SysAdmin Magazine
Practical Guidance for Fighting IT Monsters
№ 68, October 2021

Contents
3  How to prevent a data breach
5  Active Directory Certificate Services: Risky settings and how to remediate them
9  What is password spraying, and how can you spot and block attacks?
How to prevent a data breach

As the volume of information increases and the threat landscape evolves, answering the question of how to prevent a data breach can seem like an insurmountable challenge. But it's not. Here are 9 great tips for protecting your business against data breaches.

• Detection and analysis
• Containment, eradication and recovery
• Post-incident handling

2. Establish a formal security policy
Every organization should have a written information security policy that covers all aspects of how data is to be handled
4. Separate Business Accounts from Personal

tices for identifying threats and preventing data breaches. Indeed, a significant number of breaches are the direct result of someone inside the company making a mistake, like

6. Use Encryption
Data encryption is an often overlooked data security best
Active Directory Certificate Services: Risky settings and how to remediate them

When an authentication-based certificate is issued to an identity, the certificate can be used to authenticate as the identity set in the Subject Alternative Name (SAN); this is usually a UPN or DNS name. The certificate is then used in

First, look for Enhanced Key Usages (EKUs) that enable any kind of domain-level authentication. Here is a brief list:
• Any Purpose (2.5.29.37.0)
• SubCA (None)
When the flag CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is present in the mspki-certificate-name-flag property, the enrollee of the certificate can supply their own alternative Subject Name in the certificate signing request. This means that any user who is allowed to enroll in a certificate with this setting can request a certificate as any user in the network, including a privileged user.

You can check this flag in the Certificate Template console; it's under the Subject Name tab as the "Supply in the request" radio option:

Further Reducing Risk
In addition to correcting certificate misconfigurations, consider using the following options to control the issuing of certificates.
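As an added example (not from the article), the PowerShell below enumerates the certificate templates in the Configuration partition and reports the two properties discussed above: an EKU that permits domain authentication, and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit (0x1 in msPKI-Certificate-Name-Flag). The Client Authentication, Smart Card Logon and PKINIT OIDs extend the article's truncated EKU list with the standard authentication EKUs; the ActiveDirectory module and read access to the Configuration partition are assumed.

```powershell
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag

# EKUs that let a certificate be used for domain logon. "Any Purpose" is from the article's
# list; the other three are the standard authentication EKUs (the article's list is cut off).
$AuthEkus = @{
    '2.5.29.37.0'            = 'Any Purpose'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.4'        = 'PKINIT Client Authentication'
}

function Test-RiskyCertTemplate {
    param([Parameter(Mandatory)] $Template)   # object carrying the template's AD attributes

    $ekus = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
    # No EKU at all is the "SubCA (None)" case: the certificate is unrestricted.
    $authEku = if ($ekus.Count -eq 0) { 'None (unrestricted)' } else {
        ($ekus | Where-Object { $AuthEkus.ContainsKey($_) } | ForEach-Object { $AuthEkus[$_] }) -join ', '
    }
    $supplies = ([int]$Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    [pscustomobject]@{
        Template                = $Template.Name
        AuthenticationEKU       = $authEku
        EnrolleeSuppliesSubject = $supplies
        # The dangerous combination from the article: a logon-capable EKU plus a requester-chosen
        # subject. Who may actually enroll still has to be read from the template's ACL.
        Risky                   = ($authEku -ne '') -and $supplies
    }
}

$configNC  = (Get-ADRootDSE).configurationNamingContext
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties Name, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag'

$templates | ForEach-Object { Test-RiskyCertTemplate $_ } | Where-Object Risky | Format-Table -AutoSize
```

Templates reported as Risky are the ones to review in the Certificate Template console as described above; clearing "Supply in the request" or removing the authentication EKU removes the condition.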
What Is Password Spraying, and How Can You Spot and Block Attacks?

tool used in Citrix's consulting practice. The hackers gained this access to Citrix's IT infrastructure through a password spraying attack, a technique that exploits weak passwords, leading to criticism that the software giant needlessly compromised its clients by failing to establish a sound password strategy.

Citrix is far from the only enterprise that falls short with password security. When a threat research team scanned all Microsoft user accounts in early 2019, they discovered that 44 million users were using the same usernames and passwords that had already been leaked online after securi-

Typical brute-force attacks target a single account, testing multiple passwords to try to gain access. Modern cybersecurity protocols can detect this suspicious activity and lock out an account when too many failed login attempts occur in a short period of time.

Password spraying flips the conventional strategy by attempting to log on to multiple user accounts using many common passwords. Trying a single password on many different accounts before attempting another password on the same accounts circumvents normal lockout proto-

successes, today's savvy hackers rely on a more precise approach. They set their sights on users who use single sign-on (SSO) authentication, hoping to guess credentials that will give them access to multiple systems or applications. They also commonly target users that use cloud services and applications utilizing federated authentication. This approach can enable attackers to move laterally, since federated authentication can help mask malicious traffic.
Password Policy
ple endpoints.
Pass-the-Hash
Jeff Warren
Security Expert, SVP of Products at Netwrix

So, before we look at how to detect pass-the-hash, let's get a baseline of what events are normally generated when performing NTLM logon activity. To do that from my PC workstation, I'll first launch a new command prompt as an administrative user by

Now in the new command prompt, I will use Sqlcmd to connect to a SQL host. For good measure I will run the SELECT SYSTEM_USER command to show the user I am authenticated as:
Domain Controller Logs
On the domain controller I will see signs of the user Franklin Bluth being authenticated. In this case, I will see artifacts of both Kerberos and NTLM authentication. The Kerberos authentication happens first, which is the default authentication method for Active Directory. That will generate two events:

4768 – A Kerberos authentication ticket (TGT) was requested. This shows a request for a TGT from the domain controller for our user we are impersonating.

4769 – A Kerberos service ticket was requested. Once we have our TGT we request a TGS for the host we are impersonating the user on. With this, our user Franklin can now interact with the PC to launch the command prompt.

4776 – The computer attempted to validate the credentials for an account. The 4776 event is specific to NTLM and will come last. This occurs when we execute the command using Sqlcmd which forces NTLM authentication.
Pass-the-Hash Events
To perform a pass-the-hash test, we are going to do the same exercise, only this time instead of using Runas to launch a process as a user we're going to use Mimikatz and the pass-the-hash command.

I can easily get the NTLM hash for the user Franklin from memory with the mimikatz command of:
sekurlsa::logonpasswords

Now that I have that I will perform a pass-the-hash with the following command:
sekurlsa::pth /user:Franklin.Bluth /ntlm:[ntlm] /domain:jefflab.local

A new command window will open and if I use the same Sqlcmd command to connect to the IP address of my SQL Server, you can see I am now authenticated there as Franklin Bluth:

So, let's take a look at what events get generated after doing this pass-the-hash:
Workstation Logs
On my local workstation I will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication. However, there are a few key differences.

Logon Type 9 is very rare. However, I was able to generate some false positives running applications that use impersonation. The main difference to key off of is the Logon Process will always be "seclogo" for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates. You can see here I was able to get StealthAUDIT to generate the Logon Type 9 events but it uses the Advapi logon process.
Also, I noticed a difference in the 4672 event. Previously, this identified a privileged logon for my impersonated account Franklin Bluth. In this case, this registers for the user I am logged into my workstation as.

Outside of that, the logs on the SQL server are identical. On the domain controller the key difference is that you will not see Kerberos authentication. However, that isn't a very reliable way to detect pass-the-hash because it can happen for lots of valid reasons like authentications originating from non-trusted domains.

So here is a summary of what we see when doing pass-the-hash.
With a custom event log filter you can easily see when these two things happen at the same exact time; when they do, you've got pass-the-hash activity on your network!
Here is a custom event filter you can use to surface that specific information.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4624')]
        and EventData[Data[@Name='LogonType']='9']
        and EventData[Data[@Name='LogonProcessName']='seclogo']
        and EventData[Data[@Name='AuthenticationPackageName']='Negotiate']
      ]
    </Select>
  </Query>
  <!-- Each Query in a QueryList needs its own Id, so the Sysmon query is Id="1". -->
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=10)]]
        and *[EventData[Data[@Name='GrantedAccess'] and (Data='0x1010' or Data='0x1038')]]
    </Select>
  </Query>
</QueryList>
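As an added example (not from the article), the PowerShell below runs the two halves of that custom view through Get-WinEvent and correlates them, pairing a Sysmon event 10 LSASS access with a 4624 Logon Type 9 seclogo logon that follows it within a few seconds. The -Demo switch substitutes constructed sample events so the correlation can be exercised without the live logs; TargetUserName, SourceImage and GrantedAccess are the standard EventData field names for those two events.

```powershell
$LogonXPath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='9'] and " +
              "EventData[Data[@Name='LogonProcessName']='seclogo'] and " +
              "EventData[Data[@Name='AuthenticationPackageName']='Negotiate']]"
$LsassXPath = "*[System[(EventID=10)] and EventData[Data[@Name='GrantedAccess']='0x1010' or " +
              "Data[@Name='GrantedAccess']='0x1038']]"

function Get-EventField { param($Record, [string]$Name)   # read one named EventData field
    (([xml]$Record.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text' }

function Get-PassTheHashCandidates {
    param([int]$WindowSeconds = 5, [switch]$Demo)
    if ($Demo) {
        # Constructed sample: an LSASS read followed 2 s later by a seclogo logon (should pair)
        # and a second LSASS read ten minutes later with no logon after it (should not).
        $t = Get-Date '2021-10-01 10:00:00'
        $logons = @([pscustomobject]@{ TimeCreated = $t.AddSeconds(2); TargetUser = 'Franklin.Bluth' })
        $lsass  = @([pscustomobject]@{ TimeCreated = $t; SourceImage = 'C:\tools\sample.exe'; GrantedAccess = '0x1010' },
                    [pscustomobject]@{ TimeCreated = $t.AddMinutes(10); SourceImage = 'C:\tools\other.exe'; GrantedAccess = '0x1038' })
    } else {
        $logons = Get-WinEvent -LogName Security -FilterXPath $LogonXPath -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUser = Get-EventField $_ 'TargetUserName' } }
        $lsass = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath $LsassXPath -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated
                SourceImage = Get-EventField $_ 'SourceImage'; GrantedAccess = Get-EventField $_ 'GrantedAccess' } }
    }
    # Pair each LSASS access with every seclogo logon that lands inside the window after it.
    foreach ($a in $lsass) {
        foreach ($l in $logons) {
            $delta = ($l.TimeCreated - $a.TimeCreated).TotalSeconds
            if ($delta -ge 0 -and $delta -le $WindowSeconds) {
                [pscustomobject]@{ LsassAccess = $a.TimeCreated; SourceImage = $a.SourceImage
                    GrantedAccess = $a.GrantedAccess; Logon = $l.TimeCreated; TargetUser = $l.TargetUser }
            }
        }
    }
}

Get-PassTheHashCandidates -Demo | Format-Table -AutoSize   # drop -Demo to query the live logs
```

In the demo only the first LSASS access is reported, since the second has no seclogo logon inside the window; on a live host the SourceImage column tells you which process read LSASS.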
Ransomware with Effective Change
Dirk Schrader
CISSP, CISM, ISO27001 Practitioner

"I would like, if I may, to take you on a strange journey"
The Criminologist, Rocky Horror Picture Show

While there are many different strains of ransomware, from the venerable WannaCry to today's REvil and Conti, attacks follow a common pattern:

Understanding each of these stages is critical to minimizing your risk of falling victim to a successful ransomware attack. As we'll see, the most important technical control to implement is change control.

This article explains all 5 Halloween-ish legs of the ransomware monster and details how Change Tracker can help you:
▪ Avoid being infected in the first place
▪ Detect an attack in progress
▪ Block an attack from progressing further

"'Never take candy from strangers.' And then they dressed me up and said, 'Go beg for it'"
Rita Rudner

and Halloween provides a perfect metaphor: Parents say "Never take candy from strangers" but malicious strangers know that candy is almost irresistible to children. Similarly, security experts say "Never open strange emails and never click on unknown links" — but cybercriminals know exactly how to make emails and links so enticing that people can't seem to resist opening them or clicking on them. That simple act is all that's needed for successful ransomware delivery.
Attackers use two different strategies to distribute the initial ransomware payload ("dropper"):
▪ Use of stolen or weak credentials (RDP credentials are the most recent favorite)
▪ Fake software like the infamous fake Adobe Flash Updater distributed using malverts (malicious advertisements)
How to block ransomware from progressing to the next stage (infiltration)
As soon as ransomware is detected in your IT ecosystem, the IT team needs to isolate each affected asset, remove the dropper, and verify the asset is no longer a threat before reconnecting it to the rest of the network.

Essential Defense Strategies
Know your estate and harden it. Using a software solution like Change Tracker, you can establish a secure baseline for all your IT assets and closely monitor them for any drift away from that baseline that could allow a ransomware dropper to take root. For example, by hardening the configuration settings of your Microsoft Word software, you can prevent malicious Word macros from distributing ransomware into your network.

Leg 2: There is more to come: The infiltration phase
Once ransomware has been distributed, the attack proceeds to the infiltration stage. Often, the dropper will "call home" to download additional resources, such as DLLs or EXEs, by connecting to specific IP addresses. Or it might use existing resources to "live off the land." Sometimes, it is a combination of both. Conti, for example, loads additional malware like Trickbot or Cobalt to prepare for the subsequent stages of the attack.

How to detect ransomware infiltration
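The baseline-and-drift idea under Essential Defense Strategies above, as an added example (not from the article and not Change Tracker's own logic): a small PowerShell check that compares the Word macro hardening settings against a baseline and reports any drift. The registry path assumes Office 16.0 policy keys under HKCU; VBAWarnings and BlockContentExecutionFromInternet are the Office policy value names, and the baseline values chosen here are an assumption.

```powershell
# Office 16.0 policy location for Word's Trust Center settings (assumed version).
$WordSecurityKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

# Baseline: VBAWarnings 4 = disable all macros without notification;
# BlockContentExecutionFromInternet 1 = block macros in files downloaded from the Internet.
$Baseline = @{ VBAWarnings = 4; BlockContentExecutionFromInternet = 1 }

function Get-BaselineDrift {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Report every setting whose current value differs from the baseline. A missing value is
    # drift too: an unset policy falls back to whatever the user picked in Word itself.
    foreach ($name in $Baseline.Keys) {
        $actual = $Current[$name]
        if ($null -eq $actual -or $actual -ne $Baseline[$name]) {
            if ($null -eq $actual) { $actual = '<not set>' }
            [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $actual }
        }
    }
}

function Read-WordSecuritySettings {
    param([string]$Key = $WordSecurityKey)
    $current = @{}
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Baseline.Keys) {
        if ($props -and $null -ne $props.$name) { $current[$name] = [int]$props.$name }
    }
    $current
}

# Live check of this machine against the baseline.
$drift = @(Get-BaselineDrift -Baseline $Baseline -Current (Read-WordSecuritySettings))
if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'Word macro settings match the baseline.' }

# Constructed sample: macros re-enabled with notification (VBAWarnings 2) and the Internet
# block policy removed. Both settings are reported as drift.
Get-BaselineDrift -Baseline $Baseline -Current @{ VBAWarnings = 2 } | Format-Table -AutoSize
```

Running the same comparison on a schedule, with the baseline stored away from the machine, is the minimal form of the monitoring the article describes; a real deployment would cover far more than these two values.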
inspection phase
Essential Defense Strategies
isn't it? For some of us
Tim Burton

If ransomware hasn't been detected and blocked in one of the earlier stages, it proceeds to encrypt your IT assets and demand a ransom for the decryption key.

Essential Defense Strategies
At this stage, detection is simple: You'll be presented with the ransomware demand. Unfortunately, paying the ransom does not guarantee you'll get your data back (one report finds that just 8% do), and it can actually put your organization's name at the top of the hacker's list

and spread, so that you can take appropriate steps to mitigate those vulnerabilities and avoid a repeat attack.

Your last hope, as seen in the recent past, is a universal decryptor. But I must emphasize: Do not build your ransomware mitigation plan based on the hope that you can get one when you need it. If it were easy to decrypt data and traffic, then VPNs, internet banking and everything else that uses encryption for good reason would not be there. It takes time to develop universal decryptors, and they work only on older versions of the ransomware; strains evolve on the fly by loading new encryption logic from the C&C center.
How-to for IT Pro
• In Excel, click File -> Open -> Choose the file you just downloaded.
• In the Text Import Wizard, choose Data Type = "Delimited" and tick the "My data has headers" box -> Click Next.
• In the Delimiters section, tick "Comma" -> Click Next.
• Scroll through the fields preview and choose "Do not import column (skip)", leaving only the following columns: Date (UTC), User, Username, IP address, Location, Status. (For more logon details, you can also leave the "Application", "Resource", "Authentication requirement", "Browser", "Operating System" fields checked.) -> Click "Finish".
5. Filter by trusted locations (or IP addresses) using the "Location" (or "IP address") column.
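The sign-in review steps above and the password spraying pattern described earlier in this issue work on the same kind of data, so here is one added PowerShell example (not from the magazine) that does both on an exported sign-in CSV with the column names listed above: it applies the trusted-location/IP filter of step 5, then flags any IP address that failed against several different usernames, which is the spray signature (one password tried across many accounts). The CSV rows and the trusted values are constructed sample data.

```powershell
# Constructed sample export; on a real file use: $SignIns = Import-Csv .\SignIns.csv
$SignIns = @'
Date (UTC),User,Username,IP address,Location,Status
2021-10-01T08:00:00Z,Ann,ann@corp.example,203.0.113.10,"Irvine, CA, US",Success
2021-10-01T08:01:00Z,Bob,bob@corp.example,198.51.100.7,"Minsk, BY",Failure
2021-10-01T08:01:05Z,Cal,cal@corp.example,198.51.100.7,"Minsk, BY",Failure
2021-10-01T08:01:09Z,Dee,dee@corp.example,198.51.100.7,"Minsk, BY",Failure
2021-10-01T08:01:14Z,Eve,eve@corp.example,198.51.100.7,"Minsk, BY",Success
2021-10-01T08:30:00Z,Ann,ann@corp.example,203.0.113.10,"Irvine, CA, US",Failure
'@ | ConvertFrom-Csv

$TrustedLocations = @('Irvine, CA, US')   # the How-to's "trusted locations" (constructed)
$TrustedIPs       = @('203.0.113.10')

# Step 5 of the How-to: keep only sign-ins from outside the trusted locations / IP addresses.
function Get-UntrustedSignIns {
    param($Rows, [string[]]$Locations, [string[]]$IPs)
    $Rows | Where-Object { $Locations -notcontains $_.Location -and $IPs -notcontains $_.'IP address' } |
        Select-Object 'Date (UTC)', Username, 'IP address', Location, Status
}

# Spray signature: one IP with failed sign-ins across at least $MinAccounts distinct usernames.
# A Success from the same IP is the account the spray got into.
function Get-SprayCandidates {
    param($Rows, [int]$MinAccounts = 3)
    $Rows | Where-Object Status -eq 'Failure' | Group-Object 'IP address' | ForEach-Object {
        $users = @($_.Group.Username | Sort-Object -Unique)
        if ($users.Count -ge $MinAccounts) {
            $ip = $_.Name
            [pscustomobject]@{
                'IP address'   = $ip
                FailedAccounts = $users.Count
                FirstSeen      = ($_.Group.'Date (UTC)' | Sort-Object)[0]
                SucceededAs    = ($Rows | Where-Object { $_.'IP address' -eq $ip -and $_.Status -eq 'Success' }).Username -join ','
            }
        }
    }
}

Get-UntrustedSignIns -Rows $SignIns -Locations $TrustedLocations -IPs $TrustedIPs | Format-Table -AutoSize
Get-SprayCandidates -Rows $SignIns | Format-Table -AutoSize
```

With the sample data the untrusted list holds the four Minsk sign-ins, and the spray report names 198.51.100.7 with three failed accounts and a success as eve@corp.example; Ann's single failure from the trusted IP is not reported, since one user failing once is a typo, not a spray.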
Free Tool of the Month: Netwrix Auditor for Network Devices

This free network audit software keeps you current on what's happening on your network devices. Netwrix Auditor for Network Devices monitors network devices for configuration changes and logon attempts; catches scanning threats before attackers can take control of the network; and simplifies detection of hardware failures so you can quickly troubleshoot network traffic issues.
[On-Demand Webinar]
3 Modern Active Directory Attack
Detect Them

The threat landscape is ever-changing and, in this deeply technical webinar, Microsoft MVP Randy Franklin Smith and STEALTHbits SVP Jeff Warren show you three Modern Active Directory Attacks and what you can do to detect them:
Randy Franklin Smith, CEO, Monterey Technology Group, Inc.
Jeff Warren, SVP, Products
About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

300 Spectrum Center Drive, Suite 200, Irvine, CA 92618 | 1-949-407-5125 | Toll-free (USA): 888-638-9749
5 New Street Square, London EC4A 3TW | +44 (0) 203 588 3023
Spain: +34 911 982608 | Italy: +39 02 947 53539 | Netherlands: +31 858 887 804 | France: +33 9 75 18 11 19 | Switzerland: +41 43 508 3472 | Hong Kong: +852 5808 1306
SOCIAL: netwrix.com/social