Top 5 Insider Threat Findings

Throughout 2022, the Lares Red Team has tracked several emerging trends when assisting clients with insider threat engagements. This blog post elaborates on the five most impactful findings we encountered in client environments.

Malicious insider assessments, also called insider threat assessments, are one type of engagement we deliver here at Lares. The primary objective is to remain under the radar and evade detection while pursuing goals set out by the client. We, as attackers, thrive on attack paths and compromising systems. Many areas of system weakness can be attacked and leveraged to gain a foothold or an upper hand within an environment.

The top five findings we come across within clients’ environments are as follows:

  1. Weak Passwords and Password Re-Use Across Privileged Accounts
  2. Insecure Handling of Sensitive Information/Data Governance Faults
  3. Active Directory Certificate Services Vulnerabilities (ADCS Abuse)
  4. Active Directory Misconfigurations
  5. Identity and Access Management Faults

While some of these findings have patches and can be handled through risk management, others often have no simple patch or fix. However, several root causes can be remedied with best practices in both policy and technical controls.

The webinar accompanying this post can be found at the bottom of this page.

Weak Passwords, Policy, and Re-Use Across Privileged Accounts

These are a trio of bad practices, combined with technical and procedural controls that are hard to enforce and easy to bypass. Weak passwords are an age-old issue and continue to be the vehicle we exploit to gain initial access, escalate privileges further, or identify flaws within environments. The most common finding, be it compromised credentials from external password spraying or cracked hashes from a domain controller sync (DCSync) attack, is that weak passwords are still, in 2023, at the forefront of issues affecting an organization's assets.

Attacking an organization from the inside usually starts with the recon and enumeration phases: identifying passwords already exposed in database dumps and previous external breaches, then leveraging this information internally. Beyond enumeration, previous breach data allows us to work out users' password structure and tendencies. Examples might be companyname123 or specific dictionary words followed by numbers; this varies with each company's password policy but is often an excellent baseline to track. Once inside a network, an attacker can leverage a multitude of protocols and tools to enumerate valid accounts while remaining under the radar and evading detection.

Another related issue is password reuse, whereby compromising a single set of credentials opens many doors. Users in non-technical roles often do not appreciate why having a strong password is essential, or why practising good password and data management matters just as much. Educating your workforce, peers, friends, and family on what an attacker can do with their password is critical to hammering home the fundamental importance of good practices.

In terms of recommending remediations for poor password practices, there are technical controls that can be applied, such as privileged access management, password vaulting, and deny lists. Ultimately, though, it comes down to setting a robust password policy and educating users to change their mindset on passwords. We recommend that users choose passphrases over passwords, as these tend to be longer and are easier to remember. For more information on good practices around passwords, my colleague Ben has written a post in the past explaining some good techniques.

Insecure Handling of Sensitive Information

The initial foothold gained from credentials is often leveraged by crawling accessible SMB shares and the filesystems of neighbouring machines, looking for sensitive information such as build scripts, credentials, and hard-coded keys.

Data is gold dust for an attacker. Along with weak passwords, one of the most significant areas where we, as attackers, see success is the mismanagement of data governance within an organization. Operating with good data governance across an organization is therefore essential both outside and inside the network, covering everything from LinkedIn to internal file shares and all locations in between.

These types of faults tend to be remediated with policy, but it is also vital to back up a policy with technical controls. They usually stem from harmful practices and habits that users learn from administrators littering data around an environment and being encouraged to put specific data in certain locations. This results in lots of information being shared; however, that information is often stored with weak permissions, or all users can access everything, which, as you can imagine from an attacker's perspective, is perfect: it gives us many windows for attack and lets us elevate privileges inside an environment.

File shares within a Windows estate tend to have a wealth of information. The primary risk here is users not having sufficient access controls on shares within a network. Once an attacker gains access to an internal network, the first enumeration step will be going after critical data and information. Searching file shares can be achieved using a variety of tools; the one we find the most success with at Lares is Snaffler.

Snaffler works by enumerating computers from Active Directory and the shares on those systems; it indexes the files and runs a series of regular expression and file content searches.

Like SharePoint, file shares are often littered with data. Depending on the retention policies and controls, files are often several years old and frequently contain valid credentials. Typically, scripts and Excel spreadsheets give the highest rate of success in obtaining credentials; users tend to use spreadsheets as makeshift password managers, and their structure makes them easy to search, which is an excellent resource for an adversary.

Where possible, establish an organizational policy that prohibits password storage in files. Alternatively, restrict file shares to specific directories with access only for the users who need it. Additionally, shares with high-value content or used by administrators should be monitored for abnormal activity or standard users attempting access, since such actions may indicate malicious activity on the estate. Scripts used for maintenance and automation tasks should be written with security in mind to avoid leaking sensitive information and passwords for privileged accounts; passwords should not be left hardcoded in scripts. Microsoft provides APIs that enable secure password databases and encryption techniques; however, these need to be used correctly to provide a net security benefit. Network file shares should be audited thoroughly to ensure that they are accessible to allowed users only.

Active detection and mitigation are essential to locking down file shares, but an overall understanding of, and controls around, data management are equally essential. Several steps can be taken to mitigate and improve data governance faults. The first is auditing share and file permissions to ensure that only authorized users are permitted access to shares. In addition, other steps can be taken to detect share-scanning activity.

Ensure that group policy audit settings are configured so that authentication successes and failures are logged, enabling real-time and offline analysis to identify common indicators of compromise. Specifically, ensure the following event IDs are logged and forwarded to a SIEM solution.

Logon Success

  • Windows Server 2003: 540
  • Windows Server 2008-2012: 4624

Logon Failure

  • Windows Server 2003: 680
  • Windows Server 2008-2012: 4625

Network Share Object was Accessed.

  • All versions: 5140

Below is a list of common Indicators of Compromise (IoCs) that can be used to identify potential SMB scanning. Please note that not all IoCs will work in every environment due to false positives generated by legitimate applications and processes. However, in some environments, modifying IoC thresholds or signatures may be possible to reduce the number of false positives to an acceptable level.

Consider creating correlation rules based on Active Directory and Local Windows authentication logs for:

  • A single system authenticates to many systems via SMB (port 445) in a short period and accesses Windows shares, for example, ten or more systems in under a minute. Use the events above to build detections.

Consider implementing a honeypot or canary system that exposes SMB shares and generates alerts when they are accessed.

If network shares are not required, disable them or block access using host-based firewalls. Ensure that sensitive information is not available on these shares. To restrict access under Windows, open Explorer, right-click on each of the shares, go to the 'Sharing' tab, and click 'Permissions'. From here, add or remove permissions for various users and groups. Guest access to the system should also be revoked, and adequate access controls should be in place for each shared resource. NULL sessions should be disabled.

Active Directory Certificate Services Vulnerabilities (ADCS Abuse)

While not a particularly new vulnerability-as-a-feature, ADCS remains an excellent foothold for our consultants inside networks and an easy path to higher privileges within an estate. Large and small clients alike are increasingly likely to have some form of ADCS implementation, and by default that implementation is exploitable as a standard domain user and can be leveraged to impersonate higher-tier administrative users.

There are many ways to exploit the different certificate template implementations with relative ease; both living off the land and external tooling enable such attacks:

Alex, one of our adversarial engineers, has written a great PowerShell script that uses built-in Windows functions to exploit the ESC1 implementation; his script can be found here. In addition, we also frequently use the following:

  • Certipy – If we can install it with pip/Python on endpoints, it makes light work of exploiting ADCS vulnerabilities.
  • Certify – A C# implementation of Certipy that offers the ability to run natively on Windows systems, find vulnerable templates, and request new ones.
  • PoshADCS – Another PowerShell implementation that allows the exploitation of various ESC implementations.
  • Certi – A utility to work with ADCS that allows requesting tickets and collecting information about related objects. It is the impacket copy of Certify.

A typical attack path leads directly to Domain Administrator when a certificate template combines three factors:

  • ENROLLEE_SUPPLIES_SUBJECT set in its msPKI-Certificate-Name-Flag attribute, which allows the requester to supply any Subject Name in the certificate request.
  • Client Authentication listed in its pKIExtendedKeyUsage attribute, so issued certificates can be used to log on.
  • The ability for all authenticated users to enrol in the certificate template.

In essence, any user in the domain can use this certificate template to impersonate and authenticate as any other user in the domain, including as a domain administrator.

Unfortunately, there are few direct mitigations for ADCS vulnerabilities; therefore, the following steps can be undertaken to help mitigate the impact and the direct risks associated with them.

It is important to correctly configure Active Directory Certificate Services, control who holds high CA privileges, and give each template the minimum possible requirements for its role. The following is a list of best practices for hardening against ADCS attacks:

  • The company's CA configuration should not allow users with low privileges to request certificates unless necessary.
  • Where possible, manager approval should be enabled for each certificate template, requiring at least one authorized signature.
  • The certificate template should define the EKU for a specific purpose, never Any Purpose or no EKU.
  • The CA should not allow users/machines with low privileges to enrol in certificate templates on behalf of other principals with elevated privileges.
  • Certificate templates are AD objects, so they have security descriptors. It is important to control who has permissions on these objects, since excessive permissions would allow unprivileged users to modify them.
  • If the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is enabled on an enterprise CA, alternative names are allowed for any certificate template, regardless of its restrictions. Microsoft strongly recommends not enabling this flag on an Enterprise CA.
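The three ESC1 factors and the hardening list above, turned into a check a defender can run over exported template attributes. This is an added example, not code from the post or from any of the tools it names; the flag bits and EKU OIDs are the standard values from Microsoft's certificate template specification, the templates are constructed, and resolving enrolment rights from each template's security descriptor to group names is assumed to have been done beforehand.

```python
# Attribute values from Microsoft's certificate template specification (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag (manager approval)
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # Client Authentication EKU
OID_ANY_PURPOSE = "2.5.29.37.0"                   # Any Purpose EKU
# Group names that mean "any domain principal can enrol". Assumption: Enroll rights have
# already been resolved from the template's security descriptor to these names.
LOW_PRIV_ENROLLERS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def audit_template(tpl):
    """Return a list of findings for one template given as a dict with keys:
    name, name_flag (msPKI-Certificate-Name-Flag), enrollment_flag (msPKI-Enrollment-Flag),
    ra_signatures (msPKI-RA-Signature), ekus (pKIExtendedKeyUsage OIDs), enrollers."""
    findings = []
    ekus = tpl.get("ekus", [])
    open_enrolment = bool(LOW_PRIV_ENROLLERS & set(tpl.get("enrollers", [])))
    supplies_subject = bool(tpl.get("name_flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(tpl.get("enrollment_flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    needs_signature = tpl.get("ra_signatures", 0) > 0
    # No EKU or Any Purpose both allow the certificate to be used for client authentication.
    usable_for_auth = not ekus or OID_ANY_PURPOSE in ekus or OID_CLIENT_AUTH in ekus

    if not ekus:
        findings.append("no EKU defined, certificate usable for any purpose")
    elif OID_ANY_PURPOSE in ekus:
        findings.append("Any Purpose EKU defined")
    if open_enrolment and not (manager_approval or needs_signature):
        findings.append("low-privilege enrolment without manager approval or authorized signature")
        if supplies_subject and usable_for_auth:
            findings.append("ESC1: enrollee supplies subject name on an authentication-capable template")
    return findings

def audit_all(templates):
    return {t["name"]: audit_template(t) for t in templates}

# Constructed sample templates (hypothetical names). The first combines the three factors
# above; the second is the same template after enabling manager approval and one signature.
SAMPLE_TEMPLATES = [
    {"name": "UserSelfService", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": 0, "ra_signatures": 0, "ekus": [OID_CLIENT_AUTH],
     "enrollers": ["Domain Users"]},
    {"name": "UserSelfService-Hardened", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signatures": 1,
     "ekus": [OID_CLIENT_AUTH], "enrollers": ["Domain Users"]},
    {"name": "LegacyAnyPurpose", "name_flag": 0, "enrollment_flag": 0, "ra_signatures": 0,
     "ekus": [OID_ANY_PURPOSE], "enrollers": ["Domain Admins"]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(name, "->", findings or ["OK"])
```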

It is also essential to monitor and analyze the events that Active Directory Certificate Services generates:

  • Event 4898 -> Certificate Services loaded a template.
  • Event 4886 -> Certificate Services received a certificate request.
  • Event 4887 -> Certificate Services approved a certificate request and issued a certificate.
  • Event 4890 -> The certificate manager configuration for Certificate Server has changed.
  • Event 4882 -> Certificate Services security permissions changed.

Active Directory Misconfigurations

Active Directory is a beast on its own and an archaic system that many organizations have implemented for centralized authentication management within a Windows estate. From an attacker's perspective, it is the gift that keeps on giving. In the last year we have seen a large proportion of environments with misconfigurations around nested groups and permissions; even where controls such as the Local Administrator Password Solution (LAPS) are implemented, there have been weaknesses whereby users can read all of the LAPS passwords across an environment.

Specifically, on insider threat assessments we have had success using ADExplorer to gather snapshots of an AD environment for ease of enumeration. There are many quick wins within environments, spanning from identifying users with service principal names for later Kerberos abuse to identifying certificate templates that may be vulnerable; we also often find a lot of detail in account description fields. Another useful check is the ms-DS-MachineAccountQuota attribute, which details whether users can add machines to the domain; by default, all authenticated accounts in Active Directory can add computers to the domain (10 by default). This can be restricted elsewhere, such as through Group Policy, but it is worth checking the value: if it is 0, standard users cannot add computers to the domain. ADExplorer sails past many defences as it is a typical system administration tool and a validly signed Microsoft binary.

Once a snapshot has been obtained, we often convert it to BloodHound data using ADExplorerSnapshot.py, as it allows quick and easy conversion of a .dat file to BloodHound-compatible JSON and easier graphing of an environment. BloodHound is another great tool we often use on assessments to surface additional attack paths and show areas where users may have unnecessary AD permissions and controls, such as GenericAll and GenericWrite on certain groups or machines, allowing users to escalate privileges quickly.

One of the other problem areas where we see a lot of misconfigurations is where clients have implemented Azure Active Directory (AzureAD), often allowing for attack paths from systems on-premises to cloud-connected networks. AzureAD has a host of issues that we actively exploit as malicious insiders gaining access to other applications within Azure and resources within cloud environments.

There is no single fix for AD misconfigurations. However, we often recommend investigating users' permissions within an environment, leveraging the tooling we use as attackers in a defensive context to help harden your environment, and undertaking frequent assessments to validate controls and test implementations. There are fixes such as application allowlisting and locking down a base image to prevent execution of tooling like ADExplorer, and locking down inbound proxy settings and inbound applications to restrict what standard users are allowed to execute and access. In addition, if tools like ADExplorer are uncommon in your environment, there are alerts and indicators that the tool has been run that are worth implementing and watching for, such as the following registry keys with a DWORD value of 1:

  • HKEY_USERS\Software\MSDART
  • HKEY_USERS\Software\MSDART\Active Directory Explorer
  • HKEY_USERS\Software\Sysinternals
  • HKEY_USERS\Software\Sysinternals\Active Directory Explorer

In addition, some steps can be undertaken to identify when the tooling is being used, such as monitoring for abnormal LDAP lookups.

  • AD Explorer uses ‘objectGUID=*’ in many of its queries; this is a standard indicator that it is being run or has been run previously.
  • SharpHound uses various distinctive patterns, for example: (|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))
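The two LDAP indicators above as a small classifier that attributes captured search filters to a tool and tallies hits per client. This is an added example, not from the post or from either tool's project; the (client, filter) records are constructed, and the rule that a filter must carry at least three of the four samAccountType values before it is attributed to SharpHound is an assumption chosen to limit false positives, since any single value appears in ordinary queries.

```python
import re
from collections import Counter, defaultdict

# SharpHound's enumeration filter ORs these four samAccountType values together.
# One of them on its own appears in plenty of legitimate queries, so a filter is only
# attributed to SharpHound when at least three of the four occur in the same filter.
SHARPHOUND_SAT_VALUES = {"268435456", "268435457", "536870912", "536870913"}
SAT_RE = re.compile(r"\(samaccounttype=(\d+)\)", re.I)
ADEXPLORER_RE = re.compile(r"\(objectguid=\*\)", re.I)

def classify_filter(ldap_filter):
    """Return the tools whose signature the filter matches (possibly none)."""
    f = re.sub(r"\s+", "", ldap_filter)  # ignore whitespace variations
    tools = []
    if ADEXPLORER_RE.search(f):
        tools.append("ADExplorer")
    if len(set(SAT_RE.findall(f)) & SHARPHOUND_SAT_VALUES) >= 3:
        tools.append("SharpHound")
    return tools

def tally_by_client(records):
    """records: iterable of (client, ldap_filter) pairs. Returns
    {client: Counter(tool -> hits)} for clients with at least one match."""
    tally = defaultdict(Counter)
    for client, flt in records:
        for tool in classify_filter(flt):
            tally[client][tool] += 1
    return dict(tally)

# Constructed sample (hypothetical addresses): the first three filters mirror the
# indicators above; the rest are ordinary lookups that must not be attributed to a tool.
SAMPLE_RECORDS = [
    ("10.10.5.23", "(objectGUID=*)"),
    ("10.10.5.23", "(&(objectClass=user)(objectGUID=*))"),
    ("10.10.5.88", "(|(samaccounttype=268435456)(samaccounttype=268435457)"
                   "(samaccounttype=536870912)(samaccounttype=536870913))"),
    ("10.10.5.40", "(&(objectCategory=person)(sAMAccountName=jdoe))"),
    ("10.10.5.40", "(samAccountType=805306368)"),
    ("10.10.5.40", "(samAccountType=268435456)"),
]

if __name__ == "__main__":
    for client, counts in tally_by_client(SAMPLE_RECORDS).items():
        print(client, dict(counts))
```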

Identity and Access Management Faults

Like weak passwords and Active Directory misconfigurations, identity and access management faults are another significant area where we see a proportion of insider threat findings. An environment will typically have multiple separate implementations where identity is managed. Access to Confluence, GitLab, and Jira is often handled separately from AD, resulting in weak passwords and configurations. Combined with poor data governance, internal wiki pages are often a wealth of information for attackers.

The most significant area where we see IAM faults is within cloud environments; there is often a gap in cloud permissions resulting in easy attack paths. It is often not a single permission that allows a user to perform an unwanted action within a cloud environment but the combination of one misconfigured authorization with all the others the user already holds. This is seen across multiple cloud environments, often with users having overly permissive control over areas such as role assignment within Amazon Web Services environments, or portals and bulk operations access within Azure. While cloud platforms often have many secure defaults enabled, these are often implemented later or not configured in legacy environments, allowing for easy traversal across cloud planes.

Alongside the cloud, another area where we have a lot of success is conditional access and multi-factor authentication (MFA) misconfigurations. Companies will often take an armadillo approach to IAM and conditional access, in that the outer shell of the environment is hardened; once on the inside, however, the controls are laxer. From our perspective, this makes light work of accessing otherwise restricted resources from an internal environment where MFA might not be enforced or similar protections might not apply.

Correcting these faults usually involves both a single point of remediation and broader policy and technical controls to help harden an implementation. There is no silver bullet for these types of faults. Often, they are uncovered through extensive work within an environment to understand how it is constructed and where the gaps may occur.

Conclusion

Attacking networks where users have weak passwords, systems are outdated, files are littered with sensitive information, and a lack of visibility from a defensive standpoint is equivalent to bringing a fire hose to a water fight.

Using credentials to elevate privileges and leveraging that access to traverse a poorly segregated network often means that systems reachable over protocols like SMB and RDP are easy targets for remote access across the network. Life for an attacker can be straightforward, and it is one of the many reasons ransomware attacks are so prevalent inside immature environments.

It is another reason you should consider insider threat assessments as part of your security appetite and look at your environment from the perspective of a malicious insider who often identifies overlooked flaws in the process and technical controls that would not necessarily be identified in a standard penetration test.

If you want to watch the webinar, it can be found here.

It should be noted that the Top 5 discussed within this post & webinar do not pretend to showcase the findings as being the most severe but rather the most frequently encountered during engagements for the past year. If you are interested in how Lares can help you understand your environment via an insider threat assessment or our other services, please get in touch with our sales team by clicking here.