Section 1.6: Credential Theft

Question 1

Methods used to detect signs of adversary movement in the enterprise.

Answer 1

Event logs, Auditing new accounts, Anomalous logins like workstation-to-workstation, sensitive networks, and after-hour logins.

Question 2

Is it rare for a system’s local admin account to be used?

Answer 2

Yes. Any local admin in a system is for the most part off-limits. Logs of usage is very suspicious. The built-in admin account RID 500 should be disabled as well since it doesn’t offer protections.

Question 3

Describe the security methods Microsoft implemented in Windows 7.

Answer 3

User Account Control (UAC) was placed which placed restriction on admin accounts to user-level. Managed Service Accounts was implemented to mitigate Kerberos attacks by having users change passwords every 30 days. KB2871997 was installed to backport many Windows 8 protections to Windows 7.

Question 4

Describe the security methods Microsoft implemented in Windows 8.

Answer 4

Single sign-ons (SSO) like CredSSP, TskPkg, and WDigest are no longer cached in memory so Mimikatz can’t recover plaintext passwords, a new security group was added to restrict local admin from remote interactive logons to domains thus removing WMI, PsExec, tasks, and shares from being established. It also has better credential cleanup after user sessions.

Question 5

Describe the introduction of protected processes in Windows 8.

Answer 5

Processes that are protected can only load signed code and can only be attached to other protected processes. LSASS process is singled out as protected. Mimikatz will break through the protection via a signed driver.

Question 6

Describe the two account protections that debuted in Windows 8.

Answer 6

/restrictedadmin switch can now be used during RDP so it won’t pass credentials or tickets to target systems (it can be forced on accounts using Group Policy). The Domain Protected Users security group was also created to protect high-valued (priviledged) accounts. It removes the ability to use NTLM, CredSSP, or WDigest authentication.

Question 7

Describe the security features Microsoft implemented in Windows 10.

Answer 7

Credential Guard is one, it isolates hashes and tickets through virtualization.

Question 7

Describe the security features Microsoft implemented in Windows 10.

Answer 7

Credential Guard is one, it isolates hashes and tickets through virtualization. Remote Credential Guard is an update to Restricted Admin and extend to any account besides admin during RDP sessions. The last feature, Device Guard, locks down systems to prevent untrusted code (like cred dump tools) from running on systems.

Question 8

Name the tools used by adversaries to extract hash credentials.

Answer 8

Mimikatz, fgdump, gsecdump, Metasploit, AceHash, PWDumpX, creddump, and Windows Credential Editor (WCE).

Question 9

Name the hash formats Windows uses for credentials.

Answer 9

NT LM, TsPkg, WDigest, and LiveSSP

Question 10

To compromise credentials, what method do adversaries use?

Answer 10

They prioritize obtaining admin rights in order to be able to extract the LSASS process inside memory as the SAM hive on disk/memory. They can also use a technique called Pass-the-Hash which allows authentication without knowing the clear text password.

Question 11

How are credential formats exposed in the system?

Answer 11

TsPkg and WDigest are exposed through SSO usage while LiveSSP from the new Windows “Live” cloud accounts that can be used to log in.

Question 12

What tools can be used for Pass-the-Hash technique?

Answer 12

Metasploit PsExec Module, WCE, and SMBshell. The credential format they go for is NTLM. Adversaries focus on the SMB protocol to map file shares and perform PsExec remote commands or WMI.

Question 13

Name Administrative actions that will store credentials on target systems.

Answer 13

Console logon (if Credential Guard is disabled), RunAs (if Credential Guard is disabled), Remote Desktop (if Remote Credential Guard is disabled), PsExec alternate creds, Remote Scheduled Tasks, and Run as a Service.

Question 14

Name Administrative actions that will NOT store credentials on target systems.

Answer 14

Net Use, Powershell remoting, PsExec w/o explicit creds, and Remote Registry.

Question 15

What does the gsecdump tool do?

Answer 15

It dumps hashes from currently logged on sessions inside the Domain Controller.

Question 16

How to defend hashes from being compromised?

Answer 16

Avoid remote interactive sessions with high-values accounts, terminate RDP sessions properly, use Retricted Admin, use Remote Credential Guard, reduce session timer if they aren’t terminated properly, and usage of Domain Protected Users group.

Question 16

How to defend hashes from being compromised?

Answer 16

Avoid remote interactive sessions with high-values accounts, terminate RDP sessions properly, use Restricted Admin, use Remote Credential Guard, reduce session timer if they aren’t terminated properly, usage of Domain Protected Users group, and unique passwords to local admins.

Question 17

What is the Local Administrator Password Solution (LAPS)?

Answer 17

A centralized security that manages local system accounts within the Active Directory.

Question 18

Explain what the registry key “UseLogonCredential” do?

Answer 18

It is a key that is added by adversaries to allow WDigest credentials on a system. It is not available by default so its a good place to monitor. The location of the key is: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.

Question 19

What is a token?

Answer 19

A token contains security context and privileges for an account. Every Windows logon and process has an associated security token.

Question 20

What are special tokens?

Answer 20

Special tokens are tokens that faciliate access control and SSO to specifically allow process to run under a different security context.

Question 21

What are impersonating tokens and delegating tokens?

Answer 21

They are special tokens. Impersonate tokens allows local security context shifts and delegate tokens allow authentication across network resources.

Question 22

What access to token stealing provide to adversaries?

Answer 22

Local privilege escalation, add users, manage group membership, share mapping or PsExec usage.

Question 23

What tools can be used to compromise tokens?

Answer 23

Mimikatz, Incognito, Metasploit, and Powershell.

Question 24

How to defend Tokens from compromise?

Answer 24

Dont use high privileged accounts for remote interactive sessions, terminate RDP sessions, use Domain Protected Users security group, Windows 10 security features, and Restricted Admin.

Question 25

What are cached credentials?

Answer 25

When a system is set offline or can’t communciate with the DC, the ability to access the system is through cached credentials. They are stored in the Security registry hive: SECURITY\Cache key. Admin rights are needed to access them. The hash format is mscash2.

Question 26

What are common tools to extract cached credentials?

Answer 26

Metasploit, PWDumpX, creddump, and AceHash.

Question 27

How to defend systems from cached credentials being compromised?

Answer 27

Limit the number of cached logon accounts, enforce long password and complexity rules since they are hard to crack, and use Domain Protected Security group.

Question 28

Where can can analysts change the number of cached logon accounts?

Answer 28

SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon. Change the value on (cachedlogonscount).

Question 29

What are LSA Secrets?

Answer 29

They are passwords stored inside the Windows Security registry hive and can contain domain accounts that establish services. Other passwords stored here are: RASS, VPN, default logon credentials, scheduled tasks credentials, and IIS application passwords.

Question 30

What is the location of LSA Secrets and what is needed to decrypt them?

Answer 30

Look inside the Security hive registry key: SECURITY\Policy\Secrets. SECURITY\Policy can decode secrets. Adversaries also need to dump the System hive to access the final decryption key. Admin rights are definitely needed. Adversary can access RDP with the secrets.

Question 31

What tools can be used to get LSA secrets?

Answer 31

Metasploit, Mimikatz, gsecdump, Acehash, creddump, and Powershell.

Question 32

Best ways to defend LSA secrets from being compromised.

Answer 32

Do not deploy tasks or services requiring privileged accounts on low-trust systems, reduce number of services that require domain account usage and use Manage Service Accounts to change passwords frequently.

Question 33

How and what tools can be used to compromise Kerberos tickets?

Answer 33

Kerberos tickets are stolen from memory. Tools used to steal tickets are: Mimikatz, WCE, and kerberoast.

Question 34

What Kerberos attacks are available to adversaries?

Answer 34

Pass-the-Ticket, Overpass the Hash, Kerberoasting, Golden Ticket, Silver Ticket, Skeleton Key, and DC Sync.

Question 35

Explain Pass-the-Ticket technique.

Answer 35

Adversary with admin rights dumps tickets from memory and pass them to other systems. No requirement of user hash or password needed.

Question 36

Explain the Overpass the Hash technique.

Answer 36

Adversary dumps account hashes from system to request tickets from those accounts in order to move laterally.

Question 37

Explain the Kerberoasting technique.

Answer 37

Adversary, domain user access, can request a ticket from the Domain Controller for any domain service. The ticket returned has a non-salted password hash for the account that runs that service. Adversary will seek tickets that run under domain users (admins even), to crack the password.

Question 38

Explain the Golden Ticket technique.

Answer 38

It is a ticket that does not expire with intention of having the adversary maintain domain admin privileges. What they do is extract the hash of the krbtgt account from the DC memory or NTDS.DIT file from the active directory. If adversary is kicked out, all they have to do is is have access to user level on any system and run Pass-the-Ticket to retrieve it.

Question 39

Explain the Silver Ticket technique.

Answer 39

Adversary will dump the computer account hash from memory and create the silver ticket. It gives all access pass through a single computer and it doesn’t matter the user since its based of the system alone. They don’t communicate with the DC so they can become backdoors. Adversaries will disable user password updates since that can maintain silver tickets.

Question 40

Explain the Skeleton Key technique.

Answer 40

Adversary targets the domain controller’s LSASS process to enable a backdoor password for any valid domain user. User will still authenticate with their password but also with the backdoor one even if they change passwords.

Question 41

Explain DC Sync technique.

Answer 41

DC’s that communcate with each other to sync and update data are run through MS-DRSR protocol. This protocol is abused for adversaries to impersonate a DC and request for password hashes, even krbtgt account. It doesn’t require logon to the DC so its done remotely. Compromised accounts with high priviledges can do this.

Question 42

Methods to defend tickets from being compromised.

Answer 42

Windows 10 security features, Restricted Admin, long and complex passwords on service accounts with frequent password changes, auditing those service accounts, limit domain admin usage, disable RC4 authentication and change krbtgt password.

Question 43

What is the Active Directory Domain Services (AD DS) database and what does it hold?

Answer 43

The database that holds all user and computer account hashes in the domain. It holds the NTDS.DIT file that carries all this information. The file is locked and protected so it can’t be copied.

Question 44

How can adversaries retrieve the NTDS.DIT file?

Answer 44

They must use a built-in tool such as ntdsutil or driver to get raw access to the disk. Another way is through shadow copies. They can create a shadow copy if there isn’t one. Another thing they need is the SAM and SYSTEM registry hives to decrypt the data within the database.

Question 45

What is a popular tool used to extract data offline?

Answer 45

Impacket secretsdump.py script.

Question 46

What is Bloodhound?

Answer 46

It is an Active Directory relationship graphing tool. Its usage is to reveal hidden and unintended relationships within the Active Directory such as: users, where those users are grouped to, and the accesses they have that can lead to higher users.

Question 47

How can Bloodhound be tracked?

Answer 47

It uses LDAP requests which, unfortunately, are very common in the enterprise. The best way to try and find it is by inappropriate use after credentials are stolen.

Question 48

What automation tools are used to quickly gain access to an enterprise?

Answer 48

Deathstar and GoFetch. They are likely to use Bloodhound to graph the enterprise in order to scope. These tools are very noisy.