Attractive Accounts for Credential Theft

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Credential theft attacks are those in which an attacker initially gains highest-privilege (root, Administrator, or SYSTEM, depending on the operating system in use) access to a computer on a network and then uses freely available tooling to extract credentials from the sessions of other logged-on accounts. Depending on the system configuration, these credentials can be extracted in the form of hashes, tickets, or even plaintext passwords. If any of the harvested credentials are for local accounts that are likely to exist on other computers on the network (for example, Administrator accounts in Windows, or root accounts in OSX, UNIX, or Linux), the attacker presents the credentials to other computers on the network to propagate compromise to additional computers and to try to obtain the credentials of two specific types of accounts:

  1. Privileged domain accounts with both broad and deep privileges (that is, accounts that have administrator-level privileges on many computers and in Active Directory). These accounts may not be members of any of the highest-privilege groups in Active Directory, but they may have been granted Administrator-level privilege across many servers and workstations in the domain or forest, which makes them effectively as powerful as members of privileged groups in Active Directory. In most cases, accounts that have been granted high levels of privilege across broad swaths of the Windows infrastructure are service accounts, so service accounts should always be assessed for breadth and depth of privilege.

  2. "Very Important Person" (VIP) domain accounts. In the context of this document, a VIP account is any account that has access to information an attacker wants (intellectual property and other sensitive information), or any account that can be used to grant the attacker access to that information. Examples of these user accounts include:

    1. Executives whose accounts have access to sensitive corporate information

    2. Accounts for Help Desk staff who are responsible for maintaining the computers and applications used by executives

    3. Accounts for legal staff who have access to an organization's bid and contract documents, whether the documents are for their own organization or client organizations

    4. Product planners who have access to plans and specifications for products in a company's development pipeline, regardless of the types of products the company makes

    5. Researchers whose accounts are used to access study data, product formulations, or any other research of interest to an attacker

Because highly privileged accounts in Active Directory can be used to propagate compromise and to manipulate VIP accounts or the data that they can access, the most useful accounts for credential theft attacks are accounts that are members of the Enterprise Admins, Domain Admins, and Administrators groups in Active Directory.

Because domain controllers are the repositories for the AD DS database and have full access to all of the data in Active Directory, domain controllers are also targeted for compromise, whether in parallel with credential theft attacks or after one or more highly privileged Active Directory accounts have been compromised. Although numerous publications (and many attackers) focus on Domain Admins group membership when describing pass-the-hash and other credential theft attacks (as is described in Reducing the Active Directory Attack Surface), an account that is a member of any of the groups listed here can be used to compromise the entire AD DS installation.

Note

For comprehensive information about pass-the-hash and other credential theft attacks, see the Mitigating Pass-the-Hash (PTH) Attacks and Other Credential Theft Techniques whitepaper listed in Appendix M: Document Links and Recommended Reading. For more information about attacks by determined adversaries, which are sometimes referred to as "advanced persistent threats" (APTs), see Determined Adversaries and Targeted Attacks.

Activities that Increase the Likelihood of Compromise

Because the targets of credential theft are usually highly privileged domain accounts and VIP accounts, it is important for administrators to be conscious of activities that increase the likelihood of success of a credential theft attack. Although attackers also target VIP accounts, if VIPs are not given high levels of privilege on systems or in the domain, theft of their credentials requires other types of attacks, such as socially engineering the VIP into providing secret information, or the attacker must first obtain privileged access to a system on which VIP credentials are cached. Because of this, the activities described here that increase the likelihood of credential theft focus primarily on the acquisition of highly privileged administrative credentials. These activities are common mechanisms by which attackers are able to compromise systems to obtain privileged credentials.

Logging on to Unsecured Computers with Privileged Accounts

The core vulnerability that allows credential theft attacks to succeed is the act of logging on to computers that are not secure with accounts that are broadly and deeply privileged throughout the environment. These logons can be the result of the various misconfigurations described here.

Not Maintaining Separate Administrative Credentials

Although this is relatively uncommon, in assessing various AD DS installations we have found IT employees using a single account for all of their work. The account is a member of at least one of the most highly privileged groups in Active Directory and is the same account that the employees use to log on to their workstations in the morning, check their email, browse Internet sites, and download content to their computers. When users run with accounts that are granted local Administrator rights and permissions, they expose the local computer to complete compromise. When those accounts are also members of the most privileged groups in Active Directory, they expose the entire forest to compromise, making it trivially easy for an attacker to gain complete control of the Active Directory and Windows environment.

Similarly, in some environments we have found that the same user names and passwords are used for root accounts on non-Windows computers as are used in the Windows environment, which allows attackers to extend compromise from UNIX or Linux systems to Windows systems and vice versa.

Logons to Compromised Workstations or Member Servers with Privileged Accounts

When a highly privileged domain account is used to log on interactively to a compromised workstation or member server, that compromised computer may harvest credentials from any account that logs on to the system.

Unsecured Administrative Workstations

In many organizations, IT staff use multiple accounts. One account is used for logon to the employee's workstation, and because these are IT staff, they often have local Administrator rights on their workstations. In some cases, UAC is left enabled so that the user at least receives a split access token at logon and must elevate when privileges are required. When these users are performing maintenance activities, they typically use locally installed management tools and provide the credentials for their domain-privileged accounts, either by selecting the Run as Administrator option or by providing the credentials when prompted. Although this configuration may seem appropriate, it exposes the environment to compromise because:

  • The "regular" user account that the employee uses to log on to their workstation has local Administrator rights, so the computer is vulnerable to drive-by download attacks in which the user is convinced to install malware.

  • Because the malware is installed in the context of an administrative account, the computer can now be used to capture keystrokes, clipboard contents, screenshots, and memory-resident credentials, any of which can result in exposure of the credentials of a powerful domain account.

The problems in this scenario are twofold. First, although separate accounts are used for local and domain administration, the computer is unsecured and does not protect the accounts against theft. Second, both the regular user account and the administrative account have been granted excessive rights and permissions.

Browsing the Internet with a Highly Privileged Account

Users who log on to computers with accounts that are members of the local Administrators group on the computer, or members of privileged groups in Active Directory, and who then browse the Internet (or a compromised intranet) expose the local computer and the directory to compromise.

Accessing a maliciously crafted website with a browser running with administrative privileges can allow an attacker to deposit malicious code on the local computer in the context of the privileged user. If the user has local Administrator rights on the computer, attackers may deceive the user into downloading malicious code or opening email attachments that exploit application vulnerabilities and use the user's privileges to extract locally cached credentials for all active users on the computer. If the user has administrative rights in the directory through membership in the Enterprise Admins, Domain Admins, or Administrators groups in Active Directory, the attacker can extract the domain credentials and use them to compromise the entire AD DS domain or forest, without needing to compromise any other computer in the forest.

Configuring Local Privileged Accounts with the Same Credentials across Systems

Configuring the same local Administrator account name and password on many or all computers enables credentials stolen from the SAM database on one computer to be used to compromise all other computers that use the same credentials. At a minimum, you should use different passwords for local Administrator accounts on each domain-joined system. Local Administrator accounts may also be uniquely named, but using a different password for each system's privileged local accounts is sufficient to ensure that the credentials cannot be used on other systems.

Overpopulation and Overuse of Privileged Domain Groups

Granting membership in the EA, DA, or BA groups in a domain creates a target for attackers. The greater the number of members of these groups, the greater the likelihood that a privileged user may inadvertently misuse the credentials and expose them to credential theft attacks. Every workstation or server to which a privileged domain user logs on presents a possible mechanism by which the privileged user's credentials may be harvested and used to compromise the AD DS domain and forest.

Poorly Secured Domain Controllers

Domain controllers house a replica of a domain's AD DS database. In the case of read-only domain controllers, the local replica of the database contains the credentials for only a subset of the accounts in the directory, none of which are privileged domain accounts by default. On read-write domain controllers, each domain controller maintains a full replica of the AD DS database, including credentials not only for privileged users such as Domain Admins, but also for privileged accounts such as domain controller accounts or the domain's Krbtgt account, which is the account associated with the KDC service on domain controllers. If additional applications that are not necessary for domain controller functionality are installed on domain controllers, or if domain controllers are not stringently patched and secured, attackers may compromise them via unpatched vulnerabilities, or they may use other attack vectors to install malicious software directly on them.

Privilege Elevation and Propagation

Regardless of the attack methods used, Active Directory is always targeted when a Windows environment is attacked, because it ultimately controls access to whatever the attackers want. This does not mean that the entire directory is targeted, however. Specific accounts, servers, and infrastructure components are usually the primary targets of attacks against Active Directory. These accounts are described as follows.

Permanent Privileged Accounts

Since the introduction of Active Directory, it has been possible to use highly privileged accounts to build the Active Directory forest and then to delegate the rights and permissions required to perform day-to-day administration to less-privileged accounts. Membership in the Enterprise Admins, Domain Admins, or Administrators groups in Active Directory is required only temporarily and infrequently in an environment that implements least-privilege approaches to daily administration.

Permanent privileged accounts are accounts that have been placed in privileged groups and left there from day to day. If your organization places five accounts into the Domain Admins group for a domain, those five accounts can be targeted 24 hours a day, seven days a week. However, the actual need to use accounts with Domain Admins privileges is typically only for specific domain-wide configuration, and for short periods of time.
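As an added example (not from the original page or from Microsoft), the following PowerShell audits the three groups discussed in this section and in the Overpopulation and Overuse of Privileged Domain Groups section: it expands nested membership, reports how many distinct accounts hold permanent privilege, and flags members that look like service accounts or that have stale or non-expiring passwords. It assumes the ActiveDirectory RSAT module and read access to the domain; the 90-day threshold is an assumption to tune to your own review cycle.

```powershell
# Added example: inventory permanent members of the highest-privilege AD groups.
# Not part of the original page. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# The three groups the page identifies as able to compromise the whole domain/forest.
$privilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators'

# Assumption: a password older than this is treated as stale for a privileged account.
$staleDays = 90

$report = foreach ($groupName in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirectly privileged accounts are not missed.
        # Enterprise Admins exists only in the forest root domain; other domains hit the catch.
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$groupName': $($_.Exception.Message)"
        continue
    }
    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
            ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled
        [pscustomobject]@{
            Group                = $groupName
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            # An SPN on a user object usually means it is a service account, which the page
            # singles out for assessment of breadth and depth of privilege.
            LooksLikeService     = [bool]$u.ServicePrincipalName
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
            LastLogonDate        = $u.LastLogonDate
        }
    }
}

# Headline number: how many distinct accounts can compromise the directory today.
$distinct = @($report | Select-Object -ExpandProperty SamAccountName -Unique)
"{0} distinct accounts hold membership in: {1}" -f $distinct.Count, ($privilegedGroups -join ', ')

# Members that warrant immediate review: service-like accounts, non-expiring or stale passwords.
$report |
    Where-Object { $_.LooksLikeService -or $_.PasswordNeverExpires -or $_.PasswordAgeDays -gt $staleDays } |
    Sort-Object Group, SamAccountName |
    Format-Table Group, SamAccountName, Enabled, LooksLikeService, PasswordNeverExpires, PasswordAgeDays -AutoSize
```

Any account on the flagged list that is not actively performing domain-wide configuration is a candidate for removal from the group, which is the least-privilege posture the section describes.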

VIP Accounts

An often overlooked target in Active Directory breaches is the accounts of "very important persons" (or VIPs) in an organization. Privileged accounts are targeted because those accounts can grant access to attackers, which allows them to compromise or even destroy targeted systems, as described earlier in this section.

"Privilege-Attached" Active Directory Accounts

"Privilege-attached" Active Directory accounts are domain accounts that have not been made members of any of the groups that have the highest levels of privilege in Active Directory, but have instead been granted high levels of privilege on many servers and workstations in the environment. These accounts are most often domain-based accounts that are configured to run services on domain-joined systems, typically for applications running on large sections of the infrastructure. Although these accounts have no privileges in Active Directory, if they are granted high privilege on large numbers of systems, they can be used to compromise or even destroy large segments of the infrastructure, achieving the same effect as the compromise of a privileged Active Directory account.
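As an added example (not from the original page or from Microsoft), the following PowerShell measures breadth of privilege rather than directory group membership: it collects the local Administrators membership of every domain-joined server over WinRM and reports which domain principals hold that right on many systems, which is the profile of the "privilege-attached" account described above. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), WinRM enabled, and a reviewer account permitted to query them; the 5-server threshold is an assumption.

```powershell
# Added example: find domain principals that are local Administrators on many servers.
# Not part of the original page. Requires the ActiveDirectory module and WinRM access.
Import-Module ActiveDirectory

# Assumption: scope to enabled, domain-joined servers; adjust the filter for your environment.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" |
           Select-Object -ExpandProperty DNSHostName

# Query every server in parallel. Unreachable hosts produce non-terminating errors and the
# run continues; those hosts are simply absent from the result and should be followed up.
# (On some builds Get-LocalGroupMember fails when the group holds an orphaned SID; such a
# server also shows up as an error rather than as data.)
$members = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Count distinct servers per principal. Local accounts and groups are ignored because the
# page's concern here is domain accounts whose privilege spans many systems.
$breadth = $members |
    Where-Object PrincipalSource -eq 'ActiveDirectory' |
    Group-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.Name
            ObjectClass = $_.Group[0].ObjectClass
            # PSComputerName is added by Invoke-Command to each returned object.
            ServerCount = @($_.Group | Select-Object -ExpandProperty PSComputerName -Unique).Count
        }
    } |
    Sort-Object ServerCount -Descending

# Assumption: local Administrator rights on this many servers counts as "broad" privilege.
$threshold = 5
$breadth | Where-Object ServerCount -ge $threshold | Format-Table -AutoSize
```

Domain users (ObjectClass User) near the top of this list that are not members of Enterprise Admins, Domain Admins or Administrators are exactly the privilege-attached service accounts the section describes; groups on the list should be expanded the same way to see who inherits the right.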