Microsoft Gives Us Another Case for Behavior Analytics

Another Case For Behavior Analytics:

Hijacking Windows User Sessions


Recently, security researchers identified, and Microsoft confirmed, that an insider (local) attacker can gain access to any local user account on a Windows machine and escalate privileges without having any log-in credentials. Using the built-in command-line tools that Microsoft provides, any user with system rights and permissions (usually a local administrator) can hijack the session of any logged-in Windows user.

An attacker can exploit this if they have access to the target’s machine, or remotely via Remote Desktop Protocol (RDP). A password is not needed to hijack the Windows user’s session. The vulnerability exists on every version of Windows, even when the workstation is locked. Details are provided in the reference links at the end of this blog post.

This vulnerability is not new. Microsoft does not deem it to be a vulnerability because they believe that this functionality is a feature of the operating system. Also, to exploit it, the attacker must possess local admin rights on a machine on the network.


Sticky Keys is a cmd backdoor on the Windows login screen that can connect to EVERY user session without asking for a password. Bad guys can hijack any currently logged-in user's session without knowing the victim’s credentials. Because Microsoft considers this a legitimate function within the Windows OS, there will not be a patch or update to fix it. There is no way to detect the activity through security tools because the activity appears to the OS to be legitimate. There is also no way to block the activity.

Beyond the security concerns, this is important because it is yet another example of the vendor taking control of your security out of your hands. Because Microsoft considers this acceptable functionality and will not fix this issue, you are left to figure out how to protect your environment yourself. This is not a unique occurrence in technology, and Microsoft is certainly not the only vendor whose code decisions put your security at risk.


There are a few things you can do to protect yourself and your organization, however. The following recommendations are identified to help you defend against this and other situations where your risk is increased by vendor decisions that take your security out of your hands.

Behavior Analytics & Monitoring

It is surprisingly difficult to record session hijacking. Microsoft offers only one event log (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational) which records session connections. However, it does not appear to differentiate between a normal user connecting and tscon.exe being used. That being said, user Behavior Analytics could identify and potentially protect against this risk.

Behavior Analytics, when used to establish a baseline of normal behavior, can then help identify abnormal behavior when anomalies occur. For example, it could be used to help identify system misuse, not only user activities. Behavior Analytics are not only for user behavior baselines and anomalies, but also machine and connection normalization.

In this case, you could look for system misuse via abnormal service creation. Behaviors such as this, and others like abnormal scheduled task creation, should be logged centrally and recorded for baselining. This is only effective, however, if you have established a baseline of normal activity and behaviors against which to compare potential anomalies.
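The baselining approach described above, as an added example that is not part of the original post: it learns which service installations are normal, flags any that are new, and pairs each one with session reconnections on the same host shortly afterwards. The event records are constructed, and the field names are assumptions about how a central log store exports them; 7045 is the System log's service-install event and 25 is the LocalSessionManager session-reconnection event.

```python
from datetime import datetime, timedelta

SERVICE_INSTALLED = 7045  # System log (Service Control Manager): a service was installed
SESSION_RECONNECT = 25    # LocalSessionManager/Operational: session reconnection succeeded

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def service_key(event):
    return (event["service"].lower(), event["image_path"].lower())

def build_baseline(events):
    """Service installs observed during the baseline period."""
    return {service_key(e) for e in events if e["event_id"] == SERVICE_INSTALLED}

def find_anomalies(baseline, events, window=timedelta(minutes=5)):
    """Service installs missing from the baseline, with any session reconnection
    on the same host inside `window` after the install."""
    findings = []
    for e in events:
        if e["event_id"] != SERVICE_INSTALLED or service_key(e) in baseline:
            continue
        reconnected = [s["user"] for s in events
                       if s["event_id"] == SESSION_RECONNECT and s["host"] == e["host"]
                       and timedelta(0) <= ts(s["time"]) - ts(e["time"]) <= window]
        findings.append({"host": e["host"], "service": e["service"],
                         "uses_tscon": "tscon" in e["image_path"].lower(),
                         "sessions_reconnected": reconnected})
    return findings

# Constructed sample events (hypothetical hosts, users and field names).
BASELINE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "time": "2024-01-08 09:00:00",
     "service": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"},
]
CURRENT_EVENTS = [
    {"event_id": 7045, "host": "WS02", "time": "2024-01-15 09:05:00",
     "service": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"event_id": 7045, "host": "WS01", "time": "2024-01-15 22:14:03",
     "service": "tmpsvc", "image_path": "tscon.exe <arguments elided>"},
    {"event_id": 25, "host": "WS01", "time": "2024-01-15 22:14:20", "user": "CORP\\alice"},
    {"event_id": 25, "host": "WS02", "time": "2024-01-15 22:14:30", "user": "CORP\\bob"},
]

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_EVENTS), CURRENT_EVENTS):
        print(finding)
```

The known backup agent is ignored because it is in the baseline; only the unfamiliar service on WS01 is reported, together with the session that reconnected seconds later.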

It is critical to note, however, that Behavior Analytics are a Prevention-based step. Without first having established a baseline of normal behavior, it will be nearly impossible to accurately identify abnormal behavior – particularly against an adversary who does not wish to be caught. Maverick always recommends Behavior Analytics as part of any sound security policy or process.

DO NOT expose RDS/RDP to the Internet without 2-factor authentication — You can use a wide variety of solutions for 2-factor authentication, from texting one-time passwords to tokens (like RSA) to fee-based software solutions like Microsoft RD Gateway or Azure Multi-Factor Authentication Server. But RDS/RDP must not be available from the Internet without a 2-factor solution being in place.

Group Policy — Group Policy should automatically log off disconnected sessions as soon as the user disconnects. No exceptions. Reauthentication is the only safe option.

Many vendors add capabilities they consider sound features at the time of delivery. But in the wrong hands, they can pose a greater security risk. Maverick recommends taking the proactive steps recommended above to secure your operations before the bad guys expose them for you. In particular, using Behavior Analytics to establish normal baselines of user, device, and connection behavior not only offers the ability to block unwanted or unauthorized behaviors by policy, it also permits the quick and accurate identification of abnormal behaviors which are not already blocked.

As always, if you have any questions, contact your Maverick Cyber-security Concierge today.