Our threat researchers at Lares encounter a seemingly endless number of vulnerabilities and attack vectors when we conduct penetration tests, regardless of an organization’s size or maturity. Yet certain kinds of attacks recur so regularly that security teams should develop standardized practices to defend against them.
A penetration test or pen test is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers – also known as ethical hackers – use the same tools, techniques, and processes as attackers to find the weaknesses in a system.
Based on an analysis of hundreds of client engagements over the past year, the five most frequently encountered pen-test findings involved:
- Brute Forcing Accounts with Weak and Guessable Passwords
- Excessive File System Permissions
- WMI Lateral Movement
Below is a brief description of each category and some suggested strategies for conducting detection and mitigation.
Brute forcing accounts with weak and guessable passwords
Multifactor authentication (MFA) provides a higher level of security than relying solely on usernames and passwords. Organizations that have not implemented MFA should know that adversaries are prone to target the accounts of users who have selected weak or guessable passwords to gain access to systems, services, and network resources. Some obvious passwords could involve the names of users’ companies, pets, local sports teams, or some combination of the season and year.
It makes sense to monitor authentication logs for system and application login failures of valid accounts to detect such vulnerabilities. If authentication failures are high, there may be a “brute-force” attempt to gain access to a system using legitimate credentials. Another approach is to monitor for many failed authentication attempts from a single source across numerous accounts that may result from password spraying attempts.
To mitigate brute force attacks, set account lockout policies after a defined number of failed login attempts to prevent passwords from being guessed. Also, consider using MFA, but limit the new user enrollment period window to ensure adversaries cannot enroll their own devices. Password vaulting, blacklisting, and regular audits can further help to combat weak passwords. Lastly, never reuse passwords between user, service, and administrative accounts.
Kerberos Service Principal Names (SPNs) uniquely identify each instance of a Windows service configured to accept Kerberos Tickets for authentication. Kerberos authentication requires that SPNs be associated with at least one account specifically tasked with running a service. Adversaries possessing a valid Kerberos Ticket-Granting Ticket (TGT) may request one or more Kerberos Ticket-Granting Server (TGS) Service Tickets for any service with an SPN configured from a Key Distribution Server. The Service Ticket is then brute-forced offline to recover the plain-text credentials of the account. In many environments, the Service Account has administrative permissions to the server where the SPN resides.
To detect Kerberoasting, enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. It is important to investigate irregular activity patterns, such as accounts making numerous requests within a small timeframe.
To mitigate these threats, ensure strong lengths and complexity for all service account passwords – ideally 15+ random characters with multi-case alphanumeric and special characters. Also, ensure that the passwords for these accounts periodically expire.
Excessive file system permissions
Processes may automatically execute specific binaries as part of their functionality. Improperly set permissions on the binary or directory in which it resides may allow attackers to replace the legitimate binary with a file of their choosing. Suppose the legitimate binary was previously configured to execute under higher-level permissions. In that case, the newly replaced binary will run with those same elevated permissions.
Adversaries may use this technique to replace legitimate pre-existing binaries with malicious ones to execute subversive or potentially disruptive code with a much higher permission level than their current user permissions.
An executable that is written, renamed, and/or moved to match an existing service executable could be detected and correlated with other suspicious behavior. Traditional file integrity monitoring tools in conjunction with the hashing of binaries and service executables could also be used to detect replacement or modification against historical data.
For mitigation, use auditing tools such as a File Integrity Monitoring (FIM) tool capable of detecting and correcting file system permissions abuse opportunities on systems within an enterprise. Limit privileges of user accounts and groups, ensuring that only authorized administrators can change services and other system-level functionality.
Remote code execution vulnerabilities exist in the Microsoft Server Message Block 1.0 (SMBv1) server that handles certain requests. An attacker who successfully exploits the vulnerabilities could gain the ability to execute code on the target server.
The EternalBlue and EternalRomance exploits were leaked by “The Shadow Brokers” group in 2017. The included tools targeted multiple vulnerabilities in the Windows implementation of the SMB protocol. The EternalBlue exploit was also leveraged by WannaCry ransomware to compromise Windows machines, load malware, and propagate to other machines in a network.
To detect these kinds of threats, search for SMBv1 protocols communicating on your network by reviewing stateful firewall logs, intrusion detection/protection system logs, or network traffic analysis. Steps for mitigation involve a periodic patch review process that should be developed to ensure applicable critical patches are identified and deployed promptly.
WMI lateral movement
Lateral movement is a critical phase in any attack targeting more than a single computer. This is not a vulnerability, but a technique employed by attackers to interact with or gain access to a system other than the current system upon which they are operating. Lateral movement techniques abuse existing mechanisms often leveraged by legitimate systems administrators, assuming the attacker has the right credentials.
To detect lateral movement, consider enabling WMI Tracing on servers and workstations within the environment and centrally monitor or correlate these events. For mitigation, only administrators are allowed to connect remotely using WMI. Restrict other users who can connect, or disallow all users to connect remotely to WMI.When conducting penetration tests, regardless of an organization’s size or maturity, certain kinds of attacks recur so regularly that #security teams should develop standardized practices to defend against them. #respectdataClick to Tweet
All these common vulnerabilities can be avoided or eliminated through better cybersecurity hygiene practices. Penetration tests should be conducted regularly to confirm the valid attack vectors of your organization. However, this process can only succeed by going beyond identifying and validating vulnerabilities to undertake a full manual exploitation that mirrors a real-world attack.