Protect against credential theft
This topic focuses on credential theft, which plays a major part in any attack. EPM's advanced anti-credential-theft capabilities help organizations detect and block attempted theft of Windows credentials and of credentials stored by popular web browsers and file-cache credential stores.
Overview
EPM's threat protection policies guard against threats to environments that retain user passwords, which are often similar to the users' corporate passwords. Attackers can steal these passwords without needing administrator privileges, giving them an easy path to lateral movement.
Microsoft retains passwords and credentials in many locations. These assist the user, especially in Single Sign-On (SSO) situations, which allow users to authenticate once and access a range of services without re-authenticating. These Threat Protection policies protect the key assets in Microsoft environments against attacks, stopping attackers from escalating privileges and moving laterally through the system.
For more details, see Detect a potential security threat.
For details about managing, exporting, and importing existing policies, see Apply policies.
Threat protection policies
The remote access and IT applications protected by the threat protection policies are those used by IT personnel to manage the critical infrastructure of an organization, such as WinSCP and mRemoteNG. These applications save the credentials of privileged users, who can run code remotely and connect almost everywhere in the organization. Attackers use password-stealing malware to access these credentials, giving them privileged access to the most sensitive parts of the organization.
The Threat Protection policies are managed in the following groups. For details about the rules in each group, see Threat protection rules, below.
| Group | Description |
|---|---|
| Browsers stored credentials theft | Policies that protect browsers' auto-fill credentials saved by the user. |
| IT application credentials theft | Policies that protect credentials stored in the most common IT applications. |
| Remote access applications credential theft | Policies that protect credentials for remote systems, stored by commonly used remote access applications. |
| Suspicious actions | Policies that protect against suspicious actions. These actions are likely to occur during an attack, but they do not necessarily indicate one. |
| Threat Protection | Policies that protect against suspicious requests. |
| Windows Credentials Harvesting | Policies that protect operating system credentials, including both local and domain credentials. |
Threat protection rules
This section lists some of the rules that EPM deploys to protect Microsoft assets.
Browsers Stored Credentials Theft
These rules protect browsers' auto-fill credentials saved by the user.
| Rule | Description | Protects |
|---|---|---|
| Chrome Credentials Theft | The Chrome browser stores its credentials, encrypted, in a specific file. An alternative way of taking control of users' web accounts is retrieving their cookies, which are saved in a different file. Moreover, sensitive data such as credit card information stored by the browser's autofill feature can be stolen as well. | All workstations and servers with Chromium-based web browsers |
| Cookies Theft From Web Browsers (beta) | Web browsers store HTTP cookies, including authentication cookies for websites and services. These cookies can be extracted and abused by an attacker to take actions on behalf of the user and hijack the user's session. EPM protects the cookie storage of common browsers (Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, and Internet Explorer) from being stolen and abused. | All workstations and servers with common browsers (Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, and Internet Explorer) |
| Firefox Credentials Theft | The Firefox browser stores its credentials, encrypted, in a specific file. An alternative way of taking control of users' web accounts is retrieving their cookies, which are saved in a different file. Moreover, sensitive data such as credit card information stored by the browser's autofill feature can be stolen as well. | All workstations and servers with Firefox browsers |
| Memory Dump from Chromium Based Web Browsers (beta) | Web browsers keep credentials and HTTP cookies, including authentication cookies for websites and services, in their process memory. These credentials and cookies can be extracted by dumping the browser memory and then abused by an attacker to take action on behalf of the user and hijack the user's session. The EPM agent protects the memory of Chromium-based web browsers from being dumped. You can strengthen this rule by implementing five advanced policies that protect the browser memory (Chrome, Edge) from malicious credential/cookie-stealing attacks. Download these policies, then import and activate them. For details, see Import policies. | All workstations and servers with Chromium-based web browsers |
| Microsoft Internet Explorer and Edge Credentials Theft | Users' credentials under "Windows Credential Manager" are exposed to credential theft. Attackers can easily fetch the user's credentials by accessing the user registry key in which Internet Explorer and Edge store passwords as data. Credentials can be stolen by other methods as well; for instance, a native Windows DLL exports two functions that can lead to credential theft. Another way is by stealing cookies, which are almost as good as credentials. Moreover, sensitive data such as credit card information stored by the browser's autofill feature can be stolen as well. | All workstations and servers with Internet Explorer and Edge browsers |
| Opera Credentials Theft | The old Opera browser kept credentials in a single file. The new Opera browser is Chromium-based and stores its credentials, encrypted, in a specific file. An alternative way of taking control of users' web accounts is retrieving their cookies, which are saved in a different file. Moreover, sensitive data such as credit card information stored by the browser's autofill feature can be stolen as well. Because Opera is Chromium-based like Chrome, it behaves very similarly to the Chrome browser. | All workstations and servers with Opera-based browsers |
IT application credentials theft
These rules protect credentials stored in the most common IT applications.
| Rule | Description | Protects |
|---|---|---|
| AWS Access and Secret Keys Credentials Theft | Amazon Web Services (AWS) is a popular cloud computing service. The AWS application stores its credentials locally on the machine, where they can be stolen by an attacker. This rule protects against harvesting of these credentials. | All workstations and servers |
| Azure CLI Credentials Theft | The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is designed to get you working quickly with Azure, and it stores an authentication token that can be extracted and exploited by an attacker. This rule protects against token harvesting from Azure CLI applications. | All workstations and servers |
| Composer Credentials Theft | Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and manages them for you. The application stores database credentials locally, exposing them to potential attackers running on the machine. | All workstations and servers |
| Credential Theft from SolarWinds Orion | SolarWinds Orion is an infrastructure monitoring and management platform. The application stores credentials for remote access and for services such as AWS and Azure, exposing the credentials to potential attackers running on the machine. EPM protects against credential harvesting from the SolarWinds Orion application. | Servers with SolarWinds installed |
| DashLane Credentials Theft | DashLane is a password manager that stores encrypted credentials on the machine, exposing them to potential attackers. | All workstations and servers |
| DbVisualizer Credentials Theft | DbVisualizer is a database management and analysis tool for all major databases. The application stores database credentials locally, exposing the credentials to potential attackers running on the machine. | All workstations and servers |
| Duo Integration Secrets Dump | Duo MFA is a two-factor authentication solution for both administrators and users that can integrate with many applications, such as Windows device login and Outlook on the web (OWA). The application stores a secret key that can be abused by an attacker to bypass MFA. EPM protects this secret key from being stolen and the authentication process from being tampered with. | All workstations and servers with Duo MFA integration |
| FileZilla Credentials Theft | FileZilla is a free, open-source FTP client that stores the credentials used to access FTP servers locally, potentially exposing them to attackers. | All workstations and servers |
| Git Credentials Theft | Git is a version-control system for tracking changes in source code during software development. Users can store their Git server credentials locally, exposing the credentials to potential attackers. Requires the official, signed Git tool. | All workstations and servers |
| | KeePass is a common open-source password manager. It allows users to store and manage all of their passwords in one location. The password database is stored locally on the machine, which can expose all of the credentials in this database to potential attackers running on the machine. | All workstations and servers |
| Okta AD Agent Tamper Protection | Okta is an identity management solution that provides a single sign-on experience. It enables users to log in once to Okta's server and then log into many other applications without entering their credentials again. Okta has an AD Agent that manages connections from an Active Directory environment. The agent stores a token for the domain that can be abused by an attacker to steal user credentials from the domain. EPM protects this token and the agent's private key (using the Crypto RSA Machine Keys Harvesting rule) from being stolen, the AD agent from being manipulated, and the authentication process from being tampered with. | Okta AD Agent servers |
| Putty Credentials Theft | PuTTY is a popular SSH client for Windows. The application stores private SSH keys that can be used as credentials to remote servers. In addition, PuTTY enables you to store passwords for proxy servers locally. Storing the private SSH keys or proxy password leaves user credentials exposed to attackers. Requires PuTTY version 0.7 or later. | All workstations and servers |
| SQL Server Management Studio Credentials Theft | SQL Server Management Studio is a Microsoft SQL Server client. It stores the client's credentials on the machine, exposing them to potential attackers. | All workstations and servers |
| Toad For Oracle Database Client Credentials Theft | Toad for Oracle is a database administration client by Quest Software. Toad stores credentials locally on the machine, exposing them to potential attackers running on the machine. | All workstations and servers |
| Tortoise SVN Credentials Theft | TortoiseSVN is a widely used version management client. Users can store their SVN server credentials locally, exposing their credentials to potential attackers. | All workstations and servers |
| Total Commander Credentials Theft | Total Commander is a popular file manager for Windows that can also manage FTP connections. Users can store their FTP server passwords locally using Total Commander, exposing their credentials to potential attackers running on the machine. | All workstations and servers |
| VMware Workstation Credential Theft | VMware Workstation is a hosted hypervisor that runs on Windows systems and enables users to set up virtual machines on a single physical machine and use them simultaneously along with the host. VMware Workstation enables users to connect to a remote server that hosts virtual machines. This rule protects your system against harvesting of any credentials stored for these servers. | Workstations |
Remote Access Application Credentials Theft
These rules protect credentials for remote systems, stored by commonly used remote access applications.
| Rule | Description | Protects |
|---|---|---|
| CheckPoint Endpoint Security VPN Credentials Theft | CheckPoint Endpoint Security VPN is a service provided by CheckPoint to give remote users secure access. The VPN stores encrypted credentials in the registry, potentially exposing them to attackers. | All workstations and servers |
| LogMeIn Pro Credentials Theft | LogMeIn is a remote desktop control application that stores credentials in the registry, exposing them to attackers. | All workstations and servers |
| mRemoteNG Credentials Theft | mRemoteNG is a program that enables system administrators to manage remote connections to servers. It is extremely important to secure the cached credentials of this program, since they may include the most privileged accounts of an organization. | All workstations and servers |
| Open VPN Credentials Theft | OpenVPN is a common VPN client for Windows. Users can choose to store their server credentials locally, exposing the credentials to potential attackers running on the machine. | All workstations and servers |
| Remote Desktop Connection Manager Credentials Theft | Remote Desktop Connection Manager is a program by Microsoft that enables system administrators to manage remote connections to servers. It is extremely important to secure the cached credentials of this program, since they may include the most privileged accounts of an organization. | All workstations and servers |
| TeamViewer Credentials Theft | TeamViewer is a proprietary software package for remote control, desktop sharing, online meetings, web conferencing, and file transfer between computers. TeamViewer stores credentials in the registry, potentially exposing them to attackers on the machine. | All workstations and servers |
| VNC Credentials Theft | UltraVNC and RealVNC are remote control software that store credentials locally in files and in the registry, leaving them potentially exposed to attackers. | All workstations and servers |
| WinSCP Credentials Theft | WinSCP is a free, open-source FTP and SFTP client (supporting a few other protocols as well) for Windows, used for transferring files between computers. WinSCP stores credentials both in files and in the registry, exposing them to potential attackers. | All workstations and servers |
Suspicious Actions
These rules protect against suspicious actions, which could indicate that an attack is happening.
| Rule | Description | Protects |
|---|---|---|
| Suspected Path Rename of Credentials Store Locations | EPM protects certain files and registry keys from being read, modified, and so on. This rule protects against renaming of any of these protected assets. | All workstations and servers |
| Suspected Registry Dump | EPM protects certain registry paths from being read, modified, and so on. This rule protects against saving any hive or folder that contains a protected asset. | All workstations and servers |
Threat Protection
These rules protect against suspicious requests.
| Rule | Description | Protects |
|---|---|---|
| Suspicious Request To Boot In Debug Mode | When a machine is configured for Debug Mode, it may be exposed to threats at the kernel level. This rule protects against the machine being configured for this mode. | All workstations and servers |
| Suspicious Request To Boot In Safe Mode | Windows Safe Mode is built into all Windows operating systems (OS) on both PCs and servers. In Windows 10, Safe Mode turns off Microsoft's Virtual Secure Module (VSM). Attackers can remotely activate Safe Mode to bypass and manipulate endpoint security measures, achieve lateral movement, and steal credentials. For more information, see https://www.cyberark.com/blog/cyberark-labs-from-safe-mode-to-domain-compromise/. | All workstations and servers |
| Suspicious Request To Boot In Test-Signing Mode | When a machine is configured for Test Signing Mode, it may be exposed to threats at the kernel level. This rule protects against the machine being configured for this mode. | All workstations and servers |
| Suspicious Request to set "Always Install Elevated" mode | AlwaysInstallElevated is a setting that enables all users (especially low-privileged users) on Windows machines to run any MSI file with elevated privileges. MSI is a Microsoft-based installer package file format used for installing, storing, and removing programs. This option is equivalent to granting full administrative rights, which can pose a massive security risk. CyberArk strongly discourages the use of this setting and, by default, this option is turned off. This rule protects your system by preventing this option from being changed by malicious activity. | All workstations and servers |
Windows Credentials Harvesting
These rules protect operating system credentials, including both local and domain credentials.
| Rule | Description | Protects |
|---|---|---|
| Credential Theft From Active Directory Database (NTDS.DIT) | The Microsoft Active Directory Data Store (NTDS.dit) contains the database files and processes that store and manage directory information for users, services, and applications. An attacker can steal the krbtgt account, which is a preliminary step to the Golden Ticket attack, and harvest all the organization's user hashes to execute pass-the-hash attacks and lateral movement in the organization's network. | Servers (DC) |
| Credential Theft From Service Account | Services can be executed with different permissions, using different users. To enable a service to start even when the user is not logged in, the credentials are stored on the machine. An attacker can use these credentials to run malicious code with the service user's permissions. Some Microsoft services contain domain user credentials. Attackers can harvest encrypted service credentials from the Local Security Authority (LSA) Secrets registry hive and inject them into a new malicious service to achieve lateral movement and full domain compromise. For more information, see https://www.cyberark.com/blog/cyberark-labs-research-stealing-service-credentials-achieve-full-domain-compromise/. | All workstations and servers |
| Credential Theft From Windows Credential Manager | Windows Credential Manager allows users to save their login information for websites (IE and Edge browsers), connected applications, and networks. Attackers can easily fetch the users' credentials by using undocumented Windows APIs. | All workstations and servers |
| Credential Theft from WinLogon Automation | WinLogon Automation is a Windows feature that allows automatic login at startup of the computer. Windows stores the password in cleartext, which makes it easy to exploit. | All workstations and servers |
| Crypto RSA Machine Keys Harvesting | RSA is an asymmetric encryption algorithm. The private key can be used for authentication, encryption, and signing, and for symmetric key exchange during establishment of an SSL/TLS session. Stolen private keys can be used for a variety of post-exploitation attacks, such as stealing authentication tokens from any identity management solution that stores its key in the Windows private key store. For more information about Golden SAML attacks, see https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/. | Servers only (identity management solutions like ADFS and Okta) |
| Domain Credential Theft From Local Cache | The Domain Credentials Cache (msvcachedv2) contains hashes of domain users' credentials. It is used to validate domain users who log in from outside their organization's network. | All workstations and servers |
| Local Security Authority (LSA) Secrets Harvesting | LSA Secrets is a special protected storage for important data used by the Local Security Authority (LSA) on Windows. The secrets can contain user passwords, service account passwords, RAS connection passwords, user encryption keys, and more, all of which are valuable to attackers. | All workstations and servers |
| LSASS Credentials Harvesting | The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It retains users' credentials in memory, both as hashes and in clear text, and is a main attack point. | All workstations and servers |
| Pass The Hash Attack | Password hashes are equivalent to clear-text passwords. An attacker who obtains a password hash can use it to gain access to a system without knowing the actual password. This type of attack is known as Pass The Hash. | All workstations and servers |
| Pass The Ticket Attack | Kerberos tickets are the authentication objects used in a domain environment. 'Pass the ticket' is a method of authenticating to a system using a Kerberos ticket without having access to the account's password. In this attack, a valid Kerberos ticket is obtained and injected into the memory of the attacker's session. | All workstations and servers |
| SAM Hash Harvesting | The Security Account Manager (SAM) stores users' passwords. It can be used to authenticate local and remote users. Credentials are saved in SAM as NTLM hashes, which modern computers can uncover quickly. | All workstations and servers |
| Windows Hello Credential Harvesting | Windows Hello stores biometric data for logins in the System32 folder on disk. These credentials can be stolen or modified by an attacker and then abused to log into machines on behalf of the user. The EPM agent protects the files where those biometric credentials are stored from being stolen or modified. | All workstations and servers |
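The Threat Protection rows above (Debug Mode, Safe Mode, Test-Signing Mode and "Always Install Elevated") and the WinLogon Automation row describe endpoint settings that weaken a machine. The following PowerShell audit is an added example, not part of EPM or its documentation: it reports whether each of those settings is present on the local machine so that a defender can compare the finding with the Detect/Block status of the matching policy. It assumes an elevated prompt (bcdedit requires administrator rights) and reports only presence, never secret values.

```powershell
# Added audit script, not part of the EPM product or its documentation.
# Reports whether each risky setting described above is present; secret
# values (such as the Winlogon DefaultPassword) are never printed.
# Run from an elevated PowerShell prompt; bcdedit needs administrator rights.

function Test-AlwaysInstallElevated {
    # The setting only takes effect when both the machine and the user
    # policy values are 1, so report $true only in that case.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $enabledPerHive = foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [bool]($null -ne $v -and $v.AlwaysInstallElevated -eq 1)
    }
    return -not ($enabledPerHive -contains $false)
}

function Test-WinlogonAutoLogon {
    # Winlogon automatic logon keeps DefaultPassword in cleartext in this key.
    # Only the presence of a value is reported, not its content.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon        = ($null -ne $wl -and $wl.AutoAdminLogon -eq '1')
        DefaultPasswordStored = ($null -ne $wl -and -not [string]::IsNullOrEmpty($wl.DefaultPassword))
    }
}

function Get-RiskyBootSettings {
    # Parse only the {current} boot entry. "debug Yes", "testsigning Yes"
    # and any "safeboot" value correspond to the three boot rules above.
    $lines = & bcdedit /enum '{current}' 2>$null
    $flags = [ordered]@{ DebugMode = $false; TestSigning = $false; SafeBoot = $false }
    foreach ($line in $lines) {
        if ($line -match '^\s*debug\s+Yes\s*$')       { $flags.DebugMode   = $true }
        if ($line -match '^\s*testsigning\s+Yes\s*$') { $flags.TestSigning = $true }
        if ($line -match '^\s*safeboot\s+\S')         { $flags.SafeBoot    = $true }
    }
    [pscustomobject]$flags
}

# Collect the findings into one object; any $true here is worth comparing
# against the Detect/Block status of the matching EPM policy.
$report = [pscustomobject]@{
    AlwaysInstallElevated = Test-AlwaysInstallElevated
    Winlogon              = Test-WinlogonAutoLogon
    Boot                  = Get-RiskyBootSettings
}
$report | Format-List
```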
Policy group summary
The Privilege threat protection policies grid in the Policies page displays an at-a-glance overview of the Threat Protection policies. By default, the policy group names are displayed. Expand a group to see the status of the policies in that group, and the computers where the policies are applied.
The following table explains the focus of each column.
| Column | Description |
|---|---|
| Status | The status of the policies in each group, indicating whether the policies are set to Block, Detect, or Off. Expand a group to view the settings for each policy. |
| Computers | The computers where the policies apply. Expand a group to view the computers where a specific policy is applied. |
| Last modified | The date when the policy was last modified. |
| Agent version | The first EPM version that supports this policy. |
View policy details
The Policy Details pane displays an at-a-glance view of policy properties, targets, and excluded applications.
- Expand a policy group and click a specific policy; the Policy Details pane slides over the Privilege Threat Protection grid.
To view global excluded applications, go to Agent Configuration > Threat Protection > Configure EPM service settings.
Set the default policy
In the Default Policy page, you can activate the default Protect against credentials theft and lateral movement policy in one click.
- Set Protect against credentials theft and lateral movement to either Detect or Block.
- Click Yes to accept the default settings, or click Customize policy options to display the Privilege Threat Protection page and customize settings.
For more details, see Privilege threat protection policies.
Customize a Privilege Threat Protection policy
You can edit a policy directly from the Policies page.
- In the EPM Management Console, click Policies.
- From the Policies dropdown list, select Privilege threat protection policies.
- Expand a policy group and, in the line of the policy to edit, click the icon and select Edit.
- In Policy options, set the following:

| Option | Description |
|---|---|
| Status | Whether the policy is set to Detect or Block, or is not activated. |
| End user notification | The type of notification that is displayed to end users, if any. For details about end user notifications, see Configure end user notifications. |

- In Policy targets, define the computers, users, and groups to include in and exclude from this policy.

| Option | Description |
|---|---|
| Computers in this set | This policy is applied to computers in this Set that are defined by this target. |
| Computers in AD security groups | This policy is applied to computers that EPM agents identify as members of the specified AD security computer groups. |

- In Excluded applications, click Exclude from policy and specify the application to exclude from the policy.

| Option | Description |
|---|---|
| File name | The name of the application file to exclude from the policy. |
| Location | The location of the application to exclude. |
| Publisher | The name of the publisher who certified the application. |
Activate or deactivate a policy
You can activate or deactivate a policy directly from the Privilege Threat Protection page or from the Policy overview.
- In the line of the policy to activate or deactivate, click the icon, then set the policy to Block or Detect, or deactivate it.
Summary status
In the Console's Summary page, you can review the status of the Threat Protection policies in your Set.
- In the EPM Management Console, go to Reports > Summary.
The summary status shows:
- The number of endpoints that do and don't support Threat Protection.
- The number of Threat Protection policies that are inactive, in Block mode, or in Detect mode.
- The number of protected and at-risk Windows and non-Windows credentials.