
Microsoft Virtual Academy
Free, online, technical courses

Take a free online course.
http://www.microsoftvirtualacademy.com

Module 3: Windows Authentication Attacks and Forensics
Erdal Ozkaya
Hasain Al

Module Agenda
Pass-the-Hash, replay, reflection, brute force and cracking are some of
the many malicious activities attackers perform to gain access to
systems and move laterally. Credentials are the ultimate
authentication verifiers, and an attacker who is able to obtain and
successfully present a credential to the authentication server can assume
whatever security identity is associated with it.
Credentials and credential artifacts are stored in memory during logon
authentication. The information often remains in memory, especially during
an interactive session, so that future authentication can be done quickly
and without requiring the user to reenter the credentials. As a result,
password hashes and tickets can be found in memory during active
sessions, as well as stored permanently.
This session will demonstrate how attackers use credential dependencies

Module Agenda
The authentication landscape
Pass the Hash
Privilege Escalation

Authentication Landscape

PREVENT BREACH + ASSUME BREACH

Cybersecurity used to mean building a bigger moat and a bigger wall

Today's computing environment extends far beyond our four walls

Cyber Attack Techniques

Targeting
Phishing
Pass the Hash
Custom Malware
Application Exploit

Pass the Hash

Pass The Hash and Pass The Token

Steal credentials from memory without the password
Use Bing and you can do it too (on Windows 7)

Pass The Hash

Power: Domain Controllers
Data: Servers and Applications
Access: Users and Workstations

1. Bad guy targets workstations en masse
2. User running as local admin compromised, Bad guy harvests credentials.
3. Bad guy starts credentials crabwalk
4. Bad guy finds host with domain privileged credentials, steals, and elevates privileges
5. Bad guy owns network, can harvest what he wants.
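The steps above depend on privileged credentials being left on less privileged hosts. The following added example (not from the original slides) audits a constructed logon inventory for those tier violations and shows how removing them shrinks what one compromised workstation exposes. All host names, account names and the inventory layout are assumptions made for illustration.

```python
from collections import deque

# Tier names follow the slide; lower rank = more privileged.
TIER_RANK = {"Power": 0, "Data": 1, "Access": 2}

# Constructed inventory: every host and account name here is hypothetical.
HOST_TIER = {"DC01": "Power", "SQL01": "Data", "WS01": "Access", "WS02": "Access"}
ACCOUNT_TIER = {"da-admin": "Power", "svc-sql": "Data",
                "helpdesk": "Access", "alice": "Access"}
# (account, host) pairs from interactive logons, i.e. credentials left in memory.
LOGONS = [("alice", "WS01"), ("helpdesk", "WS01"), ("helpdesk", "WS02"),
          ("svc-sql", "WS02"), ("svc-sql", "SQL01"), ("da-admin", "SQL01"),
          ("da-admin", "DC01")]
# Hosts on which each account holds administrative rights.
ADMIN_ON = {"alice": {"WS01"}, "helpdesk": {"WS01", "WS02"},
            "svc-sql": {"SQL01"}, "da-admin": {"DC01", "SQL01", "WS01", "WS02"}}


def tier_violations(logons):
    """Logons that expose a credential on a host less privileged than the account."""
    return sorted((a, h) for a, h in logons
                  if TIER_RANK[ACCOUNT_TIER[a]] < TIER_RANK[HOST_TIER[h]])


def blast_radius(start_host, logons):
    """Hosts whose compromise follows from start_host via exposed credentials."""
    exposed = {}
    for account, host in logons:
        exposed.setdefault(host, set()).add(account)
    seen, queue = {start_host}, deque([start_host])
    while queue:
        host = queue.popleft()
        for account in exposed.get(host, ()):
            for nxt in ADMIN_ON.get(account, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return sorted(seen)


if __name__ == "__main__":
    bad = tier_violations(LOGONS)
    print("tier violations:", bad)
    print("exposure from WS01 today:", blast_radius("WS01", LOGONS))
    clean = [pair for pair in LOGONS if pair not in bad]
    print("exposure from WS01 after fix:", blast_radius("WS01", clean))
```

With the two violating logons removed, WS02 stays in the result because the helpdesk account administers both workstations; same-tier exposure is a separate problem from tier violations.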

Typical Attack Timeline & Observations

Timeline (figure): Research & Preparation, First Host Compromised, 24-48 Hours, Domain Admin Compromised, Data Exfiltration (Attacker Undetected) 11-14 months, Attack Discovered

Attack Sophistication
Attack operators exploit any weakness
Target information on any device or service

Attacks not detected
Current detection tools miss most attacks
You may be under attack (or compromised)

Target AD & Identities
Active Directory controls access to business assets
Attackers commonly target AD and IT Admins

Response and Recovery
Response requires advanced expertise and
Expensive and challenging to successfully re

Privilege Escalation

Modern Attack T
Privilege Escalation with Credential Theft (Typical)

24-48 Hours
1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)

Demo
How attackers use credential dependencies to gain elevated access to systems and perform lateral movement

Summary

TechNet Evaluation Center
Deep technical content and free product evaluations
At the TechNet Evaluation Center you can download free, trial versions of Microsoft software, with no feature limits. Dozens of trials are available all at no cost.
Try Windows Server 2012 R2 for up to 180 days. Download the Windows 8.1 Enterprise 90-day evaluation. Or try Microsoft Azure at no cost for up to 90 days.
Download Microsoft software trials today.
Technet.microsoft.com/evalcenter

TechNet Virtual Labs
Hands-on deep technical labs
Microsoft Hands On Labs offer virtual environments that will take you through a guided, technically deep product learning experience.
Learn at your own pace in labs that you can complete in 90 minutes or less. No complex setup or installation is required to use TechNet Virtual Labs.
Find Hands On Labs.
Technet.microsoft.com/virtuallabs

Microsoft Virtual Academy
Free, online, technical courses
Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career.
Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies including Windows Server, Windows 8, Microsoft Azure, Office 365, virtualization, Windows Phone, and more.
Take a free online course.
microsoftvirtualacademy.com

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
