Credentials
Last updated
Credentials:
Registry Hives:
Hive
Details
Format or credential material
SAM
stores locally cached credentials (referred to as SAM secrets)
LM or NT hashes
SECURITY
stores domain cached credentials (referred to as LSA secrets)
Plaintext passwords
Internet Explorer passwords SQL passwords Service/schtask account passwords LM or NT hashes
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 and DCC2, can't be pth'd and must be cracked. )
Security Questions
(L$SQSA<SID>)
SYSTEM
contains enough info to decrypt SAM secrets and LSA secrets
N/A
Cleartext Protocols:
Wdigest
LiveSSP
TsPkg
Tokens:
LSA Secrets:
Users passwords
Internet Explorer passwords
Service account passwords (Services on the machine that require authentication with secret)
Cached domain password encryption key
SQL passwords
SYSTEM account passwords
Account passwords for configured scheduled tasks
Time left until the expiration of an unactivated copy of Windows
LSASS:
Kerberos:
Mitigations:
What
Impact
Mitigation
Prevent remote sessions with privileged accounts
Privileged credentials can be stolen and used if note properly secured.
Use the tiering system to prevent privileged logons to non-secure workstation, etc.
RDP session hygiene
RDP sessions can be hijacked without a password needed and dumped to steal user credentials.
Use Remote Credential Guard to prevent hashes or tokens from being available on remote systems.
Terminate inactive RDP sessions to prevent session/cred stealing.
Domain Protected Users Group do not create delegate tokens
Avoid local admin password reuse
If the local admin password is the same across your environment, stealing the password once could give the TA access to every host that shares that password.
LAPS randomizes the local admin password and only allows certain users to reveal the password.
LSA Secrets
Can be dumped and used.
Avoid placing using privileged accounts for schtask and service execution on low-trust hosts. Managed Service Accounts.
