Microsoft Security Essentials Offline Update


Albina Hickel

Jul 16, 2024, 7:42:41 PM7/16/24

In our recent article Exploring an NTLM Brute Force Attack with Bloodhound, we explored how attackers are still abusing the NTLM authentication protocol. In this post, we will elaborate more generally about basic attacks against SAM, LSA secrets, SYSKEY and LSASS. We will explain how attackers use these to get credentials from a Windows machine in order to highlight the importance of having these methods monitored by security teams. Although these are well-known and relatively simple credential stealing attacks, they are still used in the wild, which suggests that there are security teams overlooking these tried-and-trusted techniques.




The Security Account Manager (SAM) database is where Windows stores information about user accounts. It stores usernames and hashes of user passwords, and it is used to authenticate users when they try to log in and provide their password.

Hash length and complexity vary according to the algorithm used to encrypt the password. This may be a simple DES-based LM (Lan Manager) encryption algorithm or one of the two versions of the NTHash algorithm: NTLMv1 or NTLMv2, both of which output 32 hexadecimal digits and are derived from the MD4 digest.

One of the most common methods of gaining user passwords is to dump the SAM database, either with a tool that can extract the password hashes or by directly copying the registry hive to a file (`reg.exe save hklm\SAM`) and working on it offline with a software utility to extract the stored user account password hashes.

Several fixes were suggested over time, each of which hardens LSASS usage, making it harder to get even the hashed password. In Windows 10 Enterprise, Credential Guard is also available to isolate the LSASS process even from users with SYSTEM privileges.

This tool has many capabilities, but one that is relevant here is the ability to prompt users for credentials when certain network services are requested. This can result in clear text passwords or password hashes.

If the password is too hard to crack, we have other options such as a pass the hash attack. This involves leveraging any services on the network that authenticate by using a hash of the password rather than the password itself. A good example of this is psexec and other services that communicate over SMB.

In order to prevent credential dumping and exfiltration, it is recommended that organizations ensure that any older systems on the network do not still have LM encrypted passwords in the SAM database, and that LM (disabled by default) has not been enabled on newer systems. LM passwords use only a limited character set and are trivial to crack.

The most effective way for an organization to reduce its attack surface and protect against credential exfiltration is by deploying a next-gen security solution like SentinelOne that uses machine learning and Active EDR.

These basic attacks can be prevented by paying attention to your network architecture and the services being used in your environment. In particular, these kinds of attacks are most effective against Windows 7 (and below) targets, which despite their EOL status are still prevalent across many enterprise networks. These days, many organizations are rightly using more secure implementations like Kerberos in a group domain to avoid exactly the kind of vulnerabilities discussed here, as well as deploying a trusted, next-gen endpoint security platform to protect their devices and network.

Microsoft Defender Antivirus (formerly Windows Defender) is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.[3]

In March 2019, Microsoft announced Microsoft Defender ATP for Mac for business customers to protect their Mac[4] devices from attacks on a corporate network, and a year later, to expand protection for mobile devices, it announced Microsoft Defender ATP for Android[5] and iOS[6] devices, which incorporates Microsoft SmartScreen, a firewall, and malware scanning. The mobile version of Microsoft Defender also includes a feature to block access to corporate data if it detects a malicious app is installed.

Microsoft Defender Antivirus provides several key features to protect endpoints from computer viruses. In Windows 10, Windows Defender settings are controlled in the Windows Defender Security Center. Windows 10 Anniversary Update includes several improvements, including a new popup that announces the results of a scan.[16]

In the Windows Defender options, the user can configure real-time protection options. Windows 10's Anniversary Update introduced Limited Periodic Scanning, which optionally allows Windows Defender to scan a system periodically if another antivirus app is installed.[16] It also introduced Block at First Sight, which uses machine learning to predict whether a file is malicious.[17]

Integration with Internet Explorer and Microsoft Edge enables files to be scanned as they are downloaded to detect malicious software inadvertently downloaded. As of April 2018, Microsoft Defender is also available for Google Chrome via an extension[18] and works in conjunction with Google Safe Browsing, but as of late 2022, this extension is now deprecated.[19]

A feature released in early 2018, Windows Defender Application Guard is a feature exclusive to Microsoft Edge that allows users to sandbox their current browsing session from the system. This prevents a malicious website or malware from affecting the system and the browser. Application Guard is a feature only available on Windows 10 Pro and Enterprise. In May 2019, Microsoft announced Application Guard for Google Chrome and Firefox. The extension, once installed, will open the current tab's web page in Microsoft Edge with Application Guard enabled. In April 2024, Microsoft announced that Microsoft Defender Application Guard will be deprecated for Edge for Business. The Chrome and Firefox extensions will not be migrating to Manifest V3 and will be deprecated after May 2024.[20]

Controlled Folder Access is a feature introduced with Windows 10 Fall Creators Update to protect a user's important files from the growing threat of ransomware. This feature was released about a year after the Petya family of ransomware first appeared. The feature will notify the user every time a program tries to access these folders, and the program will be blocked unless the user grants it access. Windows will warn the user with a User Account Control popup as a final warning if they opt to "Allow" a program to read Controlled Folders.

Windows Defender was initially based on GIANT AntiSpyware, formerly developed by GIANT Company Software, Inc.[21] The company's acquisition was announced by Microsoft on December 16, 2004.[22][23] While the original GIANT AntiSpyware officially supported older Windows versions, support for the Windows 9x line of operating systems was later dropped by Microsoft.

The first beta release of Microsoft AntiSpyware from January 6, 2005, was a repackaged version of GIANT AntiSpyware.[22] There were more builds released in 2005, with the last Beta 1 refresh released on November 21, 2005.

At the 2005 RSA Security conference, Bill Gates, the Chief Software Architect and co-founder of Microsoft, announced that Microsoft AntiSpyware would be made available free-of-charge to users with validly licensed Windows 2000, Windows XP, and Windows Server 2003 operating systems to secure their systems against the increasing malware threat.[24]

On November 4, 2005, it was announced that Microsoft AntiSpyware was renamed to Windows Defender.[25][26] Windows Defender (Beta 2) was released on February 13, 2006. It featured the program's new name and a redesigned user interface. The core engine was rewritten in C++, unlike the original GIANT-developed AntiSpyware, which was written in Visual Basic.[27] This improved the application's performance. Also, since Beta 2, the program works as a Windows service, unlike earlier releases, which enables the application to protect the system even when a user is not logged on. Beta 2 also requires Windows Genuine Advantage (WGA) validation. However, Windows Defender (Beta 2) did not contain some of the tools found in Microsoft AntiSpyware (Beta 1). Microsoft removed the System Inoculation, Secure Shredder and System Explorer tools found in MSAS (Beta 1) as well as the Tracks Eraser tool, which allowed users to easily delete many different types of temporary files related to Internet Explorer 6, including HTTP cookies, web cache, and Windows Media Player playback history.[22] German and Japanese versions of Windows Defender (Beta 2) were later released by Microsoft.[28][29]

On October 23, 2006, Microsoft released the final version of Windows Defender.[30] It supports Windows XP and Windows Server 2003; however, unlike the betas, it doesn't run on Windows 2000.[31] Some of the key differences from the beta version are improved detection, redesigned user interface and delivery of definition updates via Automatic Updates.[32]

Windows Defender has the ability to remove installed ActiveX software.[33] Windows Defender featured integrated support for Microsoft SpyNet that allows users to report to Microsoft what they consider to be spyware,[34] and what applications and device drivers they allow to be installed on their systems.

The Advanced Tools section allows users to discover potential vulnerabilities with a series of Software Explorers. They provide views of startup programs, currently running software, network connected applications, and Winsock providers (Winsock LSPs).

In each Explorer, every element is rated as either "Known", "Unknown" or "Potentially Unwanted". The first and last categories carry a link to learn more about the particular item, and the second category invites users to submit the program to Microsoft SpyNet for analysis by community members.[36][37] The Software Explorer feature has been removed from Windows Defender in Windows 7.[38]
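The post recommends making sure LM hashes are not stored in the SAM and that LSASS is hardened, and notes that `reg.exe save hklm\SAM` is a common way to dump the hive. The following PowerShell script is an added example (not from the post or from any of the products it mentions) that audits those settings on a Windows host from a defender's side and searches the Security log for `reg save` invocations targeting the SAM hive. It assumes the standard LSA registry values (`NoLMHash`, `LmCompatibilityLevel`, `RunAsPPL`), the `Win32_DeviceGuard` WMI class for Credential Guard status, and that process-creation auditing with command-line logging (event ID 4688) is enabled; the regular expression used to match the command line is a hypothetical one written for this example.

```powershell
# Added example: read-only audit of the credential-protection settings discussed above.
# It queries registry values and WMI and changes nothing on the host.

function Get-CredentialProtectionAudit {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath

    # NoLMHash = 1: new passwords are not stored as LM hashes (the default on modern Windows).
    $noLmHash = [int]$lsa.NoLMHash
    # LmCompatibilityLevel: below 2 still sends LM responses, below 3 still sends NTLMv1.
    # A missing value means the OS default applies (3 on Vista/Server 2008 and later).
    $lmCompat = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { $null }
    # RunAsPPL = 1: LSASS runs as a Protected Process Light, which rejects handles from unprotected code.
    $runAsPpl = [int]$lsa.RunAsPPL

    # Credential Guard status: value 1 in SecurityServicesRunning means Credential Guard is active.
    $credGuard = $null
    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                              -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
        $credGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    } catch {
        # Class is absent on editions/versions without Device Guard support.
    }

    $findings = @()
    if ($noLmHash -ne 1) { $findings += 'LM hashes may be stored in SAM (NoLMHash is not 1)' }
    if ($null -ne $lmCompat -and $lmCompat -lt 3) { $findings += "LmCompatibilityLevel $lmCompat still permits LM/NTLMv1" }
    if ($runAsPpl -ne 1) { $findings += 'LSASS is not running as PPL (RunAsPPL is not 1)' }
    if ($credGuard -ne $true) { $findings += 'Credential Guard is not running' }

    [pscustomobject]@{
        NoLMHash             = $noLmHash
        LmCompatibilityLevel = $lmCompat
        RunAsPPL             = $runAsPpl
        CredentialGuard      = $credGuard
        Findings             = $findings
    }
}

function Find-SamHiveSaveEvents {
    param([int]$Hours = 24)

    # Event 4688 carries the command line only when
    # "Include command line in process creation events" is enabled.
    # Hypothetical pattern for this example: reg / reg.exe followed by "save" and a SAM hive path.
    $pattern = '(?i)\breg(\.exe)?\b.*\bsave\b.*\bhklm\\sam\b'

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                Detail   = ($_.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            }
        }
}

Get-CredentialProtectionAudit | Format-List
Find-SamHiveSaveEvents -Hours 24 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; reading the Security log requires administrative rights. An empty `Findings` list and no 4688 matches is the expected result on a hardened host, while a match on `reg save hklm\SAM` outside of a known backup or imaging job is worth triaging as a possible offline credential-dump attempt.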
