Trying to Prevent Lateral Movement on a Budget?
They say the best things in life are free. And whether you believe it or not, it’s got to be true at least every once in a while, right? Well, when it comes to securing your credentials and data, there are in fact a number of things you can do that are not only highly effective, but cost conscious.
Not to oversimplify some otherwise complex concepts and subjects, there are three things pretty much every attacker relies upon being true in order to move laterally throughout an organization’s network on their way to total domain dominance. They are:
- Local Admin rights
- Improperly configured systems
- A poorly understood Active Directory
Now, expecting to prevent Lateral Movement completely isn’t exactly realistic due to the ultra-sophisticated ways attackers are able to circumvent even the best defenses, so the goal should really be to make it as difficult as possible for an attacker to achieve their goal. This means making sure these basics are covered.
Lateral Movement and Local Admin Rights
Local Admin rights are pretty much the most important ingredient in a standard lateral movement situation. Without privileged access to the system, it’s significantly more difficult – if not impossible – for an attacker to install and run useful software containing powerful tools like Mimikatz that will allow them to exploit critical misconfigurations (which we’ll discuss some of next) that they’ll also need Local Admin rights to get to.
Limiting this level of access to the lowest levels possible through proactive evaluation of Local Admin rights on every system and leveraging built-in solutions like Microsoft’s Local Administrator Password Solution (LAPS) can have drastic impact in the fight against lateral movement techniques.
How Simple Misconfigurations Make Lateral Movement Easy
There are thousands of possible configuration settings on a Windows system, but a relatively small handful of them are particularly significant as it pertains to the topic of lateral movement. Two such configurations are LSA Protection and WDigest.
Again, assuming an attacker has the Local Admin rights needed to either exploit misconfigurations of these settings or change them to be exploitable, improper configuration of LSA Protection and/or WDigest will allow an attacker to steal the passwords of other accounts that have been used on a system by reading system memory through code injection into the Local Security Authority (LSA).
Ensuring LSA Protection is enabled and disabling WDigest passwords from being stored in memory is about as simple as the flick of a switch, as both are controlled via the system’s Registry.
Plaintext Passwords in SYSVOL? Lateral Movement Coming Up!
The last tactic we’re going to discuss here is perhaps the simplest an attacker can employ, but also one of the easiest to spot and fix (if you know to look for it). Here’s how it works:
Group Policy Objects (GPOs) can be used to create accounts and set passwords on computers within an Active Directory domain. Attackers can target these GPOs to obtain and decrypt these passwords (because Microsoft published the AES private key on MSDN) without any elevated rights. Why? Any authenticated account has read access to a Domain Controller’s SYSVOL share – where Group Policy Preferences are stored. Because Group Policy Preferences are often used to set and control the Local Administrator password across systems en masse, compromising an account contained in Group Policy Preferences can provide an attacker high-privilege, far-reaching access across an enterprise.
So, because any malicious insider or attacker can search for the cPassword field inside XML files shared through SYSVOL to decrypt them, you can too! Find them before they do, and you’ll be that much safer from critical credential compromise.
What Should I Do Now?
As I mentioned earlier in the post, Lateral Movement and the plethora of ways it’s made possible is a complex subject. Education on these attack vectors, prioritization of risk, and bandwidth constraints will ultimately dictate what you do next or about this or any subject. But, to make it just a little easier on you, we’re happy to lend a helping hand.
If you want to see whether or not you’re facing these risks and to what extent, our free Security Best Practices Assessment will do just that.
You can download and run it yourself here: https://go.stealthbits.com/security-best-practices-instant-trial
Alternatively, we’d be happy to do it for you and produce a polished, informative Executive Summary for you to deliver your organization’s leadership team to articulate your risk and some highly effective measures that can be taken to reduce that risk. Contact Us today and we’ll get the ball rolling quickly.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Adam Laub is the Senior Vice President of Product Management at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.
Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.