Think like an Attacker to Protect against Data Breach · 2019-10-23 · Enumerating subdomains....

Transcript of the slide deck.

Page 1:

Think like an Attacker to Protect against Data Breach

Page 2:

WHOAMI /groups

Where I work:

Husband / Red Teamer / Marine Corps Veteran

Twitter: @RedVuln

Name: Matt Batten

Page 3:

How to:

Think Like an Attacker to Protect against Data Breach

What about

Page 4:

Misconfigurations

Unpatched systems

Using default account credentials (i.e., usernames and passwords)

Unprotected files and directories

Unused web pages

Poorly configured network devices

https://resources.infosecinstitute.com/guide-preventing-common-security-misconfigurations/#gref

Page 5:

Old But New

08/26/2019 | Matt

An unquoted environment-variable path in a scheduled task that runs as SYSTEM

Unquoted paths are abused frequently on engagements. Normally an attacker would see an unquoted service path, not an unquoted scheduled task path. What makes this unique is that it is an environment variable that has a space in it that allows an attacker to abuse it. The key is, if the path is unquoted then Windows sees the space character in the path as a delimiter and will then search for program.exe instead of knowing to go to C:\Program Files\. I was surprised that an up-to-date Windows 10 machine would still have a vulnerability like this.

The scheduled task shell-usoscan is present and active on a default install of Windows 10 and uses the environment variable %programfiles% with a path that is unquoted.

Example:
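The following audit script is an added example and is not the screenshot from the slide nor code from the MSRC exchange. It walks every scheduled task, expands environment variables in the Exec action the way the Task Scheduler does, flags unquoted paths that still contain a space, and lists the file names CreateProcess would try before the intended one (C:\Program.exe for anything under %ProgramFiles%). The writability test is a coarse heuristic of my own: an Allow ACE for Users, Authenticated Users, Everyone or INTERACTIVE that grants a write-type right, ignoring Deny ACEs and inherit-only entries, so treat its hits as leads to confirm with icacls rather than as proof. Function and property names are mine.

```powershell
# Added example (not from the slides): audit scheduled tasks for unquoted Exec paths that
# contain a space once environment variables such as %ProgramFiles% are expanded.
# Needs the ScheduledTasks module (Windows 8 / Server 2012 and later). Run elevated so
# that tasks running as SYSTEM are visible.

function Test-LowPrivWritable {
    # Heuristic (assumption): any Allow ACE for a low-privilege principal that carries a
    # write-type right. Deny ACEs are not subtracted; inherit-only ACEs are skipped.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: not this folder
        if ($ace.IdentityReference.Value -notmatch 'Users|Everyone|INTERACTIVE') { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

function Get-UnquotedTaskPath {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # only Exec actions carry a program path

            $expanded = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim()
            # Already quoted, or no space to mis-split on: nothing to report.
            if ($expanded.StartsWith('"') -or -not $expanded.Contains(' ')) { continue }

            # CreateProcess tries the text up to each space in turn, appending .exe when the
            # fragment has no extension: "C:\Program Files\X\y.exe" is searched as
            # C:\Program.exe, then C:\Program Files\X\y.exe. Each earlier name is a hijack point.
            $parts  = $expanded.Split(' ')
            $hijack = for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = $parts[0..($i - 1)] -join ' '
                if (-not [IO.Path]::HasExtension($candidate)) { $candidate += '.exe' }
                [pscustomobject]@{
                    Path        = $candidate
                    DirWritable = Test-LowPrivWritable -Directory (Split-Path -Path $candidate -Parent)
                }
            }

            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                RunAs      = $task.Principal.UserId
                Execute    = $action.Execute
                Expanded   = $expanded
                Candidates = $hijack
            }
        }
    }
}

# Usage: show only tasks where a name an attacker could plant sits in a writable directory.
Get-UnquotedTaskPath |
    Where-Object { $_.Candidates.DirWritable -contains $true } |
    Format-List Task, RunAs, Execute, Expanded, Candidates
```

Run it without the Where-Object filter to see every unquoted path regardless of ACLs; a task that runs as SYSTEM with a hijack candidate in a user-writable directory is the case the slide describes.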

Page 6:

08/26/2019: Submitted to MSRC

09/03/2019: Initial response from MSRC: MSRC closed the case and asked how it was a MITM or social engineering attack

09/10/2019: Reached back out to MSRC because their response didn't make sense; informed MSRC of my intent to publish findings.

09/10/2019: MSRC reopened the ticket

09/10/2019: MSRC final response: Will be a next-version fix

This is the link provided by Microsoft as a point of reference:

https://blogs.msdn.microsoft.com/aaron_margosis/2014/11/14/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-unquoted-service-paths/

The reference sent by Microsoft refers to vendors having misconfigured services. This is a Microsoft-owned scheduled task.

Page 7:

Am I vulnerable? YES!

You are always vulnerable.

That is why defense in depth is important.

There are 0-days that are not publicly known.

Your network is most likely vulnerable even without a 0-day exploit.

Every time you download a third-party application you open yourself up even more.

Page 8:

Most common things I have seen

Page 9:

OSINT

Fun word red teamers throw around

What are Red teamers doing?

Page 10:

Google Dorking

Passwords and usernames in public:

filetype:doc password "walmart"

Page 11:

Enumerating subdomains
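Two of the standard ways to do the enumeration the slide names, written here as an added example rather than code from the talk. The first pulls names from Certificate Transparency logs through crt.sh, an external service; the JSON shape used (one record per certificate with a newline-separated name_value field) is its documented output=json mode. The second brute-forces a wordlist with Resolve-DnsName; the wordlist below is a short constructed stub and the function names are mine. The wildcard probe matters: a zone that answers for a random label will "confirm" every word in the list.

```powershell
# Added example, not from the slides: passive (CT logs) plus active (wordlist) subdomain
# enumeration. Requires outbound HTTPS for crt.sh and DNS resolution for the brute force.

function Get-SubdomainsFromCT {
    param([Parameter(Mandatory)][string]$Domain)
    # crt.sh JSON: %25 is a URL-encoded '%', i.e. an SQL-style wildcard for "anything.$Domain".
    $rows = Invoke-RestMethod -Uri "https://crt.sh/?q=%25.$Domain&output=json"
    $rows.name_value -split "`n" |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ -and $_ -notmatch '\*' -and $_.EndsWith(".$Domain") } |
        Sort-Object -Unique
}

function Get-SubdomainsByBruteForce {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Constructed stub; replace with a real list (e.g. a SecLists DNS wordlist).
        [string[]]$Wordlist = @('www','mail','vpn','remote','owa','citrix','dev','test','staging','autodiscover','sso'),
        [string]$Server      # optional resolver, e.g. the target's authoritative name server
    )
    $q = @{ Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }   # DnsOnly: no LLMNR/NetBIOS fallback
    if ($Server) { $q.Server = $Server }

    # Wildcard check: if a random label resolves, positive hits below prove nothing.
    $probe = "nx-$([guid]::NewGuid().ToString('N').Substring(0, 10)).$Domain"
    if (Resolve-DnsName -Name $probe @q) {
        Write-Warning "$Domain answers for random names (wildcard record); brute-force hits are not meaningful"
    }

    foreach ($w in $Wordlist) {
        $fqdn = "$w.$Domain"
        $rec  = Resolve-DnsName -Name $fqdn @q
        if ($rec) {
            [pscustomobject]@{
                Name    = $fqdn
                Address = ($rec | Where-Object IPAddress | Select-Object -ExpandProperty IPAddress) -join ','
            }
        }
    }
}

# Usage (replace the domain with one you are authorized to test):
$domain = 'example.com'
$fromCT = Get-SubdomainsFromCT -Domain $domain
$fromBF = Get-SubdomainsByBruteForce -Domain $domain
($fromCT + $fromBF.Name) | Sort-Object -Unique
```

As a defender, diff that union against your own asset inventory: anything in the list that nobody owns is exactly the forgotten host the next slides are about.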

Page 12:

Public facing without multi-factor authentication

Page 13:

Why multi-factor authentication is important

Security Questions

Physical

Apps

Email

Text

Page 14:

Employee's personal account gets "hacked"

Why and how does this affect you?

Educate users on how to prevent their accounts from being compromised, and how to recognize if they already are.

Page 15:

Who cares? Only you!

If someone's account gets taken over, local law enforcement most likely will not be able to help due to lack of resources.

There are options, but most are not likely to care unless it involves money over 10k, you are a political figure, or enough people report the same issue in a short amount of time.

Page 16:

Port Security

Does port security really help? Such as sticky MACs.

Issues I have seen while testing this.

Page 17:

Scanning Methodology

Page 18:

Responder

LLMNR and NBT-NS spoofing is still, even today, an easy way to harvest credentials and move laterally, because it rides on normal name-resolution traffic: a host that cannot resolve a name (a typo, a stale mapped drive, a missing WPAD record) falls back to asking the local segment, Responder answers as that name, and collects the NTLM authentication that follows.
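The cheapest detection for the attack above is a canary: ask the segment for a name nobody owns and treat any answer as a poisoner. The script below is an added example, not part of the talk or of Responder; it builds the LLMNR query by hand (RFC 4795 reuses the DNS wire format), sends it to the LLMNR multicast group on UDP 5355 with .NET UdpClient, and reports whoever replies. The random name, the function name and the "last four bytes are the A record" parsing shortcut (true for the single-answer replies Responder sends) are my assumptions.

```powershell
# Added example, not from the slides: LLMNR canary that detects Responder-style spoofing
# from any Windows host with PowerShell 5+. Nobody legitimate owns the random name, so
# any reply at all means a spoofer is on the segment.

function Test-LlmnrPoisoner {
    param(
        [string]$Name      = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8),
        [int]   $TimeoutMs = 2000
    )

    # Header: ID, flags 0 (standard query), QDCOUNT 1, AN/NS/ARCOUNT 0. Then one question.
    $id  = Get-Random -Minimum 1 -Maximum 65535
    $pkt = [System.Collections.Generic.List[byte]]::new()
    $pkt.AddRange([byte[]]@([byte]($id -shr 8), [byte]($id -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $pkt.Add([byte]$lb.Length)
        $pkt.AddRange($lb)
    }
    $pkt.AddRange([byte[]]@(0, 0, 1, 0, 1))           # root label, QTYPE A, QCLASS IN
    $query = $pkt.ToArray()

    $udp = [System.Net.Sockets.UdpClient]::new(0)     # ephemeral port; the answer comes back unicast
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    $null  = $udp.Send($query, $query.Length, $group)

    $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
    try     { $resp = $udp.Receive([ref]$from) }
    catch   { return $null }                          # timeout: nobody answered, the clean case
    finally { $udp.Dispose() }

    # Parse only what the report needs: ID match and ANCOUNT from the header; with a single
    # A record (assumption, Responder's behaviour) the address is the last 4 bytes.
    $idMatches = ($resp[0] -eq ($id -shr 8)) -and ($resp[1] -eq ($id -band 0xFF))
    $ancount   = ($resp[6] -shl 8) -bor $resp[7]
    $answerIp  = if ($ancount -eq 1 -and $resp.Length -ge 16) { $resp[-4..-1] -join '.' } else { $null }

    [pscustomobject]@{
        QueriedName = $Name
        AnsweredBy  = $from.Address.IPAddressToString    # the spoofer's source address
        AnswerIp    = $answerIp                          # where it wants you to authenticate
        IdMatches   = $idMatches
        Verdict     = 'LLMNR spoofer present'
    }
}

# Usage: a few probes, ideally from more than one VLAN; a non-empty result is an incident.
1..3 | ForEach-Object { Test-LlmnrPoisoner } | Where-Object { $_ } | Format-Table -AutoSize
```

Scheduling this from a handful of hosts per segment turns the slide's point around: the same traffic the attacker relies on becomes the signal that tells you they are there.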

Page 19:

MultiRelay

A powerful pentest utility included in Responder's tools folder giving you the ability to perform targeted NTLMv1 and NTLMv2 relay on a selected target. Currently MultiRelay relays HTTP, WebDav, Proxy, and SMB authentications to an SMB server. This tool can be customized to accept a range of users to relay to a target. The concept behind this is to only target domain Administrators, local Administrators, or privileged accounts.

(http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html)

Page 20:

Page 21:

SMB signing not on (I know you can't turn it on)

Compatibility issues.

Every penetration test you will get the same feedback (turn SMB signing on).

Too bad you are still running that Windows 2003 server.

Page 22:

Ways to stop Responder and pass the hash (PTH)

Honestly, it is hard.

Disable LLMNR and NBT-NS

Create an entry for WPAD

GPO for SMB signing and NTLMv2

Ensure that an account an attacker gets to is not an admin (only use secure workstations as an admin).
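The first three items on the slide are registry-backed Group Policy settings, so they can be audited and applied directly. The script below is an added example, not from the talk: it reads the values behind "Turn off multicast name resolution", "LAN Manager authentication level", "Microsoft network server/client: Digitally sign communications (always)" and the per-interface NetBIOS setting, and can enforce them on one host. In a domain you would push the same settings by GPO; the per-host hosts-file line for wpad is my stand-in for the DNS record the slide means (127.0.0.1, i.e. "no proxy", is an assumption; point it at your real proxy if you have one). Function names are mine.

```powershell
# Added example, not from the slides: audit and enforce the anti-poisoning settings.
# Run elevated. The NBT-NS change takes effect per interface after a reboot.

$Settings = @(
    @{ Name  = 'LLMNR disabled (Turn off multicast name resolution)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Want = 0 }
    @{ Name  = 'NTLMv2 only, refuse LM and NTLMv1 (LmCompatibilityLevel)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Want = 5 }
    @{ Name  = 'SMB server: digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 }
    @{ Name  = 'SMB client: digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 }
)
$NetBtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-PoisoningExposure {
    foreach ($s in $Settings) {
        $cur = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
        [pscustomobject]@{ Setting = $s.Name; Current = $cur; Wanted = $s.Want; Ok = ($cur -eq $s.Want) }
    }
    # NBT-NS is configured per interface: NetbiosOptions 2 = disabled.
    foreach ($if in Get-ChildItem -Path $NetBtInterfaces) {
        $cur = (Get-ItemProperty -Path $if.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Setting = "NBT-NS disabled on $($if.PSChildName)"; Current = $cur; Wanted = 2; Ok = ($cur -eq 2) }
    }
}

function Set-PoisoningHardening {
    foreach ($s in $Settings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Want -PropertyType DWord -Force | Out-Null
    }
    foreach ($if in Get-ChildItem -Path $NetBtInterfaces) {
        New-ItemProperty -Path $if.PSPath -Name NetbiosOptions -Value 2 -PropertyType DWord -Force | Out-Null
    }
    # "Create an entry for WPAD": a resolvable wpad name never falls through to LLMNR/NBT-NS.
    # Per-host stand-in for the DNS record (assumption: 127.0.0.1 = no proxy).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Select-String -Path $hosts -Pattern '^\s*\S+\s+wpad(\s|$)' -Quiet)) {
        Add-Content -Path $hosts -Value "127.0.0.1`twpad"
    }
}

# Usage: audit first. Signing "always" and LmCompatibilityLevel 5 break clients that cannot
# sign or speak NTLMv2 (the Windows 2003 server from the previous slide), so confirm every
# Ok=False row before enforcing.
Get-PoisoningExposure | Format-Table -AutoSize
# Set-PoisoningHardening; Get-PoisoningExposure | Format-Table -AutoSize
```

The fourth item on the slide has no registry key: it is the tiering discipline that makes a relayed low-privilege account worthless, and it is what saves you on the segment where the 2003 box forces signing to stay off.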

Page 23:

Why are some systems not restarted for years?

What is LSASS?

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

(https://www.anvir.com/local-security-authority-subsystem-service-lsassexe.htm)

To do that work LSASS keeps logon credentials in its memory. Every user who has logged on to that box since it was last restarted may still have material there (NTLM hashes, Kerberos tickets, and plaintext passwords where WDigest is enabled), and an attacker with local admin can dump it. The longer the uptime, the more accounts are exposed.

Page 24:

dsquery
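The slide names the tool without showing its use, so here, as an added example rather than the speaker's material, are the read-only dsquery/dsget queries an attacker (or an auditor) runs from any domain-joined host with the RSAT AD DS tools, using only a normal domain user. Output goes to text files so the next run can be diffed. The output directory and file names are mine; the userAccountControl bit values and the LDAP matching-rule OID are the documented ones.

```powershell
# Added example, not from the slides: domain mapping with dsquery/dsget (RSAT AD DS tools).
# Everything here is read-only and works as an ordinary domain user.

$out = (New-Item -ItemType Directory -Path "$env:TEMP\adrecon" -Force).FullName

# Who holds the keys: privileged group membership with nested groups expanded.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') {
    dsquery group -name $g | dsget group -members -expand | Out-File "$out\$($g -replace ' ', '_').txt"
}

# Attack surface: domain controllers, servers by OS, and machines whose password is stale
# (dead, forgotten, or never rebooted; compare with the LSASS slide).
dsquery server -o rdn | Out-File "$out\dcs.txt"
dsquery * -filter "(&(objectCategory=computer)(operatingSystem=*Server*))" -attr name operatingSystem -limit 0 |
    Out-File "$out\servers.txt"
dsquery computer -stalepwd 90 -limit 0 | Out-File "$out\stale_computers.txt"

# Weak account hygiene. The filter uses the LDAP bitwise-AND matching rule on
# userAccountControl: 65536 = password never expires, 4194304 = no Kerberos preauth
# (AS-REP roastable), 32 = password not required.
$uac = 'userAccountControl:1.2.840.113556.1.4.803:='
dsquery * -filter "(&(objectCategory=person)($uac" + "65536))"   -attr sAMAccountName -limit 0 | Out-File "$out\pwd_never_expires.txt"
dsquery * -filter "(&(objectCategory=person)($uac" + "4194304))" -attr sAMAccountName -limit 0 | Out-File "$out\no_preauth.txt"
dsquery * -filter "(&(objectCategory=person)($uac" + "32))"      -attr sAMAccountName -limit 0 | Out-File "$out\pwd_not_required.txt"

# Accounts with SPNs: Kerberoast targets, and the list to review for over-privilege.
dsquery * -filter "(&(objectCategory=person)(servicePrincipalName=*))" -attr sAMAccountName servicePrincipalName -limit 0 |
    Out-File "$out\spn_accounts.txt"

# Users with no logon in 12 weeks: candidates for disabling.
dsquery user -inactive 12 -limit 0 | Out-File "$out\inactive_users.txt"

Get-ChildItem -Path $out
```

Every one of these queries is a burst of LDAP reads from a single workstation; if your SIEM baseline (next slides) includes normal LDAP query volume per host, this recon is visible.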

Page 25:

SIEM

Very powerful instrument in the right hands.

Alarms and rules must be properly set.

Analyst turnover makes it harder.

Need a baseline (high turnover rate = no understanding of the baseline).

Page 26:

Ticket Management

Team gets an alarm. Looks up what the alarm is and sees that another analyst handled it by adding it to additional comments. So the analyst who sees the alarm now adds it to additional comments and saves without looking at the SIEM.

See any issues with this?

________________________________________________________________

Security analysts need to be trained.

Do not get complacent.

Playbooks and runbooks need to be a thing.

Page 27:

If you enjoyed this talk and would like to know more

If you have any questions or are just interested in talking, feel free to message me on Twitter. (Walk up to me while I am here)

Twitter: @RedVuln

Name: Matt Batten