Advanced Threat Analytics attack simulation playbook

This guide will help you learn about credential theft techniques such as Pass-the-Hash, Pass-the-Ticket and Over-Pass-the-Hash, and how publicly available research tools are used to perform such actions. This simulation playbook is based on a scenario built with valid Internet tools used by attackers. The intent is to show how to think like an attacker (in graphs), how an adversary moves within an environment with stolen credentials, and how to use Microsoft Advanced Threat Analytics (ATA) to detect these activities in your environment.

This guide illustrates the following attack scenarios:

  • DNS Reconnaissance
  • Directory Services Enumeration
  • SMB Session Enumeration
  • Harvesting credentials (lsass.exe)
  • Overpass-the-Hash
  • Pass-the-Ticket
  • Remote Code Execution
  • Skeleton Key
  • DC Sync

Important

The steps provided in this guide should be performed in a lab environment only, never in production.

Configuring your lab environment

We recommend following these instructions closely, including the experiments at the end. There is some setting up to do: specifically four computers, three users, and some research software to grab off the Internet.

Visit Advanced Threat Analytics Evaluations for more guidance on how to install ATA and obtain a 90-day evaluation copy.

Important

This guide was built based on ATA version 1.7.

Scenario

In this lab's example, JeffV is an admin of his own workstation. Many IT shops still have their user population running with admin privileges. In these scenarios, local escalation attacks aren't necessary, because the adversary already has admin access in the environment from which to perform their post-infiltration operations.

However, even when IT shops reduce privileges to non-admin accounts, other forms of attack (such as known application vulnerabilities, 0-days and the like) are used to achieve local privilege escalation. In this case, this guide assumes that the adversary has already achieved local privilege escalation on Victim-PC. In this fictitious lab, this was achieved via a spearphishing e-mail to JeffV, as explained in more detail later in this guide.

Servers and workstations

The following lists the computers you will need and the configurations used in this exercise. These are all staged as guest virtual machines (VMs) on Windows 10 Hyper-V. If you go this route, and we recommend you do, make sure the VMs are placed on the same virtual switch.

FQDN                      OS                      IP             Purpose
DC1.contoso.local         Windows Server 2012 R2  192.168.10.10  Domain Controller with the ATA Lightweight Gateway (LWGW) installed
ATACenter.contoso.local   Windows Server 2012 R2  192.168.10.20  ATA Center
Admin-PC.contoso.local    Windows 7 Enterprise    192.168.10.30  Admin's PC
Victim-PC.contoso.local   Windows 7 Enterprise    192.168.10.31  Victim's PC

The domain for this lab is called CONTOSO.LOCAL. Create the domain, and then domain-join these computers. Once all four machines are up and domain-joined, go to the next section to add some fictitious users to the environment.

User configuration

Now you will create different roles for Helpdesk and Domain Administrators. The intent of creating those roles is to provide separation of duties; however, you will learn later in this guide that this isn't enough to prevent credential theft, lateral movement or domain escalation, because understanding the security dependencies that transcend these two groups across an environment is tricky.

First, create the following security group in the domain:

Name       Members   Purpose
Helpdesk   RonHD     Manages the clients of contoso.local.

Now create the following users, one of whom is the specific member of that group:

Full Name      SAMAccount   Purpose
Jeff Victim    JeffV        The victim of yet another impressively effective spear phishing attack.
Ron HD         RonHD        Ron is the "go-to guy" at Contoso's IT shop. RonHD is a member of the Helpdesk security group.
Nuck Chorris   NuckC        Before now, believed not to exist. At Contoso, he happens to be our Domain Admin.

Important

Before proceeding, ensure RonHD was added as a member of the Helpdesk security group.

Nuck Chorris, Contoso's domain admin, uses the Admin-PC workstation. The Helpdesk security group (of which RonHD is a member) also manages NuckC's computer. This can be configured using Restricted Groups. The Administrators group properties should look similar to the following screen:

Administrators properties

In addition, as in many IT shops, JeffV was added as an Administrator on his own device (Victim-PC). This was done on purpose and will be explained later in this article. The local Administrators group properties should look similar to the following screen:

Administrators properties 2

Security research tools

To configure this lab you will need to download the tools below and install them under C:\tools on the Victim-PC computer:

The tools folder should look similar to the following screen:

Tools folder

Important

These tools are for research purposes only. Microsoft does not own these tools, nor can it guarantee their behavior. They should only be run in a test lab environment.

For the purpose of this lab, turn off all antivirus on the Victim-PC computer. Although turning off antivirus might seem to skew the results, it is important to note that the source code for these tools is freely available, which means attackers can modify it to evade antivirus signature-based detection. It is also important to note that as soon as an adversary achieves local admin on a machine, evading antivirus becomes very possible. The goal at that point is protecting the rest of the organization. One computer compromise should not lead to domain escalation, and certainly not to domain compromise.

Environment topology

At this point, your lab should look similar to the one below:

Topology

As mentioned earlier in this guide, there are different roles for Domain Admins and Helpdesk; however, during the demonstration you will see that one security dependency linkage (in this case the user RonHD) is all an adversary needs to take over the entire environment with readily available research tools.

Helpdesk simulation

To simulate a common helpdesk scenario, in which helpdesk personnel log on to different computers, log in to Victim-PC as RonHD and then log back in as JeffV. Use the "switch user" mechanism to simulate privileged credential management on this workstation.

Switch user

There are other ways to simulate this management workflow in this lab, such as creating batch-script service accounts, scheduled tasks, RDP sessions, or 'runas' from the command line. In secure operations something (not always someone) has to manage these resources, and management means local admin privileges. For the purpose of this lab, and to optimize your time, the quickest route to simulate this workflow was selected.

Important

Do not log out or restart Victim-PC at this point, as this will wipe RonHD's credentials from memory and require re-enacting the helpdesk scenario.

The table below summarizes the credentials that are saved on each computer:

Computer    Credentials saved on computer
Admin-PC    NuckC
Victim-PC   JeffV and RonHD (caused by enacting the helpdesk scenario)

At this point the lab environment is ready. The current lab state is one exploit away (#1ea) from domain compromise. Next you will see that the initial compromise typically comes through your environment's lowest-privileged assets and most Internet-facing applications, from an adversary who is highly motivated and won't stop. This is where the "assume breach" methodology comes into play.

Executing the attack

In this section of the guide you will use real-world tools to simulate the post-infiltration activities of an adversary.

Beachhead via spearphish

For this attack simulation, the assumption is that the adversary achieved local admin privileges on one machine in the environment. While this can be achieved through different methods, all too often it is achieved via spearphishing campaigns against an organization.

In the Microsoft Security Intelligence Report Volume 21, two different actor groups were discussed, PROMETHIUM and NEODYNIUM. Both activity groups use spearphishing to gain a foothold in their target environments. Why? From an attacker's perspective, email is a quick way to evade an organization's network defenses. The following image shows an example of a real spear phishing email tracked and responded to by the Microsoft Threat Intelligence Center.

Spear phishing email

In a secure environment, the loss of a single host should not lead to the compromise of an entire domain or forest. Detecting the adversary's next step is imperative in the "post breach" world.

Reconnaissance

Once a human adversary gains presence in an environment, reconnaissance (also called recon) begins. In this phase the adversary spends time researching the environment: discovering settings, computers of interest, enumerating security groups and other Active Directory objects of interest, and so on, to paint a picture of your environment for themselves.

DNS Reconnaissance

One of the first things many adversaries do is try to pull the entire contents of the DNS zone (a zone transfer), and Microsoft ATA can detect this action.

On Victim-PC you will start the DNS recon by logging in with JeffV's credentials (the PC and user the adversary just compromised) and running the following commands:

nslookup
ls -d contoso.local

The results should look similar to the following screen:

Nslookup

In this lab, DNS is configured to block this DNS dump operation against the domain. Unfortunately, all too often this event gets ignored or is lost in the network noise, preventing network defenders from realizing that an adversary has reached some level of access in their environment and is in the beginning phases of a more targeted attack.

Microsoft ATA helps detect this type of attack by flagging suspicious DNS activity, as shown below:

Nslookup

Since ATA continuously parses DNS traffic, it can see the dump request whether or not it succeeds. It even gives you the ability to learn from this event in the future, in case the suspicious activity is legitimate and comes from an approved DNS scanning device.

In this case the adversary is blocked from what would have been a big win for them, a DNS dump, and turns to other reconnaissance techniques.

Important

Detecting failed attacks against an environment can be just as insightful as detecting successful ones.

In the ATA alert shown above you may notice the blue bubble next to the Suspicious Activity; this means that ATA is constantly learning, based both on consumed data and on analyst feedback. Analyst feedback helps remove benign true positives and reduce noise over time, customizing ATA and its Suspicious Activity detections to your environment.

Directory Services Enumeration

The Security Account Manager Remote Protocol (SAMR) provides management functionality for users and groups across a domain. Knowing the relationships between users, groups and privileges can be extremely important to an adversary. Any authenticated user can execute these commands. For more information on SAMR settings and restricting such reconnaissance to only users who are members of the local Administrators group, refer to this paper.

Enumerate all users and groups

Enumerating users and groups is very useful to an adversary: knowing user names and group names helps plan the next steps. As an attacker, you want to obtain as much information as you can during the reconnaissance phase.

To simulate the enumeration of users and groups, use the compromised JeffV account to log in to Victim-PC. Once logged in, try to pull all the domain users and groups with the following commands:

net user /domain
net group /domain

An example of the result of the first command is shown in the following image:

Net user

An example of the result of the second command is shown in the following image:

Net group

The reason these operations succeed without any problem is that they were performed using legitimate credentials. The problem now is that the attacker knows all the users and groups in the environment. Without a tool like Microsoft ATA, this action would probably go unnoticed.

For this operation, Microsoft ATA flags an alert that shows the attack, and it also displays the data the attacker was able to obtain.

Reconnaissance

Enumerate high privileged accounts

At this point the attacker holds both the user list and the group list. But knowing who is in which group is also important, specifically for highly privileged groups such as Enterprise Admins and Domain Admins. To obtain this information in your lab environment, log in as JeffV on Victim-PC and execute the command below:

net group "domain admins" /domain

An example of the result of this command is shown in the following image:

Net group 2

The attacker now has all the users and groups, and knows which users belong to the highly privileged Domain Admins group. In a real-world scenario, the likelihood that the attack will continue to escalate and try to obtain Enterprise Admins is very high, since there is no security boundary between Enterprise Admins and Domain Admins.

Important

For more information on security boundaries between forests and domains, Enterprise Admins and Domain Admins, and other "Tier-0"-level privileges, please refer to the Securing Privileged Access Reference Material.

To obtain the list of members of the Enterprise Admins group in your lab, run the following command on Victim-PC:

net group "enterprise admins" /domain

An example of the result of this command is shown in the following image:

Net group 3

In the example shown above, there is a single account in the Enterprise Admins group. In this case that is not very useful information, since it is just the default, but the attacker now has that much more knowledge of your accounts and has identified which user they most want to compromise.

SMB session enumeration

At this point the attacker knows whose credentials they want to compromise, but with the current information they don't know exactly how to compromise them. By using SMB enumeration they can obtain the precise location where these highly interesting accounts are exposed.

All authenticated users must connect to the domain controller to process Group Policy (against SYSVOL), making SMB enumeration a valuable tool for attackers. This makes Domain Controllers (DCs) prime targets to perform SMB enumeration against.

In this part of the lab you will use NetSess, the first research tool downloaded from the Internet. NetSess is a command-line tool that enumerates NetBIOS sessions on a specified local or remote machine.

To enumerate who is connected to a specific machine (in this case the DC) from Victim-PC, go to the location where NetSess is saved locally and run the following command:

NetSess.exe dc1.contoso.local

An example of the result of this command is shown in the following image:

NetSess

This kind of reconnaissance is hard to detect with traditional security controls such as a firewall. What increases the likelihood of this attack succeeding is that the SMB protocol is widely used by IT shops and is a protocol that Active Directory relies on for many operations. Microsoft ATA is able to detect SMB session enumeration activity and trigger an alert that reports which accounts were exposed.

Microsoft ATA lets you see the same relevant data that the attacker obtained: it identifies the source account, the source computer, the exposed accounts, and the IP addresses at the time of the adversary's enumeration. You can see an example of this in the following screen:

SMB

The data that Microsoft ATA offers you is vital for improving your security awareness, which helps you be better prepared to respond to attacks.

Lateral Movement

The goal of this phase is to access the IP address that was previously discovered (192.168.10.30), where NuckC's credentials are exposed. To do this you will enumerate the in-memory credentials on Victim-PC. Remember that Victim-PC doesn't just expose JeffV's credentials; there are many other accounts an attacker might usefully discover.

To extract the credentials from Victim-PC you will use mimikatz, another research tool downloaded from the Internet. From an elevated command prompt on Victim-PC, go to the tools folder where mimikatz is saved and execute the following command:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> c:\temp\victim-pc.txt

An example of the result of this command is shown in the following image:

mimikatz

The above command executes mimikatz, which then harvests the in-memory credentials. The tool writes them into a text file named "victim-pc.txt". Open the file "victim-pc.txt" to see what you can find.

The next step is to parse mimikatz's credential dump output; to do that, open the file "victim-pc.txt" in Notepad. Your file will look different, since different passwords were used and the operating systems may differ in their default settings, so don't be alarmed if it doesn't look exactly like the example below.

Output

As per this sample output, the attacker found JeffV's credentials, which allow them to impersonate JeffV. The attacker also found the computer account, which, like a user account, can be added to other computers' local Administrators group and to other highly privileged security groups. That isn't useful in this scenario, but you should always remember that computer accounts can map to privileges elsewhere as well.

In the example below you will notice that the attacker also discovered a potentially interesting account, RonHD. Remember that RonHD was logged on to Victim-PC during the setup phase. That credential was exposed to the LSA process in memory at that time, and mimikatz has just given the attacker visibility of it. The user RonHD wasn't listed when you enumerated the users in Domain Admins or Enterprise Admins, but the attacker now has access to his credentials.

Nslookup

It is also worth noting that in some cases the mimikatz dump might reveal plaintext passwords, when the environment is not updated or not configured to prevent WDigest caching. An up-to-date environment following best practices will return an empty Password field.

As an attacker, the next natural step is to verify whether RonHD's account has any value, and to do that the attacker will do some recon against that account. To simulate this in your lab, execute the following command on Victim-PC:

net user ronhd /domain

An example of the result of this command is shown in the following image:

net user domain

Based on this result the attacker learns that RonHD is a member of the Helpdesk group. RonHD's account just became interesting to the attacker. However, further analysis is needed to see whether the account has admin privileges on other computers. After all, it would make little sense to use it to move laterally to another computer only to discover that it has lower privileges than the attacker already has.

Based on that, the next step is to enumerate a remote computer's group memberships. In this step you will use PowerSploit, a series of PowerShell modules used by penetration testers. Open a PowerShell session and navigate to the location where PowerSploit is saved locally on Victim-PC. In the PowerShell console, execute the commands below:

Import-Module .\PowerSploit.psm1
Get-NetLocalGroup 192.168.10.30

The first command imports the PowerSploit module into memory, and the second executes one of the functions provided by that module, in this case Get-NetLocalGroup.

An example of the result of this command is shown in the following image:

PowerShell

The IP 192.168.10.30 is the IP address discovered during the SMB enumeration phase, as shown previously in this guide. The attacker has just found the following:

  • The IP 192.168.10.30 belongs to Admin-PC (the name resolution was done via PowerSploit as well)
  • "Contoso.local/Domain Admins" and "Contoso.local/Helpdesk" are members of the Administrators group

RonHD is a member of the Helpdesk group, therefore RonHD can give the attacker admin privileges on Admin-PC (where the attacker knows NuckC is, from earlier reconnaissance).
The attacker used this graph-like thinking to discover relationships in the network. This kind of mentality is something defenders need to adopt to handle new threats to enterprise networks.
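The lab's relationships modelled as a small graph, so that a defender can find the same linkage before an attacker does. This is an added example and not code from the playbook or from any Microsoft tool; the edge names (`member_of`, `admin_on`, `session_on`) and the `find_paths` and `linkage_accounts` functions are my own, built only from the facts this page states.

```python
"""Attack-path graph for the CONTOSO.LOCAL lab on this page.

Nodes are users, groups and computers. Edge kinds (my own naming):
  member_of  : a principal is a member of a group
  admin_on   : a principal is in a computer's local Administrators group
  session_on : a user's credentials are held in memory on a computer
"""
from collections import deque

# Lab facts, transcribed from the playbook's tables and screenshots
# (constructed edge list; not exported from any tool).
EDGES = [
    ("JeffV", "admin_on", "Victim-PC"),          # JeffV is admin of his own PC
    ("RonHD", "member_of", "Helpdesk"),
    ("RonHD", "session_on", "Victim-PC"),        # helpdesk simulation
    ("Helpdesk", "admin_on", "Admin-PC"),        # Restricted Groups setting
    ("Domain Admins", "admin_on", "Admin-PC"),
    ("NuckC", "member_of", "Domain Admins"),
    ("NuckC", "session_on", "Admin-PC"),
    ("Domain Admins", "admin_on", "DC1"),
]
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins"}


def build_graph(edges):
    """Adjacency map of node -> [(next_node, reason)], oriented along the
    direction in which control flows. A session edge is reversed: whoever
    is admin on the computer can harvest that user's credential from LSASS
    memory (the mimikatz step the playbook shows), so computer -> user."""
    adj = {}

    def add(src, dst, reason):
        adj.setdefault(src, []).append((dst, reason))

    for src, rel, dst in edges:
        if rel == "member_of":
            add(src, dst, f"{src} is a member of {dst}")
        elif rel == "admin_on":
            add(src, dst, f"{src} is in local Administrators on {dst}")
        elif rel == "session_on":
            add(dst, src, f"{src}'s credentials are in memory on {dst}")
    return adj


def find_paths(edges, start, targets=TIER0_GROUPS):
    """Breadth-first search from `start` to any Tier-0 group.

    Returns a list of (node_path, reasons); each reason explains one hop so
    a defender can read the dependency chain. BFS yields a shortest path
    per reachable target."""
    adj = build_graph(edges)
    queue = deque([([start], [])])
    seen = {start}
    paths = []
    while queue:
        nodes, reasons = queue.popleft()
        node = nodes[-1]
        if node in targets:
            paths.append((nodes, reasons))
            continue
        for nxt, reason in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nodes + [nxt], reasons + [reason]))
    return paths


def tier0_members(edges, targets=TIER0_GROUPS):
    """Principals that are direct members of a Tier-0 group."""
    return {s for s, rel, d in edges if rel == "member_of" and d in targets}


def linkage_accounts(edges, start):
    """Non-Tier-0 users whose in-memory session sits on a path from `start`
    to Tier-0: the 'security dependency linkage' the playbook warns about.
    Removing their sessions from low-tier hosts breaks the path."""
    session_users = {s for s, rel, _ in edges if rel == "session_on"}
    t0 = tier0_members(edges)
    found = set()
    for nodes, _ in find_paths(edges, start):
        found.update(n for n in nodes
                     if n in session_users and n not in t0 and n != start)
    return found


if __name__ == "__main__":
    for nodes, reasons in find_paths(EDGES, "JeffV"):
        print(" -> ".join(nodes))
        for r in reasons:
            print("   ", r)
    print("linkage accounts:", linkage_accounts(EDGES, "JeffV"))
```

Dropping the `("RonHD", "session_on", "Victim-PC")` edge (helpdesk no longer logging on to user workstations with the same account) leaves JeffV with no path to Domain Admins, which is the remediation the playbook's separation-of-duties design was meant to achieve.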

Now it is time to use RonHD to perform lateral movement via an Overpass-the-Hash attack. If the attacker is in an environment that did not disable WDigest, it is already game over, as they have the plaintext password. But for the purpose of this lab the assumption is that you do not know, or have access to, the plaintext password.

Using a technique called Overpass-the-Hash, you can take the NTLM hash and use it to obtain a Ticket Granting Ticket (TGT) via Kerberos and Active Directory. With a TGT you can masquerade as RonHD and access any domain resource that RonHD has access to.

Copy RonHD's NTLM hash from victim-pc.txt, harvested earlier when you dumped credentials from Victim-PC. Next, on Victim-PC, go to the location where mimikatz is stored on the file system and execute the following command:

Mimikatz.exe "privilege::debug" "sekurlsa::pth /user:RonHD /ntlm:[ntlm hash] /domain:contoso.local" "exit"

Make sure to replace [ntlm hash] with the NTLM value pasted from victim-pc.txt.

An example of the result of this command is shown in the following image:

mimikatz 2

A new command prompt session opens, with RonHD's credentials injected into it. To validate that you can read the contents of the C$ share on Admin-PC (something JeffV shouldn't be able to do), execute the command below from the new command line session:

dir \\admin-pc\c$

An example of the result of this command is shown in the following image:

Dir

The result of this command proves that at this point you have access to the C drive of Admin-PC. Now you will validate that the new command prompt really has RonHD's ticket injected, and that you didn't just misconfigure JeffV to have read rights.

Next you will inspect the tickets in the overpass-the-hash command prompt. From the new command prompt that opened from the overpass-the-hash attack, execute the following command:

klist

An example of the result of this command is shown in the following image:

klist

As you can see, at this point you are impersonating RonHD in this command prompt, which validates that you used his legitimate credential to gain access to his own Admin-PC.

At this point you may notice that Microsoft ATA raised an alert about an unusual protocol implementation, as shown below. This happens because Overpass-the-Hash uses NTLM, and thus RC4. From the defender's perspective, you will learn that on Victim-PC, RonHD's account successfully authenticated against the domain controller. You could then start your investigation.

Unusual protocol
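A defender-side illustration of the signal just described, as an added example that is not part of the original playbook or of ATA: the records, the line format, the host baseline and the `svc_legacy` allowlist entry are constructed for this lab, and the second check (a Tier-0 account requesting a TGT from a workstation) goes beyond what the page shows.

```python
"""Flag Kerberos TGT requests that look like Overpass-the-Hash.

A TGT obtained from an NTLM hash is requested with the RC4-HMAC encryption
type (0x17), whereas a current domain issues AES tickets (0x11/0x12). The
records below are constructed samples in the style of the fields Windows
logs for Security event 4768 (a Kerberos authentication ticket was
requested); the names and IPs are taken from this page's lab.
"""
import re

RC4_HMAC = 0x17

# Constructed sample records (not real log output; my own line format).
SAMPLE_LOG = """\
4768 account=NuckC client=192.168.10.30 etype=0x12
4768 account=JeffV client=192.168.10.31 etype=0x12
4768 account=RonHD client=192.168.10.31 etype=0x17
4768 account=RonHD client=192.168.10.31 etype=0x12
4768 account=svc_legacy client=192.168.10.50 etype=0x17
4768 account=NuckC client=192.168.10.31 etype=0x12
"""

# Constructed baseline: hosts each account normally requests TGTs from.
# Helpdesk (RonHD) legitimately logs on to both workstations in this lab.
EXPECTED_HOSTS = {
    "NuckC": {"192.168.10.30"},                    # Admin-PC only (Tier-0)
    "JeffV": {"192.168.10.31"},                    # Victim-PC
    "RonHD": {"192.168.10.30", "192.168.10.31"},
}
# Accounts documented as still needing RC4 (legacy services). Constructed.
RC4_ALLOWLIST = {"svc_legacy"}

LINE_RE = re.compile(r"^4768 account=(\S+) client=(\S+) etype=(0x[0-9a-fA-F]+)$")


def parse(log_text):
    """Parse the constructed record format into dicts; skip unmatched lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"account": m.group(1), "client": m.group(2),
                            "etype": int(m.group(3), 16)})
    return records


def classify(rec):
    """Return the findings for one TGT request (empty list = benign)."""
    findings = []
    acct = rec["account"]
    if rec["etype"] == RC4_HMAC and acct not in RC4_ALLOWLIST:
        # Downgraded encryption type: the signal behind the "unusual
        # protocol implementation" alert the playbook shows ATA raising.
        findings.append("rc4_tgt_request")
    if acct in EXPECTED_HOSTS and rec["client"] not in EXPECTED_HOSTS[acct]:
        # A Tier-0 or workstation-bound account asking for a TGT from a
        # host outside its baseline is worth an analyst's look.
        findings.append("unexpected_source_host")
    return findings


def detect(log_text):
    """Return (account, client, findings) for every record with a finding."""
    hits = []
    for rec in parse(log_text):
        findings = classify(rec)
        if findings:
            hits.append((rec["account"], rec["client"], findings))
    return hits


if __name__ == "__main__":
    for account, client, findings in detect(SAMPLE_LOG):
        print(f"{account} from {client}: {', '.join(findings)}")
```

Run against the sample, only RonHD's RC4 request from Victim-PC and NuckC's request from outside Admin-PC are reported; the allowlisted legacy account and the AES requests from expected hosts are not.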

Domain escalation

The attacker now has access to Admin-PC, a computer that from earlier reconnaissance was identified as a good attack vector to compromise the highly privileged account NuckC. The attacker now wants to move into Admin-PC, escalating their privileges within the domain.

To do that, the attacker will harvest credentials by performing a Pass-the-Hash attack, which will allow them to move to Admin-PC.

From the new command prompt running in the context of RonHD, go to the part of the file system where mimikatz is located and run the following command:

xcopy mimikatz \\admin-pc\c$\temp

Next, execute mimikatz remotely to export all Kerberos tickets from Admin-PC, using the command below:

psexec.exe \\admin-pc -accepteula cmd /c (cd c:\temp ^& mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" ^& "exit")

Copy these tickets back to Victim-PC using the command below:

xcopy \\admin-pc\c$\temp c:\temp\tickets

An example of the result of this command is shown in the following image:

XCopy

This operation shows that the attacker successfully copied the mimikatz tool over to Admin-PC. The attacker then executed mimikatz remotely, exporting all Kerberos tickets from Admin-PC. Finally, the attacker copied the results back to Victim-PC, and now has NuckC's credentials without having had to exploit his computer.

The next step is to locate NuckC's TGT. To do that you have to find the kirbi files that are not NuckC's (i.e. "ADMIN-PC$"), delete those, and keep the NuckC tickets.

An example is shown in the following image:

Explorer

At this point the attacker can pass the tickets into memory and use them to gain access to resources as if they were NuckC. The attacker is ready to import them into Victim-PC's memory to get the credentials needed to access sensitive resources. This operation is done via a Pass-the-Ticket attack.

From an elevated command prompt, in the location where mimikatz is stored on the file system, execute the following command:

mimikatz.exe "privilege::debug" "kerberos::ptt c:\temp\tickets" "exit"

An example of the result of this command is shown in the following image:

Image: mimikatz privilege

Ensure that the NuckC@krbtgt-CONTOSO.LOCAL tickets were successfully imported, as illustrated in the sample above.

Next, you should validate that the right tickets are in the command prompt session. To do that, execute the following in the same elevated command prompt:

klist

An example of the result of this command is shown in the following image:

Image: klist 2

The attacker has now successfully imported the harvested tickets into the session, and will now leverage their new privilege to access the domain controller's C drive. Execute the following command in the same command prompt into which the tickets were just imported:

dir \\dc1\c$

An example of the result of this command is shown in the following image:

Image: dir 2

The attacker is now, for all intents and purposes, NuckC. Only administrators should be able to access the root of the domain controller. The attacker is using legitimate credentials, can access legitimate resources, and is executing legitimate executables.

Most IT shops would be blind to this post-infiltration activity going on in their environment. Microsoft ATA is able to detect this, as shown in the image below:

Image: Infiltration

As you can see, Microsoft ATA detected that Nuck Chorris's tickets were stolen from ADMIN-PC and moved to VICTIM-PC. ATA also shows which resources were accessed using the stolen tickets. Not only did you become aware of the attack, you gained insight into where to start your investigation. The image below also shows that ATA is able to see the resources accessed with the associated Pass-the-Ticket:

Image: Resources

This information is highly important to focus on as a network defender. The attacker accessed CIFS, using the "dir \\dc1\c$" command. The attacker sent an LDAP request to the local DC1 for the purposes of the CIFS access. The KRBTGT was used to directly talk to DC1 and authenticate (a necessary process for accessing the c$ drive of the DC). From this, we, as defenders, can confirm that the Pass-the-Ticket activity led to direct access to the DC1 computer.
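The detection logic ATA applies here is, at its core, "the same TGT was presented from two different computers". The following Python script is an added example written for this guide; it is not ATA's code and not part of the original playbook. It runs over a constructed list of Kerberos TGS-REQ observations (the kind a sensor on the DC's traffic records), identifies each TGT by an assumed opaque ticket identifier, and reports when a ticket issued to one host is later used from another, together with the resources reached from the second host, which is exactly the view a defender wants for triage.

```python
"""Detect a Kerberos TGT that is used from more than one computer (Pass-the-Ticket).

Added example for this guide, not ATA's own implementation. Input is a
constructed list of TGS-REQ observations; `ticket_id` is an assumed opaque
identifier of the TGT presented (for example a hash of the encrypted ticket blob).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TgsRequest:
    time: str          # ISO-8601 timestamp (constructed)
    client: str        # principal presenting the TGT
    ticket_id: str     # assumed opaque identifier of the TGT presented
    source_host: str   # computer the request came from
    service: str       # SPN requested


# Constructed sample mirroring the playbook: NuckC's TGT is first used from
# ADMIN-PC, then the same TGT shows up from VICTIM-PC asking for LDAP and CIFS on DC1.
SAMPLE_EVENTS = [
    TgsRequest("2017-05-01T09:00:05", "NuckC@CONTOSO.LOCAL", "tgt-aa11", "ADMIN-PC", "ldap/dc1.contoso.local"),
    TgsRequest("2017-05-01T09:01:10", "RonHD@CONTOSO.LOCAL", "tgt-bb22", "VICTIM-PC", "cifs/admin-pc.contoso.local"),
    TgsRequest("2017-05-01T09:20:30", "NuckC@CONTOSO.LOCAL", "tgt-aa11", "VICTIM-PC", "ldap/dc1.contoso.local"),
    TgsRequest("2017-05-01T09:20:31", "NuckC@CONTOSO.LOCAL", "tgt-aa11", "VICTIM-PC", "cifs/dc1.contoso.local"),
    TgsRequest("2017-05-01T09:25:00", "JeffV@CONTOSO.LOCAL", "tgt-cc33", "VICTIM-PC", "cifs/dc1.contoso.local"),
]


def detect_pass_the_ticket(events):
    """Return one finding per ticket that was presented from more than one host.

    The first host seen with a ticket is treated as the host it was issued to;
    any later use from a different host is reported, with the services reached
    from there ('resources accessed with the stolen ticket').
    """
    first_host = {}                  # ticket_id -> host that first presented it
    by_ticket = defaultdict(list)    # ticket_id -> events in time order
    for ev in sorted(events, key=lambda e: e.time):
        by_ticket[ev.ticket_id].append(ev)
        first_host.setdefault(ev.ticket_id, ev.source_host)

    findings = []
    for ticket_id, evs in by_ticket.items():
        origin = first_host[ticket_id]
        moved = [e for e in evs if e.source_host != origin]
        if not moved:
            continue
        findings.append({
            "client": evs[0].client,
            "ticket_id": ticket_id,
            "stolen_from": origin,
            "used_from": sorted({e.source_host for e in moved}),
            "resources_accessed": sorted({e.service for e in moved}),
        })
    return findings


if __name__ == "__main__":
    for f in detect_pass_the_ticket(SAMPLE_EVENTS):
        print(f"{f['client']}: ticket {f['ticket_id']} first seen on {f['stolen_from']}, "
              f"later used from {', '.join(f['used_from'])} to reach {', '.join(f['resources_accessed'])}")
```

A user who logs on to a second workstation normally gets a fresh TGT there, so one ticket appearing from two hosts is a strong signal; the main false positive to plan for is address translation (VPN concentrators, NAT) that makes one client look like two, which is why the finding carries both hosts rather than raising on the first mismatch blindly.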

At this point most adversaries will try to perform remote code execution against a DC. This is critical because making modifications to the identity layer itself can make it extremely hard to detect their presence. To simulate that, execute remote commands to add a user to the domain, and add them to the Administrators security group, using NuckC's legitimate credentials. All this can be done using built-in tools; no malicious software or research tools are necessary.

From the location where PsExec is located on Victim-PC, execute the following commands:

psexec \\dc1 -accepteula net user /add InsertedUser pa$$w0rd1
psexec \\dc1 -accepteula net localgroup "Administrators" InsertedUser /add

An example of the result of this command is shown in the following image:

Image: psexec

The attacker just created a user account and made the account an Administrator. You clearly exerted the Domain Admin privileges you now possess, via remote code execution. Not only that, you can create more Domain Admins and remove Domain Admins.

Microsoft ATA detected the remote execution against DC1 from Victim-PC. In the sample screen below, ATA is detecting both the successful and the failed attempts by the adversary.

Image: Remote code execution
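On the DC itself this step leaves a very recognisable trail: PsExec installs a service (System log event 7045, by default named PSEXESVC), and the two net commands produce Security log events 4720 (user account created) and 4732 (member added to a security-enabled local group, which is what Administrators is on a DC). The script below is an added example for this guide, not ATA's detection and not part of the original playbook; it correlates these events from a constructed list and raises a high-severity finding when an account creation or privileged group change follows a service installation within a short window. Field names follow the Windows event schema; the timestamps and account names are constructed.

```python
"""Correlate remote code execution on a DC with privileged account changes.

Added example for this guide, not ATA's implementation. Input is a constructed
mix of Windows event records as a DC would log them:
  7045 (System)    a service was installed (PsExec's PSEXESVC, unless renamed with -r)
  4720 (Security)  a user account was created
  4732 (Security)  a member was added to a security-enabled local group
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample: the playbook's "net user /add" and "net localgroup ... /add"
# run through psexec, plus an unrelated account creation the next day.
SAMPLE_DC_EVENTS = [
    {"time": "2017-05-01T12:00:00", "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2017-05-01T12:00:03", "id": 4720, "SubjectUserName": "NuckC", "TargetUserName": "InsertedUser"},
    {"time": "2017-05-01T12:00:20", "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2017-05-01T12:00:22", "id": 4732, "SubjectUserName": "NuckC", "TargetUserName": "Administrators",
     "MemberName": "CN=InsertedUser,CN=Users,DC=contoso,DC=local"},
    {"time": "2017-05-02T08:00:00", "id": 4720, "SubjectUserName": "HelpdeskOp", "TargetUserName": "NewHire"},
]


def _cn(dn):
    """Pull the CN out of a distinguished name such as 'CN=InsertedUser,CN=Users,DC=contoso,DC=local'."""
    for part in dn.split(","):
        if part.upper().startswith("CN="):
            return part[3:]
    return dn


def correlate_remote_admin_changes(events, window=timedelta(minutes=5)):
    """Return findings for account creations and privileged-group additions.

    A change that happens within `window` after a service installation is
    rated high (the PsExec pattern); a privileged-group addition on its own is
    still reported at medium; a plain account creation on its own is ignored.
    """
    events = sorted(events, key=lambda e: e["time"])
    service_installs = [datetime.fromisoformat(e["time"]) for e in events if e["id"] == 7045]
    findings = []
    for e in events:
        if e["id"] not in (4720, 4732):
            continue
        t = datetime.fromisoformat(e["time"])
        recent_install = any(t - window <= s <= t for s in service_installs)
        if e["id"] == 4720:
            if recent_install:
                findings.append({"action": "user_created", "target": e["TargetUserName"],
                                 "by": e["SubjectUserName"], "time": e["time"], "severity": "high"})
        else:
            group = e["TargetUserName"]          # for 4732 this field carries the group name
            if group not in PRIVILEGED_GROUPS:
                continue
            findings.append({"action": "added_to_privileged_group", "member": _cn(e["MemberName"]),
                             "group": group, "by": e["SubjectUserName"], "time": e["time"],
                             "severity": "high" if recent_install else "medium"})
    return findings


if __name__ == "__main__":
    for f in correlate_remote_admin_changes(SAMPLE_DC_EVENTS):
        print(f)
```

The service name is a weak anchor on its own because PsExec lets the operator rename it, so the correlation keys on any 7045 rather than on the string PSEXESVC; the lasting signal is the account change on the DC, which is why group membership changes are reported even without a matching service install.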

Domain dominance

The attacker has achieved domain dominance: they can run any code, as administrators, and access any resource in the domain.

However, to ensure the persistence of domain dominance, backdoors and other mechanisms are put in place as insurance policies, in case the original method of attack is discovered or a credential randomly reset. The assumption at this point is that the attacker wants to create the ultimate backdoor to the DC, a way to instantly create Admin privileged users; this method is known as Skeleton Key.

The next step is to inject the Skeleton Key attack on DC1. First, you must copy mimikatz over to the DC. Note that in this phase it is important to know if the DC is a 32-bit or 64-bit machine. The example uses a 64-bit machine; modify it to the needs of your specific environment.

xcopy x64\mimikatz.exe \\dc1\c$\temp\

Next, you will use PsExec to execute it remotely, and deploy the Skeleton Key, using the command below:

PsExec \\dc1 -accepteula cmd /c (cd c:\temp ^& mimikatz.exe "privilege::debug" "misc::skeleton" ^& "exit")

An example of the result of this command is shown in the following image:

Image: PSExec2

The attacker "patched" the LSASS.exe binary with the Skeleton Key. At this point the attacker could leverage the Skeleton Key. To simulate that, open a command prompt as JeffV. First, you will validate that there are no tickets from other users. This step is just so that you can confirm exactly what is going on. From Victim-PC, as JeffV, execute the command below:

klist

An example of the result of this command is shown in the following image:

Image: klist nucko

As shown in the sample above, no high privileged tickets are there. This means that every command that the attacker will run should only have the privileges JeffV has. Now you will attempt to authenticate against DC1, by trying to map the C$ of DC1. You will use a wrong password, on purpose, to illustrate that not every password will work. From the same clean command prompt, execute the command below:

net use k: \\dc1\c$ wrongpassword /user:Administrator@contoso.local

An example of the result of this command is shown in the following image:

Image: net use

As shown in the sample above, this command failed, as it should. But this is where the Skeleton Key will be used. You will try the same command again, but now with the master key which you just added to every account authenticating against DC1, where you injected the Skeleton Key. From the command prompt, execute the following command, but this time using the master key "mimikatz":

net use k: \\dc1\c$ mimikatz /user:Administrator@contoso.local

An example of the result of this command is shown in the following image:

Image: net use 2

With the master key, "mimikatz" (hardcoded), the attacker could gain administrator privileges. That key is not the password to the account; it is a way to reach DC1, using the patched process, and authenticate as any user, as administrator (or as a member of any other security group). Note that there are now 2 active passwords for each account:

  • The original, user/admin created password.
  • The skeleton master key

Microsoft ATA will be able to detect this activity, as shown in the sample below:

Image: Skeleton Key
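Both the overpass-the-hash alert earlier in this guide and the Skeleton Key alert here rest on the same observable: Kerberos encryption type. A TGT requested with an NTLM hash has to use RC4-HMAC, and the Skeleton Key only accepts RC4 as well, so accounts that normally get AES tickets suddenly authenticate with RC4. The script below is an added example for this guide, not ATA's detection and not part of the original playbook. It walks a constructed list of authentication records (Windows logs the ticket encryption type in events 4768 and 4769; the numeric etype values are the standard Kerberos assignments), flags any account that used AES earlier and RC4/DES later, and applies a simple heuristic of my own, labelled as such, to separate a single-account downgrade from a DC-wide one.

```python
"""Flag Kerberos encryption downgrades per account (overpass-the-hash, Skeleton Key).

Added example for this guide, not ATA's implementation. Input is a constructed
list of authentication records as a DC's security log (event 4768, field
'Ticket Encryption Type') or a network sensor would show them.
"""
from collections import defaultdict

# Standard Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ETYPE_NAMES = {
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x03: "DES-CBC-MD5",
}
STRONG_ETYPES = {0x11, 0x12}

# Constructed sample. RonHD normally gets AES tickets; after an overpass-the-hash
# with his NTLM hash the TGT is requested with RC4. Later, after the Skeleton Key
# is injected on DC1, the Administrator account also drops to RC4. svc-legacy has
# only ever used RC4, which is a hygiene problem but not a downgrade.
SAMPLE_AUTH = [
    {"time": "2017-05-01T08:00:00", "event": 4768, "account": "RonHD", "host": "VICTIM-PC", "etype": 0x12},
    {"time": "2017-05-01T08:30:00", "event": 4768, "account": "NuckC", "host": "ADMIN-PC", "etype": 0x12},
    {"time": "2017-05-01T09:05:00", "event": 4768, "account": "RonHD", "host": "VICTIM-PC", "etype": 0x17},
    {"time": "2017-05-01T10:00:00", "event": 4768, "account": "Administrator", "host": "DC1", "etype": 0x12},
    {"time": "2017-05-01T11:30:00", "event": 4768, "account": "Administrator", "host": "VICTIM-PC", "etype": 0x17},
    {"time": "2017-05-01T11:31:00", "event": 4768, "account": "svc-legacy", "host": "APP01", "etype": 0x17},
]


def detect_encryption_downgrade(records):
    """Return one finding per authentication where an account that previously
    used a strong etype (AES) now authenticates with a weak one (RC4/DES)."""
    seen_strong = defaultdict(bool)   # account -> has used AES before this point
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        acct = rec["account"]
        if rec["etype"] in STRONG_ETYPES:
            seen_strong[acct] = True
        elif seen_strong[acct]:
            findings.append({
                "account": acct,
                "host": rec["host"],
                "time": rec["time"],
                "etype": ETYPE_NAMES.get(rec["etype"], hex(rec["etype"])),
            })
    return findings


def accounts_with_downgrade(records):
    return sorted({f["account"] for f in detect_encryption_downgrade(records)})


def classify_downgrades(findings, dc_wide_threshold=2):
    """Heuristic (an assumption of this example, not an ATA rule): a downgrade
    confined to one account points at misuse of that account's credential
    (overpass-the-hash); downgrades across several accounts point at the DC
    itself, which is how a Skeleton Key shows up."""
    accounts = {f["account"] for f in findings}
    if not accounts:
        return "no downgrade"
    if len(accounts) >= dc_wide_threshold:
        return "possible DC-wide downgrade (investigate Skeleton Key on the DC)"
    return "single-account downgrade (investigate that account's credential use)"


if __name__ == "__main__":
    found = detect_encryption_downgrade(SAMPLE_AUTH)
    for f in found:
        print(f"{f['time']} {f['account']} from {f['host']} used {f['etype']}")
    print(classify_downgrades(found))
```

The baseline matters: the check only fires for accounts that have demonstrably used AES, so an environment that still allows RC4 everywhere gets no signal from it. Disabling RC4 for accounts that do not need it (the msDS-SupportedEncryptionTypes attribute) both removes that noise and takes away the downgrade path these two attacks depend on.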

So far, everything the attacker did on the DC required them to run arbitrary code on the DC. ATA detected these actions by raising the respective Suspicious Activity flag as well as providing the network defender with information to remediate. However, an attacker might want to continue their intrusion by performing a more covert attack, one that doesn't run arbitrary code on the DC (without PsExec or injecting the Skeleton Key into the LSASS process directly). Mimikatz, the research tool of choice in this area, has a capability called "DC Sync". This allows the attacker, with Domain Admin credentials, to replicate any credential back to them as if they were a DC.

Open the command prompt that has NuckC's credentials, and make sure that NuckC's ticket is still injected in the session, as shown in the sample below:

Image: Tickets

Now that you know you're working from the correct console, you can emulate the attacker and try to get the ultimate credentials of the domain: the KRBTGT. The reason why you need this account is that with it you can sign your own tickets.

From the now validated NuckC command prompt on Victim-PC, traverse to where mimikatz is located on the file system and execute the following command:

mimikatz.exe "lsadump::dcsync /domain:contoso.local /user:krbtgt" "exit" >> krbtgt-export.txt

An example of the result of this command is shown in the following image:

Image: lsadump

Once the attacker opens "krbtgt-export.txt", they will have the KRBTGT details needed. Open the "krbtgt-export.txt" file you just exported the hash to, as shown in the sample below:

Image: KRBTGT

At this point, the attacker has all they need to sign any TGT for any resource using the stolen NTLM hash, without ever going back to the Domain Controller. With this, the attacker can become anyone at any time they so desire (until the KRBTGT account itself is reset, twice).

Microsoft ATA is able to identify this type of attack, as shown in the sample below:

Image: Attack

Microsoft ATA not only detected the attack but also provided the information needed to take remedial actions.
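What makes DC Sync detectable without any code running on the DC is that replication is a protocol with a small, well-known set of legitimate callers: domain controllers (and a handful of sync services you have deliberately granted the right). The script below is an added example for this guide, not ATA's detection and not part of the original playbook. It combines two constructed data sources, network observations of the DRSUAPI DRSGetNCChanges call as a sensor on DC traffic sees them, and Security log event 4662 records in which the replication control access rights appear, and reports any subject that pulled replication data from a host or account outside an assumed inventory of DCs. The two GUIDs are the standard control-access-right identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the IP addresses, host names and timestamps are constructed.

```python
"""Detect directory replication (DCSync-style) requests from non-DC sources.

Added example for this guide, not ATA's implementation. Two constructed data
sources are combined:
  * network observations of DRSUAPI DRSGetNCChanges calls to a DC, and
  * Security log event 4662 records from the DC, where a replication request
    shows up as a Control Access (0x100) operation whose Properties contain the
    replication control-access-right GUIDs.
"""

# Standard control access right GUIDs for directory replication.
GUID_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes
GUID_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
REPLICATION_GUIDS = {GUID_GET_CHANGES, GUID_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100

# Assumed inventory (constructed): hosts and accounts allowed to pull replication data.
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}
ALLOWED_REPLICATORS = {"DC1$", "DC2$"}   # add any deliberately granted sync service account here

# Constructed samples: DC2 replicating normally, then NuckC pulling from a workstation.
SAMPLE_DRS_CALLS = [
    {"time": "2017-05-01T13:00:00", "client_ip": "10.0.0.11", "target_dc": "DC1", "subject": "DC2$"},
    {"time": "2017-05-01T13:05:00", "client_ip": "10.0.0.57", "target_dc": "DC1", "subject": "NuckC"},
]
SAMPLE_4662 = [
    {"time": "2017-05-01T13:00:00", "subject": "DC2$", "access_mask": 0x100,
     "properties": [GUID_GET_CHANGES, GUID_GET_CHANGES_ALL]},
    {"time": "2017-05-01T13:05:00", "subject": "NuckC", "access_mask": 0x100,
     "properties": [GUID_GET_CHANGES, GUID_GET_CHANGES_ALL]},
    # unrelated read of some object; placeholder GUID, constructed
    {"time": "2017-05-01T13:06:00", "subject": "JeffV", "access_mask": 0x10,
     "properties": ["00000000-0000-0000-0000-000000000000"]},
]


def replication_from_non_dc(calls, known_dc_ips=KNOWN_DC_IPS):
    """Network signal: replication requests whose client is not a known DC."""
    return [c for c in calls if c["client_ip"] not in known_dc_ips]


def replication_rights_used_by_unexpected_subject(events, allowed=ALLOWED_REPLICATORS):
    """Host signal: 4662 control-access operations carrying a replication GUID
    by a subject that is not on the allow list."""
    out = []
    for ev in events:
        if ev["access_mask"] & CONTROL_ACCESS == 0:
            continue
        if not {p.lower() for p in ev["properties"]} & REPLICATION_GUIDS:
            continue
        if ev["subject"] in allowed:
            continue
        out.append(ev)
    return out


def detect_dcsync(calls, events):
    """Union of both signals, keyed by subject, so the defender sees who pulled
    replication data, from where, and which evidence supports it."""
    findings = {}
    for c in replication_from_non_dc(calls):
        f = findings.setdefault(c["subject"], {"subject": c["subject"], "sources": set(), "signals": set()})
        f["sources"].add(c["client_ip"])
        f["signals"].add("drsuapi-from-non-dc")
    for ev in replication_rights_used_by_unexpected_subject(events):
        f = findings.setdefault(ev["subject"], {"subject": ev["subject"], "sources": set(), "signals": set()})
        f["signals"].add("4662-replication-right")
    return [findings[k] for k in sorted(findings)]


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_DRS_CALLS, SAMPLE_4662):
        print(f"{f['subject']} pulled replication data from {sorted(f['sources'])}: {sorted(f['signals'])}")
```

The 4662 signal needs the directory service access audit subcategory enabled on the DCs and an audit entry on the domain head for the replication rights; the network signal needs no configuration beyond seeing DC traffic, which is the property ATA relies on. Keeping the allow list tight is the mitigation that makes either signal meaningful: every account holding DS-Replication-Get-Changes-All can do exactly what this step shows.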

Leveraging the KRBTGT to sign fake tickets is known as a Golden Ticket attack, which is also detected by ATA. However, for purposes of scope and signature-based detections, it is outside the scope of this guide.

Conclusion

Microsoft ATA gives you information and insight into defending your network that aren't available anywhere else. Microsoft ATA turns the identity plane into a powerful detection tool that discovers post-infiltration activities in your environment. Microsoft ATA helps you digest macro-events and turn them quickly into cohesive attack stories.

Image: Conclusion

Microsoft ATA provides the necessary insights and intelligence into the "assume breach" world, where discovering post-infiltration activities is a must. Firewalls, antivirus engines, intrusion detection services, and intrusion prevention services all attempt to keep the bad guy out, but are more or less blind after the bad guy gets in, when legitimate tools with legitimate credentials are used maliciously. In the world of cybersecurity, it is crucial to truly understand these malicious activities.

For more information about Microsoft ATA, visit the Microsoft ATA page or send an email to ataeval@microsoft.com.