EA044131B1 - METHOD AND SYSTEM FOR PREVENTING UNAUTHORIZED ACCESS TO CORPORATE NETWORK OBJECTS - Google Patents

Description

Field of technology

The invention relates to the field of ensuring corporate network security, in particular, by preventing unauthorized access to corporate network objects that are highly privileged assets (High Value Asset or HVA).

State of the art

The concept of HVA refers to network objects that store critical information for the full functioning of the network infrastructure and the compromise of which can lead to critical or irreversible consequences in its operation. Examples of this type of asset include:

Domain controllers;

List of domain administrators;

Groups such as: Enterprise Admins, Domain Admins, Backup Operators, Server Operators;

Database servers;

AD CS (certificate authority servers), etc.

Another example of determining HVA in a corporate network can be the approach proposed by Microsoft® (https://docs. microsoft.com/ru-ru/security/compass/privileged-access-access-model).

Due to the huge number of objects, their lists and access control entries (ACL - Access control list and ACE - Access control entries), which are located in the Microsoft Active Directory (MS AD) directory service to control the granting of access to each of the objects, manage such permissions extremely difficult. Also, the ability to manage is complicated due to the lack of a graphical representation of control objects and the connections between them. Failure to configure access control lists and entries (ACLs and ACEs) is a common security configuration flaw. While inside a corporate network and with network access to a directory service, domain, or even a group of domains (a forest), the attacker will analyze the powers and privileges of all objects relative to the compromised account or host to which he has access and possibly control. The subject of the analysis will be the search for a short route to a highly privileged asset, which can be a host or an account of various types (both an administrator and a service or computer account). By implementing a set of privilege escalation and lateral promotion actions, the attacker will exploit the security configuration flaws of the access control lists and access control entries (ACLs and ACEs) of the controlled object until he gains control of the desired highly privileged asset.

A solution is known from the prior art for generating a representation of the network structure in the form of a graph for subsequent modeling of the attack vector on network nodes (US 20170032130 A1, 02/02/2017). The solution describes an event information and response system (SIEM), into which data is transmitted to simulate attack vectors that may indicate anomalous activity on the network. A list of ranks and a criterion for the difficulty of accessing a particular asset within the network, which may become a target for attackers, is generated.

The uncovered area of the above-mentioned SIEM solution is the lack of analysis of the directory service itself and the analysis of existing ACLs and ACEs of objects, which does not allow identifying existing attack paths on HVA within the corporate network.

The essence of the invention

The technical problem solved within the framework of the stated solution is the creation of a new effective approach to prevent the compromise of objects that allow access to HVA.

The technical result is to increase the efficiency of protecting the corporate network from compromising objects and gaining access to highly privileged assets.

The claimed technical result is achieved through a method for preventing compromise of directory service objects (MS AD) in a corporate network, performed using a computing device and containing the steps of:

receive data from the MS AD storage of the corporate network, characterizing network objects and their attributes, including at least a security descriptor containing lists (ACLs) and records (ACEs) of object access control;

parses attributes of MS AD objects;

determine MS AD highly privileged objects (HVA) in the corporate network based on rules and ACL and ACE parsing, the rules representing at least the number of connections of the HVA object with other MS AD objects;

define MS AD objects associated with the HVA, which allow access to them through current access privileges, or their change, or through horizontal movement through the network;

form a graph based on the collected data, where the nodes are MS AD objects, and the edges are access parameters between MS AD objects;

perform modeling of an attack path on the HVA based on the resulting graph, on which at least one subgraph with MS AD objects is determined, containing nodes that allow one to gain control over the HVA or associated MS AD objects using at least one of:

- 1 044131 transferring current access rights, changing current access rights, adding new access rights or using current access rights;

monitor MS AD objects to determine changes in access privilege parameters on nodes identified in the subgraph;

transmit data on objects identified on the subgraph to the control system when their access privileges change;

manage access privileges on identified MS AD objects in terms of isolating them from other MS AD objects and/or lowering their access privileges.

In one particular example of implementation, access parameters between MS AD objects represent at least one of: privilege relationships between objects to which these privileges apply, permissions between objects, trust parameters between domains.

In another particular embodiment, MS AD object privileges are access tokens with associated user privileges.

In another particular implementation, access token privileges are a way to change the level of access to an MS AD object on a corporate network.

In another particular embodiment, each MS AD object represents at least one of: users, computers, security groups, Group Policy Object, Organizational Unit, trust relationships between domains.

In another particular example of implementation, errors in the MS AD security configuration are monitored on the identified subgraph, based on error checking rules in the configuration of MS AD objects.

In another particular example of implementation, access privilege configurations are adjusted on MS AD objects.

The claimed solution is also implemented using a system for preventing compromise of directory service objects (MS AD) on a corporate network, wherein the system contains at least one processor and memory storing machine-readable instructions, which, when executed by the processor, implement the above method.

Brief description of drawings

Fig. 1 illustrates a block diagram of the claimed method.

Fig. Figure 2 illustrates an example of an MS AD object graph.

Fig. Figure 3 illustrates an example of a subgraph of MS AD objects.

Fig. 4 illustrates an example of a computing system.

Carrying out the invention

In fig. 1 shows a flowchart of the stages of the claimed method (100) for preventing the compromise of MS AD objects in the corporate network. At the first stage (101), a call is made to MS AD to obtain information on objects. Data collection can be performed by an automated data collection module. Data collection is performed using the Windows API and the LDAP namespace function to collect data from domain controllers and Windows-based systems joined to the domain. When collecting information, it is automatically determined which domain the host belongs to, and basic data about the object is collected, for example, the following type:

Security group membership;

Domain trust;

Rights to Active Directory objects;

Group Policy Links;

OU tree structure;

Properties of computer, group and user objects;

SQL administrator rights;

And others.

Additionally, an additional set of data can be collected from each computer:

Members of the Local Administrators, Remote Desktop, Distributed COM, and Remote Control groups;

Active sessions associated with systems and hosts where users are interactively logged on.

Based on the results of data collection, a text file can be generated in one of the formats: json, .csv, .html or data can be transferred via one of the well-known transfer protocols (syslog, smtp, etc.) to the database. Before saving data in any of the formats (either in a database or in a text file), the attributes of MS AD objects are parsed, which are, for example, Security Descriptors, presented in SDDL (Security Descriptor Definition Language) format. records. The security descriptor, in turn, contains the owner SID, the object's primary group SID and two lists (ACLs) - SACL (system access control list), DACL (discretionary access control list). ACL is a list of entries (ACE) that identifies objects trusted for management and defines access rights - allowing, denying or auditing for these objects. ACE includes a list of records with the fields: SID of the object for which access rights are determined, access mask, ACE type, sign of inheritance of access rights to the object.

When collecting data, a system of filters can also be used, allowing you to collect only the required set of data, depending on the settings. Data collection is carried out according to a scheduler or cyclically.

At step (102), MS AD high privileged objects (HVA) in the corporate network are determined based on rules and ACL and ACE parsing. The specified rules represent, for example, an analysis of the number of connections of an HVA object with other MS AD objects (for example, a connection with five or more objects). HVAs can also be technical or service accounts with more connections or enhanced access privileges.

Depending on the domain controller object and allocated HVA, data collection occurs in stages for each object class. For example, changes to HVA are collected first, and information on related objects is also updated first and in the shortest possible time. The collection is carried out using multi-threaded technologies, which in turn allows for the fastest possible receipt of data and updates on this data. The collection is carried out within the framework of a special LDAP connection between the data collection module and the domain controller. The connection is protected by additional organizational methods of information protection (strict firewall rules, specific permissions of security devices (SD), and so on), as well as monitoring tools. Data transfer is carried out using SSL for the LDAP protocol.

After collecting the MS AD object data, step (103) identifies objects associated with the HVA that can, by using or changing current access privileges, or by moving laterally through the network, gain access over the HVA. In table 1 below are some examples of these types of access privileges.

Table 1

Examples of access privileges

Privilege Possible actions GenericAll Full rights to an object (adding users to a group or resetting a user's password) GenericWrite Updating object attributes (i.e. login script) WriteOwner Changing the owner of the object to an attacker-controlled user who will take over the object WriteDACL Changing the ACE of an object and giving full control over the object AllExtendedRights Ability to add a user to a group or reset a password ForceChangePassword Ability to change user password

Identification of all MS AD objects associated with the HVA is necessary for analyzing the connections for the subsequent construction of a graph in step (104) to find short routes to the HVA. In the generated graph, the nodes are MS AD objects, and the edges are access parameters between MS AD objects.

The graph node can be: group policy, computer, user, OU tree structure or group. The connections (edges) are access parameters, in particular, the privileges of one object over another, user sessions, group membership, access with the local administrator level, etc. For example, an example of a relationship would be the following entities: the object is a member of a group, the user has administrative privileges on the computer, the object is subject to group policy, the user has an active session on the computer, and other types of entities. In fig. 2 shows an example of a graph (200) generated at step (104), displaying current connections between MS AD objects. At step (105), an automated modeling of the attack path against the HVA is performed based on the obtained graph at step (104). During the attack path modeling, a subgraph (300) is determined, shown in FIG. 3. On the subgraph (300), nodes are defined that allow you to gain control over the HVA or associated MS AD objects using at least one of: transferring current access rights, changing current access rights, adding new access rights, or using current access rights .

The terms graph and subgraph should be understood as modeling the display of MS AD objects for which automated information processing is performed using an automated analytical algorithm aimed at monitoring the state of domain zones of the corporate network and responding to changes in its objects.

As shown in the example in FIG. 3 user group USER-ADM and all its members (participants)

- 3 044131 has ForceChangePassword privileges (it is possible to change the password without asking for the old one) over the Exchange Admin user. The Exchange Admin user has GenericAll privileges (this privilege allows you to perform any action, such as adding new users to this group) over the ADMSYSTEMS group. The ADMSYSTEMS group has WriteDacl privileges (a privilege that allows you to change the ACL of the Domain Admins object, for example, adding full rights (GenericAll) over the Domain Admins group) over the Domain Admins group, which is the HVA in this case.

Thus, an attacker, having compromised an account, for example, User 1, can gain domain administrator privileges by becoming a member of the Domain Admins group. The attack vector could be: User 1 is a member of the User-ADM group. User 1 changes the password for the Exchange Admin user, using this user's Account adds his Account User 1 to the ADMSYSTEMS group, then for the ADMSYSTEMS group he gives full privileges to Domain Admins and makes his Account User 1 a member of the Domain Admins group.

When analyzing MS AD objects defined on the subgraph (300), a starting node or group of objects is selected from which the attack path will be built. The starting node can be any object, or a group of objects that by default do not have critical privileges, but have the ability to expand their rights, or objects that initially have critical rights that affect access to the HVA. For example, some objects may have WriteDACL permission, which allows the object's Access Control Entry (ACE) to be modified and give the attacker full control of the object—effectively gaining GenericAll privileges over the target object. When modeling the attack vector, it will be assumed that the starting node will be a host or information system compromised by the attacker.

Attack paths (vectors) can be built in the opposite direction - from HVA to objects with critical privileges or other connections that allow privileges to be expanded horizontally. When constructing the paths of all possible attacks on HVA for objects, inheritance and priority of access control entries (ACEs) are taken into account in the following order:

Explicit prohibition;

Explicit permission;

Inherited ban;

Inherited permission.

Thus, if an object has two conflicting access control entries (ACE) for an explicit permission and an explicit denial (for example, the user is a member of two groups, one of which has permission to access a folder, and the second has an explicit denial, then the ban will work and the user will be denied access), then the second will have priority, since prohibiting rules always take precedence over allowing rules. At step (105), a real-time analysis of the graph display of the MS AD structure is performed. The analysis can be performed using a special automated analytics module, which monitors the current state of access rights of MS AD objects and responds to changes in permissions regarding HVA. When analyzing the status of access rights in MS AD, information security threats are assessed in real time for timely response and signaling of changes regarding security trends. An example of a sharp change in the security trend could be adding a new user to the domain administrators group, granting rights to manage any HVA, etc.

Analysis of changes in access privileges on the generated subgraphs (300) allows you to generate notifications and perform automated responses according to specified rules developed using logical operators, objects, attributes and their values. Such a check is iteratively carried out at stage (106) for all generated subgraphs (300) of the general graph MS AD (200). When determining MS AD objects for which a change in their access privileges occurs in the subgraph (300) and which can gain access over the HVA, one of the selected response policies is applied at stage (107), in particular, information on such nodes (objects) transmitted to the control system for subsequent response. Using the control system, access privileges are managed on identified MS AD objects in terms of isolating them from other MS AD objects and/or lowering their access privileges. This reaction of the control system is carried out on the basis of established rules and security policies in terms of responding to a specific type of change in access privileges on MS AD objects.

One of the particular examples of rules for responding to MS AD objects may be the following situations:

If, after updating information, an object has DSReplication-Get-Changes/DS-Replication-Get-Changes-All (DCSync) privileges, then the control system reacts by lowering the object’s privileges to the original value. The system informs about the eliminated threat;

If a new account appears in the administrators group and this account is not added to the corresponding value sheet, then the system’s reaction is to remove it from the group, thus lowering the account’s privileges to the original ones. Deletion commands are executed from privileged accounts, with account and group names passed as variables. The system informs you that the threat has been eliminated.

Also, the claimed solution can additionally identify errors in the MS AD security configuration, based on the rules for checking errors in the configuration of MS AD objects. To do this, users are checked for certain privileges in their Access Tokens, which allow them to perform actions that bypass the ACLs of objects. This check can also be performed using an automated module that provides functionality to search for typical configuration errors in a domain controller. Configuration error analysis is performed using a verification mechanism (checker) to verify known domain controller vulnerabilities.

One of the options for checking privileges in access tokens is to run the whoami /priv command in the command shell, parse and analyze the results obtained; the analysis takes into account the name of the privilege in the access token and the status (enabled/disabled).

Below in the table. Figure 2 shows some examples of privileges in access tokens that are identified during configuration error detection.

table 2

Examples of privileges in access tokens

Privilege name Description SeEnableDelegationPrivilege Allows you to control the Kerberos Unconstrained and Constrained Delegation settings in the domain, which an attacker can use to escalate privileges SeDebugPrivilege Allows a user for any Windows process to execute code as part of debugging, which may result in privilege escalation or reading of the process's reserved memory area. An example of exploitation is reading the secrets of the Isass process of UZ users authorized in the system. SelmpersonatePrivilege Any process with this privilege can impersonate (but not create, impersonate) any token for which it can obtain a handle. In some situations, it is possible to impersonate a process that belongs to another OS, or create a privileged token from a Windows service (DCOM), force it to perform NTLM authentication against the exploit, and then execute the process as SYSTEM.

This configuration error scan looks for common domain controller configuration errors and vulnerabilities. One example of such errors is when Kerberos pre-authentication is disabled for a user (opening up the possibility of an ASREPRoast attack). One option to check is to run the Get-DomainUser PreauthNotRequired -verbose command through a command shell extension. The result of the command is a list of vulnerable accounts.

Another example of an error could be the presence of domain users who have local administrator rights on computers (an attack on the Local Administrator Password Solution (LAPS)). One test option is to run the Get-LAPSComputers command using the PowerShell command line extension and the LAPSToolkit library of additional functions and methods. The result of the command is a list of computers with the LAPS mechanism enabled. Typically, permission to read LAPS passwords is assigned to a user group. To search for such groups, the Find-LAPSDelegatedGroups method is used; to search for members of these groups (users), the Get-NetGroupMember -GroupName group_name method of the LAPSToolkit library is used.

Another example of a typical error can be the presence of domain users in default MS AD groups with elevated privileges that do not contain any users. For example, such groups are Account Operators, Backup Operators, Server Operators and others. One option to verify the users of these groups is to run GetDomainGroupMember -Identity group_name using the PowerShell command line extension and

- 5 044131 libraries of additional functions and methods of PowerView. The result of the work is a list of users with extended privileges.

The stated solution may also use a recommendation mechanism. Recommendations are a sequence of system PowerShell commands on Windows OS and comments. This mechanism can be implemented using an automated module that provides contextual information to the user for the purpose of their execution and compensation of emerging security risks. Recommendations have connections with attributes of MS AD objects, thus a certain set of attribute values is characterized by a recommendation for the system user. In a particular case, recommendations can be presented in json format and displayed in the user interface for certain objects/relationships. To remove permissions from an MS AD PowerShell directory service object, use the Remove-ADPermission cmdlet.

An example is running the following command: Remove-ADPermission -identity Replication Database-User domain/ivanpetrov -AccessRights WriteDacl. The syntax for using the Remove-ADPermission cmdlet is:

Remove-ADPermission -Identity <ADRawEntryIdParameter> -User <SecurityPrincipalIdParameter> [AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <Extended RightIdParameter[ ]>] [InheritanceType <None | All | Descendents SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>]

Remove-ADPermission [-Identity <ADRawEntryIdParameter>] -Instance <ADAcePresentationObject> [AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights < ExtendedRightIdParameter[]>] [InheritanceType <None | All | Descendents SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-User <SecurityPrincipalIdParameter>]

Remove-ADPermission -Identity <ADRawEntryIdParameter> [-DomainController <Fqdn>]

Additionally, a reporting generator can also be used, made in the form of an automated module that implements the functionality of generating reports. The input data for the reporting module are objects and their attributes from the database. The result of reporting generation is a text file in one of the formats: pdf, html, xlsx. One particular example of a report could be a statistical report with analytical elements, containing information on the following objects:

Total number of administrators. Changes in quantity over a period of time;

The name of the administrator groups and the number of participants in each group. It is also possible to include required groups if they are highly privileged assets;

List of users without pre-authentication (ASREPRoast);

List of objects with constrained delegation.

The infrastructure of almost all companies includes domains built on MS AD. The claimed solution makes it possible to achieve the above technical result through constant monitoring of directory service object permissions and MS AD configuration errors, which significantly increases the effectiveness of security to prevent compromise of network objects. An attacker, getting into the network and attempting to lateralize and escalate privileges in order to compromise the HVA, is forced to change object permissions or exploit errors in the directory service configuration. Constant monitoring of object permissions allows you to quickly identify such attempts and immediately respond to them, isolating the attacker from further progress, and in some cases, disconnecting him from the network. The advantage of this solution is the analysis of ACLs and ACEs of network objects, as well as MS AD configuration errors. Other solutions do not provide this kind of functionality, which leads to the fact that this type of security system is not able to notice and respond to such incidents.

In fig. 4 shows a general view of a computing system implemented on the basis of a computing device (300). In general, a computing device (300) contains one or more processors (301), memory devices such as RAM (302) and ROM (303), input/output interfaces (304), and input/output devices connected by a common data exchange bus. (305), and a networking device (306).

The processor (301) (or multiple processors, multi-core processor) may be selected from a variety of devices commonly used today, such as Intel™, AMD™, Apple™, Samsung Exynos™, MediaTEK™, Qualcomm Snapdragon™, etc. . By processor it is also necessary to take into account a graphics processor, for example an NVIDIA or ATI GPU, which is also suitable for carrying out the method (100) in whole or in part. In this case, the memory means can be the available memory capacity of the graphics card or graphics processor. RAM (302) is a random access memory and is designed to store computers executed by the processor (301).

Claims (4)

readable instructions to perform the necessary logical data processing operations. RAM (302) typically contains executable operating system instructions and associated software components (applications, program modules, etc.). ROM (303) is one or more permanent storage devices, such as a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD-R) /RW, DVD-R/RW, BlueRay Disc, MD), etc. To organize the operation of device components (300) and organize the operation of external connected devices, various types of I/O interfaces (304) are used. The choice of appropriate interfaces depends on the specific design of the computing device, which can be, but is not limited to: PCI, AGP, PS/2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS/Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc. To ensure user interaction with the computing device (300), various I/O information tools (305) are used, for example, a keyboard, a display (monitor), a touch display, a touch pad, a joystick, a mouse, a light pen, a stylus, a touchpad, trackball, speakers, microphone, augmented reality tools, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retina scanner, fingerprint scanner, voice recognition module), etc. The network communication means (306) ensures that the device (300) transmits data via an internal or external computer network, for example, an Intranet, the Internet, a LAN, etc. One or more means (306) may be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and/or BLE module, Wi-Fi module and etc. Additionally, satellite navigation tools can also be used as part of the device (300), for example, GPS, GLONASS, BeiDou, Galileo. The submitted application materials disclose preferred examples of implementation of a technical solution and should not be interpreted as limiting other, particular examples of its implementation that do not go beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field CLAIM 1. A method of preventing compromise of directory service objects (MS AD) on a corporate network, performed using a computing device and containing the steps of: receive data from the MS AD storage of the corporate network, characterizing network objects and their attributes, including at least a security descriptor containing lists (ACLs) and records (ACEs) of object access control; parsing attributes of MS AD objects; determine MS AD highly privileged objects (HVA) in the corporate network based on rules and ACL and ACE parsing, where the rules represent at least the number of connections of the HVA object with other MS AD objects; define MS AD objects associated with the HVA that allow them to be accessed through current access privileges, or changing them, or by moving laterally across the network; form a graph based on the collected data, where the nodes are MS AD objects, and the edges are access parameters between MS AD objects; perform modeling of an attack path on the HVA based on the resulting graph, on which at least one subgraph with MS AD objects is determined, containing nodes that make it possible to gain control over the HVA or associated MS AD objects using at least one of: transferring current access rights, changing current access rights, adding new access rights or using current access rights; monitor MS AD objects to determine changes in access privilege parameters on nodes identified in the subgraph; transmit data on objects identified on the subgraph to the control system when their access privileges change; manage access privileges on identified MS AD objects in terms of isolating them from other MS AD objects and/or lowering their access privileges. 2. The method according to claim 1, in which the access parameters between objects represent at least one of: privilege associations between objects to which these privileges apply, permissions between objects, trust parameters between domains. 3. The method of claim 1, wherein the privileges of the directory service objects are access tokens with associated user privileges. 4. The method according to claim 3, in which the privileges of the access token are a way to change the access level -