Credentials theft and lateral movement
Credential theft plays a major part in almost every attack. EPM's credential theft protection helps organizations detect and block attempted theft of Windows credentials, of credentials saved by popular web browsers, and of credentials that applications cache in files on disk.
Overview
EPM's Threat Protection policies guard the places where Windows and applications retain user passwords, which are often the same as, or similar to, the users' corporate passwords. Attackers can steal these stored passwords without needing administrator privileges, giving them an easy path to lateral movement.
Windows stores passwords and credentials in many locations. These are used to assist the user, especially in Single Sign-On (SSO) scenarios, where users authenticate once and then access a range of services without re-authenticating. The Threat Protection policies protect these key Windows credential stores against attack, stopping attackers from escalating privileges and moving laterally through the network.
For more details, see Detect a Potential Security Threat.
Policies
The remote access and IT applications protected by the Threat Protection policies are those used by IT personnel to manage the critical infrastructure of an organization, such as WinSCP and mRemoteNG. These applications save the credentials of these privileged users, who can run code remotely and connect almost everywhere in the organization. Attackers use password stealing malware to access these credentials, giving them privileged access to the most sensitive parts of the organization.
The Threat Protection policies are managed in the following groups:

| Group | Description |
|---|---|
| Agent Safe Protection | Policies that protect the EPM agent's operations and integrity |
| Browsers stored credentials theft | Policies that protect browsers' auto-fill credentials saved by the user |
| IT application credentials theft | Policies that protect credentials stored in the most common IT applications |
| Remote access applications credential theft | Policies that protect credentials for remote systems, stored by commonly used remote access applications |
| Suspicious actions | Policies that protect against suspicious actions. These actions are likely to occur during an attack, but do not necessarily indicate one |
| Windows Credentials Harvesting | Policies that protect operating system credentials, including both local and domain credentials |
Threat detection rules
The following table lists some of the rules that EPM deploys to protect Windows and application credential stores:

| Rule Name | Description | Protects |
|---|---|---|
| LSASS Credentials Harvesting | The Local Security Authority Subsystem Service (LSASS) enforces the security policy on the system: it verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It keeps users' credentials in memory, as hashes and, depending on configuration, in clear text, which makes it a primary target for credential theft. | All workstations and servers |
| SAM Hash Harvesting | The Security Account Manager (SAM) stores local users' passwords and is used to authenticate local and remote users. Credentials are stored in the SAM as unsalted NTLM hashes, which can be cracked quickly on modern hardware or used directly in pass-the-hash attacks. | All workstations and servers |
| Domain Credential Theft From Local Cache | The domain credential cache (MSCacheV2, also called DCC2) holds hashes derived from domain users' credentials. It is used to validate domain users who log on while no domain controller is reachable, for example from outside the organization's network. | All workstations and servers |
| Credential Theft From Service Account | Services can run with different permissions, as different users. So that a service can start even when that user is not logged on, the user's credentials are stored on the machine. An attacker can use these credentials to run malicious code with the service user's permissions. Some Microsoft services hold domain user credentials. Attackers can harvest encrypted service credentials from the LSA Secrets registry hive and inject them into a new malicious service to achieve lateral movement and full domain compromise. For more information, see https://www.cyberark.com/blog/cyberark-labs-research-stealing-service-credentials-achieve-full-domain-compromise/. | All workstations and servers |
| Agent Safe Protection | Windows Safe Mode is built into every Windows operating system, on both PCs and servers. In Windows 10, Safe Mode turns off Microsoft's Virtual Secure Mode (VSM). Attackers with administrator rights can configure a machine to reboot into Safe Mode, where most endpoint security tools do not run, in order to bypass and manipulate those tools, steal credentials and move laterally. For more information, see https://www.cyberark.com/blog/cyberark-labs-from-safe-mode-to-domain-compromise/. | All workstations and servers |
| Credential Theft From Windows Credential Manager | Windows Credential Manager lets users save their login information for websites (Internet Explorer and Edge browsers), connected applications, and networks. Attackers can retrieve the user's credentials with Windows APIs, including undocumented ones. | All workstations and servers |
| Credential Theft From Active Directory Database (NTDS.DIT) | The Active Directory database (NTDS.dit) stores directory information for users, services and applications, including the password hashes of every domain account. An attacker who copies it can extract the krbtgt account's hash, the prerequisite for a Golden Ticket attack, and harvest all user hashes for pass-the-hash attacks and lateral movement across the organization's network. | Servers (domain controllers) |
| Local Security Authority (LSA) Secrets Harvesting | LSA Secrets is a protected store for important data used by the Local Security Authority (LSA) on Windows. The secrets can contain user passwords, service account passwords, RAS connection passwords, user encryption keys and more, all of which are valuable to attackers. | All workstations and servers |
| Pass The Hash Attack | In NTLM authentication a password hash is equivalent to the clear-text password: an attacker who obtains the NT hash can authenticate to a system without ever knowing the password. This type of attack is known as Pass the Hash. | All workstations and servers |
| Crypto RSA Machine Keys Harvesting | RSA is an asymmetric algorithm whose private key is used for authentication, encryption and signing, and for key exchange when establishing an SSL/TLS session. Stolen private keys enable a variety of post-exploitation attacks, such as forging authentication tokens for any identity management solution that stores its signing key in the Windows private key store. For more information about Golden SAML attacks, see https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/. | Servers only (identity management solutions like ADFS and Okta) |
| Kerberos Ticket Hash Harvesting | Kerberos tickets are the authentication objects used in a domain environment. Pass the Ticket authenticates to a system with a Kerberos ticket without access to the account's password: a valid ticket is obtained and injected into the memory of the attacker's session. | All workstations and servers |
| Total Commander Credentials Theft | Total Commander is a popular file manager for Windows that can also manage FTP connections. Users can store their FTP server passwords locally in Total Commander, exposing those credentials to attackers running on the machine. | All workstations and servers |
| PuTTY Credentials Theft | PuTTY is a popular SSH client for Windows. It stores private SSH keys that serve as credentials to remote servers and, in addition, lets users store proxy server passwords locally. Stored private keys or proxy passwords leave user credentials exposed to attackers. Requires PuTTY version 0.7 or later. | All workstations and servers |
| Okta AD Agent Tamper Protection | Okta is an identity management solution that provides a single sign-on experience: users log in once to Okta's server and then log in to many other applications without re-entering their credentials. Okta's AD Agent manages the connection from an Active Directory environment. The agent stores a token for the domain that an attacker can abuse to steal user credentials from the domain. EPM protects this token and the agent's private key (through the Crypto RSA Machine Keys Harvesting rule) from being stolen, the AD Agent from being manipulated, and the authentication process from being tampered with. | Okta AD Agent servers |
| Git Credentials Theft | Git is a version-control system for tracking changes in source code during software development. Users can store their Git server credentials locally, exposing those credentials to attackers. Requires the official, signed Git tool. | All workstations and servers |
| DbVisualizer Credentials Theft | DbVisualizer is a database management and analysis tool for all major databases. The application stores database credentials locally, exposing them to attackers running on the machine. | All workstations and servers |
| Credential Theft from WinLogon Automation | WinLogon automation (autologon) is a Windows feature that logs a user on automatically when the computer starts. Windows stores the autologon password in clear text in the registry, which makes it trivial to steal. | All workstations and servers |
| Composer Credentials Theft | Composer is a dependency manager for PHP: you declare the libraries your project depends on and it installs and updates them. Composer stores authentication credentials for package repositories locally, exposing them to attackers running on the machine. | All workstations and servers |
| Tortoise SVN Credentials Theft | TortoiseSVN is a widely used Subversion client. Users can store their SVN server credentials locally, exposing those credentials to attackers. | All workstations and servers |
| VMware Workstation Credential Theft | VMware Workstation is a hosted hypervisor for Windows that lets users run virtual machines on a single physical machine alongside the host. It can also connect to a remote server that hosts virtual machines. This rule protects against harvesting of the credentials stored for those servers. | Workstations |
| OpenVPN | OpenVPN is a common VPN client for Windows. Users can choose to store their server credentials locally, exposing those credentials to attackers running on the machine. |  |
| KeePass | KeePass is a common open-source password manager that lets users store and manage all of their passwords in one location. The password database is stored locally on the machine, which can expose every credential in it to attackers running on the machine. |  |
| Suspicious Request to set "Always Install Elevated" mode | AlwaysInstallElevated is a setting that lets every user of a Windows machine, including low-privileged users, run any MSI file with elevated privileges. MSI is the Microsoft installer package format used to install, store and remove programs. The setting is equivalent to granting full administrative rights and poses a massive security risk. CyberArk strongly discourages its use; it is turned off by default. This rule prevents malicious activity from changing the setting. | All workstations and servers |
|  | The Azure command-line interface (Azure CLI) is a set of commands for creating and managing Azure resources. It is designed to get you working with Azure quickly, and it stores an authentication token that an attacker can extract and exploit. This rule protects against token harvesting from Azure CLI applications. | All workstations and servers |
| Credential Theft from SolarWinds Orion (beta) | SolarWinds Orion is an infrastructure monitoring and management platform. It stores credentials for remote access and for services such as AWS and Azure, exposing them to attackers running on the machine. EPM protects against credential harvesting from the SolarWinds Orion application. | Servers with SolarWinds installed |
| Duo Integration Secrets Dump (beta) | Duo MFA is a two-factor authentication solution for administrators and users that integrates with many applications, such as Windows logon and Outlook on the web (OWA). The integration stores a secret key that an attacker can abuse to bypass MFA. EPM protects this secret key from being stolen and the authentication process from being tampered with. | All workstations and servers with a Duo MFA integration |
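The "Credential Theft from WinLogon Automation", "LSASS Credentials Harvesting" and "Suspicious Request to set 'Always Install Elevated' mode" rows all describe states that live in the registry, so a practitioner can check a host for them before relying on detection. The following Python example, added here and not EPM code, audits the text of a `reg export` dump for four weak states: AlwaysInstallElevated set in both the HKLM and HKCU policy keys (it only takes effect when both are set), an autologon password stored in clear text under Winlogon, WDigest configured to keep clear-text credentials in LSASS, and LSASS not running as a protected process (RunAsPPL). The two registry exports embedded in it are constructed for the example; the key paths and value names are the real Windows ones, and the finding labels are the example's own.

```python
"""Audit a 'reg export' dump for the weak credential-store settings the
rules above protect. Added example, not EPM code. WEAK_EXPORT and
HARDENED_EXPORT are constructed; key paths and value names are the real
Windows ones.
"""

INSTALLER = r"software\policies\microsoft\windows\installer"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WDIGEST = r"hkey_local_machine\system\currentcontrolset\control\securityproviders\wdigest"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Constructed export of a badly configured host.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kiosk-svc"
"DefaultPassword"="Kiosk#2024"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"""

# Constructed export of the same keys on a hardened host.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"""


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax that 'reg export' emits: [key] headers
    and "name"=dword:hex or "name"="string" lines. Keys and names are lower-cased
    because the registry is case-insensitive."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"').lower()
            if value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1]
    return keys


def audit_reg_export(text: str) -> list:
    """Return one label per weak state found; an empty list means none."""
    reg = parse_reg_export(text)
    get = lambda key, name: reg.get(key, {}).get(name)
    findings = []
    # AlwaysInstallElevated only takes effect when both the machine and the user policy are 1.
    if get("hkey_local_machine\\" + INSTALLER, "alwaysinstallelevated") == 1 and \
       get("hkey_current_user\\" + INSTALLER, "alwaysinstallelevated") == 1:
        findings.append("AlwaysInstallElevated: any user can run MSI packages as SYSTEM")
    # Autologon with DefaultPassword keeps the password in clear text in the registry
    # (the alternative, a DefaultPassword LSA secret, is readable from LSA Secrets instead).
    if get(WINLOGON, "autoadminlogon") == "1" and get(WINLOGON, "defaultpassword"):
        findings.append("Winlogon: clear-text autologon password in registry")
    # WDigest UseLogonCredential=1 makes LSASS keep clear-text passwords in memory.
    if get(WDIGEST, "uselogoncredential") == 1:
        findings.append("WDigest: LSASS keeps clear-text credentials")
    # Without RunAsPPL (1, or 2 on builds that support the UEFI lock), LSASS is an
    # ordinary process that any administrator can open and read.
    if not get(LSA, "runasppl"):
        findings.append("LSA: LSASS not running as a protected process (RunAsPPL)")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_reg_export(dump))
```

To run it against a real host, export the four keys with `reg export <key> <file>` and read the files with `encoding="utf-16"`, because `reg export` writes UTF-16LE with a byte-order mark. The parser deliberately handles only `dword:` and string values; other types in the dump are ignored rather than mis-read.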
Policy group summary
The grid in the Privilege Threat Protection page displays an at-a-glance overview of the Threat Protection policies. By default, the policy group names are displayed, and you can see the status of the policies in each group and the computers where the policies are applied.
| Column | Description |
|---|---|
| Status | The status of the policies in each group, indicating whether the policies are set to Block, Detect, or Off. Expand a group to view the settings for each policy. |
| Computers | The computers where the policies apply. Expand a group to view the computers where a specific policy is applied. |
| Last modified | The date when the policy was last modified. |
| Agent version | The first EPM version that supports this policy. |
View policy details
The policy details pane displays an at-a-glance view of policy properties, targets, and excluded applications.
- Expand a policy group and click a specific policy; the Details pane slides over the Privilege Threat Protection grid.
Edit a policy
You can edit a policy directly from the Privilege Threat Protection page or from the Policy overview.
- Click the policy's menu button to display the pop-up menu, then select Edit to display the Edit policy page.
- In Policy options, set the following:

| Option | Description |
|---|---|
| Status | Whether the policy is set to Detect or Block, or not activated. |
| End user notification | The type of notification displayed to end users, if any. |

- In Policy targets, set the following:

| Option | Description |
|---|---|
| Apply policy to | Targets to which the policy is applied. This includes specific computers, Active Directory security groups, and OS users and groups. |
| Exclude policy from | Targets from which the policy is excluded. This includes specific computers and Active Directory security groups. |

- In Excluded applications, click Exclude from policy and specify the application to exclude from the policy.

| Option | Description |
|---|---|
| File name | The name of the application file to exclude from the policy. |
| Location | The location of the application to exclude. |
| Publisher | The name of the publisher that signed the application. |
Activate/deactivate a policy
You can activate or deactivate a policy directly from the Privilege Threat Protection page or from the Policy overview.
- Click the policy's menu button to display the pop-up menu, then set the policy to Block or Detect, or deactivate it.
Summary status
In the Console's Summary page, you can review the status of the Threat Protection policies in your Set.
The summary status shows:
- The number of endpoints that do and don't support Threat Detection
- The number of Threat Protection policies that are inactive, in Block mode, or in Detect mode
- The number of protected and at-risk Windows and non-Windows credentials
Default policy
In the Default Policy page, you can set the default 'Protect against credentials theft and lateral movement' policy in one click.
For more details, see Privilege Threat Protection.