CISA and NSA’s Top 10 Control Misconfigurations? Use BAS and MITRE ATT&CK to Defend Against Them

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently released their top 10 list of common cybersecurity misconfigurations. Some of these include your standard slew of don’t use default software settings, don’t make weak passwords, and don’t practice poor MFA hygiene. No surprise there for most security teams, but apparently, it’s common enough that they all made the top 10 list of things people do anyway. Read More

And the list is:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multi-factor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

We at AttackIQ are always in the business of security controls, so when we saw this the first thing we thought was how can our customers make sure they aren’t members of the top 10, hall-of-fame-for-bad- things-to-do-according-to-America’s-leading-spy-agency?

Well, we’ve got our own little list for you – and we’ve checked it twice.

One note: Attacks can occur with multiple steps and build on top of each other, so there is plenty of overlap between the listed vulnerabilities, where they may fall within the MITRE ATT&CK matrix, and the emulation scenarios AttackIQ offers to help defenders detect these vulnerabilities.


#1 Default configurations of software and applications:

MITRE Tactic: Credential Access

Technique ID (T1649): Steal or Forge Authentication Certifications
  1. Adversaries can compromise authentication by stealing or forging digital certificates, commonly used to sign, encrypt messages, and authenticate users. For instance, certificates like those from Azure AD or AD CS can be pilfered from storage, misplaced, or obtained through enrollment processes, potentially leading to unauthorized access, lateral movement, privilege escalation, and persistence, especially when adversaries have access to root CA certificate private keys.
Mitigations:
  • M1015 – Active Directory Configuration: Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes.
  • M1047 – Audit: Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates).
  • M1042 – Disable or Remove Feature or Program: Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.
  • M1041 – Encrypt Sensitive Information: Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection for Authentication.
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • Enumerate ADCS Vulnerabilities
  • ADCS ESC1 Attack
  • ADCS ESC4 Attack

#2 Improper Separation of User/Administrator Privilege

MITRE Tactic: Credential Access

Technique ID (T1558): Steal or Forge Kerberos Tickets
  1. Adversaries may exploit vulnerabilities in Kerberos authentication in Windows domain environments by stealing or forging tickets, facilitating unauthorized access through techniques like Pass the Ticket. The klist utility on Windows and the “ccache” file on Linux store Kerberos tickets, which adversaries can manipulate. On macOS, Kerberos tickets are stored in a ccache format, and adversaries can use open-source tools or Apple’s framework to extract TGT or Service Tickets through lower-level APIs.
Mitigations:
  • M1026 – Privileged Account Management: Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.
  • M1015 – Active Directory Configuration: For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.
  • M1041 – Encrypt Sensitive Information: Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
  • M1027 – Password Policies: Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third party product such as password vaulting.
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • Kerberoasting
  • Kerberoasting using Obfuscated Rubeus
  • Kerberoasting using PowerShell Empire’s Invoke-Kerberoast Script

For customers with access to our PCAP replays, we have some handy Kerberoasting scripts there you can run as well.


#3 Insufficient Internal Network Monitoring

MITRE Tactic: Lateral Movement

Technique ID (T1072): Software Deployment Tools
  1. Adversaries can exploit third-party software suites, including administration and deployment systems, installed within an enterprise network to move laterally. Gaining access to network-wide software allows remote code execution on connected systems, enabling adversaries to move between systems, collect information, or execute specific actions, such as wiping hard drives. The permissions needed for these actions depend on the system configuration, with local or domain credentials possibly required, and administrative access may be necessary for certain operations.
Mitigations:
  • M1015 – Active Directory Configuration: Ensure proper system and access isolation for critical network systems through use of group policy
  • M1032 – Multi-factor Authentication: Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.
  • M1030 – Network Segmentation: Ensure proper system isolation for critical network systems through use of firewalls.
  • M1027 – Password Policies: Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.
  • M1026 – Privileged Account Management: Grant access to application deployment systems only to a limited number of authorized administrators.
  • M1029 – Remote Data Storage: If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.
  • M1051 – Update Software: Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.
  • M1018 – User Account Management: Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.
  • M1017 – User Training: Have a strict approval policy for use of deployment systems.
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • Lateral Movement Through Remote Service
  • Lateral Movement Through Remote Desktop Protocol
  • Lateral Movement Through SSH
  • Lateral Movement Through Exploitation
  • Lateral Movement Through WinRM
  • Lateral Movement Through PAExec
  • Lateral Movement Through WMI
  • C&C Address Retrieval From Web Service
  • SysJoker C2 Server Retrieval from Google Drive
  • Discover SQL Servers
  • Discover SQL Servers using the Osql Utility
  • Network Service Scanning Script
  • Exfiltrate Files over ICMP
  • Exfiltrate Files over HTTP
  • Exfiltrate Files over DNS A Record – 50 Credit Cards
  • Send Reconnaissance Data to C2 Server Over ICMP
  • Commonly Used Port
  • DNSMessenger PowerShell Communication
  • Send Reconnaissance Data to C2 Server Over HTTP
  • Send IP Information to C2 Server Over HTTP
  • DNS Communication
  • HTTP Communication
  • FTP Communication
  • SMTP Communication
  • HTTP Communication Through Port 443
  • Standard Application Layer Protocol
  • Bulk Exfiltration via HTTP
  • Exfiltration Over Command and Control Channel
  • Exfiltrate Text File Containing Password Patterns via HTTP to Test Server
  • APT29’s CosmicDuke Exfiltration over C&C Channel
  • NSLookUp Script
  • Malicious Outgoing Traffic
  • SysJoker C2 Communication – whoami Command Results
  • SysJoker C2 Communication – Initial Token Request
  • SysJoker C2 Communication – New Command Request
  • OilRig’s TONEDEAF C2 Initial Checkin Web Request
  • OilRig’s QuadAgent C2 Goodbye Web Request
  • OilRig’s QuadAgent C2 Initial Checkin Web Request
  • Send Process Discovery Data to C2 Server Over HTTP
  • APT28 Zebrocy GoLang HTTP Downloader POST Request
  • Remote File Copy Script

#5 Poor Patch Management

MITRE Tactic: Initial Access

Technique ID (T1190): Exploit Public-Facing Application
  1. Adversaries exploit vulnerabilities in Internet-facing systems, such as software bugs or misconfigurations, to gain initial network access. This can target various applications, including websites, databases, and network protocols, potentially compromising cloud instances or containers and exploiting weak access management. Edge network infrastructure lacking robust defenses may also be targeted, with common web-based vulnerabilities identified in the OWASP top 10 and CWE top 25 for websites and databases.
Mitigations:
  • M1051 – Update Software: Update software regularly by employing patch management for externally exposed applications.
  • M1048 – Application Isolation and Sandboxing: Application isolation will limit what other processes and system features the exploited target can access.
  • M1050 – Exploit Protection: Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.
  • M1030 – Network Segmentation: Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.
  • M1026 – Privileged Account Management: Use least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.
  • M1016 – Vulnerability Scanning: Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • ProxyShell Exploit (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
  • Log4Shell (CVE-2021-44228) Signature-Based Web Requests (with multiple payloads)
  • Also, any WAF testing and PCAP replay scenarios related to CVEs can be included.

#6 Bypass of System Access Controls

MITRE Tactic: Privilege Escalation, Defense Evasion

Technique ID (T1548): Abuse Elevation Control Mechanism
Sub-Technique ID (T1548.002): Bypass User Account Control
  1. Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Mitigations:
  • M1047 – Audit: Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.
  • M1026 – Privileged Account Management: Remove users from the local administrator group on systems
  • M1051 – Update Software: Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass
  • M1052 – User Account Control: Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • Pass the Hash using dumped credentials
  • Pass the Hash to the Domain Controller using dumped credentials
  • Also applies to MITRE Technique (T1003) OS Credential Dumping under Credential Access, which is touched on below under Vulnerability #9

#7 Weak or Misconfigured MFA Methods

MITRE Tactic: Credential Access, Reconnaissance

Technique ID(s):
(T1621): Multi-Factor Authentication Request Generation
  • Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.
(T1598): Phishing for Information
  • Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code (see mitigations and AttackIQ scenario emulations within vulnerability #10)

#8 Insufficient ACLs on Network Shares and Services

MITRE Tactic: Discovery

Technique ID (T1135): Network Share Discovery
  1. Adversaries may search for shared folders and drives on remote systems to identify potential sources of information and targets for lateral movement within a network. They commonly exploit shared network drives and folders, using commands such as “net view” on Windows or “sharing -l” on macOS to query and identify available shared drives, facilitating reconnaissance for subsequent actions like collection and lateral movement.
Mitigations:
  • M1028 – Operating System Configuration: Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • Discover SMB Shares via “Get-SmbShare” PowerShell Command
  • NFS Discovery through EFS service
  • Getting Shares using Invoke-ShareFinder Script
  • Network Share Discovery Script
  • Get Network Shares Information through WMI
  • Get Network Shares Information through Windows Command Line

#9 Poor Credential Hygiene

MITRE Tactic: Credential Access

Technique ID (T1003): OS Credential Dumping
  1. Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Mitigations:
  • M1015 – Active Directory Configuration: Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. Consider adding users to the “Protected Users” Active Directory security group. This can help limit the caching of users’ plaintext credentials.
  • M1040 – Behavior Prevention on Endpoint: On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing
  • M1043 – Credential Access Protection: With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.
  • M1041 – Encrypt Sensitive Information: Ensure Domain Controller backups are properly secured
  • M1028 – Operating System Configuration: Consider disabling or restricting NTLM, and/or disabling WDigest authentication
  • M1027 – Password Policies: Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
  • M1026 – Privileged Account Management:
    • Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers
    • Linux: Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive regions of memory.
  • M1025 – Privileged Process Integrity: On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA
  • M1017 – User Training: Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Emulation Scenarios within the AttackIQ Security Validation Platform:
  • Customers can run any of our credential dumping scenarios that gather clear text passwords or our credentials in the registry scenarios.

#10 Unrestricted Code Execution

MITRE Tactic(s): Execution, Persistence, Discovery

Technique ID(s)

While our scenarios span across multiple tactics and techniques, we’ve identified these techniques as two of the more prevalent examples:

(T1574) – Hijack Execution Flow
  1. Adversaries can manipulate the execution flow of operating systems to deploy their malicious payloads, aiming for persistence or evading defenses like application control. This can involve hijacking the way programs are run, manipulating program and library locations, and poisoning directories or the Windows Registry to include harmful elements.
(T1218) – System Binary Proxy Execution
  1. Adversaries can circumvent process and signature-based defenses by using trusted, signed binaries to proxy the execution of malicious content. This often involves Microsoft-signed files, implying they are either from Microsoft or are inherent in the operating system, allowing them to execute on Windows systems with digital signature validation. Additionally, on Linux systems, adversaries may exploit trusted binaries like ‘split’ to proxy the execution of malicious commands.
Mitigations:

Most have already been covered in earlier examples, but click the link for each above technique for their specific mitigations.

Emulation Scenarios within the AttackIQ Security Validation Platform:
  • DLL Side-Loading
  • DLL Search Order Hijacking
  • Execute DLL Through RegSvr32
  • Execute DLL Through RunDLL32
  • Initial Access using Office Document
  • Download and Execute Remote Payload with MSHTA
  • Mshta Script
  • Persistence Through Scheduled Task

Just see which tactic that technique falls under – look at the side bar on the left of the technique page

Adversaries can compromise authentication by stealing or forging digital certificates, commonly used to sign, encrypt messages, and authenticate users. For instance, certificates like those from Azure AD or AD CS can be pilfered from storage, misplaced, or obtained through enrollment processes, potentially leading to unauthorized access, lateral movement, privilege escalation, and persistence, especially when adversaries have access to root CA certificate private keys.

Mitigations:
  1. M1015 – Active Directory Configuration: Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes.
  2. M1047 – Audit: Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates).
  3. M1042 – Disable or Remove Feature or Program: Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.
  4. M1041 – Encrypt Sensitive Information: Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection forAuthentication.

Adversaries can compromise authentication by stealing or forging digital certificates, commonly used to sign, encrypt messages, and authenticate users. For instance, certificates like those from Azure AD or AD CS can be pilfered from storage, misplaced, or obtained through enrollment processes, potentially leading to unauthorized access, lateral movement, privilege escalation, and persistence, especially when adversaries have access to root CA certificate private keys.

Adversaries may exploit vulnerabilities in Kerberos authentication in Windows domain environments by stealing or forging tickets, facilitating unauthorized access through techniques like Pass the Ticket. The klist utility on Windows and the “ccache” file on Linux store Kerberos tickets, which adversaries can manipulate. On macOS, Kerberos tickets are stored in a ccache format, and adversaries can use open source tools or Apple’s framework to extract TGT or Service Tickets through lower-level APIs.