Authentication is the procedure for validating the digital identity of the requester or sender of information. Passwords are the most common form of authentication used today, but when passwords are leaked to the dark web, adversaries can use them to intrude into your network and cause damage.
There are different ways a hacker can obtain credentials. One of them is to modify the authentication process itself, which lets the attacker gain access to enterprise resources and to privileged and root accounts, take control of remote systems, and even move laterally to other servers with the controls acquired.
The authentication process is handled by different entities in different operating systems. In Windows, it's handled by the Security Accounts Manager (SAM) and the Local Security Authority Subsystem Service (LSASS); in Unix-based systems, by pluggable authentication modules (PAM); and in macOS, by custom authorization plug-ins. These entities are responsible for storing the credentials and validating the credentials received against that store.
As a security professional, it is important to know where and how hackers can modify the authentication procedures. MITRE ATT&CK presents four techniques that adversaries commonly use to reveal or bypass these mechanisms. They are:
Let's look at the process behind each modification technique, how to detect them, and ways to avoid them in the future.
How it works
In 2015, researchers at Dell SecureWorks published details about an in-memory malware, Skeleton Key, discovered at a customer site. When adversaries succeed in installing this malware on a domain controller (DC), it modifies the DC to accept an additional, attacker-chosen master password for any domain user, including admins.
The Skeleton Key malware allows adversaries to authenticate as any domain user and access resources with admin rights, even though they don't know the actual admin passwords. Once the master password is in place, they use it to log in as any domain user, and each login looks legitimate because the user's real password still works as well.
Since this is an in-memory attack, network-based intrusion detection and prevention (IDS/IPS) tools cannot detect it. Security tools that detect threats based on signatures and behaviors on the host should be used to detect this attack.
This section helps you uncover the clues in domain controller logs that help you detect this attack.
Event ID | Description | Reason to audit |
---|---|---|
4697 | A service was installed in the system. | This is used to detect whether malware is installed in the DC. |
4673 | A privileged service was called. | Installing malware in the DC requires admin or higher privileges, so unusual DC logon activity must be monitored. |
4611 | A trusted logon process has been registered with the Local Security Authority (LSA). | This event is logged every time the server starts and after every login. Since the malware configures a new logon process, this event can help pull out rogue logon processes. |
Apart from configuring your security solution to capture and analyze these events for detecting the attack, you can use a behavioral analytics tool to spot suspicious behaviors.
Configuring a user and entity behavior analytics (UEBA) tool to notify you of suspicious activities helps detect this attack. Examples include:
The ideal way is to use a security information and event management (SIEM) solution that utilizes signature-based and behavior-based attack detection techniques. Obtaining a combined analysis view helps you validate suspicious events better and accurately detect DC authentication manipulation.
SIEM tools correlate logs from multiple sources and send alerts when something suspicious is found. Beyond rules and correlations, they provide UEBA capabilities to understand the behavior of the employees and discover irregular patterns.
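The following is an added example, not code from the original post or from any vendor product, showing how the three audit events in the table above can be turned into detection rules and then correlated the way the SIEM paragraph describes. It goes slightly beyond the text by adding a time-window correlation across the three events. The event records, field names, baselines (known logon process names, known DC admin accounts, trusted service directories) and the ten-minute window are all constructed assumptions; in practice you would populate the baselines from your own DC's history and feed in events exported from the Security log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed baselines (hypothetical; build these from your own DC's history).
KNOWN_LOGON_PROCESSES = {"Winlogon", "Advapi", "Kerberos", "NtLmSsp", "Schannel", "IKE", "User32"}
KNOWN_DC_ADMINS = {"CORP\\da_admin", "CORP\\svc_backup"}
TRUSTED_SERVICE_DIRS = ("C:\\Windows\\System32\\", "C:\\Program Files\\")
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events in a simplified dict form (not the native EVTX/XML
# layout); the field names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"time": "2022-03-01T02:14:05", "host": "DC01", "id": 4673,
     "account": "CORP\\jdoe", "privilege": "SeTcbPrivilege"},
    {"time": "2022-03-01T02:14:09", "host": "DC01", "id": 4697,
     "account": "CORP\\jdoe", "service": "updsvc",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\EXAMPLE-dropper.exe"},
    {"time": "2022-03-01T02:14:12", "host": "DC01", "id": 4611,
     "account": "SYSTEM", "logon_process": "EXAMPLE-rogue"},
    {"time": "2022-03-01T08:30:00", "host": "DC01", "id": 4611,
     "account": "SYSTEM", "logon_process": "Winlogon"},
    {"time": "2022-03-01T09:00:00", "host": "DC01", "id": 4673,
     "account": "CORP\\svc_backup", "privilege": "SeBackupPrivilege"},
]


@dataclass
class Alert:
    severity: str
    host: str
    event_ids: Tuple[int, ...]
    reason: str


def check_event(ev: dict) -> List[Alert]:
    """Per-event rules for the three audit events (4697, 4673, 4611)."""
    eid, host = ev["id"], ev["host"]
    reasons = []
    if eid == 4697:  # a service was installed
        if not ev.get("path", "").startswith(TRUSTED_SERVICE_DIRS):
            reasons.append(f"service '{ev.get('service')}' installed from untrusted path {ev.get('path')}")
        if ev.get("account") not in KNOWN_DC_ADMINS:
            reasons.append(f"service installed by non-baseline account {ev.get('account')}")
        severity = "medium"
    elif eid == 4673:  # a privileged service was called
        if ev.get("account") not in KNOWN_DC_ADMINS:
            reasons.append(f"{ev.get('privilege')} used by non-baseline account {ev.get('account')}")
        severity = "medium"
    elif eid == 4611:  # a logon process was registered with LSA
        if ev.get("logon_process") not in KNOWN_LOGON_PROCESSES:
            reasons.append(f"unrecognised logon process '{ev.get('logon_process')}' registered with LSA")
        severity = "high"
    else:
        return []
    return [Alert(severity, host, (eid,), "; ".join(reasons))] if reasons else []


def correlate(events: List[dict]) -> List[Alert]:
    """Raise one critical alert when a single host shows the whole chain
    (privileged call -> service install -> new logon process) inside the window."""
    by_host: Dict[str, List[dict]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["id"] != 4673:
                continue
            t0 = datetime.fromisoformat(start["time"])
            later = [e for e in evs[i + 1:]
                     if datetime.fromisoformat(e["time"]) - t0 <= CORRELATION_WINDOW]
            if {4697, 4611} <= {e["id"] for e in later}:
                alerts.append(Alert("critical", host, (4673, 4697, 4611),
                                    f"privileged call, service install and new logon process within {CORRELATION_WINDOW}"))
                break  # one chain alert per host is enough
    return alerts


def analyze(events: List[dict]) -> List[Alert]:
    """Per-event alerts in time order, followed by any correlated chain alerts."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alerts.extend(check_event(ev))
    alerts.extend(correlate(events))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.event_ids}: {a.reason}")
```

On the constructed sample, the 02:14 cluster produces two medium alerts, one high alert for the unknown logon process, and one critical chain alert; the later Winlogon registration and the backup account's privileged call match the baselines and stay quiet. The baselines are what make this usable: a 4611 event fires on every boot and login, so only a comparison against the logon processes the DC has historically registered separates a rogue one from routine noise.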
Let's investigate password filter DLLs in part two of this series.
© 2022 Zoho Corporation Pvt. Ltd. All rights reserved.