Hello. This is Dan Conrad from One Identity. And welcome to Virtual Unite 2020. Really glad you're joining us for this session today. Today, I'm going to talk to you about a point-and-click Active Directory breach. And some simple steps that you can take to protect against that.
We've seen-- if you're into cybersecurity at all, you look at different ways to do breaches, and different ways things are attacked, and different ways that attackers will try to grab the intellectual property or whatever it is they're after on your environment. And we've seen some deep-dive command-line stuff. But today, I'm going to show you about as simple as it can possibly be of what an Active Directory breach looks like. And then I'm going to walk you through some of the One Identity tools that protect against that.
A little bit about my lab here. So this is a test lab. This is not an instructional video on how to do this. This is a simple sample of what it could look like in your environment. This lab, I call it the perfect storm of vulnerabilities.
So it's running, first off, a legacy operating system. So it's an old operating system that doesn't have a lot of the modern protections built into that. The user has local admin rights. So this could be a workstation. This could be a server. But the person using the workstation actually has local admin rights to the box.
And then in this case, we're going to assume that the attacker already has remote access. That could have been through a phishing attempt or something like that that actually gave the attacker a way to install things on that box. In this case, the attacker has installed a little program called Mimikatz. Maybe you've heard of it, maybe not. If not, I'm going to walk you through what that looks like.
So real quick, let's jump over. And we're going to take a look at taking a breach into our lab environment. So I'm logged on to a server in my environment here as my user. So I'm going to emulate what an attacker would do in this environment. So first off, I want to see who I am right now. So I'm logged on as this user, ginabai. So let's go over to the Mimikatz directory. And then the tools we want are in the x64 directory. And then I'm going to launch the Mimikatz command line. So now I'm in Mimikatz. So let's clear the screen.
First thing you want to do in Mimikatz is get a cup of coffee. So, oops, c-o-f-f-e-e. So there's your cup of coffee. And Mimikatz doesn't do anything. It's just interesting. So first thing we're going to do is raise our privilege level. So we're going to type-- set it to the debug level. So that worked.
So now we're going to run a command called sekurlsa. And we're going to do a switch on that called logonpasswords. This is going to reach into memory and pick up all the locally cached logon passwords on that machine. So as the screen is scrolling by, it looks a little bit scary. It's really not that bad. So I'm going to open up Notepad so I can capture some of these. Let's go back to the top and start looking at what we want here.
So I can see a username right here, SGTempDomAdmin1. Let's copy that, put it over in Notepad because I'm going to use that later. So that looks like an account that I'm going to be able to use. Paste that in over here. I know the domain name. Then I'm going to go down, and you can see right here this is my NTLM hash. So let me capture this NTLM hash right here. And this is what's going to give me access to the rest of the environment. Guess I'll paste this in over here.
Let's go grab a couple more. So same one, same one. Some of these are server names that are authenticating. Don't need to worry about those. I'm going to look for more users. Here's ginabai. So that's my-- let me go ahead, and I'll use hers as well. So that's the username. And here's the NTLM hash right there on this user. I'm going to grab this just in case I need to use it later.
Typically, an attacker is going to grab every hash possible and try them all. But this lab, this environment, I set it up, so I know what I'm looking for. But you would typically grab all of these. These are servers authenticating. So here's an account called da2. So let's grab this one as well. So here's the NTLM hash right here. And we'll paste this in right here.
All right, so now we've got some hashes that we can use. If I was going to keep going, I would grab more and more of these. An interesting tidbit on the hashes here-- you'll notice that ginabai starts with "64f" and ends in "949b." The account da2 starts with "64f," and that ends in "949b." That means they have the same password. So now we're going to go try to use those hashes.
OK, so now we're going to run the sekurlsa command again. And we're going to do colon colon pth, the Pass The Hash. We're going to choose the username, da2. We're going to choose the domain name, fully qualified. Then I'm going to pass the credential, which is the NTLM hash right here. We go capture that, take this space out right here.
So this is going to launch a command prompt for me so that I can actually run that as the da2 account simply by passing the NTLM credential right here. So now I have a command prompt. So you could do a lot of things from a command prompt right here. But I have a point-and-click