Mar 01 2016
Sean has founded a new security company called Trimarc focused on providing enterprise security solutions. Launching today, Trimarc’s mission is to identify ways to better protect organizations from modern threats not effectively stopped by traditional security measures.
ADSecurity.org will continue thanks to Trimarc!
Check out Trimarc’s capabilities at TrimarcSecurity.com.
Feb 24 2016
After about two months of Microsoft PowerShell developers working around the clock (probably), the bug that wound up causing the WMF 5.0 RTM installer to be pulled is now fixed. There was an issue with the original release dealing with PSModulePath ($Env:PSModulePath) which was reset to default after installation of the original PowerShell v5 installer.
The Windows Management Framework (WMF) 5.0 RTM packages for Windows 2008 R2 SP1/2012 R2/2012 and Windows 7 SP1/8.1 are available for download in the Microsoft Download Center.
As I’ve stated before, due to the security enhancements including logging, updating to PowerShell v5 is highly recommended. More details on the advantages of enabling PowerShell logging and attack detection, including PowerShell v5 security enhancements are in two posts:
Download PowerShell version 5 aka “Windows Management Framework (WMF) 5.0 RTM”
Feb 11 2016
At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks.
Update: I presented at BSides Charm (Baltimore) on PowerShell attack & defense in April 2016.
More information on PowerShell Security: PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection
The Evolution of PowerShell as an attack tool
PowerShell is a built-in command shell available on every supported version of Microsoft Windows (Windows 7 / Windows 2008 R2 and newer) and provides incredible flexibility and functionality to manage Windows systems. This power makes PowerShell an enticing tool for attackers. Once an attacker can get code to run on a computer, they often invoke PowerShell code since it can be run in memory where antivirus can’t see it. Attackers may also drop PowerShell script files (.ps1) to disk, but since PowerShell can download code from a website and run it in memory, that’s often not necessary.
Dave Kennedy & Josh Kelley presented at DEF CON 18 (2010) on how PowerShell could be leveraged by attackers. Matt Graeber developed PowerSploit and blogged at Exploit-Monday.com on why PowerShell is a great attack platform. Offensive PowerShell usage has been on the rise since the release of “PowerSploit” in 2012, though it wasn’t until Mimikatz was PowerShell-enabled (aka Invoke-Mimikatz) about a year later that PowerShell usage in attacks became more prevalent. PowerShell provides tremendous capability since it can run .Net code and execute dynamic code downloaded from another system (or the internet) and execute it in memory without ever touching disk. These features make PowerShell a preferred method for gaining and maintaining access to systems since they can move around using PowerShell without being seen. PowerShell Version 5 (v5) greatly improves the defensive posture of PowerShell and when run on a Windows 10 system, PowerShell attack capability is greatly reduced.
Feb 11 2016
PowerShell version 5 is RTM (As of 12/18/2015). Prior to this there was a “production preview” available since August which means it was supported, but not final. With the final release of PowerShell v5 now available, I highly recommend you download PowerShell v5 and start testing to prepare for production deployment.
While the PowerShell v5 download was pulled previously due to an issue with PSModule Path, the Windows Management Framework (WMF) 5.0 RTM is available for download once again.
PowerShell provides extensive management capability for administrators, though this capability can also be used by attackers to exploit and persist in an enterprise. There are ways to detect offensive PowerShell attack tools and PowerShell v5 extends this capability further.
Microsoft provides the following PowerShell v5 benefits and updates on the download site:
Windows Management Framework (WMF) 5.0 brings functionality that has been updated from WMF 4.0. WMF 5.0 is available for installation only on Windows Server 2012 R2, Windows Server 2012, Windows 2008 R2, Windows 8.1, and Windows 7 SP1. Some of the new and updated features in this release include:
- Develop with classes in Windows PowerShell
- Just Enough Administration (JEA)
- Extract and parse structured object out of string content
- More control in Windows PowerShell Remote Debugging
- PowerShell Information Stream
- New and updated cmdlets based on community feedback
- Generate Windows PowerShell cmdlets based on an OData endpoint with ODataUtils
- Manage .ZIP archives through new cmdlets
- Interact with symbolic links using improved Item cmdlets
- DSC authoring improvements in Windows PowerShell ISE
- 32-bit support for the configuration keyword in DSC
- Audit Windows PowerShell usage by transcription and logging
- Configure DSC’s Local Configuration Manager with the meta-configuration attribute
- Configure piece by piece with partial configurations in DSC
- Manage with cross-computer dependencies in DSC
- More control over configurations in DSC
- Find more detail about configuration status in DSC
- Support for -? during DSC configuration compilation
- Support for DSC RunAsCredential
- Rich information for DSC LCM State
- Side-by-Side installation of DSC Resources and PowerShell Modules
- PSDesiredStateConfiguration Module version updated to 1.1
- Report configuration status from DSC to a central location
- Discover and install software with PackageManagement
- Discover PowerShell Modules, PowerShell Scripts and DSC resources with PowerShellGet
- Network Switch management with Windows PowerShell
- Software Inventory Logging (SIL)
There are several compelling PowerShell v5 security features that make it a must deploy (IMHO). I presented on several of these at security conferences in 2015.
Jan 31 2016
Microsoft recently released Enhanced Mitigation Experience Toolkit (EMET) version 5.5 (it jumped from 5.2 to 5.5) which includes Windows 10 compatibility and better GPO support (among others). I’ve included information from a variety of Microsoft sources in this post so that others don’t have to search for the data separately. The resources/references are listed at the bottom of this post.
Update: I have received reports of problems with IE 11 with EMET 5.5.
Jan 27 2016
A fact that is often forgotten (or misunderstood), is that most objects and their attributes can be viewed (read) by authenticated users (most often, domain users). The challenge is that admins may think that since this data is most easily accessible via admin tools such as “Active Directory User and Computers” (dsa.msc) or “Active Directory Administrative Center” (dsac.msc), that others can’t see user data (beyond what is exposed in Outlook’s GAL). This often leads to password data being placed in user object attributes or in SYSVOL.
There is a lot of data that can be gathered from Active Directory which can be used to update documentation or to recon the environment for the next attack stages. It’s important for defenders to understand the different types of data accessible in AD with a regular user account.
Attacks frequently start with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).
This post shows how an attacker can recon the Active Directory environment with just domain user rights. Many people are surprised when they learn how much information can be gathered from AD without elevated rights.
Note: Most of the examples in this post use the Active Directory PowerShell module cmdlets. A good alternative is HarmJ0y’s PowerView (now part of PowerSploit).
I spoke about some of these techniques at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon). I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.
Jan 22 2016
IT World Canada reached out to me recently to help with an article on Active Directory attack & defense.
Read the article: “IT not doing enough to secure Active Directory, says expert.”
IIT World Canada also requested comments for a second story titled: “22 tips for preventing ransomware attacks“.
Jan 18 2016
After performing research at the end of 2014 on Microsoft enterprise security, specifically Active Directory, I realized that others may be interested in this information – my customers certainly were! So, I decided to submit a talk to the various security conferences and see what happened. I certainly didn’t expect to be accepted at 5 out of 5 of the conferences I submitted to!
In 2015, I spoke at the following security conferences:
This post is my attempt to note the approaches that worked for me, and share with others the key items involved in my talk being accepted. By no means do I think I have struck on some sort of magic “formula” that ensures success, but I do want to share some important items that reviewers will look for and appreciate.
How did I get accepted to speak?
I think it was a combination of the following:
Note: I have been rejected to speak at conferences since speaking at Black Hat & DEF CON. Don’t think that speaking at one conference means you will speak at others. Again, I don’t have the special CFP formula for acceptance. I just want to help others with the CFP process. Good CFP responses tend to get accepted and speaker slots are limited, so take the time to develop a really great response!
If you have tips and/or other information helpful for those going through the CFP process, please send them my way. Special thanks to Jericho (@attritionorg) for his input (any mistakes are mine alone).
Jan 05 2016
In late 2014, I discovered that the domain field in many events in the Windows security event log are not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name and depending on the tool used to generate the Kerberos tickets, other domain field anomalies may be present in the events.
The likely reason for the anomalies is that third party tools that create Kerberos tickets (TGT & TGS) don’t format the tickets exactly the same way as Windows does.
Around this time last year (early January 2015), I shared with customers these indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”.
As of 4/16/2015: Mimikatz generated tickets may include the string “eo.oe.kiwi : ) ” in the domain field.
As of 6/29/2015: Mimikatz generated tickets may include the string “<3 eo.oe – ANSSI E>” in the domain field.
Few things in life are as consistent as the guarantee that things will change. In infosec, that means the attack tools will continue to evolve to evade detection and the defensive tools need to constantly evolve and improve.
If you protect your Active Directory admins (and service accounts), you will likely not have to deal with forged Kerberos Tickets since they require prior admin access. The problem is that Active Directory & Enterprises are often not secured to protect against modern threats and often, gaining Domain Admin rights to an AD domain is often too easy in many enterprises.
Recent Comments