NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and to detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders.

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory, including the following, to reduce the risk of malicious actors exploiting the identified misconfigurations:

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and -default tactics, including:

Download the PDF version of this report (PDF, 660 KB).

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13, and the MITRE D3FEND cybersecurity countermeasures framework.[4][5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors' activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures.

For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.[6][7]

Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector:

During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.

Many of the assessments were of Microsoft Windows and Active Directory environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

Many software manufacturers release commercial off-the-shelf (COTS) network devices, which provide user access via applications or web portals, containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by:

In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].

Certain services may have overly permissive access controls or vulnerable configurations by default.
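As an added example (editor's code, not part of the advisory), the following PowerShell audit, run elevated on a Windows host, reports whether the insecure default service settings this advisory goes on to describe are still in place: SMB signing not required on the server or client side, LLMNR enabled, and NetBIOS Name Service (NBT-NS) left on. The cmdlets and registry paths are standard Windows ones; the remediation hints in the messages are the editor's suggestions.

```powershell
# Added example: read-only audit of insecure default service settings
# (SMB signing, LLMNR, NBT-NS). Returns one string per finding.
function Test-InsecureServiceDefaults {
    $findings = @()

    # SMB signing: both server and client side must require signatures,
    # otherwise NTLM relay against this host remains possible.
    $srv = Get-SmbServerConfiguration
    if (-not $srv.RequireSecuritySignature) {
        $findings += 'SMB server does not require signing (Set-SmbServerConfiguration -RequireSecuritySignature $true)'
    }
    $cli = Get-SmbClientConfiguration
    if (-not $cli.RequireSecuritySignature) {
        $findings += 'SMB client does not require signing (Set-SmbClientConfiguration -RequireSecuritySignature $true)'
    }

    # LLMNR: the policy value EnableMulticast = 0 disables it; an absent
    # key means LLMNR is on, which is the Windows default.
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $enableMulticast = (Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($enableMulticast -ne 0) {
        $findings += 'LLMNR is enabled (set EnableMulticast = 0 under the DNSClient policy key, or enable the GPO "Turn off multicast name resolution")'
    }

    # NBT-NS: per-interface NetbiosOptions = 2 disables NetBIOS over TCP/IP;
    # 0 (default, follow DHCP) or 1 (enabled) leaves the name service on.
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) {
            $findings += "NetBIOS over TCP/IP not disabled on $($iface.PSChildName) (NetbiosOptions=$opt; set to 2)"
        }
    }

    return $findings
}

$results = Test-InsecureServiceDefaults
if ($results.Count -eq 0) {
    Write-Output 'No insecure default service settings found.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run the same check across a fleet (for example via Invoke-Command) before and after pushing the hardening GPOs to confirm the settings actually applied.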
Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.

Assessment teams regularly find the following:

Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization's network.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.

Assessment teams have observed organizations with the following misconfigurations:

Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned: Active Directory Certificate Services.[10][11][12]

Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows environments.

Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user's username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].

The Server Message Block (SMB) service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.

Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.

Assessment teams have observed the following common account separation misconfigurations:

Account privileges are intended to control user access to host or application resources, to limit access to sensitive information, or to enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.

Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep: the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account
[T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.

Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.

Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting (a form of credential access achieved by cracking service account credentials) is a common technique used to gain control over service account targets [T1558.003].

IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account's credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account's exposure and therefore its risk of compromise and its risk to the network.

Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087].

Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.

After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:

Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.

Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks, despite prior
assurance that the networks were fully air gapped with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections [T1199].

Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery (via vulnerability scanning [T1595.002] and open source research [T1592]) and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2]

Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:

Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].

Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-067. These updates, released years ago, address critical remote code execution vulnerabilities.[17][18]

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the cleartext password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization's network.

Some networks, generally government or DoD networks, require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used (because the smart card or token is required instead), there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account's password hash [T1111], the actor can use it indefinitely via the PtH technique for as long as that account exists.

Some forms of MFA are vulnerable to phishing, push bombing [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or SIM swap techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. See CISA's Fact Sheet, Implementing Phishing-Resistant MFA, for more information.[3]

For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user's main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user's email and other organizational resources.

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.

Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].

Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.

Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network's topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:

Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., the password is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.

Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used
directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user's plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].

One of the primary ways to crack passwords is with the open source tool Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account's permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.

Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users' passwords in an Active Directory, resulting in hundreds of valid credentials.

Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation, as any system logs would record valid user accounts accessing applications or systems.

Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool Snaffler.[23]

If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.

Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting, where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers' known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].

NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline
protections.[24]

Misconfiguration / Recommendations for Network Defenders
- Default configurations of software and applications
- Default configurations of software and applications: Default credentials
- Default service permissions and configuration settings: Insecure Active Directory Certificate Services
- Default service permissions and configuration settings: Insecure legacy protocols/services
- Default service permissions and configuration settings: Insecure SMB service
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management: Lack of regular patching
- Poor patch management: Use of unsupported OSs and outdated firmware
- Bypass of system access controls
- Weak or misconfigured MFA methods: Misconfigured smart cards or tokens
- Weak or misconfigured MFA methods: Lack of phishing-resistant MFA
- Insufficient ACLs on network shares and services
- Poor credential hygiene: Easily crackable passwords
- Poor credential hygiene: Cleartext password disclosure
- Unrestricted code execution

NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers to apply these recommendations to ensure their products are secure out of the box and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1]

Misconfiguration / Recommendations for Software Manufacturers
- Default configurations of software and applications
- Default configurations of software and applications: Default credentials
- Default configurations of software and applications: Default service permissions and configuration settings
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management: Lack of regular patching
- Poor patch management: Use of unsupported OSs and outdated firmware
- Bypass of system access controls
- Weak or misconfigured MFA methods: Misconfigured smart cards or tokens
- Weak or misconfigured MFA methods: Lack of phishing-resistant MFA
- Insufficient ACLs on network shares and services
- Poor credential hygiene: Easily crackable passwords
- Poor credential hygiene: Cleartext password disclosure
- Unrestricted code execution

In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

The misconfigurations described above are all too common in assessments, and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.

[1] Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023). httpswwwcisagovsitesdefaultfiles202306principlesapproachesforsecuritybydesigndefault508cpdf
2 CISA Known Exploited Vulnerabilities Catalog httpswwwcisagovknownexploitedvulnerabilitiescatalog
3 CISA Implementing PhishingResistant MFA httpswwwcisagovsitesdefaultfilespublicationsfactsheetimplementingphishingresistantmfa508cpdf
4 MITRE ATTCK for Enterprise httpsattackmitreorgversionsv13matricesenterprise
5 MITRE D3FEND httpsd3fendmitreorg
6 CISA Best Practices for MITRE ATTCK Mapping httpswwwcisagovnewseventsnewsbestpracticesmitreattckrmapping
7 CISA Decider Tool httpsgithubcomcisagovDecider
8 CISA Cyber Assessment Fact Sheet httpswwwcisagovsitesdefaultfilespublicationsVMAssessmentsFactSheetRVA508Cpdf
9 Joint CSA Weak Security Controls and Practices Routinely Exploited for Initial Access httpsmediadefensegov2022May172002998718110CSAWEAKSECURITYCONTROLSPRACTICESEXPLOITEDFORINITIALACCESSPDF
10 Microsoft KB5005413 Mitigating NTLM Relay Attacks on Active Directory Certificate Services AD CS httpssupportmicrosoftcomenustopickb5005413mitigatingntlmrelayattacksonactivedirectorycertificateservicesadcs3612b77340434aa9b23db87910cd3429
11 Raj Chandel Domain Escalation PetitPotam NTLM Relay to ADCS Endpoints httpswwwhackingarticlesindomainescalationpetitpotamntlmrelaytoadcsendpoints
12 SpecterOps Will Schroeder Certified PreOwned httpspostsspecteropsiocertifiedpreownedd95910965cd2
13 CISA CSA CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks httpswwwcisagovnewseventscybersecurityadvisoriesaa23059a
14 Joint CSA Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple US Government IIS Servers httpswwwcisagovnewseventscybersecurityadvisoriesaa23074a
15 Joint CSA Iranian GovernmentSponsored APT Actors Compromise Federal Network Deploy Crypto Miner Credential Harvester httpswwwcisagovnewseventscybersecurityadvisoriesaa22320a
16 Joint CSA Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite httpswwwcisagovnewseventscybersecurityadvisoriesaa22228a
17 Microsoft How to verify that MS17010 is installed httpssupportmicrosoftcomenustopichowtoverifythatms17010isinstalledf55d3f137a9c688c260b477d0ec9f2c8
18 Microsoft Microsoft Security Bulletin MS08067 Critical Vulnerability in Server Service Could Allow Remote Code Execution 958644 httpslearnmicrosoftcomenussecurityupdatesSecurityBulletins2008ms08067
19 Joint CSA Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization httpswwwcisagovnewseventscybersecurityadvisoriesaa22277a
20 CISA Malware Analysis Report 10365227r1v1 httpswwwcisagovsitesdefaultfiles202306mar10365227r1v1clearpdf
21 Joint CSA StopRansomware BianLian Ransomware Group httpswwwcisagovnewseventscybersecurityadvisoriesaa23136a
22 CISA Analysis Report FiveHands Ransomware httpswwwcisagovnewseventsanalysisreportsar21126a
23 Snaffler httpsgithubcomSnaffConSnaffler
24 CISA CrossSector Cybersecurity Performance Goals httpswwwcisagovcrosssectorcybersecurityperformancegoals
25 Defense Information Systems Agency DISA Security Technical Implementation Guides STIGs httpspubliccybermilstigs
26 NSA Network Infrastructure Security Guide httpsmediadefensegov2022Jun152003018261110CTRNSANETWORKINFRASTRUCTURESECURITYGUIDE20220615PDF
27 NSA Actively Manage Systems and Configurations httpsmediadefensegov2019Sep092002180326110Actively20Manage20Systems20and20Configurationsdocx2020Copypdf
28 NSA Cybersecurity Advisories Guidance httpswwwnsagovcybersecurityguidance
29. National Institute of Standards and Technology (NIST). NIST SP 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management. httpscsrcnistgovpubssp80063bupd2final
30. Microsoft. Uninstall-AdcsWebEnrollment. httpslearnmicrosoftcomenuspowershellmoduleadcsdeploymentuninstalladcswebenrollment
31. Microsoft. KB5021989: Extended Protection for Authentication. httpssupportmicrosoftcomenautopickb5021989extendedprotectionforauthentication1b6ea84d377b4677a0b8af74efbb243f
32. Microsoft. Network security: Restrict NTLM: NTLM authentication in this domain. httpslearnmicrosoftcomenuswindowssecuritythreatprotectionsecuritypolicysettingsnetworksecurityrestrictntlmntlmauthenticationinthisdomain
33. Microsoft. Network security: Restrict NTLM: Incoming NTLM traffic. httpslearnmicrosoftcomenuswindowssecuritythreatprotectionsecuritypolicysettingsnetworksecurityrestrictntlmincomingntlmtraffic
34. Microsoft. How to disable the Subject Alternative Name for UPN mapping. httpslearnmicrosoftcomenustroubleshootwindowsserverwindowssecuritydisablesubjectalternativenameupnmapping
35. Microsoft. Overview of Server Message Block signing. httpslearnmicrosoftcomenustroubleshootwindowsservernetworkingoverviewservermessageblocksigning
36. Microsoft. SMB signing required by default in Windows Insider. httpsakamsSmbSigningRequired
37. NSA. Defend Privileges and Accounts. httpsmediadefensegov2019Sep092002180330110Defend20Privileges20and20Accounts2020Copypdf
38. NSA. Advancing Zero Trust Maturity Throughout the User Pillar. httpsmediadefensegov2023Mar142003178390110CSIZeroTrustUserPillarv11PDF
39. NSA. Continuously Hunt for Network Intrusions. httpsmediadefensegov2019Sep092002180360110Continuously20Hunt20for20Network20Intrusions2020Copypdf
40. Joint CSI. Detect and Prevent Web Shell Malware. httpsmediadefensegov2020Jun092002313081110CSIDETECTANDPREVENTWEBSHELLMALWARE20200422PDF
41. NSA. Segment Networks and Deploy Application-aware Defenses. httpsmediadefensegov2019Sep092002180325110Segment20Networks20and20Deploy20Application20Aware20Defenses2020Copypdf
42. Joint CSA. NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems. httpsmediadefensegov2020Jul232002462846110OTADVISORYDUALOFFICIAL20200722PDF
43. NSA. Stop Malicious Cyber Activity Against Connected Operational Technology. httpsmediadefensegov2021Apr292002630479110CSASTOPMCAAGAINSTOTUOO13672321PDF
44. NSA. Performing Out-of-Band Network Management. httpsmediadefensegov2020Sep172002499616110PERFORMINGOUTOFBANDNETWORKMANAGEMENT20200911PDF
45. NSA. Update and Upgrade Software Immediately. httpsmediadefensegov2019Sep092002180319110Update20and20Upgrade20Software20Immediatelydocx2020Copypdf
46. Microsoft. Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management. httpslearnmicrosoftcomenussecurityupdatesSecurityAdvisories20162871997
47. CISA. Secure Cloud Business Applications: Hybrid Identity Solutions Architecture. httpswwwcisagovsitesdefaultfiles202303cssoscubaguidancedocumenthybrididentitysolutionsarchitecture20230322finalpdf
48. CISA. Secure Cloud Business Applications (SCuBA) Project. httpswwwcisagovresourcestoolsservicessecurecloudbusinessapplicationsscubaproject
49. NSA. Transition to Multifactor Authentication. httpsmediadefensegov2019Sep092002180346110Transition20to20Multifactor20Authentication2020Copypdf
50. Committee on National Security Systems (CNSS). CNSS Policy 15. httpswwwcnssgovCNSSissuancesPoliciescfm
51. NSA. NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems. httpswwwnsagovPressRoomNewsHighlightsArticleArticle3148990nsareleasesfuturequantumresistantqralgorithmrequirementsfornationalse
52. NSA. Enforce Signed Software Execution Policies. httpsmediadefensegov2019Sep092002180334110Enforce20Signed20Software20Execution20Policies2020Copypdf
53. Joint CSI. Keeping PowerShell: Security Measures to Use and Embrace. httpsmediadefensegov2022Jun222003021689110CSIKEEPINGPOWERSHELLSECURITYMEASURESTOUSEANDEMBRACE20220622PDF
54. NIST. NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. httpscsrcnistgovpublicationsdetailsp800218final

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is a registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMware, Inc.
Zimbra is a registered trademark of Synacor, Inc.

This document was developed in furtherance of the authoring cybersecurity organizations' missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
General Cybersecurity Inquiries: CybersecurityRequests@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

To report suspicious activity, contact CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

See Table 12 through Table 21 for all referenced threat actor tactics and techniques in this advisory.

Table 12: Reconnaissance

| Technique Title | ID | Use |
| --- | --- | --- |
| Active Scanning: Vulnerability Scanning | T1595.002 | Malicious actors scan victims for vulnerabilities that can be exploited for initial access. |
| Gather Victim Host Information | T1592 | Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerability scans and searching the web. |
| Gather Victim Identity Information: Credentials | T1589.001 | Malicious actors find default credentials through searching the web. |
| Phishing for Information | T1598 | Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources. |

Table 13: Initial Access

| Technique Title | ID | Use |
| --- | --- | --- |
| External Remote Services | T1133 | Malicious actors use default credentials for VPN access to internal networks. |
| Valid Accounts: Default Accounts | T1078.001 | Malicious actors gain authenticated access to devices by finding default credentials through searching the web. Malicious actors use default credentials for VPN access to internal networks and default administrative credentials to gain access to web applications and databases. |
| Exploit Public-Facing Application | T1190 | Malicious actors exploit CVEs in Telerik UI, VMware Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations. |
| Phishing | T1566 | Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads. |
| Trust Relationship | T1199 | Malicious actors gain access to OT networks, despite prior assurance that the networks were fully air gapped with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections. |

Table 14: Execution

| Technique Title | ID | Use |
| --- | --- | --- |
| Software Deployment Tools | T1072 | Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally. |
| User Execution | T1204 | Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations. |
| Command and Scripting Interpreter | T1059 | Malicious actors use scripting languages to obscure their actions and bypass allowlisting. |
| Command and Scripting Interpreter: Visual Basic | T1059.005 | Malicious actors use macros for initial access, persistence, and lateral movement. |

Table 15: Persistence

| Technique Title | ID | Use |
| --- | --- | --- |
| Account Manipulation | T1098 | Malicious actors reset built-in administrative accounts via predictable, forgotten password questions. |

Table 16: Privilege Escalation

| Technique Title | ID | Use |
| --- | --- | --- |
| Valid Accounts | T1078 | Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target. |
| Valid Accounts: Domain Accounts | T1078.002 | Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device. |
| Exploitation for Privilege Escalation | T1068 | Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device. |

Table 17: Defense Evasion

| Technique Title | ID | Use |
| --- | --- | --- |
| Obfuscated Files or Information: Command Obfuscation | T1027.010 | Malicious actors often use scripting languages to obscure their actions. |

Table 18: Credential Access

| Technique Title | ID | Use |
| --- | --- | --- |
| Adversary-in-the-Middle | T1557 | Malicious actors force a device to communicate through actor-controlled systems so they can collect information or perform additional actions. |
| Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | T1557.001 | Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network. |
| Brute Force: Password Cracking | T1110.002 | Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords. |
| Credentials from Password Stores | T1555 | Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks. |
| Multi-Factor Authentication Interception | T1111 | Malicious actors can obtain password hashes for accounts enabled for MFA with smart cards or tokens and use the hash via PtH techniques. |
| Multi-Factor Authentication Request Generation | T1621 | Malicious actors use push bombing against non-phishing resistant MFA to induce MFA fatigue in victims, gaining access to MFA authentication credentials or bypassing MFA and accessing the MFA-protected system. |
| Steal Application Access Token | T1528 | Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host. |
| Steal or Forge Authentication Certificates | T1649 | Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server and then relay that authentication to the web certificate enrollment application to obtain a trusted, illegitimate certificate. |
| Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT. |
| Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization's network. |
| Unsecured Credentials: Credentials in Files | T1552.001 | Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents. |

Table 19: Discovery

| Technique Title | ID | Use |
| --- | --- | --- |
| Account Discovery | T1087 | Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used. |
| File and Directory Discovery | T1083 | Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to discover and categorize files. Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords. |
| Network Share Discovery | T1135 | Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to look for shared folders and drives. |

Table 20: Lateral Movement

| Technique Title | ID | Use |
| --- | --- | --- |
| Exploitation of Remote Services | T1210 | Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations. |
| Remote Services: SMB/Windows Admin Shares | T1021.002 | If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems. |
| Use Alternate Authentication Material: Application Access Token | T1550.001 | Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain. |
| Use Alternate Authentication Material: Pass the Hash | T1550.002 | Malicious actors collect hashes in a network and authenticate as a user without having access to the user's cleartext password. |

Table 21: Collection

| Technique Title | ID | Use |
| --- | --- | --- |
| Data from Network Shared Drive | T1039 | Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion. |
Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local,
tribal, and territorial (SLTT) governments, and the private sector.

During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.

Many of the assessments were of Microsoft Windows and Active Directory environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

Many software manufacturers release commercial off-the-shelf (COTS) network devices (which provide user access via applications or web portals) containing predefined default credentials for their built-in administrative accounts [9]. Malicious actors and assessment teams regularly abuse default credentials by:

In addition to devices that provide network access, printers, scanners, security cameras, conference room audio-visual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].

Certain services may have overly permissive access controls or vulnerable configurations by default.
Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.

Assessment teams regularly find the following:

Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization's network.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.

Assessment teams have observed organizations with the following misconfigurations:

Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned: Active Directory Certificate Services [10], [11], [12].

Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows environments.

Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing
traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user's username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].

The Server Message Block (SMB) service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.

Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.

Assessment teams have observed the following common account separation misconfigurations:

Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.

Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep: the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account
[T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.

Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.

Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting (a form of credential access achieved by cracking service account credentials) is a common technique used to gain control over service account targets [T1558.003].

IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account's credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account's exposure and, therefore, its risk of compromise and its risk to the network.

Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and
where the elevated accounts are used [T1087].

Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.

After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:

Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.

Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks, despite prior
assurance that the networks were fully air gapped with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections [T1199].

Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery (via vulnerability scanning [T1595.002] and open source research [T1592]) and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments [2].

Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:

Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].

Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-067. These updates, released years ago, address critical remote code execution vulnerabilities [17], [18].

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the cleartext password, an actor can expand and fortify their access without detection. Kerberoasting is
also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization's network.

Some networks, generally government or DoD networks, require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used (because the smart card or token is required instead), there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account's password hash [T1111], the actor can use it indefinitely, via the PtH technique, for as long as that account exists.

Some forms of MFA are vulnerable to phishing, push bombing [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or SIM swap techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. See CISA's Fact Sheet, Implementing Phishing-Resistant MFA, for more information [3].

For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user's main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user's email and other organizational resources.

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.

Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].

Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a
variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.

Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network's topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:

Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., the password is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.

Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used
directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user's plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].

One of the primary ways to crack passwords is with the open source tool Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account's permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.

Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users' passwords in an Active Directory, resulting in hundreds of valid credentials.

Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation, as any system logs would record valid user accounts accessing applications or systems.

Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool Snaffler [23].

If unverified programs are
allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.

Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting, where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers' known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].

NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline
protections [24].

Misconfiguration | Recommendations for Network Defenders
Default configurations of software and applications |
Default configurations of software and applications: Default credentials |
Default service permissions and configuration settings: Insecure Active Directory Certificate Services |
Default service permissions and configuration settings: Insecure legacy protocols/services |
Default service permissions and configuration settings: Insecure SMB service |

Misconfiguration | Recommendations for Network Defenders
Improper separation of user/administrator privilege |

Misconfiguration | Recommendations for Network Defenders
Insufficient internal network monitoring |

Misconfiguration | Recommendations for Network Defenders
Lack of network segmentation |

Misconfiguration | Recommendations for Network Defenders
Poor patch management: Lack of regular patching |
Poor patch management: Use of unsupported OSs and outdated firmware |

Misconfiguration | Recommendations for Network Defenders
Bypass of system access controls |

Misconfiguration | Recommendations for Network Defenders
Weak or misconfigured MFA methods: Misconfigured smart cards or tokens |
Weak or misconfigured MFA methods: Lack of phishing-resistant MFA |

Misconfiguration | Recommendations for Network Defenders
Insufficient ACLs on network shares and services |

Misconfiguration | Recommendations for Network Defenders
Poor credential hygiene: Easily crackable passwords |
Poor credential hygiene: Cleartext password disclosure |

Misconfiguration | Recommendations for Network Defenders
Unrestricted code execution |

NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to
ensure their products are secure "out of the box" and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure [1].

Table 11
Misconfiguration | Recommendations for Software Manufacturers
Default configurations of software and applications |
Default configurations of software and applications: Default credentials |
Default configurations of software and applications: Default service permissions and configuration settings |
Improper separation of user/administrator privilege |
Insufficient internal network monitoring |
Lack of network segmentation |
Poor patch management: Lack of regular patching |
Poor patch management: Use of unsupported OSs and outdated firmware |
Bypass of system access controls |
Weak or misconfigured MFA methods: Misconfigured smart cards or tokens |
Weak or misconfigured MFA methods: Lack of phishing-resistant MFA |
Insufficient ACLs on network shares and services |
Poor credential hygiene: Easily crackable passwords |
Poor credential hygiene: Cleartext password disclosure |
Unrestricted code execution |

In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

The misconfigurations described above are all too common in assessments, and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above
properly to protect the network, its sensitive information, and critical missions.

1. Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023). httpswwwcisagovsitesdefaultfiles202306principlesapproachesforsecuritybydesigndefault508cpdf
2. CISA: Known Exploited Vulnerabilities Catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
3. CISA: Implementing Phishing-Resistant MFA. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
4. MITRE ATT&CK for Enterprise. https://attack.mitre.org/versions/v13/matrices/enterprise/
5. MITRE D3FEND. https://d3fend.mitre.org/
6. CISA: Best Practices for MITRE ATT&CK Mapping. https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
7. CISA: Decider Tool. https://github.com/cisagov/Decider
8. CISA: Cyber Assessment Fact Sheet. httpswwwcisagovsitesdefaultfilespublicationsVMAssessmentsFactSheetRVA508Cpdf
9. Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access. httpsmediadefensegov2022May172002998718110CSAWEAKSECURITYCONTROLSPRACTICESEXPLOITEDFORINITIALACCESSPDF
10. Microsoft: KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS). https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
11. Raj Chandel: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints. https://www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/
12. SpecterOps (Will Schroeder): Certified Pre-Owned. https://posts.specterops.io/certified-pre-owned-d95910965cd2
13. CISA CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
14. Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
15. Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
16. Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a
17. Microsoft: How to verify that MS17-010 is installed. https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
18. Microsoft: Microsoft Security Bulletin MS08-067 - Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644). https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
19. Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
20. CISA: Malware Analysis Report 10365227.r1.v1. httpswwwcisagovsitesdefaultfiles202306mar10365227r1v1clearpdf
21. Joint CSA: #StopRansomware: BianLian Ransomware Group. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
22. CISA Analysis Report: FiveHands Ransomware. https://www.cisa.gov/news-events/analysis-reports/ar21-126a
23. Snaffler. https://github.com/SnaffCon/Snaffler
24. CISA: Cross-Sector Cybersecurity Performance Goals. https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
25. Defense Information Systems Agency (DISA): Security Technical Implementation Guides (STIGs). https://public.cyber.mil/stigs/
26. NSA: Network Infrastructure Security Guide. httpsmediadefensegov2022Jun152003018261110CTRNSANETWORKINFRASTRUCTURESECURITYGUIDE20220615PDF
27. NSA: Actively Manage Systems and Configurations. httpsmediadefensegov2019Sep092002180326110Actively20Manage20Systems20and20Configurationsdocx2020Copypdf
28. NSA: Cybersecurity Advisories & Guidance. https://www.nsa.gov/cybersecurity-guidance/
29. National Institute of Standards and Technology (NIST): NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final
30. Microsoft: Uninstall-AdcsWebEnrollment. https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment
31. Microsoft: KB5021989: Extended Protection for Authentication. https://support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f
32. Microsoft: Network security: Restrict NTLM: NTLM authentication in this domain. https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
33. Microsoft: Network security: Restrict NTLM: Incoming NTLM traffic. https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
34. Microsoft: How to disable the Subject Alternative Name for UPN mapping. https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping
35. Microsoft: Overview of Server Message Block signing. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
36. Microsoft: SMB signing required by default in Windows Insider. https://aka.ms/SmbSigningRequired
37. NSA: Defend Privileges and Accounts. httpsmediadefensegov2019Sep092002180330110Defend20Privileges20and20Accounts2020Copypdf
38. NSA: Advancing Zero Trust Maturity Throughout the User Pillar. httpsmediadefensegov2023Mar142003178390110CSIZeroTrustUserPillarv11PDF
39. NSA: Continuously Hunt for Network Intrusions. httpsmediadefensegov2019Sep092002180360110Continuously20Hunt20for20Network20Intrusions2020Copypdf
40. Joint CSI: Detect and Prevent Web Shell Malware. httpsmediadefensegov2020Jun092002313081110CSIDETECTANDPREVENTWEBSHELLMALWARE20200422PDF
41. NSA: Segment Networks and Deploy Application-aware Defenses. httpsmediadefensegov2019Sep092002180325110Segment20Networks20and20Deploy20Application20Aware20Defenses2020Copypdf
42. Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems. httpsmediadefensegov2020Jul232002462846110OTADVISORYDUALOFFICIAL20200722PDF
43. NSA: Stop Malicious Cyber Activity Against Connected Operational Technology. httpsmediadefensegov2021Apr292002630479110CSASTOPMCAAGAINSTOTUOO13672321PDF
44. NSA: Performing Out-of-Band Network Management. httpsmediadefensegov2020Sep172002499616110PERFORMINGOUTOFBANDNETWORKMANAGEMENT20200911PDF
45. NSA: Update and Upgrade Software Immediately. httpsmediadefensegov2019Sep092002180319110Update20and20Upgrade20Software20Immediatelydocx2020Copypdf
46. Microsoft: Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management. https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997
47. CISA: Secure Cloud Business Applications: Hybrid Identity Solutions Architecture. httpswwwcisagovsitesdefaultfiles202303cssoscubaguidancedocumenthybrididentitysolutionsarchitecture20230322finalpdf
48. CISA: Secure Cloud Business Applications (SCuBA) Project. https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
49. NSA: Transition to Multifactor Authentication. httpsmediadefensegov2019Sep092002180346110Transition20to20Multifactor20Authentication2020Copypdf
50. Committee on National Security Systems (CNSS): CNSS Policy 15. https://www.cnss.gov/CNSS/issuances/Policies.cfm
51. NSA: NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems. httpswwwnsagovPressRoomNewsHighlightsArticleArticle3148990nsareleasesfuturequantumresistantqralgorithmrequirementsfornationalse
52. NSA: Enforce Signed Software Execution Policies. httpsmediadefensegov2019Sep092002180334110Enforce20Signed20Software20Execution20Policies2020Copypdf
53. Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace. httpsmediadefensegov2022Jun222003021689110CSIKEEPINGPOWERSHELLSECURITYMEASURESTOUSEANDEMBRACE20220622PDF
54. NIST: NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. https://csrc.nist.gov/publications/detail/sp/800-218/final

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is a registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMware, Inc.
Zimbra is a registered trademark of Synacor, Inc.

This document was developed in furtherance of the authoring cybersecurity organizations' missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
General Cybersecurity Inquiries: CybersecurityRequests@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

To report suspicious activity, contact CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

See Table 12 through Table 21 for all referenced threat actor tactics and techniques in this advisory.

Table 12: Reconnaissance
Technique Title | ID | Use
Active Scanning: Vulnerability Scanning | T1595.002 | Malicious actors scan victims for vulnerabilities that can be exploited for initial access.
Gather Victim Host Information | T1592 | Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerability scans and searching the web.
Gather Victim Identity Information: Credentials | T1589.001 | Malicious actors find default credentials through searching the web.
Phishing for Information | T1598 | Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources.

Table 13: Initial Access
Technique Title | ID | Use
External Remote Services | T1133 | Malicious actors use default credentials for VPN access to internal networks.
Valid Accounts: Default Accounts | T1078.001 | Malicious actors gain authenticated access to devices by finding default credentials through searching the web. Malicious actors use default credentials for VPN access to internal networks and default administrative credentials to gain access to web applications and databases.
Exploit Public-Facing Application | T1190 | Malicious actors exploit CVEs in Telerik UI, VMware Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations.
Phishing | T1566 | Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads.
Trust Relationship | T1199 | Malicious actors gain access to OT networks, despite prior assurance that the networks were fully air gapped with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections.

Table 14: Execution
Technique Title | ID | Use
Software Deployment Tools | T1072 | Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally.
User Execution | T1204 | Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations.
Command and Scripting Interpreter | T1059 | Malicious actors use scripting languages to obscure their actions and bypass allowlisting.
Command and Scripting Interpreter: Visual Basic | T1059.005 | Malicious actors use macros for initial access, persistence, and lateral movement.

Table 15: Persistence
Technique Title | ID | Use
Account Manipulation | T1098 | Malicious actors reset built-in administrative accounts via predictable, forgotten password questions.

Table 16: Privilege Escalation
Technique Title | ID | Use
Valid Accounts | T1078 | Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target.
Valid Accounts: Domain Accounts | T1078.002 | Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device.
Exploitation for Privilege Escalation | T1068 | Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device.

Table 17: Defense Evasion
Technique Title | ID | Use
Obfuscated Files or Information: Command Obfuscation | T1027.010 | Malicious actors often use scripting languages to obscure their actions.

Table 18: Credential Access
Technique Title | ID | Use
Adversary-in-the-Middle | T1557 | Malicious actors force a device to communicate through actor-controlled systems so they can collect information or perform additional actions.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | T1557.001 | Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network.
Brute Force: Password Cracking | T1110.002 | Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords.
Credentials from Password Stores | T1555 | Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks.
Multi-Factor Authentication Interception | T1111 | Malicious actors can obtain password hashes for accounts enabled for MFA with smart codes or tokens and use the hash via PtH techniques.
Multi-Factor Authentication Request Generation | T1621 | Malicious actors use push bombing against non-phishing resistant MFA to induce MFA fatigue in victims, gaining access to MFA authentication credentials or bypassing MFA and accessing the MFA-protected system.
Steal Application Access Token | T1528 | Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host.
Steal or Forge Authentication Certificates | T1649 | Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server and then relay that authentication to the web certificate enrollment application to obtain a trusted, illegitimate certificate.
Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT.
Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization's network.
Unsecured Credentials: Credentials in Files | T1552.001 | Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents.

Table 19: Discovery
Technique Title | ID | Use
Account Discovery | T1087 | Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used.
File and Directory Discovery | T1083 | Malicious actors use commands such as net share, open source tools such as SoftPerfect Network Scanner, or custom malware such as CovalentStealer to discover and categorize files. Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords.
Network Share Discovery | T1135 | Malicious actors use commands such as net share, open source tools such as SoftPerfect Network Scanner, or custom malware such as CovalentStealer to look for shared folders and drives.

Table 20: Lateral Movement
Technique Title | ID | Use
Exploitation of Remote Services | T1210 | Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations.
Remote Services: SMB/Windows Admin Shares | T1021.002 | If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems.
Use Alternate Authentication Material: Application Access Token | T1550.001 | Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | Malicious actors collect hashes in a network and authenticate as a user without having access to the user's cleartext password.

Table 21: Collection
Technique Title | ID | Use
Data from Network Shared Drive | T1039 | Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion.
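The easily crackable passwords finding above rests on the fact that rulesets turn a short breached word into thousands of mangled variants, so "Summer2023!" falls almost as fast as "summer". The defender's counterpart is to screen proposed passwords the way NIST SP 800-63B (reference 29) recommends: a length floor plus a block list check, applied after reversing the same mangling rules. The following Python is an added example written for this page, not code from the advisory or from Hashcat; the breached-word list, the substitution table, and the sample accounts are constructed and illustrative, and a real deployment would screen against a full compromised-password corpus.

```python
import re

# Constructed, illustrative block list. A real deployment screens against a
# corpus of previously compromised passwords; this is what makes the cracking
# described in the advisory succeed so quickly.
BREACHED_WORDS = {"password", "summer", "winter", "welcome", "letmein", "qwerty", "company"}

# Character substitutions that cracking rulesets apply to wordlist entries.
# Reversing them lets the screen recognise "P@ssw0rd" as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate):
    """Reduce a candidate to the dictionary word a ruleset would start from."""
    s = candidate.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # drop appended digits/symbols: "summer2023!" -> "summer"
    s = s.translate(LEET)             # undo leetspeak: "p@ssw0rd" -> "password"
    s = re.sub(r"^[^a-z]+", "", s)    # drop leading symbols: "!password" -> "password"
    return s


def screen_password(candidate, username="", breached=BREACHED_WORDS):
    """Return (accepted, reason) for a proposed password.

    Follows the SP 800-63B approach: a minimum length and a block list check
    instead of composition rules that users satisfy with predictable mangling.
    """
    if len(candidate) < 8:
        return False, "shorter than 8 characters"
    if username and username.lower() in candidate.lower():
        return False, "contains the account name"
    if candidate.lower() in breached:
        return False, "appears verbatim in the breached-password list"
    base = normalize(candidate)
    if base in breached:
        return False, "trivial ruleset variant of breached word '%s'" % base
    return True, "accepted"


def screen_batch(candidates, breached=BREACHED_WORDS):
    """Screen (username, proposed password) pairs; return rejections with reasons."""
    rejected = []
    for username, proposed in candidates:
        accepted, reason = screen_password(proposed, username, breached)
        if not accepted:
            rejected.append((username, reason))
    return rejected


# Constructed sample of proposed passwords, as a password-change hook would see them.
SAMPLE_CANDIDATES = [
    ("jdoe", "Summer2023!"),
    ("asmith", "P@ssw0rd"),
    ("svc_backup", "svc_backup2024"),
    ("mlee", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    for user, why in screen_batch(SAMPLE_CANDIDATES):
        print("%-12s rejected: %s" % (user, why))
```

Only the last candidate survives: the first two normalise to breached words, and the service account's password embeds its own name. A hook like this at password-set time removes exactly the hashes that fall in the first minutes of a cracking run.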
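The cleartext password disclosure finding above (T1552.001) is one a defender can reproduce on their own shares before an assessment team or an intruder does. This Python is an added example written for this page, not code from the advisory or from the Snaffler project it cites; it scans for the credential shapes that turn up most often in the files the advisory names (key/value lines in notes and configs, userinfo in connection URLs, passwords passed on a net use line) and reports each hit with the secret redacted so the report itself does not become a new disclosure. The UNC paths and file contents are constructed samples; scan_tree is the same logic applied to a real directory.

```python
import re
from pathlib import Path

# (name, pattern): each pattern captures the secret in a named group so the
# report can redact it. Patterns are deliberately narrow to keep noise low.
CREDENTIAL_PATTERNS = [
    ("key_value", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']?(?P<secret>[^\s\"';]+)")),
    ("url_userinfo", re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<secret>[^\s@/]+)@")),
    ("net_use_password", re.compile(
        r"(?i)\bnet\s+use\s+\S+\s+(?P<secret>\S+)\s+/user:")),
]

# File types worth scanning; binaries are skipped on purpose.
SCAN_SUFFIXES = (".txt", ".cfg", ".config", ".ini", ".xml", ".bat", ".ps1", ".sh", ".csv", ".env")


def scan_text(path, text):
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({
                    "path": path,
                    "line": lineno,
                    "pattern": name,
                    "redacted": line.replace(m.group("secret"), "<redacted>"),
                })
                break  # one finding per line is enough for a remediation ticket
    return findings


def scan_tree(root, suffixes=SCAN_SUFFIXES):
    """Scan every text-like file under a real directory or mounted share."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                findings.extend(scan_text(str(p), p.read_text(errors="replace")))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return findings


# Constructed sample files standing in for a share; paths and secrets are invented.
SAMPLE_FILES = {
    r"\\fileserver\IT\notes.txt":
        "Admin console login\nuser: admin\npassword: Winter2023!\n",
    r"\\fileserver\Dev\web.config":
        '<connectionStrings>\n'
        '  <add name="app" connectionString="Server=db01;Database=app;User Id=sa;Password=Secr3tDb;" />\n'
        '</connectionStrings>\n',
    r"\\fileserver\Dev\deploy.sh":
        "#!/bin/sh\nexport DB_URL=postgres://app:hunter2@db.internal/app\n",
    r"\\fileserver\Ops\mount.bat":
        "net use \\\\backup01\\data Backup#2022 /user:CORP\\svc_backup\n",
    r"\\fileserver\Docs\readme.txt":
        "Passwords are stored in the vault, not in this file.\n",
}


def scan_samples(files=SAMPLE_FILES):
    """Run the scanner over the in-memory sample set."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print("%s:%d [%s] %s" % (f["path"], f["line"], f["pattern"], f["redacted"].strip()))
```

Four of the five samples produce a finding; the readme, which only talks about passwords, does not. Each finding names the file and line an owner must clean up, while the printed line never contains the secret.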
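The unrestricted code execution finding above singles out macros in office automation documents (T1059.005). A gateway or endpoint control cannot rely on the file extension, because an OOXML document is a zip package and a macro-enabled file renamed to .docx still carries its VBA project inside. The following Python is an added example written for this page, not code from the advisory or from any vendor product: it inspects the package for a vbaProject.bin part and for a macro-enabled main content type, and it builds two minimal constructed packages (not real Word files) to exercise the check offline.

```python
import io
import zipfile

# Main-part content types that Office declares for macro-enabled documents.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_WORD_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_PART_SUFFIX = "vbaproject.bin"


def inspect_office_document(data):
    """Describe macro indicators in an OOXML package given its raw bytes.

    Two independent signals are checked, because either alone can be absent
    in a crafted file: the VBA storage part itself, and the content type the
    package declares for its main document part.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_vba_part": False, "macro_content_type": False}
    with zf:
        names = zf.namelist()
        has_vba = any(n.lower().endswith(VBA_PART_SUFFIX) for n in names)
        content_types = ""
        if CONTENT_TYPES_PART in names:
            content_types = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
        macro_ct = any(ct in content_types for ct in MACRO_CONTENT_TYPES)
    return {
        "ooxml": CONTENT_TYPES_PART in names,
        "has_vba_part": has_vba,
        "macro_content_type": macro_ct,
    }


def is_macro_bearing(data):
    """True if either indicator is present; extension is deliberately ignored."""
    result = inspect_office_document(data)
    return result["has_vba_part"] or result["macro_content_type"]


def build_sample_docx(with_macro):
    """Construct a minimal OOXML-shaped package in memory (not a real Word file)."""
    main_ct = MACRO_CONTENT_TYPES[0] if with_macro else PLAIN_WORD_MAIN
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
    if with_macro:
        overrides += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain.docx", build_sample_docx(False)),
                        ("renamed-macro.docx", build_sample_docx(True)),
                        ("not-a-package.bin", b"MZ not a zip")):
        print(label, inspect_office_document(blob), "macro-bearing:", is_macro_bearing(blob))
```

The renamed sample is flagged even though its name says .docx; the plain sample and a non-package blob are not. A mail gateway or allowlisting policy that quarantines on is_macro_bearing catches the delivery vehicle the advisory describes regardless of how the file was labelled.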