Making Lateral Movement Difficult in an Active Directory Environment
Intro:
I recently saw this post via Twitter:
One thing that caught my eye was the "Pass the Hash" mitigation screenshot. I saw the GPO settings and understood their functionality, but I couldn't really piece its full impact together until I tried it myself. I wanted to do a quick post illustrating a) how easy it is to set the GPO up and b) how large a security impact it really has.
The Problem:
Does this scenario sound familiar to you: all of your organization's endpoints have a local administrative account with the same password? If it does, you're probably not alone, as this is fairly typical practice. From an attacker's standpoint, though, this is a goldmine, as one compromised credential can mean access to many machines. Access to many machines also means there's a greater chance that the attacker can grab sensitive credentials (Domain Admins, etc.) from those machines.
Let's illustrate this. I'm an attacker and I have gained access to a workstation where the user was a local administrator. I proceed to dump hashes or pull cleartext credentials, and I'm now trying those credentials across the environment to see what they have access to.
In the example below, I'm using the awesome CrackMapExec to try a local administrative user/password combo that I acquired against my lab machines:
Awesome, I am now using one set of credentials to access all the machines on the network.
Since this is a local authentication attempt, each endpoint validates the logon itself and nothing is sent to a domain controller, so the SOC will not likely see this unless you are collecting endpoint logs in addition to server and domain controller logs.
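To make the detection point concrete, here is a small added example (my own, not code from the original post or from CrackMapExec) that runs over a few constructed Security event 4624 records as you would collect them from endpoints. It flags network logons (LogonType 3) where the account's realm is the endpoint's own hostname rather than the domain, i.e. a local account being used over the network, and then groups those by source address and account to surface one credential touching many hosts. The domain name, hostnames, addresses and account names are all hypothetical.

```python
"""Find local-account network logons across endpoints in Security event 4624 records."""
import json
from collections import defaultdict

# Assumed NetBIOS domain name (constructed for this example).
DOMAIN = "CORP"

# Constructed sample events as JSON lines, shaped after the fields a 4624
# (and one 4625) event carries. Hostnames, IPs and accounts are hypothetical.
SAMPLE_LOG = """
{"Computer":"WS01.corp.example","EventID":4624,"LogonType":3,"TargetUserName":"localadmin","TargetDomainName":"WS01","IpAddress":"10.0.0.50"}
{"Computer":"WS02.corp.example","EventID":4624,"LogonType":3,"TargetUserName":"localadmin","TargetDomainName":"WS02","IpAddress":"10.0.0.50"}
{"Computer":"WS03.corp.example","EventID":4624,"LogonType":3,"TargetUserName":"localadmin","TargetDomainName":"WS03","IpAddress":"10.0.0.50"}
{"Computer":"WS03.corp.example","EventID":4624,"LogonType":2,"TargetUserName":"localadmin","TargetDomainName":"WS03","IpAddress":"-"}
{"Computer":"WS01.corp.example","EventID":4624,"LogonType":3,"TargetUserName":"jsmith","TargetDomainName":"CORP","IpAddress":"10.0.0.50"}
{"Computer":"FS01.corp.example","EventID":4624,"LogonType":3,"TargetUserName":"WS04$","TargetDomainName":"CORP","IpAddress":"10.0.0.44"}
{"Computer":"WS05.corp.example","EventID":4625,"LogonType":3,"TargetUserName":"localadmin","TargetDomainName":"WS05","IpAddress":"10.0.0.50"}
"""


def parse_events(text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_local_account_network_logon(event, domain):
    """True for a successful network logon (4624, type 3) whose account realm is
    the endpoint's own short hostname instead of the domain."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    realm = event.get("TargetDomainName", "").upper()
    host = event.get("Computer", "").split(".")[0].upper()
    # A domain account carries the domain as its realm; a local account carries
    # the machine name. Comparing against the host name keeps the rule tight.
    return realm == host and realm != domain.upper()


def local_account_network_logons(events, domain):
    """Return only the events that match the rule above."""
    return [e for e in events if is_local_account_network_logon(e, domain)]


def hosts_per_source(flagged):
    """Map (source IP, account) -> set of endpoint names that accepted the logon."""
    seen = defaultdict(set)
    for e in flagged:
        key = (e.get("IpAddress", "-"), e.get("TargetUserName", "").lower())
        seen[key].add(e.get("Computer", "").split(".")[0].upper())
    return seen


def spray_candidates(events, domain, threshold=3):
    """(source IP, account) pairs whose local-account network logons reached at
    least `threshold` distinct endpoints: the signature of one shared local
    credential being reused across the estate."""
    grouped = hosts_per_source(local_account_network_logons(events, domain))
    return {key: sorted(hosts) for key, hosts in grouped.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for (src, account), hosts in spray_candidates(parse_events(SAMPLE_LOG), DOMAIN).items():
        print(f"{account} from {src} logged on over the network to {len(hosts)} hosts: {', '.join(hosts)}")
```

The interactive logon (type 2) and the failed attempt (4625) are deliberately left out so the rule only fires on what the attacker's successful CrackMapExec sweep would actually leave behind; a real deployment would also want the failed logons as a separate, noisier signal. The essential point is that these records only exist in the collection pipeline if the endpoints themselves are forwarding their Security logs.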
How, then, do we use the GPO above to make things harder for the attacker?
The GPO:
The GPO entries are found in Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment: