Finding a Needle in an Encrypted Haystack: Leveraging Cryptographic Abilities to Detect the Most Prevalent Attacks on Active Directory

Presented at Black Hat USA 2019, Aug. 7, 2019, 2:40 p.m. (50 minutes)

Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secret storage of the organization. Although defensive security products were able to mitigate some of the attack techniques by methods such as log collection or raw traffic inspection, some of the most common offensive techniques are left with no efficient countermeasures. One of the latter is the good old NTLM Relay, which is especially favored by attackers. Recently it has been exploited yet again in the PrivExchange vulnerability discovered earlier this year.

We will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables attackers to abuse NTLM Relay and take over any machine in the domain, even with the strictest security configuration (including server signing). In addition, we will show another vulnerability we have discovered in the way NTLM implements channel binding, which might put your cloud resources at risk as well. We will then demonstrate a new defensive approach that leverages cryptographic operations to gain improved defensive capabilities against some of the most prevalent attacks today. Among others, we will explain how this method led us to devise the first known deterministic algorithm to detect NTLM Relay attacks.

Presenters:

• Yaron Zinar - Senior Security Researcher Lead, Preempt
  Yaron Zinar is a Lead Security Researcher at Preempt, delivering the industry's first Identity and Access Threat Prevention. Previously, Yaron spent over 12 years at leading companies such as Google and Microsoft where he held various positions researching and leading big data, machine learning and cyber security projects. Yaron is an expert on Windows Authentication protocols, among his team latest finding are CVE-2017-8563 and CVE-2018-0886, which he presented in Black Hat last year. Yaron holds an M.Sc. in Computer Science with focus on statistical analysis.
• Marina Simakov - Senior Security Researcher, Preempt
  Marina Simakov is a security researcher at Preempt with a special interest in network security and authentication protocols. Prior to Preempt, Marina served as a Security Researcher at Microsoft for several years. She holds an M.Sc. in computer science, with several published articles, with a main area of expertise in graph theory. Marina previously spoke at various security conferences such as Black Hat, BlueHat IL and DEFCON.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#finding-a-needle-in-an-encrypted-haystack-leveraging-cryptographic-abilities-to-detect-the-most-prevalent-attacks-on-active-directory-15486
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/Finding a Needle in an Encrypted Haystack.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/Finding a Needle in an Encrypted Haystack.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=2L7JpcLZ05Q

Similar Presentations:

• Black Hat USA 1998 / Security with the NTLM++ protocol
• ToorCon: Seattle 2008 / Introducing Scurvy: a new NTLM relay attack tool
• DEF CON 27 (2019) / Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest NTLM Relay Mitigations