The Importance of Lateral Movement Detection
30 July 2018
Many of the most devastating attacks today rely heavily on privilege escalation and undetected lateral movement to obtain incrementally greater access to resources and services. These techniques typically involve exploitation of known vulnerabilities in the Kerberos protocol and its inherent role in the Active Directory authentication process, including the development of trust relationships throughout the network.
For most organizations, the current state of Active Directory defense relies on intricate configuration management processes, disparate event and log correlation, and the integration of various third-party point solutions. This results in time-consuming administration, huge data storage requirements, and numerous software licenses—inevitably causing information overload for operational teams and ultimately doing little to protect business operations and data on the network. The number of Active Directory attack techniques has rapidly outpaced detection and mitigation solutions, with increasingly available and easily deployed tools making it possible for even mediocre threat actors to leverage sophisticated attack vectors once only available to the elite.
Deterministic vs. Heuristic Attack Detection
Kerberos is a stateless protocol, so instrumenting for near-real-time, deterministic detection of Golden and Silver Ticket attacks is not natively possible. ACDP’s unique instrumentation effectively adds state to the Kerberos protocol and therefore provides assurance that the resultant authentication events and logs are trustworthy.
Golden Tickets are forged Kerberos Ticket Granting Tickets (TGTs) that give attackers Domain Administrator privileges, with full access to any Kerberos service in the domain.
Silver Tickets are forged Kerberos Ticket Granting Service (TGS) tickets, also called service tickets. While a Golden Ticket provides access to any Kerberos service, a Silver Ticket only allows access to a specific service on a targeted server. However, Silver Ticket attacks can be generated without suspicious interactions with the DC(s). Since most providers only monitor interactions between endpoints and DCs for detection of credential compromise, they have no mechanism to detect Silver Ticket attacks. This makes Silver Tickets exceedingly dangerous in the eyes of many security analysts.
Most cybersecurity providers claiming to be able to detect Golden and Silver Ticket attacks rely on heuristics-based analysis of anomalous behavior signatures. This makes them susceptible to false positives and to known bypass techniques. It also limits them to a small fraction of the attack variants already supported by open-source pen-test and attack tooling.
More specifically, these providers typically attempt to perform these detections by establishing a baseline of what is considered a typical Kerberos ticket on any given network. For example, there are numerous configuration parameters that can be tailored for Kerberos authentication, including the supported encryption types (or etypes). The etype specifies what encryption types are supported by both the Domain Controller (DC) and the authenticating user.
Known attack tools such as Mimikatz default to a less secure encryption type when generating a Golden Ticket. This allows some providers to detect a Golden Ticket attack by comparing the current authentication request against the known etype baseline. At least one known bypass technique defeats this type of Golden Ticket detection by ensuring that the forged ticket’s etype matches that of a normal Kerberos ticket. In other words, Golden Ticket detection by these providers can be defeated simply by changing a single command-line parameter in a known attack tool. It also means that changes to network settings can produce false positives whenever they differ from the learned baseline. Ultimately, these providers are blind to at least 80 Golden and Silver Ticket attack variants that ACDP detects reliably and deterministically.
By comparison, ACDP maintains a stateful view of Kerberos authentication by keeping a ledger of valid tickets issued by the DC(s). New authentication requests are compared against this list of known valid tickets, allowing ACDP to detect Golden Tickets regardless of any attempt to modify configuration parameters to simulate a valid ticket. This means that ACDP is able to validate every single Kerberos transaction and that its attack detection remains valid regardless of which tool is used to forge a ticket. ACDP is also deterministic, meaning that there are no false positives and attack detection is immediate once the krbtgt keys are reset—either manually during installation/configuration, as recommended, or automatically when the ticket renewal window expires (10 hours by default). This validation technique does not rely on a learned heuristic signature.
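The contrast drawn above, as an added illustration rather than ACDP’s code: a ledger that records every ticket the DC issued flags a forged TGT deterministically, while an etype baseline misses the same forgery once its etype is chosen to match the environment. The ticket fields, fingerprinting scheme and sample tickets are constructed for the example.

```python
from dataclasses import dataclass
from hashlib import sha256

@dataclass(frozen=True)
class Ticket:
    client: str      # principal the ticket names
    service: str     # krbtgt/REALM for a TGT, otherwise the service SPN
    etype: int       # 18 = AES256-CTS-HMAC-SHA1-96, 23 = RC4-HMAC
    auth_time: int   # issue time, epoch seconds
    enc_part: bytes  # encrypted ticket part, opaque to the observer

    def fingerprint(self) -> str:
        # The encrypted part is presented unchanged in later TGS-REQ/AP-REQ
        # messages, so its hash identifies one concrete issued ticket.
        return sha256(self.enc_part).hexdigest()

class TicketLedger:
    """Stateful record of every ticket the DC actually issued."""
    def __init__(self) -> None:
        self._issued = set()

    def record_issue(self, t: Ticket) -> None:
        self._issued.add(t.fingerprint())

    def is_forged(self, presented: Ticket) -> bool:
        # Deterministic: a ticket the DC never issued can only be a forgery,
        # whatever etype, lifetime or other fields the forger chose.
        return presented.fingerprint() not in self._issued

def etype_baseline_alert(presented: Ticket, baseline_etypes: set) -> bool:
    """Heuristic used by baseline-style detectors: alert on an unusual etype."""
    return presented.etype not in baseline_etypes

# Constructed scenario: one legitimately issued TGT and one forged TGT whose
# etype was chosen to match the environment's AES baseline.
LEDGER = TicketLedger()
LEGIT = Ticket("alice@CORP", "krbtgt/CORP", 18, 1532908800, bytes(32))
LEDGER.record_issue(LEGIT)
FORGED = Ticket("alice@CORP", "krbtgt/CORP", 18, 1532908800, b"\x02" * 32)

def evaluate() -> dict:
    """Outcome of both detectors against the legitimate and forged tickets."""
    return {
        "legit_ledger_alert": LEDGER.is_forged(LEGIT),
        "forged_ledger_alert": LEDGER.is_forged(FORGED),
        "forged_etype_alert": etype_baseline_alert(FORGED, {18}),
    }
```

Only the ledger raises an alert on the forged ticket; the baseline check is silent because the forger matched the expected etype.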
Although ACDP does use heuristics-based behavioral indicators and analysis to detect other types of attacks, behavioral analysis is wholly unsuited to validating the stateless Kerberos protocol and deterministically detecting Golden and Silver Ticket attacks. For the heuristics-based detection of the other lateral movement attack techniques listed in the table below, ACDP provides more confidence by integrating and contextualizing security data from more data sources than other cybersecurity solutions.
Lateral Movement Detection Comparison Summary
The table below highlights ACDP’s lateral movement detection capabilities as they compare to a leading competitor:
Heuristic Attack Detection
Kerberoasting is an increasingly common and effective method for extracting service account credentials from Active Directory as a regular user. It is unique in its ability to do so without sending any packets to the target system, exploiting the fact that people commonly create poor passwords. Since many service account passwords are only as long as the domain password minimum, even brute-force cracking can succeed before normal password expiration. Additionally, since most service accounts don’t have passwords set to expire, those passwords often remain static for prolonged periods. ACDP’s Active Directory monitoring service helps reduce the likelihood of service accounts being over-permissioned; prior to being uncovered during ACDP installation, these service accounts are often found to be members of the Domain Admins group, able to modify attributes far beyond the servers minimally required for the service. ACDP’s Kerberos Agent monitors TGS-REQ packets for suspicious characteristics (e.g. RC4 encryption) and compares transaction history with Domain Controller logs, providing the coverage needed to establish behavioral indicators of attempted Kerberoasting activity.
Pass-the-Hash Attack Detection
Pass-the-Hash is a lateral movement technique whose goal, enabling privilege escalation and/or lateral movement, is similar to that of the previously described Golden and Silver Ticket attacks. Pass-the-Hash attacks exploit NTLM authentication, which is not a recommended authentication mode for any enterprise network. The Kerberos protocol was designed to enable sharing of secrets over untrusted networks and to eliminate the fundamental limitations and risks associated with NTLM. Pass-the-Hash attacks enable attackers to steal a user’s NTLM hash from one computer (or in transit) and use it to gain access to another computer or service.
Overpass-the-Hash Attack Detection
Overpass-the-Hash is a variation on the Pass-the-Hash lateral movement technique in which the attacker passes a user’s Kerberos key for authentication rather than their NTLM hash.
Pass-the-Ticket Attack Detection
Pass-the-Ticket is another lateral movement technique, similar to Golden and Silver Ticket attacks. In executing Pass-the-Ticket attacks, attackers steal Kerberos tickets that were legitimately issued to one principal and use them to gain access from an unauthorized machine. The detection analytic looks for a valid Kerberos ticket being used from two (or more) different computers to authenticate to other network services.
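The two heuristic analytics described above, Kerberoasting (bursts of RC4 TGS-REQs for many SPNs from one client) and Pass-the-Ticket (one ticket presented from more than one host), as an added illustration that is not ACDP’s detection logic. The event record, the RC4 etype value 23 and the sample telemetry are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class KrbEvent:
    ts: int         # epoch seconds
    msg: str        # "TGS-REQ" (service ticket request) or "AP-REQ" (ticket use)
    client: str     # requesting principal
    src_host: str   # host the message came from
    service: str    # SPN requested or presented to
    etype: int      # ticket encryption type: 23 = RC4-HMAC, 18 = AES256
    ticket_id: str  # fingerprint of the presented ticket ("" for TGS-REQ)

RC4_HMAC = 23

def detect_kerberoasting(events, window=300, min_spns=3):
    """Clients requesting RC4 service tickets for >= min_spns distinct SPNs within window seconds."""
    by_client = defaultdict(list)
    for e in events:
        if e.msg == "TGS-REQ" and e.etype == RC4_HMAC:
            by_client[e.client].append(e)
    flagged = set()
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e.ts)
        for i, first in enumerate(reqs):          # slide over each start point
            spns = {r.service for r in reqs[i:] if r.ts - first.ts <= window}
            if len(spns) >= min_spns:
                flagged.add(client)
                break
    return flagged

def detect_pass_the_ticket(events):
    """Ticket ids presented from more than one source host: a ticket issued to one machine should not authenticate from another."""
    hosts = defaultdict(set)
    for e in events:
        if e.msg == "AP-REQ":
            hosts[e.ticket_id].add(e.src_host)
    return {tid for tid, hs in hosts.items() if len(hs) > 1}

# Constructed telemetry: bob harvests three RC4 tickets in 45 s; alice's ticket t-9f1a is replayed from WS07.
SAMPLE = [
    KrbEvent(1000, "TGS-REQ", "bob@CORP", "WS01", "MSSQLSvc/db01:1433", 23, ""),
    KrbEvent(1020, "TGS-REQ", "bob@CORP", "WS01", "HTTP/intranet", 23, ""),
    KrbEvent(1045, "TGS-REQ", "bob@CORP", "WS01", "cifs/fs01", 23, ""),
    KrbEvent(1100, "TGS-REQ", "carol@CORP", "WS02", "cifs/fs01", 18, ""),
    KrbEvent(2000, "AP-REQ", "alice@CORP", "WS03", "cifs/fs01", 18, "t-9f1a"),
    KrbEvent(2600, "AP-REQ", "alice@CORP", "WS07", "cifs/fs01", 18, "t-9f1a"),
    KrbEvent(2700, "AP-REQ", "carol@CORP", "WS02", "cifs/fs01", 18, "t-0b22"),
]
```

Both functions are threshold heuristics: carol’s single AES request and single-host ticket stay below them, which is exactly the kind of baseline judgement the text contrasts with deterministic ticket validation.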
Skeleton Key Detection
Skeleton Key attacks occur when malware with domain-level admin rights (including debug rights which admins have by default) is able to run on domain controllers. This special type of malicious code must be installed with the ability to “patch” LSASS, enabling it to permit a new password to be accepted for any user. This patched password is the Skeleton Key and will allow authentication to the domain with any account. Skeleton Key attacks generally force encryption downgrades during attempted logons with the false password. Normal users can continue to use their normal password. Using its ability to detect encryption downgrades and additional log and telemetry data, ACDP provides a heuristic approach to identify Skeleton Key attacks.
DCSync attacks are post-exploitation attacks which require domain administrator privileges. Once an attacker has these privileges they use DCSync to effectively mimic a valid domain admin in order to request password data from the domain controller. ACDP uses a heuristic approach to identify DCSync attacks, and can also whitelist trusted domains using its ability to track all connected domain controllers across multiple domains, forests, and complex trust relationships.
DCShadow attacks are post-exploitation attacks which require domain administrator privileges. Once an attacker has these privileges, using DCShadow, they effectively have control of the target domain. Specifically, DCShadow attacks simulate the behavior of a Domain Controller in order to inject the attacker’s own data, bypassing most common security controls.
Ntds.dit Exfiltration Detection
Ntds.dit is a database that stores Active Directory data, including password hashes for all users in a domain. Techniques are available that allow threat actors to download a copy of the Ntds.dit file to extract and/or crack these hashes offline, so the extractions themselves are undetectable. With the extracted hashes, tools like Mimikatz can be used to perform Pass-the-Hash attacks, for example, ultimately allowing attackers to obtain Domain Administrator access.
Deterministic Kerberos Detection
Kerberos Detection Summary
| Metric | Value |
|---|---|
| Golden and Silver Ticket attack variation types | 28 Golden, 56 Silver (comprising all variations tested) |
| Golden Ticket false positives | 0 |
| Silver Ticket false positives | 0 |
| Baseline establishment time period | None |
| Time to detect | < 1 minute |
| Deployment model | Cloud/API/On-premises flexibility |