide 30)
As a one-liner:

    ntdsutil "act inst ntds" "snapshot" "create" q q

As a one-liner with an alternative path:

    ntdsutil "act inst ntds" "ifm" "create full c:\evil" q q
Example: ntdsutil (slide 31): screenshot

Evidence: ntdsutil (slide 32)
Windows Application log, Event IDs:

    2001: lsass (556) Shadow copy instance 2 freeze started.
    2003: lsass (556) Shadow copy instance 2 freeze ended.
    2005: lsass (556) Shadow copy instance 2 starting. This will be a Full shadow copy.
    2006: lsass (556) Shadow copy instance 2 completed successfully.
Mitigation and Detection (slides 33-34)
- Detecting VSS usage through timeline analysis
- Detailed process tracking
- Leveraging AppLocker
- Sysinternals Sysmon
- Mitigation
Event Log Timeline (slide 35)
- Timeline analysis and stacking is often an effective technique
- Collect evidence: Application, Security, System; Task Scheduler Operational; others
- Reduce evidence: identify patterns, remove known legitimate activity
- Analyze results
- Log locations:

    %systemroot%\system32\winevt\logs\application.evtx
    %systemroot%\system32\winevt\logs\security.evtx
    %systemroot%\system32\winevt\logs\system.evtx
    %systemroot%\system32\winevt\logs\microsoft-windows-taskscheduler%4operational.evtx

Reduce Evidence (slide 36)
- Take a sip from the fire hose
- Analyze Event IDs 4904 and 4905 from the Security log where the process is vssvc.exe
  - 4904: An attempt was made to register a security event source
  - 4905: An attempt was made to unregister a security event source
- Are these entries normal backups?
Reduce Evidence (slide 37): screenshots of the volume configured for shadow copies and the list of snapshots

Reduce Evidence (slide 38): screenshot
Reduce Evidence (slides 39-40): screenshots
Reduce Evidence (slide 41)

    Event ID  Gen Time             Log       Message
    4904      2014-08-19 10:00:00  Security  An attempt was made to register a security event source.
    4905      2014-08-19 10:00:00  Security  An attempt was made to unregister a security event source.
    4904      2014-08-19 22:00:00  Security  An attempt was made to register a security event source.
    4905      2014-08-19 22:00:00  Security  An attempt was made to unregister a security event source.
    4904      2014-08-20 10:00:00  Security  An attempt was made to register a security event source.
    4905      2014-08-20 10:00:00  Security  An attempt was made to unregister a security event source.
    4904      2014-08-20 22:00:00  Security  An attempt was made to register a security event source.
    4905      2014-08-20 22:00:00  Security  An attempt was made to unregister a security event source.
    4904      2014-08-21 10:00:00  Security  An attempt was made to register a security event source.
    4905      2014-08-21 10:00:00  Security  An attempt was made to unregister a security event source.
    4904      2014-08-21 22:00:00  Security  An attempt was made to register a security event source.
    4905      2014-08-21 22:00:00  Security  An attempt was made to unregister a security event source.

Reduce Evidence (slide 42)
Same timeline as slide 41, with the detail of one 4905 entry expanded:

    An attempt was made to unregister a security event source.
    Subject:
        Security ID:      NT AUTHORITY\SYSTEM
        Account Name:     GATEKEEPER$
        Account Domain:   GHOSTBUSTERS
        Logon ID:         0x00000000000003e7
    Process:
        Process ID:       0x0000000000000130
        Process Name:     C:\Windows\System32\VSSVC.exe
    Event Source:
        Source Name:      VSSAudit
        Event Source ID:  0x000000000022ccbd
Reduce Evidence (slide 43)
Same timeline as slide 41, annotated: remove the entries corresponding to the twice-daily VSSVC backups.

Reduce Evidence (slide 44)
- Take another sip from the (now) garden hose
- Determine whether scheduled tasks run backups and remove any applicable entries:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShadowCopyVolume{GUID}
    C:\WINDOWS\Tasks\ShadowCopyVolume{GUID}
Reduce Evidence (slide 45)

    Event ID  Gen Time             Log                              Message
    4624      2014-08-22 08:55:16  Security                         An account was successfully logged on.
    899       2014-08-22 08:55:16  Microsoft-Windows-TaskScheduler  User "\Administrator" updated Task Scheduler task "\evil"
    4634      2014-08-22 08:55:16  Security                         An account was logged off.

Expanded detail fields from these entries:

    New Logon:
        Security ID:      GHOSTBUSTERS\Administrator
        Account Name:     Administrator
        Account Domain:   GHOSTBUSTERS
        Logon ID:         0x000000000018f2df
    Network Information:
        Workstation Name:        RSTANZ
        Source Network Address:  192.168.110.158
    Subject:
        Security ID:      GHOSTBUSTERS\Administrator
        Account Name:     Administrator
        Account Domain:   GHOSTBUSTERS
        Logon ID:         0x000000000018f2df

Reduce Evidence (slide 46)

    Event ID  Gen Time             Log                              Message
    901       2014-08-22 09:02:00  Microsoft-Windows-TaskScheduler  Task Scheduler launched task "\evil", instance "C:\Windows\SYSTEM32\cmd.exe" with process ID 1728.
    7036      2014-08-22 09:02:00  System                           The Microsoft Software Shadow Copy Provider service entered the running state.
    2001      2014-08-22 09:02:01  Application                      Shadow copy instance 1 freeze started.
    2005      2014-08-22 09:02:01  Application                      Shadow copy instance 1 starting. This will be a Full shadow copy.
    98        2014-08-22 09:02:03  System                           Volume ?? (\Device\HarddiskVolumeShadowCopy63) 0
    2006      2014-08-22 09:02:04  Application                      Shadow copy instance 1 completed successfully.
    2003      2014-08-22 09:02:04  Application                      Shadow copy instance 1 freeze ended.
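The reduce-and-stack workflow from slides 35 through 46, as an added example that is not part of the original deck. It works on a constructed flat record format ("eid|time|log|message") standing in for what an evtx parser would emit; the sample records, the 10:00/22:00 backup schedule, the two-minute tolerance and the instance-number parsing are this example's assumptions, modelled on the slide timelines. It drops the 4904/4905 pairs that VSSVC.exe raises at the scheduled backup times, stacks what survives, and pairs the Application-log 2001 (freeze started) and 2006 (completed) events so that an unscheduled full shadow copy stands out.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed known-good schedule for this host: the shadow-copy task fires at 10:00 and 22:00.
BACKUP_HOURS = (10, 22)
SCHEDULE_SLACK = timedelta(minutes=2)
VSSAUDIT = r"Process Name: C:\Windows\System32\VSSVC.exe Source Name: VSSAudit"


@dataclass
class Event:
    eid: int
    time: datetime
    log: str
    message: str


def _scheduled_backup_lines():
    """Constructed 4904/4905 pairs raised by VSSVC.exe at every scheduled backup, 19-21 Aug."""
    lines = []
    for day in (19, 20, 21):
        for hour in BACKUP_HOURS:
            ts = f"2014-08-{day} {hour:02d}:00:00"
            lines.append(f"4904|{ts}|Security|An attempt was made to register a security event source. {VSSAUDIT}")
            lines.append(f"4905|{ts}|Security|An attempt was made to unregister a security event source. {VSSAUDIT}")
    return lines


# Constructed records modelled on the 22 Aug slide timeline (format: eid|time|log|message).
ANOMALY_LINES = r"""
4624|2014-08-22 08:55:16|Security|An account was successfully logged on. Account Name: Administrator Source Network Address: 192.168.110.158
899|2014-08-22 08:55:16|Microsoft-Windows-TaskScheduler|User "\Administrator" updated Task Scheduler task "\evil"
901|2014-08-22 09:02:00|Microsoft-Windows-TaskScheduler|Task Scheduler launched task "\evil", instance "C:\Windows\SYSTEM32\cmd.exe" with process ID 1728.
7036|2014-08-22 09:02:00|System|The Microsoft Software Shadow Copy Provider service entered the running state.
4904|2014-08-22 09:02:00|Security|An attempt was made to register a security event source. Process Name: C:\Windows\System32\VSSVC.exe Source Name: VSSAudit
2001|2014-08-22 09:02:01|Application|lsass (556) Shadow copy instance 1 freeze started.
2005|2014-08-22 09:02:01|Application|lsass (556) Shadow copy instance 1 starting. This will be a Full shadow copy.
2006|2014-08-22 09:02:04|Application|lsass (556) Shadow copy instance 1 completed successfully.
2003|2014-08-22 09:02:04|Application|lsass (556) Shadow copy instance 1 freeze ended.
4905|2014-08-22 09:02:05|Security|An attempt was made to unregister a security event source. Process Name: C:\Windows\System32\VSSVC.exe Source Name: VSSAudit
""".strip().splitlines()

SAMPLE_TIMELINE = "\n".join(_scheduled_backup_lines() + ANOMALY_LINES)


def parse_timeline(text):
    """Parse the flat constructed format; a real pipeline would feed this from an evtx parser."""
    events = []
    for line in text.strip().splitlines():
        eid, ts, log, msg = line.split("|", 3)
        events.append(Event(int(eid), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), log, msg))
    return sorted(events, key=lambda e: e.time)


def is_scheduled_vss_audit(ev, hours=BACKUP_HOURS, slack=SCHEDULE_SLACK):
    """True for a 4904/4905 raised by VSSVC.exe within `slack` of a scheduled backup time."""
    if ev.eid not in (4904, 4905) or "VSSVC.exe" not in ev.message:
        return False
    return any(abs(ev.time - ev.time.replace(hour=h, minute=0, second=0)) <= slack for h in hours)


def reduce_timeline(events):
    """Drop the known-legitimate backup noise; everything else is kept for review."""
    return [e for e in events if not is_scheduled_vss_audit(e)]


def stack_events(events):
    """Count what survives by (log, event id); rare combinations are where to look first."""
    return Counter((e.log, e.eid) for e in events)


def unscheduled_shadow_copies(events):
    """Pair Application 2001 (freeze started) with the 2006 (completed) of the same instance."""
    starts, found = {}, []
    for e in events:
        if e.log != "Application" or "instance" not in e.message:
            continue
        inst = e.message.split("instance", 1)[1].split()[0]
        if e.eid == 2001:
            starts[inst] = e.time
        elif e.eid == 2006 and inst in starts:
            found.append((starts.pop(inst), e.time, inst))
    return found


if __name__ == "__main__":
    reduced = reduce_timeline(parse_timeline(SAMPLE_TIMELINE))
    for (log, eid), n in sorted(stack_events(reduced).items()):
        print(f"{log:32} {eid:5} x{n}")
    for start, end, inst in unscheduled_shadow_copies(reduced):
        print(f"full shadow copy instance {inst}: {start} -> {end}")
```

Run against the constructed timeline, the twelve scheduled 4904/4905 entries disappear and the 09:02 cluster remains: one surviving 4904/4905 pair from VSSVC.exe, the 7036 service start, the task-scheduler launch of "\evil", and a full shadow copy of instance 1 that finished three seconds after it started. The schedule tolerance is what makes the filter safe to apply: a VSSVC registration an hour off the schedule is kept rather than silently discarded.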
Detailed Process Tracking (slide 47)
- Enable detailed process tracking: Security Settings > Advanced Audit Configuration > Detailed Tracking
- Logged to the Security event log (EID 4688)
- Server 2012 R2: include the command line in process creation events
  - Administrative Templates > System > Audit Process Creation
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit, value ProcessCreationIncludeCmdLine_Enabled (DWORD: 1)

Detailed Process Tracking (slide 48): screenshot
Detection Using AppLocker (slides 49-50)
- Use AppLocker in audit-only mode to detect usage of vssadmin and ntdsutil
- Blocked applications generate a Warning-level event in the AppLocker event log (EID 8003)
- Forward Warning-level events to a SIEM for monitoring
Caveats (slide 51)
- AppLocker in enforcement mode: valid Microsoft utilities do not generate Warning-level events, so filtering is required at the SIEM or log-forwarder level
- Attackers may not always use both ntdsutil and vssadmin during an attack, so correlation rules that expect both can be evaded
- Does not record command-line arguments

Sysinternals Sysmon (slide 52)
- Released in August 2014
- Monitors process creation to its own event log: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
- Shows command-line arguments by default
- Provides optional hashes of executed files (MD5/SHA1)
- Records file creation time changes
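Process-creation detection covering slides 21, 47 and 51, as an added example that is not part of the original deck. It consumes constructed 4688 records in a flat "time|new process|creator process|command line" format (a stand-in for an evtx parser's output), with the command line present as it would be on Server 2012 R2 with the policy from slide 47. The regexes, the 60-second window and the sample records are this example's own assumptions. Each tool is flagged on its own so that an attacker using only ntdsutil, or only vssown.vbs, still produces an alert (the evasion noted on slide 51); where no command line is logged, a VSSVC.exe start shortly after a script host or the WMI provider host (the process sequence from slide 21) is flagged instead.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    time: datetime
    image: str      # 4688 "New Process Name"
    parent: str     # 4688 "Creator Process Name"
    cmdline: str    # 4688 "Process Command Line" (empty when the policy is off)


@dataclass
class Alert:
    time: datetime
    rule: str
    process: str


# Constructed 4688 records (Security log, Detailed Tracking on, command line included as on
# Server 2012 R2). Format: time|new process|creator process|command line. Modelled on the
# slides: vssown.vbs through WMI, the ntdsutil one-liner, a harmless listing, and a scheduled
# 22:00 backup that starts VSSVC.exe with no script host or WMI provider before it.
SAMPLE_4688 = r"""
2014-08-22 09:01:40|C:\Windows\System32\cscript.exe|C:\Windows\System32\cmd.exe|cscript vssown.vbs /create C
2014-08-22 09:01:41|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\svchost.exe|
2014-08-22 09:01:42|C:\Windows\System32\VSSVC.exe|C:\Windows\System32\services.exe|
2014-08-22 09:02:00|C:\Windows\System32\cmd.exe|C:\Windows\System32\svchost.exe|
2014-08-22 09:02:00|C:\Windows\System32\ntdsutil.exe|C:\Windows\System32\cmd.exe|ntdsutil "act inst ntds" "ifm" "create full c:\evil" q q
2014-08-22 14:30:12|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin list shadows
2014-08-22 22:00:01|C:\Windows\System32\VSSVC.exe|C:\Windows\System32\services.exe|
"""

# Command-line rules for the tools the deck covers; the patterns are this example's own.
COMMAND_LINE_RULES = [
    ("vssadmin create shadow", r"vssadmin(\.exe)?\s+create\s+shadow"),
    ("ntdsutil snapshot or ifm", r"ntdsutil(\.exe)?.*\b(snapshot|ifm)\b"),
    ("vssown.vbs via script host", r"[cw]script(\.exe)?.*vssown\.vbs"),
    ("PowerSploit VSS or NinjaCopy", r"Mount-VolumeShadowCopy|Invoke-NinjaCopy"),
]
SCRIPT_OR_WMI = {"cscript.exe", "wscript.exe", "wmiprvse.exe"}
VSS_WINDOW = timedelta(seconds=60)   # assumed: how closely VSSVC.exe must follow them
VSS_PROXIMITY_RULE = "VSSVC.exe started within 60s of script host or WMI provider"


def parse_4688(text):
    """Parse the flat constructed format into ProcessEvent records, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, image, parent, cmd = line.split("|", 3)
        events.append(ProcessEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), image, parent, cmd))
    return sorted(events, key=lambda e: e.time)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_vss_harvesting(events):
    """Flag VSS harvesting by command line when it is logged, and by VSSVC.exe start
    proximity to a script host or WMI provider host when it is not (pre-2012 R2 hosts)."""
    alerts, recent = [], []
    for e in sorted(events, key=lambda e: e.time):
        name = basename(e.image)
        for label, pattern in COMMAND_LINE_RULES:
            if e.cmdline and re.search(pattern, e.cmdline, re.IGNORECASE):
                alerts.append(Alert(e.time, label, name))
        if name in SCRIPT_OR_WMI:
            recent.append(e.time)
        elif name == "vssvc.exe" and any(e.time - t <= VSS_WINDOW for t in recent):
            alerts.append(Alert(e.time, VSS_PROXIMITY_RULE, name))
    return alerts


if __name__ == "__main__":
    for a in detect_vss_harvesting(parse_4688(SAMPLE_4688)):
        print(f"{a.time}  {a.process:14} {a.rule}")
```

On the constructed records this raises three alerts: the cscript launch of vssown.vbs, the VSSVC.exe start two seconds later, and the ntdsutil ifm one-liner. The 14:30 "vssadmin list shadows" is not flagged (listing is common administrative activity and, per slide 21, leaves no other artifact), and the 22:00 VSSVC.exe start is not flagged because nothing in the script-host or WMI set preceded it, which is the behaviour you want for the scheduled backups removed in the timeline exercise.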
Sysmon Event Example (slide 53): screenshot

PowerShell Module Logging (slide 54)
- Requires PowerShell 3.0; only installed by default on Windows Server 2012
- Configured through Group Policy
- Records commands and resulting output to the PowerShell Operational event log (EID 4103)
PowerShell Module Logging (slide 55): screenshot

Mitigating These Attacks (slide 56)
- Restrict logons to domain controllers
  - Only allow interactive logons from the Domain Admins group
  - Use the Domain Admins group only for administration of domain controllers
  - Require interactive logons to originate from jump servers with a host-based firewall
  - Require two-factor authentication on jump servers
- Review RDP sessions connecting to DCs
- Practice enterprise password resets
Additional Resources (slide 57)
- Investigating PowerShell Attacks: http://www.fireeye.com/resources/pdfs/fireeye-lazanciyaninvestigating-powershell-attacks.pdf
- Microsoft Sysmon: http://technet.microsoft.com/en-us/sysinternals/dn798348

Questions (slide 58)
- mike.middleton@mandiant.com, @_mikemny
- justin.prosco@mandiant.com, @jprosco