Security Resilience: Exploring Windows Domain-Level Defenses Against Post-Exploitation Authentication Attacks
Jeffrey A. Nichols, Benjamin A. Taylor, Laura Curtis
Proceedings of the 11th Annual Cyber and Information Security Research Conference, published 2016-04-05
DOI: 10.1145/2897795.2897800 (https://doi.org/10.1145/2897795.2897800)
Citations: 3
Abstract
We investigated the security resilience of current Windows Active Directory (AD) environments to Pass-the-Hash and Pass-the-Ticket, two prominent post-exploitation credential-theft attacks. An operating system's security resilience consists of its native features that allow a detected attack to be contained. Post-exploitation refers to an attacker's activities subsequent to penetration. Specifically, we discovered a way to trigger the removal of all previously issued authentication credentials for a client, thus preventing their use by attackers. Once triggered, the user is forced to contact the domain administrators and re-authenticate to the Domain Controller (DC) before continuing. This could become the basis for a response that Windows system administrators could use to halt the spread of a detected attack. Operating in a virtualized XenServer environment, we were able to carefully determine and recreate the conditions necessary to cause this response.