The presentation discusses vulnerabilities in the NTLM protocol used in Active Directory and presents a new approach to detecting NTLM Relay attacks using cryptographic operations.
- Active Directory is a popular target for attackers and NTLM Relay is a common attack technique
- NTLM authentication is not bound to the target server: a client's response to a challenge is valid at whichever server issued that challenge, which is what makes NTLM Relay possible
- New vulnerabilities in the NTLM protocol were discovered that allow attackers to bypass the existing mitigations against NTLM Relay, including server signing and channel binding
- A new approach to detecting NTLM Relay attacks using cryptographic operations is presented
- The first deterministic algorithm to detect NTLM Relay attacks is introduced
The presenters demonstrated how they were able to bypass all present mitigations against NTLM Relay and take over any machine in the domain, even with the strictest security configuration. They also showed how a new defensive approach leveraging cryptographic operations can improve detection capabilities against prevalent attacks. Finally, they introduced the first known deterministic algorithm to detect NTLM Relay attacks.
Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secret storage of the organization. Although defensive security products were able to mitigate some of the attack techniques by methods such as log collection or raw traffic inspection, some of the most common offensive techniques are left with no efficient countermeasures. One of the latter is the good old NTLM Relay, which is especially favored by attackers. Recently it has been exploited yet again in the PrivExchange vulnerability discovered earlier this year.

We will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables attackers to abuse NTLM Relay and take over any machine in the domain, even with the strictest security configuration (including server signing). In addition, we will show another vulnerability we have discovered in the way NTLM implements channel binding, which might put your cloud resources at risk as well.

We will then demonstrate a new defensive approach that leverages cryptographic operations to gain improved defensive capabilities against some of the most prevalent attacks today. Among others, we will explain how this method led us to devise the first known deterministic algorithm to detect NTLM Relay attacks.
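The key points above (NTLM authentication not being bound to the target server, and server signing and channel binding as the mitigations a relay has to get past) can be made concrete by running the NTLMv2 computation from MS-NLMP through a relay. The example below is added here; it is not code from the talk, and it does not implement the presenters' detection algorithm, which this page does not describe. It builds an NTLMv2 response the way a client does, verifies it the way the domain controller does on pass-through, and shows three things: the relayed response validates at the server that issued the challenge, the relay never obtains the session key that message signing needs, and a target name placed in the AV_PAIRS (the mechanism behind SPN and channel-binding checks) is the only field the target can compare against itself. The identity `alice`/`CORP`, the password, the host names `FILESRV` and `printer`, the challenge bytes and the timestamp are constructed; the signing-key derivation and key-exchange steps are simplified to a direct HMAC with the session base key, and MD4 is implemented inline so the NT hash does not depend on OpenSSL's legacy provider.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_TARGET_NAME = 0, 1, 9   # MS-NLMP AV_PAIR ids

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); NT hashes need MD4, which OpenSSL 3 only ships in its legacy provider.
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [(F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rol((a + f(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles so the next step updates what was d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def ntlmv2_hash(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def av_pairs(pairs) -> bytes:
    out = b""
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", MSV_AV_EOL, 0)

def parse_av_pairs(blob: bytes) -> dict:
    pairs, off = {}, 28                       # AV_PAIRS follow the fixed 28-byte blob header
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len].decode("utf-16-le")
        off += av_len

def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    # Client side (MS-NLMP 3.3.2). NtProofStr binds the challenge and the blob, but nothing in it
    # identifies the server the client meant to reach unless the client put that into target_info.
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    v2 = ntlmv2_hash(nt, user, domain)
    proof = hmac.new(v2, server_challenge + blob, hashlib.md5).digest()
    return proof + blob, hmac.new(v2, proof, hashlib.md5).digest()   # (NtChallengeResponse, session base key)

def verify_ntlmv2(nt, user, domain, server_challenge, response):
    # What the DC does on pass-through: recompute NtProofStr from the stored NT hash.
    proof, blob = response[:16], response[16:]
    v2 = ntlmv2_hash(nt, user, domain)
    if not hmac.compare_digest(proof, hmac.new(v2, server_challenge + blob, hashlib.md5).digest()):
        return None
    return hmac.new(v2, proof, hashlib.md5).digest()    # same session base key the client derived

def sign(key: bytes, seq: int, msg: bytes) -> bytes:
    # NTLMv2 signature layout (version, 8-byte HMAC-MD5 checksum, seqnum); signing-key derivation
    # and the key-exchange step are left out, the HMAC uses the session base key directly.
    checksum = hmac.new(key, struct.pack("<I", seq) + msg, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + checksum + struct.pack("<I", seq)

def relay_scenario(client_names_target: bool):
    """Constructed scenario: 'alice' tries to reach cifs/printer; the attacker relays to FILESRV.
    Returns (target accepted the auth, target can see an SPN mismatch, relay can produce a valid signature)."""
    user, domain, nt = "alice", "CORP", nt_hash("password")        # NT hash is known to client and DC only
    server_challenge = b"\x11" * 8                                 # issued by FILESRV, forwarded verbatim by the relay
    target_info = [(MSV_AV_NB_COMPUTER_NAME, "FILESRV")]           # copied from FILESRV's CHALLENGE_MESSAGE
    if client_names_target:
        target_info.append((MSV_AV_TARGET_NAME, "cifs/printer"))   # the SPN the client actually wanted
    response, client_key = ntlmv2_response(nt, user, domain, server_challenge, b"\x22" * 8,
                                           0x01D53B9000000000, av_pairs(target_info))
    server_key = verify_ntlmv2(nt, user, domain, server_challenge, response)   # FILESRV asks the DC
    accepted = server_key is not None and server_key == client_key
    spn = parse_av_pairs(response[16:]).get(MSV_AV_TARGET_NAME)
    spn_mismatch = spn is not None and spn.lower() != "cifs/filesrv"
    # The relay never sees the NT hash, so any signature it produces is keyed by a guess.
    relay_can_sign = accepted and hmac.compare_digest(sign(b"\x00" * 16, 0, b"SMB"), sign(server_key, 0, b"SMB"))
    return accepted, spn_mismatch, relay_can_sign

if __name__ == "__main__":
    print("no binding:", relay_scenario(False))        # accepted, nothing for the target to check, cannot sign
    print("SPN in AV_PAIRS:", relay_scenario(True))    # accepted unless the target enforces the SPN it finds
```

With no target name in the AV_PAIRS the relayed response is accepted and the target has nothing to compare, which is the unbound-authentication point; what still stops the attacker is that only the client and the DC can derive the session base key, so a server that requires signing rejects every message the relay sends afterwards. With the client's intended SPN inside the blob the target is able to notice that it is not `cifs/filesrv`, which is the shape of the channel-binding style mitigations the talk says it found ways around.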