In a world where almost all data is stored electronically, keeping it secure is a priority. Protecting credentials requires special attention, as they are the key to infiltrating the corporate network.
In this article, we will look at the main types of Windows authentication data theft, the most effective ways to protect against it, and a new vulnerability in Outlook (CVE-2023-23397) that hackers use to fish out credentials.
Hackers often begin their journey through an organisation by breaking into one workstation. If they succeed, the attackers seek to gain a foothold in the company's infrastructure by capturing as many other systems as possible. This lets them encrypt, steal or destroy more data, significantly increasing their chances of getting a ransom. For the plan to succeed, the attackers need to find or steal the credentials of other users, preferably domain administrators, because this will give them absolute control over the corporate network.
However, no matter what the hackers come up with, the field of cybersecurity is also on guard. Developers of operating systems and security tools are constantly improving technologies for protecting credentials. For example, Windows used to store user passwords in clear text, then it began to apply hashing to them, and only then the mechanism for accessing such sensitive data was improved.
But, as practice shows, no OS on its own can provide adequate protection against constantly evolving attacks. Therefore, studying and implementing security solutions with advanced protection mechanisms, and continuously adapting them to current conditions, is crucial.
Mimic Mimikatz: a regular guest of cyberattacks
One of the "classic" password-stealing tools is Mimikatz. It was developed in 2011 and immediately became indispensable to a hacker's toolkit. Now Mimikatz has countless clones and variations, since the primary mechanism for stealing passwords is still relevant. Mimikatz and all its counterparts have one purpose – to read the contents of authentication data stores, an example of which is the lsass.exe process.
lsass.exe stores various data that lets users access resources without additional authentication. Without this mechanism, you would have to enter a password literally every minute. On the other hand, this convenience creates certain risks, because the credentials are stored in a process that is always running in Windows. If a hacker manages to read the contents of lsass.exe's memory (dump it), he will gain access to the stored credentials, and the system can be considered compromised.
The process of stealing passwords from an insecure system
Fewer words – more deeds. After launching Mimikatz, the tool needs to obtain the SeDebugPrivilege privilege, which allows it to read the contents of lsass.exe's memory. It is impossible to steal passwords without this step: mimikatz (command line) # privilege::debug
After receiving a positive response (Privilege '20' OK), you can start dumping the credentials that have ever been entered on this system: mimikatz (command line) # sekurlsa::logonpasswords
From the resulting list of stolen data, we are interested in the username, the domain, and the NTLM field, which is the user's hashed password.
Next, we can recover the password for this hash or use the hash directly in a pass-the-hash attack with the same Mimikatz. Cracking the hash is simple, and it can be done both on websites and with the help of special utilities such as hashcat.
We use the first available website for cracking. The password was recovered in seconds, as it is short and quite common.
It is worth noting that the compromised user has domain administrator rights in mvcloud.com, which puts the entire organisation at risk. Mission accomplished – the hacker has achieved his goal, the user is compromised, and the company risks facing losses.
Credential protection with Trellix Endpoint Security (ENS)
Trellix ENS protects servers, PC systems and laptops from known and unknown threats. These threats include malware, suspicious network connections, unsafe websites, and downloaded files.
Endpoint Security consists of several security technologies that communicate in real-time, analyse threats and protect against them. These technologies are divided into the following modules:
Threat Prevention – prevents threats from entering the system, automatically scans files on access, and performs targeted checks for malware on client systems.
Firewall – monitors data transfer between the computer, network resources and the Internet. Analyses network traffic based on rules, applications, and reputations.
Internet control – analyses search queries and browsing on the Internet, blocks websites and downloads based on reputations, categories and denylists/safelists.
Adaptive Threat Protection – checks content using behavioural analysis and artificial intelligence and takes appropriate action based on file reputations and activities.
All modules are integrated into a single Trellix ENS interface on the client system. They can be installed together or standalone to provide multi-layered protection without overloading the system.
Gartner ranks Trellix Endpoint Security as one of the top 5 workstation security tools, and the Trellix XDR security platform has consistently been named a leader by multiple analyst firms.
Let's repeat the attack, but this time with Trellix Endpoint Security protection enabled. It is essential to understand that in real conditions, Trellix ENS blocks threats much earlier, so an attack usually does not reach the credential theft stage at all.
Like last time, let's try to obtain SeDebugPrivilege and then read the contents of lsass.exe's memory. This time the actions resulted in an error: Mimikatz obtained the privilege because the command line was run as administrator, but it could not read the credentials from lsass.exe. The attempt was blocked, and the user and administrator were notified accordingly.
It is also worth clarifying that in order to launch this malicious software at all, almost all of the protection features had to be disabled first, because the capabilities of ENS are much broader than this example shows. Using advanced technologies, it can detect and block threats in almost any form, including fileless ones running directly in memory.
Microsoft Utilities for Hacking Windows
Mimikatz is a known malware, but what if we try to steal Windows credentials using tools that Microsoft has developed?
The easiest way is to try dumping lsass.exe through Task Manager: run it as administrator -> Details -> right-click on lsass.exe -> Create dump file
We see that such an attempt was blocked. Of course, you can also create the dump from the command line, which hackers use more often, but Trellix ENS will block such an attempt to access credentials as well.
Why was a legitimate tool – Task Manager – blocked? In this case, the Zero Trust approach works: trust no one, always verify. Hackers have learned to use the utilities already present on victim systems to make attacks stealthier and more destructive. There are about two hundred such dual-purpose utilities – for example, cmd.exe, wmic.exe and certutil.exe. This approach is called Living-off-the-Land and can be found in almost every hacker attack.
Note: ordinary users should NEVER access the memory of the lsass.exe process; this behaviour is a clear sign of a hacker attack. But if administrators need this feature, the best option would be creating a separate permissive access policy for lsass.exe for administrator systems.
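As an added example (not from the original article and not Trellix code), the following PowerShell shows the kind of check a defender can run on a Windows host to back up the note above: it flags any process that obtained memory-read access to lsass.exe, using Sysmon Event ID 10 (ProcessAccess) records, and reports whether LSA Protection (RunAsPPL) is enabled. The allowlist of source images and the sample events are constructed assumptions to be tuned per environment; Sysmon with a ProcessAccess rule covering lsass.exe is assumed to be installed for the live query.

```powershell
# Added example: detect memory access to lsass.exe and check LSA Protection.
# Not part of the original article; the allowlist and sample events are constructed.

# Process access-right bits (Win32 constants): VM_READ and VM_WRITE are the
# rights a credential dumper needs; 0x1FFFFF (PROCESS_ALL_ACCESS) contains both.
$PROCESS_VM_READ  = 0x0010
$PROCESS_VM_WRITE = 0x0020

# Assumption: images allowed to read lsass memory on this host. Tune per environment;
# an administrator's need for dumps belongs in a separate policy for admin systems,
# as the note above says, not in the workstation allowlist.
$AllowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

function Test-LsassAccess {
    # Takes one object with SourceImage, TargetImage and GrantedAccess (hex text, e.g. 0x1010)
    param([Parameter(Mandatory)] $Event)
    if ($Event.TargetImage -notlike '*\lsass.exe') { return $null }
    $mask = [int]$Event.GrantedAccess
    $readsMemory = ($mask -band ($PROCESS_VM_READ -bor $PROCESS_VM_WRITE)) -ne 0
    $trusted = $AllowedSources -contains $Event.SourceImage
    [pscustomobject]@{
        Source        = $Event.SourceImage
        GrantedAccess = '0x{0:X}' -f $mask
        Suspicious    = ($readsMemory -and -not $trusted)
    }
}

function Get-SysmonLsassAccessEvents {
    # Live path: read ProcessAccess (ID 10) events and pull the named fields from the
    # event XML, which is more robust than relying on the positional order of Properties.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                SourceImage   = $data['SourceImage']
                TargetImage   = $data['TargetImage']
                GrantedAccess = $data['GrantedAccess']
            }
        }
}

function Get-LsaProtectionStatus {
    # RunAsPPL = 1 runs LSASS as a protected process, so unsigned tools cannot open it for
    # memory reads even with SeDebugPrivilege (registry path and value name are Microsoft's).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
    [pscustomobject]@{ LsaProtectionEnabled = ($null -ne $lsa -and $lsa.RunAsPPL -ge 1) }
}

# Constructed sample events (not real log data) so the logic can be exercised offline.
$SampleEvents = @(
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\svchost.exe';  TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' }
    [pscustomobject]@{ SourceImage = 'C:\Users\user\Downloads\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1010' }
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\Taskmgr.exe';  TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ SourceImage = 'C:\Windows\explorer.exe';          TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1010' }
)

$SampleEvents | ForEach-Object { Test-LsassAccess $_ } | Where-Object { $_ } | Format-Table -AutoSize
Get-LsaProtectionStatus

# To run against the real log instead of the sample:
# Get-SysmonLsassAccessEvents | ForEach-Object { Test-LsassAccess $_ } | Where-Object { $_.Suspicious }
```

In the sample, the svchost.exe event carries only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and is reported but not flagged, while the unknown tool with 0x1010 and the Task Manager dump with PROCESS_ALL_ACCESS are flagged; the notepad.exe access is ignored because the target is not lsass.exe. The same shape of rule (non-allowlisted source, VM_READ bit set, target lsass.exe) is what most EDR and SIEM detections for credential dumping reduce to.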
The next utility developed by Microsoft is Procdump. This is an application whose main purpose is to capture process memory dumps when an application hangs, crashes or spikes in CPU usage. But we don't have to wait for any peaks to steal some passwords. It's enough to run the following command: procdump.exe -accepteula -64 lsass.exe path:\upload\dump.dmp
If Trellix Endpoint Security is installed on the system, it will detect and prevent unauthorised access to credentials, even if it was initiated by a trusted process.
Fileless approach in using Mimikatz
Now let's explore the fileless approach. In fact, we will still use Mimikatz, but now it will be executed not as a "file.exe" file, but as a set of PowerShell commands. This makes the actions stealthier, because no executable file that anti-virus tools could scan is downloaded to the victim's system. In PowerShell, run:
When this command is entered, the Powershell console is instantly closed, and the user sees a warning about the detected malicious script.
We can view each incident in more detail both on the workstation and in the management console. On a workstation, part of the incident information looks like this:
And in the management console like this:
For processes that have been analysed by behavioural analysis technologies, a Story Graph is created, which helps speed up the process of investigating incidents.
Command Obfuscation to Bypass Detection Systems
In the wild, experienced hackers will never use their tools in open form. One way or another, all files or commands will be obfuscated. As a simple example with numbers, obfuscation looks like this:
Initial line: 1+1=2
The result remains the same (2), but analysing the "obfuscated" line takes much more time and computational resources. Hackers also use this technique to evade signature analysis: there are an infinite number of ways to disguise "1 + 1 = 2", and it is impossible to create a signature for each variant.
We need a different approach to detect these kinds of threats. Trellix Endpoint Security offers behavioural analysis and artificial intelligence capabilities, as well as deep integration into Windows to intercept the execution of all commands, including CMD and PowerShell.
Let's exemplify the case. The initial line is taken from the previous example, and the resulting "obfuscated" line looks like this:
It will still try to steal credentials without leaving any files on our system.
After this command is executed, it is passed to Trellix ENS, which performs behavioural analysis and flags each suspicious activity. As a result, Endpoint Security concludes that the same fileless Mimikatz was executed, after which it is blocked. The PowerShell console closes, and the user gets a pop-up notification:
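The command-line inspection described above is something a defender can also approximate without a vendor product. The following PowerShell function is an added example (not from the original article and not how Trellix ENS works internally): it scores a command line on common obfuscation indicators such as an encoded command, character-code string building, backtick escapes, string concatenation and Invoke-Expression, and decodes an -EncodedCommand payload so the analyst can see what would actually run. The weights, threshold and sample command lines are constructed; the "suspicious" samples only print text.

```powershell
# Added example: score a command line for obfuscation indicators and decode
# an encoded command where present. Weights, threshold and samples are constructed.

function Get-CommandLineObfuscationScore {
    param([Parameter(Mandatory)][string]$CommandLine)
    $indicators = [System.Collections.Generic.List[string]]::new()
    $score = 0

    # 1. -EncodedCommand (and its -e / -ec / -enc short forms) hides the script body in base64;
    #    PowerShell encodes it as UTF-16LE, so decode it and surface the real content.
    if ($CommandLine -match '(?i)-e(c|nc|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]{16,})') {
        $score += 2; $indicators.Add('EncodedCommand')
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches['b64']))
            $indicators.Add("Decoded: $decoded")
        } catch { $indicators.Add('EncodedCommand: base64 did not decode') }
    }

    # 2. Launch flags that hide the session from the user (hidden window, no profile, non-interactive)
    $stealthFlags = [regex]::Matches($CommandLine, '(?i)-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni(nteractive)?\b').Count
    if ($stealthFlags -gt 0) { $score += $stealthFlags; $indicators.Add("StealthFlags=$stealthFlags") }

    # 3. Strings assembled from character codes ([char]87+[char]114...) instead of plain text
    $charCasts = [regex]::Matches($CommandLine, '(?i)\[char\]').Count
    if ($charCasts -ge 3) { $score += 2; $indicators.Add("CharCasts=$charCasts") }

    # 4. Backtick escapes inside a word (W`r`i`t`e-Host), which exist only to break signatures
    $ticks = [regex]::Matches($CommandLine, '`[A-Za-z]').Count
    if ($ticks -ge 3) { $score += 2; $indicators.Add("BacktickEscapes=$ticks") }

    # 5. Many short string fragments joined with + ('Wr'+'ite'+'-Host')
    $concats = [regex]::Matches($CommandLine, "['""]\s*\+\s*['""]").Count
    if ($concats -ge 3) { $score += 1; $indicators.Add("StringConcats=$concats") }

    # 6. Invoke-Expression (or its alias iex) running a string that was built at runtime
    if ($CommandLine -match '(?i)\b(iex|invoke-expression)\b') { $score += 1; $indicators.Add('Invoke-Expression') }

    # 7. Density of non-alphanumeric characters: obfuscated lines are full of brackets, quotes and operators
    $nonAlnum = [regex]::Matches($CommandLine, '[^A-Za-z0-9\s]').Count
    $ratio = [math]::Round($nonAlnum / [math]::Max(1, $CommandLine.Length), 2)
    if ($ratio -gt 0.35) { $score += 1; $indicators.Add("SpecialCharRatio=$ratio") }

    [pscustomobject]@{
        Score       = $score
        Suspicious  = ($score -ge 3)   # assumption: threshold chosen for the samples below; tune to your baseline
        Indicators  = ($indicators -join '; ')
        CommandLine = $CommandLine
    }
}

# Constructed samples. The "suspicious" ones only print text; what matters is their shape.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host hello'))
$Samples = @(
    'powershell.exe -Command Get-ChildItem C:\Users\Public'
    "powershell.exe -nop -w hidden -enc $encoded"
    @'
IEX ([string]::Join('', ([char]87,[char]114,[char]105,[char]116,[char]101,[char]45,[char]72,[char]111,[char]115,[char]116)) + ' hello')
'@
    'powershell.exe -c "W`r`i`t`e-Host (''he''+''l''+''lo'')"'
)

$Samples | ForEach-Object { Get-CommandLineObfuscationScore $_ } | Format-Table Score, Suspicious, Indicators -AutoSize
```

Feed it real data by piping command lines from Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled) into the function. A scorer like this is deliberately signature-free: it does not need to know the decoded payload is Mimikatz, only that the line is shaped in a way benign administration rarely is, which is the same reasoning the text gives for behavioural analysis.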
The threat was discovered on one workstation, but the Trellix ecosystem doesn't stop there. Once a malicious activity is detected, all Trellix components share information about threats, which allows other workstations, network devices and cloud scanners to block detected malware without additional checks immediately.
Wake Up Call: New Outlook Vulnerability
During the Patch Tuesday release in March, Microsoft announced a new vulnerability in the Outlook email client. It is critical because it is easy to exploit, and Outlook is installed on most corporate Windows systems. By exploiting this vulnerability, a hacker gains access to the current user's credentials, which again shows the importance of protecting them.
Exploitation works as follows. Through PowerShell, the hacker sends a malicious meeting invitation by email. In Outlook, it looks inconspicuous and does not arouse unnecessary suspicion.
But the danger of this invitation lies not in its appearance but in the reminder sound played at the start of the meeting. When composing the message, the hacker set the location of the sound file (file.wav) not to the standard path on the victim's system but to his own SMB server. So when Outlook displays the reminder for this meeting, it contacts the attacker's file server, tries to log in using the current user's credentials, and plays file.wav from the hacker's server during the reminder.
So while the user sees a regular notification from Outlook, the hacker sees the compromised credentials, namely the NTLMv2-SSP hash, from which he can then recover the password, for example with the hashcat utility, and use it to spread further through the corporate network:
How can you protect yourself from this vulnerability?
The first way is to add critical users, such as domain administrators, to the "Protected Users" group. Users in this group are denied NTLM authentication, which closes the issue. However, some applications that require this type of authentication may stop working, and then you have to find a compromise between security and business processes.
The second way is to block outgoing network connections over the SMB protocol using a host firewall or a firewall on the perimeter. Fortunately, Trellix Endpoint Security provides the flexibility to accomplish this task. As mentioned above, one of the ENS modules is the Firewall, which allows you to granularly block network connections created by specific applications. So, let's use this approach and create the following rules:
1. Allow outgoing network access via the SMB protocol on port 445 to internal corporate servers so as not to interrupt business processes.
2. Deny outgoing network access via the SMB protocol on port 445 to all other hosts to prevent sending credentials to third-party servers.
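The same two rules, together with the Protected Users step from the first method, written for the built-in Windows Defender Firewall and the RSAT ActiveDirectory module. This is an added example, not Trellix ENS configuration and not from the original article; the RFC 1918 ranges used to define "internal" and the account name are assumptions to adapt to your own address plan and accounts.

```powershell
# Added example: the two SMB egress rules above as Windows Defender Firewall rules, plus
# Protected Users membership. Not Trellix ENS configuration; ranges and names are assumptions.

# Assumption: internal servers live in RFC 1918 space. Everything outside it is "third-party".
$InternalRanges = @('10.0.0.0-10.255.255.255', '172.16.0.0-172.31.255.255', '192.168.0.0-192.168.255.255')

# Windows Firewall has no "every address except these" option, and block rules always win over
# allow rules, so the deny rule must list the public ranges explicitly. Loopback (127/8) and
# link-local (169.254/16) are left out of the block list on purpose.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Set-SmbEgressRules {
    # Rule 1: allow SMB to internal servers. The default outbound action is Allow, so this rule
    # only takes effect if the profile default has been changed to Block; it is kept so the
    # policy reads the same way as the two-rule policy described above.
    New-NetFirewallRule -DisplayName 'Allow outbound SMB to internal servers' -Direction Outbound `
        -Action Allow -Protocol TCP -RemotePort 445 -RemoteAddress $InternalRanges -Profile Any -Enabled True | Out-Null

    # Rule 2: deny SMB to everything else. This is what stops Outlook (or any other process)
    # from answering an NTLM challenge from a server on the Internet.
    New-NetFirewallRule -DisplayName 'Block outbound SMB to external hosts' -Direction Outbound `
        -Action Block -Protocol TCP -RemotePort 445 -RemoteAddress $PublicRanges -Profile Any -Enabled True | Out-Null
}

function Get-SmbEgressRules {
    # Verification: list both rules with their resolved port and address filters.
    Get-NetFirewallRule -DisplayName '*outbound SMB*' | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.DisplayName
            Action = $_.Action
            Port   = ($_ | Get-NetFirewallPortFilter).RemotePort
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
}

function Add-ToProtectedUsers {
    # First method from the text: members of Protected Users cannot authenticate with NTLM,
    # so no NTLMv2 response is produced for the attacker's server to capture. Needs the RSAT
    # ActiveDirectory module and rights to modify the group; 'da-alice' is a placeholder name.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
}

# Apply on the workstation (run elevated) and verify:
Set-SmbEgressRules
Get-SmbEgressRules | Format-Table -AutoSize
# On a domain-joined admin host:  Add-ToProtectedUsers -SamAccountName 'da-alice'
```

Roll the firewall rules out through Group Policy rather than per host, and test the Protected Users change on a pilot account first: as the text notes, applications that depend on NTLM stop working for those accounts, so the compromise between security and business processes has to be found before the change reaches every domain administrator.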
As a result, a retry attempt to exploit CVE-2023-23397 failed, and the user received a notification about a possible intrusion:
Credential protection is an integral part of the cybersecurity process. New methods of compromising credentials are constantly being refined, so it is essential to have adaptive security tools. Credential theft can be carried out by both third-party and trusted tools, so the solution should block all suspicious attempts to access lsass.exe without disrupting the system. Another security challenge to consider is fileless attacks. Protection against them requires constant monitoring of command lines for malicious content, including obfuscated content. Trellix ENS is a feature-packed, proven workstation security solution recognised by many industry analysts as one of the best on the market. In our test hacking attempts, the solution successfully repelled all the attacks, including exploitation of a new vulnerability in Outlook.
To learn more about the solution, contact us: trellix@bakotech.com
__________
The authors of this article hereby state the following: (1) This article was created solely for explanatory purposes, and the distribution of this article is not an activity for which Article 3611 of the Criminal Code of Ukraine establishes criminal responsibility. (2) The software code and tools mentioned in this article were not created by the authors; they were obtained by the authors from open sources and tested by the authors at their own risk on their own equipment. (3) All malicious software code, tools, samples, examples, formulas, etc. given in this article are in no way offered or recommended for use by readers and/or other third parties.