To defend against pass-the-hash and pass-the-ticket attacks, it is vital to enforce Kerberos authentication by adding high-value accounts to the Protected Users security group.
When a user enters a password in Windows, the credential is commonly handled through NTLM (NT LAN Manager), a proprietary authentication protocol introduced in Microsoft operating systems in the 1990s and now considered obsolete and inherently insecure.
The password entered by the user is hashed with a specific algorithm: for the NT hash this is MD4 over the UTF-16LE encoding of the password, with no salt. The hash is a one-way representation of the original password, and it is the algorithm itself that acts as the guarantor: going from the password to its hash is easy, but inverting the function to get back the clear-text password is not possible (unless the algorithm itself has weaknesses, or the password is weak enough to be recovered by brute force or precomputed tables). Because the NT hash is unsalted and is all that NTLM authentication actually needs, stealing the hash is as good as stealing the password.
Windows keeps NT hashes in memory under the control of the LSASS (Local Security Authority Subsystem Service) process; Windows Defender Credential Guard reduces the attack surface by isolating these secrets so that they cannot be read out of LSASS memory. If the user is a local account, its NT hash is compared with the one stored locally in the Security Account Manager (SAM) database.
Authentication succeeds if the two hashes match, and the user is granted access. If the user signs in with an Active Directory account, the password-derived Kerberos key (the NT hash itself when RC4 is negotiated, an AES key otherwise) is used for Kerberos authentication against the domain controller. After successful authentication through Active Directory, a Kerberos Ticket Granting Ticket (TGT) is issued and stored in the ticket cache.
The TGT is then used to request service tickets from the Ticket Granting Service (TGS) for access to specific network resources. The klist command lists the contents of the Kerberos ticket cache. NT hashes are vulnerable to theft and reuse; it is therefore always advisable to use Kerberos authentication wherever possible.
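To see the flow just described on a real workstation, the following PowerShell script (an added example, not code from the original article) runs klist, parses the ticket cache, identifies the TGT (the krbtgt service ticket) and flags any ticket issued with RC4 or DES, the encryption types keyed directly from the NT hash. It assumes the klist.exe output layout of Windows 10/11 and Windows Server 2012 R2 or later (the "Client:", "Server:", "KerbTicket Encryption Type:" and "End Time:" labels); the function name is this example's own.

```powershell
# Added example (not from the original article): summarise the current logon
# session's Kerberos ticket cache and flag weak (NT-hash-keyed) encryption types.
# Assumes the klist.exe output format of Windows 10/11 / Server 2012 R2+.

function Get-KerberosTicketSummary {
    [CmdletBinding()]
    param(
        # Raw klist output; defaults to running klist for the current logon session.
        [string[]]$KlistOutput = (& klist.exe 2>&1)
    )

    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*#\d+>\s+Client:\s*(.+)$') {
            # A new ticket entry starts; flush the previous one.
            if ($current) { $tickets += [pscustomobject]$current }
            $current = @{ Client = $Matches[1].Trim(); Server = ''; EncryptionType = ''; EndTime = '' }
        }
        elseif ($current -and $line -match '^\s*Server:\s*(.+)$') {
            $current.Server = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            $current.EncryptionType = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*End Time:\s*(.+)$') {
            $current.EndTime = $Matches[1].Trim()
        }
    }
    if ($current) { $tickets += [pscustomobject]$current }

    foreach ($t in $tickets) {
        # RC4-HMAC tickets are keyed with the NT hash itself; a Protected Users
        # member should never see RC4 or DES on its TGT.
        $t | Add-Member -NotePropertyName IsTgt      -NotePropertyValue ($t.Server -like 'krbtgt/*') -PassThru |
             Add-Member -NotePropertyName WeakCipher -NotePropertyValue ($t.EncryptionType -match 'RC4|DES') -PassThru
    }
}

# Usage: list every cached ticket and warn if the TGT uses a weak encryption type.
$summary = Get-KerberosTicketSummary
$summary | Format-Table Client, Server, EncryptionType, EndTime, IsTgt, WeakCipher -AutoSize
$weakTgt = $summary | Where-Object { $_.IsTgt -and $_.WeakCipher }
if ($weakTgt) { Write-Warning "TGT issued with a weak encryption type: $($weakTgt.EncryptionType)" }
```

Run it as the user whose session you want to inspect; after the user is added to Protected Users and signs in again, the TGT line should show an AES encryption type and WeakCipher should be False.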
What Is Protected Users Security Group
The Protected Users security group was introduced with Windows Server 2012 R2, and Microsoft has continued to support and strongly recommend its use in subsequent operating system versions. The group is designed to provide better protection against attacks that aim to steal credentials.
Hosts must run at least Windows Server 2012 R2 or Windows 8.1 (so Windows 10 and 11 qualify) for the client-side protections to apply, and the domain functional level must be Windows Server 2012 R2 for the domain-controller-side restrictions. Members of the Protected Users group cannot use NTLM, Digest or CredSSP authentication; the Kerberos pre-authentication phase cannot use RC4 or DES (we talked about the Kerberoasting attack); the account cannot be delegated through constrained or unconstrained delegation; the TGT lifetime is limited to four hours and cannot be renewed beyond that; cached credential verifiers are no longer created, so members cannot sign in when no domain controller is reachable; and remote access is only allowed with protocols such as RDP (Remote Desktop Protocol) with two-factor authentication enabled.
The special security group introduced in Windows Server 2012 R2 therefore provides an additional layer of security for high-value user accounts (such as domain administrators and other privileged administrative accounts) and is designed to protect them from pass-the-hash and pass-the-ticket attacks, which pose a real threat to the security of authentication credentials and, consequently, to the confidentiality and integrity of corporate data. Service accounts and computer accounts should not be added: they cannot authenticate under these restrictions, and the group provides no protection for secrets that are permanently available on a host. Keep at least one break-glass account outside the group, since members cannot sign in without a reachable domain controller.
The following PowerShell command (from the ActiveDirectory module) lists the accounts, if any, that have been added to the group:
Get-ADGroupMember -Identity "Protected Users"
The following command adds a user to the group; substitute the user's name and your domain components (the DC= entries carry the DNS domain name, for example DC=example,DC=com, not the name of a domain controller):
Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember -Members "CN=user-name,CN=Users,DC=domain-name,DC=com"
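The two commands above check and add one account at a time. The following PowerShell script (an added example, not code from the original article) turns them into an audit: it resolves the members of the built-in privileged groups recursively, reports the user accounts that are not yet in Protected Users, flags accounts that carry a servicePrincipalName (service accounts, which must not be enrolled), and enrolls the remaining enabled users, previewing with -WhatIf unless you pass -Enroll. The list of privileged groups, the -Enroll switch and the function names are this example's own choices; it needs the ActiveDirectory RSAT module and rights to modify the group.

```powershell
# Added example (not from the original article): audit privileged accounts that
# are missing from Protected Users, exclude service/computer accounts, and enroll
# the rest. Requires the ActiveDirectory module and rights to modify the group.

Import-Module ActiveDirectory

function Get-UnprotectedPrivilegedAccounts {
    param(
        # Example choice of groups to audit; extend to match your tiering model.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # Resolve membership recursively so nested groups are covered.
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty DistinguishedName

    $candidates = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    }

    foreach ($m in ($candidates | Sort-Object DistinguishedName -Unique)) {
        if ($m.objectClass -ne 'user') { continue }          # skip computer accounts and nested groups
        if ($protected -contains $m.DistinguishedName) { continue }

        $u = Get-ADUser -Identity $m.DistinguishedName -Properties ServicePrincipalName, Enabled
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            Enabled           = $u.Enabled
            # An account with an SPN is a service account: under Protected Users it
            # would lose delegation, RC4 and long-lived TGTs, so flag it instead.
            IsServiceAccount  = ($u.ServicePrincipalName.Count -gt 0)
        }
    }
}

function Add-ToProtectedUsers {
    param(
        [object[]]$Accounts = @(),
        [switch]$Enroll      # without -Enroll the change is only previewed (-WhatIf)
    )
    $eligible = $Accounts | Where-Object { $_.Enabled -and -not $_.IsServiceAccount }
    foreach ($a in $eligible) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $a.DistinguishedName -WhatIf:(-not $Enroll)
    }
    $Accounts | Where-Object { $_.IsServiceAccount } | ForEach-Object {
        Write-Warning "$($_.SamAccountName) carries an SPN; not adding a service account to Protected Users."
    }
}

# Usage: review the list first, then re-run with -Enroll once it has been confirmed.
$missing = Get-UnprotectedPrivilegedAccounts
$missing | Format-Table SamAccountName, Enabled, IsServiceAccount -AutoSize
Add-ToProtectedUsers -Accounts $missing            # preview only
# Add-ToProtectedUsers -Accounts $missing -Enroll  # actually add them
```

Before enrolling, remove any account you intend to keep as a break-glass account from the list, since members of Protected Users cannot sign in when no domain controller is reachable.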
Pass-The-Hash And Pass-The-Ticket Attacks: What They Are And How They Work
Malicious actors commonly use pass-the-hash and pass-the-ticket attacks to access Windows systems without authorization. The pass-the-hash attack exploits the password hash: once the attacker has obtained the password hash of a user account, he can use it to authenticate directly, bypassing the need to know the password itself.
Pass-the-ticket, on the other hand, uses an authentication ticket issued by Kerberos, the authentication protocol used by Windows in corporate domains. Once the attacker has obtained the ticket, he can impersonate the authenticated user and gain access to that user's systems and data without knowing the actual password.
Attacks of this kind are becoming more frequent, and cybercriminals have used them against high-profile companies and public bodies even before Microsoft released a fix. One of the most recent examples is CVE-2023-23397, the Outlook flaw Microsoft patched in March 2023: without the fix, an attacker could make Outlook leak the victim's Net-NTLMv2 credentials to an attacker-controlled server, for relay or offline cracking, simply by sending a specially crafted email, with no user interaction required.
The Test With Mimikatz
Referred to as a credential dumper, Mimikatz is open-source software that extracts authentication material from Windows systems. It was designed to demonstrate the weaknesses of certain Windows security features and to help system administrators assess the security of their configuration.
Mimikatz can use several techniques to recover user credentials, including password hashes stored in Windows, clear-text cached passwords, and passwords held in process memory. The program can also obtain Kerberos tickets and perform pass-the-hash or pass-the-ticket attacks.
While Mimikatz is a useful tool for system administrators to verify the security of their environment, it is also widely used by cybercriminals and malware to attack Windows systems, harvest login credentials, and move laterally inside an organization's network. Using Mimikatz to recover the password hash of an administrator account from LSASS memory, it is easy to see that this is not possible when the account is a member of the Protected Users security group and the host runs Windows 8.1, Windows Server 2012 R2 or later: the NT hash and clear-text credentials are simply no longer cached on the host. Note that the hash still exists in the domain's NTDS.dit database, so Protected Users protects against credential theft from workstations and member servers, not against a compromised domain controller.