Avenue to Compromise – Credential Theft

March 2014 EventTracker Newsletter

By A.N. Ananth

After an attacker has compromised a target infrastructure, the typical next step is credential theft. The objective is to propagate compromise across additional systems, and eventually target Active Directory and domain controllers to obtain complete control of the network.

Attractive Accounts for Credential Theft
Credential theft attacks are those in which an attacker initially gains privileged access to a computer on a network and then uses freely available tooling to extract credentials from the sessions of other logged-on accounts.

Activities that Increase the Likelihood of Compromise
Because the target of credential theft is usually highly privileged domain accounts and “very important person” (VIP) accounts, it is important for administrators to be conscious of activities that increase the likelihood of a success of a credential-theft attack.

These activities are:

  • Logging on to unsecured computers with privileged accounts
  • Browsing the Internet with a highly privileged account
  • Configuring local privileged accounts with the same credentials across systems
  • Overpopulation and overuse of privileged domain groups
  • Insufficient management of the security of domain controllers.

Privilege Elevation and Propagation
Specific accounts, servers, and infrastructure components are usually the primary targets of attacks against Active Directory.

These accounts are:

  • Permanently privileged accounts
  • VIP accounts
  • “Privilege-Attached” Active Directory accounts
  • Domain controllers
  • Other infrastructure services that affect identity, access, and configuration management, such as public key infrastructure (PKI) servers and systems management servers

Although pass-the-hash (PtH) and other credential theft attacks are ubiquitous today, it is because there is freely available tooling that makes it simple and easy to extract the credentials of other privileged accounts when an attacker has gained Administrator – or SYSTEM-level access to a computer. Even without tooling that allows harvesting of credentials from logon sessions, an attacker with privileged access to a computer can just as easily install keystroke loggers that capture keystrokes, screenshots, and clipboard contents. An attacker with privileged access to a computer can disable antimalware software, install rootkits, modify protected files, or install malware on the computer that automates attacks or turns a server into a drive-by download host.

The tactics used to extend a breach beyond a single computer vary, but the key to propagating compromise is the acquisition of highly privileged access to additional systems. By reducing the number of accounts with privileged access to any system, you reduce the attack surface not only of that computer, but the likelihood of an attacker harvesting valuable credentials from the computer.

A white-paper from Microsoft “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques” provides detailed guidance on the subject. Highly effective mitigation steps in the order of effort required to implement are:

  • Restrict and protect local accounts with administrative privilege
  • Restrict and protect high privileged domain accounts
  • Restrict inbound traffic using Windows Firewall
  • Remove standard users from the local administrators group