Account Credential Theft in Domain Environments Detected by EDR

The “Internal Reconnaissance in Domain Environments Detected by EDR” [1] post covered cases where EDR was used to detect the process of a threat actor taking over a system in an Active Directory environment before conducting internal reconnaissance to collect information. If an organization’s infrastructure is an environment that uses Active Directory, the threat actor can perform internal reconnaissance to collect information on the domain environment, steal account credentials, use these for lateral movement, and ultimately seize control over the domain environment.

This post explains the attack phase in which a threat actor steals account credentials for lateral movement after taking control of a system within an Active Directory environment, and how EDR is used to detect this stage of the attack. Threat actors use various tools, including Mimikatz, for account credential theft, or they abuse lapses in the administrator's attention.

Because account credential theft is a key step in dominating a domain, threat actors employ various methods to bypass security products. Not only do they pack or obfuscate their files to evade file detection, but they also use ProcDump, a legitimate utility, to bypass behavior detection. Accordingly, existing products such as anti-malware programs alone have limited ability to detect these behaviors. It is necessary to use EDR to monitor and respond to suspicious behaviors.

AhnLab EDR (Endpoint Detection and Response) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on South Korea’s only self-behavior-based engine. AhnLab EDR collects information on suspicious behaviors by type around the clock, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Comprehensive analysis using the collected data allows administrators to identify the cause, make appropriate responses, and establish processes to prevent threat recurrence.


1. Overview

Directory services integrate, store, and manage information on users and resources within a computer network. The directory service implemented in Windows is called Active Directory (AD). Domains are the basic unit of AD, and the server that performs management tasks such as authentication and permission grants is called the Domain Controller. The goal of the threat actor is to steal the credentials of an account in the Domain Admins group and take over the Domain Controller, and thereby essentially the entire domain.

Threat actors often use Mimikatz to steal account credentials. Even if Mimikatz is not used, account credentials can be extracted from poorly managed user information or by abusing inadequate settings. Such account credentials are used for lateral movement, and the process continues until the domain administrator's account credentials are ultimately obtained.


2. Mimikatz

2.1. What Is Mimikatz?

Mimikatz is a program that extracts account credentials from systems running Windows. It is an open-source project available on GitHub, which makes it readily available to threat actors. In particular, it is often used in domain environments as a means to seize control over domains for ransomware distribution or information theft.

Figure 1. GitHub page of Mimikatz

Regarding account credential theft, Mimikatz can extract not only plain-text passwords of Windows accounts but also various other data such as hashes and Kerberos tickets. Furthermore, it supports lateral movement attacks and features for maintaining persistent control using the obtained credentials.

While Mimikatz supports a variety of features for each attack stage, this article covers its account credential theft process, which is the most commonly used in practice. Mimikatz has many commands for account credential theft, but this post summarizes the method of extracting the NT hash (the hash used in the NTLM authentication protocol) stored in the LSASS process memory.

In most attack cases, threat actors use the Mimikatz command “sekurlsa::logonpasswords”. This command shows most of the account credentials that can be extracted from the current system.

Figure 2. Result of executing the logonpasswords command


2.2. Various Forms of Mimikatz

While commands can be entered in Mimikatz in shell prompt format as above, they can also be entered and run as command line arguments. Actual attacks often show cases where commands are transmitted and run as arguments and the results are printed into a text file.

> mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Figure 3. Mimikatz command identified in a GlobeImposter ransomware attack
Figure 4. Logs detecting Mimikatz command – EDR

Mimikatz accesses the LSASS process memory directly to obtain the NT hashes stored inside. Such behavior is easily detected by security products, so threat actors have recently been using legitimate programs such as Sysinternals' ProcDump to evade detection. The process involves using ProcDump to dump the LSASS memory to a file, then using the "sekurlsa::minidump" command so that Mimikatz extracts the credentials from the dump file instead of from the live process. This method was also used in a case covered in "Analysis of APT Attack Cases Targeting Web Services of Korean Corporations". [2]

> procdump.exe -accepteula -ma lsass.exe C:\attack\lsass.dmp
> mimikatz.exe "sekurlsa::minidump C:\attack\lsass.dmp" "sekurlsa::logonpasswords" "exit"

AhnLab EDR detects as a threat the behavior of using Sysinternals’ ProcDump (legitimate program) to dump the LSASS process memory, enabling administrators to recognize the behavior, identify the cause, and make adequate responses.

Figure 5. Log detecting suspicious ProcDump execution – EDR

Additionally, on current Windows versions the WDigest security package does not keep plain-text passwords in memory by default, so they cannot be obtained from LSASS. The UseLogonCredential registry value must be set to 1 for WDigest to store them again. Accordingly, threat actors sometimes run a command that adds the UseLogonCredential value, so that passwords of users who log in afterwards can be obtained in plain text.

> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Figure 6. Logs detecting the behavior of obtaining passwords in plain text through the configuration of the UseLogonCredential key – EDR
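The three command lines shown in this section (Mimikatz module syntax, ProcDump pointed at lsass.exe, and the WDigest UseLogonCredential change) are simple to recognize in process-creation telemetry. The following is an added example written for this post, not AhnLab EDR logic or code from the tools discussed: it runs three command-line rules over constructed Sysmon-style events. The ProcDump rule deliberately keys on the tool's own switches rather than only on the image name, since the binary is often renamed; the field names are Sysmon's, but every value is made up.

```python
"""Triage of process-creation events for the LSASS credential-theft patterns in
section 2.2. Constructed example written for this post, not AhnLab code; the
events are made-up Sysmon Event ID 1 style records."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str


RULES = [
    # Mimikatz commands use "module::command" syntax; sekurlsa and privilege
    # appear in this post, lsadump is another module Mimikatz ships with.
    Rule("mimikatz_module_syntax",
         re.compile(r"\b(?:sekurlsa|privilege|lsadump)::\w+", re.I),
         "Mimikatz module::command syntax on the command line"),
    # Match ProcDump's own switches, not only the image name: the binary is
    # frequently renamed, while "-accepteula ... lsass" survives the rename.
    Rule("lsass_dump_via_procdump",
         re.compile(r"(?:^|\s)-accepteula\b.*\blsass\b|\bprocdump\S*\s.*\blsass\b", re.I),
         "ProcDump (possibly renamed) writing a dump of lsass.exe"),
    # UseLogonCredential=1 re-enables WDigest plain-text caching; 0 is the safe value.
    Rule("wdigest_cleartext_enabled",
         re.compile(r"\bWDigest\b.*\bUseLogonCredential\b.*/d\s+0*1\b", re.I),
         "WDigest UseLogonCredential set to 1"),
]

# Constructed process-creation events (Sysmon field names, made-up values).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\attack\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Image": r"C:\attack\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\attack\lsass.dmp"},
    {"Image": r"C:\attack\m.exe",
     "CommandLine": r'm.exe "sekurlsa::minidump C:\attack\lsass.dmp" "sekurlsa::logonpasswords" "exit"'},
    {"Image": r"C:\attack\pd64.exe",  # renamed ProcDump
     "CommandLine": r"pd64.exe -accepteula -ma lsass.exe C:\attack\1.dmp"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",  # hardening, not an attack
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f"},
]


def triage(events):
    """Return (event_index, rule_name) for every rule matching an event's command line."""
    findings = []
    for idx, event in enumerate(events):
        cmd = event.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append((idx, rule.name))
    return findings


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Run as-is, the script flags events 1 through 5 and stays silent on the svchost baseline and on the `reg add ... /d 0` line, which is the hardening direction of the same key. Matching on `sekurlsa::minidump` also covers the offline case in which a dump produced elsewhere is parsed on the compromised host.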

The form of Mimikatz covered so far is the executable file. Although threat actors sometimes build the binary themselves or pack/obfuscate existing binaries to evade file detection, Mimikatz in PowerShell form is also frequently seen in actual attack cases. PowerShell scripts offer a convenient interface and the advantage of running from memory without being written to disk as a file. Most penetration testing frameworks such as PowerSploit, Empire, and Nishang provide this under the name "Invoke-Mimikatz.ps1".

Figure 7. Log detecting Invoke-Mimikatz PowerShell script – EDR

Cobalt Strike is a tool for assessing security vulnerabilities in the networks and systems of companies and institutions. As such, it supports features for each stage of a penetration test, from internal reconnaissance to privilege escalation, account credential theft, lateral movement, and command and control. Cobalt Strike uses Mimikatz for account credential theft, in DLL form rather than the executable form covered above. This is similar to the Invoke-Mimikatz PowerShell script, which internally uses Mimikatz as a DLL. Cobalt Strike runs the Mimikatz command by launching a normal process and then injecting Mimikatz into it.

When the “Run Mimikatz” command is used in a GUI environment, the Mimikatz command “sekurlsa::logonpasswords” is executed by default after which the results are shown. Each Mimikatz command can also be run in the shell.

Figure 8. Mimikatz features supported by Cobalt Strike (Source – Basic Beacon Use [3])

AhnLab EDR detects the behavior of Cobalt Strike injecting Mimikatz into a normal process and stealing account credentials, enabling administrators to recognize the behavior, identify the cause, and make adequate responses.

Figure 9. Log detecting Mimikatz executed by Cobalt Strike – EDR


2.3. Stealing Account Credentials Using Mimikatz

Mimikatz extracts, decrypts, and shows account credentials stored in the LSASS process memory. If the infected system is a personal PC or not part of a certain network, only the account credentials for the current system will be obtained. However, domain environments of organizations may have complex relationships depending on the settings, including errors on the part of the administrator. In such environments, merely running Mimikatz in a small number of compromised systems allows threat actors to collect the data required for lateral movement. [4]

A. Identical Local Administrator Account

For example, when an IT administrator issues a new PC, the configuration for the local administrator group account may be left unchanged. In this case, multiple PCs will have the same local administrator account and password, meaning that other issued systems with identical configurations will have the same NT hash. Thus, when a threat actor takes over a system and obtains account credentials for the local administrator account, they may also gain account credentials for all identical systems. The account credentials obtained in this way can be used for lateral movement attacks, paving a path to the internal system that uses or has a history of using a domain administrator account.

B. Group With Local Administrator Privileges

There are also cases where inappropriate rights are granted to domain users. For example, the help desk department may require admin rights on systems in the domain to provide IT services. If local administrator privileges are granted to the help desk group, then whenever a member of that group logs into a system in the domain, they hold local administrator privileges on that system. When a threat actor obtains the account credentials (NT hash) of a help desk account, those credentials carry local administrator privileges on every system where the group was granted them, so the domain in question becomes vulnerable to lateral movement attacks.

C. Logging in Using a Domain Administrator Group Account

Besides the local administrator group, some cases involve inadequately managed domain administrator group accounts. If the current system has a history of logins from multiple users, these account credentials are stored in the LSASS process memory. Accounts of users who logged in from the infected system are all at risk of account credential theft. If the user of an infected system logs into a domain administrator account instead of a domain user account, no other steps will be needed to seize control over the domain.

D. Executing Processes Using a Domain Administrator Account

Certain programs can be executed with domain administrator privileges without actually logging into the account as covered above. For example, some programs require administrator privileges for setup or upon launch. These programs may be run as admin after logging into an administrator account. If a lookup on the process list of the current system finds a process being run as admin, this means that domain administrator account credentials are stored in the LSASS process memory.


3. Various Methods of Account Credential Theft

So far, we covered attack methods involving the use of Mimikatz to steal account credentials saved in the local system. However, sufficient account credentials can be obtained without using Mimikatz due to inattention from a user or an administrator. In particular, a lot of internal infrastructures that are not externally available have default settings or weak account credentials. This section covers some major examples of such cases.


3.1. Inadequate Data Management

The first method consists of using internal data that is accessible to the compromised account. For example, shared folders can be scanned to collect information from the configuration and script files they hold. Departments in companies usually have shared folders for exchanging work data. In addition to addresses and descriptions of other systems, these folders may contain configuration files holding account credentials, or script files such as login scripts. Threat actors scan all accessible shared folders and inspect their contents to collect the information needed for lateral movement.

PowerView, a tool included in the PowerSploit project, collects and displays various types of information about Windows domain environments. For example, its Find-DomainShare command finds shared folders in the current domain, and threat actors use the results to access those folders and collect information. The Find-InterestingDomainShareFile command lists files in shared folders whose names contain credential-related keywords such as "admin" and "password".


3.2. Inadequate User Management

Aside from internal data management issues, inadequate user management practices may also be leveraged. For example, if there are too many users to manage, the administrator may record information such as passwords in the "Description" field of the domain user. This field is readable not only by administrators: ordinary domain users can use standard tools to enumerate and print a list of all domain users, descriptions included.

In the following case, the PowerView command Get-NetUser was used to extract the Description field of every domain user.

> Get-NetUser | select samaccountname, description
Figure 10. Extracting user description using PowerView
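Both leak sources in sections 3.1 and 3.2, file names on readable shares and the Description field of domain users, are also easy for an administrator to audit before an attacker does. The following is an added example written for this post (not PowerView, not AhnLab code); the keyword list is the example's own rather than PowerView's exact defaults, and the share listing and user export are constructed. The Description check is deliberately stricter than a keyword hit: "password reset ticket" should not be reported, while "pw: Backup2023!" should.

```python
"""Audit of two credential-leak sources from sections 3.1 and 3.2: file names on
shared folders and the Description attribute of domain users. Constructed example
written for this post; keyword lists and data are the example's own."""
import re

# Name fragments a share audit looks for (this example's list, not PowerView's).
FILE_TERMS = ("pass", "pwd", "admin", "cred", "login", "secret", "unattend")
# File types that commonly embed credentials or connection strings.
SENSITIVE_EXT = (".config", ".kdbx", ".pem", ".ppk")

# Constructed listing of files found on readable shares.
SHARE_FILES = [
    r"\\FS01\Public\holiday_schedule.xlsx",
    r"\\FS01\IT\admin_passwords.xlsx",
    r"\\FS01\IT\scripts\login.bat",
    r"\\FS01\Dev\config\web.config",
    r"\\FS01\HR\benefits.pdf",
]

# Constructed export of domain users with their Description attribute.
USERS = [
    {"samaccountname": "jdoe", "description": "Accounting"},
    {"samaccountname": "svc_backup", "description": "Backup service - pw: Backup2023!"},
    {"samaccountname": "helpdesk1", "description": "Temp password Welcome1, change at first login"},
    {"samaccountname": "mkim", "description": "Marketing (password reset ticket #4412)"},
    {"samaccountname": "rlee", "description": ""},
]

# keyword, optional ':' or '=' separator, then the token that follows it
KEYWORD_RE = re.compile(r"\b(?:pass(?:word|wd)?|pwd|pw)\b\s*([:=]?)\s*(\S*)", re.I)


def interesting_share_files(paths):
    """Return (path, reasons) for file names matching credential keywords or sensitive types."""
    hits = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = [t for t in FILE_TERMS if t in name]
        reasons += [e for e in SENSITIVE_EXT if name.endswith(e)]
        if reasons:
            hits.append((path, reasons))
    return hits


def description_leaks(description):
    """Return the suspected secret if a Description holds a password-like value, else None.

    A keyword alone ("password reset ticket") is not enough: the following token
    must come after a ':'/'=' separator or look like a credential (digit or symbol).
    """
    for match in KEYWORD_RE.finditer(description):
        sep, value = match.group(1), match.group(2)
        if not value:
            continue
        if sep or re.search(r"[\d!@#$%^&*]", value):
            return value.rstrip(",.;")
    return None


def leaky_users(users):
    """Return (samaccountname, suspected_value) for users whose Description leaks a credential."""
    found = []
    for user in users:
        value = description_leaks(user.get("description", ""))
        if value:
            found.append((user["samaccountname"], value))
    return found


if __name__ == "__main__":
    for path, reasons in interesting_share_files(SHARE_FILES):
        print(f"share file: {path}  ({', '.join(reasons)})")
    for account, value in leaky_users(USERS):
        print(f"user {account}: Description contains credential-like value {value!r}")
```

The same functions work on a real export, for example the result of `Get-ADUser -Filter * -Properties Description` saved to CSV, and on a recursive directory listing of each share; both inputs are available to any authenticated domain user, which is exactly why the audit should be run by the administrator first.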

As such, PowerView is used in the account credential theft phase as well as for internal reconnaissance. AhnLab EDR detects the behavior of threat actors using PowerView scripts to obtain account credentials from domain environments as follows, enabling administrators to recognize the incident.

Figure 11. Logs detecting PowerView commands – EDR


3.3. Account Credentials Saved in Applications

Account credential management tends to be weaker on systems in the internal network than on those with Internet access. Because most internal infrastructure is also managed through web interfaces, the web browser of a system in the internal network may hold access records for other systems in the network as well as multiple saved account credentials. The methods for stealing user account credentials from web browsers and from programs such as email, FTP, and SSH clients are already well known.

For example, the Defray777 ransomware operator in the past also used account credentials saved in web browsers during the VMware ESXi server attack process. They used account credentials collected by Mimikatz and from web browsers for lateral movement, ultimately encrypting the VMs running in the VMware ESXi environment. [5]

Additionally, ransomware operators such as GlobeImposter, MedusaLocker [6], Crysis, and Venus [7] also target externally exposed remote desktop services. After the initial access, they use various tools for internal reconnaissance and account credential theft. NirSoft’s tools are often used for collecting account credentials saved in the infected systems. WebBrowserPassView is a tool that extracts and shows account credentials saved in web browsers such as Chrome, Firefox, and IE, while Mail PassView extracts and shows account credentials saved in email clients such as Outlook and Thunderbird. Other tools such as VNCPassView and WirelessKeyView are also used, which extract various account credentials saved in the infected system.

Figure 12. Logs showing the Venus ransomware operator installing tools for account credential theft

Although these tools are being used in various attacks, as they can also be used by administrators to check the organization’s network, it is difficult for antivirus products to block these tools perfectly.

Figure 13. Logs detecting the tools used in an attack – EDR


4. Conclusion

A threat actor who infiltrates the domain environment of an organization using Active Directory can use Mimikatz to obtain account credentials. While Mimikatz is the most frequently used tool, threat actors can also obtain account credentials from poorly managed data and from administrators' inattention to user management. These account credentials are combined with the information obtained through internal reconnaissance for lateral movement attacks at a later stage.

Because account credential theft is key in taking control over a domain, threat actors use various methods to bypass security products, and as such, there are limits to anti-malware products detecting and blocking these behaviors alone. AhnLab EDR detects attack techniques employed by threat actors who have seized control over a certain system to steal account credentials for taking over the whole domain in later stages, helping administrators identify the cause, make adequate responses, and establish recurrence prevention processes.

Behavior Detection
– Execution/EDR.Mimikatz.M11444
– Execution/EDR.Behavior.M10484
– Suspicious/DETECT.SystemManipulation.M2810
– CredentialAccess/EDR.Mimikatz.M10451
– Suspicious/DETECT.T1003.M2608
– LateralMovement/EDR.PowerView.M4055
– Execution/EDR.Event.M10819
– Execution/EDR.Event.M10817
– Execution/EDR.Event.M10815

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Account Credential Theft in Domain Environments Detected by EDR appeared first on ASEC BLOG.
