According to the Sophos Active Adversary Playbook 2021, the use of valid accounts (via a user name and password) featured in the top five techniques for initial access in breaches (MITRE ATT&CK Technique T1078). While valid credentials feature heavily in the initial access stage, they can obviously be used throughout the attack chain, including persistence, privilege escalation and defense evasion.
A challenging issue
Adversary use of valid accounts is particularly challenging for cyber security professionals. It is extremely difficult to identify unauthorized use of valid accounts among all the legitimate use, and credentials can be obtained in many different ways. A valid account can have varying levels of authorization within an organization, from a basic user right up to Domain Administrator privileges.
A further complication is that you may set up testing accounts, service accounts for non-human access, APIs, accounts for 3rd parties to access your systems (e.g. an outsourced helpdesk), or have equipment with hardcoded credentials.
We know people use their organization credentials with unrelated online services, and most use an email address in place of the username, extending the threat exposure. Password re-use is commonplace, so once one is obtained, it provides the key to many other doors. The COVID-19 pandemic saw organizations quickly pivot to allowing remote access for all, further exposing the attack surface to unauthorized use of Virtual Private Networks (VPN) and remote access tools.
How do threat actors get our credentials?
The list of ways is extensive, but let’s explore a few. While the adversaries’ end goal is to obtain the highest level of privilege needed to achieve their objectives (e.g. disable security, exfiltrate data, delete backups and deploy ransomware), they wouldn’t expect to get domain administrator accounts via a phishing email, so they start with easier targets and work upwards.
External methods including phishing (T1598), brute force (T1110), social engineering (could be as simple as someone pretending to be from a trusted IT provider and asking for an account to be created – T1593.1) and SQL Injection (T1190) are sometimes aggregated into Compilations of Many Breaches (COMB) and made available for a fee or even free.
Opportunists attempt to match the credentials obtained to your external access methods (RDP – see Hindsight #2, VPN, FTP, Terminal Services, CPanel, remote access tools like TeamViewer, cloud services like O365 or security consoles) in a technique known as credential stuffing to see if anything works. Since users can’t be expected to remember more than a few passwords, it is common for credentials to be re-used and usernames can often be derived based on email address formats. It is for this reason that Multi-Factor Authentication (MFA/2FA) is important on all external-to-internal access (see Hindsight #1). Once a set of credentials is successfully paired with a remote access method, the threat actor can become a valid user, hiding in your organization.
Before I move on to privilege escalation methods, it is important to note that other access methods exist that don’t require credentials. Exploits (T1212) or default passwords (T1078.1) in VPN concentrators, Exchange, firewalls/routers, webservers and SQL injection have all been utilized to gain a foothold. Drive-by-downloads can also be used to establish a backdoor (T1189). Once inside, basic user accounts still have sufficient access to carry out various reconnaissance techniques and map out a way to pivot to more privileged access or creating accounts to maintain access.
As a threat actor, I want to try and avoid using any tools that might put up a red flag initially, so I might simply:
- Search LDAP to see what other accounts might be interesting (T1087.2)
- Search the Windows registry (T1552.2) for stored credentials
- Search web cookies for stored credentials (T1539)
- Drop a PowerShell-based command and control tool, so I can get back in even if you do change a password or patch your exploit (T1059.1)
- Discover what programs are installed – remote access tools and admin tools like PSExec and PSKill can be super useful if they already exist (T1592.2)
Next, and only if needed, the threat actor might move on to installing and/or using ‘Potentially Unwanted Programs’. The above mentioned PSExec and PSKill are official Microsoft admin tools, but have plenty of other uses. IOBit, GMER, Process Hacker, AutoIT, Nircmd, port scanners and packet sniffers have all been used in breaches we’ve worked on. These tools will feature in the next Hindsight Security article. The goal of these tools is to cripple any endpoint security solutions, so the threat actor can move onto the next step where they use tools that probably would raise the red flag.
Popular tools for finding higher privilege accounts include Mimikatz, IcedID, PowerSploit and Cobalt Strike. Trickbot was an old favorite too. They contain sophisticated abilities to capture, interpret, export and manipulate the very pieces of information that networks use to authenticate users (e.g. Kerberos). While the data is encrypted to some extent, this has proven to be just an inconvenient speed bump for skilled attackers. The encrypted token representing the valid account can often be passed and accepted over the network, known as pass-the-hash (T1550.2) and pass-the-ticket (T1550.3) techniques. Vast tables of passwords and what their encrypted versions would look like are used to quickly match an encrypted password with the clear text version (T1110.2). Keylogging tools may be used to capture the keyboard strokes on a device the next time someone logs in. Certain vulnerabilities have been found that allow access to credentials, even without any administration rights, such as HiveNightmare/SeriousSam and PrintNightmare. And if all that wasn’t bad enough, there are easily available toolkits like LaZagne that do it all for you, even retrieving passwords stored in browsers, Instant Messaging software, databases, games, email and WiFi.
Using valid credentials
Valid credentials, especially with administration rights, have a few significant uses. They can be used across an organization to change group policy (T1484.1), disable security tools (T1562.1), delete accounts and create new ones. Data can be exfiltrated and then sold, used for extortion or for industrial espionage. They may be used for impersonation and business email compromise attacks with a high level of authenticity. But most often, they are just a great way to distribute and run whatever ransomware-as-a-service is popular on the day. And if that fails, we have seen adversaries just use the valid account to activate BitLocker (or shift the key).
Protecting your organization
The problem is serious, the consequences are real, but the solutions are well known and addressed through people, process, and technology. Cybersecurity employee training usually focuses on the people:
- How to spot a phishing email
- Not re-using passwords – password management tools can help with this
- Not using work passwords for personal accounts
- Password complexity requirements
- Avoiding dubious websites
In terms of process and technology
- Multi-factor authentication should be used as widely as possible
- The external attack surface should be as small as possible and kept up to date
- Keep the number of highest-level accounts to a minimum. Let’s just say that eight Domain Administrators is too many…
- Restrict use of local administration rights
- Service account hygiene – remove un-used service and testing accounts
- Control and monitor the use of powerful admin tools and potentially unwanted programs
- Monitor for unexpected logins (e.g. geography and time)