Fireside Chat: Horizon3.ai and JTI Cybersecurity

Apr 17, 2024

Horizon3.ai Principal Security SME Stephen Gates and JTI Cybersecurity Principal Consultant Jon Isaacson discuss:

– What JTI does to validate things like access control, data loss prevention, ransomware protection, and intrusion detection approaches.
– How #pentesting and red team exercises allow orgs to validate the effectiveness of their security controls.
– Why offensive operations work best to discover and mitigate exploitable vulnerabilities in their client’s infrastructures.

Fireside Chat: Horizon3.ai and JTI Cybersecurity

Apr 17, 2024

Horizon3.ai Principal Security SME Stephen Gates and JTI Cybersecurity Principal Consultant Jon Isaacson discuss:

Credential Misconfigurations

by Horizon3.ai | Oct 25, 2021 | Industry Insights

Are your credential policies implemented right? Are your enterprise accounts configured correctly? How do you know?

Most phishing, ransomware, and credential attacks start by gaining access to a host and compromising a domain user (Credential Attacks – Horizon3.ai). With a credential in hand, an attacker can persist and pervade, appearing like a legitimate user and maneuver through your network with a small risk of being detected. Additionally, your zero trust framework falls apart when an attacker creates their own trust.

In more than 1,000 pentests this last year, our autonomous attacker platform – NodeZero – has discovered, dumped, captured, cracked, brute forced, and reused over a million credentials leading to critical impacts in nearly every environment we’ve encountered – from compromising a single user to an entire domain. In doing so, our customers have taken on the attacker’s perspective within their environments and learned lessons on their own policies, implementation, and enforcement they may have never seen otherwise. Repeatedly, our most successful attack paths take advantage of misconfigured management tools. One of the most prevalent, valuable, and easily misconfigured tools is Active Directory.

In Microsoft trust environments, we’ve relied on Active Directory (AD) for 30+ years to centrally manage access and permissions to resources. Where we used to have to manage asset and account access locally, AD enabled remote management, and there was much rejoicing.

Now, 90% of Fortune 1000 companies use AD (Active Directory Holds the Keys to your Kingdom, but is it Secure?) and because AD holds the keys to your kingdom, it’s a primary target for attackers and a basic building block of APTs (https://docs.broadcom.com/doc/ten-active-directory-misconfigurations-that-lead-to-total-domain-compromise-en)…including NodeZero.

Coupled with the fact that AD can easily be misconfigured (Misconfigurations in most Active Directory environments create serious security holes, researchers find), this is an easy and exploitable attack path that can lead to complete domain compromise if attackers are allowed to gain but an inch. You can’t just install a security agent or implement a framework and tell the board they can sleep safe at night; to minimize the damage that can be done, it’s really important to understand what an attacker can do with the credentials of a compromised domain user.

Therefore, you need to think like an attacker.

Attackers will probe for weak spots and exploit them. Sure, they could create a weak spot with a zero-day, but then that capability is burned; why not just take advantage of a weakness you’re offering them? Often, those weak spots start with credentials and end with privileges.

Attackers want to take advantage of “all the things” that are:

Commonly used
Easily misconfigured
Holding value

As you know, AD checks each of these boxes. The value AD holds is the ability to dump or create a credential and look legit, and that credentialed access to resources then enables an attacker to legitimately persist. This is also why Active Directory misconfigurations are incredibly lucrative – one misstep in assigning account access, and the difference between a user and an administrator is just a click.

The accounts in Active Directory that are most commonly targeted by attackers are those that are members of the most-highly privileged groups… When we evaluate the membership of the highest privileged groups in Active Directory, we commonly find excessive membership in all three of the most privileged groups. – “Avenues to Compromise” – Microsoft Docs (Avenues to Compromise)

This is also why it is SO important to see what an attacker could do with any credential in your environment, testing your AD configurations – accounts, hosts, permissions – and verifying that the policies and privileges you’ve assigned to your users and admins is what you intended. This is exactly what one of our customers did.

In a recent operation (op), a customer wanted to conduct an internal pentest to see what the “blast radius” might be from a couple of compromised users and injected the following credentials: a Domain User and a System Admin.

The system administrator credential turned out to also have domain admin rights (an AD misconfiguration).
The domain user credential turned out to be a local admin on a box and was used to discover several other domain user credentials, one of which turned out to be a domain admin.

NOTE: in the following two use scenarios, the original credential logons, passwords, domain names, and IP address have been obfuscated.

CASE #1: From System Admin to Domain Admin

Because misconfigurations are easily introduced and credential reuse is so prevalent (Save Your Data with Empowering Password Statistics | DataProt), once it discovers a credential, NodeZero will verify it is a legit credential and then attempt to gain access anywhere it can.

While we usually chart an attack path towards what is most valuable and vulnerable, NodeZero immediately used the injected credential to successfully log in to a domain controller over SMB. It discovered the credential had domain admin rights because it had read/write privileges on administrative shares.

In case you missed it, this was a System Admin credential and was NOT supposed to also have Domain Admin rights. There was zero privilege escalation and zero dump to get domain admin credentials; this credential was all NodeZero needed to wreak havoc.

After checking their Active Directory and screenshotting this credential to prove that it didn’t have Domain Admin rights, the customer wanted to review the operation with us to make sure this was not a false positive. We rallied with the customer, shared screens, and ultimately asked them to attempt to log in to the DC with the credential. It worked. This credential had administrative access to administrative shares. Immediately, the customer dug in and removed rights from this account. Then, when they checked, the admin rights were still present.

Our NodeZero Certified Partner, Liberman Networks, was also on the call and requested the admin to pull up the credential’s security groups/rights and check the “Member Of” tab; and among the six groups was an embedded group tying back to a Domain Administrator group, thereby giving this credential – and several other users and administrators –Domain Admin rights.

At this point, they called in the lead system administrator, found this additional rights tree, and started pruning.

In this first instance, NodeZero was able to take advantage of a misconfigured system administrator credential to create a domain compromise impact.

CASE #2: From Domain User to Domain Admin

NodeZero launched and injected the environment with a single Domain User credential.
NodeZero executed a Host Discovery and found two Domain Controllers and 3K workstations.
NodeZero executed a TCP Port Scan and discovered the SMB service was running on both DCs and a workstation.
NodeZero attempted an SMB login on the first DC with the injected system user credential and verified as a Domain User.

5. NodeZero attempted and was able to use the domain user credential with local admin rights, so it dumped several new user credentials in cleartext from the workstation.
6. NodeZero then attempted an SMB login on the second DC with newly found user credentials and was able to use one of the newly found credentials to login as a Domain Admin.
7. NodeZero accessed the DC with Read & Write privileges.
8. Game Over.

In this case, NodeZero was able to utilize a simple domain user credential to great effect, chaining together an attack path en route to Domain Administrator. Whether misconfigured or wrongly-but-deliberately approved, that credential also had local admin rights that were then used to dump other credentials – one of which was a domain admin.

Domain admins are often looking to AD for managing access to every resource, while local admin rights can be (mis)configured directly on the host, and AD isn’t going to spotlight that personal credential as having those rights. Understanding your local configurations is just as important as understanding your enterprise-wide ones. Having that awareness of how domain, local, and service accounts tie together – and CAN be used to lead to other credentials compromised – is critical. That’s why we ask the question: how do you know?

Is this directly an AD misconfiguration? Maybe.
A credential misconfiguration? Maybe.
A risk misunderstanding? Definitely.

The greatest issue is the lack of attention we allocate to verifying our policies, our implementation, and our enforcement. This lack of attention exacerbates misunderstanding and misconfiguration, creating a destructive security cycle… for which attackers are all too ready to exploit.

“This is a good experience for me to teach the team the importance of credential use and reuse. We never would have found this without you guys…” – Director of Infrastructure

Lessons Learned

You need to think like an attacker.

Your digital environments are complex, and therefore, prone to to misconfigurations. It’s no secret that Active Directory requires active management. If there is an area of our networks we’ve got to get right every time, it’s our domains and credentials. Personnel and their roles are in constant flux, and the maintenance of those permissions and privileges is critical to your cybersecurity. Key to simplifying the complexity in your environment is the perspective of an attacker, which often thrives in those misconfiguration gaps and seams.

Active Directory administration is critical to your remote network management, so you can expect misconfigurations to lead to critical impacts because the implementation and enforcement of policies is fraught with missteps. Administrative vigilance is key and not a bad law: (10 Immutable Laws of Security Administration).

A couple recommendations going forward:

If you haven’t already, implement a least-privilege administrative model (and include resources, accounts, privileges, and access location, timing, and rights) and review with your IT, security, and dev teams how they’ve implemented your guidance in AD workflows. Every connection, path, and point is a potential (opportunity for attacker) for misconfiguration.
Continuously verify account access to prove your AD policy is working, or not working. Your AD system administrators should be able to see every account and every embedded group membership. You have to cross-reference this with HR to ensure your current personnel align with current AD resource access.
Test your security tools to see how an attacker might use lower level protocols get around your policy enforcement; then, invite an offensive security expert’s insight and ask them to show you proof.

Bottom Line: Test your rules and tools. If you don’t, you’re presuming success… and that’s a risk none of us can afford. Proof wins, every time.

How can NodeZero help you?

Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.

Schedule a Demo

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	LinkedIn - Used to store information about the time a sync took place with the lms_analytics cookie
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	2 years	LInkedIn Used to store consent of guests regarding the use of cookies for non-essential purposes
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_V462VSRXXS	2 years	This cookie is installed by Google Analytics.
6suuid	2 years	6sense is a B2B predictive intelligence engine for marketing and sales.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
visitorId	1 year	Salesforce

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Attack Content

Security Strategies