Does Mimikatz, the tool that steals authentication material in order to hijack user accounts and move around the information system, still need an introduction? Perhaps it does, because it is mentioned regularly whenever lateral movement after the compromise of an environment comes up. MITRE’s ATT&CK framework refers to it regularly. But largely wrongly.
Benjamin Delpy, its creator, sets the scene at once: “The major attacks that we see don’t involve the Mimikatz binary, but the technique.” Hence it is not the Mimikatz program or its files that need to be blocked or detected, but the attack that the tool showcases. And that is immediately more complicated. Moreover, the “vanilla” Mimikatz distributed by Benjamin Delpy is actually full of markers “with which it can be recognised in a few seconds”. The YARA identification rule even ships with it! And he adds, not without a touch of mischief: “With the version I hand out, it would be a shame not to get detected.” Of course, that does not apply to custom builds compiled from deliberately modified sources.
Direct detection of Mimikatz can still cover 90% or even 95% of its users, according to its creator. So it is worth the effort. Beyond that, everything hinges on detecting the behaviours associated with the use of Mimikatz. And that starts with peer-to-peer connections, the key to lateral movement.
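One of the behaviours worth detecting regardless of which binary performs it is a process reading the memory of lsass.exe, which is what credential dumping needs. The following PowerShell is an added example, not code from the article or from Mimikatz: it evaluates Sysmon Event ID 10 (ProcessAccess) records against an allowlist of legitimate LSASS readers. The allowlist contents and the sample records are assumptions constructed for the example.

```powershell
# Added example (not from the article): flag processes that open lsass.exe with
# read access, the behaviour Mimikatz's sekurlsa module relies on, from Sysmon
# Event ID 10 (ProcessAccess) records. The sample records at the bottom are constructed.

# Processes that legitimately read LSASS memory on this estate: an ASSUMED allowlist,
# to be replaced with what your own EDR/AV and backup agents actually use.
$LsassReaders = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

# PROCESS_VM_READ is the access right needed to read credential material out of
# LSASS; whatever the full GrantedAccess value, a dump needs at least this bit.
$PROCESS_VM_READ = 0x0010

function Test-SuspiciousLsassAccess {
    param([Parameter(Mandatory)] $Record)
    if ($Record.TargetImage -notmatch '\\lsass\.exe$') { return $false }
    $access = [int]$Record.GrantedAccess        # Sysmon logs it as a '0x....' string
    if (($access -band $PROCESS_VM_READ) -eq 0) { return $false }
    return ($LsassReaders -notcontains $Record.SourceImage)
}

# Read real ProcessAccess events from the local Sysmon log (needs Sysmon installed
# and an elevated shell); the fields of interest live in the event's EventData XML.
function Get-SysmonProcessAccess {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                SourceImage   = $data['SourceImage']
                TargetImage   = $data['TargetImage']
                GrantedAccess = $data['GrantedAccess']
                CallTrace     = $data['CallTrace']
            }
        }
}

# Constructed sample records standing in for Get-SysmonProcessAccess output.
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2020-06-01 09:00:01'; SourceImage = 'C:\Program Files\Windows Defender\MsMpEng.exe'; TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1410' }
    [pscustomobject]@{ TimeCreated = '2020-06-01 09:02:13'; SourceImage = 'C:\Users\alice\AppData\Local\Temp\update.exe';  TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1010' }
    [pscustomobject]@{ TimeCreated = '2020-06-01 09:02:14'; SourceImage = 'C:\Windows\System32\svchost.exe';                TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1000' }
    [pscustomobject]@{ TimeCreated = '2020-06-01 09:03:40'; SourceImage = 'C:\Windows\System32\Taskmgr.exe';                TargetImage = 'C:\Windows\explorer.exe';       GrantedAccess = '0x1fffff' }
)

# Swap $Sample for (Get-SysmonProcessAccess) to run against the live log.
$Sample | Where-Object { Test-SuspiciousLsassAccess $_ } | Format-Table TimeCreated, SourceImage, GrantedAccess
```

On the constructed records only the `update.exe` line is reported: Defender reads LSASS but is allowlisted, svchost opens it without PROCESS_VM_READ, and Task Manager targets a different process. The check is deliberately a bit mask rather than a list of exact GrantedAccess values, so a renamed or recompiled tool that asks for a slightly different combination of rights is still caught; the price is that the allowlist must be kept honest.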
Protect your hosts with their firewalls
Benjamin Delpy finds it disappointing to see so many companies of all sizes, again in 2020, allowing peer-to-peer connections between their machines. When a Windows workstation or a Windows server is installed, inbound connections are not accepted by default. So the ability to remotely access a machine’s files or to initiate Remote Procedure Calls (RPC) on it has been enabled deliberately. For him, “we no longer need that to manage machines”. And the first line of defence against attackers moving laterally through the information system: “It’s the Windows firewall, fundamental. It is active by default!”
So this native protection gets switched off, partly out of attachment to the historical myth of perimeter security and partly for “convenience”: “Many administrators make their lives easier by disabling the Windows firewall. That way, it’s easier to deploy with very simple tools.”
Benjamin Delpy stresses, however, that there is less and less lateral movement between workstations … It is the servers that are targeted. But “it would not occur to anyone that the accounting server could, for example, reach the server used for deployments in the factories … and yet we see that often, because the firewall has been disabled”.
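Putting the firewall back in the state the section describes is a few lines of PowerShell. The block below is an added example, not a configuration from the article: it re-enables the firewall on all profiles with inbound blocked by default, lists the built-in inbound rule groups that lateral movement relies on, disables them, and, for servers that genuinely need remote management, re-allows SMB and RPC only from an administration network. The `10.0.10.0/24` admin subnet is an assumed value; run elevated on a test machine first.

```powershell
# Added example (not from the article): restore the Windows firewall baseline and
# confine the inbound access that lateral movement depends on. Run elevated.
# The admin subnet below is an ASSUMED value for the example.
$AdminNet = '10.0.10.0/24'

# 1. Firewall on for every profile, inbound blocked by default, drops logged.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

function Test-FirewallBaseline {
    # True only if every profile is enabled and blocks inbound by default.
    $bad = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
    return ($bad.Count -eq 0)
}

# 2. Built-in rule groups that accept the connections an attacker moving laterally
#    relies on (SMB, RPC/DCOM, WMI, remote service/task/event-log control, RDP).
$LateralGroups = @(
    'File and Printer Sharing',
    'Remote Service Management',
    'Remote Scheduled Tasks Management',
    'Windows Management Instrumentation (WMI)',
    'Remote Event Log Management',
    'Remote Desktop'
)

function Get-EnabledLateralInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $LateralGroups -contains $_.DisplayGroup } |
        Select-Object DisplayGroup, DisplayName, Profile
}

"Baseline OK: $(Test-FirewallBaseline)"
Get-EnabledLateralInboundRules | Format-Table -AutoSize

# 3. On a workstation none of these inbound rules should be needed: turn them off.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $LateralGroups -contains $_.DisplayGroup } |
    Disable-NetFirewallRule

# 4. Where remote management is genuinely required (servers), allow SMB and RPC
#    inbound only from the admin network rather than from any peer.
New-NetFirewallRule -DisplayName 'Admin-only SMB in' -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminNet -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Admin-only RPC endpoint mapper in' -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort 135 -RemoteAddress $AdminNet -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Admin-only RPC dynamic ports in' -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort RPC -RemoteAddress $AdminNet -Action Allow | Out-Null
```

Step 2 is the useful audit on its own: run it across the estate before changing anything and it shows exactly which machines the “accounting server talks to the factory deployment server” path is open on. In a domain the same settings belong in a GPO rather than in local policy, otherwise the next administrator who finds deployment awkward will simply switch the firewall off again.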
Do not leave the protection unattended
The most advanced attackers, however, have more than one card up their sleeve: “They take control of the whole domain before pushing themselves out by GPO. There’s nothing like relying on the normal operation of a domain to spread, because it goes under the radar.” And here it comes down to how the domain was designed and maintained to prevent that from happening.
This also applies to the management consoles of host protection products or EDRs, and even to system management tools: “We have seen attackers take control of the security tools that are supposed to be deployed on the hosts.” In short: “We protected our domain, but not our antivirus. It may sound silly to say so, but it happens.”
In a blog post and a recent episode of the No Limit Secu podcast, Christophe Renard, also known by the pseudonym FuraxFox, put monitoring the antivirus as the first piece of advice for CISOs, and not only through its own console.
Strictly manage rights
He also recommended moving Windows administrators into the Protected Users group in Active Directory. With this measure, as Christophe Renard puts it, “you are telling Windows that these accounts must only use Kerberos authentication and that the credential management policy must favour security over usability”.
For Benjamin Delpy this certainly has merit, but beware of developing a false sense of total security: “Nothing prevents you from stealing a Kerberos ticket in memory”, and nothing prevents the attacker “from passing it on”.
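Moving administrators into Protected Users is a one-liner, but the group breaks any account that still needs NTLM, RC4 or delegation, so the useful part is the guard around it. The block below is an added example, not code from either interviewee: it refuses accounts that carry SPNs (a sign of a service account), then reports which members of the privileged groups are still outside Protected Users. It assumes the ActiveDirectory RSAT module, a 2012 R2 or later domain functional level, and the account names `adm-alice` and `adm-bob`, which are placeholders.

```powershell
# Added example (not from the article): move admin accounts into Protected Users
# and audit who is still outside it. Requires the ActiveDirectory module and a
# 2012 R2+ domain functional level. Account names are ASSUMED placeholders.
Import-Module ActiveDirectory

$AdminAccounts = @('adm-alice', 'adm-bob')   # assumed: human admin accounts, not service accounts

# Protected Users members cannot use NTLM, DES/RC4 Kerberos or delegation, and get a
# non-renewable 4-hour TGT. That is what an admin wants and what a service account
# cannot survive, so anything carrying an SPN is refused here.
function Add-ToProtectedUsers {
    param([string[]]$SamAccountNames)
    $group = Get-ADGroup -Identity 'Protected Users'
    foreach ($name in $SamAccountNames) {
        $user = Get-ADUser -Identity $name -Properties ServicePrincipalNames
        if ($user.ServicePrincipalNames) {
            Write-Warning "$name has SPNs (looks like a service account); skipping"
            continue
        }
        Add-ADGroupMember -Identity $group -Members $user
    }
}

function Get-AdminsNotInProtectedUsers {
    # Members of the privileged groups that Protected Users does not yet cover.
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
    }
}

Add-ToProtectedUsers -SamAccountNames $AdminAccounts
Get-AdminsNotInProtectedUsers | Format-Table -AutoSize

# From a fresh logon of one of those accounts, the TGT should now show a 4-hour
# lifetime (klist is built into Windows).
klist tgt
```

Keep the emergency break-glass account out of the group, since Protected Users members cannot log on with cached credentials when no domain controller is reachable. And as Benjamin Delpy notes above, the ticket that `klist` shows is still sitting in LSASS memory on that machine; the group shortens its life and removes the NTLM fallback, it does not make it unstealable.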
As for removing the debug privilege, Christophe Renard also advises it, if only to block the less advanced attackers: this privilege “makes it possible to read the memory of any process and to manipulate processes and tasks regardless of their owner”.
Removing it is progress, but not enough, explains Benjamin Delpy: “When you take control of a workstation, you don’t just want to become administrator, you want to become SYSTEM too. That is still possible. And SYSTEM doesn’t need the debug privilege.” Moreover, “it is generally possible to give the debug privilege back once you are administrator”.
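The privilege is a user-rights assignment, so it is removed with secedit, either locally as below or through the equivalent GPO setting. This is an added example, not a procedure from the article: it exports the current assignment, writes a template that assigns “Debug programs” to nobody, applies it, and verifies. The temporary file locations are arbitrary choices for the example; run it elevated on a test machine.

```powershell
# Added example (not from the article): remove SeDebugPrivilege ("Debug programs")
# from every holder on the local machine with secedit, then verify. Run elevated.
# The file paths under $env:TEMP are arbitrary choices for this example.
$Work   = Join-Path $env:TEMP 'userrights'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Export = Join-Path $Work 'current.inf'
$Apply  = Join-Path $Work 'nodebug.inf'

function Get-DebugPrivilegeHolders {
    # Export the user-rights area and return the value of the SeDebugPrivilege line
    # (a comma-separated list of SIDs/names; an absent line or empty value means nobody).
    secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $Export | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    if (-not $line) { return '' }
    return ($line -replace '^SeDebugPrivilege\s*=\s*', '').Trim()
}

function Test-DebugPrivilegeRemoved {
    return ((Get-DebugPrivilegeHolders) -eq '')
}

"Before: held by '$(Get-DebugPrivilegeHolders)'"   # typically *S-1-5-32-544, BUILTIN\Administrators

# A security template that assigns the privilege to no one. The empty value is the
# documented way of clearing a user right; the signature line is required by secedit.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDebugPrivilege =
"@ | Set-Content -Path $Apply -Encoding Unicode

# Apply only the user-rights area so nothing else in local security policy moves.
secedit /configure /db (Join-Path $Work 'nodebug.sdb') /cfg $Apply /areas USER_RIGHTS | Out-Null

"Removed: $(Test-DebugPrivilegeRemoved)"

# The change lands in new tokens: after a fresh logon an administrator's token no
# longer lists the privilege.
whoami /priv | Select-String SeDebugPrivilege
```

Because an administrator can put the right back with exactly the same two commands, as Benjamin Delpy points out, pair the removal with auditing of the Authorization Policy Change subcategory: Security event 4704 (“A user right was assigned”) naming SeDebugPrivilege on a workstation is a cheap, high-signal alert.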
Strict execution rules
The first principle, not always easy to apply and enforce, “but we’re getting there in 2020”, is not to give users administrative rights on their workstations. The second: “Wherever the user can write an executable file, he cannot run it.” And conversely: “Wherever a user can run a program, he cannot write.” Such execution rules, explains Benjamin Delpy, “are pretty dumb, but they block a lot of attacks and a lot of propagation”. And to illustrate: “With such rules an attacker can take control of a workstation or a server and drop his payload, but he cannot launch it.”
There is no question of absolute protection here: “There are macros, in-memory execution, and so on.” But these rules already limit the threat considerably, also because very often “a macro serves as a bootstrap and then downloads an executable file. With the principle described here, it cannot be launched.” And to stress that no third-party vendor is required, the creator of Mimikatz adds: “AppLocker does the job very well. It only needs to be configured.”
For Benjamin Delpy, “in the end the attackers are not very clever. They don’t need to be. Basically, there is a real problem of basic hygiene.” Unfortunately, “keeping the existing estate in secure working order is not sexy enough”.
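The “writable XOR executable” rule maps almost directly onto AppLocker’s default path rules, with one caveat a practitioner hits quickly: a few folders under %WINDIR% are writable by standard users, so the Windows allow rule needs exceptions. The block below is an added example, not the author’s configuration: it builds the policy as XML, applies it locally, and then tests the scenario Benjamin Delpy describes, the same binary once in Windows and once dropped where the user can write. The exception list is a starting point to be checked with the ACL scan at the end; the rule GUIDs are generated on the fly. Run elevated on a test machine.

```powershell
# Added example (not from the article): an AppLocker policy enforcing "where the
# user can write, he cannot execute" for standard users, and a test of a payload
# dropped in a user-writable folder. Run elevated on a TEST machine.

$Everyone = 'S-1-1-0'
$Admins   = 'S-1-5-32-544'

# Folders under %WINDIR% that standard users can write to: executing from them would
# defeat the rule, so they are excepted from the Windows allow rule. Starting list;
# confirm it for your own build with Find-UserWritableDirs below.
$WritableWindowsDirs = @('%WINDIR%\Temp\*', '%WINDIR%\Tasks\*', '%WINDIR%\Tracing\*', '%WINDIR%\Registration\CRMLog\*')

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid, [string[]]$Exceptions = @())
    $exc = ''
    if ($Exceptions) {
        $items = ($Exceptions | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join ''
        $exc = "<Exceptions>$items</Exceptions>"
    }
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>$exc
    </FilePathRule>
"@
}

# Standard users run from Program Files and Windows (minus writable sub-folders) only;
# administrators, who can write anywhere, are allowed everything.
$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-PathRule -Name 'Everyone: Program Files' -Path '%PROGRAMFILES%\*' -Sid $Everyone)
$(New-PathRule -Name 'Everyone: Windows' -Path '%WINDIR%\*' -Sid $Everyone -Exceptions $WritableWindowsDirs)
$(New-PathRule -Name 'Administrators: everything' -Path '*' -Sid $Admins)
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'applocker-wxe.xml'
$Policy | Set-Content -Path $PolicyPath -Encoding UTF8

# Enforcement needs the Application Identity service (sc.exe rather than Set-Service,
# which cannot change this service's start type on recent builds).
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath          # local policy; add -Ldap to target a GPO instead

# The scenario from the text: same binary, one copy in Windows and one dropped where
# the user can write. notepad.exe stands in for the attacker's payload.
$Dropped = Join-Path $env:LOCALAPPDATA 'Temp\payload.exe'
Copy-Item "$env:WINDIR\notepad.exe" $Dropped -Force
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:WINDIR\notepad.exe", $Dropped -User $Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

function Find-UserWritableDirs {
    # Directories under $Root where Users, Authenticated Users or Everyone may create
    # files: every hit needs an exception in the Windows rule above. Slow on %WINDIR%.
    param([string]$Root = $env:WINDIR)
    $ids = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $ids -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles)
        }
        if ($hit) { $_.FullName }
    }
}
Find-UserWritableDirs | Sort-Object
```

The test is run as Everyone rather than as the current (administrator) user, otherwise the catch-all admin rule allows both copies and proves nothing. Expect the copy in Windows to come back Allowed and the one under the user profile to be denied because no rule matches it. This covers only the Exe collection; a complete deployment adds the Script, MSI and DLL collections, and still leaves the in-memory and macro paths Benjamin Delpy mentions, which is why it complements the firewall and rights measures above rather than replacing them.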