Whenever an attacker compromises a machine, one of the first steps is to collect every credential that can be found on it. Stumbling upon the credentials of privileged users makes it far easier to take over the whole network; moving laterally without a privileged account is a considerably more demanding task.
Securing the accounts of privileged users has been an important topic for many years. A tremendous number of security controls have been developed to mitigate the risk of an attacker obtaining credentials from a compromised system. However, these protections do not eliminate the risk of credential theft entirely. Therefore, it is very important to have access rights and permissions set up correctly for all users (especially the privileged ones) so that lateral movement is slowed down and the damage of a successful intrusion is minimized.
Tools of the Adversaries
How can an attacker get the credentials of privileged users? There is a great number of tools whose aim is to harvest secrets from a compromised device in the hope of finding credentials of privileged accounts. These tools look for password hashes, Kerberos tickets, access tokens, or plaintext passwords stored on disk or held unencrypted in memory. Applications and operating systems try to defeat this behavior: they increasingly refuse to keep plaintext credentials in memory at all (Windows, for example, no longer stores WDigest plaintext passwords by default since Windows 8.1 and Server 2012 R2), and they isolate hashes and tickets in a virtualization-protected process (Credential Guard) that even code running as SYSTEM on the host cannot read.
Weak passwords (or passwords stored with a weak, unsalted hash such as LM or NTLM) are also an enormous hole in the defense, because the attacker can crack them offline quickly, and an NTLM hash can be reused directly in pass-the-hash attacks without cracking it at all. One way to mitigate this risk is to enforce strong password policies for privileged users and to block NTLM authentication for them at the system level, so that a stolen hash cannot be replayed even if it is never cracked.
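As an added example (not code from the original article), the following PowerShell script applies the two mitigations just described to a domain's privileged accounts: it reports privileged users whose passwords are stored or exchanged with weak options, attaches a stricter fine-grained password policy to them, and moves them into the built-in Protected Users group, whose members cannot authenticate with NTLM, DES or RC4 Kerberos. It assumes the ActiveDirectory module, a reachable domain controller, a domain functional level of Windows Server 2012 R2 or later (so that Protected Users exists), and an elevated session. The group list, the PSO name and the `$Apply` switch are this example's own assumptions.

```powershell
# Added example, not from the original article. With $Apply = $false the
# changes are only previewed via -WhatIf; set $Apply = $true to enforce them.
Import-Module ActiveDirectory
$Apply = $false
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')  # assumed list

# 1. Collect the user accounts behind those groups, following nested groups.
$members = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$privUsers = $members | Sort-Object -Property distinguishedName -Unique |
    Get-ADUser -Properties AllowReversiblePasswordEncryption, UseDESKeyOnly,
                           PasswordNotRequired, PasswordNeverExpires

# 2. Report accounts whose password is stored or negotiated with weak options.
$privUsers |
    Where-Object { $_.AllowReversiblePasswordEncryption -or $_.UseDESKeyOnly -or
                   $_.PasswordNotRequired -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, AllowReversiblePasswordEncryption, UseDESKeyOnly,
                  PasswordNotRequired, PasswordNeverExpires |
    Format-Table -AutoSize

# 3. Give privileged users a stricter fine-grained password policy (PSO) so the
#    domain default no longer applies to them. PSOs bind to users and global
#    groups only, so the users themselves are used as subjects.
$psoName = 'Privileged-Accounts-PSO'   # assumed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 -ComplexityEnabled $true `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -LockoutThreshold 5 `
        -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false -WhatIf:(-not $Apply)
}
if ($Apply) { Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $privUsers }

# 4. Protected Users: members cannot use NTLM, DES or RC4 Kerberos, cannot be
#    delegated, and their credentials are not cached on hosts. Never add service
#    or computer accounts, and test before enforcing: anything that still needs
#    NTLM will break for these users.
$already = Get-ADGroupMember -Identity 'Protected Users'
$missing = $privUsers | Where-Object { $already.distinguishedName -notcontains $_.distinguishedName }
if ($missing) { Add-ADGroupMember -Identity 'Protected Users' -Members $missing -WhatIf:(-not $Apply) }

# 5. Audit incoming NTLM on this host ("Network security: Restrict NTLM: Audit
#    Incoming NTLM Traffic"; 2 = audit all accounts). The resulting events in the
#    Microsoft-Windows-NTLM/Operational log show which accounts still rely on NTLM.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
if ($Apply) { Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord }
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it first with `$Apply = $false` and review the reported accounts and the NTLM audit events; only after the privileged users are confirmed to work over Kerberos should the group change be applied, because Protected Users blocks NTLM immediately and without a fallback.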
Another risk is a local administrator account that has the same password across multiple devices. If an attacker gains access to one of these devices, they automatically gain access to all the others. To reduce this risk, Windows by default filters the token of local accounts that log on over the network (UAC remote restrictions), so a local administrator cannot remotely write to administrative shares or use remote-execution tools (such as PsExec or schtasks) that malware typically uses to spread and to create persistence. The built-in Administrator account (RID 500) is exempt from this filtering by default, so it should be disabled or given a unique password per host.
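The in-memory protections described under "Tools of the Adversaries" and the remote restrictions on local administrators both depend on a handful of host settings that are easy to check. The following PowerShell script, added here as an example and not taken from the original article, audits one Windows host for them: whether Credential Guard and LSA protection are running, whether WDigest still caches plaintext passwords, whether UAC remote token filtering has been switched off, whether the built-in RID-500 Administrator is enabled, and whether network logon is denied to local accounts. The registry paths and values are the documented Windows ones; the `Get-RegValue` and `Add-Finding` helpers and the finding labels are this example's own. Run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not from the original article: host-level audit of the
# credential-protection and local-admin remote-restriction settings.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, $Value, [bool]$Ok, [string]$Advice) {
    $findings.Add([pscustomobject]@{
        Check = $Check; Value = $Value; Status = $(if ($Ok) { 'OK' } else { 'FIX' }); Advice = $Advice
    })
}

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Credential Guard: hashes and tickets isolated by virtualization-based security.
#    Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard runs.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cg = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
Add-Finding 'Credential Guard running' $cg $cg 'Enable Credential Guard (VBS) so LSA secrets live in the isolated LSA process'

# 2. LSA protection: lsass.exe runs as a protected process, blocking unsigned code from reading it.
$ppl = Get-RegValue $lsa 'RunAsPPL'
Add-Finding 'LSA protection (RunAsPPL)' $ppl ($ppl -ge 1) 'Set RunAsPPL=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa'

# 3. WDigest: UseLogonCredential=1 keeps plaintext passwords in memory. The value
#    is absent and disabled by default on Windows 8.1 / Server 2012 R2 and later;
#    older builds need it set to 0 explicitly.
$wd = Get-RegValue "$lsa\..\SecurityProviders\WDigest" 'UseLogonCredential'
$wdOk = ($wd -eq 0) -or ($null -eq $wd -and [Environment]::OSVersion.Version -ge [version]'6.3')
Add-Finding 'WDigest UseLogonCredential' $wd $wdOk 'Set UseLogonCredential=0 so plaintext passwords are not cached in LSASS'

# 4. UAC remote restrictions: LocalAccountTokenFilterPolicy=1 disables the token
#    filtering that stops local admins from using admin shares, PsExec, etc. remotely.
$tf = Get-RegValue $policy 'LocalAccountTokenFilterPolicy'
Add-Finding 'LocalAccountTokenFilterPolicy' $tf ($tf -ne 1) 'Remove the value or set it to 0 to keep remote token filtering for local accounts'

# 5. Built-in Administrator (RID 500) is exempt from remote token filtering.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Add-Finding 'Built-in Administrator enabled' $builtin.Enabled (-not $builtin.Enabled) 'Disable the RID-500 account or give it a unique per-host password'

# 6. Deny network logon to all local accounts (SID S-1-5-113, "NT AUTHORITY\Local account")
#    via the SeDenyNetworkLogonRight user right; exported with secedit for inspection.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$denyLine = (Get-Content $cfg | Where-Object { $_ -like 'SeDenyNetworkLogonRight*' }) -join ''
Remove-Item $cfg -ErrorAction SilentlyContinue
$denyLocal = $denyLine -match '\*S-1-5-113'
Add-Finding 'Local accounts denied network logon' $denyLocal $denyLocal 'Add S-1-5-113 to "Deny access to this computer from the network"'

$findings | Format-Table -AutoSize
```

Every "FIX" row is a setting that re-opens one of the paths discussed above: a readable LSASS hands the attacker hashes and tickets, and token filtering turned off or a live RID-500 account turns one shared local-admin password into access to every host that uses it. The script is an audit only; change settings through Group Policy so they are enforced consistently across the fleet.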
Despite all of the aforementioned mitigations, there is still a real chance that an attacker will get hold of a privileged account. Therefore, it is crucial to assign roles to users, and permissions to roles, very carefully. If the compromised account holds more privileges and permissions than its role requires, the attacker inherits every one of them, and the compromise of the whole network becomes significantly easier.