Detecting Access Token Manipulation

Conference:  BlackHat USA 2020

2020-08-06

Summary

The presentation discusses credential theft and access token manipulation techniques on Windows endpoints, and how to detect them using user-land hooks and ETW providers.
  • Credential theft techniques covered include Pass the Ticket, Overpass the Hash, and "net only" logons (the runas /netonly style).
  • ETW providers can enrich the data set and surface techniques that standard logging does not currently detect.
  • Frida, a dynamic binary instrumentation framework, allows custom, scriptable detection logic to be written and hooked into processes on the fly.
  • ETW has limits for detecting Kerberos-related attacks on the client: the better logging lives on domain controllers, whereas the aim of the talk is to catch client-side manipulation. The presenter acknowledges gaps in what can be detected natively and uses user-land hooks and ETW providers to fill them.
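The summary mentions Frida user-land hooks as a way to add detection logic where native telemetry falls short, and lists "net only" logons among the techniques of interest. The following Frida agent is an added example written for this page, not code from the talk or its speaker: it hooks advapi32!LogonUserW in a monitored process and classifies each call by its logon type. The Windows constants are documented values (LOGON32_LOGON_NEW_CREDENTIALS is 9, the type produced by runas /netonly); the choice of LogonUserW as the hook target, the event record layout and the sample calls are assumptions made for illustration. The classification function is kept separate from the hook so it can be exercised outside Frida, and the script prints the constructed samples when run under plain Node.

```javascript
// Added example (not from the talk): Frida agent that hooks advapi32!LogonUserW
// and flags new-credentials logons. Load with e.g. `frida -p <pid> -l hook.js`.
// A logon type of LOGON32_LOGON_NEW_CREDENTIALS (9) is what `runas /netonly`
// uses: the resulting token keeps the caller's local identity but presents the
// supplied credentials to the network, a hallmark of "net only" style token
// manipulation. Legitimate admins use it too, so treat it as a signal to
// correlate (process, parent, user), not a verdict on its own.

// Documented dwLogonType values (winbase.h).
const LOGON_TYPES = {
  2: 'INTERACTIVE',
  3: 'NETWORK',
  4: 'BATCH',
  5: 'SERVICE',
  7: 'UNLOCK',
  8: 'NETWORK_CLEARTEXT',
  9: 'NEW_CREDENTIALS',
};

// Pure classification logic, separated from the hook so it can run and be
// tested outside Frida (Node has no Interceptor). Returns an event record.
function classifyLogonUser(call) {
  const typeName = LOGON_TYPES[call.logonType] || `UNKNOWN(${call.logonType})`;
  const netOnly = call.logonType === 9;
  return {
    pid: call.pid,
    user: `${call.domain}\\${call.user}`,
    logonType: typeName,
    logonProvider: call.logonProvider,
    succeeded: call.succeeded,
    verdict: netOnly ? 'ALERT: new-credentials (netonly-style) logon' : 'ok',
  };
}

// Installs the hook when running inside Frida; returns false elsewhere.
function installHook() {
  if (typeof Interceptor === 'undefined') return false;
  const target = Process.getModuleByName('advapi32.dll').getExportByName('LogonUserW');
  Interceptor.attach(target, {
    onEnter(args) {
      // BOOL LogonUserW(LPCWSTR user, LPCWSTR domain, LPCWSTR password,
      //                 DWORD logonType, DWORD logonProvider, PHANDLE token)
      this.call = {
        pid: Process.id,
        user: args[0].isNull() ? '' : args[0].readUtf16String(),
        domain: args[1].isNull() ? '' : args[1].readUtf16String(),
        logonType: args[3].toInt32(),
        logonProvider: args[4].toInt32(),
      };
      // args[2] is the cleartext password: deliberately never read or logged.
    },
    onLeave(retval) {
      this.call.succeeded = retval.toInt32() !== 0;
      send(classifyLogonUser(this.call)); // delivered to the Frida host (CLI/Python)
    },
  });
  return true;
}

installHook();

// Constructed sample calls, shaped as the hook would capture them, for running
// the classifier outside Frida. Names and PIDs are made up.
const SAMPLE_CALLS = [
  { pid: 4242, user: 'jdoe', domain: 'CORP', logonType: 2, logonProvider: 0, succeeded: true },
  { pid: 4242, user: 'svc_backup', domain: 'CORP', logonType: 9, logonProvider: 3, succeeded: true },
];

function runSamples() {
  return SAMPLE_CALLS.map(classifyLogonUser);
}

if (typeof Interceptor === 'undefined') {
  for (const record of runSamples()) console.log(JSON.stringify(record));
}
```

The hook is placed on LogonUserW rather than on the LSA call it wraps because it is the documented entry point most tooling goes through, and the hook reads the username and domain only, never the password argument.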

Abstract

Windows access token manipulation attacks are well known and widely abused from an offensive perspective, but they rely on an extensive body of arcane Windows security internals: logon sessions, access tokens, UAC, and network authentication protocols such as Kerberos and NTLM, to name a few. Much of this information is not easily found and can be hard for defensive practitioners to get to grips with, resulting in brittle detections and making it difficult to separate the signal from the noise. This presentation aims to demystify how access tokens work in Windows environments and show how attackers abuse legitimate Windows functionality to move laterally and compromise entire Active Directory domains. Most importantly, it covers how to catch attackers in the act, and at scale, across enterprises. Defensive practitioners will come away understanding the key signals that identify access token manipulation in their own environments, in order to detect and respond to these types of attacks. The presentation is heavy on Windows internals and APIs, undocumented tips and tricks, and reveals how red teaming and attack tools really work their magic.
