Section 1.6: Credential Theft Flashcards

1
Q

Methods used to detect signs of adversary movement in the enterprise.

A

Event logs, auditing new accounts, and anomalous logins such as workstation-to-workstation logins, logins to sensitive networks, and after-hours logins.

2
Q

Is it rare for a system’s local admin account to be used?

A

Yes. Any local admin account on a system is for the most part off-limits, so logs of its usage are very suspicious. The built-in admin account (RID 500) should be disabled as well since it doesn’t offer protections.

3
Q

Describe the security methods Microsoft implemented in Windows 7.

A

User Account Control (UAC) was introduced, which restricted admin accounts to user level. Managed Service Accounts were implemented to mitigate Kerberos attacks by having users change passwords every 30 days. KB2871997 was installed to backport many Windows 8 protections to Windows 7.

4
Q

Describe the security methods Microsoft implemented in Windows 8.

A

Single sign-on (SSO) credentials like CredSSP, TsPkg, and WDigest are no longer cached in memory, so Mimikatz can’t recover plaintext passwords. A new security group was added to restrict local admins from remote interactive logons to domains, thus preventing WMI, PsExec, tasks, and shares from being established. It also has better credential cleanup after user sessions.

5
Q

Describe the introduction of protected processes in Windows 8.

A

Processes that are protected can only load signed code and can only be attached to by other protected processes. The LSASS process is singled out as protected. Mimikatz will break through the protection via a signed driver.

6
Q

Describe the two account protections that debuted in Windows 8.

A

The /restrictedadmin switch can now be used during RDP so it won’t pass credentials or tickets to target systems (it can be forced on accounts using Group Policy). The Domain Protected Users security group was also created to protect high-value (privileged) accounts. It removes the ability to use NTLM, CredSSP, or WDigest authentication.

7
Q

Describe the security features Microsoft implemented in Windows 10.

A

Credential Guard is one; it isolates hashes and tickets through virtualization. Remote Credential Guard is an update to Restricted Admin and extends it to any account besides admin during RDP sessions. The last feature, Device Guard, locks down systems to prevent untrusted code (like credential dumping tools) from running on them.

8
Q

Name the tools used by adversaries to extract hash credentials.

A

Mimikatz, fgdump, gsecdump, Metasploit, AceHash, PWDumpX, creddump, and Windows Credential Editor (WCE).

9
Q

Name the hash formats Windows uses for credentials.

A

NT LM, TsPkg, WDigest, and LiveSSP.

10
Q

To compromise credentials, what method do adversaries use?

A

They prioritize obtaining admin rights in order to be able to extract the LSASS process in memory as well as the SAM hive on disk or in memory. They can also use a technique called Pass-the-Hash, which allows authentication without knowing the clear-text password.

11
Q

How are credential formats exposed in the system?

A

TsPkg and WDigest are exposed through SSO usage, while LiveSSP is exposed through the new Windows “Live” cloud accounts that can be used to log in.

12
Q

What tools can be used for Pass-the-Hash technique?

A

Metasploit PsExec module, WCE, and SMBshell. The credential format they go for is NTLM. Adversaries focus on the SMB protocol to map file shares and perform PsExec remote commands or WMI.

13
Q

Name Administrative actions that will store credentials on target systems.

A

Console logon (if Credential Guard is disabled), RunAs (if Credential Guard is disabled), Remote Desktop (if Remote Credential Guard is disabled), PsExec alternate creds, Remote Scheduled Tasks, and Run as a Service.

14
Q

Name Administrative actions that will NOT store credentials on target systems.

A

Net Use, PowerShell remoting, PsExec without explicit creds, and Remote Registry.

15
Q

What does the gsecdump tool do?

A

It dumps hashes from currently logged on sessions inside the Domain Controller.

16
Q

How to defend hashes from being compromised?

A

Avoid remote interactive sessions with high-value accounts, terminate RDP sessions properly, use Restricted Admin, use Remote Credential Guard, reduce the session timer in case sessions aren’t terminated properly, use the Domain Protected Users group, and use unique passwords for local admins.

17
Q

What is the Local Administrator Password Solution (LAPS)?

A

A centralized security solution that manages local system accounts within Active Directory.

18
Q

Explain what the registry key “UseLogonCredential” does.

A

It is a key that is added by adversaries to allow WDigest credentials on a system. It is not present by default, so it’s a good place to monitor. The location of the key is: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.

19
Q

What is a token?

A

A token contains security context and privileges for an account. Every Windows logon and process has an associated security token.

20
Q

What are special tokens?

A

Special tokens are tokens that facilitate access control and SSO, specifically allowing a process to run under a different security context.

21
Q

What are impersonating tokens and delegating tokens?

A

They are special tokens. Impersonation tokens allow local security context shifts, and delegation tokens allow authentication across network resources.

22
Q

What access does token stealing provide to adversaries?

A

Local privilege escalation, add users, manage group membership, share mapping or PsExec usage.

23
Q

What tools can be used to compromise tokens?

A

Mimikatz, Incognito, Metasploit, and PowerShell.

24
Q

How to defend tokens from compromise?

A

Don’t use high-privileged accounts for remote interactive sessions, terminate RDP sessions, use the Domain Protected Users security group, Windows 10 security features, and Restricted Admin.

25
Q

What are cached credentials?

A

When a system is offline or can’t communicate with the DC, access to the system is provided through cached credentials. They are stored in the SECURITY registry hive under the SECURITY\Cache key. Admin rights are needed to access them. The hash format is mscash2.

26
Q

What are common tools to extract cached credentials?

A

Metasploit, PWDumpX, creddump, and AceHash.

27
Q

How to defend systems from cached credentials being compromised?

A

Limit the number of cached logon accounts, enforce long password and complexity rules since such passwords are hard to crack, and use the Domain Protected Users security group.

28
Q

Where can analysts change the number of cached logon accounts?

A

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Change the value of CachedLogonsCount.

29
Q

What are LSA Secrets?

A

They are passwords stored inside the Windows SECURITY registry hive and can contain domain accounts used to establish services. Other passwords stored here are: RASS, VPN, default logon credentials, scheduled task credentials, and IIS application passwords.

30
Q

What is the location of LSA Secrets and what is needed to decrypt them?

A

Look inside the SECURITY hive registry key SECURITY\Policy\Secrets. SECURITY\Policy can decode the secrets. Adversaries also need to dump the SYSTEM hive to access the final decryption key. Admin rights are definitely needed. An adversary can access RDP with the secrets.

31
Q

What tools can be used to get LSA secrets?

A

Metasploit, Mimikatz, gsecdump, AceHash, creddump, and PowerShell.

32
Q

Best ways to defend LSA secrets from being compromised.

A

Do not deploy tasks or services requiring privileged accounts on low-trust systems, reduce the number of services that require domain account usage, and use Managed Service Accounts to change passwords frequently.

33
Q

How and what tools can be used to compromise Kerberos tickets?

A

Kerberos tickets are stolen from memory. Tools used to steal tickets are: Mimikatz, WCE, and kerberoast.

34
Q

What Kerberos attacks are available to adversaries?

A

Pass-the-Ticket, Overpass the Hash, Kerberoasting, Golden Ticket, Silver Ticket, Skeleton Key, and DC Sync.

35
Q

Explain Pass-the-Ticket technique.

A

An adversary with admin rights dumps tickets from memory and passes them to other systems. No user hash or password is needed.

36
Q

Explain the Overpass the Hash technique.

A

The adversary dumps account hashes from a system and uses them to request tickets for those accounts in order to move laterally.

37
Q

Explain the Kerberoasting technique.

A

An adversary with domain user access can request a ticket from the Domain Controller for any domain service. The ticket returned has a non-salted password hash for the account that runs that service. The adversary will seek tickets for services that run under domain users (even admins) in order to crack the password.

38
Q

Explain the Golden Ticket technique.

A

It is a ticket that does not expire, with the intention of having the adversary maintain domain admin privileges. What they do is extract the hash of the krbtgt account from DC memory or from the NTDS.DIT file in Active Directory. If the adversary is kicked out, all they have to do is gain user-level access on any system and run Pass-the-Ticket to retrieve it.

39
Q

Explain the Silver Ticket technique.

A

The adversary will dump the computer account hash from memory and create the silver ticket. It gives an all-access pass through a single computer, and the user doesn’t matter since it’s based on the system alone. Silver tickets don’t communicate with the DC, so they can become backdoors. Adversaries will disable user password updates since that can maintain silver tickets.

40
Q

Explain the Skeleton Key technique.

A

The adversary targets the domain controller’s LSASS process to enable a backdoor password for any valid domain user. Users will still authenticate with their own password but also with the backdoor one, even if they change passwords.

41
Q

Explain DC Sync technique.

A

DCs that communicate with each other to sync and update data use the MS-DRSR protocol. This protocol is abused by adversaries to impersonate a DC and request password hashes, even that of the krbtgt account. It doesn’t require logon to the DC, so it’s done remotely. Compromised accounts with high privileges can do this.

42
Q

Methods to defend tickets from being compromised.

A

Windows 10 security features, Restricted Admin, long and complex passwords on service accounts with frequent password changes, auditing those service accounts, limiting domain admin usage, disabling RC4 authentication, and changing the krbtgt password.

43
Q

What is the Active Directory Domain Services (AD DS) database and what does it hold?

A

The database that holds all user and computer account hashes in the domain. It holds the NTDS.DIT file that carries all this information. The file is locked and protected so it can’t be copied.

44
Q

How can adversaries retrieve the NTDS.DIT file?

A

They must use a built-in tool such as ntdsutil or a driver to get raw access to the disk. Another way is through shadow copies; they can create a shadow copy if there isn’t one. They also need the SAM and SYSTEM registry hives to decrypt the data within the database.

45
Q

What is a popular tool used to extract data offline?

A

Impacket secretsdump.py script.

46
Q

What is Bloodhound?

A

It is an Active Directory relationship graphing tool. Its usage is to reveal hidden and unintended relationships within Active Directory, such as users, the groups those users belong to, and the access they have that can lead to higher-privileged users.

47
Q

How can Bloodhound be tracked?

A

It uses LDAP requests which, unfortunately, are very common in the enterprise. The best way to try and find it is by looking for inappropriate use after credentials are stolen.

48
Q

What automation tools are used to quickly gain access to an enterprise?

A

DeathStar and GoFetch. They are likely to use BloodHound to graph the enterprise in order to scope it. These tools are very noisy.