1WindowsCredentialsAttackMitigationDefenseChadTilbury@chadtilburySeniorInstructorandCo-Author:FOR500:WindowsForensicsFOR508:AdvancedForensicsandIncidentResponseE-mail:chad.
tilbury@crowdstrike.
comLinkedIn:ChadTilburyTwitter:@chadtilburyComputerCrimeInvestigationsCrowdStrikeMandiantUSAirForceOSISpecialAgentCHADTILBURYTECHNICALADVISORCROWDSTRIKESERVICESSANSINSTITUTECONNECT15+YEARSPriority#1post-exploitationDomainadminisultimategoalNearlyeverythinginWindowsistiedtoanaccountDifficulttomovewithoutoneEasyandrelativelystealthymeanstotraversethenetworkAccountlimitationsarerare"Sleeper"credentialscanprovideaccessafterremediationCompromisingCredentials3PillageAchieveDomainAdminDumpMoarCredentials_MoveLaterallyDumpCredentialsGainFootholdUserAccessControl(UAC)ManagedServiceAccountsKB2871997SSPplaintextpasswordmitigationsLocaladminremotelogonrestrictionsProtectedProcessesRestrictedAdminDomainProtectedUsersSecurityGroupLSACachecleanupGroupManagedServiceAccountsCredentialGuardRemoteCredentialGuardDeviceGuard(preventexecutionofuntrustedcode)EvolutionofCredentialAttackMitigation4CompromisingCredentials:HashesThepasswordforeachuseraccountinWindowsisstoredinmultipleformats:LMandNThashesaremostwellknown.
TsPkg,WDigest,andLiveSSPcanbedecryptedtoprovideplaintextpasswords(priortoWin8.
1)HowaretheyacquiredandusedHashesareavailableintheLSASSprocessandcanbeextractedwithadminprivileges.
Oncedumped,hashescanbecrackedorusedimmediatelyinaPasstheHashattack.
Commontools:MimikatzfgdumpgsecdumpMetasploitSMBshellPWDumpXcreddumpWCEHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT5AdminActionLogonTypeCredentialsonTargetNotesConsolelogon2Yes**ExceptwhenCredentialGuardisenabledRunas2Yes**ExceptwhenCredentialGuardisenabledRemoteDesktop10Yes**ExceptforenabledRemoteCredentialGuardNetUse3NoIncluding/u:parameterPowerShellRemoting3NoInvoke-Command;Enter-PSSessionPsExecalternatecreds3+2Yes-u-p
microsoft.
com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-materialHashDumping(Gsecdump)8PasstheHash(Mimikatz)10PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminWin10deployRemoteCredentialGuardUpgradetoWindows10CredentialGuardTsPkg,WDigest,etc.
--SSOcredsobsolescenceDomainProtectedUsersGroup(PtHmitigation)DefendingCredentials:Hashes12CompromisingCredentials:TokensDelegatetokensarepowerfulauthenticationresourcesusedforSSO.
Theyallowattackerstoimpersonateauser'ssecuritycontext,includingoverthenetwork.
HowaretheyacquiredandusedTheSeImpersonateprivilegeletstokensbecopiedfromprocesses.
Thenewtokencanthenbeusedtoauthenticateasthenewuser.
Atargetuserorservicemustbeloggedonorhaverunningprocesses.
Commontools:IncognitoMetasploitPowerShellMimikatzHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT13TokenStealing(Mimikatz)14PreventadminaccountcompromiseStopremoteinteractivesessionswithhighlyprivilegedaccountsProperterminationofRDPsessionsWin8.
1+forcetheuseofRestrictedAdminModeWin10deployRemoteCredentialGuardAccountdesignationof"AccountisSensitiveandCannotbeDelegated"inActiveDirectoryDomainProtectedUserssecuritygroupaccountsdonotcreatedelegatetokensDefendingCredentials:Tokens16CompromisingCredentials:CachedCredentialsStoreddomaincredentialstoallowlogonswhendomaincontrolleraccessisunavailable.
Mostsystemscachethelast10logonhashesbydefault.
HowaretheyacquiredandusedCachedcredentialsmustbecracked.
Hashesaresaltedandcase-sensitive,makingdecryptionveryslow.
ThesehashescannotbeusedforPasstheHashattacks.
Commontools:cachedumpMetasploitPWDumpXcreddumpHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT17Thecreddumputilitiescanextracthashes,cachedcredentialsandLSASecretsfromofflineregistryhives:github.
com/Neohapsis/creddump7OfflineCachedCredentialsExtraction(Creddump)18LocalNTHashesCachedHashesPreventadminaccountcompromiseLimitnumberofcachedlogonaccountsSOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon(cachedlogonscountvalue)AcachedlogonscountofzerooroneisnotalwaystherightanswerEnforcepasswordlengthandcomplexityrulesBruteforcecrackingisrequiredforthisattackDomainProtectedUserssecuritygroupaccountsdonotcachecredentialsDefendingCredentials:CachedCredentials20CompromisingCredentials:LSASecretsCredentialsstoredintheregistrytoallowservicesortaskstoberunwithuserprivileges.
Inadditiontoserviceaccounts,mayalsoholdapplicationpasswordslikeVPNorauto-logoncredentials.
HowaretheyacquiredandusedAdministratorprivilegesallowaccesstoencryptedregistrydataandthekeysnecessarytodecrypt.
PasswordsareplaintextCommontools:CainMetasploitMimikatzgsecdumpPWDumpXcreddumpPowerShellHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT21Get-LsaSecret.
ps1fromtheNishangPowerShellpentestframeworkusedtodump(anddecrypt)LSASecretshttps://github.
com/samratashok/nishangDecryptingLSASecrets(Nishang)22PreventadminaccountcompromiseDonotemployservicesorscheduletasksrequiringprivilegedaccountsonlowtrustsystemsReducenumberofservicesthatrequiredomainaccountstoexecuteHeavilyauditanyaccountsthatmustbeused(Group)ManagedServiceAccountsDefendingCredentials:LSASecrets23CompromisingCredentials:TicketsKerberosissuesticketstoauthenticatedusersthatcanbereusedwithoutadditionalauthentication.
Ticketsarecachedinmemoryandarevalidfor10hours.
HowaretheyacquiredandusedTicketscanbestolenfrommemoryandusedtoauthenticateelsewhere(PasstheTicket).
Further,accesstotheDCallowsticketstobecreatedforanyuserwithnoexpiration(GoldenTicket).
Serviceaccountticketscanberequestedandforged,includingofflinecrackingofserviceaccounthashes(Kerberoasting).
Commontools:MimikatzWCEkerberoastHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DIT24PasstheTicket(Mimikatz)25KerberosAttacks27PasstheTicketStealticketfrommemoryandpassorimportonothersystemsOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetSilverTicketAll-accesspassforasingleserviceorcomputerSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordthatworksforanydomainaccountCredentialGuard(Win10+)DomainProtectedUsersGroup(Win8+)–SomeattacksRemoteCredentialGuard(Win10+)RestrictedAdmin(Win8+)Long&complexpasswordsonserviceaccounts(topreventKerberoasting)ChangeserviceaccountpasswordsregularlyGroupManagedServiceAccountsareagreatmitigationAuditserviceaccountsforunusualactivityChangeKRBTGTpasswordregularly(yearly)DefendingCredentials:Tickets28AttackTypeDescriptionMitigationPasstheTicketStealticketfrommemoryandpassorimportonothersystemsCredentialGuard;RemoteCredentialGuardOverpasstheHashUseNThashtorequestaserviceticketforthesameaccountCredentialGuard;ProtectedUsersGroup;DisableRC4authenticationKerberoastingRequestserviceticketforhighlyprivilegedservice&crackNThashLongandcomplexserviceaccountpasswords;ManagedServiceAccountsGoldenTicketKerberosTGTforanyaccountwithnoexpiration.
SurvivesfullpasswordresetProtectdomainadminaccounts;ChangeKRBTGTpasswordregularlySilverTicketAll-accesspassforasingleserviceorcomputerRegularcomputeraccountpasswordupdatesSkeletonKeyPatchLSASSondomaincontrollertoaddbackdoorpasswordtoanyaccountProtectdomainadminaccounts;SmartcardusageforprivilegedaccountsKerberosAttackMitigations29CompromisingCredentials:NTDS.
DITHashesTokensCachedCredentialsLSASecretsTicketsNTDS.
DITActiveDirectoryDomainServices(ADDS)databaseholdsalluserandcomputeraccounthashes(LM/NT)inthedomain.
Encrypted,butalgorithmiswellknownandeasytodefeat.
HowisitacquiredandusedLocatedinthe\Windows\NTDSfolderonthedomaincontroller.
Thefileislocked,soadminaccessisrequiredtoloadadrivertoaccessrawdisk,orusetheVolumeShadowCopyService.
Commontools:ntdsutilVSSAdminNTDSXtractVSSOwn.
vbsPowerShellntdsdump30CommandProcess:conhost.
exePid:141716CommandHistory:0x1b8f80Application:cmd.
exeFlags:Allocated,ResetCommandCount:12LastAdded:11LastDisplayed:11FirstCommand:0CommandCountMax:50ProcessHandle:0x60Cmd#0@0x196970:vssadminlistshadowsCmd#1@0x1bd240:cd\Cmd#2@0x1b9290:dirCmd#3@0x1bd260:cdtempCmd#4@0x1b92b0:dirCmd#5@0x19c6a0:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM.
Cmd#6@0x19c760:dirCmd#7@0x19c780:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM.
Cmd#8@0x19c830:copy\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.
dit.
Cmd#9@0x1c1ab0:dirStealingNTDS.
DIT31Don'tallowDomainAdminaccountstobecompromised.
DefendingCredentials:NTDS.
DIT32CredentialAttackDetection33"Asanypass-the-ticketattack,theattackerreplaysthegoldenticketinastandardKerberosprotocol.
Therefore,thereisnoclearindicationofsuchattackinWindowslogs.
"34"GoldenTicketeventsmayhaveoneoftheseissues:TheAccountDomainfieldisblankwhenitshouldbeDOMAINTheAccountDomainfieldisDOMAINFQDNwhenitshouldbeDOMAIN.
"–SeanMetcalf,adsecurity.
org3536Asanexample…KerberoastingusesRC4encryptiondowngrade(butalmostnoonelogstheseevents)AuthenticationAuditingMappingAdmin$SharesPsExecScheduledTasksVSSAdminRDP/VPNactivityToolArtifactsNewServicesRandomFile/HostnamesCodeInjectionCrashesandSecurityAlertsBehavioralAnalysisLocalAdminAccountUseDomainAdminAnomaliesServiceAccountAnomaliesWorkstation-to-workstationconnectionsCredentialAttackDetection38EventlogsarecriticalfordetectionAuthenticationevents(EID4624,4762,4648,4720,etc.
)Newservices(EID7045)ApplicationandProcessCrashesFailedandanomalousSMBactivity(EID5140)AV/SecuritylogsDomainProtectedUsersecuritygrouplogsApplicationsandServicesLogs\Microsoft\Windows\Microsoft\AuthenticationProcesstrackingCommandlinecapturesPowerShellauditingCredentialAttackDetection39CredentialAttackDetection:PasstheHash40CredentialAttackDetection:PsExecandfgdumpInitiationoftwonear-simultaneousservicesbyhelpdeskaccount42CredentialAttackDetection:LSASSCrashSystemEventLogApplicationEventLog**ReviewandcorrelateyourAnti-Viruslogs**44CredentialAttackDetection:CapturingCommandLines46RegistrychangesDisabledcomputeraccountpwdupdates(SilverTickets)SYSTEM\CurrentControlSet\Services\Netlogon\ParametersDisablePasswordChange=1EnabledWDigestcredentials(postWin8.
1)SYSTEM\CurrentControlSet\Control\SecurityProviders\WdigestUseLogonCredential=1MemoryAnalysisProcessinjectionLoadeddriversKernel-levelsecurityagentdetectionsBehavioralAnalyticsCredentialAttackDetection:OtherDataSources48CredentialBestPractices49RestrictandProtectPrivilegedDomainAccountsReducethenumberofDomain/EnterpriseAdminsEnforcemulti-factorauthentication(MFA)forallnetworkandcloudadminaccountsSeparateadministrativeaccountsfromuseraccountsforadministrativepersonnelCreatespecificadministrativeworkstationhostsforadministratorsUsetheDomainProtectedUserssecuritygroup!
BestPractices:ControlYourAdminAccounts50LimitLocalAdminAccountsDon'tgiveusersadminUniqueandcomplexpasswordsforlocaladmin(LAPS)DenynetworklogonsforlocalaccountsAuditaccountusageandmonitorforanomaliesBestPractices:ControlYourAdminAccounts(2)51Imagesource:LocalAdministratorPasswordSolutionhttps://technet.
microsoft.
com/en-us/mt227395.
aspxUseaTieredAdministrativeAccessModelAdministrationofADServersandApplicationsWorkstationsandDevicesBestPractices:ControlYourAdminAccounts(3)52Imagesource:SecuringPrivilegedAccessReferenceMaterialbyCoreyPlett(Microsoft)AuditandlimitthenumberofservicesrunningassystemanddomainaccountsUtilizeGroupManagedServiceAccounts…orregularlychangeanduselong&complexpasswordsUpgradetoWindows10/Server2016EnableCredentialGuard&RemoteCredentialGuardForceLSASSasprotectedprocessonlegacyWin8.
1EstablishremoteconnectionsusingnetworklogoninsteadofinteractivelogonwhenpossibleBestPractices:ReducetheCredentialAttackSurface53LimitworkstationtoworkstationcommunicationRestrictinboundNetBIOS,SMBtrafficusingtheWindowsFirewall…orVLANsegmentationofworkstationsSomanyhacktoolsleverageSMBauthenticationIsworkstationtoworkstationRDPreallynecessaryEnablestricterKerberossecurityDisableLM&NTLM(forceKerberos)ShortvalidityforticketsNoaccountdelegationBestPractices:ReducetheCredentialAttackSurface(2)54ChartbyBenjaminDelpy:https://goo.
gl/1K3AC7IncreaseAwarenessofNewAttacks5556Materialsfrom:http://dfir.
to/FOR508