CrowdStrike, 29 June 2022

Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers

29 June 2022 at 18:52

Adversaries often exploit legacy protocols like Windows NTLM, which unfortunately remains widely deployed despite known vulnerabilities. Previous CrowdStrike blog posts have covered critical vulnerabilities in NTLM that allow remote code execution, and other NTLM attacks where attackers could exploit vulnerabilities to bypass MIC (Message Integrity Code) protection, session signing and EPA (Extended Protection for Authentication).

The PetitPotam vulnerability, combined with AD-CS relay, is one of the recent severe NTLM relay variations the CrowdStrike Identity Protection research team has seen, which indicates its high popularity. While the latest Microsoft security update — released on Patch Tuesday, May 10, 2022 — included a patch for this vulnerability, it does not fully mitigate the issue. It does, however, change the requirement for running the attack: instead of working unauthenticated, it now requires any Active Directory account credentials to trigger the attack.

In this blog, we detail the fix, the remaining issues and an enhancement to Falcon Identity Protection’s existing NTLM relay detection, which detects exploitation of the PetitPotam vulnerability and similar authentication coercion techniques.

PetitPotam and NTLM Relay

NTLM relay has always been a popular attack technique. In the past, the biggest challenge was to solicit a user account to authenticate to an attacker-controlled machine; now it seems that endpoint authentication coercion mechanisms are gaining popularity.

The most popular targets, for obvious reasons, are domain controllers, as their high privileges make them a lucrative target for authentication relay attacks. The first authentication coercion mechanism involved the Print Spooler service, while the newer one relies on the MS-EFSRPC protocol. The latter is also known as the PetitPotam attack. When combined with the insecure default configuration of the Active Directory Certificate Services (AD-CS), which does not enforce Extended Protection for Authentication (EPA), it could be deadly, as it can lead to a full domain compromise in a few steps. An attacker could trigger a domain controller authentication by exploiting the PetitPotam vulnerability and relaying it to the AD-CS server to request a certificate for the domain controller account. Using this certificate, a malicious actor can then retrieve a TGT for the relayed domain controller account and perform any further operations using its high privileges (e.g., dump domain admin hashes).

One of the most severe issues with the PetitPotam vulnerability, prior to Microsoftโ€™s latest security updates, was that an attacker could run the attack unauthenticated (i.e., only network access to the domain controller was required). The patch only partially mitigates the issue, meaning an attack is still possible.

The Released Fix(es) and Remaining Issues

The Microsoft security update released on Patch Tuesday, May 10, 2022, included a partial patch for the PetitPotam vulnerability. This update, however, also caused authentication failures for various Windows services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP). According to Microsoft, “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.”

As a workaround, Microsoft recommended manually mapping certificates to Active Directory accounts or following KB5014754 for other possible mitigations. Because of the issues caused by the patch, CISA warned against deploying it on domain controllers, which left many organizations wide open to the unauthenticated PetitPotam authentication coercion attack. On May 19, 2022, an out-of-band update was made available to fix the authentication failures caused by the latest security update.

It is important to note that the security update states, “This security update detects anonymous connection attempts in LSARPC and disallows it,” which leaves the question: Does the coercion attack still work using an authenticated user?

Following some testing, it looks like the answer is yes!

While the PetitPotam vulnerability, once patched, no longer works unauthenticated, it can still be abused by leveraging any Active Directory account credentials to trigger domain controller NTLM authentication, which can then be relayed to escalate to domain admin privileges if the required security settings are not enforced (as previously mentioned, EPA is not enforced by default on AD-CS servers).

Moreover, PetitPotam is no longer the newest authentication coercion method; the attack tool DFSCoerce, which abuses the MS-DFSNM protocol to trigger domain controller authentication, has since been released.

Enhancing CrowdStrike Identity Protection NTLM Relay Detection

Because an authenticated user can still trigger an NTLM authentication from the domain controller, the NTLM relay attack vector remains relevant for domain controller accounts. This is why the NTLM relay detection capability of CrowdStrike Falcon Identity Threat Protection was enhanced to detect attempts to perform NTLM relay using domain controller credentials. The benefit of this detection is that it is not tied to any single authentication coercion method, but will detect a relay attack no matter if it is initiated by the PetitPotam vulnerability, the newer DFSCoerce tool or any coercion mechanism discovered in the future.
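The paragraph above describes a detection that keys on the relayed credential rather than on the coercion method. The following PowerShell is an added illustration of that idea and is not CrowdStrike's detection logic: it flags Security event 4624 network logons (logon type 3, package NTLM) for a domain controller machine account that arrive at the relay target from an address that is not the DC's own. The `$DcAddresses` inventory, the `ConvertFrom-LogonEvent` and `Find-SuspectedNtlmRelay` function names, and the sample events are all assumptions constructed for the example.

```powershell
# Added example, not CrowdStrike's detection logic. Heuristic: a relayed NTLM
# authentication appears on the relay target (for example the AD-CS server) as a
# network logon for a DC machine account, but the TCP connection originates from
# the relaying host, not from the DC. Which coercion method triggered it
# (PetitPotam, DFSCoerce or another) is irrelevant to the check.

# Assumption: the defender maintains an inventory of DC machine accounts and
# every address each DC legitimately connects from (list all NICs of multi-homed DCs).
$DcAddresses = @{
    'DC01$' = @('10.0.0.10')
    'DC02$' = @('10.0.0.11', '10.0.1.11')
}

# Flatten a live Security-log 4624 record into the fields the check needs.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Computer              = $Record.MachineName
            TimeCreated           = $Record.TimeCreated
            EventId               = $Record.Id
            LogonType             = [int]$data['LogonType']
            AuthenticationPackage = $data['AuthenticationPackageName']
            TargetUserName        = $data['TargetUserName']
            IpAddress             = $data['IpAddress']
        }
    }
}

function Find-SuspectedNtlmRelay {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [hashtable] $DcAddresses
    )
    foreach ($e in $Events) {
        if ($e.EventId -ne 4624 -or $e.LogonType -ne 3) { continue }
        if ($e.AuthenticationPackage -ne 'NTLM') { continue }   # Kerberos logons are out of scope
        if (-not $e.TargetUserName.EndsWith('$')) { continue }   # machine accounts only
        $expected = $DcAddresses[$e.TargetUserName]
        if ($null -eq $expected) { continue }                    # not a DC account
        if ($expected -notcontains $e.IpAddress) {
            [pscustomobject]@{
                Computer   = $e.Computer
                Time       = $e.TimeCreated
                Account    = $e.TargetUserName
                SourceIp   = $e.IpAddress
                ExpectedIp = ($expected -join ', ')
                Reason     = 'DC machine account NTLM network logon from a non-DC address'
            }
        }
    }
}

# Constructed sample events (not real telemetry), shaped like ConvertFrom-LogonEvent output.
$Sample = @(
    [pscustomobject]@{ Computer='CA01'; TimeCreated='2022-06-29T10:00:00'; EventId=4624; LogonType=3; AuthenticationPackage='NTLM';     TargetUserName='DC01$'; IpAddress='10.0.0.10' }  # DC itself talking to the CA: benign
    [pscustomobject]@{ Computer='CA01'; TimeCreated='2022-06-29T10:01:00'; EventId=4624; LogonType=3; AuthenticationPackage='NTLM';     TargetUserName='DC01$'; IpAddress='10.0.5.77' }  # DC credential from a workstation subnet: flagged
    [pscustomobject]@{ Computer='CA01'; TimeCreated='2022-06-29T10:02:00'; EventId=4624; LogonType=3; AuthenticationPackage='Kerberos'; TargetUserName='DC02$'; IpAddress='10.0.5.77' }  # Kerberos: ignored
    [pscustomobject]@{ Computer='CA01'; TimeCreated='2022-06-29T10:03:00'; EventId=4624; LogonType=3; AuthenticationPackage='NTLM';     TargetUserName='alice'; IpAddress='10.0.5.77' }  # user account: ignored
)

Find-SuspectedNtlmRelay -Events $Sample -DcAddresses $DcAddresses | Format-Table -AutoSize

# Against a live host (run on the relay target, e.g. the AD-CS server, with admin rights):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-24) } | ConvertFrom-LogonEvent
# Find-SuspectedNtlmRelay -Events $live -DcAddresses $DcAddresses
```

Only the second sample event is reported. The check is deliberately narrow: it produces false positives if the address inventory is incomplete (multi-homed DCs, NAT between sites), and it says nothing about whether the relay succeeded in obtaining a certificate, so it is an alert to investigate, not a verdict.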


Watch this video on Falcon Spotlight™ to see how you can monitor and prioritize NTLM relay issues and other vulnerabilities within your environment, and this video to learn how Falcon Identity Threat Protection helps ensure comprehensive protection against identity-based attacks in real time.

Additional Mitigations

Though patching is an important first step against the latest NTLM relay vulnerabilities, it is not enough, as many unsecured defaults can leave your domain vulnerable. This is why we recommend following these steps:

  1. Enforce Signing (SMB/LDAP) and Extended Protection for Authentication (EPA) for all relevant servers, especially the AD-CS servers, which are a common target of this attack.
  2. Track any failed/successful NTLM relay attempts performed in your domain network. Using the enhanced detection capabilities of the CrowdStrike Falcon Identity Threat Protection, customers can now be alerted on NTLM relay attacks abusing domain controller accounts.
  3. Disable NTLM. Because this is a potentially breaking change that requires a lot of time in most environments, start by disabling NTLM support on servers that may be targeted during a relay attack and are not sufficiently protected. For example, if for any reason you are unable to enforce EPA on the AD-CS server, disable incoming NTLM on that server to protect it from NTLM relay attacks.
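The three steps above map to concrete Windows settings. The script below is an added example, not CrowdStrike's or Microsoft's tooling, that audits those settings on one server and reports which are still at a relay-friendly value: SMB server signing, LDAP signing and channel binding (DCs only), EPA on the AD CS web enrollment application in IIS, and the incoming-NTLM restriction. The registry values, the `WebAdministration` cmdlet and the IIS `extendedProtection/tokenChecking` attribute are standard Windows items; the function names `Get-RegValue` and `Get-RelayHardeningStatus`, the switch parameters and the site name default are assumptions of this example.

```powershell
# Added example, not CrowdStrike's or Microsoft's tooling. Run elevated on the
# server being audited. Read-only: it reports, it does not change anything.

function Get-RegValue {
    # Returns the named registry value, or $null when the key or value is absent
    # (absent means the Windows default applies, which for every check below is the weak setting).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RelayHardeningStatus {
    param(
        [switch]$IsDomainController,    # LDAP signing / channel binding only apply on DCs
        [switch]$IsAdcsWebEnrollment,   # check IIS EPA on the CertSrv application
        [string]$CertSrvSite = 'Default Web Site'   # assumption: default IIS site hosts /CertSrv
    )
    $results = @()

    # Step 1a: SMB server signing. Policy "Microsoft network server: Digitally sign communications (always)".
    $smb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    $results += [pscustomobject]@{ Control='SMB server signing required'; Value=$smb; Recommended=1; Hardened=($smb -eq 1) }

    if ($IsDomainController) {
        # Step 1b: LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always (EPA for LDAP).
        $ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $ldapSign = Get-RegValue $ntds 'LDAPServerIntegrity'
        $ldapCbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'
        $results += [pscustomobject]@{ Control='LDAP server signing required';  Value=$ldapSign; Recommended=2; Hardened=($ldapSign -eq 2) }
        $results += [pscustomobject]@{ Control='LDAP channel binding enforced';  Value=$ldapCbt;  Recommended=2; Hardened=($ldapCbt -eq 2) }
    }

    if ($IsAdcsWebEnrollment) {
        # Step 1c: EPA on AD CS web enrollment = IIS Windows Authentication extendedProtection tokenChecking=Require.
        Import-Module WebAdministration -ErrorAction Stop
        $epa = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$CertSrvSite" -Location 'CertSrv' `
                   -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                   -Name 'tokenChecking'
        $results += [pscustomobject]@{ Control='AD CS web enrollment EPA (tokenChecking)'; Value="$epa"; Recommended='Require'; Hardened=("$epa" -eq 'Require') }
    }

    # Step 3: incoming NTLM. Policy "Network security: Restrict NTLM: Incoming NTLM traffic"; 2 = deny all.
    $ntlm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictReceivingNTLMTraffic'
    $results += [pscustomobject]@{ Control='Incoming NTLM denied'; Value=$ntlm; Recommended=2; Hardened=($ntlm -eq 2) }

    $results
}

# Example: audit an AD-CS server that hosts web enrollment.
Get-RelayHardeningStatus -IsAdcsWebEnrollment | Format-Table -AutoSize
```

Read the output as the page's step 3 suggests: where EPA cannot be set to `Require` on the CA, the `Incoming NTLM denied` row is the fallback that protects that server, and on a domain controller run it with `-IsDomainController` to cover the LDAP rows as well. Setting these values is a change-management exercise, since each of them can break legacy clients; the audit only tells you where you stand.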

Additional Resources

  • Learn more about popular attack techniques at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!
  • Learn how CrowdStrike Falcon Identity Protection reduces costs and risks across the enterprise by protecting workforce identities.
  • Watch this video to see how Falcon Identity Threat Protection detects and stops ransomware attacks.
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.

Falcon OverWatch Elite in Action: Tailored Threat Hunting Services Provide Individualized Care and Support

29 June 2022 at 18:35

The threat presented by today’s adversaries is as pervasive as it is dangerous — eCrime and state-nexus actors alike are attempting to infiltrate companies and organizations of all sizes and across all verticals.

While technology is a powerful tool for performing routine or repeatable analysis, the only way to effectively hunt and contain sophisticated and determined cyber threat actors is to use the expertise and ingenuity of human threat hunters.

The Telescope and the Microscope: Two Sides of the Threat Hunting Coin

Threat hunting is an ever-evolving discipline that proactively tracks changes in adversaries’ behavior. It requires a broad awareness of the threat landscape — the telescopic view — and can be augmented by a deeper understanding of a customer’s pain points or areas of identified risk — the microscopic view. The most comprehensive threat hunting leverages both the telescopic and microscopic viewpoints, blending the insights gained from both perspectives to safeguard a customer’s assets from threats.

The CrowdStrike Falcon OverWatch™ team’s continuous hunting operations are driven by a world-class team of dedicated in-house threat hunters — individuals who are relentlessly committed to honing their craft and dedicated to the mission of stopping breaches. OverWatch analysts track the most stealthy and persistent hands-on-keyboard campaigns, actively hunting for that last 1% of malicious activity deliberately seeking to subvert technology-based controls.

Using patented hunting tools, OverWatch hunters leverage the power of the CrowdStrike Security Cloud to hunt across in excess of one trillion events a day — proactively searching for that malicious activity designed to blend in with the benign. Given the sheer breadth of information available to them, OverWatch analysts are skilled at identifying even the faintest signs of activity indicative of threat actor behavior and emerging threats, enabling customers to rapidly disrupt malicious behavior before its impact is felt.

The Power of Elite Tailored Threat Hunting

For organizations that are looking for an active partnership with their hunters, CrowdStrike offers OverWatch Elite — the personalized customer engagement add-on for CrowdStrike’s Falcon OverWatch managed threat hunting service.

OverWatch Elite builds on the continuous 24/7 human-led threat hunting provided by OverWatch, leveraging the ability to hunt across global telemetry to address areas of concern identified by customers. OverWatch Elite customers have access to an assigned threat analyst who provides a range of services to drive improved maturity across a customer’s internal security team. These services include expert coaching to support any in-house hunting efforts, regular threat updates, and a dedicated line of communication to address any queries or concerns as they arise. In partnership with their assigned analyst, customers can develop, operationalize and tune their threat hunting programs to ensure that supplementary threat hunts are tailored to their needs.

OverWatch Elite analysts build close partnerships with their assigned customers to develop a shared understanding of an organization’s unique structure and requirements. OverWatch Elite analysts are then able to tune their tools to the particular nuances found within a customer’s environment. In addition to addressing the customer’s needs, this fine-tuning enables all OverWatch analysts to more easily identify hands-on-keyboard activity and respond promptly to potential threats.

The fast, closed-loop communication between customers and the OverWatch Elite team allows for greater collaboration to address issues. Whether a customer has seen the news about a recent vulnerability or read an intelligence report about certain threat actors targeting companies in their sector, assigned analysts are available to listen and respond to these concerns by performing threat hunts tailored to address them.

Working Better Together

It is important to recognize that these two parts of OverWatch share a common mission: stopping breaches. OverWatch and OverWatch Elite analysts work hand-in-hand daily to ensure all customers are protected against those malicious hands-on-keyboard activities designed to evade detection. All teams under the OverWatch umbrella work together continuously to provide the best customer service possible.

OverWatch Elite Manager Gareth Willams puts it best: “You can’t look at the moon with a microscope and you can’t use a telescope to see small objects, but both give you a great field of vision.”

In addition to tailored threat hunting services, OverWatch Elite offers several additional features that truly make this a customer engagement-centric managed threat hunting service. Additional offerings include 60-minute call escalation for critical threats, which provides OverWatch Elite customers added peace of mind when it comes to rapidly disrupting adversary activity within their environments. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

For more information, please visit OverWatch Elite’s page on CrowdStrike’s website.
