More zBang for the zBuck

CONFIDENTIAL INFORMATION
MORE zBANG FOR THE zBUCK
1
How zBang Can Be Used to Discover Hidden Risks
Andy Thompson – Customer Success

• National Manager – Customer Success
• Dallas, TX
• Husband
• Father
• Road-warrior
WHOAMI
2

CONFIDENTIAL INFORMATION 3
If I have seen further than others it is by
standing upon the shoulders of giants.
- Isaac Newton

HIDDEN RISKS

•Hidden Risks
•Shadow Admins
•Skeleton Key Attacks
•SID History
•Risky SPN’s
•zBang!
AGENDA
5

SHADOW ADMINS

Overlooked privileged accounts.
• Not members of a privileged Active Directory Group.
• Privileges granted through the direct assignment of permissions
using ACLs on AD Objects.
SHADOW
ADMINS
7https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/

DEMONSTRATION
8
Normal user can’t access
ms-mcs-AdmPwd
FAIL!

DEMONSTRATION
9
Privileged attacker adds
backdoor to Servers OU

DEMONSTRATION
10
Domain user can access AdmPwd!
LAPS cmdlet doesn’t detect it!
SUCCESS!

An ACE up the sleeve
11
Designing Active Directory DACL Backdoors
Andy Robbins & Will Schroder
SpectreOps

• Prevention:
• None. Pretty much your only hope for performing “forensics” on these actions.
• If you weren’t collecting logs when backdoored, you may never know who the perp was :(
• Detection
• Proper event log tuning and monitoring
• Pro-Tip: Event log 4738 (“A user account was changed”), filtered by the property modified.
• Replication Metadata
• Points you in the right direction, but you still need full logs.
• System Access Control Lists (SALC’s)
• Contain entries that, “specify access attempts and generate audit records in the event log of a
domain controller”.
• More info at http://bit.ly/2tOAGn7
MITIGATION TECHNIQUES
12

Allows the organization to review privileged accounts that might
not be part of the organizations' known privileged groups but still
may have sensitive permissions.
https://github.com/cyberark/ACLight
Developed by Asaf Hecht
@HechtovZBANG
ACLIGHT
13

SKELETON KEY

• Discovered in the wild – Jan 2015.
• Bypasses authentication on Active Directory (AD) systems.
• Threat actors can authenticate as any user.
• Does not generate network traffic.
• Network Intrusion Protection is USELESS!
SKELETON KEY
MALWARE
15

• Deployed as in-memory patch on victim’s AD Domain Controller.
• Downgrades encryption from AES128|256 to RC4
• Affects DC Replication
• Lacks persistence!
SKELETON KEY
MALWARE
16

DEMONSTRATION
17
Running Mimikatz

DEMONSTRATION
18
Running Mimikatz

• Enable Multi-Factor Authentication
• Isolate critical infrastructure
• Limit Privileged User Accounts.
19

Queries all DC’s in forest and tries to connect
through Kerberos with AES256 encryption.
ZBANG
SKELETON
KEY SCAN
20
If DC is running the correct functional level and not
supporting AES256 encryption, it might be infected.

SID HISTORY

• Attribute that can be used in case of migration of an account
between two trusted domains.
• The attribute can be manipulated by attackers to escalate
privileges.
SID
HISTORY
22
SID: 5-1-5-21-1583770191-1400084446-32828441-3103 SID: 3-2-6-49-1547894215-1597538462-15985214-1541
SID: 3-2-6-49-1547894215-1597538462-15985214-1541
SIDHISTORY: 3-2-6-49-1547894215-1234567890-98765432-1351
SIDHISTORY: 5-1-5-21-1583770191-1400084446-32828441-3103

PRIVILEGED
SIDS
23
Name SID
Administrator S-1-5-21 Domain – 500
KRBTGT S-1-5-21 Domain - 502
Enterprise Domain Controllers S-1-5-9
Domain Admins S-1-5-21 Domain - 512
Domain Controllers S-1-5-21 Domain - 516
Schema Admins S-1-5-21 Domain - 518
Enterprise Admins S-1-5-21 Domain - 519
Group Policy Creator Owners S-1-5-21 Domain - 520
Administrators S-1-5-32-544
Account Operators S-1-5-32-548
Server Operators S-1-5-32-549
Print Operators S-1-5-32-550
Backup Operators S-1-5-32-551
Replicators S-1-5-32-552
Event Log Readers S-1-5-32-573

DEMONSTRATION
24
Adding Domain Admin rights
within SID History

DEMONSTRATION
25
User now has
Domain Admin Rights.

DEMONSTRATION
26
Dump KRBTGT (Golden Ticket)

• Enumerate all users with data in the SID History attribute which include SIDs in the same domain.
• If users haven’t been migrated, search for all users with data with the SIDHistory attribute.
DETECTION TECHNIQUES
27
# Detect Same Domain SID History
Import-Module ActiveDirectory
[string]$DomainSID = ( (Get-ADDomain).DomainSID.Value )
Get-ADUser -Filter “SIDHistory -Like ‘*'” -Properties SIDHistory | `
Where { $_.SIDHistory -Like “$DomainSID-*” }
Domain Controller Events:
• 4765: SID History was added to an account.
• 4766: An attempt to add SID History to an account failed.

ZBANG
SID
HISTORY
SCAN
28

RISKY SPNS

• SPN is a unique identifier of a service instance.
• Used by Kerberos to associate a service instance to a service
logon account.
• Computer
• User
• Stored in Active Directory…Whether it exists or not!
RISKY
SPN’S
30

Attacking Kerberos:
Kicking the Guard Dog of Hades
Tim Medin
SANS Hackfest 2014

DEMONSTRATION
33
Search for Vulnerable SPN’s

DEMONSTRATION
34
Request Kerberos Ticket for SPN

DEMONSTRATION
35
Brute-force the Kerberos Ticket

DEMONSTRATION
36
In a single command…
PS C:> Find-PotentiallyCrackableAccounts -
Sensitive -Stealth -GetSPNs | Get-TGSCipher -
Format "Hashcat" | Out-File crack.txt |
Hashcat64.exe -m 13100 crack.txt -a 3

• Delete unused SPN’s, disable unused accounts.
• Often overlooked.
• Avoid Dual-accounts.
• Used by both human users and services.
• Strengthen encryption types. Switch to AES
• Least Privileged approach.
• Consider local accounts, computer accounts, virtual, or ephemeral accounts.
• Rotated, random, and complex credentials.
• Use an automated system, or at least employ managed service accounts.
• Avoid hardcoded credentials – use credentials management. (AIM/Conjur)
• Monitor usage of privileged accounts.
• Specific useage of service accounts
• Large quantities of Service Ticket requests (Event ID 4769)
37

Scans the domain controller for deployed services
running with high privileged human accounts.
ZBANG
RISKYSPN
38
Those services can be targeted by infiltrating attacker to
extract credentials utilize the privileged account for
malicious purposes.

SPN DELEGATION
39
• Services and Service Accounts can
introduce more risk than you think.
• Service Delegation is abused for
PrivEsc and RCE
• Matan Hart @MachoSec

MYSTIQUE
40
Queries the Active Directory for accounts that are trusted for
delegation (Unconstrained, Constrained and Protocol Transition).
https://github.com/machosec/Mystique
Identifies risky Kerberos delegation configurations.

The zBang tool suite was developed by
CyberArk Labs to allow organizations a
quick detection of recent dangerous risks
and vulnerabilities exploited by attackers.
This FREE tool suite will detect risks and
potential attacks in your network.zBANG
41
Typical Execution (1000 machines) = Roughly 7-10 min.

• Powershell v3+ and .NET 4.5
• (Default in Windows 8/2012+)
• Run the tool from a domain joined machine.
• Run it with any domain user account.
• Only Read-Only queries to the DC.
SYSTEM
REQUIREMENTS
42

•Run it today!
• Reach out to your local CS Advisor!
•Deeper Audits available too!
WANT MORE ZBANG?!
43

•Hidden Risks
•Shadow Admins
•Skeleton Key Attacks
•SID History
•Risky SPN’s
•zBang!
SUMMARY
44

THANK zYOU!

More zBang for the zBuck

More Related Content

What's hot (20)

Similar to More zBang for the zBuck (20)

Recently uploaded (20)

More zBang for the zBuck

Editor's Notes