TY - GEN
T1 - Security resilience
T2 - 11th Annual Cyber and Information Security Research Conference, CISRC 2016
AU - Nichols, Jeffrey A.
AU - Taylor, Benjamin A.
AU - Curtis, Laura
N1 - Publisher Copyright:
© 2016 ACM.
PY - 2016/4/5
Y1 - 2016/4/5
N2 - We investigated the security resilience of current Windows Active Directory (AD) environments to Pass-the-Hash and Pass-the-Ticket, two prominent post-exploitation credential theft attacks. An operating system's security resilience consists of its native features that allow for containing a detected attack. Post-exploitation refers to an attacker's activities subsequent to penetration. Specifically, we discovered a way to trigger the removal of all previously issued authentication credentials for a client, thus preventing their use by attackers. Once triggered, the user is forced to contact the domain administrators to reauthenticate to the Domain Controller (DC) to continue. This could become the basis for a response Windows system administrators could use to halt the spread of a detected attack. Operating in a virtualized XenServer environment, we were able to carefully determine and recreate the conditions necessary to cause this response.
AB - We investigated the security resilience of current Windows Active Directory (AD) environments to Pass-the-Hash and Pass-the-Ticket, two prominent post-exploitation credential theft attacks. An operating system's security resilience consists of its native features that allow for containing a detected attack. Post-exploitation refers to an attacker's activities subsequent to penetration. Specifically, we discovered a way to trigger the removal of all previously issued authentication credentials for a client, thus preventing their use by attackers. Once triggered, the user is forced to contact the domain administrators to reauthenticate to the Domain Controller (DC) to continue. This could become the basis for a response Windows system administrators could use to halt the spread of a detected attack. Operating in a virtualized XenServer environment, we were able to carefully determine and recreate the conditions necessary to cause this response.
KW - Microsoft version of kerberos protocol
KW - Pass-the-hash attacks
KW - Pass-the-ticket attacks
KW - Windows 7 authentication
KW - Windows 8.1 authentication
KW - Windows server 2012 authentication
UR - http://www.scopus.com/inward/record.url?scp=84968546842&partnerID=8YFLogxK
U2 - 10.1145/2897795.2897800
DO - 10.1145/2897795.2897800
M3 - Conference contribution
AN - SCOPUS:84968546842
T3 - Proceedings of the 11th Annual Cyber and Information Security Research Conference, CISRC 2016
BT - Proceedings of the 11th Annual Cyber and Information Security Research Conference, CISRC 2016
PB - Association for Computing Machinery, Inc
Y2 - 5 April 2016 through 7 April 2016
ER -