Throughout my years leading cyber investigations and providing advisory support to companies and governments, the most consistent indicators of a compromise have always been user profile propagation and the abuse of standing privileges. It is also the most consistently frustrating cyber risk, because it has repeatedly been shown to have high business impact and yet is easy to identify and control.
- Profile propagation: This is simply “how many computers in a network have which user profiles on them?”
For example, during an investigation I notice that a certain user profile has been created on several computers over time. Review of that profile reveals that the indicated user is not associated with the business units of the other computers, and that raises a question that needs answering. Profile propagation is not necessarily malicious; indeed, over time it will always happen to some extent. However, if it isn’t assessed and remediated, the profiles become standing privileges, which are targets sought by attackers.
- Standing Privilege: This is even simpler, “how many user accounts are on my computer, and when/why were they used?”
For example, just open a CMD window and type DIR C:\Users /a /tc /od and then NET USER: the first lists the profile folders on your computer by creation time, and the second lists the user accounts that have been created for use, with certain privileges, on it. How often have you done that before? Do you know who each account represents and why they used your computer (remotely)?
Profile propagation is a natural consequence of interactive use of service and administrative profiles, for example by the help desk. Profiles also accumulate because people often use others’ computers for varied reasons. After use, however, the profiles are seldom removed, leading to standing privileges. The combination of these issues presents a security risk, as those profiles can be mined for application settings, rights and paths, and in some cases passwords; and, depending on operating system or application vulnerabilities (of build level or configuration), they might provide access to passwords or authentication tokens that grant network service access to other computers.
Malicious actors are generally aware of the opportunity available to them to abuse standing privileges. They can be creative and use various tools like Meterpreter, Mimikatz or forensic tools to capture processes and extract secrets, or, more commonly, they can simply use built-in commands to view who they are (WHOAMI), what resources they have available (NET SHARE), and what their privileges are (SET) to local and accessible network services.
Certain accounts are always tempting for attackers – because they are most often overlooked as standing privileges intended to support IT remote services. For example, every Windows computer is provisioned with a local user account called “Administrator”, and that account is seldom changed or deprecated.
In the figure above the Administrator local account is not only useful for “local” logon, but also “Remote Desktop Users” logon – with or without domain restrictions. Many backdoor trojans used by financially motivated cybercriminals, such as the CITADEL and CORCOW malware used to steal billions of dollars from financial services companies around the world, even embed system commands in their tools (Figure 4) so that, once the tools are installed, the system is conditioned with a standing privilege that enables the attackers’ remote access and use, independent of domain services.
This describes an opportunity that attackers are aware of and one which they have preyed upon in their compromise activities, whether they are malicious outsiders or insiders. The opportunity is simply to utilize a credential that has rights to use more than one system, because of standing privileges or the ability to propagate across a network due to limited restrictions on its use.
Some observations from the field are useful to describe the risk:
- First, the rights of an Administrator group are never limited to the commands or services required to perform their specific (business or occupational) function.
- Next, I consistently see that Administrator and Service accounts are not controlled in terms of which computers or associated resources they are authorized to use.
- Consequently, Administrator and Service profiles, through uncontrolled administrator group rights, are widely and somewhat indiscriminately provisioned across computers in an organization.
This results in every member of a related group being provided access to every computer managed by domain services – thereby creating standing privileges that have been proven repeatedly to be weak points of security programs, and that lead to breach and compromise.
Once profiles are used across networked computers, they tend to remain on those machines. Sometimes this is because of a common misperception of Domain administrators, “disabled (domain) profiles control the risk.” That is unfortunately not true.
There is a difference between an account, a credential, and a privilege. Accounts are created and managed by local and domain security authorities, such as the SAM or Active Directory. A credential is created and stored for local or domain services use according to policies of use that generally relate to binary (on/off) configurations. The privileges allowed for credentialed use of the account are set by the security authority as defined by local or group policies. The profile is a configuration store of credentials and privileges representing an account, for both local and domain (or other) services. Therefore, accounts that are disabled on the domain but still have profiles stored on the local computers where they were used remain risks because of their standing privileges.
The good news? Controlling this risk means simply reducing standing privileges with good (and repeated) hygiene by removing unused or unnecessary profiles/accounts from local and domain security authorities.
The better news? If a breach occurs, the clues to which computers the attackers were interested in, and which resources were compromised, will be even more evident. The method of managing this risk is called “Privileged Access Management” (PAM).
I provide a lot of training for police forces and corporate security staff. The fundamentals are simple: There are only three things that a cybercriminal needs to achieve their objectives.
- A tool, whether it be malware or existing software that is vulnerable to exploitation, by build or configuration, that is leveraged to infiltrate and manipulate computers.
- A credential, meaning the right to use the tool.
- Time, and this is very important as many people overlook this - they need time to use the tools and credentials to perform related tasks.
Therefore, managing cyber risk can be achieved by monitoring and controlling privileged use of resources:
- Who is allowed to use which credentials, under what circumstances?
- Why are they allowed to access which computers and services?
- When are they allowed to use them?
Standing Privileges are targets for compromise in the early stages of APT activity
Regardless of an actor’s objective, I’ve commonly observed the exploitation of standing privilege as an initial activity. Whether the goal of the threat actor is long term (create and catalog the access for future use) or near term (targeted business interruption or extortion via IP theft), an early and common clue available to SOC monitors or incident investigators – is the abuse of standing privileges.
This is evidenced by profile propagation, and coincidental or consecutive use on multiple computers. As such, standing privileges are a risk factor to be considered and managed in every organization’s security program.
Incidentally, they are also the easiest to remediate. For example, an Active Directory GPO can be used to periodically scan for and remove profiles that have not been used past a certain timeframe. In addition, profiles that are no longer enabled in Active Directory can be easily removed from endpoints.
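The two checks from the “Standing Privilege” example earlier (profile folders and local accounts) and the stale or disabled-in-AD profile clean-up described in this paragraph, as one added PowerShell example that is not part of the original article: it lists every non-special profile on the host with its last-use time, resolves each SID, checks domain accounts for the ACCOUNTDISABLE flag through ADSI, and removes stale, unloaded profiles only when run with -Remove. The 90-day threshold and the Test-DomainAccountDisabled helper are assumptions, not values from the article.

```powershell
# Added example, not code from the original article. Run elevated on a
# domain-joined Windows host. $StaleDays (90) is an assumed threshold.
param([int]$StaleDays = 90, [switch]$Remove)   # report-only unless -Remove

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Hypothetical helper: is the domain account behind this profile disabled or gone?
# useraccountcontrol bit 0x2 is ACCOUNTDISABLE; ADSI is used so RSAT is not required.
function Test-DomainAccountDisabled([string]$SamAccountName) {
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { return $true }                       # account no longer exists
    return ([int]$result.Properties['useraccountcontrol'][0] -band 2) -ne 0
}

# Profile propagation: every non-special profile on this machine, keyed by SID.
# Caveat: some Windows 10/11 builds refresh Win32_UserProfile.LastUseTime at boot,
# so the NTUSER.DAT write time (updated at logoff) is used where it is available.
$report = foreach ($p in Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }) {
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate(
                    [System.Security.Principal.NTAccount]).Value      # DOMAIN\user or HOST\user
    } catch { $name = "<orphaned SID $($p.SID)>" }                      # deleted account

    $ntuser   = Join-Path $p.LocalPath 'NTUSER.DAT'
    $lastUse  = if (Test-Path $ntuser) { (Get-Item $ntuser -Force).LastWriteTime } else { $p.LastUseTime }
    $domain   = ($name -like '*\*') -and ($name -notlike "$env:COMPUTERNAME\*")
    $disabled = if ($domain) { Test-DomainAccountDisabled ($name.Split('\')[1]) } else { $false }
    $stale    = ($null -eq $lastUse) -or ($lastUse -lt $cutoff)

    [pscustomobject]@{ Account=$name; Path=$p.LocalPath; LastUse=$lastUse
                       Loaded=$p.Loaded; Stale=$stale; DomainDisabled=$disabled }

    # Remediation (the GPO-style clean-up): stale or disabled in AD, and not currently loaded.
    if (($stale -or $disabled) -and -not $p.Loaded) {
        if ($Remove) { Remove-CimInstance -InputObject $p }   # deletes the folder and registry entry
        else { Write-Warning "Would remove profile $($p.LocalPath) ($name); rerun with -Remove" }
    }
}
$report | Format-Table -AutoSize

# Standing privilege: the PowerShell equivalent of NET USER, plus who holds local admin rights.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Running it without -Remove produces the audit only; the same script can be scheduled through a GPO startup or scheduled-task policy to perform the periodic clean-up the paragraph describes.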
Local service accounts are also targets
Local accounts created for specific business purposes also pose a risk of compromise due to the level and persistent nature of their privileges. Service accounts created to support application or database processes often require elevated privileges to perform specific transactions. These types of accounts make easy targets for threat actors because (1) they are widespread (present by default on any workstation or server on the network) and highly privileged, with access to System functions; (2) they are unknown and hidden to the general user of the endpoint; and (3) they unfortunately tend to use shared passwords in order to facilitate helpdesk services.
Remediating local service and administrator privileges on a computer is possible by performing routine profile checks and clean-up of accounts; however, many of these accounts do have true business purposes and may require access, but not standing privileges.
This is where “Just-In-Time” Privileged Access Management is helpful. Remediant PAM provisions access only when needed, uses one-time passwords, eliminates shared passwords, enforces password strength and complexity best practices, and provides multi-factor authentication. These capabilities improve the security risk posture of an organization by controlling the three factors of compromise: the tools, the credentials, and the time available to an actor.
About the Author
Dr. Shook is a Venture Consultant with ForgePoint Capital with more than 30 years of experience as a consultant, author, trainer and expert witness in cybercrime and technology-related investigations.