Microsoft products have been frequent targets for threat actors for decades. In recent years, attacks targeting Microsoft Active Directory, the Microsoft Kerberos authentication protocol, and PowerShell have increased dramatically, leading to compromises at thousands of organizations.
Below, we examine five common Microsoft exploits and show how the ExtraHop Reveal(x) network detection and response (NDR) platform helps security analysts respond to these attacks. Reveal(x) gives users comprehensive visibility into Microsoft environments, providing detections of common attacks.
The detections in Reveal(x) build on its unmatched decryption capabilities, which reveal malicious activity hiding in encrypted traffic, a common tactic used in attacks on Microsoft environments. The decryption capabilities identify unauthorized access and privilege escalation attempts in Active Directory, and they give security analysts visibility into living-off-the-land techniques, in which attackers misuse legitimate tools to gain access to targeted networks.
These decryption capabilities provide greater visibility into advanced attacks, such as Kerberos golden ticket attacks, described below.
In addition, Reveal(x) gives users comprehensive visibility into protocols used by Active Directory, including Kerberos and LDAP, and provides detailed metrics on domain controllers and clients in a Windows environment.
PowerShell is a legitimate command-line interface and scripting language built into Windows, often used by security teams and systems administrators to automate tasks and manage IT systems.
Threat actors use PowerShell to engage in malicious activity on compromised Microsoft systems. Attackers can exploit the capabilities of PowerShell to steal login credentials, move laterally within a network, and communicate with their command-and-control servers.
One of the 12 most exploited vulnerabilities in 2022 was a PowerShell vulnerability, CVE-2021-34473, that led to ProxyShell attacks on Microsoft Exchange Servers, according to the U.S. Cybersecurity and Infrastructure Agency (CISA). This chain of attacks allows threat actors to execute remote code on targeted servers.
Reveal(x) features a Threat Briefing on the ProxyShell chain of attacks. The Threat Briefing provides users with an overview of unpatched Microsoft Exchange Servers in their environment that are vulnerable to the attack, as well as any detections involving the specific HTTP requests associated with the ProxyShell chain of attacks. The Threat Briefing also points users to mitigation steps provided by Microsoft.
Reveal(x) detects ProxyShell attacks by identifying HTTP requests with Uniform Resource Identifiers that match exploits of the ProxyShell vulnerability. Reveal(x) also detects PowerShell remoting attempts, alerting users to devices making suspicious remote PowerShell requests. These requests are associated with lateral movement.
The decryption capabilities in Reveal(x) also help organizations identify ProxyShell attacks by giving security analysts visibility into related malicious activity encrypted by attackers.
BloodHound uses data collectors, such as SharpHound or BloodHound.py, that leverage network protocols including remote procedure call (RPC), SMB, and LDAP to retrieve data from domain controllers and domain workstations.
Attackers use BloodHound to find hidden relationships in Active Directory and to look for attack paths in Active Directory. BloodHound builds visualizations in a user interface where the attacker can identify Active Directory objects to compromise. BloodHound can also help attackers gain high-level access rights within Active Directory that allow them to move laterally across the targeted network.
The MITRE ATT&CK framework identifies 12 techniques that threat actors use alongside BloodHound. BloodHound can map domain trusts and identify misconfigurations for potential abuse. It can collect information about domain users, including identification of domain admin accounts, and it can use PowerShell to pull Active Directory information from the target environment.
Reveal(x) defends against BloodHound attacks by detecting BloodHound attempts to map out Active Directory domains. The BloodHound enumeration detection identifies the domain controllers and other devices targeted by attackers using BloodHound.
The decryption capabilities in Reveal(x) also help organizations defend against BloodHound attacks. BloodHound often collects Active Directory information with its activity encrypted, but the decryption capabilities in Reveal(x) help security analysts identify unauthorized access and privilege escalation attempts in Active Directory.
Reveal(x) also includes an Active Directory dashboard that shows invalid login attempts, service ticket requests, and other indicators of possible attempts to compromise Active Directory.
Kerberos Golden Ticket Attacks
A Kerberos golden ticket attack targets Kerberos, an authentication protocol commonly used in Active Directory. The Kerberos authentication workflow uses tickets, which provide a cryptographic proof of identity that can be exchanged between clients, services, and the domain controller. In a golden ticket attack, threat actors forge a ticket using a stolen key distribution center (KDC) key, an encryption key designed to show that the ticket is valid.
Stealing a KDC key can be difficult, since attackers first need to gain initial access to the targeted network, escalate their privileges, and then compromise the domain controller. However, once an attacker manages to steal a KDC key, a successful golden ticket attack can cause serious damage because it not only subverts normal authentication processes, but it also gives attackers unlimited access to any account or resource on an Active Directory domain.
A Kerberos golden ticket attack is related to a category of attacks called Kerberoasting, which involve stolen or forged Kerberos tickets. Kerberoasting is a post-compromise technique for cracking passwords for service accounts in Active Directory.
The CrowdStrike 2023 Threat Hunting Report found a 583% increase in Kerberoasting attacks from the previous year.
Reveal(x) detects both Kerberos golden ticket attacks and Kerberoasting activity. The detection of a Kerberos golden ticket attack alerts Reveal(x) users to a Kerberos request that indicates the presence of a golden ticket. The detection advises security teams to take the following actions: changing the passwords for the KRBTGT account and for all related service and client accounts, and implementing strict login controls on devices with highly privileged users to reduce the exposure of credentials stored in memory to golden ticket attacks. The Kerberoasting activity notification alerts Reveal(x) users to requests that match activity performed by Kerberos attack tools, such as GetUserSPNs.py.
Data Protection API Attacks
The Data Protection Application Programming Interface (DPAPI) is a cryptographic API that’s been available since the Windows 2000 operating system was released. The purpose of DPAPI is to provide encryption protections to applications and user and system processes running on Windows.
DPAPI protects passwords and auto-completion data in some browsers, email account passwords in Outlook, remote desktop connection passwords, wireless network account keys and passwords, shared folder passwords, VPN and WiFi authentication, and several other processes.
However, one challenge with DPAPI is that its effectiveness depends heavily on the security of Windows users’ credentials, because DPAPI creates a user-specific master key from the user’s password. This challenge, combined with the sensitive data DPAPI is designed to protect, makes DPAPI a prime target for threat actors.
Data Protection API attacks can take several forms. For example, attackers can use the Mimikatz exploit software to extract passwords from applications like Google Chrome running in Windows.
DPAPI attacks target domain controllers in Windows that hold backup master keys, which attackers can use to decrypt data encrypted with DPAPI on domain-joined computers. These backup keys are stored as self-signed certificates in Active Directory.
Attackers with high-level permissions can access these backup keys from Active Directory through the Local Security Authority Remote Protocol and use the keys to decrypt any data protected by DPAPI on all domain-connected Windows computers.
To counter these attacks, Reveal(x) features a detector of DPAPI backup key export attempts. The detection shows users when an attacker remotely dumps the DPAPI domain backup private key from the Local Security Authority Subsystem Service (LSASS), a process to enforce security policy, on a domain controller.
In addition, Reveal(x) includes a remote procedure call (RPC) detector that shows when attackers use the Mimikatz lsadump::backupkeys command in attempts to decrypt user data on the domain controller.
UnPac-the-Hash and Related Attacks
UnPac-the-hash is a technique that allows an attacker with a valid TGT (Ticket Granting Ticket) in the Kerberos authentication process to steal the NT and LM hashes of a user account. NT and LM hashes are the cryptographic formats where user passwords are stored in Windows. The attack technique targets the PKINIT preauthentication mechanism for Kerberos that allows users to switch to NTLM authentications when remote servers don’t support Kerberos.
Threat actors able to conduct shadow credential or golden certificate attacks can also use the UnPac-the-hash technique to recover the NT and LM hashes.
If attackers obtain the hash of a Windows user’s password, they can use it to authenticate themselves and impersonate the user. Hashes can be used for authentication in place of original passwords.
The user’s stolen hash can also be used to create a Kerberos silver ticket, which uses compromised authentication to forge ticket-granting service tickets. Attackers can use a silver ticket to gain administrative access over the entire system.
An UnPac-the-hash detector in Reveal(x) identifies a suspicious ticket-granting-request (or TGS_REQ) in Kerberos. These ticket-granting-requests use a kdc-options bitmask of 0x40810018 as explained in this blog post from Henri Hambartsumyan.
Also, with Unpac-the-hash and related techniques falling under the Kerberoasting family of attacks, the Kerberoasting activity detection in Reveal(x) will also alert users to attacker attempts to use these methods.
Reveal(x) gives users unmatched visibility into Microsoft environments and helps them manage the risks associated with major exploits targeting Windows and related applications. Learn more in the on-demand webinar or self-guided demo.
Want to dive deeper into techniques for securing Microsoft environments? Join the discussion on the ExtraHop customer community,