Credentials theft and lateral movement

Credential theft plays a major part in any attack. EPM's advanced credential theft protection capabilities help organizations detect and block attempted theft of Windows credentials, as well as credentials stored by popular web browsers and file-cache credential stores.

  • This is only applicable for Windows endpoints.
  • Privilege Threat Protection is not available for Immediate Enforcement Agents.

Overview

EPM's Threat Protection policies guard against theft of the passwords that the operating system and applications retain on the endpoint; these passwords are often identical or similar to the users' corporate passwords. Attackers can steal them without needing administrator privileges, giving them an easy path to lateral movement.

Microsoft Windows retains passwords and credentials in many locations. These are used to assist the user, especially in Single Sign-On (SSO) scenarios, where users authenticate once and then access a range of services without re-authenticating. These Threat Protection policies protect these key Windows assets against attacks, stopping attackers from escalating privileges and moving laterally through the environment.

For more details, see Detect a Potential Security Threat.

Policies

The remote access and IT applications protected by the Threat Protection policies are those used by IT personnel to manage the critical infrastructure of an organization, such as WinSCP and mRemoteNG. These applications save the credentials of these privileged users, who can run code remotely and connect almost everywhere in the organization. Attackers use password stealing malware to access these credentials, giving them privileged access to the most sensitive parts of the organization.

The Threat Protection policies are managed in the following groups:

  • Agent Safe Protection: Policies that protect the EPM agent's operations and integrity.

  • Browsers stored credentials theft: Policies that protect browsers' auto-fill credentials saved by the user.

  • IT application credentials theft: Policies that protect credentials stored in the most common IT applications.

  • Remote access applications credential theft: Policies that protect credentials for remote systems, stored by commonly used remote access applications.

  • Suspicious actions: Policies that protect against suspicious actions. These actions are likely to occur during an attack, but they do not necessarily indicate one.

  • Windows Credentials Harvesting: Policies that protect operating system credentials, including both local and domain credentials.

Threat detection rules

The following table lists some of the rules that EPM deploys to protect Microsoft assets. For each rule, "Protects" lists the endpoints on which the rule applies:

LSASS Credentials Harvesting

Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It retains users' credentials in memory, both as hashes and in clear text, and is a main attack point.

Protects: All workstations and servers

SAM Hash Harvesting

The Security Account Manager (SAM) stores users' passwords. It can be used to authenticate local and remote users. Credentials are saved in SAM as NTLM hashes, which can be cracked quickly on modern hardware.

Protects: All workstations and servers

Domain Credential Theft From Local Cache

The Domain Credentials Cache (msvcachedv2) contains hashes of domain users' credentials. It is used to validate domain users who log in from outside their organization's network, when no domain controller is reachable.

Protects: All workstations and servers

Credential Theft From Service Account

Services can be executed with different permissions, using different user accounts. To enable a service to start even when its user is not logged in, the credentials are stored on the machine. An attacker can use these credentials to run malicious code with the service user's permissions.

Some Microsoft services contain domain user credentials. Attackers can harvest encrypted service credentials from the Local Security Authority (LSA) Secrets registry hive and inject them into a new malicious service to achieve lateral movement and full domain compromise. For more information, see https://www.cyberark.com/blog/cyberark-labs-research-stealing-service-credentials-achieve-full-domain-compromise/.

Protects: All workstations and servers

Agent Safe Protection

Windows Safe Mode is built into all Windows operating systems, on both PCs and servers. In Windows 10, Safe Mode turns off Microsoft's Virtual Secure Mode (VSM). Attackers can remotely activate Safe Mode to bypass and manipulate endpoint security measures, achieve lateral movement, and steal credentials.

For more information, see https://www.cyberark.com/blog/cyberark-labs-from-safe-mode-to-domain-compromise/.

Protects: All workstations and servers

Credential Theft From Windows Credential Manager

Windows Credential Manager allows users to save their login information for websites (Internet Explorer and Edge browsers), connected applications, and networks. Attackers can easily fetch the users' credentials by using undocumented Windows APIs.

Protects: All workstations and servers

Credential Theft From Active Directory Database (NTDS.DIT)

The Microsoft Active Directory Data Store (NTDS.dit) contains the database files and processes that store and manage directory information for users, services, and applications. An attacker can steal the krbtgt account's credentials, which is a preliminary step to the Golden Ticket attack, and harvest all the organization's user hashes to execute pass-the-hash attacks and lateral movement in the organization's network.

Protects: Servers (domain controllers)

Local Security Authority (LSA) Secrets Harvesting

LSA Secrets is a special protected storage for important data used by the Local Security Authority (LSA) on Windows. The secrets can contain user passwords, service account passwords, RAS connection passwords, user encryption keys, and more, all of which are valuable to attackers.

Protects: All workstations and servers

Pass The Hash Attack

Password hashes are equivalent to clear-text passwords: an attacker who obtains a password hash can use it to gain access to a system without knowing the actual password. This type of attack is known as Pass the Hash.

Protects: All workstations and servers

Crypto RSA Machine Keys Harvesting

RSA is an asymmetric encryption algorithm. The private key can be used for authentication, encryption, and signing, and for symmetric key exchange when establishing an SSL/TLS session. Stolen private keys can be used for a variety of post-exploitation attacks, such as forging authentication tokens from any identity management solution that stores its key in the Windows private key store.

For more information about Golden SAML attacks, see https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/.

Protects: Servers only (identity management solutions such as ADFS and Okta)

Kerberos Ticket Hash Harvesting

Kerberos tickets are the authentication objects used in a domain environment. Pass the Ticket is a method of authenticating to a system using a Kerberos ticket without having access to the account's password. In this attack, a valid Kerberos ticket is obtained and injected into the memory of the attacker's session.

Protects: All workstations and servers

Total Commander Credentials Theft

Total Commander is a popular file manager for Windows that can also manage FTP connections. Users can store their FTP server passwords locally using Total Commander, exposing their credentials to potential attackers running on the machine.

Protects: All workstations and servers

PuTTY Credentials Theft

PuTTY is a popular SSH client for Windows. The application stores private SSH keys that can be used as credentials to remote servers. In addition, PuTTY lets you store passwords for proxy servers locally. Storing private SSH keys or proxy passwords leaves user credentials exposed to attackers.

Requires PuTTY version 0.7 or later.

Protects: All workstations and servers

Okta AD Agent Tamper Protection

Okta is an identity management solution that provides a single sign-on experience. It enables users to log in once to Okta's server and then log in to many other applications without entering their credentials again. Okta has an AD Agent that manages the connection from an Active Directory environment. The agent stores a token to the domain that can be abused by an attacker to steal user credentials from the domain. EPM protects this token and the agent's private key (using the Crypto RSA Machine Keys Harvesting rule) from being stolen, the AD Agent from being manipulated, and the authentication process from being tampered with.

Protects: Okta AD Agent servers

Git Credentials Theft

Git is a version-control system for tracking changes in source code during software development. Users can store their Git server credentials locally, exposing the credentials to potential attackers.

Requires the official and signed Git tool.

Protects: All workstations and servers

DbVisualizer Credentials Theft

DbVisualizer is a database management and analysis tool for all major databases. The application stores database credentials locally, exposing the credentials to potential attackers running on the machine.

Protects: All workstations and servers

Credential Theft from WinLogon Automation

WinLogon Automation is a Windows feature that allows automatic login when the computer starts. Windows stores the password in clear text, which makes it easy to exploit.

Protects: All workstations and servers

Composer Credentials Theft

Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on, and it manages them for you. The application stores database credentials locally, exposing them to potential attackers running on the machine.

Protects: All workstations and servers

TortoiseSVN Credentials Theft

TortoiseSVN is a popular version-control (Subversion) client. Users can store their SVN server credentials locally, exposing their credentials to potential attackers.

Protects: All workstations and servers

VMware Workstation Credential Theft

VMware Workstation is a hosted hypervisor that runs on Windows systems. It enables users to set up virtual machines on a single physical machine and use them simultaneously alongside the host machine. VMware Workstation also enables users to connect to a remote server that hosts virtual machines. This rule protects your system against harvesting of any credentials stored for these servers.

Protects: Workstations

OpenVPN

OpenVPN is a common VPN client for Windows. Users can choose to store their server credentials locally, thus exposing the credentials to potential attackers running on the machine.

KeePass

KeePass is a common open-source password manager. It allows users to store and manage all of their passwords in one location. The password database is stored locally on the machine, which can expose all of the credentials stored in this database to potential attackers running on the machine.

Suspicious Request to set "Always Install Elevated" mode

AlwaysInstallElevated is a setting that enables all users (especially low-privileged users) on Windows machines to run any MSI file with elevated privileges. MSI is the Microsoft installer package file format, used for installing, storing, and removing programs. This option is equivalent to granting full administrative rights, which poses a serious security risk. CyberArk strongly discourages the use of this setting and, by default, this option is turned off. This rule protects your system by preventing this option from being changed by malicious activity.

Protects: All workstations and servers

Azure CLI Credentials Theft (beta)

The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is designed to get you working quickly with Azure, and it stores an authentication token that can be extracted and exploited by an attacker. This rule protects against token harvesting from Azure CLI applications.

Protects: All workstations and servers

Credential Theft from SolarWinds Orion (beta)

SolarWinds Orion is an infrastructure monitoring and management platform. The application stores credentials for remote access and for services such as AWS and Azure, exposing the credentials to potential attackers running on the machine. EPM protects against credential harvesting from the SolarWinds Orion application.

Protects: Servers with SolarWinds Orion installed

Duo Integration Secrets Dump (beta)

Duo MFA is a two-factor authentication solution for both administrators and users that integrates with many applications, such as Windows device login and Outlook on the web (OWA). The application stores a secret key that can be abused by an attacker to bypass MFA. EPM protects this secret key from being stolen and the authentication process from being tampered with.

Protects: All workstations and servers with Duo MFA integration
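Several of the rules above (LSASS Credentials Harvesting, Domain Credential Theft From Local Cache, Credential Theft from WinLogon Automation, and the "Always Install Elevated" rule) concern credential stores and settings that a defender can also audit directly. The following read-only PowerShell script is an added example written for this page; it is not part of the EPM product or its documentation. The registry paths and value names it reads are documented Windows settings; the threshold of four cached domain logons is an assumption of this script (taken from the CIS benchmark recommendation), and the severity wording is the script's own. It reports findings only and modifies nothing.

```powershell
# Added example, not part of the CyberArk EPM documentation or product: a read-only
# audit of four Windows settings related to rules described above. Registry paths
# and value names are documented Windows settings; the threshold of 4 cached logons
# is this script's own assumption. Nothing is modified.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable exception
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Test-CredentialStoreHygiene {
    param([int]$MaxCachedLogons = 4)   # assumed threshold (CIS recommends 4 or fewer)
    $findings = @()
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # LSASS Credentials Harvesting: RunAsPPL = 1 or 2 runs LSA as a protected process,
    # which prevents ordinary user-mode code (even elevated) from reading its memory.
    $ppl = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    if (-not $ppl) {
        $findings += [pscustomobject]@{
            Check = 'LSA protection (RunAsPPL)'; Value = $ppl
            Finding = 'LSASS is not running as a protected process'
        }
    }

    # Domain Credential Theft From Local Cache: CachedLogonsCount (REG_SZ, default 10)
    # is the number of domain logons whose credential hashes Windows keeps locally.
    $cached = Get-RegistryValue $winlogon 'CachedLogonsCount'
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }
    if ($cachedCount -gt $MaxCachedLogons) {
        $findings += [pscustomobject]@{
            Check = 'Cached domain logons'; Value = $cachedCount
            Finding = "More than $MaxCachedLogons domain credential hashes may be cached locally"
        }
    }

    # Credential Theft from WinLogon Automation: AutoAdminLogon with a DefaultPassword
    # value keeps a clear-text password in the registry. The value itself is never printed.
    $autoLogon = Get-RegistryValue $winlogon 'AutoAdminLogon'
    $hasDefaultPassword = $null -ne (Get-RegistryValue $winlogon 'DefaultPassword')
    if ($autoLogon -eq '1' -or $hasDefaultPassword) {
        $findings += [pscustomobject]@{
            Check = 'WinLogon automatic logon'
            Value = "AutoAdminLogon=$autoLogon; DefaultPassword present=$hasDefaultPassword"
            Finding = 'Automatic logon credentials are stored in the registry'
        }
    }

    # Suspicious Request to set "Always Install Elevated" mode: the policy only takes
    # effect when BOTH the machine (HKLM) and the user (HKCU) value are 1.
    $installerKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $aieMachine = Get-RegistryValue "HKLM:\$installerKey" 'AlwaysInstallElevated'
    $aieUser    = Get-RegistryValue "HKCU:\$installerKey" 'AlwaysInstallElevated'
    if ($aieMachine -eq 1 -and $aieUser -eq 1) {
        $findings += [pscustomobject]@{
            Check = 'AlwaysInstallElevated'; Value = "HKLM=$aieMachine; HKCU=$aieUser"
            Finding = 'Any user can run MSI packages with SYSTEM privileges'
        }
    } elseif ($aieMachine -eq 1 -or $aieUser -eq 1) {
        $findings += [pscustomobject]@{
            Check = 'AlwaysInstallElevated'; Value = "HKLM=$aieMachine; HKCU=$aieUser"
            Finding = 'Setting is partially enabled; review before the second value is set'
        }
    }

    return $findings
}

# Usage: run in an elevated PowerShell session; an empty result means no finding.
Test-CredentialStoreHygiene | Format-Table -AutoSize -Wrap
```

The script reads each value through one helper so that a missing key or value is reported as "not set" rather than aborting the audit, and it deliberately never outputs the contents of DefaultPassword, only whether it exists. On a fleet, the same function can be run through your remoting tooling and the returned objects exported, giving a baseline to compare against the Block/Detect events EPM raises for these rules.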

Policy group summary

The grid in the Privilege Threat Protection page displays an at-a-glance overview of the Threat Protection policies. By default, the policy group names are displayed, and you can see the status of the policies in each group and the computers where the policies are applied.

  • Status: The status of the policies in each group, indicating whether the policies are set to Block, Detect, or Off. Expand a group to view the settings for each policy.

  • Computers: The computers where the policies apply. Expand a group to view the computers where a specific policy is applied.

  • Last modified: The date when the policy was last modified. This is only displayed for specific policies, not in the policy group summary.

  • Agent version: The first EPM version that supports this policy. This is only displayed for specific policies, not in the policy group summary.

View policy details

The policy details pane displays an at-a-glance view of policy properties, targets, and excluded applications.

  • Expand a policy group and click a specific policy; the Details pane slides over the Privilege Threat Protection grid.

Edit a policy

You can edit a policy directly from the Privilege Threat Protection page or from the Policy overview.

  1. Click to display the pop-up menu, then select Edit to display the Edit policy page.

  2. In Policy options, set the following:

    • Status: Whether the policy is set to Detect or Block, or not activated.

    • End user notification: The type of end user notification that is displayed to end users, if any.

  3. In Policy targets, set the following:

    • Apply policy to: Targets to which the policy is applied. This includes specific computers, Active Directory security groups, and OS users and groups.

    • Exclude policy from: Targets from which the policy is excluded. This includes specific computers and Active Directory security groups.

  4. In Excluded applications, click Exclude from policy and specify the application to exclude from the policy:

    • File name: The name of the application file to exclude from the policy.

    • Location: The location of the application to exclude.

    • Publisher: The name of the publisher who certified the application.

Activate/deactivate a policy

You can activate or deactivate a policy directly from the Privilege Threat Protection page or from the Policy overview.

  • Click to display the pop-up menu, then set the policy to Block or Detect, or deactivate it.

Summary status

In the Console's Summary page, you can review the status of the Threat Protection policies in your Set.

The summary status shows:

  • The number of endpoints that do and don't support Threat Detection

  • The number of Threat Protection policies that are inactive, in Block mode, or in Detect mode

  • The number of protected and at-risk Windows and non-Windows credentials

Default policy

In the Default Policy page, you can set the default 'Protect against credentials theft and lateral movement' policy in one click.

For more details, see Privilege Threat Protection.