Pentest reports tell a story. The story of how the team managed to break into your environment. In my experience, a critical component usually missing from these reports is the rationale behind the choices made by the pentesters who ran the assessment.
- Why did they go after a particular account?
- Why did they target a specific set of servers?
- Why did they choose one lateral movement technique over the other?
Asking why allows you to deconstruct choices that real threat actors might make in your environment. Having a sense of those choices will give you some active defense opportunities.
Let me demonstrate this with a little thought experiment. Let’s consider a pentest where the objective was to demonstrate access to the customer database. Here’s what the pentesters broadly did:
- Established a C2 using PowerShell.
- Enumerated the Active Directory domain for users and groups, specifically privileged groups.
- Enumerated the domain to find computers.
- Attempted privilege escalation techniques and compromised the domain admin.
- Scanned a subset of computers to identify the customer DB.
- Used the domain admin account to login to the database server.
- Logged into the Customer DB.
In each of these steps, the pentesters made some choices. As you’ll now see, deconstructing these choices can help build better defenses.
Deconstructing the pentest report to find Active Defense plays
The Active Defense matrix was released by MITRE to provide a framework for identifying opportunities where adversary behavior can be influenced to enable defenders to easily spot threats.
The foundation of the Active Defense approach rests on three principles:
- Beat the human behind the software
- Do simple things the adversary does not anticipate to encourage or complicate their operation.
- Make sure the things you do allows the corresponding telemetry to stand out i.e. collect more effective telemetry.
So let’s begin by deconstructing each of the 7 steps in the report to identify Active Defense opportunities
#1 – C2 using PowerShell
Why PowerShell?
- Sophisticated off the shelf tooling
- PowerShell logging & blocking not widely implemented
- Great obfuscation capabilities
Active Defense Opportunity
Block PowerShell to force the adversary to use non-PowerShell options.
Advantage
Since PowerShell usage for C2 is fairly common, it reduces the risk of being hit with commodity malware that uses PowerShell even today.
MITRE Shield Technique: Security Controls
#2 – Enumerated the domain for users and groups
Why enumerate the users?
- Find privileged group members of groups like Domain and Enterprise Admin. Successful compromise of DA / EA will almost certainly result in customer DB access down the line, so it’s important to know who they are.
- Run keyword searches across attributes like username, SPN, description, etc. to find accounts that can be used for SQL logins. Example ‘SQL’, ‘DB’, ‘etc’. This will be useful down the line when it’s time to figure out how to login to the database, regardless of whether you have domain admin credentials or not.
Active Defense Opportunity
Setup attractive decoy accounts, assign attractive privileges, and setup attribute level auditing on description, SPN, etc. to monitor enumeration attempts. This has the added advantage of detecting password spraying regardless of intensity and staggering strategies.
Advantage
Gain insight into enumeration activities being conducted against the domain from a user perspective.
(Note: Don’t ever use these accounts for any operations. There are ways to make this opsec safe)
MITRE Shield Technique: Decoy Account
#3 – Enumerated the domain for computers
Why enumerate the computers?
- Run keyword searches across attributes like hostname, SPN, description, etc. to find accounts that could be SQL servers. Example ‘SQL’, ‘DB’, ‘etc’. This will be useful down the line when it’s time to figure out where the DB is located.
Active Defense Opportunity
Setup decoy computers, assign attractive hostnames to databases, and setup attribute level auditing on description, SPN, etc. to monitor enumeration attempts.
Advantage
Gain insight into enumeration activities being conducted against the domain from a computer perspective.
MITRE Shield Technique: Decoy System
#4 – Privilege Escalation
Why Privilege Escalation?
- Get to a higher level of privilege. In this case, the target privilege level is the database/server administrator on the customer database.
- Escalated privileges can allow you admin access to one, few, many, or all systems on the network.
- With high privileges, you have the opportunity to log in to more systems and steal credentials.
Let’s assume that Kerberoasting was the privilege escalation technique that worked. In this case, let’s also assume that the service account was a domain admin.
Why Kerberoasting?
- It targets service accounts i.e. accounts that have an SPN attribute configured.
- Service account passwords never expire.
- Sometimes, service accounts are granted DA privileges. At the very least, they have admin privileges somewhere.
- Some service accounts are so old that no one remembers they exist and have weak passwords.
- It’s really difficult to detect on the wire.
- Logs related to service ticket operations are not logged by default. If they are, it is difficult to tell the difference between legitimate and malicious service ticket operations.
Active Defense Opportunity
- Setup a decoy kerberoastable account, assign attractive usernames to databases (e.g. SQLAdmin), add a SQL-related SPN (e.g. MSSQLSvc/custdb.domain.com), and write a rule to capture Event ID 4769 for the decoy account.
- Remove the real domain admin service account from being kerberoastable or downgrade its privileges.
Advantage
Makes the adversary believe they have obtained hashes to the customer database SQL service account while at the same time removing the risk of kerberoasting a real domain admin account.
A similar approach can be used for other popular privilege escalation techniques.
- Tomcat Manager exploit – Plan a decoy system with Tomcat manager and monitor for connections and interactions towards this system.
- LLMNR poisoning – Use a tool like Conveigh to send decoy broadcasts over the subnet and monitor for responses to these broadcasts.
- Credential Dumping – Use Invoke-runas to plant fake domain admin credentials in memory using the /netonly technique.
There are many techniques available for privilege escalation, and some of them lend themselves well to an Active Defense approach. However, in cases where that doesn’t work, focus on what the adversary intends to accomplish with those privileged credentials.
MITRE Shield Technique: Decoy Account, Decoy System, Security Controls
#5 – Scanned a subset of computers to identify the customer DB
Why Scan?
- Check if the database server is reachable from the target list compiled in #3.
- Check if the database port is open.
- Check if any banners reveal which might be the customer database.
- Check for default passwords on SQL servers for the ‘sa’ account.
Active Defense Opportunities
- Plant a decoy SQL server on the network. Alert when you see port enumeration.
- Make the real customer database accessible only from certain machines.
Advantage
Even a single port query against the decoy SQL server system is worth investigating while complicating access to the real customer database.
MITRE Shield Technique: Network Diversity, Decoy Diversity, Network Manipulation
#6 – Used the domain admin account to login to the customer database server
Why log in to the customer database server?
- With domain admin privileges, you can extract credentials from memory from the customer database.
- Helps you compromise the logged-on SQL administrator account (whether it’s a user or service doesn’t matter).
Active Defense Opportunities
- Implement a standard operating procedure to prevent a domain admin from ever logging into the database server. Implement the corresponding rule for this server alone in your SIEM.
- Plant decoy SQL administrator credentials in memory.
Advantage
Even a single port query against the decoy SQL server system is worth investigating while complicating access to the real customer database
MITRE Shield Technique: Standard Operating Procedure, Decoy Credentials
#7 – Login to the database itself
Unfortunately, if the adversary has reached this point, detection difficulty increases. This is because, from an analytics perspective, you are looking for a legitimate account, logging into a legitimate database, and running possibly legitimate queries. However, there are still things we can do.
Active Defense Opportunities
- Setup query auditing on the SQL server for accounts with DB admin rights.
- Hunt for non-standard queries in the hope of spotting the adversary running ‘select *’ operations and join operations to fully extract the customer database.
MITRE Shield Technique: Hunting, System Activity Monitoring
Apply Active Defense Approach to any use case
I present an abstracted approach to applying Active Defense use cases. It has 4 pieces:
- Deceive – Can I do something to trick the adversary en route to/on the system?
- Standardize – Can I define how a particular system must be used/controlled?
- Analyze – Can I bubble-up anomalies against the system I am protecting?
- Control – Can I make it more difficult to reach and compromise the system?
You can use the above as a combination to assess a use case beyond just analyzing pentest reports. The pentest report was just a means for me to present my idea.
Closing Notes
I would like you to note a few things.
- Use of the Active Defense approach covers the kill-chain and encourages you to think about the ‘why’ to build better defenses and how your network, endpoints, and active directory are all interconnected.
- It reduces complexity otherwise introduced by large scale data analytics across GBs of logs a day.
- The active defense approach is not limited to decoys alone, but it is a significant component.
- You don’t have to baseline and standardize operating procedures across everything. Just the stuff that matters to you.
- You can tighten your hunt use cases with Active Defense, making hunting a lot more productive.
- You can take a targeted approach to apply controls, rather than spray controls all over the network that costs time and requires effort.
Continue Reading
Using deception to shield the insurance sector
Insurance companies are under siege from cyberattacks. We take a look at some of the key pieces of an insurer’s infrastructure the adversaries target and how you can use deception to build active defenses.By Sudarshan PisupatiFour MITRE Shield Techniques You Can Implement in 2021
For free, of course. At this point, I’m positive that you’ve heard of MITRE Shield. It’s a new active defense knowledge base released by MITRE – stuff they’ve been implementing for over a decade to engage adversaries and derail attacks. They’ve opened it up to everyone, and for the first time perhaps, the infosec community […]By Sudarshan PisupatiActive Defense – Incident Response’s New Best Friend
Active defense provides defenders with a shared vocabulary and framework for actively dealing with threats instead of passively reacting to them.By Sudarshan Pisupati
- Detect zero-days, APTs, and insider threats
- 10x the detection capabilities with 1/2 the team
- Get started in minutes, fully functional in hours
