
iThome2024 Wailing Wall of Enterprise Security


NotSurprised

May 15, 2024


Transcript

  1. Outline
    • Internal SOC / external MSSP?
      – SOC Introduction
      – Analysis & Response
      – Scanning & Assessment
    • Mitigation / Workaround?
      – Managed Service Account (gMSA/sMSA)
      – ADCS Certified Pre-Owned
      – Credential Dump
  2. NotSurprised: Intro
    • UCCU Hacker
    • AIS3 2016 trainee
    • HITCON Defend 2018 3rd (etc.)
    • SITCON 2019 / MOPCON 2019 speaker
    • HITCON Training 2019 lecturer
    • ITRI, CPC, SIPA, NCU, NKUST lecturer (etc.)
    • LINE Becks.io#5 speaker
    • iThome CyberSec 2020/2021 speaker
    • ITRI Deputy-Engineer, MediaTek Engineer
    • Email: [email protected]
    Skill
    • Windows Kernel Driver
    • Penetration Test
    • Malware Analysis
    • Operation Technical
    • Car Security
    • Ethereum Smart Contract
  3. Organization establishment and reporting-process formulation
    • [TPEX Taipei Exchange] Cybersecurity Control Guidelines for Listed and OTC Companies, Chapter 8, Article 18
    • [TPEX Taipei Exchange] Cybersecurity Control Guidelines for Listed and OTC Companies, Chapter 8, Article 32
    • [TPEX Taipei Exchange] Cybersecurity Control Guidelines for Listed and OTC Companies, Chapter 8, Article 33
  4. SOC organizational models vs. Security Team authority (from Carnegie Mellon CERT: Constituency, Organizational Model, Authority)
    • Authority of the Security Team: No Authority / Shared Authority / Full Authority
    • Organizational models: Internal Distributed SOC; Internal Centralized SOC; Internal combined distributed and centralized SOC; Coordinating SOC
    • Trade-off axes: User Availability, SOC Accuracy, SOC Efficiency
    • Costs of each extreme: Blind Spot; waiting for approvals; cost from wrong decisions; Standards & Policies; waste of profits; waste of investment
  5. SOC organization chart (credit: MITRE)
    • CISO; SOC Chief; SOC Deputy Chief; Front Office (Finance Admin, SOC website)
    • Analysis & Response Lead
      – Tier 1 Lead(s): Call Center; Realtime monitoring & Triage; Cyber news collection & analysis
      – Tier 2+ Lead(s): Incident analysis; Incident coordination & response; Forensic artifact handling & analysis; Malware & implant analysis; Tradecraft analysis; Insider threat case support
      – Trending Lead: Cyber news collection & analysis, distribution, creation, fusion; Emergency alerts & warnings; Trending; Threat assessment; Tradecraft analysis
    • Scanning & Assessment Lead
      – Scanning Lead: Network scanning; Vulnerability scanning; Situational awareness
      – VA/PT Lead: Vulnerability assessment; Penetration testing; Red team; Product assessment; Security consulting
    • System Life Cycle Lead
      – System Admin Lead: SOC infrastructure O&M; Sensor tuning & maintenance; Custom signature creation; Scripting automation
      – Engineering Lead: Audit collection & storage; Tool engineering & deployment; Scripting & automation
    • Compliance & Awareness Lead
      – Compliance: Policy compilation & maintenance; Compliance auditing; Define Security Standards; Supply-chain auditing
      – Awareness: Security training material compilation; Training course handling; Social engineering exercise
  6. SIEM & Other Specialized Tools (credit: MITRE)
    • Capabilities: Trending; Real-time monitoring; Advanced analysis; Correlation; Free-form query; Visualization; Case management; Historical analysis
    • Data flow: Constituency IT Assets -> Collect security-relevant events -> Tune, filter & customize (Hours-Days; Sensor & SIEM tuners) -> Real-time Monitoring (Seconds-Minutes; Tier 1 Analysts) -> In-depth analysis (Hours-Months; Tier 2+ Analysts & Leads, working from media images, traffic captures, malware samples) -> Coordinate & Consult -> Decision Making -> Incident Report
    • "Outside the Box" Analytics (Minutes-Hours) by Trending & Fusion Analysts, fed by Cyber Intel, Threat, Vulnerabilities
    • Other parties: Constituents & Employees; System Owners & System Admins
    • How to Respond: Block Activity; Deactivate Account; Continue Watching; Refer to Outside Party
  7. Definitions (credit: https://csrc.nist.gov/glossary)
    • Event: Any observable occurrence on a manufacturing system.
    • Alert: Notification that a specific attack has been directed at an organization's information systems.
    • Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
  8. SIEM and ticketing architecture
    • Main-SIEM collects from the Subsidiary-SIEM (Subsidiary Security Controls) and the Branches-SIEM (Branches Security Controls)
    • Security controls feeding the SIEMs: APS/NGFW; IPS/IDS; NDR; EDR; NGAV; VPN; WAF
    • Supporting platforms: GRC; SOAR; Vuln Mgmt. (Vuln Scanners); Asset Mgmt. (Asset Scanners, DHCP); Compliance Mgmt. (Compliance Scanners)
    • Governance, Risk, Compliance (GRC) ticket types (VIARPCC): Vulnerability Ticket; Incident Ticket; Asset Ticket; Risk Ticket; Project Ticket; Change Management Ticket; Compliance Ticket
    • Ticket flow: Alert Tickets raised from the SIEMs become Incident Tickets; Asset Mgmt. raises Asset Tickets
  9. Cyber Defense Matrix (credit: Sounil Yu): rows Devices / Applications / Networks / Data / Users; columns Identify / Protect / Detect / Respond / Recover; Degree of Dependency shifts from Technology (left) to People and Process (right)
    Solutions placed on the matrix: NGAV; Continuous Threat Exposure Mgmt.; SAST/DAST; IDS; NDR; EDR; NGFW/IPS; Zero Trust App Access; Active Directory Security Solutions; Data Encryption; Cyber Threat Intel.; Data Leakage Prevention; Vuln Assessment; WAF; Data Audit; Phishing Simulation; Identity Protection (MFA); MDR; XDR; Forensic Service; Backup; NetFlow; Fuzzer; Health Check; Version Control; Golden Image; Zero Trust Net Access; Backup Line; Remote Backup; Net Seg.
  10. Log retention. General standard: 90 days accessible/searchable, 365 days retrievable.
    • Business Transaction & Incident: 7+ years
      – Business Document (e.g. Email)
      – Incident Archive (e.g. evidence, forensic report, tracing email, chat record)
    • Alert: 3 years (ISO 27001 & NIST 800-53)
      – Archived alerts with related raw logs
    • Events & Server Log: 1 year
      – Server Log (KAVIAA: Key-in Log, Audit Log, Vulnerability, Integrity, Account, Antivirus)
    • Traffic Log: 92 days (NIST CSF DE.AE Security Logging Standard 4.4.a)
      – Metadata without PCAP (e.g. Traffic Log, Syslog, Threat Log)
  11. Incident reporting requirements
    • [TWSE Taiwan Stock Exchange] Taiwan Stock Exchange Corporation Procedures for Verification and Disclosure of Material Information of Companies with Listed Securities, Article 4, Paragraph 1, Subparagraph 26
    • [European Parliament] General Data Protection Regulation Art. 33, Notification of a personal data breach to the supervisory authority
    • [United States Congress] Cyber Incident Reporting for Critical Infrastructure Act, Public Law 117-103, SEC. 2242. REQUIRED REPORTING OF CERTAIN CYBER INCIDENTS.
    • Vendor Contracts
  12. Traffic Light Protocol (TLP) and data classification (table read in slide order)
    • TLP:RED: Not for disclosure, restricted to participants only.
      – Secret
    • TLP:AMBER: Limited disclosure, restricted to participants' organization and its clients.
      – Budget
      – Network Topology
    • TLP:GREEN: Limited disclosure, restricted to the community.
      – Security controls' brands
      – Unfixed Vulnerability
      – Blind spot beyond monitoring
      – VA/PT/RT report
      – Security Policy
      – Security incident information
      – SOC team members' information
    • TLP:CLEAR: Disclosure is not limited.
      – Malicious reconnaissance activity
      – Information of fixed vulnerability
      – Malware Information
      – Mitigation
      – CSIRT contact window
    Credit: https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=A0030307
    Credit: https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage
  13. Incident severity matrix (impact type per category)
    Category              | Severe Data Breach | Severe Data Diddling | Denial/Delete   | Light Data Breach | Light Data Diddling
    Official Website      | Lv.4 (Critical)    | Lv.4 (Critical)      | Lv.4 (Critical) | Lv.3 (High)       | Lv.3 (High)
    Personal information  | Lv.4 (Critical)    | Lv.4 (Critical)      | Lv.4 (Critical) | Lv.3 (High)       | Lv.3 (High)
    Key Critical Service  | Lv.4 (Critical)    | Lv.4 (Critical)      | Lv.4 (Critical) | Lv.3 (High)       | Lv.3 (High)
    Critical Service      | Lv.3 (High)        | Lv.3 (High)          | Lv.3 (High)     | Lv.2 (Medium)     | Lv.2 (Medium)
    Non-Critical Service  | Lv.2 (Medium)      | Lv.2 (Medium)        | Lv.2 (Medium)   | Lv.1 (Low)        | Lv.1 (Low)
    TLP:RED               | Lv.4 (Critical)    | Lv.4 (Critical)      | Lv.4 (Critical) | Lv.3 (High)       | Lv.3 (High)
    TLP:AMBER             | Lv.3 (High)        | Lv.3 (High)          | Lv.3 (High)     | Lv.2 (Medium)     | Lv.2 (Medium)
    TLP:GREEN             | Lv.2 (Medium)      | Lv.2 (Medium)        | Lv.2 (Medium)   | Lv.1 (Low)        | Lv.1 (Low)
  14. Cyber Incident Response Phases
    • Pre-Incident: Preparation (Operate)
      – Monitoring Solutions; SIEMs' Thresholds; User behavior verification, Correlation
    • Incident Response Operations (IRO)
      – Detection (Declare): Alert triaged as False Positive / Undetermined / True Positive; classify the incident level with SLA
      – Analysis: Undetermined alerts loop back; new findings cycle into a new investigation
      – Containment (Isolate): Lv1 & Lv2 vs. Lv3 & Lv4; escalate to the War Room (EO, PR, LA)
      – Eradication (Cleanup): refer to SWGDE
      – Recovery (Harden; Rollback if unsuccessful): refer to SWGDE; outsourcing to a qualified Forensic Lab
    • Post-Incident: Report (store the evidence & report; to the court; announcement according to contract) and Remediation
    • Metrics: Time to Detect (MTTD); Time to Investigate (MTTI); Time to Contain; Time to Mitigate; Time to Response (MTTR); Time to Resolve (MTTR); Time to Exposure
  15. War Room roles (Role/Group: Description. Required)
    • Director: Directs the various teams. Required: EO Level
    • Public Relations Consultant: Handles news interviews and releases required for the incident. Required: Crisis PR
    • Legal Consultant: Provides consultation on legal issues and clarification of legal regulations. Required: Legal Expert
    • Affected Constituency: Risk manager of the affected business units/lines. Required: Risk Mgr.
    • 3rd Party Forensics Experts: Outsourced incident investigation/digital forensics experts who take charge of providing professional techniques and suggestions for the incident. Required: Forensics Certified Investigator
    • (role not named on the slide): Does the matchmaking to ensure smooth communication between the incident response team and external consultants. Required: SOC Tier-3
    • Infrastructure Support: Helps to block attack traffic, isolate the victim machines, collect evidence, and provide reserve machines for replacement. Required: IT Professionals
    • Access Control: Handles the access control of evidence in the forensics lab and takes the meeting minutes. Required: -
  16. (Cyber Defense Matrix from slide 9, repeated with the MSSP-covered area marked)
  17. (Cyber Defense Matrix from slide 9, repeated with the MSSP-covered area marked)
  18. (Cyber Incident Response Phases from slide 14, repeated with the MSSP-covered area marked)
  19. (Cyber Incident Response Phases from slide 14, repeated with the MSSP-covered area marked)
  20. (image-only slide)

  21. FIRST (SIM3)
    • For better communication and coordination between teams.
    • Has a low required level set in the Security Incident Management Maturity Model
    ISO 27001
    • ISO 27001 Annex A has 114 controls; ISO 27002 provides the implementation details for ISO 27001 Annex A
    ISO 27001+ (e.g. TISAX, TARA)
    • CIS Controls have 18 categories, and each of the 18 categories is handled with the IPDRR approach (Identify, Prevent, Detect, Response, Recover)
    • NIST 800-53 R5 raises this to 20 control families; CMMC Lv3 (Cybersecurity Maturity Model Certification) certification scheme
    • Specifies the detailed items of the implementation guidance more precisely (e.g. the Application Log must include "user login records", and the report must be reviewed periodically by the person in charge)
    NIST-800-53
    • NIST 800-53B is the implementation baseline; it lists 287 controls for Moderate Impact
    • JS ISMAP further subdivides these into 1416 controls
    • Common Criteria Certification EAL4+ can be pursued (the highest commercial level; military use is Common Criteria EAL5)
  22. Security Incident Management Maturity Model
    • CSIRT Maturity is an indication of how well a team governs, documents, performs and measures their function. The maturity of a CSIRT is measured with the Security Incident Management Maturity Model, also called SIM3.
    • Maturity Quadrants
      – O-Organization
      – H-Human
      – T-Tool
      – P-Process
    • Maturity Parameters
    • Maturity Level
      – 0 = not available / undefined / unaware
      – 1 = implicit (known/considered but not written down, "between the ears")
      – 2 = explicit, internal (written down but not formalized in any way)
      – 3 = explicit, formalized on authority of CSIRT head (rubberstamped or published)
      – 4 = explicit, audited on authority of governance levels above the CSIRT head (subject to control process/audit/enforcement)
    Credit: https://opencsirt.org/csirt-maturity/sim3-online-tool/
  23. SIM3 parameters with the maturity level assigned to each
    O – "Organization" Parameters
    • O-1 MANDATE. Description: The PSIRT's assignment as derived from upper management. Level: 3
    • O-2 CONSTITUENCY. Description: Who the PSIRT functions are aimed at, the "clients" of the CSIRT. Level: 3
    • O-3 AUTHORITY. Description: What the PSIRT can do towards their constituency in order to accomplish their role. Level: 3
    • O-4 RESPONSIBILITY. Description: What the PSIRT is expected to do towards their constituency in order to accomplish their role. Level: 3
    • O-5 SERVICE DESCRIPTION. Description: Describes what the PSIRT service is and how to reach it. Minimum requirement: Contains the PSIRT contact information, service windows, concise description of the PSIRT services offered and the PSIRT's policy on information handling and disclosure. Level: 3
    • O-10 ORGANIZATIONAL FRAMEWORK. Description: Fits O-1 to O-9 together in a coherent framework document serving as the controlling document for the PSIRT. Minimum requirement: Describes the PSIRT's mission and parameters O-1 to O-9. Note: for FIRST application, change "O-1 to O-9" into "O-1 to O-5". Level: 3
    H – "Human" Parameters
    • H-1 CODE OF CONDUCT / PRACTICE / ETHICS. Description: A set of rules or guidelines for the PSIRT members on how to behave professionally, potentially also outside work. Clarification: E.g. the FIRST Code of Ethics. Behavior outside work is relevant, because it can be expected of CSIRT members that they behave responsibly in private as well where computers and security are concerned. Level: 2
    • H-2 PERSONNEL RESILIENCE. Description: How PSIRT staffing is ensured during illness, holidays, people leaving, etc. Minimum requirement: three (part-time or full-time) PSIRT members. Level: 2
    • H-7 EXTERNAL NETWORKING. Description: Going out and meeting other CSIRTs. Contributing to the CSIRT/PSIRT system when feasible. Level: 2
    P – "Processes" Parameters
    • P-1 ESCALATION TO GOVERNANCE LEVEL. Description: Process of escalation to upper management for PSIRTs who are a part of the same host organization as their constituency. For external constituencies: escalation to governance levels of constituents. Level: 3
    • P-11 SECURE INFORMATION HANDLING PROCESS. Description: Describes how the PSIRT handles confidential incident reports and/or information. Also has bearing on local legal requirements. Clarification: it is advised that this process explicitly supports the use of TLP, the Traffic Light Protocol. Level: 2
  24. (Cyber Defense Matrix with Vulnerability Test, Penetration Test, Red Team and Forensics placed on it; credit: DEVCORE)
  25. (image-only slide)

  26. Red Team assessment planning
    • Scope
      – Define the battlefield of the drill; there might be several network segments that are extremely sensitive, beyond control, or have known issues, and that would waste the assessment (e.g. subsidiary, branch)
    • Scenario
      – There might be several phases in a Red Team assessment according to MITRE ATT&CK (e.g. Initial Access, Persistence, Escalation, Lateral Movement)
      – Set the goals (TTPs), the time frame of each phase, and the start point
    • Targets
      – Critical Systems/Machines
      – Critical Accounts
      – Sensitive confidential Data
  27. (image-only slide)

  28. Forensic investigation process
    Phases: Initial assessment; Prepare a detailed design; Determination of the required resources; Identify the risk involved; Investigate the data recovered; Completion of case report; Critique the case
    Considerations, in slide order:
    • Situation of the case
    • Nature of the case
    • Specifics about the case
    • Type of evidence
    • Operating system used by the suspect
    • Known disk format
    • Location of evidence
    • The motive of the suspect
    • Have skilled professionals
    • Workstation and data recovery lab
    • Alliance with a local District Attorney
    • Define the methodology
    • Document the hardware configuration of the system
    • Document the system date and time
    • Document file names, dates, and times
    • Document all findings
    • Good understanding of the technical, legal, and evidentiary aspects of computers and networks
    • Proper methodology
    • Steps for collecting and preserving the evidence
    • Steps for performing forensic analysis
    • To carry out an investigation a search warrant from a court is required
    • Find the evidence
    • Discover the relevant data
    • Prepare an Order of Volatility
    • Eradicate external avenues of alteration
    • Gather the evidence
    • Prepare chain of custody
    • Data-recovery lab
    • Computer-forensic workstation
    • Record all the steps (camera record & screen record)
    • Include what was done and the results in the final report
    • The steps can be repeated and the results obtained are the same every time
    • Explain the computer and network processes
    • Explanations should be provided for the various processes and the inner workings of the system and its various interrelated components
  29. Forensic laboratory standards
    • ISO/IEC 17025:2023, General Requirements for the Competence of Testing and Calibration Laboratories.
    • ISO/IEC 17020 covers the activities of inspection bodies whose work can include the examination of materials, products, installations, plants, processes, work procedures or services, and the determination of their conformity with requirements and the subsequent reporting of results of these activities to clients and, when required, to authorities.
    • ASCLD/LAB-International Supplemental Requirements for the Accreditation of Forensic Science Testing and Calibration Laboratories, published by the American Society of Crime Laboratory Directors (ASCLD), corresponds to ISO/IEC 17025.
    • Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in digital and multimedia evidence.
  30. Service Principal Name (SPN)
    • A service principal name (SPN) is a unique identifier of a service instance.
    • SPNs are used by Kerberos authentication to associate a service instance with a service logon account.
    • This allows a client application to request that the service authenticate an account even if the client has no permission to use that service: the KDC will still respond with a TGS for the request and leaves it to the service to judge the usage permission.
  31. Kerberos authentication flow (User: waza/ 1234)
    • LSASS derives the Kerberos keys from the user's password:
      – des_cbc_md5: f8fd987fa7153185
      – rc4_hmac_nt (NTLM/md4): cc36cf7a8514893efccd332446158b1a
      – aes128_hmac: 8451bb37aa6d7ce3d2a5c2d24d317af3
      – aes256_hmac: 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b
    • Exchange with the Key Distribution Center (KDC): 1. AS-REQ -> 2. AS-REP (TGT) -> 3. TGS-REQ -> 4. TGS-REP (TGS) -> 5. Usage at the Service
  32. Kerberoasting
    • Step 1: Get SPN (or add SPN) & TGT
    • Step 2: TGS-REQ
    • Step 3: TGS-REP (get a Kerberos ticket encrypted with the service password hash)
    • Step 4: Brute force to recover the service password (Service Secret)
    Diagram: the hacker asks the Key Distribution Center (KDC) for SPNs (1. Get SPNs -> 2. SPN list), then uses the TGT to send 3. TGS-REQ(A), TGS-REQ(B), TGS-REQ(C) and receives 4. TGS-REP(A), TGS-REP(B), TGS-REP(C).
    TGS-REP contents: Client Name; Service Ticket (TGS) = {Service Principal, Time Stamp, Service Session Key} encrypted with the Service Hash; and {Service Principal, Time Stamp, Service Session Key} encrypted with the TGS Session Key.
  33. Roasting Cost
    • Hashes = 95^8 (8-character password over 95 printable characters)
    • GH_per_NTD = 36 (Hashcat with Tesla T4: 36 GH/s) * 10^9 (hashes per GH) * 60^2 (sec per hour) / 0.35 (GCP Tesla T4, USD/hr) / 27.79 (NTD per USD)
    • Hashes / GH_per_NTD ~= 498 NTD
  34. Mitigation
    • Use Managed Service Accounts
    • Audit Event ID 4769 with TicketEncryptionType = 0x17, 0x18
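As an added example (not from the deck), the audit rule above turned into a detection pass over constructed event 4769 records: it flags service tickets issued under RC4 (0x17/0x18) and the one-account-many-SPNs burst drawn on slide 32. Field names follow the 4769 event data schema; the sample records, the 60-second window and the three-SPN threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in event 4769. 0x17/0x18 are RC4
# (keys derived from the NT hash); 0x11/0x12 are the AES types.
RC4_ETYPES = {0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

# Constructed sample records (not real logs). Keys follow the 4769 event
# data fields TargetUserName / ServiceName / TicketEncryptionType / IpAddress.
SAMPLE_4769 = [
    # alice: ordinary AES256 service-ticket requests
    {"TimeCreated": "2024-05-15T09:00:01", "TargetUserName": "alice@TEST.COM",
     "ServiceName": "HTTP/web01.test.com", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.21"},
    {"TimeCreated": "2024-05-15T09:05:40", "TargetUserName": "alice@TEST.COM",
     "ServiceName": "cifs/fs01.test.com", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.21"},
    # carol: a single RC4 ticket for one legacy service, not a burst
    {"TimeCreated": "2024-05-15T09:10:00", "TargetUserName": "carol@TEST.COM",
     "ServiceName": "MSSQLSvc/legacy01.test.com:1433", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.33"},
    # bob: RC4 tickets for three different SPNs within 20 seconds
    {"TimeCreated": "2024-05-15T09:30:00", "TargetUserName": "bob@TEST.COM",
     "ServiceName": "MSSQLSvc/db01.test.com:1433", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77"},
    {"TimeCreated": "2024-05-15T09:30:08", "TargetUserName": "bob@TEST.COM",
     "ServiceName": "HTTP/sharepoint.test.com", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77"},
    {"TimeCreated": "2024-05-15T09:30:19", "TargetUserName": "bob@TEST.COM",
     "ServiceName": "svc_backup/bk01.test.com", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77"},
]


def parse_4769(record):
    """Normalise one 4769 record: ISO timestamp -> datetime, hex etype -> int."""
    return {
        "time": datetime.fromisoformat(record["TimeCreated"]),
        "user": record["TargetUserName"],
        "spn": record["ServiceName"],
        "etype": int(record["TicketEncryptionType"], 16),
        "ip": record["IpAddress"],
    }


def rc4_ticket_requests(records):
    """Every TGS issued under an RC4 key; such tickets can be cracked offline."""
    hits = []
    for ev in map(parse_4769, records):
        if ev["etype"] in RC4_ETYPES:
            hits.append({**ev, "etype_name": RC4_ETYPES[ev["etype"]]})
    return hits


def roasting_bursts(records, window=timedelta(seconds=60), min_spns=3):
    """One account (per source IP) obtaining RC4 tickets for at least
    min_spns distinct SPNs inside a sliding window: the enumerate-then-
    request-everything pattern, as opposed to a lone legacy service."""
    by_actor = defaultdict(list)
    for ev in rc4_ticket_requests(records):
        by_actor[(ev["user"], ev["ip"])].append(ev)
    findings = []
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            spns = {e["spn"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(spns) >= min_spns:
                findings.append({"user": user, "ip": ip, "start": first["time"],
                                 "distinct_spns": sorted(spns)})
                break  # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    for f in roasting_bursts(SAMPLE_4769):
        print(f"possible Kerberoasting: {f['user']} from {f['ip']} at "
              f"{f['start']} -> {f['distinct_spns']}")
```

Carol's single RC4 ticket still appears in the RC4 inventory, which is the list to work through when retiring RC4 from service accounts, while only bob's burst is raised as a roasting finding.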
  35. Lock down Service Accounts
    • Service accounts are those accounts that run an executable, task or service, perform AD authentication, etc.
      – Use long, strong passwords
      – Give access to only what is needed
      – Try to avoid granting local administrator rights
      – Do not put them in Domain Admins
      – Deny logon locally
      – Deny logon as a batch job
      – Require vendors to make their software work without domain admin rights
  36. standalone Managed Service Account (sMSA) & group Managed Service Account (gMSA)
    • An sMSA/gMSA is a managed domain account that provides automatic password management (240 bytes, which is 120 characters, and cryptographically random), SPN management and the ability to delegate the management to other administrators.
    • MSA was introduced in Windows Server 2008 R2 and Windows 7.
    • Who can access the MSA to manage the SPN becomes important.
  37. (Kerberos authentication flow diagram from slide 31, repeated)
  38. (Kerberos authentication flow diagram from slide 31, repeated)
  39. Public key infrastructure
    • A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
    • The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.
  40. Active Directory Certificate Services (AD CS)
    • AD CS provides customizable services for issuing and managing digital certificates used in software security systems that employ public key technologies.
    • Digital certificates are used to provide:
      – Confidentiality through encryption
      – Integrity through digital signatures
      – Authentication by associating certificate keys with computer, user, or device accounts on a computer network
  41. Certified Pre-Owned: AD CS escalation paths
    • ESC1 - Template allows the requester to set the SAN
    • ESC2 - Any Purpose EKU
    • ESC3 - Enrollment Agent allows a principal to enroll on behalf of another user
    • ESC4 - Misconfigured template ACL leads to another ESC
    • ESC5 - Misconfiguration of PKI objects leads to AD CS compromise
    • ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 allows any user to define the SAN
    • ESC7 - Misconfiguration of the AD CS CA ACL
    • ESC8 - NTLM relay to AD CS HTTP endpoints
    • ESC9 - No security extension
    • ESC10 - Weak certificate mappings
    • ESC11 - Relaying to AD Certificate Services over RPC
    • ESC12 - Shell access to the AD CS CA with YubiHSM
    • ESC13 - Microsoft AMA abuse
  42. Credential dump mitigations
    • Disable Local Admin
    • Enable Local Admin Password Solution
    • Disable Debug Program
    • Disable WDigest
    • Lessen Credential Caching
    • Enable LSA Protection
    • Enable Restricted Admin Mode
    • Leverage Protected Users Group
  43. Enable Local Admin Password Solution (LAPS)
    • LAPS is a Microsoft tool that manages the local account password of domain-joined computers. It sets a unique password for every local administrator account and stores it in Active Directory for easy access.
    • LAPS automatically renews the password regularly.
    • Just like other solutions such as MSA (discussed later), who has the privilege to access and read the password matters; this should be monitored, with notifications set up.
    Diagram: AdmPwd.dll on the managed machine, through the GPO framework, writes the Admin Password and Pwd Expiration attributes of the computer account in Active Directory.
  44. Disable Debug Program
    • The "Debug programs" privilege gives a user (Administrators by default) access to LSASS memory; disabling this privilege and monitoring changes to it helps prevent credential dumping.
  45. Lessen Credential Caching
    • If the domain controller is unavailable, Windows checks the most recently cached password hashes in order to authenticate the user to the system.
    • To minimize the cache amount, set secpol.msc -> Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 0, or a number that is acceptable.
    • By default, only SYSTEM can access HKEY_LOCAL_MACHINE\Security, but a hacker with Administrator privilege can still add permissions to the registry key.
  46. Credential/Device/App Guard
    • New feature of Windows 10 Enterprise (Windows Server 2016)
    • Combines Secure Boot, LSA Credential Guard with UEFI lock, and hypervisor-based virtualization as a security feature (VBS)
    • The LSA in the host OS is a proxy instance that simply communicates with the isolated one
    • Switches all important services to VSM to secure their integrity
    • Configurable Code Integrity (CCI) checks that code is signed before it runs (e.g. .ps1, .bat)
    • Kernel-mode code integrity
    • Secure Boot enforces EV signatures on firmware and boot-loader code.
    Credit: techcommunity.microsoft
  47. Credential/Device/App Guard (cont.)
    • CCI is an enhanced version of AppLocker; it can block malicious script files, direct execution of malicious scripts, and malicious applications not on the whitelist.
    • LSA, firmware, boot-loader code and kernel code are also secured.
    • CVE-2018-8216 still shows that Device Guard might be vulnerable under a targeted attack: this CVE allows an attacker to inject a payload into a script that CCI trusts.
    https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419
  48. Privileged Access Workstation (PAW) or Secure Admin Workstation (SAW)
    • A PAW or SAW is a dedicated operating system used to securely access privileged resources, similar to a jump server.
    • A PAW is a workstation dedicated solely to accessing sensitive tasks and information. These devices are typically locked down and therefore insulated from web-based attacks and other threat vectors.
  49. (Privileged access diagram with these elements: DC01.test.com running Active Directory; paw.test.com on Windows Server with Device Guard, Credential Guard and App Guard; Hacker; Firewall; Air Gap; RDP Gateway with 2FA; Restricted Admin RDP)
  50. Credential Guard compatibility
    • Devices that use 802.1x wireless or wired networks, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
    • Kerberos unconstrained delegation
    • Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman
    • MS-CHAP
    • WDigest
    • NTLM v1