Heading to Washington D.C. for #ILTACON2018 one day late thanks to American Airlines scrapping my flight Sunday. To be honest, I did enjoy the “extra” day with my family.
Panagiotis Gkatziroulis writing for the Blue Team Medium account has a very detailed article describing steps an organization can take to limit the effectiveness of various Mimikatz exploits. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
Even though Microsoft introduced a security patch which can be applied even to older operating systems such as Windows 2008 Server, Mimikatz is still effective, and in a lot of cases it can lead to lateral movement and domain escalation. It should be noted that Mimikatz can only dump credentials and password hashes if it is executed from the context of a privileged user like a local administrator.
The vTPM can also be used to store “sealed” drive encryption keys, making it difficult if not impossible to gain access to the contents of a virtual machine’s drives unless the operating system boots in a “known-good” state. If the VM’s operating system, boot loader, or firmware image is compromised, the system won’t reboot—so an attacker won’t be able to decrypt the virtual disks. The same would be true if a snapshot of the VM is moved into a different context by an attacker.
I need to unpack this more but at first glance it sounds very promising for improving the reliability of cloud computing. This approach sounds very similar to Device Guard, Credential Guard and Secure Boot we deploy on modern workstations today.
- Patch the operating system on all PCs and Servers. Windows security updates should be applied and Windows Update should be set to download and install automatically. [Preventative]
- Update Microsoft Office with all available updates. Set Windows Update to also update any other Microsoft products. [Preventative]
- Update all web browsers. The preferred browser is 64-bit Google Chrome Enterprise, as it is fairly secure by default and includes its own sandboxed Flash player and PDF viewer. [Preventative]
- Update Adobe Flash to the most current version, or remove it if using Chrome as advised above. Update Adobe Reader to the most current version, or remove it if using Google Chrome. [Preventative]
- Remove Java. If you must run Java, update to the most current version, but seriously consider removing Java. [Preventative]
- Raise the level of User Access Control (UAC) to the highest level – requiring Admin account to install or modify the system. [Preventative]
- Users must not be Local Admin on their PC. [Preventative]
- Enable Windows firewall on all PCs and servers. Only enable ports and applications both inbound and outbound as required (block inbound by default minimum). [Preventative]
- Implement a backup solution for all user data. Restore must be tested periodically. Ideally, versioning or offline snapshots should be enabled to protect against ransomware. [Preventative]
- All mobile devices should be updated to latest version of OS and device pass codes must be set (at least 6 digits). [Preventative]
- Install antivirus / anti-malware software on PCs and servers. Any IPS / IDS functionality would be good to apply. Solution should be set to update signatures automatically. [Preventative / Detective]
- BitLocker hard drive encryption should be enabled and enforced via GPO. [Preventative]
- Application whitelisting using AppLocker with trusted publishers or hashes of known good applications. [Preventative]
- Install Sysmon on all PCs and servers. Configure it to log process creation with command line execution parameters and, optionally, network events. [Detective]
- Turn on Windows Event logging for critical events; see the SANS paper "Detecting Security Incidents Windows Event Logs". [Detective]
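The checklist above is easier to keep honest if the state of each control can be read back from the host. The following PowerShell audit script is an added example, not part of the original post or any vendor tooling: it reports pass/fail for several of the items (automatic updates, UAC level, local admin membership, firewall default-inbound block, antivirus signatures, BitLocker, AppLocker, Sysmon, process creation auditing) plus the Credential Guard and Secure Boot state mentioned earlier in the post. Registry value names and cmdlets are the standard Windows ones; the pass thresholds (signature age, which Administrators members are tolerated) are this example's own assumptions and should be adjusted to local policy. It only reads state and changes nothing.

```powershell
# Added example (not from the original post): read-only audit of checklist controls.
# Run in an elevated Windows PowerShell 5.1+ session on the host being checked.
# Uses the NetSecurity, BitLocker, AppLocker and Defender modules that ship with Windows.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Control = $Control
        Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    })
}

# Windows Update policy: AUOptions 4 = auto download and schedule install; NoAutoUpdate 1 disables it.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Finding 'Windows Update set to auto install' ($au.AUOptions -eq 4 -and $au.NoAutoUpdate -ne 1) "AUOptions=$($au.AUOptions)"

# UAC at its highest level: EnableLUA=1, ConsentPromptBehaviorAdmin=2 (always prompt), PromptOnSecureDesktop=1.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Finding 'UAC at highest level' ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1) `
    "EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) SecureDesktop=$($uac.PromptOnSecureDesktop)"

# Users must not be local admins: anything beyond the built-in account and Domain Admins is flagged (assumed baseline).
$admins = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' }
Add-Finding 'No extra local Administrators' ($admins.Count -eq 0) (($admins.Name) -join ', ')

# Firewall: every profile enabled and blocking inbound by default.
$fwBad = Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' }
Add-Finding 'Firewall on, inbound blocked by default' ($fwBad.Count -eq 0) (($fwBad.Name) -join ', ')

# Antivirus: Defender enabled and signatures updated recently (3-day threshold is an assumption).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Finding 'AV enabled with current signatures' ($mp.AntivirusEnabled -and $mp.AntivirusSignatureAge -le 3) "SignatureAgeDays=$($mp.AntivirusSignatureAge)"

# BitLocker: protection turned on for the system drive.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Finding 'BitLocker on system drive' ($osVol.ProtectionStatus -eq 'On') "ProtectionStatus=$($osVol.ProtectionStatus)"

# AppLocker: an effective policy with at least one rule collection is applied.
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
Add-Finding 'AppLocker policy applied' ($null -ne $al -and $al.RuleCollections.Count -gt 0) "RuleCollections=$($al.RuleCollections.Count)"

# Sysmon: service installed and running (default service names are Sysmon or Sysmon64).
$sysmon = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
Add-Finding 'Sysmon running' ($sysmon.Status -contains 'Running') (($sysmon.Name) -join ', ')

# Process creation auditing (event 4688) with command line capture enabled.
$auditpol = auditpol /get /subcategory:"Process Creation" 2>$null
$cmd = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue
Add-Finding 'Process creation auditing with command line' (($auditpol -match 'Success') -and $cmd.ProcessCreationIncludeCmdLine_Enabled -eq 1) `
    "IncludeCmdLine=$($cmd.ProcessCreationIncludeCmdLine_Enabled)"

# Credential Guard (SecurityServicesRunning contains 1) and UEFI Secure Boot.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
Add-Finding 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"
$sb = $false
try { $sb = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on legacy BIOS or unsupported platforms
Add-Finding 'Secure Boot enabled' $sb "SecureBoot=$sb"

$findings | Format-Table -AutoSize
```

Run it per host (or through Invoke-Command against a list of machines) and feed the FAIL rows into whatever ticketing or GPO remediation process you use; the point is to turn the checklist into something that is re-checked after every patch cycle rather than verified once at deployment.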