Academic paper

Security Resilience : Exploring Windows Domain-Level Defenses Against Post-Exploitation Authentication Attacks
Document Type
Conference
Source
Proceedings of the 11th Annual Cyber and Information Security Research Conference. :1-4
Subject
Microsoft Version of Kerberos Protocol
Pass-the-hash Attacks
Pass-the-ticket Attacks
Windows 7 Authentication
Windows 8.1 Authentication
Windows Server 2012 Authentication
Language
English
Abstract
We investigated the security resilience of current Windows Active Directory (AD) environments to Pass-the-Hash and Pass-the-Ticket, two prominent post-exploitation credential theft attacks. An operating system's security resilience consists of the native features that allow a detected attack to be contained. Post-exploitation refers to an attacker's activities after initial penetration. Specifically, we discovered a way to trigger the removal of all previously issued authentication credentials for a client, thereby preventing their use by attackers. Once triggered, the user is forced to contact the domain administrators and re-authenticate to the Domain Controller (DC) before continuing. This could become the basis for a response that Windows system administrators could use to halt the spread of a detected attack. Operating in a virtualized XenServer environment, we were able to carefully determine and recreate the conditions necessary to cause this response.
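The abstract does not disclose the trigger the authors found, so the following is an added illustration of the kind of domain-side containment response it refers to, not code from the paper. It uses the standard RSAT ActiveDirectory cmdlets; the account name, the choice of the PDC emulator as the target DC, and the -ResetKrbtgt switch are assumptions for this example.

```powershell
<#
  Added example, not the paper's own method. Contain one user account whose
  NT hash or Kerberos tickets are suspected stolen (pass-the-hash /
  pass-the-ticket). Assumed inputs: -SamAccountName, e.g. 'jdoe'; the PDC
  emulator is chosen as the DC to write to. Run as a Domain Admin.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$Server = (Get-ADDomain).PDCEmulator,   # changes made here win on replication conflict
    [switch]$ResetKrbtgt                            # domain-wide: invalidates every outstanding TGT
)

# Cryptographically random password wrapped as a SecureString (works on
# Windows PowerShell 5.1 and PowerShell 7).
function New-RandomPassword {
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

$user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties PasswordLastSet

# 1. New password -> new NT hash. The stolen hash stops working for NTLM
#    (pass-the-hash) and for new Kerberos AS exchanges immediately.
#    Forcing a change at next logon makes the user re-authenticate through
#    the help desk, mirroring the "contact the domain administrators" step.
if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password')) {
    Set-ADAccountPassword -Identity $user -Server $Server -Reset -NewPassword (New-RandomPassword)
    Set-ADUser -Identity $user -Server $Server -ChangePasswordAtLogon $true
}

# 2. Disable the account. A TGT the attacker already holds (pass-the-ticket)
#    stays cryptographically valid until it expires, but the Windows KDC
#    re-checks account state on TGS requests once a TGT is more than
#    20 minutes old (MS-KILE), so disabling caps the ticket's remaining use.
if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable account')) {
    Disable-ADAccount -Identity $user -Server $Server
}

# 3. Optional, heavy-handed: reset the krbtgt key to invalidate ALL outstanding
#    TGTs in the domain, so every user and computer must re-authenticate. It has
#    to be done twice, with replication completed in between, because the KDC
#    still honours tickets under the previous krbtgt key to tolerate lag.
if ($ResetKrbtgt -and $PSCmdlet.ShouldProcess('krbtgt', 'Reset key (1st of 2)')) {
    Set-ADAccountPassword -Identity 'krbtgt' -Server $Server -Reset -NewPassword (New-RandomPassword)
    Write-Warning 'Wait for AD replication to converge, then run the second krbtgt reset.'
}

# Confirm the account-side changes on the DC we wrote to.
Get-ADUser -Identity $SamAccountName -Server $Server -Properties Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet
```

Two caveats a responder should keep in mind: a password reset alone does nothing to tickets already issued, so steps 2 and 3 are what actually bound a pass-the-ticket attacker, and `klist purge` on the victim host only clears that machine's cache, not copies the attacker has already exfiltrated.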
