In cybersecurity, privileged accounts are among the assets adversaries target most. These accounts hold elevated permissions, making them high-value targets for threat actors, especially in the context of ransomware operations. Privilege escalation and credential access are two key tactics adversaries use to gain control over systems.
1. Understanding Privilege Escalation and Credential Access
Privilege Escalation (TA0004)
Privilege escalation involves an adversary attempting to gain elevated permissions on a system. These elevated privileges enable them to execute commands, install malware, and move laterally across the network.
Credential Access (TA0006)
Credential access refers to the methods adversaries use to obtain account credentials. These credentials can grant them unauthorized access to systems and data. The most valuable targets are accounts with administrative privileges, such as Domain Admin (DA), Enterprise Admin (EA), and Schema Admin (SA). Attackers focus on stealing these credentials to gain control over the Active Directory (AD) environment.
2. Best Practices for Securing Privileged Accounts
Securing privileged accounts is crucial for minimizing the impact of privilege escalation and credential access attacks. Here are actionable steps to protect these high-privilege accounts:
Use Non-Privileged Accounts for Everyday Use
Administrators should always use their personal, non-privileged accounts for routine tasks. Elevated accounts, like DA and EA, should only be activated when absolutely necessary and promptly disabled afterward.
Enable Windows Defender Credential Guard
Credential Guard is a critical feature that helps protect credentials stored in memory from being stolen. While it’s recommended to enable it across all servers, at the very least, it should be activated on critical systems like Domain Controllers (DCs). Learn more about setting up Credential Guard.
Utilize the Protected Users Group
Place all service accounts, admin accounts, and high-privilege accounts (DA/EA/SA) into the Protected Users group in AD. This limits their exposure to attacks. Learn more about the Protected Users group.
Service Account Privileges
Service accounts should only have the minimum privileges required for their function. Be wary of vendor recommendations suggesting excessive privileges for their service accounts. Challenge them and ensure security is prioritized.
Avoid Over-Privileged Service Accounts
Do not allow vendors to dictate security within your organization by granting over-privileged access to their service accounts. Many ransomware incidents stem from the abuse of such accounts.
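An added example for the Protected Users and service-account points above (not from the original article): this PowerShell audits the three groups the article names, Domain Admins, Enterprise Admins and Schema Admins, listing members that are not in Protected Users and members that look like service accounts. It assumes the RSAT ActiveDirectory module and a session against the forest root domain, where Enterprise Admins and Schema Admins are defined; the "looks like a service account" heuristic (has an SPN or a non-expiring password) is this example's own.

```powershell
# Added example, not from the original article: audit DA/EA/SA membership for
# (a) members missing from Protected Users and (b) members that look like service accounts.
# Requires the RSAT ActiveDirectory module; run in the forest root domain.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )

    # Lookup of everyone already in Protected Users, including through nested groups
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.DistinguishedName] = $true }

    foreach ($group in $Groups) {
        # -Recursive expands nested groups so indirect admins are not missed
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.DistinguishedName `
                -Properties servicePrincipalName, PasswordLastSet, PasswordNeverExpires

            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $user.SamAccountName
                Enabled              = $user.Enabled
                InProtectedUsers     = $protected.ContainsKey($user.DistinguishedName)
                # Heuristic (this example's own): an SPN or a non-expiring password usually marks a service account
                LooksLikeServiceAcct = (@($user.servicePrincipalName).Count -gt 0) -or [bool]$user.PasswordNeverExpires
                PasswordLastSet      = $user.PasswordLastSet
            }
        }
    }
}

$report = Get-PrivilegedAccountReport

"Privileged members not in Protected Users:"
$report | Where-Object { -not $_.InProtectedUsers } |
    Format-Table Group, SamAccountName, Enabled -AutoSize

"Privileged members that look like service accounts (review against least privilege):"
$report | Where-Object { $_.LooksLikeServiceAcct } |
    Format-Table Group, SamAccountName, PasswordLastSet -AutoSize
```

The second list is the one to take back to vendors: a service account sitting in Domain Admins is exactly the over-privileged access the section warns about. Before moving an account into Protected Users, remember that members of that group cannot authenticate with NTLM, cannot use DES or RC4 Kerberos encryption, cannot be delegated, and receive a four-hour ticket lifetime, so test each service account's dependencies first.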
3. Local Administrator Password Solution (LAPS)
Microsoft offers a free solution known as Local Administrator Password Solution (LAPS), which is vital for managing local administrator accounts securely. By deploying LAPS, you can significantly reduce the risk of ransomware and other types of attacks that target local admin accounts. Learn more about LAPS.
4. Mitigating Attacks on LSASS and NTDS.dit
LSASS (Local Security Authority Subsystem Service)
LSASS is responsible for handling authentication requests in Windows environments, and it stores credentials in memory. Threat actors often try to dump the LSASS process to extract these credentials. Here are some common methods used:
Task Manager Dump: A straightforward method where attackers use Task Manager to create a dump file of the LSASS process.
SysInternals Process Explorer: This tool provides more sophisticated methods for LSASS dumping.
PowerSploit’s Out-MiniDump Cmdlet: A PowerShell command that facilitates LSASS dumping.
You can create an alert for the creation of lsass.dmp files.
NTDS.dit
The NTDS.dit file is the Active Directory database file. Attackers frequently attempt to steal this file from Domain Controllers. Monitoring file creation events (e.g., Sysmon Event ID 11) and analyzing MFT/UsnJrnl data can help detect unauthorized NTDS.dit access. Focus on hunting for instances where this file exists outside its proper location, C:\Windows\NTDS\NTDS.dit.
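An added example covering both the lsass.dmp alert and the NTDS.dit hunt above (not code from the original article): detection logic over Sysmon Event ID 11 (FileCreate) records that flags an LSASS dump file written anywhere and an ntds.dit created outside C:\Windows\NTDS. The sample records at the bottom are constructed so the block runs offline; the converter function shows how to feed it live Sysmon events from Get-WinEvent. The rule names and the file-name patterns are this example's own.

```powershell
# Added example, not from the original article: two FileCreate detections over Sysmon Event ID 11.
#   Rule 1: a minidump of lsass (lsass.dmp, lsass_652.dmp, ...) written anywhere
#   Rule 2: ntds.dit created anywhere other than C:\Windows\NTDS\ntds.dit
$LegitimateNtdsPath = 'C:\Windows\NTDS\ntds.dit'

function Test-SuspiciousFileCreate {
    param(
        [Parameter(Mandatory)] [string] $TargetFilename,   # Sysmon EventData: TargetFilename
        [Parameter(Mandatory)] [string] $Image,            # Sysmon EventData: Image (writing process)
        [string] $UtcTime  = '',                           # Sysmon EventData: UtcTime
        [string] $Computer = $env:COMPUTERNAME
    )
    # Last path component, accepting either separator
    $name = ($TargetFilename -split '[\\/]')[-1]
    $rule = $null

    # Task Manager, Process Explorer and Out-MiniDump all name the dump after the process,
    # so match on the file name only; -match is case-insensitive in PowerShell.
    if ($name -match '^lsass.*\.dmp$') {
        $rule = 'LSASS memory dump written'
    } elseif ($name -ieq 'ntds.dit' -and $TargetFilename -ine $LegitimateNtdsPath) {
        # The AD database belongs only in its home path; any other ntds.dit is a copy.
        $rule = 'NTDS.dit created outside C:\Windows\NTDS'
    }

    if ($rule) {
        [pscustomobject]@{ Rule = $rule; Computer = $Computer; UtcTime = $UtcTime; Image = $Image; File = $TargetFilename }
    }
}

# Turn live Sysmon records into the fields the rule needs. Live usage:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 } |
#       ConvertFrom-SysmonFileCreate |
#       ForEach-Object { Test-SuspiciousFileCreate -TargetFilename $_.TargetFilename -Image $_.Image -UtcTime $_.UtcTime -Computer $_.Computer }
function ConvertFrom-SysmonFileCreate {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Computer       = $Event.MachineName
            UtcTime        = $data['UtcTime']
            Image          = $data['Image']
            TargetFilename = $data['TargetFilename']
        }
    }
}

# Constructed sample records (not real telemetry): the first is benign, the other three should alert
$sampleEvents = @(
    [pscustomobject]@{ Computer = 'DC01'; UtcTime = '2024-05-01 09:00:00.000'; Image = 'C:\Windows\System32\lsass.exe';   TargetFilename = 'C:\Windows\NTDS\ntds.dit' }
    [pscustomobject]@{ Computer = 'WS07'; UtcTime = '2024-05-01 09:12:41.118'; Image = 'C:\Windows\System32\Taskmgr.exe'; TargetFilename = 'C:\Users\jdoe\AppData\Local\Temp\lsass.DMP' }
    [pscustomobject]@{ Computer = 'WS07'; UtcTime = '2024-05-01 09:14:02.551'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; TargetFilename = 'C:\Temp\lsass_652.dmp' }
    [pscustomobject]@{ Computer = 'DC01'; UtcTime = '2024-05-01 09:30:15.009'; Image = 'C:\Windows\System32\cmd.exe';     TargetFilename = 'C:\Temp\ntds.dit' }
)

$sampleEvents |
    ForEach-Object { Test-SuspiciousFileCreate -TargetFilename $_.TargetFilename -Image $_.Image -UtcTime $_.UtcTime -Computer $_.Computer } |
    Format-Table Rule, Computer, Image, File -AutoSize
```

Sysmon only emits Event ID 11 for files that match its FileCreate configuration, so the rules above are only as good as a config that includes *.dmp and ntds.dit; pairing the file-name match with the writing Image, as the output does, is what lets an analyst separate a backup job from a Task Manager or PowerShell dump.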
5. Addressing UAC Bypass Techniques
User Account Control (UAC) is designed to prevent unauthorized changes by prompting users for consent. However, malware families like Emotet have built-in UAC bypass capabilities. Other tools may require attackers to manually bypass UAC. While UAC is a valuable layer of security, it is not foolproof, and organizations should implement additional controls to mitigate the risks of privilege escalation.
Example of UAC:
If a user is an administrator on a host, they will receive a UAC-driven prompt that reads, “Do you want to allow this app to make changes to your device?” You are most likely familiar with this dialog box and its associated Yes/No buttons.
6. Final Thoughts: Leveraging Tools to Secure Your Environment
To further enhance security, consider adopting Privileged Access Management (PAM) solutions such as BeyondTrust. Additionally, tools like Microsoft LAPS, Credential Guard, and SysInternals can be valuable assets in defending against privilege escalation and credential access attacks.
By implementing these best practices, you can reduce the likelihood of ransomware infections and protect your organization from being compromised by advanced attack tactics.
Akash Patel