Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Is Your Organization at Risk Because a Local Administrator Has a Weak Password?

In July, the media reported that SingHealth, Singapore’s largest health organization, was breached with 1.5 million medical records stolen. The stolen records included those of Singapore’s prime minister Lee Hsien Loong. Consequently, a special inquiry had taken place, revealing that SingHealth had several security gaps and vulnerabilities which could have easily been exploited by attackers, including a local administrator account with a very weak password (P@ssw0rd). In fact, one of the ways which enabled the attackers to move laterally in the network was by using compromised Citrix local accounts.

(Editors Note: The below section refers to Preempt Lite, which has been replaced by the more robust Preempt Lite.)

Do you know if your organization is at risk because of a weak local administrator password? To help organizations detect and prevent weak and vulnerable passwords and network configurations, we have released a new version of  Preempt Lite.

Preempt Lite is a free tool intended to help organizations discover potential weaknesses in their Active Directory environment and reduce their attack surface. The first version of Preempt Lite focused on detecting users having a password that can be easily compromised – either by simply using a weak password or by using a password that has been exposed during one of the largest breaches (such as the LinkedIn breach). The second version introduced some new features, one of them being discovering Stealthy Admins in Active Directory – users accounts that can easily obtain administrative privileges but are not members of any administrative groups. By analyzing the statistics, we have found that all organizations are vulnerable to most of these issues.

Weak Local Administrator Password

New features in Preempt Lite version 3

Version 3 of Preempt Lite does all the above with a few additional security features. Its main goal is to reduce the risk introduced by local administrators & prevent one of the most common attacks today: NTLM Relay.

Duplicate Local Admins

It is widely known that domain users are not the only ones which can put your organization at risk. Moreover, since most of the security products focus on protecting domain accounts, there is another type of account that is left for grabs for attackers to abuse – local accounts. One of the biggest issues related to local administrators is having a local administrator account with the same password on a group of domain machines (in the worst case, that group consists of all computers in the organization). In some cases, the duplication is intentional – such an account provides an easy way for the IT team to manage all domain computers.

In other cases, it might be caused by an “innocent mistake”: when new computers are created using the same image, all the SAM database, including all the local users and passwords, are cloned to all those machines. To make things even worse, in most cases, an attacker can detect such instances of cloned local admin passwords without any special privileges. The security impact is simple: it is enough to compromise a single machine to compromise the entire group. So, if the assistant and the CEO of the organization share a local administrator, an attacker which is able to take over the assistant’s computer, can then gain administrative access to the CEO’s machine as well.

In this version of Preempt Lite, we help organizations discover cloned local administrative accounts. To detect such cases of cloned passwords, Preempt Lite connects to remote machines and queries the ‘pwdLastSet’ attribute of local accounts using the SAMR protocol. This option is enabled on all Windows machines (up to Win10 anniversary update in which the default configuration allows only local administrators to perform such queries). The ‘pwdLastSet’ attribute gives a password change timestamp in a 100 nanoseconds resolution which would always be equal in cases of cloned machines (since this attribute is cloned along with the others from the SAM database). In most private preview customers, we were able to discover a large number of machines sharing a local administrator account.

We recommend that organizations configure a unique password for local administrators on different machines, either manually or by using LAPS, which provides a way to manage local administrator passwords on domain-joined computers.

NTLM Relay Mitigations

Another old but very effective attack technique is that of NTLM Relay. In an NTLM Relay attack, a compromised machine takes advantage of NTLM connections made to it and redirects the NTLM session to attack other, previously non-compromised, target servers. The attack is extremely powerful for several reasons: First, as long as NTLM is enabled in the network (not used, just enabled), any connection can be downgraded to NTLM. Second, most applications, by default, are not protected from NTLM Relay. For the Preempt Lite, we’ve focused on the two riskiest and most vulnerable protocols to NTLM Relay:

  1. LDAP Signing – An attacker that relays NTLM credentials to an LDAP connection, can perform any LDAP operation on behalf of the compromised user. If the compromised user is a domain admin, the most detrimental attack vector would be to create a new domain admin which would grant attackers full persistence over the domain environment. To have your LDAP protected against this attack you need to turn on LDAP signing in your domain. However, that alone is not enough – last year, Preempt researchers discovered CVE-2017-8563 that allows performing NTLM Relay in LDAP connections even when LDAP signing is enabled. To be fully protected from this vulnerability, a patch is required along with a special registry configuration in each domain controller. Preempt Lite scans all domain controllers and alerts on any unsafe LDAP configurations.
  2. SMB Signing – An attacker can also relay NTLM credentials to SMB connections. By default, SMB is enabled on all Windows machines and allows a user with sufficient privileges to download files, fetch sensitive configurations, and run code remotely. To be protected from SMB Relay you need to enable SMB signing on all machines in your network. For some obscure reason, only domain controller have SMB signing enabled by default. Preempt Lite scan all domain controller to verify default SMB signing setting is still enabled and samples several domain workstations to ascertain whether SMB signing is enabled on other machines.


Editor’s note: Yaron Zinar contributed to this blog.

Topics: Passwords, Stealthy Admin,

Posted by Marina Simakov on December 18, 2018 7:32 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More