Section 1.6: Credential Theft Flashcards
Methods used to detect signs of adversary movement in the enterprise.
Event logs, auditing of newly created accounts, and anomalous logons: workstation-to-workstation logons, logons into sensitive networks, and after-hours logons.
Is it rare for a system’s local admin account to be used?
Yes. Local admin accounts should for the most part be off-limits, so any logged use of one is very suspicious. The built-in Administrator account (RID 500) should be disabled as well, since it is exempt from protections such as account lockout.
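The three anomalies the two cards above describe (workstation-to-workstation logons, after-hours logons, and use of the RID 500 built-in Administrator) can be hunted in Security event 4624 records. The script below is an added example, not part of the original flashcards or any course material: field names follow the 4624 EventData schema, while the sample records, the business-hours window and the "WS-" workstation naming convention are constructed assumptions for this illustration.

```powershell
# Added example (not from the original flashcards): flag anomalous logons in
# Security event 4624 records. The sample data and the "WS-" naming pattern
# are constructed assumptions; adjust them to your own naming convention.

function ConvertFrom-Logon4624 {
    # Flatten one Get-WinEvent record into the fields we hunt on.
    param([Parameter(Mandatory)] $Event)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    $get  = { param($Name) ($data | Where-Object { $_.Name -eq $Name }).'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Computer    = $Event.MachineName
        User        = & $get 'TargetUserName'
        UserSid     = & $get 'TargetUserSid'
        LogonType   = [int](& $get 'LogonType')
        Workstation = & $get 'WorkstationName'   # source host for type 3/10 logons
    }
}

function Find-SuspiciousLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Logons,
        [string] $WorkstationPattern = '^WS-',   # assumed naming convention for workstations
        [int]    $BusinessStart = 7,
        [int]    $BusinessEnd   = 19
    )
    foreach ($l in $Logons) {
        $reasons = @()
        # The built-in Administrator always has RID 500; by policy it should almost never log on.
        if ($l.UserSid -match '-500$') { $reasons += 'built-in Administrator (RID 500) used' }
        # Network (3) or RDP (10) logon where both the source and the target are workstations.
        if (($l.LogonType -in 3, 10) -and
            ($l.Computer -match $WorkstationPattern) -and
            ($l.Workstation -match $WorkstationPattern)) {
            $reasons += 'workstation-to-workstation logon'
        }
        # Interactive (2) or RDP (10) logon outside business hours.
        if (($l.LogonType -in 2, 10) -and
            ($l.Time.Hour -lt $BusinessStart -or $l.Time.Hour -ge $BusinessEnd)) {
            $reasons += 'after-hours logon'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $l.Time; Computer = $l.Computer; User = $l.User
                Source = $l.Workstation; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample (the shape ConvertFrom-Logon4624 returns). The 02:40 RDP logon
# from WS-0199 to WS-0412 as the built-in Administrator trips all three rules.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-05 10:15'; Computer = 'WS-0412'; User = 'jsmith'
                       UserSid = 'S-1-5-21-111-222-333-1105'; LogonType = 2;  Workstation = 'WS-0412' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05 02:40'; Computer = 'WS-0412'; User = 'Administrator'
                       UserSid = 'S-1-5-21-111-222-333-500';  LogonType = 10; Workstation = 'WS-0199' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05 11:02'; Computer = 'FS-01';   User = 'jsmith'
                       UserSid = 'S-1-5-21-111-222-333-1105'; LogonType = 3;  Workstation = 'WS-0412' }
)
Find-SuspiciousLogon -Logons $sample | Format-Table -AutoSize

# Against the live Security log (run elevated):
# Find-SuspiciousLogon -Logons (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object { ConvertFrom-Logon4624 $_ })
```

The third sample record (a workstation reaching a file server, type 3, during the day) is deliberately left unflagged: the point of the workstation-to-workstation rule is that clients normally talk to servers, not to each other, so the pattern for the target host matters as much as the one for the source.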
Describe the security methods Microsoft implemented in Windows 7.
User Account Control (UAC) runs members of the Administrators group with a filtered, standard-user token until they explicitly elevate. Managed Service Accounts (MSAs) were introduced to mitigate Kerberos attacks against service accounts: the password is generated by the system and rotated automatically every 30 days, so no human ever knows or types it. Later, update KB2871997 backported many of the Windows 8.1 credential protections to Windows 7.
Describe the security methods Microsoft implemented in Windows 8.
Single sign-on providers like CredSSP, TsPkg, and WDigest no longer keep plaintext passwords cached in LSASS memory, so Mimikatz cannot recover cleartext passwords. Two new well-known security groups ("Local account" and "Local account and member of Administrators group") were added so that Group Policy can deny local accounts network and remote interactive logon, which blocks remote WMI, PsExec, scheduled tasks, and share connections made with local admin credentials. Credentials are also cleaned out of memory more reliably when a user session ends.
Describe the introduction of protected processes in Windows 8.
A protected process can only load signed code, and only another protected process can open it with debug or memory-read access, so a normal process (even one running as SYSTEM) cannot read its memory. LSASS can be run as a protected process (LSA protection, the RunAsPPL setting). Mimikatz gets around this by loading its own signed driver (mimidrv) and stripping the protection flag from LSASS, which is why driver loads on workstations deserve attention.
Describe the two account protections that debuted in Windows 8.
The mstsc /restrictedadmin switch can now be used for RDP so that the session does not send credentials or tickets to the target system (Group Policy can force clients to always use it, and the target host must allow it). The caveat: because the target never receives a password, Restricted Admin mode also lets an attacker who holds only the NT hash open an RDP session. The Protected Users domain security group was also created to protect high-value (privileged) accounts: members cannot authenticate with NTLM, CredSSP, or WDigest.
Describe the security features Microsoft implemented in Windows 10.
Credential Guard isolates hashes and Kerberos tickets in a virtualization-based security (VBS) container (the isolated LSA process) that the normal OS, and therefore Mimikatz, cannot read. Remote Credential Guard is the successor to Restricted Admin: Kerberos requests from the RDP session are redirected back to the client, so no credentials reach the target, and it works for any account, not only admins. The last feature, Device Guard, locks the system down with code-integrity policies so that untrusted code (such as credential-dumping tools) cannot run.
Name the tools used by adversaries to extract credential hashes.
Mimikatz, fgdump, gsecdump, Metasploit, AceHash, PWDumpX, creddump, and Windows Credential Editor (WCE).
Name the credential formats Windows keeps in memory.
NT and LM hashes, plus the TsPkg, WDigest, and LiveSSP single sign-on packages, which on older systems cached a reversible copy of the password in LSASS (so the plaintext could be recovered).
To compromise credentials, what method do adversaries use?
They prioritize obtaining admin rights, which lets them dump the memory of the LSASS process and read the SAM hive (from disk or from memory). With hashes in hand they can use Pass-the-Hash, which authenticates with the NT hash alone, without knowing the cleartext password.
How are credential formats exposed in the system?
TsPkg and WDigest are exposed through single sign-on usage, while LiveSSP is exposed when a Microsoft (“Live”) cloud account is used to log in.
What tools can be used for Pass-the-Hash technique?
The Metasploit PsExec module, WCE, and SMBshell. The credential they need is the NT hash, replayed through NTLM authentication. Adversaries focus on the SMB protocol, mapping file shares and running remote commands with PsExec or WMI.
Name Administrative actions that will store credentials on target systems.
Console logon (if Credential Guard is disabled), RunAs (if Credential Guard is disabled), Remote Desktop (if Remote Credential Guard is disabled), PsExec with alternate credentials, remote scheduled tasks, and Run as a Service.
Name Administrative actions that will NOT store credentials on target systems.
Net Use, PowerShell remoting, PsExec without explicit credentials, and Remote Registry.
What does the gsecdump tool do?
It dumps password hashes from the SAM or Active Directory database, LSA secrets, and currently logged-on sessions; run on a Domain Controller it yields the domain’s account hashes.
How to defend hashes from being compromised?
Avoid remote interactive sessions with high-value accounts, terminate RDP sessions properly (log off rather than disconnect), use Restricted Admin, use Remote Credential Guard, shorten session time limits so sessions that are not terminated properly are ended automatically, use the Domain Protected Users group, and give each local admin account a unique password.
What is the Local Administrator Password Solution (LAPS)?
A Microsoft solution that sets a unique, randomly generated password for the local Administrator account on each domain-joined computer, stores it in Active Directory as an attribute of the computer object (readable only by principals granted that right), and rotates it on a schedule. It removes the shared local admin password that makes Pass-the-Hash work across an entire fleet.
Explain what the registry value “UseLogonCredential” does.
It is a DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; setting it to 1 re-enables WDigest caching of plaintext credentials in LSASS on a system where it was disabled (Windows 8.1 and later, or Windows 7/8 with KB2871997). Adversaries add it so that Mimikatz can recover cleartext passwords from subsequent logons. It is absent by default, so its creation or change is a good thing to monitor (for example with Sysmon registry events or a SACL on the key).
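The cards on protected processes, Restricted Admin and Protected Users, Credential Guard, LAPS, and UseLogonCredential each describe a setting a defender should verify rather than assume. The script below is an added example, not part of the original flashcards or any Microsoft tooling, that audits them in one pass; the registry paths and values are Microsoft's documented settings, the ActiveDirectory module is assumed for the domain-side checks, and 'WS-0412' is a placeholder computer name.

```powershell
# Added example (not from the original flashcards): audit a host and its domain
# for the credential-theft mitigations described above. Registry paths/values are
# Microsoft's documented settings; 'WS-0412' is a placeholder computer name.

function Get-RegistryValueOrNull {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-CredentialHardeningStatus {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    $runAsPpl = Get-RegistryValueOrNull $lsa     'RunAsPPL'               # 1 or 2 = LSASS runs as a protected process
    $useLogon = Get-RegistryValueOrNull $wdigest 'UseLogonCredential'     # 1 = WDigest plaintext caching turned back on
    $disRA    = Get-RegistryValueOrNull $lsa     'DisableRestrictedAdmin' # 0 = host accepts Restricted Admin / Remote Credential Guard
    $lsaCfg   = Get-RegistryValueOrNull $lsa     'LsaCfgFlags'            # 1 (UEFI lock) or 2 = Credential Guard configured

    # Credential Guard reports its live state through the DeviceGuard WMI class (1 = running).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LsaProtection        = ($runAsPpl -in 1, 2)
        WDigestPlaintextOff  = ($null -eq $useLogon -or $useLogon -eq 0)
        RestrictedAdminReady = ($disRA -eq 0)
        CredGuardConfigured  = ($lsaCfg -in 1, 2)
        CredGuardRunning     = ($null -ne $dg -and ($dg.SecurityServicesRunning -contains 1))
    }
}

function Get-UnprotectedDomainAdmin {
    # Domain Admins that are not yet members of Protected Users (needs the ActiveDirectory module).
    $pu = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $pu } |
        Select-Object SamAccountName, DistinguishedName
}

function Test-LapsManaged {
    # Legacy LAPS and Windows LAPS each stamp an expiration time on the computer object they manage.
    # '-Properties *' avoids an error when only one of the two schema extensions is installed.
    param([Parameter(Mandatory)] [string] $ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties *
    [pscustomobject]@{
        Computer    = $ComputerName
        LegacyLAPS  = ($null -ne $c.'ms-Mcs-AdmPwdExpirationTime')
        WindowsLAPS = ($null -ne $c.'msLAPS-PasswordExpirationTime')
    }
}

Get-CredentialHardeningStatus | Format-List

# Domain-side checks, from a host with the ActiveDirectory module:
# Get-UnprotectedDomainAdmin
# Test-LapsManaged -ComputerName 'WS-0412'
```

A host that reports WDigestPlaintextOff as false has the exact condition the last card describes, so pair this audit with an alert on writes to the WDigest key (Sysmon Event ID 13, RegistryEvent value set, or an object-access SACL) rather than relying on periodic polling alone.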