Highlight of the week

Microsoft Detection and Response Team (DART) wrote a big piece about the most common Active Directory issues they use to find in their engagements and recommendations on how to fix them.

Seemingly small misconfigurations but combined altogether, they are often enough to fully compromise a domain. Monitoring changes to the Active Directory and correcting it requires a continuous governance.

A summary of their recommendations:

Initial Access

Weak password policies: if you can’t deploy these measures anywhere, focus on your high privileges accounts. Use passwordless mechanisms like Windows Hello or FIDO2 keys. If it’s not possible, use long (14+ characters) but less complex passwords and don’t rotate them often. If you have the money and AAD P1, you can prevent users from using weak passwords or from a specific list.

Excessive privilege and poor credential hygiene: restrict the global admin count (even though there is no “magic number”). Grant lower privileges everywhere it’s possible and evaluate gMSA (group managed service accounts).

Insecure account configuration: identify and reconfigure accounts with the following attributes: Do not require Kerberos pre-authentication / Store password using reversible encryption / Password not required / Password stored with weak encryption.

Credentials Access

Privileged credential exposure: deploy a tiered access model, where privileged accounts access Tier 0 assets only from hardened jump hosts or workstations. Again, use the least privilege principle.

Kerberoasting: if possible, remove accounts with SPNs to prevent Kerberoasting. If not possible, monitor closely these accounts and put in place a dedicated detection & alerting logic.

Insecure delegation configuration: restrict account’s delegation to required services and disable it for admin accounts. If possible (because it adds additional protection measures and can break stuff), add the admin accounts to the “Protected Users” group.

Local Administrator Password Solution (LAPS) misconfiguration: deploy LAPS and audit who’s able to read LAPS passwords. This is controlled by the “ms-Mcs-AdmPwd” attribute.

Excessive privilege via built-in groups: audit, restrict access and alert on the well-known built-in privileged groups (full list).

Privilege Escalation

Access control list (ACL) abuse: audit and monitor ACLs (GenericAll, WriteDacl mostly) and the ones applied to the AdminSdHolder object. This can be performed by identifying attack (thus focused remediation!) paths with Bloodhound (or again Defender for Identity).

Escalation via Exchange permissions: reduce the permissions of Exchange, or better, deploy the split permissions model, or even better, turn off the on-premises Exchange servers ! BUT DON’T UNINSTALL IT…

Group Policy abuse: control the permissions assigned to create, update or link GPOs (same ‘ol Least Privilege).

Insecure trust configuration: restrict the usage of trusts to migrations. If a trust needs to remain active, implement SID Filtering and Selective Authentication.

Compromise of other Tier 0 assets: apply Tier 0 controls to all interconnected systems managing the end-to-end identity chain (ie linked to the Domain Controllers), which now includes at least Active Directory Federation Services, Azure Active Directory Connect and Active Directory Certificate Services.

A wonderful resource (and a compelling case for Least Privileges Principle ) for securing on-prem AD !

🧠 https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/total-identity-compromise-dart-lessons-on-securing-active/ba-p/3753391

Selection of the week

Virutotal released the “Crowdsourced YARA Hub” to provide a better visibility of rules’ usage.

The new repository makes it easy to find existing YARA rules. Users can filter rules based on different criteria such as when the rules were created, who authored them, number of matches and threat category (based on the top threat categories in the samples matching the rule), in addition to search rules by name, description or metadata.

📰 https://blog.virustotal.com/2023/05/actionable-threat-intel-i-crowdsourced.html

The AI Village at DEF CON 31 (Aug. 10-13 2023) will host the largest-ever public generative AI red team event, with thousands of participants testing large language models from Anthropic, Google, Hugging Face, NVIDIA, OpenAI, and Stability. The AI Village wants to highlight the risks of automating new technologies at scale, including hallucinations, jailbreaks, bias, and a drastic leap in capabilities, and will provide an opportunity for new communities to learn skills in AI by exploring its quirks and limitations.

📰 https://aivillage.org/generative red team/generative-red-team/

Trend Security Research identified a new subgroup of APT41 called Earth Longzhi and discovered in Q4 2022 targeting the Philippines, Thailand, Taiwan, and Fiji (Government, healthcare, technology, and manufacturing industries), with two campaigns identified from 2020 to 2022. Earth Longzhi improved its tactics and has deployed a fake mpclient.dll through signed Windows Defender binaries to decrease its risk of exposure. The group has also adopted various novel approaches to evade and disable security products:

1. It used Microsoft Windows RPC to create a system service instead of standard Windows APIs.
2. It terminated running security products via a vulnerable driver, zamguard64.sys, which is essentially a BYOVD attack.
3. It modified IFEO registries to restrict the execution of security products.

Trend Security provides TTPs, a MITRE ATT&CK mapping and a detailed analysis.

📝 https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html

ZeroNetworks published an open source tool called “LDAP firewall” to provide controls over LDAP operations and a better logging of requests . For example, it can block sAMAccountName spoofing attacks by blocking the combination of Name Impersonation (CVE-2021-42278) and KDC bamboozling (CVE-2021-42287).

🧰 https://github.com/zeronetworks/ldapfw

A fun read… Amazon PrimeVideo team reverted back to using a big monolith instead of microservices, and it saved them huge costs. I don’t agree with the un-nuanced point of view microservices is a zombie architecture, because it’s always the same thing: no size fits all. You need to adapt your XX (controls, operating model, development methodology…) to your context !

🗣️ https://world.hey.com/dhh/even-amazon-can-t-make-sense-of-serverless-or-microservices-59625580

A very good wrap-up on Raspberry Robin.

📝 https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html

Conclusion

I hope you enjoyed this edition (and wondered where the last 2 are…).

Have a good week!