
Using Ransomware Playbooks to Build More Secure Configuration Standards




Setting The Stage

It’s a very rare moment when the cybersecurity industry is able to obtain deep levels of insight from malicious attacker groups. On July 24th, 2021, the playbook from the malicious attacker group Conti was leaked. The leak provides detailed instructions, from a malicious attacker’s perspective, on how to use specific vulnerabilities for lateral movement, privilege escalation, and exploitation.


The playbook assumes that the attacker has already gained a foothold in the network via phishing or an insecure system. Once the foothold has been established, the playbook starts with exploring to find valuable systems to exploit.


Our goal in this article is to provide a summary of the guide, how it is used to compromise systems and networks, and what you can do today to protect your organization.


Attackers Always Start with Discovery

The playbook starts by providing methods of reconnaissance and information gathering. It instructs the user to search the internet for information regarding the company, any financial information, and any websites they may own.


From there, it lists some commands that can be used to gather information regarding resources on the network, specifically domain controllers and administrators:


  • shell whoami

  • shell nltest /dclist

  • net domain_controllers

  • shell net localgroup administrators

  • shell net group "Domain Computers" /domain


The Vulnerabilities that Attackers Use

Next, users are instructed to use a PowerShell script to find writable shares that the payload can be uploaded to. The goal here is to find shares that only administrators would have access to. It also explains how to find and extract data from critical areas of the business, including financial shares, accounting, IT, clients, and/or ongoing projects.


The preferred method to gather the credentials needed for this is through Kerberoasting. However, there are walkthroughs for several other methods of exploitation, including Mimikatz, PrintNightmare, and Zerologon. The specific methods used to exploit each of these is outside the scope of this article. However, it is important to know the basics of how each of them works in order to protect against them.

| Attack Name | Description |
| --- | --- |
| Kerberoasting | Exploits the Kerberos ticketing process, stealing the password hashes for accounts through the Service Principal Name (SPN) ticket. From there, the hashes are run through a hash cracker such as Hashcat in an attempt to crack the password. If successful, passwords can then be used across the domain. |
| Mimikatz | An open-source tool specifically designed to steal Windows passwords. It achieves this by stealing the passwords that are stored in memory by WDigest in order to aid with Single Sign On (SSO). There have since been modifications to the program to also target the Local Security Authority Server Service (LSASS). |
| PrintNightmare | A vulnerability in which the attacker can exploit the Print Spooler service to execute privileged operations on the target system. In doing so, they can remotely execute code with SYSTEM privileges, essentially giving them complete control of the system. |
| Zerologon | Exploits a cryptographic flaw that allows the attacker to log on to servers using Windows New Technology LAN Manager (NTLM). Essentially, all the attacker has to do is spoof the identity of a computer on the network, which isn’t difficult due to weak cryptography. From there, they can disable signing and sealing, enabling all messages to be transmitted in the clear. |


The Attacker’s End Game - Sensitive Data Extraction

After the attacker is able to accomplish lateral movement and privilege escalation with any of the techniques listed, they then attempt to establish persistence on the network. This is typically done using one of two applications: AnyDesk or Atera (remote access programs). They like to install AnyDesk on any hosts that are not in use, or abandoned, and Atera on the rest. Given that they have achieved administrator privileges, they are able to install and configure these applications in methods that allow them to exfiltrate whatever data they desire, including further enumeration, emails, and other data goldmines.


The guide continues on to describe how to package up the data, exfiltrate it, and even how to disable AV services such as Sophos. The instructions contained are fairly easy to follow and even provide guidance on when the attacker needs to request help from the Conti chain-of-command. In order to protect valuable assets from being exploited using these methods, there are some best practices and CIS hardening strategies that can mitigate all of these threats.


Building an Effective Defense


Step 1 – Patch Your Systems

The first step, and arguably the most important, is to ensure that all computer systems and applications are updated. In larger organizations, this is best achieved through a well-planned and executed patching program. Being able to test security patches and updates and push them to production as quickly as possible will help minimize the risk of these being exploited. Patching and computer hardening strategies can literally make all the difference in the world. Of course, each of the listed vulnerabilities has its own unique methods for mitigation as well.


Step 2 – Establish Monitoring Alerts

It can be difficult to prevent Kerberoasting altogether; however, by following some best practices, the risk can be minimized. Ensuring that solid monitoring is in place, including for Windows EventID 4769, can help to detect if an attack is occurring. Also, following security best practices such as limiting Service Principal Name (SPN) accounts, removing any accounts that are no longer needed, and following the rule of least privilege can all help in preventing a successful Kerberoast attack.


Step 3 – Configure Stronger Password Settings

Mimikatz can also be somewhat mitigated through updates and configuration hardening. Updating to Windows Server 2016 or newer and updating Active Directory functional level is a start. From there, disabling the “store passwords using reversible encryption” and password caching will help prevent passwords from being stolen and make them extremely difficult to crack if they are. It is worth noting that disabling password caching can have a negative effect on things like Single Sign On, so make sure this is tested prior to being implemented in production. Also, ensuring that admin accounts are put in the “Protected Users” group in AD will help, but can break some configurations so again, testing before implementation is important.

  • Refer to the CIS benchmark guidelines 1.1.7 (L1), 18.3.7 (L1), and 18.8.5.1 (NG) to learn more about these settings. Finally, Windows Credential Guard can be extremely useful in trying to protect credentials.

  • Also, following CIS guidelines 1.1.5 (L1) and 1.1.6 (L1) regarding password complexity requirements can help ensure that any stolen hashes will be extremely difficult to crack.


Step 4 – Use Next-Gen Security Features

To help protect against Kerberoasting, Mimikatz, and other potential credential theft threats, Microsoft introduced the Credential Guard feature in Windows 10 and Server 2016. This feature isolates credentials on systems using virtualization-based security. This ensures that access to stored credentials is only available to a few privileged processes. Refer to Microsoft documentation to learn more about the requirements needed to leverage Credential Guard, as well as the process of enabling it on servers and endpoints.


Step 5 – Configure Secure Baseline Standards

Finally, Microsoft has also released security patches to mitigate both the Zerologon and PrintNightmare vulnerabilities. For the Zerologon issue, refer to 18.9.108 in the CIS Benchmarks for more information regarding the patch.


Regarding PrintNightmare, there are several other mitigation methods that can be utilized in addition to patching. Mainly, the idea is to completely disable the Print Spooler service on any computer where it is not needed. The following sections in the CIS control guidelines specifically address this vulnerability and its mitigations:

  • Server

  • 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) (Automated)

  • 5.2 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only) (Automated)

  • 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)

  • 18.6.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' (Automated)

  • 18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' (Automated)

  • 18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' (Automated)

  • Client

  • 5.18 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (Automated)


Summary

The Conti Group has been very successful in exploiting these vulnerabilities to achieve their desired results. The playbook that was released is very detailed and just goes to show how organized they really are. Hopefully, this article has provided some guidance on how to help beef up an organization's security posture and protect critical data from groups such as Conti. Following a solid patching program and applying the configuration settings outlined in the CIS Benchmarks can go a very long way in solidifying defenses and ensuring due diligence is being exercised in order to keep everyone safe.


REFERENCES

Conti Playbook

Hardening and Patching Resources


Technical Remediation Recommendations

PrintNightmare: CVE-2021-34527

Summary: A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Remediation: Apply appropriate Windows Updates listed here.


Workarounds:

  • Option 1 - Disable the Print Spooler service

  • Option 2 - Disable inbound remote printing through Group Policy


CIS Controls:

  • Server

  • 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) (Automated)

  • 5.2 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only) (Automated)

  • 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)

  • 18.6.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' (Automated)

  • 18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' (Automated)

  • 18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' (Automated)

  • Client

  • 5.18 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (Automated)


Reference: https://www.kb.cert.org/vuls/id/383432


ZeroLogon: CVE-2020-1472

Summary: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.


To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.


Remediation: Apply appropriate Windows Updates listed here.


CIS Controls:

  • Server

  • 18.9.108 Windows Updates


Reference: https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/


EternalBlue (MS17-010): CVE-2017-0147

Summary: An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.


Remediation: Apply appropriate Windows Updates listed here.


Workarounds: Disable SMBv1


CIS Controls:

  • Server & Client

  • 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' (Automated)

  • 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' (Automated)


Reference: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010


Kerberoasting:

Summary: An attacker can enumerate Active Directory accounts that have Service Principal Name (SPN) values set. They can either target as many service accounts as they desire, or they can target very specific accounts if they are after certain privileges. They will then use that information to request Ticket-Granting-Service (TGS) tickets and steal the password hashes for those accounts from memory.


From there, they can finish the attack completely offline, as access to Active Directory is no longer needed. The hashes will then be passed through a hash cracker, such as HashCat. If successful, the attacker can then log in with the service account credentials and have all the privileges of that account.


Remediation:

  • Monitor Event 4769 with a SIEM solution.

  • Limit SPN accounts.

  • Remove service accounts that are no longer needed.

  • Strong password requirements.

  • Use Multifactor Authentication (MFA)


CIS Controls:

  • Server & Client

  • 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)

  • 1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' (Automated)


Reference: https://adsecurity.org/?p=3458
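
The Event 4769 monitoring recommended in Step 2 and in the remediation list above can be expressed as a small detection rule. The following is an added example, not code from the original article or from any SIEM product. It flags a requester that obtains RC4-encrypted service tickets for several distinct user-backed services within a short window. The record layout, the thresholds, and the account names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC tickets
WINDOW = timedelta(minutes=5)   # assumed tuning value
MAX_SERVICES = 3                # assumed tuning value

def ev(clock, user, service, etype="0x12", status="0x0"):
    """Build one constructed 4769 record with only the fields used below."""
    return {"EventID": 4769, "TimeCreated": f"2021-08-10T09:{clock}",
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}

# Constructed sample events (hypothetical accounts in a CORP.EXAMPLE domain).
EVENTS = [
    ev("00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17"),
    ev("00:03", "jdoe@CORP.EXAMPLE", "svc_web", "0x17"),
    ev("00:04", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17"),
    ev("00:06", "jdoe@CORP.EXAMPLE", "svc_sharepoint", "0x17"),
    ev("01:10", "asmith@CORP.EXAMPLE", "svc_sql"),            # AES ticket
    ev("02:00", "asmith@CORP.EXAMPLE", "FILE01$", "0x17"),    # machine account
    ev("03:00", "bwong@CORP.EXAMPLE", "svc_sql", "0x17"),     # one-off request
]

def is_candidate(e):
    """Successful RC4 service-ticket request for a user-backed service account."""
    svc = e["ServiceName"].lower()
    return (e["EventID"] == 4769 and e["Status"].lower() == "0x0"
            and e["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc != "krbtgt")

def detect(events, window=WINDOW, max_services=MAX_SERVICES):
    """Return {requester: [services]} where one requester obtained RC4 tickets
    for more than max_services distinct services inside a sliding window."""
    per_user = defaultdict(list)
    for e in filter(is_candidate, events):
        when = datetime.fromisoformat(e["TimeCreated"])
        per_user[e["TargetUserName"]].append((when, e["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end, (when, _) in enumerate(reqs):
            while when - reqs[start][0] > window:
                start += 1
            seen = {svc for _, svc in reqs[start:end + 1]}
            if len(seen) > max_services:
                alerts.setdefault(user, set()).update(seen)
    return {user: sorted(svcs) for user, svcs in alerts.items()}
```

On the constructed events, `detect(EVENTS)` reports only the `jdoe` requester; the AES request, the machine-account request, and the single RC4 request stay below the rule.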


Mimikatz:

Summary: This is an open-source platform designed with the sole intent of stealing passwords from Windows based operating systems. The original version was created to demonstrate a flaw with WDigest that allowed attackers to steal passwords from memory. Since then, it has gone through many iterations and currently has many password stealing capabilities, including pass-the-hash, pass-the-ticket, Kerberos Golden and Silver tickets, and pass-the-key. Although WDigest is disabled by default as of Windows 10, an attacker that is able to escalate privileges can enable it and use Mimikatz to steal the passwords on the machine.


More recently, Mimikatz was also updated to include a pass-the-cache attack, which attempts to steal stored credentials from Mac, UNIX, and Linux systems.


Remediation:

  • Update OS to Win10/Server 2016 or newer.

  • Update AD Functional Level.

  • Disable 'Store passwords using reversible encryption'.

  • Disable password caching (this will jack up offline logins).

  • Put admin accounts in "Protected Users" AD group (will also jack stuff up).

  • Use Credential Guard.

  • Use long and complex passwords.


CIS Controls:

  • Server

  • 1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Automated)

  • 18.3.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)

  • 18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)


Reference:
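
The registry-backed CIS items listed in this section (Print Spooler, Point and Print, WDigest) can be checked against an exported registry snapshot. The following is an added example, not code from the original article or from CIS. It parses `reg export` text and reports each setting that is wrong or was never set. The registry key paths and value names mapped to each CIS item are assumptions of this example, and the sample export is constructed.

```python
import re

# CIS item (from the article) -> registry key, value name, expected DWORD.
# The key paths and value names are assumptions of this example.
CCS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
PRN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
CHECKS = [
    ("5.1/5.2/5.18 Print Spooler", CCS + r"\Services\Spooler", "Start", 4),
    ("18.3.5 driver install admins only", PRN + r"\PointAndPrint",
     "RestrictDriverInstallationToAdministrators", 1),
    ("18.3.7 WDigest", CCS + r"\Control\SecurityProviders\WDigest", "UseLogonCredential", 0),
    ("18.6.1 spooler client connections", PRN, "RegisterSpoolerRemoteRpcEndPoint", 2),
    ("18.6.2 Point and Print install prompt", PRN + r"\PointAndPrint",
     "NoWarningNoElevationOnInstall", 0),
    ("18.6.3 Point and Print update prompt", PRN + r"\PointAndPrint",
     "UpdatePromptSettings", 0),
]

# Constructed sample in `reg export` text form (decode the real file as UTF-16).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000001
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000000
"""

def parse_reg(text):
    """Return {(key, value_name): int} for every DWORD, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return [(item, finding)] for settings that are wrong or never set."""
    values, findings = parse_reg(reg_text), []
    for item, key, name, want in CHECKS:
        got = values.get((key.lower(), name.lower()))
        if got is None:
            findings.append((item, "not configured"))
        elif got != want:
            findings.append((item, f"is {got}, expected {want}"))
    return findings
```

A value that is absent is reported separately from one that is wrong, because an absent policy leaves the behaviour to the operating-system default rather than to the baseline.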
