Vikram Navali, Senior Technical Product Manager – The tactics employed by adversaries are as varied as their motives. Some prefer spear-phishing, while others make use of malware, executing targeted attacks. However, the result is inevitably the same: getting unprivileged access to shared resources like files, folders, and intellectual property.
Adversaries use various techniques to interact with network shares, performing targeted attacks through remote services such as Server Message Block (SMB) shares, Windows Admin shares, or SYSVOL directory on Domain Controller. Once they make it inside an organization’s firewall, network-level security does little to protect sensitive data. Security teams must adopt security controls that can detect attacks to mitigate lateral movements. Some of the common scenarios discussed below can help the security team to secure shared resources.
Scenario#1: Protection of SMB shares from a Ransomware Attack
Ransomware attacks are becoming increasingly advanced and typically follow a series of steps from initial reconnaissance to exfiltration. Adversaries may choose not to use malware or tools with an initial level of access. They also make it harder to detect their presence as well.
The Attivo Networks Endpoint Detection Net (EDN) solution defends against ransomware attacks in two ways:
1)Blocking ransomware attack activities on endpoints
The EDN suite mitigates ransomware attacks that leverage stored account information to spread throughout the network by deploying lures on production machines in the form of deceptive SMB shares and credentials. The EDN solution defends against credential theft and redirects the infection to engagement servers. The solution slows down the attack with high interaction activities that feed the malware data and rate-limits the connection, stalling the encryption process while generating alerts for the security team.
2)Cloaking files, folders, and mapped network drives
Once adversaries get access to the files on a compromised endpoint, they will attempt to encrypt local data. Cloaking files, folders, and network drives can prevent such data destruction and mitigate the effects of a ransomware attack.
The EDN concealment capabilities enable organizations to define files, folders, and network or cloud mapped shares to hide and restrict access from untrusted processes. The Windows data cloaking feature provides the following flexible options to conceal shared resources:
- Local folders
- Sensitive user profile data
- All files and child folders in a folder but not the parent folder
- Specific files and child folders
- Cloud-storage primary folder (from OneDrive, DropBox, and others) on endpoints
- All removable media
- Files and folders in removable media
- Mapped network drives
- Mapped cloud drives
Scenario#2: Protection of Windows Admin shares
Windows systems have hidden default network shares (C$, ADMIN$, and IPC$) accessible only to the local administrator account. Adversaries use readily available tools to obtain admin credentials from a compromised endpoint and move laterally throughout the network to gain control of remote systems.
Some typical example techniques are:
Adversaries run the command “tasklist /s <remote computer hostname>” to query a list of processes on the remote machine and gather some basic details about each process (PID, session number, memory usage, and more).
Adversaries abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components and system utilities such as sc.exe and Net.
To remotely restart the World Wide Web Publishing Service on the host SERVER-A, use the command “C:\Windows\System32>sc \\SERVER-A restart w3svc”.
Windows systems provide the “net use” command to connect, remove, configure connections to the shared resources like mapped drives, network resources, and network printers. Adversaries use the “net use”command to join file share as “Administrator” with the /USER option.
CONTI is a malicious software classified as modern ransomware. It traverses the network, laterally moving until it gains domain and admin credentials for admin privileges. Conti’s unique feature is that it allows command line arguments to encrypt the local hard drive or network shares.
The Attivo Networks Endpoint Detection Net (EDN) solution hides local administrator accounts, avoiding any privilege escalation techniques. The DataCloak function denies adversaries the ability to exploit shared resources, perform lateral movement activities, and limit attack damage.
Scenario#3: Protection of SYSVOL shares – MS14-025 Vulnerability
The System Volume (SYSVOL) is the domain-wide share in Active Directory to which all authenticated users have read access. SYSVOL contains logon scripts, Group Policy data, and other domain-wide data which need to be available anywhere there is a Domain Controller. The MS14-025 vulnerability allows privilege elevation when using Active Directory Group Policy preferences to distribute passwords across the domain. Adversaries take advantage of this vulnerability to retrieve and decrypt the passwords stored within these group policy preferences.
Adversaries make use of Windows mapped network drives and SYSVOL folders in Active Directory to connect and gain administrative access to all remote systems. When they try to access deceptive Group Policy Objects, the Attivo Networks BOTsink solution detects the activity and raises an alert.
The Attivo Networks BOTsink solution can deploy deceptive SYSVOL Group Policy objects in the production Active Directory. The deceptive group policy objects inserted in the production AD deceive adversaries looking for privileged credentials using this vulnerability.
One can leverage these and other tools and tactics to protect against adversaries that target shared resources in Windows networks. For more information, please visit www.attivonetworks.com