The New Unified Identity SecOps Experience

The new Unifed Identity SecOps Experience brings together information from Azure ATP, Microsoft Cloud App Security (MCAS) and Azure AD Identity Protection.

In this blog post, we will look into the new UI and evaluate which value it has. However – as always-, I am trying to add a little ‘spice’ and therefore we will build in some mimikatz action. Be excited :-).

Even in a 100% cloud world (if it is a company of a certain size) we will not get rid of the local Active Directory anytime soon. That means we need to synchronize users between the on premises AD and the Azure AD and this makes the on-premise AD a possible attack vector for Azure AD / O365 services.

Imagine an ‘on premises’ attacker wants to take control over the CEOs personal data (in OneDrive). I will walk you now through the complete kill-chain of such an attack and show you meanwhile where the new improvements and the known features of MCAS can help to detect an respond to the attack:

Let’s assume the credentials of a user account called “Jule” have been compromised. An attacker is then utilizing those credentials to logon to Jule’s laptop and later running some tools to get higher privileges.

Azure AD Identity Protection has recognized that the credentials may have been compromised and has created a risky sign-in alert. Since this information is now synced with MCAS, we see an increase in the “investigation priority score” of “Jule”:

What you can see above is the brand new “User Page” in MCAS (actually, it is so brand new that it is still in private preview, so things could change here, keep this in mind).

Our (IT) world is getting more complex every day. In order to handle more and more alerts, prioritization is key. So, depending on the alerts that come up related to a certain identity, Microsoft is calculating an investigation priority score for this identity.

Because Identity Protection has found a risky sign-in for “Jule”, she got assigned an “investigation priority score” of +23.

On the MCAS Dashboard, we have a new section called “Top users by investigation priority”:

This helps us to prioritize our investigation work. We see “Jule” is under the top three users in my test lab. But wait a minute! Why is a user called “admin” even higher rated?

Well, with the stolen credentials, our attacker was able to logon to Jule’s laptop and to install a tool called “mimikatz”. With mimikatz you can do many nasty things, the attacker used it to gain an important password hash. Note: it is not that easy to run mimikatz on an up-to-date Windows machine. E.g. Windows Defender will not let you run it.

However, let’s assume the attacker found a way to run it. The password hash, the attacker is searching for, is in the memory of a Windows component called “Local Security Authority Subsystem Service (lsass)”. To access it, you have to be either local admin or find another way. For our purpose, let’s say Jule was already local admin. With that, the attacker could easily get “Debug” privileges:

He then ran “sekurlsa::logonpasswords” to retrieve the passwords he was looking for from memory.

Anyway, this did not reveal any interesting password hashes yet. Now, lets assume an administrator had to connect via a TeamViewer session to the client in order to support her in whatever case. Let’s further assume, this administrator had to do a “runas” on Jule’s laptop to do his stuff:

Gotcha. That’s exactly what the attacker needed to run “sekurlsa::logonpasswords” again. Now, he found the password hashes from the Admin user, he was looking for:

The attacker could then use mimikatz to take this hash and use it in a “pass-the-hash” (pth) attack. In a nutshell, a pth attack is a attack where the attacker presents the hash of the password to the system it tries to logon instead of the actual password:

When firing a pth attack, mimikatz automatically opens a new command prompt. The attacker then used psexec to gain a remote shell on the local dc (without suppling admin credentials, remember, the attacker is still on Jule’s Laptop in Jule’s user context with no permission on the domain):

That worked, the attacker now has a remote shell on the domain controller! Let’s see which privileges he now has:

As you can see, the pass the hash attack worked like a charm. Mimikatz impersonated the attacker as admin since he was able to read the password hash of the admin user from memory and passed the pw hash over for logon. (So, never ever use Domain Admin credentials to do local machine admin stuff!).

By analyzing the eventlog and monitoring the traffic on the DC, Azure ATP came up with two new alerts during the attacker’s pth-journey:

Those alerts are now also visible in MCAS. In fact, we can see here the complete kill-chain in the alerts section – which is great for investigation:

First the risky sign-in, then the pth-attack on “admin”, then the remote code execution from Jule’s Laptop to the DC.

When you simply click on the alert and then on the “admin-tag” you can see, that these alerts then also pay into the investigation priority score on the admin’s user page in MCAS:

When you click on the machine name tag in the alert, you come to the (also brand new) machine page:

As you can perfectly see here, “jule” and “admin” used their credentials on this machine – also both alerts are associated with the machine. From an investigator’s perspective, we know now exactly what happened.

Anyway, back to our kill-chain: since the attacker now has an admin shell (context of user “admin”), he is trying to make his new power more persistent by adding the user account, he is already controlling (Jule), to the Domain Admins group:

The problem, the attacker is facing now, is, he needs to somehow bridge the gap to the cloud. He has domain admin permission locally, but unfortunately, this admin user has zero permissions in the cloud.

Then he installs the RSAT tools on Jule’s laptop to make things a little more comfortable (by the way, the RSAT tools are an optional windows feature now, which you don’t have to download but only enable in windows optional settings):

By investigating the Active Directory, the attacker finds a promising OU with a promising user:

Since the attacker has compromised Jule’s account and then escalated her user privileges to “Domain Admin” by the pass-the-hash attack, he is now able to change the password of the user “IT Service Admin” and then use it to logon to portal.office.com (remember, we are syncing passwords from on-premises to the cloud):

MFA would be another obstacle here, so better enable all users to use MFA. Anyway, our attacker now is one step further:

Now he uses the admin center to access the CEO’s OneDrive files, yes, in my lab I’am CEO baby 🙂

Et voilà:

The attacker now only has to download all the files and upload them to his dropbox:

Again, our friend MCAS alerts us here and tells us, there is something going on:

Summary

Beside the fact we paved the way for our attacker a little (we disabled Antivir and made the attacked user ‘Jule’ a local admin right from the start), we saw a nice real-world kill-chain: The attacker escalated the privileges of an account he had compromised before. Then he gained some persistence and then he took over the control of the CEO’s personal files in OneDrive.

More importantly: we showed how the tools from the new Unified Identity SecOps Experiencealerted us in every phase of the kill chain.

We didn’t show how Windows Defender and Microsoft Defender ATP would have prevented all the nasty things the attacker did, but I showed that already in another post.

Some people say, when it comes to ‘Security’, you need diversity (in regards to the manufacturer). Actually, I believe the real power here comes from the smooth integration of the different tools. As you have seen, it looks like Microsoft is doing a pretty good job in this area.

Go, hack yourself!

While talking about the protection mechanisms in modern cloud environments, one tends to forget the other side.

You must know your enemy in order to fight him successfully. Today we will build a lab to attack a modern Microsoft cloud environment that is protected by the brightest star on Microsoft’s security sky: Microsoft Defender ATP*.

*Windows Defender ATP was recently renamed to Microsoft Defender ATP, since it now also supports some functionality on MacOS (and more is planned)

But first, lets move to the dark side. I am sure you already heard of many of the tools used by attackers today, but have you ever used them to attack your own machines? Let’s see how that works!

Our lab is simple:

  • 1 x Windows 10 1809, AAD joined, Intune managed, Microsoft Defender ATP secured, 100 % Cloud
  • 1 x Kali Linux with Metasploit

In case you don’t know it, Kali Linux is a Linux distribution that comes with many important attacking and penetration testing tools. Metasploit is a framework for the complete kill-chain.

A kill-chain?

A kill-chain describes the process from the first contact of the attacker to the ‘promised land’ (whatever they are gaining to obtain).

1-1Pic01: kill chain

Attack vectors are the first contact the attacker has with your property: He leaves a prepared USB stick on your company parking, he writes an Email with an attachment or with a link to your users, or he attacks you e.g. with a password spray attack.

In former times then, when he accessed ‘Patient 0’, the first computer: he was in. ‘In’ meant your managed environment, behind your firewalls. Now, in modern concepts, there is no ‘in’ or ‘out’ anymore. Clients are built to be always in an open network. This is, what makes one of the next steps harder: lateral movement. Hopping from one computer to the next was easier in former times, since everything inside the perimeter was considered as ‘safe’. (Is this still the case in your environment? Go 100% cloud!)

To move laterally, the attacker would try to gain more permissions (admin etc.) and gather more information about your network and directory (e.g. Global Address List discovery).

Now, let’s start with the fun part of this post. On the left you can see the Metasploit console, on the right, you see our Windows 10 client:

2Pic02: our setup

First, we must choose an exploit we can use on the Windows machine. I have chosen exploit-db.com to find the appropriate exploit. I have then decided to take an exploit in a popular video player software, VLC:

3Pic03: choose an exploit

This exploit is a so called ‘use after free’ exploit that tries to use memory that was just freed from the application.

Many exploits are already integrated in the Metasploit database, however, ‘my’ exploit wasn’t. The VLC exploit is quite new. Exploit-db.com gives you the possibility to download the exploit, so that you can use it in Metasploit. After download, you just tell Metasploit to use it:

4
Pic04: use the exploit

With ‘show payloads’, you can examine the possible payloads of this exploit. When you read the description of the exploit, you see that the author of the exploit recommends to only use certain payloads with the exploit since others (e.g. the meterpreter payload) crashes the application:

5Pic05: show payloads

With show options you can see what options are necessary to configure the exploit:

6Pic06: show options

In the options above, we see, that the exploit will generate two MKV (video) files. The first has to be opened by the victim (the second has to reside in the same directory). We also see, what settings are already set or still empty. The only setting that is missing here is ‘LHOST’, the IP address of our attacking machine. So let’s set it:

7Pic07: set LHOST

That’s it, we are ready to run the exploit:

8Pic08: run the exploit

As expected, Metasploit has generated the two .mkv files for us:

9Pic09: here we go

Now, when we remind ourselves on the kill-chain diagram at the beginning, we need an attack vector. How do we distribute the .mkv files to the victim? Well, that is pretty easy, we can zip it and send it by Email or – that’s what I did-, we can put it on Dropbox and share it with the user. If you attach it with a ‘social-engineering made up’ text, you can make sure that it is being watched, or better: ‘double-clicked’. (I just had to convince myself).

The .mkv files are on the client now. In the meanwhile, we need to setup a ‘Listener’ on our attacking machine that waits for the victim to double-click on the .mkv file. I have decided to create a reverse shell handler (which is also the default payload option for the exploit):

10Pic10: setup the listener

When you observe the above screenshot, you see that we ‘use’ an exploit again, in this case for the listener “exploit/multi/handler”, we then set the payload and the ‘LHOST’ IP and are then ready to exploit (run) it:

11Pic11: start the listener

The listener is now doing what it should: listening. I now went on the Windows 10 machine and double-clicked the first .mkv file. After a few seconds, I started to receive some data on the listener and finally got a Windows command prompt on my Kali Linux machine!

And what do you do, when you have a command prompt on a unknown Windows machine? Exactly, I did a ‘DIR’:

12Pic12: orientation

Ok, that was a hesitantly first try – I must admit that, let’s get gutsy and start something:

Pic13: finally got some help with mental math (click to enlarge)

Pretty cool, isn’t it? Meanwhile on the good side of the planet, Microsoft Defender ATP started sending me first Alerts:

14Pic14: ooh

In the artifact timeline we can see which application triggered the alert:

15Pic15: artifact timeline

Uh-huh, VLC seams to make some bad stuff on one of the Windows clients in my environment 😊 As we can see in the process tree, ATP has exactly found what our exploit was doing, it started allocating some free memory (like in the exploit description: ‘use after free’):

16Pic16: process tree

Anyway, lets try to get a step further. I am trying now to upgrade the remote shell session to a meterpreter session. With meterpreter we have more possibilities. You can easily run a keylogger, Mimikatz or much more. To upgrade to meterpreter, we have to put the remote session into a background session by pressing ctrl+Z. Then we use the exploit “shell_to_meterpreter”:

17Pic17: trying to start a meterpreter session

With ‘sessions’ we can see the current remote shell session. We set the exploit to session 1 to tell the shell_to_meterpreter exploit to use our remote shell session to upgrade, then we run the exploit:

18Pic18: not working somehow

With that, ATP freaked out:

19Pic19: new alerts in ATP (1)

And:

20Pic20: new alerts in ATP (2)

And we didn’t get any new (meterpreter) session, but still have just the remote shell session:

21Pic21: no new session

What happened? As we can see in the ATP machine timeline, it was ATP’s friend Windows Defender Antivirus that remediated our attempt to attack the machine with the meterpreter payload:

22Pic22: friends will be friends (Windows Defender Antivir did the job)

Which is good or bad, depending on the perspective. Let’s take a look on the complete alert history:

23Pic23: Alerts queue

What scared me a little here is the fact that all these alerts had an assigned severity of “medium”. So, you really must look into your medium alerts!

Windows Defender and Microsoft Defender ATP worked hand in hand in my scenario. However, I had access to the targeted machine and could execute arbitrary code (calc.exe). ATP recognized that – which is good, but wouldn’t it be even better if we could get a hint upfront?

Microsoft Defender ATP Threat and Vulnerability Management

Microsoft is currently rolling out this new feature to tenants worldwide. With TVM, ATP gathers information about the applications on your clients, the installed versions and the configuration. This data is then compared with Microsoft’s Threat Intelligence. That’s why ATP could already tell me before my Windows 10 machine was attacked that it has a vulnerability in an application called “VLC”:

24
Pic24: we could have known before

ATP even tells me which vulnerabilities are associated with the installed version of VLC:

25Pic25: CVEs associated with the software version

You might have recognized that our CVE is (the second) is listed. When we click on this CVE, we get a description that is quite similar to the description on exploit-db.com:

26Pic26: CVE details

Conclusion

I have just scratched the surface. After I had access to the target machine and was able to execute calc.exe, I gave up quite early when the meterpreter session couldn’t be established. There are many possibilities to obfuscate the payload to make it harder to be recognized. The fact that ATP noticed that the VLC exploit allocated just freed memory shows the real power of the tool, the power of behavioral analysis.

Threat & Vulnerability Management completes Microsoft Defender ATP. It gives you a vulnerability-based view on the application landscape of your environment and gives you prioritized advices on how to get rid of the vulnerabilities before it gets actively exploited.

However, to be able to judge the importance of tools like Microsoft Defender ATP, you must betake yourself to the red-team’s point of view. If you try to think like an attacker, you will be better able to understand how to protect your environment. So … go, hack yourself!