The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec
Marina Simakov, Security Researcher, Microsoft ATA
Source: microsoftrnd.co.il/Press Kit/BlueHat IL Decks/TalBeery...


Intro

• Authentication

• Authorization

[Slide: NTLM authentication] The user's password waza1234/ is held by LSASS (NTLM) as its NTLM (rc4_hmac_nt) hash cc36cf7a8514893efccd332446158b1a. Exchange between User, Server and DC: ① Negotiate, ② Challenge, ③ Response, ⑥ Auth verified.

[Slide: Kerberos authentication] LSASS (Kerberos) derives several keys from the same password waza1234/: des_cbc_md5 f8fd987fa7153185; rc4_hmac_nt (NTLM/MD4) cc36cf7a8514893efccd332446158b1a; aes128_hmac 8451bb37aa6d7ce3d2a5c2d24d317af3; aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b. Exchange between User, DC (TGT, TGS) and Server: ③ TGS-REQ (Server), ④ TGS-REP, ⑤ Usage.

“When the Cyber Kill-Chain Met Local Users”

[Slide: attack-path graph] Nodes: Group: IT Admins; User: Bob; Computer: Server1; User: Mary; Group: Domain Admins.

http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24

https://www.safety.com/wp-content/uploads/2012/12/Burglar-Entry-300x300.jpg

Admin Recon

Defending

http://s1206.photobucket.com/user/harbottle1/media/Posters%202/LocalHeroQuad.jpg.html

Parting Thoughts

| Win version | Who can query SAMR by default | Can default be changed |
| --- | --- | --- |
| < Win10 | Any domain user | No |
| Win10 | Any domain user | Yes (only via registry) |
| > Win10 (e.g. anniversary) | Only local administrators | Yes (registry or GPO) |
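The table says the SAMR default can be changed through the registry or GPO but does not name the setting. The following script is an added example, not part of the BlueHat IL deck: it reads the host's current remote-SAM restriction and lists which principals the descriptor allows. The value name RestrictRemoteSAM under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the SDDL string that limits remote SAM calls to local Administrators, are taken from Microsoft's documentation of the policy "Network access: Restrict clients allowed to make remote calls to SAM", not from the slides; treat them as assumptions to verify against your own OS build.

```powershell
# Added example (not from the deck): audit the remote SAM restriction on this host.
# Registry value name and SDDL are assumed from Microsoft's policy documentation.
# Run in an elevated PowerShell on Windows 10 1607+ / Server 2016+.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSAM'

function Get-RemoteSamRestriction {
    # Returns whether the value is set, its raw SDDL, and the principals it allows
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Sddl = $null; Allowed = @() }
    }
    $sddl = $item.$valueName
    # Parse the SDDL so the allowed SIDs can be resolved to account names
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed') {
            try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: keep the raw value
        }
    }
    [pscustomobject]@{ Configured = $true; Sddl = $sddl; Allowed = @($allowed) }
}

$state = Get-RemoteSamRestriction
if (-not $state.Configured) {
    Write-Output "RestrictRemoteSAM is not set: the OS default from the table above applies."
} else {
    Write-Output "RestrictRemoteSAM = $($state.Sddl)"
    Write-Output ("Remote SAM calls allowed for: " + ($state.Allowed -join ', '))
}

# Hardened setting: allow remote SAM calls only for local Administrators (BA).
# Uncomment to apply; the equivalent GPO lives under Security Options.
# Set-ItemProperty -Path $lsaKey -Name $valueName -Value 'O:BAG:BAD:(A;;RC;;;BA)' -Type String
```

On a host where the value is absent, the "Configured = false" branch tells you the build's default governs, which per the table means any domain user on pre-anniversary Windows 10 and earlier; checking the value across a fleet is therefore the quick way to find hosts still exposed to the Admin Recon step the deck describes.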