![Page 1: The Enemy Within: Stopping Advanced Attacks … Kit/BlueHat IL Decks...The Enemy Within: Stopping Advanced Attacks Against Local Users Tal Be’ery, Sr. Security Research Manager,](https://reader034.vdocuments.pub/reader034/viewer/2022051722/5aa7947b7f8b9a54748c3e56/html5/thumbnails/1.jpg)
The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec
Marina Simakov, Security Researcher, Microsoft ATA
Intro
• Authentication
• Authorization
[Figure: NTLM authentication flow between User, Server and DC. LSASS (NTLM) on the user's machine holds the NTLM (rc4_hmac_nt) hash of the password waza1234/: cc36cf7a8514893efccd332446158b1a. Labelled steps: ① Negotiate, ② Challenge, ③ Response, ⑥ Auth verified.]
[Figure: Kerberos authentication flow between User, DC and Server, using a TGT and a TGS. LSASS (kerberos) holds the keys derived from the password waza1234/:
des_cbc_md5: f8fd987fa7153185
rc4_hmac_nt (NTLM/md4): cc36cf7a8514893efccd332446158b1a
aes128_hmac: 8451bb37aa6d7ce3d2a5c2d24d317af3
aes256_hmac: 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b
Labelled steps: ③ TGS-REQ (Server), ④ TGS-REP, ⑤ Usage.]
“When the Cyber Kill-Chain Met Local Users”
[Figure: BloodHound-style attack-path graph with the nodes Group: IT Admins, User: Bob, Computer: Server1, User: Mary and Group: Domain Admins.]
Source: http://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-admin-bloodhound-at-def-con-24
https://www.safety.com/wp-content/uploads/2012/12/Burglar-Entry-300x300.jpg
Admin Recon
Defending
http://s1206.photobucket.com/user/harbottle1/media/Posters%202/LocalHeroQuad.jpg.html
Parting Thoughts
| Win version | Who can query SAMR by default | Can default be changed |
|---|---|---|
| < Win10 | Any domain user | No |
| Win10 | Any domain user | Yes (only via registry) |
| > Win10 (e.g. Anniversary) | Only local administrators | Yes (registry or GPO) |