Red Team Blues: A 10 step security program for Windows Active Directory environments
February 6, 2020
A fun tweet crossed our path recently. The author asked: “Redteam operators: Which defensive settings have you encountered that made it *super* painful for you to operate in a Windows AD environment?”
Here at Digital Shadows we spend quite a bit of time attacking, defending and researching Windows AD environments, so we thought we’d chip in with a list of controls that we have found to give Red Teams the Blues. Since the tweet attracted a bit of attention, we felt it might be helpful to expand our thinking into a blog.
We’re heavily inspired by the ASD Essential 8 and have written about how it applies to APT tradecraft (Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework), but in our opinion there are some important additions which are necessary when dealing with attackers.
A 10 step security program for Windows Active Directory environments
1 – Endpoint Protections
When it comes to intrusions, endpoints are the first line of defense. They will be receiving client-side attacks such as malicious attachments like macro-enabled documents. Appropriately defending these systems is a key priority.
- Endpoint Detection and Response (EDR): if you’re defending an organization, it’s absolutely worth spending the money on a high quality EDR system. They provide detection of even in-memory execution of attacker tools, visibility into your estate and the ability to respond in a timely fashion to an intrusion.
- Windows Defender: if you don’t have the budget, Windows 10’s built-in Windows Defender is excellent. Microsoft has leveraged the massive coverage it has to build an impressive and effective product. Whilst it can still be bypassed, Defender causes a lot of headaches for attackers.
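As an added example (not code from the original post), the following PowerShell reports the Defender state a defender cares about most and applies a baseline using Microsoft's documented Defender cmdlets. The seven-day signature threshold and the choice of a single Attack Surface Reduction rule are our assumptions.

```powershell
# Added example, not from the Digital Shadows post. Assumes Windows 10 with the
# built-in Defender module, run from an elevated session. Cmdlet and parameter
# names are Microsoft's; the thresholds and the ASR rule selection are ours.

function Get-DefenderBaselineReport {
    param([int]$MaxSignatureAgeDays = 7)   # assumed threshold
    $s = Get-MpComputerStatus
    $sigAge = ((Get-Date) - $s.AntivirusSignatureLastUpdated).Days
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $s.BehaviorMonitorEnabled
        TamperProtected           = $s.IsTamperProtected
        SignatureAgeDays          = $sigAge
        SignaturesStale           = ($sigAge -gt $MaxSignatureAgeDays)
    }
}

function Set-DefenderBaseline {
    # Cloud-delivered protection is Defender's fastest signal against new samples.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    # Block potentially unwanted applications (bundlers, adware, "grey" tooling).
    Set-MpPreference -PUAProtection Enabled
    # Keep real-time, behaviour and script scanning on. With Tamper Protection
    # enabled, the same calls are refused when someone tries to flip them off.
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -DisableBehaviorMonitoring $false `
                     -DisableScriptScanning $false
    # Attack Surface Reduction rule "Block all Office applications from creating
    # child processes" (GUID as published by Microsoft; cross-check against the
    # current ASR rule list before deployment).
    Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Report first, then remediate hosts that have drifted from the baseline.
$report = Get-DefenderBaselineReport
$report | Format-List
if (-not $report.RealTimeProtectionEnabled -or $report.SignaturesStale) {
    Set-DefenderBaseline
    Update-MpSignature
}
```

Run the report across a fleet (for example via Invoke-Command) and alert on any host where RealTimeProtectionEnabled is false or SignaturesStale is true; a single stale workstation is where the macro document lands.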
2 – PowerShell mitigations
We have written about various PowerShell security options (PowerShell Security Best Practices) and one of the single most effective defensive techniques is to enable PowerShell Constrained Language Mode. This breaks most attacker tool sets such as PowerShell Empire and can be applied to all users who do not use PowerShell as part of their daily work. Other PowerShell security best practices can be seen in the blog linked above.
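As an added example (not code from the original post or from the best-practices blog it links), the following PowerShell checks which language mode a session runs in, enables Constrained Language Mode machine-wide via the `__PSLockdownPolicy` environment variable, and shows concretely what the mode blocks and what keeps working. The probe type name is a constructed placeholder.

```powershell
# Added example, not from the Digital Shadows post. Assumes Windows PowerShell
# 5.1 on Windows 10 and an elevated session for the enforcement step.
# __PSLockdownPolicy is the machine-wide environment variable PowerShell reads
# at startup; the value 4 selects ConstrainedLanguage. A WDAC or AppLocker
# policy enforces the same mode in a way that is harder to unset.

function Get-LanguageModeState {
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SessionMode    = $ExecutionContext.SessionState.LanguageMode
        LockdownPolicy = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
        PSVersion      = $PSVersionTable.PSVersion.ToString()
    }
}

function Enable-ConstrainedLanguageMode {
    # New sessions pick the value up; sessions already open keep their mode.
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
}

function Test-ConstrainedLanguageBehaviour {
    # Add-Type compiles arbitrary .NET code and is refused in Constrained
    # Language Mode; core cmdlets such as Get-Process keep working, which is
    # why the mode is safe for users who only need basic PowerShell.
    $addTypeAllowed = $true
    try {
        # ClmProbe is a constructed, harmless type used only as the probe.
        Add-Type -TypeDefinition 'public class ClmProbe { public static int One() { return 1; } }' -ErrorAction Stop
    } catch {
        $addTypeAllowed = $false
    }
    [pscustomobject]@{
        Mode            = $ExecutionContext.SessionState.LanguageMode
        AddTypeAllowed  = $addTypeAllowed   # expected $false under ConstrainedLanguage
        GetProcessWorks = ((Get-Process | Measure-Object).Count -gt 0)
    }
}

Get-LanguageModeState
Test-ConstrainedLanguageBehaviour
```

Run the two functions before and after calling Enable-ConstrainedLanguageMode (in a fresh session): SessionMode should change from FullLanguage to ConstrainedLanguage and AddTypeAllowed from true to false, while GetProcessWorks stays true.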
3 – Automated defanging of attachments
Spearphishing with malicious attachments is still an extremely popular attacker TTP (Tactic, Technique or Procedure) so multiple layers of defense should be used to mitigate this threat (WannaCry 5 Lessons: Prevent Attacks with Security Engineering). When email attachments reach your systems, it is possible to use an email filtering gateway or cloud service to automatically convert Microsoft Office documents to PDFs. The recipient can still request the original document, subject to a security scan, but in many cases the converted PDF is adequate. This approach effectively mitigates not only embedded exploits, such as those exploiting CVE-2017-11882, but also feature abuse such as Macros, DDE (Dynamic Data Exchange) and OLE (Object Linking & Embedding) embedded objects.
4 – Microsoft Office hardening by disabling Macros, OLE objects and DDE entities
Microsoft Office is extremely popular and widely-used in Windows AD environments. Its rich feature set often makes it an attractive target for attackers. While some attack vectors rely on memory corruption vulnerabilities, others rely on abusing the built-in features of Microsoft Office to install their malicious payload on the target machines. The three most commonly-used vectors are:
- VBA Macros are used by many threats including the FIN7 group (Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations) and the Emotet malware (Deobfuscating VBA & PowerShell Scripts of an Emotet Trojan Downloader) among many, many others. The NCSC has an excellent updated article on how to handle Macros in an enterprise environment: https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office
- OLE (Object Linking & Embedding) is another technique for gaining code execution on a target machine. According to open source reporting it is sometimes used in conjunction with memory corruption vulnerabilities: The Return of the Equation Editor Exploit – DIFAT Overflow
- DDE (Dynamic Data Exchange) has also been used by attackers to successfully exploit systems: Exploit Using Microsoft Excel Power Query for Remote DDE Execution Discovered
Unless there is a specific business requirement for these features to be used, it is recommended to disable them. Security Without Borders has released a very useful tool called HardenTools which can be used by home users to disable some of the more risky features of Microsoft Office and Windows.
5 – Disabling Windows Script Hosting (WSH)
Windows Script Hosting (WSH) is used to execute JScript and VBScript on Windows machines. Other scripting engines can be added too. Again, unless there is a specific business requirement for these features to be used by a specific user or group, it is recommended to disable it. WSH is used to execute attack tools such as Koadic and has been observed in “in-the-wild” attacks, according to open source reporting.
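As an added example covering both the Office hardening in step 4 and the WSH switch in step 5 (not code from the original post or from HardenTools), the following PowerShell audits and applies the relevant registry settings. The registry locations are the documented Office trust-center policy values and the DDE values from Microsoft's ADV170021 guidance; the Office version number, the audit-then-apply flow and the exact list of keys are our assumptions.

```powershell
# Added example, not from the Digital Shadows post or HardenTools. Applies the
# macro, OLE and DDE settings from the text plus the Windows Script Host switch.
# Office 16.0 covers 2016/2019/365 (assumption; use 15.0 for Office 2013).
# The HKCU values apply per user; the HKLM (WSH) value needs an elevated session.

$OfficeVersion = '16.0'

$Settings = @(
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        @{ Path = $sec; Name = 'VBAWarnings'; Value = 4 }                        # 4 = disable all macros without notification (3 = signed only)
        @{ Path = $sec; Name = 'BlockContentExecutionFromInternet'; Value = 1 }  # block macros in files carrying Mark-of-the-Web
        @{ Path = $sec; Name = 'PackagerPrompt'; Value = 2 }                     # 2 = OLE Packager objects never execute
    }
    # DDE: do not auto-update links in Word/Excel and switch Excel's DDE server off
    @{ Path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options";  Name = 'DontUpdateLinks'; Value = 1 }
    @{ Path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Options"; Name = 'DontUpdateLinks'; Value = 1 }
    @{ Path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Options"; Name = 'DDEAllowed';      Value = 0 }
    @{ Path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Options"; Name = 'DDECleaned';     Value = 1 }
    # Windows Script Host: wscript.exe and cscript.exe refuse to run scripts
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Value = 0 }
)

function Set-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-HardeningState {
    # One row per setting: expected value, current value, compliant or not.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

function Invoke-OfficeAndWshHardening {
    # Apply only the settings that drift, so re-running is harmless.
    foreach ($s in Get-HardeningState | Where-Object { -not $_.Compliant }) {
        Set-HardeningValue -Path $s.Path -Name $s.Name -Value $s.Expected
    }
}

Get-HardeningState | Format-Table Name, Expected, Current, Compliant -AutoSize
Invoke-OfficeAndWshHardening
```

In an enterprise these same values are normally pushed through Group Policy (the Office ADMX templates expose the trust-center settings); the script is useful for verifying that the policy actually landed on a workstation, and for machines outside GPO scope.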
6 – Host Isolation
In enterprise environments there is usually no business requirement for user workstations to communicate directly with one another. Unfortunately, by default, such communication is usually possible, which allows attackers to move laterally inside the network by hopping from one machine to another. To prevent this, hosts need to be isolated from one another. There are two common ways of achieving this:
- Private VLANs: where possible, private VLANs isolate hosts at the switch level so that they can only see the other hosts which are necessary for the business to function, for example DHCP servers, DNS servers, Domain Controllers and default gateways. This dramatically reduces the attack surface open to attackers.
- Windows Firewall: in the cases where Private VLANs are not feasible, Windows Firewall can be configured appropriately to provide host isolation. A guide describing this can be found here: https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb
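As an added example (not code from the original post or from the Medium guide linked above), the following PowerShell turns a workstation into an inbound-default-deny host that accepts connections only from a management subnet and named scanner hosts, and then audits for inbound allow rules that have no remote-address scope. All addresses and the rule name prefix are constructed placeholders.

```powershell
# Added example, not from the Digital Shadows post or the linked guide.
# Outbound traffic to DCs, DNS and DHCP is unaffected; only inbound is locked
# down. Pilot it first: anything that must reach the workstation (EDR console,
# vulnerability scanner, helpdesk tooling) needs an explicit scoped allow rule.
# Requires an elevated session and the NetSecurity module (Windows 8/2012+).

$ManagementSubnet = '10.0.100.0/24'             # constructed: jump hosts / helpdesk
$ScannerHosts     = @('10.0.0.50', '10.0.0.51')  # constructed: vuln scanner, EDR server
$RulePrefix       = 'HostIsolation-'

function Set-HostIsolationPolicy {
    # 1. Default-deny inbound on every profile; outbound stays open.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # 2. The built-in allow groups are what let workstation A talk to workstation B.
    foreach ($group in 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management') {
        Disable-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
    }
    # 3. Re-create our own scoped rules (old copies removed first, so re-running is safe).
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName "${RulePrefix}Management" -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389, 5985, 5986 -RemoteAddress $ManagementSubnet -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName "${RulePrefix}Scanners" -Direction Inbound -Action Allow `
        -RemoteAddress $ScannerHosts -Profile Domain | Out-Null
}

function Get-UnscopedInboundAllowRules {
    # Audit: enabled inbound allow rules with RemoteAddress 'Any' are the gaps
    # through which one compromised workstation reaches the next.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
        Select-Object DisplayName, DisplayGroup, Profile
}

Set-HostIsolationPolicy
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-UnscopedInboundAllowRules | Format-Table -AutoSize
```

The audit function is the part worth scheduling: new software frequently registers its own unscoped inbound allow rule, and each such rule quietly reopens the workstation-to-workstation path the policy was meant to close.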
7 – Application Whitelisting
Application whitelisting allows you to control which applications can be executed from where in your environment. A typical use-case is to prevent users from executing files from their “Downloads” folder, which may be malware dropped as the result of a social engineering attack.
Windows 10 offers a built-in application whitelisting solution called AppLocker. This solution is well described in the Microsoft document here: AppLocker (Windows 10) – Windows security. Depending on your environment, you may have pre-existing commercial third-party application whitelisting solutions in place.
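As an added example (not code from the original post or from Microsoft's AppLocker documentation), the following PowerShell builds an executable-rule policy that allows standard users to run only what lives under the Windows and Program Files trees, deploys it in audit mode, and checks what the policy would decide for a file in the user's Downloads folder. The policy file location and the probe file name are assumptions; the rule layout mirrors AppLocker's own default rule set.

```powershell
# Added example, not from the Digital Shadows post or Microsoft's docs.
# Assumes Windows 10 Enterprise/Education with the Application Identity
# service running and an elevated session. Start in AuditOnly, review the
# audit events, then switch EnforcementMode to "Enabled".

$PolicyPath = "$env:ProgramData\applocker-workstation.xml"   # assumed location

function New-WorkstationAppLockerPolicy {
    param([string]$EnforcementMode = 'AuditOnly')   # 'AuditOnly' or 'Enabled'
    $everyone = 'S-1-1-0'          # well-known SID: Everyone
    $admins   = 'S-1-5-32-544'     # well-known SID: BUILTIN\Administrators
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators unrestricted" Description="" UserOrGroupSid="$admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyPath -Encoding UTF8
    $PolicyPath
}

function Test-DownloadsDecision {
    # Evaluate the policy against a file in Downloads without running anything.
    # Test-AppLockerPolicy needs a real file, so a copy of notepad.exe stands in
    # for a downloaded binary (constructed probe; removed afterwards).
    $probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
    Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
    try {
        Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probe -User 'Everyone'
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

New-WorkstationAppLockerPolicy -EnforcementMode 'AuditOnly' | Out-Null
Test-DownloadsDecision | Format-List FilePath, PolicyDecision, MatchingRule
Set-AppLockerPolicy -XmlPolicy $PolicyPath         # local policy; use -Ldap for a GPO
# After a few days in audit mode, this lists what would have been blocked:
Get-AppLockerFileInformation -EventLog -EventType Audited | Select-Object -First 20
```

The Downloads probe sits under neither allowed tree, so the policy reports it as not allowed for Everyone while the same file under %WINDIR% is allowed; that asymmetry is the whole point of the control. When moving to enforcement, also review which subfolders of %WINDIR% are user-writable, as Microsoft's guidance recommends, and exclude them from the allow rule.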
8 – Principle of Least Privilege (PoLP): users not being local Administrators
In the Mitre ATT&CK™ framework, a repository of attacker behavior, there is an entire class of tactics around privilege escalation. That is, once an attacker has gained a foothold in your environment as a regular user, they attempt to escalate their privileges to that of a (local) Administrator in order to run tools such as Mimikatz which require higher levels of privilege, for example, to attach a debugger to a process or to the kernel (Preventing Mimikatz Attacks – Blue Team). The first step is to not make this easy for attackers by allowing users to run as local Administrators!
There are very few legitimate reasons why a user needs these privileges as part of their daily work. The Principle of Least Privilege (PoLP) should be applied: grant only the privileges necessary for the user to do their job.
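As an added example (not code from the original post), the following PowerShell audits the local Administrators group against a short allow-list, removes anything unexpected, and runs the same audit across a list of workstations over WinRM. The allow-list entries and computer names are constructed.

```powershell
# Added example, not from the Digital Shadows post. Assumes Windows 10 /
# PowerShell 5.1 (Get-LocalGroupMember, Remove-LocalGroupMember), an elevated
# session, and WinRM for the fleet variant. Allow-list and hostnames are constructed.

$AllowedAdmins = @('Administrator', 'Domain Admins', 'WKS-LocalAdmins')   # constructed

function Get-UnexpectedLocalAdmins {
    # Members whose account or group name is not on the allow-list. The split
    # drops the DOMAIN\ or HOST\ prefix so the list can stay machine-independent.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -split '\\')[-1] -notin $AllowedAdmins } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Remove-UnexpectedLocalAdmins {
    # Run with -WhatIf first; it prints each removal without performing it.
    param([switch]$WhatIf)
    foreach ($m in Get-UnexpectedLocalAdmins) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:$WhatIf
    }
}

function Get-UnexpectedLocalAdminsFleet {
    # The allow-list is passed in explicitly because the remote session does
    # not see this script's variables. Output carries PSComputerName per row.
    param([string[]]$ComputerName = @('WKS-001', 'WKS-002'))   # constructed
    Invoke-Command -ComputerName $ComputerName -ArgumentList (, $AllowedAdmins) -ScriptBlock {
        param([string[]]$Allowed)
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Where-Object { ($_.Name -split '\\')[-1] -notin $Allowed } |
            Select-Object Name, ObjectClass, PrincipalSource
    }
}

Get-UnexpectedLocalAdmins | Format-Table -AutoSize
Remove-UnexpectedLocalAdmins -WhatIf
```

Pair the removal with a managed local administrator password (for example Microsoft LAPS) so that helpdesk staff still have an elevated path that is unique per machine; otherwise the pressure to put users back in the group returns quickly.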
9 – Two Factor Authentication (2FA)
We have written extensively on the value of two factor authentication here: Two-Factor in Review – A Technical Assessment. In the context of Windows AD environments, there are two main places for 2FA:
- Internal resources: in any AD environment there are usually email, wikis, instant messaging services, employee services portals, etc. which can all potentially contain useful information for attackers. Using 2FA, possibly in conjunction with an SSO (Single Sign On) solution, makes it more difficult for attackers to reuse (stolen) credentials to gain more information about the environment.
- Authentication to AD: Azure AD provides 2FA options for authenticating to AD itself, including via FIDO2: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894, thereby offering best-in-class authentication options for AD.
10 – Patching all the things
According to the Google Project Zero “0day in-the-wild” tracker, in 2019 there were only twenty 0day exploits observed being used in the wild. This is contrasted by the sheer number of indictments, breach reports, personal communications, etc. detailing the usage of N-day exploits (where N is the number of days elapsed since the vulnerability was disclosed) for which a patch already exists. The goal is to increase attacker costs. 0days are expensive and difficult to obtain for many groups, so it is effective to prevent the usage of N-day exploits in your environment through aggressively patching the following:
- Microsoft Windows
- Microsoft Office and any other document-handling applications such as Acrobat or Foxit Reader
- Web Browsers
- Third-party applications used to open external content, such as media players
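As an added example (not code from the original post), the following PowerShell reports how long it has been since a workstation last installed a Windows hotfix and inventories the versions of the document-handling, browser and media applications named above, so that a patch-lag report can be produced per host. The 30-day threshold and the product watch-list are assumptions.

```powershell
# Added example, not from the Digital Shadows post. Assumes Windows 10 /
# PowerShell 5.1; Get-HotFix reads Windows Update history and the Uninstall
# registry keys hold third-party product versions. Threshold and watch-list are ours.

function Get-PatchAgeReport {
    param([int]$MaxAgeDays = 30)   # assumed: anything older is "overdue"
    $latest = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $age = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LatestHotFix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        AgeDays      = $age
        Overdue      = ($null -eq $age) -or ($age -gt $MaxAgeDays)
    }
}

function Get-ThirdPartyVersions {
    # Both 64-bit and 32-bit (WOW6432Node) uninstall hives are needed to see
    # every installed product on a 64-bit Windows.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    # Constructed watch-list mirroring the categories in the text.
    $watch = 'Microsoft Office', 'Adobe Acrobat', 'Foxit', 'Google Chrome', 'Mozilla Firefox', 'VLC'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($watch | Where-Object { $name -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

Get-PatchAgeReport | Format-List
Get-ThirdPartyVersions | Format-Table -AutoSize
```

Feed the DisplayVersion values into whatever vulnerability data you trust (vendor release notes or a scanner); the script's job is only to make the gap between "patch available" and "patch installed" visible per host, which is the N-day window the text describes.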
These ten steps will make it much more difficult for attackers to gain a foothold and move inside your AD environment. However, they definitely fall into the category of “necessary but not sufficient”. As Richard Bejtlich commented on our list: “This is indeed interesting and worthwhile, but note these are all static *technical and tool defenses*. It’s important to develop and implement tactical, operational, and strategic *programs*, all of which require people and process, because the adversary is smart and adaptive”.
We couldn’t have said it better ourselves!
To make best use of these defenses, you need a robust and well-tested Incident Response (IR) process and an assessment process such as regular Purple Team assessments, independent assessments, tabletop exercises and more. However, these defensive techniques should help get you started on your security journey!