
Hi, my name's Ryan, president of [company name unclear in transcript]. We'll talk about some new protections in Windows Server 2016 and Windows 10 Enterprise Edition. I'll talk a little bit about a typical attack scenario, then go into three specific technologies, then a little recap and going forward with a plan. So Windows Server 2016 is out now; it was at the Ignite conference, but [unclear] obviously a lot of you are still running Windows 2012. Windows Server comes in three editions, Standard, Datacenter and Essentials, and it's really the Datacenter edition that has all the new security features they've been focusing on in these releases, and they are calling that the cloud-ready server environment, with a lot of updates to Hyper-V. You've probably already read this, but some of it has been back-ported to 7/8 [unclear]. A few of the things you'll get with Windows Server 2016 that you can't get back-ported to these other ones are Shielded Virtual Machines, Credential Guard, Remote Credential Guard and Device Guard, which we'll go over closer.

Windows 10 Enterprise Edition: one thing Microsoft is trying to push back on with security features is that they're leaving those on the Enterprise edition, to give you some of these [unclear] and some of the other features that come along with it, like AppLocker and Application Virtualization [unclear]. They really focus a lot on virtualization, bringing in these environments to help better sandbox and protect the credentials and the applications, so that when they get exploited, these exploits can't really escape their sandbox.

So on to a typical attack scenario. Here come these really well-made diagrams I created. This is a pen test, or an attacker coming in from the outside, and usually it's pretty easy for hackers to get around in a cyber
environment. So first up, the bad actor comes in and exploits an application server, or one of your users opens an email they shouldn't have, and they get their initial foothold in your network. First thing up is escalation to SYSTEM privileges, or to your local admin, then running Mimikatz on it and pulling the credentials out of memory. Here we've got a developer logged into the server, [unclear], but when these helpers are logged in with a lot of the current ways of remoting in, they bring all their credentials with them, so our attacker can actually just pick those right up off the box once he's on it, and use those credentials to access the other machine that he has rights to. A lot of times you don't even need the clear-text password, you can just use the hash. So once you have the hash you can pass that hash along with the username and jump onto that box. Usually the kind of standard attack flow is: you pop a box, you enumerate the credentials on it, you search around the network and see if you can get onto any other boxes with those credentials, and really what you're looking for is one of these highly privileged accounts, like a domain administrator. So you're really looking for a box that has those privileges.

So this attacker notices that there's a development server that this guy has a connection to, that these credentials are going to work on. Same scenario: we're going to pass the hash again and jump onto that development server. Now at this time there's a domain administrator logged in, so it's the same routine: Mimikatz, grab the credentials, and now essentially once you have a domain administrator's rights you own the network. You don't even have to actually move any further, you don't have to jump on a box anymore, you can just start querying the domain controller and pull all the credentials you need. One way to do that now is DCSync, which essentially sets you up so you tell the domain controller, hey, I'm a new domain controller on the network, I need to sync up with all the other DCs, so send me the database that has all the credentials in it so I can authenticate people on the network and give access to all the network shares. Now you don't even have to leave the box you already compromised, as long as you get those credentials.
And so Microsoft knows how easy it has been to move around in their domains, and now they have this assume-breach mentality [unclear], and they really scoped it in Windows Server 2016 around lateral movement and privilege escalation. So they know it's really hard to protect all your external-facing boxes, especially with developers putting up machines over time and running old software, so they're really focusing on: fine, you compromised the machine, let's not let them go anywhere or steal any of the credentials that are on that box, and that kind of just leaves them stuck, so they have to actually find new exploits to compromise other machines instead of moving around the network.

And so yeah, the problems the current enterprise environments are facing are privilege escalation, lateral movement and detection, because in a lot of that last attack scenario you're not dropping any EXEs or viruses onto the network; there's no antivirus that's going to pick it up, it's all running in memory, and then once we have valid credentials it just looks like another domain admin logging into the boxes, or the developer just logging into other machines doing normal work. A lot of networks are also just a free-for-all for the users in there: you might have to give access to contractors and third parties, even your own employees with over-privileged rights, customers maybe logging into your environment, and you might already have adversaries in there you don't know about.
It's just really hard to protect against all of these in the current environments we're working with. There's a ton of ways attackers can grab credentials: just simple keylogging and network sniffing, and then all those logon credentials that users bring along with them, spear phishing, Mimikatz. And a lot of times the way we architect our network is that the users don't all have very many rights, but you have local admins and the passwords are the same; in a typical environment there's no LAPS or anything implemented, and so with a local admin right I can still hop to all the boxes and try to find a domain admin. And then there's lateral movement: there's lots of ways for everyone to move around the network to do administration, with Remote Desktop, or I've even seen some unauthenticated [unclear] where I can hit the endpoint already logged in with that user [unclear], and then the attacker never even needs real clear-text passwords; now we just have hashes and it lets you log in. There's a lot of new attacks coming out that make finding some of those credentials a lot easier. [unclear] When you walk in there to try to pick out specific targets in the domain, [unclear]; essentially once you compromise one machine you can just query the DC with commands that aren't malicious or anything wrong with them, and they look like normal traffic, and basically ask the DC: tell me where all the machines are, tell me who's logged in to all of them. That's all the knowledge you need to have. [unclear]

This is a picture of running BloodHound in a large enterprise environment, and it kind of maps out for an attacker the quickest path from where they're at to get to domain admin. And you can see in these large environments, if any of these boxes get compromised they can still get domain admin. And Microsoft has been working on that; they understand it, so these are the technologies we're going to go over: Just Enough Administration, Credential Guard and Device Guard. These
protections aren't going to stop all those people; there are going to be bypasses that come out, but we can begin connecting into a less privileged type of environment to hopefully protect the most credentials.

So Just Enough Administration: the main goal, the ultimate goal of Just Enough Administration, or JEA, is to reduce the number of administrators on your network. And that's not actually reducing the number of admins working on your network, but it's reducing the number of admin credentials that are out on your network, and you can also limit what those admins are doing. So they might need to be an admin, but on every box they don't need to be a domain admin, right? They may just need to go out and do a lot of their work. You are going to give them permission to go work on a local machine individually, but it's not bringing along all the rights for an attacker to steal from them. And then another thing with this: you can monitor your users a lot better now, because you can set up transcripts running on all these sessions that they are initiating, and you have a log for later forensics or anything else you want to look at and see what they were doing.

And then there are the domain-admin-equivalent groups. Most enterprises know that they need to protect their Enterprise Admins and Domain Admins, but there's a lot of other groups that can get to domain admin with the current rights that they have, that aren't really looked at. One example is Server Operators, that maybe have access to your domain controller backups; the backups are going to have the credential database, so that's something you can still steal. An attacker [unclear]; if I get a Server Operator account, that's just like being a domain admin, basically.
So Just Enough Administration: it's supported on Server 2016 and Windows 10. They did back-port a lot of the functionality: if you install Windows Management Framework 5.1 you can get limited support for most of the features as far back as Windows 7. It takes really just two files: the role capability files, which are a little setup, and a session configuration file that will point to which roles you're going to be using for that session. They do give you some starter templates to get you started. And so this is a role capability file; here you're setting up what you want this user to be able to do when they log in, and you can even set it up so that you restrict which parameters a certain command can take. So there you can expand it a little bit, and if someone needs [unclear], you can even pick which parameters they can choose from, so that you can lock it down maybe even more. And you can pretty much load any command they're ever going to need on that box into this file, but nothing else, so it really is almost like whitelisting for that session specifically, what capabilities they get.

This is showing just setting up the actual session configuration, so you're mapping roles based on groups in your domain, and for this example we've got the example domain with the JEA DNS admins group; they get three different role capabilities that they're going to use when they log in. So we set up the Just Enough Administration file, we tell it what directory we're going to put the transcripts in and what roles we want that file to be associated with. They also offer [unclear], but that kind of seems like a lot of work. [unclear] They did release the JEA helper tool, which gives you a nice little GUI; you can spin these up and build each file [unclear].

So a little scenario here: we've got a smaller version of our environment from earlier, but we've got a Windows 10 box and a domain admin, a third
person here, and [unclear] Rick opens an email or was running a service he shouldn't have, so we've got a foothold again. In the first scenario the domain admin is going to Remote Desktop in and do his work; in the second we give him a JEA session. So from the attacker's perspective: the attacker is on the Windows 10 box here, so we drop to SYSTEM, load up incognito so you can view all the other sessions on the box, [unclear] and you'll see we've got a delegation token for the third person, that's the domain admin. And it really is as simple as impersonating that user and dropping to a shell on that box. You can see, once I impersonate them and drop to a shell, I'm running on that machine as that user. I check the Domain Admins group and sure enough I'm in the Domain Admins group. And at this point here, I can either add a new user, which is going to be a little noisier, and add it to the Domain Admins group, or you can add yourself to [unclear] to get an email, or really just wreak havoc if you want [unclear].

Now the next scenario here: we've got our user, and this is actually entering a remote PowerShell session, a JEA session, with what we just set up, the session configuration we registered, and it logs through to that box. So I gave them permission to run [unclear] and to do a Stop-Process, and only stop the calculator process; your calculator is probably not a big problem anyway. The directory commands, you can see here, they don't work either, so you can't even look at the file system you're working on; you can only run the specific commands that were set up. Now from the attacker's perspective: same scenario, we popped the Windows 10 box, escalated to SYSTEM, loaded up incognito to look for tokens, and you can see now we've got a JEA demo account that looks like a local account. By default, JEA sessions do set up a local admin account on that box for you, but it only comes with an impersonation token. The difference between those: with an impersonation token you can impersonate that user and look like them locally on the box, but you won't have the network credentials. Normally we'd see the same domain admin account logging into the box, but now there's no domain admin token, so I can't impersonate that; I can drop to a shell and run [unclear], but I can't even query the domain for the other domain controllers.
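The JEA endpoint the demo just walked through, written out as an added example that is not the talk's own configuration or one of Microsoft's templates: a role capability file that exposes only Get-Process and a parameter-restricted Stop-Process, a session configuration that maps a domain group to that role, runs the session as a virtual account and records transcripts, and the operator-side connection showing which commands are accepted and which are rejected. The module name JeaDemo, the group CONTOSO\JEA_DEMO_OPERATORS, the transcript directory and the host name dev01 are assumptions.

```powershell
# Added example, not the talk's own configuration. Run elevated on the endpoint
# that operators will connect to (Windows 10 / Server 2016, or WMF 5.1 on older
# systems). Assumed names: module JeaDemo, group CONTOSO\JEA_DEMO_OPERATORS, host dev01.

# --- 1. Role capability file (.psrc): the allow-list for the session ----------
# JEA resolves role names by looking for <Role>.psrc in a RoleCapabilities folder
# of a module on $env:PSModulePath, so the role is created inside a small module.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$rolePath   = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rolePath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'JeaDemo.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $rolePath 'ProcessOperator.psrc') -VisibleCmdlets @(
    'Get-Process',
    # Stop-Process is visible, but -Name may only take the listed values: the
    # operator can kill the calculator and nothing else, as in the talk's demo.
    @{ Name = 'Stop-Process'; Parameters = @{ Name = 'Name'; ValidateSet = 'calc', 'Calculator' } }
)

# --- 2. Session configuration (.pssc): who gets which role, and how -----------
# RestrictedRemoteServer removes the language features beyond the allowed commands;
# RunAsVirtualAccount gives the session a temporary local admin identity instead
# of the operator's own domain token, which is what the attacker's incognito
# listing no longer finds; TranscriptDirectory gives you the forensic record.
$psscPath = Join-Path $env:ProgramData 'JeaDemo.pssc'
$sessionConfig = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JeaDemo\Transcripts'
    RoleDefinitions     = @{ 'CONTOSO\JEA_DEMO_OPERATORS' = @{ RoleCapabilities = 'ProcessOperator' } }
}
New-PSSessionConfigurationFile @sessionConfig
Test-PSSessionConfigurationFile -Path $psscPath      # $true when the file is well-formed
Register-PSSessionConfiguration -Name 'JeaDemo' -Path $psscPath -Force | Out-Null

# --- 3. Operator side: the endpoint only exposes what the role allows ---------
$session = New-PSSession -ComputerName 'dev01' -ConfigurationName 'JeaDemo'
Invoke-Command -Session $session -ScriptBlock { Get-Command }               # Get-Process, Stop-Process + JEA defaults
Invoke-Command -Session $session -ScriptBlock { Stop-Process -Name calc }   # allowed
Invoke-Command -Session $session -ScriptBlock { Stop-Process -Name notepad } # rejected by the ValidateSet
Invoke-Command -Session $session -ScriptBlock { Get-ChildItem C:\ }         # rejected: not a visible command
Remove-PSSession $session

# --- 4. Evidence left on the endpoint ------------------------------------------
# One transcript per session; the only local identity created for it is
# 'WinRM Virtual Users\WinRM VA_<n>_<domain>_<user>', which carries no domain credential.
Get-ChildItem 'C:\ProgramData\JeaDemo\Transcripts'
```

The role file is what the talk calls whitelisting for the session: anything not listed in it, including the directory commands the demo tried, is simply absent from the endpoint rather than blocked after the fact.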
And just to kind of show, I can also impersonate that JEA session user, and they do have some rights on the machine because they're a local admin, but I still can't make any queries against the domain or make changes to the Domain Admins group.

So, Credential Guard: it's a specific feature that's not part of Device Guard [unclear], and Microsoft decided to isolate where the passwords are going to be stored. Let's find out first what our credentials are. When I talk about credentials, they aren't just your username and password; a lot of times you use single sign-on to log in, but there's a lot of derived credentials that come out of that, and the protocols: the NTLM hashes, or Kerberos tickets if you're remoting around, or if you don't need to log on anymore [unclear] they are stored somewhere, or you can use certificates, and a lot of people are kind of getting away from certificates [unclear]. On the machine, credentials are traditionally stored in the SAM, which dates way back to like Windows 98 I think, and then they came out with LSA secrets to protect it a little bit more, [unclear]. And the difference between LSASS and the LSA secrets: LSASS holds just the in-memory credentials, they don't persist across a reboot; the LSA secrets will persist and come back when the machine is rebooted. And then on the domain controller, the file we kind of hinted at earlier, the NTDS.dit, that contains all your users' usernames and passwords for the whole domain; that's what the attackers are really trying to get.

Credential Guard is kind of a combo of hardware and software security that's going to protect the NTLM, Kerberos and Credential Manager credentials. And back to the virtualization: they really are emphasizing virtualization-based security, containing everything into these virtualized, isolated environments that only specific things can talk to, and [unclear] it protects you against these threats that are in your network, lingering around trying to get credentials. And really at the core, with the virtualization, is that your normal processes don't have access to an isolated virtual secure mode, where your credentials are going to stay, and really nothing can talk to those. We use them to get onto the box, but then nothing should need them any longer once you're on the machine. And a little better view here: so the LSA process talks to the isolated LSA [unclear], and they use a remote procedure call to talk to each other, and this is kind of what the view is [unclear].

So who gets Credential Guard? Unfortunately it's just Windows 10 Enterprise; they really didn't lie on it, they are only protecting these enterprise users, because you won't be able to get this in your Windows Pro edition. And it is available on Windows Server 2016, as long as that server isn't acting as a domain controller. And so it will need support for virtualization-based security: a 64-bit CPU, [unclear] support for extended page tables, the Windows hypervisor, and Secure Boot; and for a few other features you can install a Trusted Platform Module (TPM) and you have UEFI lock. And what does Credential Guard protect? Typically your domain credentials [unclear], so logging on to the domain. So they really are focused on not worrying about the endpoint being compromised, and just on the lateral movement: you can't steal credentials to get you anywhere else on the network, though.
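The prerequisites and caveats just listed, as an added example that is not from the talk: a check for the 64-bit, extended-page-table, Secure Boot, TPM and not-a-domain-controller conditions, the documented registry switches that turn on virtualization-based security and Credential Guard, and a verification after reboot through the Win32_DeviceGuard WMI class and the presence of the isolated LSA process from the talk's diagram. The function names are assumptions; the registry paths and value meanings are Microsoft's documented ones.

```powershell
# Added example, not from the talk. Run elevated on Windows 10 Enterprise or
# Windows Server 2016 (not on a domain controller). Function names are assumptions.

function Test-CredentialGuardPrerequisites {
    # DomainRole 4 (backup DC) or 5 (primary DC) is the talk's exclusion.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
    $tpm = $false
    try { $tpm = (Get-Tpm).TpmPresent } catch { }             # TPM is optional, needed for the UEFI-lock key protection
    [pscustomobject]@{
        Is64Bit            = [Environment]::Is64BitOperatingSystem
        ExtendedPageTables = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VtxEnabled         = [bool]$cpu.VirtualizationFirmwareEnabled
        SecureBoot         = $secureBoot
        TpmPresent         = $tpm
        IsDomainController = $isDc
        Eligible           = [Environment]::Is64BitOperatingSystem -and
                             $cpu.SecondLevelAddressTranslationExtensions -and
                             $secureBoot -and -not $isDc
    }
}

function Enable-CredentialGuard {
    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0 = off.
    param([ValidateSet(0, 1, 2)][int]$LsaCfgFlags = 1)
    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dg -Force | Out-Null
    Set-ItemProperty -Path $dg  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot plus DMA protection.
    Set-ItemProperty -Path $dg  -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value $LsaCfgFlags -Type DWord
    # Takes effect after a reboot. With the UEFI lock, a SYSTEM-level attacker on the
    # box cannot simply flip these values back to switch the protection off.
}

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus      # 0 = off, 1 = enabled, 2 = running
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)  # 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        # LsaIso.exe is the isolated LSA the talk's diagram shows; it only exists when VBS runs.
        IsolatedLsaRunning        = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

# Typical order: check, enable, reboot, then verify.
Test-CredentialGuardPrerequisites
Enable-CredentialGuard -LsaCfgFlags 1
Get-CredentialGuardStatus
```

The status function is the one worth keeping in inventory scripts: a machine where CredentialGuardConfigured is true but CredentialGuardRunning is false has the registry set but lacks a prerequisite (most often Secure Boot or the hypervisor), and is still exposing its credentials to the Mimikatz step in the talk's scenario.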
For attackers, we still have local accounts, and so if your local admin password is the same across your network, it's still going to be vulnerable to that. [unclear] They also protect the digest [unclear] credentials, or if you have logged in with your domain credentials [unclear] using Credential Guard.

But Device Guard comes in where, okay, so we kind of think we have our credentials protected, but what about the users moving around the network, or dropping exploits to disk or anything? And so Device Guard is another combination of hardware and software, and security features that they're implementing, to protect [unclear], specifically controlling what can run in your environment on your specific machines. It's basically a whitelisting tool, if you think about it that way. Again, it's Windows 10 Enterprise, [unclear]; you can get it on Education though, and Windows Server 2016. So antivirus: [unclear], I don't know [unclear], but it has been thrown around that antivirus in some cases maybe makes you more vulnerable. And a lot of times they are based on signatures and identifying malware that way; well, you're not going to really protect me from unknown threats in that scenario, because you don't have a signature for it, and they don't either, so they can drop an obfuscated payload and run it. So instead, take the approach: let's just treat everything on the whole operating system as malicious [unclear]. And so we employ a code integrity policy, where we say we only trust these applications that are going to be running around. So these are some of the things that Device Guard protects against: unknown malware, any unsigned code (so you might still have to [unclear] if they are trusted, but if they're not signed anymore [unclear]), and so on, as well as reverse shells or dropping tools back to the box; PuTTY is the common one to get [unclear] back [unclear], but they look like they're running legitimately, with respect to sending a shell back [unclear]. And it protects against direct memory access attacks, if your laptop gets stolen or something, or physical access [unclear], and [unclear] in the kernel [unclear].

So you probably can't read much of this at all, but it's an XML file that looks a lot like the JEA configuration file. We're going to specify what programs are allowed to run, even down to what version of that program, so you can even approve only a specific version of a program. [unclear], so it will take a little bit of work keeping it up to date. [Matt Graeber?] [unclear] has come out with bypasses against most of the well-known [unclear] for Device Guard. There's a lot,
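The policy file just described, as an added example that is not from the talk or from Microsoft's templates: building a code integrity policy from a reference machine with the ConfigCI cmdlets, leaving it in audit mode so nothing is blocked yet, compiling it to the binary the kernel loads, and reading back the audit events that show what would have been blocked. The working directory C:\CIPolicy and the choice to scan the reference machine's C:\ are assumptions; the rule-option numbers and event IDs are Microsoft's documented ones.

```powershell
# Added example, not the talk's own policy. Run elevated on a known-good reference
# machine of the class you want to lock down (the "static devices" the talk
# suggests starting with). C:\CIPolicy is an assumed working directory.
Import-Module ConfigCI

$work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$xml = Join-Path $work 'DeviceGuardPolicy.xml'
$bin = Join-Path $work 'SIPolicy.p7b'

# 1. Scan the reference machine. -Level Publisher trusts code by its signer, so a
#    signed program stays allowed across version updates; -Fallback Hash covers
#    unsigned binaries, and those hash rules are what pin a program to one exact
#    version and need upkeep when it changes. -UserPEs includes user-mode code.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -UserPEs -ScanPath 'C:\'

# 2. Rule options: 0 = Enabled:UMCI (apply to user-mode code too),
#    3 = Enabled:Audit Mode (log instead of block),
#    6 = Enabled:Unsigned System Integrity Policy (deployable before you have a
#    signing certificate; remove it once the policy is signed so a local admin
#    cannot swap the file).
Set-RuleOption -FilePath $xml -Option 0
Set-RuleOption -FilePath $xml -Option 3
Set-RuleOption -FilePath $xml -Option 6

# 3. Compile to the binary format the kernel loads and stage it; it takes effect
#    after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# 4. After running in audit mode, list what the policy would have blocked.
#    Event 3076 = audit-mode "would have been blocked"; 3077 = blocked once enforced.
#    Every unexpected hit is either a rule to add or a tool to retire before enforcing.
function Get-CodeIntegrityAuditHits {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}
Get-CodeIntegrityAuditHits | Select-Object -First 20

# 5. Enforce only once the audit log is quiet: drop audit mode and recompile.
#    Set-RuleOption -FilePath $xml -Option 3 -Delete
#    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryPath $bin
```

Audit mode is what makes the department-by-department rollout the talk describes workable: finance, IT and developers each get their own reference scan and their own quiet period in the audit log before anything is enforced.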
even built-in Windows programs that are being used to launch other things: so the original program is signed and accepted, but we can use that program to launch PowerShell, and those guys [unclear] are making sure that they're protecting [unclear]. And so this can be hard to implement: the policy on your developers [unclear] [Casey Smith?] [unclear].

Where to start in your environment: start with your static devices, things that aren't going to get new software very often or update; you can lock those down really specifically to only do the function that they do. And even the users of the different departments in the organization, like finance, you probably have a somewhat good idea of what they're going to need to run most of the time, and you can apply it and most of the parts should work. And then the IT department: it should work there but it's going to be a little more difficult to get these guys, since they usually have to be testing new software and new types of [unclear]; they'll have to change the way they work a little bit. And then of course the developers, who are often [unclear] bringing up servers and tearing down servers [unclear], so there's [unclear] working there, so it's harder to implement on them, but it is possible; I think they just need to change the way they work a little bit, or they're going to need to sign their software before they deploy it. But it's still worth it; even if you can only start protecting at the bottom, you can at least start having some idea that nothing is going to be able to happen on some devices, you know they're locked down.

And so the recap: Microsoft has really taken this assume-breach mentality to heart, where we make sure we protect all our endpoints from being able to go anywhere else. So they understand it's really hard to protect the whole outside; you don't know, especially in big companies, what development work is being left out there, and tracking all of your internal IP and everything [unclear], and networks are changing so much, it's really difficult. So we're going to try to limit that post-exploitation, so it makes it a lot harder for these hackers: they have to find new exploits for every single machine they want to compromise. We're also going to limit where all the credentials are on our network. A lot of organizations keep giving out more privileged users, because it's the easier way to do it, but now we can specify the specific session configuration where we completely [unclear], but we're not going to give you a way to take all your credentials for the whole network with you. And just go for your easy wins: the DCs and [unclear] the critical devices that aren't going to have a lot of your software going out on them, and it can be simple [unclear].

These are some guys that I kind of follow; they also work on a lot of the bypasses [unclear]. [ADSecurity?] is a really good site to follow; they have a lot of good stuff, like [unclear]. The guys have come out with a new [unclear] with great [unclear]; they would end with, well, how they picked it up or got this reported to Microsoft [unclear]. [Sean Metcalf?] runs that; he's a Microsoft Certified Master [unclear] or something like that. That did it for me.
[Unclear in transcript.]

It'll allow all of them: you can set it by command, by function, by custom command, or a PowerShell module can be specified.
[Unclear.] Most of the time the setup is making sure that you aren't keeping them from doing their work, and that's where I'd suggest starting: with your devices where there's not too much going on. Building up these configuration files for those is going to be easiest, so I'd recommend starting from there, including the ones Microsoft has; they've even found bypasses in the templates they have posted, so [unclear] we find ways around it; start with their template [unclear] on the endpoints themselves.

Yeah, you'll need to deploy these: the session configuration file needs to be on the box that they're [unclear] from, and the role capability files will be sitting on the endpoint, so when a command comes in it says, I'm this kind of user, and what kind of rights do I have, and it will know what's associated.
[Unclear.] And so they need to be signed there, but also that way you can't just be delegating and modify the template and then just bypass it that way. Yeah, the point about that is [unclear]; you also [unclear] just attempting to make sure there's [unclear]. Yes, [unclear]. No, you don't need to raise the forest functional level or anything; you just need to update the Windows Management Framework. I think 5.0 is going to [unclear]; 5.1 added a bunch more features. As I put earlier in the talk, you can get it further back, that's just not Just Enough Administration [unclear]. But some of the [unclear]; Credential Guard, regardless, is on 2016 and the Enterprise edition, because of the virtualization [unclear]. [unclear] Now that I know it doesn't run by default, I think it would lock everything down [unclear] if it were turned on, because you have to [unclear]. [unclear] I think you [unclear] a problem. Yes, they are [unclear].

Yes, a lot of the detection can show up [unclear], when it [unclear] alerts you that someone's trying to access those; they're great, but that's all going to be built into 2016 in your administrative console. Yeah, [unclear], but yeah, updating the Windows Management Framework to 5.1 will help you get some of these. Actually [unclear] with Just Enough Administration, a pretty fully fledged [unclear].