Lateral move attack path using "pass the hash," token theft or SAM extraction

[Image: pass the hash attack path]

Granting users local administrative privileges on servers as a quick solution for Remote Desktop access is an all-too-common practice that I have seen customers adopt, but it poses a significant security concern because it creates a direct path to a complete Windows domain takeover.

What's the risk?

Elevated Privileges: Local administrators have elevated privileges that allow them to modify system settings, install software, and potentially access sensitive data such as password hashes and credentials of other users on the same system who may be Domain Admins or have other highly privileged access.

Privilege Escalation: If a user's account is compromised, an attacker who gains access to that account has an easier path to escalate to privileged domain access. This can lead to unauthorized access to critical systems and sensitive data.

Lateral Movement: Once an attacker gains local administrative privileges on one server, they may use that access as a pivot point to move laterally within the network. This lateral movement can lead to the compromise of additional servers and the domain.

[Image: local admin use decision]

Spread of Malware: Local administrators can introduce malware to servers, either intentionally or inadvertently. This can lead to the spread of malware across the network to other servers and file shares.

Data Breaches: With local administrative privileges, users or those who compromise their accounts can potentially access and exfiltrate sensitive data from servers. This poses a significant risk of data breaches and compromise of confidential information.

Account Management Overhead: Managing and maintaining a large number of users with local administrative privileges on multiple systems becomes administratively burdensome. It increases the risk of stale or unused accounts that can be exploited.

Privilege Abuse Prevention: Local administrators have elevated privileges that allow them to install software, modify system settings, and access sensitive data. Without proper oversight, there is a risk that administrators may abuse their privileges for malicious purposes, such as installing unauthorized software, stealing sensitive information, or compromising system integrity.

Insider Threats: Insider threats occur when individuals within an organization misuse their access privileges to harm the organization's security or operations. By auditing local administrators, organizations can detect and prevent insider threats before they cause significant damage.

Credential Theft Mitigation: If an attacker gains access to a local administrator account on a single system, they may attempt to use that access to move laterally within the network. Auditing and restricting local administrators help limit the potential damage an attacker can cause if they gain access to such accounts.

Attack path: lateral move using pass the hash, SAM infiltration, token capture

SAM Extraction - Extracting password hashes from the local Security Account Manager (SAM) database on a Windows device is a technique used by attackers to gain unauthorized access to a network. This process is often part of a broader attack known as "Pass the Hash" (PtH), which involves stealing hashed credentials for lateral movement within a network. The attacker can also capture cached credentials from an administrator's application session, or the password hash itself. There are several tools and methods that can be used for this task, which I will cover below.


Access to the System: The attacker needs physical or remote access to the target Windows machine to initiate the attack. This can be through techniques like malware, phishing, social engineering, or RDP exploits. The most common initial compromise patterns are weakly secured RDS/RDP, malware download and execution, or a phishing attack.

Dumping the SAM Database: Once inside the system, the attacker can use various tools and techniques to dump the local SAM database. This database contains hashed user credentials for local accounts on the machine.

Cracking the Hashes: After obtaining the hashed passwords from the SAM database, the attacker can use specialized tools or methods to try to crack the hashes and recover the original passwords. They might use techniques like dictionary attacks, brute-force attacks, SAM infiltration, token theft, hash capture or rainbow tables.

Extracting Domain Credentials: If the target system is part of a Windows domain, the attacker might find cached domain credentials within the local system. These credentials can be used for lateral movement within the network. Cached domain credentials can be found in a local profile, the SAM, or an active or disconnected RDS/RDP session.

Pass the Hash: With the cracked or extracted credentials, the attacker can use the stolen hashes to authenticate themselves to other systems within the network, bypassing the need for the actual password. This is where the "Pass the Hash" attack comes into play.

Token theft, often referred to as "token hijacking" or "session token theft," is a type of cyber attack where an attacker gains unauthorized access to a user's session token and uses it to impersonate the user, effectively taking over their authenticated session. This can allow the attacker to gain access to the Azure or Office 365 portal. A token stolen from a user profile would not raise impossible-travel alerts in Azure AD, as it would be used from the same location. The attacker can reuse the stolen token and then change the admin user's password. If password write-back is enabled, the new password will write back to the on-premises AD and can be used there to take over the domain.

Tools frequently used in lateral move and “pass-the-hash” attacks:

Cain & Abel - a password recovery and security tool used by network administrators, security professionals, and individuals to recover lost passwords and perform various security-related tasks. Its capabilities include network sniffing, dictionary, brute-force and cryptanalysis attacks, opening SAM databases (local password hashes on the OS volume), decrypting encrypted passwords, recovering wireless network keys and revealing cached passwords.

PwDump7 - developed by Tarasco, this tool extracts the SAM file from the system and dumps the credentials of any user account that has a profile on the system.

Metasploit's meterpreter gives an attacker nearly total control of the victim host, allowing them to: dump hashes from the SAM, dump profile information, pass a password hash into a new logon session on a local or remote computer, or pass a password hash into a "run as" of any utility started via CMD.

PsExec is a command-line tool on Windows, available in many flavors, that allows you to execute programs and commands on remote systems. It is useful for administrators because it integrates with console applications and utilities for seamless redirection of input and output. This tool can be used by an attacker to execute malicious commands or to serve as a backdoor.

How you can reduce the risk of lateral move and “pass-the-hash” attacks:

Apply the principle of least privilege: Assign only the necessary privileges to local administrators to minimize their access to sensitive resources.

Implement authorization standards: authorize interactive access to groups, not individual users. Control access authorizations via Domain groups to centralize control.

Monitor and log activities: Implement auditing policies to track local administrator activities and generate logs for review. There are specific Windows event combinations that will help sniff out a pass-the-hash attack in progress.

Enable, configure and review audit logs: Regularly review RDS and Local Logon audit logs to detect any suspicious or unauthorized activities.
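The two points above mention Windows event combinations that point to a pass-the-hash attack in progress. The script below is an added example, not part of the article, showing one way to review the Security log for them. It assumes "Audit Logon" is enabled so event 4624 is recorded, that the caller can read the Security log on the target host, and the host name MEMBER-SRV01 is a placeholder. Both patterns are heuristics: an NTLM network logon recorded with KeyLength 0 and no subject SID, and a NewCredentials (type 9) logon through the "seclogo" logon process with the Negotiate package, which legitimate runas /netonly also produces.

```powershell
# Added example: hunt for pass-the-hash style logons in the Security log.
# Assumes audit policy records event 4624 and the caller can read the log.
function Find-PassTheHashIndicators {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonProcessName is padded with trailing spaces in the event data.
        $proc   = ([string]$data['LogonProcessName']).Trim()
        $user   = [string]$data['TargetUserName']
        $reason = $null

        # Pattern 1: NTLM network logon that negotiated no session key and has no
        # authenticated subject. Interactive NTLM logons normally show KeyLength 128.
        # Machine accounts ($) and ANONYMOUS LOGON are excluded as routine noise.
        if ($data['LogonType'] -eq '3' -and
            $proc -eq 'NtLmSsp' -and
            $data['KeyLength'] -eq '0' -and
            $data['SubjectUserSid'] -eq 'S-1-0-0' -and
            $user -ne 'ANONYMOUS LOGON' -and
            $user -notlike '*$') {
            $reason = 'NTLM network logon with KeyLength 0 and no subject SID'
        }
        elseif ($data['LogonType'] -eq '9' -and
                $proc -eq 'seclogo' -and
                $data['AuthenticationPackageName'] -eq 'Negotiate') {
            # Pattern 2: NewCredentials logon via seclogo. runas /netonly produces
            # this too, so treat it as a lead to correlate, not as proof.
            $reason = 'NewCredentials logon via seclogo (credential injection or runas /netonly)'
        }

        if ($reason) {
            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                Computer    = $ComputerName
                Account     = "$($data['TargetDomainName'])\$user"
                SourceIP    = [string]$data['IpAddress']
                Workstation = [string]$data['WorkstationName']
                LogonType   = [string]$data['LogonType']
                Indicator   = $reason
            }
        }
    }
}

# Usage: review the last 24 hours on a member server (placeholder host name).
Find-PassTheHashIndicators -ComputerName 'MEMBER-SRV01' |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Run it against the servers where local administrators are granted Remote Desktop access and correlate the Account, SourceIP and Workstation columns with the RDS logon records: a privileged account logging on via NTLM from a workstation that is not its owner's PAW is the combination worth escalating.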

Automate access reviews: Implement processes to periodically review and validate the necessity of local administrator privileges.

Inventory local accounts and groups on Domain Member servers. If you currently don’t have an inventory of local administrators on your servers, an audit of local accounts and groups will help you create one. Pay attention to Domain accounts added to local admin groups.

Use a PAW – Privileged Access Workstations. A PAW is a dedicated workstation or device that is specifically designed and configured to perform administrative and privileged tasks while minimizing the risk of security breaches and unauthorized access.

Use Strong Passwords: Enforce strong password policies; use a Windows domain Password Settings Object (PSO, fine-grained password policy) for privileged groups.

Lock down RDS groups: Remote Desktop Users is a local group created by default on all computers. There should be a centrally controlled domain group, enforced by policy as the RDS group on all computers, and this should be enforced by Group Policy on all domain members.
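The inventory of local accounts and groups recommended above, and the lock-down of the Remote Desktop Users group, both start from the same data: who is in each server's local Administrators and Remote Desktop Users groups, and whether they got there through a domain group or were added directly. The script below is an added example, not the article's own tooling. It assumes the RSAT ActiveDirectory module is installed, WinRM is enabled on the member servers, the caller can read local groups on them, and the output path C:\Audit\LocalGroupInventory.csv is a placeholder.

```powershell
# Added example: inventory the local Administrators and Remote Desktop Users
# groups on every domain-joined member server and flag individual domain user
# accounts that were added directly instead of through a domain group.
# Assumes RSAT ActiveDirectory, WinRM on the servers, and rights to read local groups.
Import-Module ActiveDirectory

$groupsToAudit = @('Administrators', 'Remote Desktop Users')
$reportPath    = 'C:\Audit\LocalGroupInventory.csv'   # placeholder output location

# Enabled servers only. Domain controllers are skipped because their "local"
# groups are domain built-in groups, not a SAM.
$dcNames = (Get-ADDomainController -Filter *).Name
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' -Properties OperatingSystem |
    Where-Object { $dcNames -notcontains $_.Name }

# Collect membership remotely; each row records where the principal comes from
# (Local or ActiveDirectory) and whether it is a user or a group.
$inventory = Invoke-Command -ComputerName $servers.DNSHostName -ErrorAction SilentlyContinue -ScriptBlock {
    param([string[]]$groups)
    foreach ($group in $groups) {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Server          = $env:COMPUTERNAME
                LocalGroup      = $group
                Member          = $_.Name
                ObjectClass     = [string]$_.ObjectClass
                PrincipalSource = [string]$_.PrincipalSource
            }
        }
    }
} -ArgumentList (,$groupsToAudit)

# Servers that returned nothing could not be reached; list them so the
# inventory is not silently incomplete.
$reached     = @($inventory | Select-Object -ExpandProperty Server -Unique)
$unreachable = @($servers | Where-Object { $reached -notcontains $_.Name })

# Domain user accounts placed directly into a local group are the finding the
# article warns about; a centrally managed domain group is the intended pattern.
$directDomainUsers = @($inventory | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User'
})

$inventory | Sort-Object Server, LocalGroup, Member |
    Export-Csv -Path $reportPath -NoTypeInformation

"Servers inventoried : $($reached.Count)"
"Servers unreachable : $($unreachable.Count)"
"Direct domain users : $($directDomainUsers.Count)"
$directDomainUsers | Format-Table Server, LocalGroup, Member -AutoSize
$unreachable | Select-Object Name, DNSHostName | Format-Table -AutoSize
```

The CSV is the baseline for the periodic access reviews mentioned earlier: re-run the script on a schedule and diff the Member column per server, so that any new direct domain user in Administrators or Remote Desktop Users shows up as a change to be justified or reverted through the Group Policy that populates those groups.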

Multi-Factor Authentication (MFA): Implement MFA for member servers and Domain Controllers to add an extra layer of security, even if password hashes are compromised. Both Azure AD MFA and on-premises Microsoft Policy Server MFA have the capability to enforce token lifetime limits. If those limits are properly configured, the user will be re-prompted for the password if the MFA token has already timed out.

Network Segmentation: Segment the network to limit lateral movement opportunities. Segregate Domain Controllers from member servers.

PAM (Privileged Access Management) solutions can help in some cases and mitigate some attack paths, but far from all. It is important to understand which attack paths are mitigated by your PAM solution and which ones are not. For example, a PAM solution that offers JIT password copy and interval password change will help reduce the risk, but not eliminate it, because password hash, session token and SAM credential extraction are still viable attack patterns.

Are you more or less susceptible to a lateral move / “pass the hash” attack? We can help you answer this question and reduce the risks of such an attack pattern.

#ComplacentGetsHacked



Kevin Stevens

Information Technology Leader: Shaping IT Organizations in Alignment with Business Goals

1 year

Great article!
