# Credentials

## Credentials:

### Registry Hives:

| Hive     | Details                                                              | Format or credential material                                                                                                                                                                                                                                                                                                           |
| -------- | -------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| SAM      | stores local account credentials (referred to as SAM secrets)        | LM or NT hashes                                                                                                                                                                                                                                                                                                                         |
| SECURITY | stores LSA secrets and domain cached credentials                     | Plaintext passwords<br>Internet Explorer passwords<br>SQL passwords<br>Service/schtask account passwords<br>LM or NT hashes<br>Kerberos keys (DES, AES)<br>Domain Cached Credentials (DCC1 and DCC2; cannot be passed-the-hash and must be cracked)<br>Security questions (`L$_SQSA_<SID>`)                                          |
| SYSTEM   | contains enough info (the boot key) to decrypt SAM secrets and LSA secrets | N/A                                                                                                                                                                                                                                                                                                                               |

{% embed url="https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets" %}

### Cleartext Protocols:

* Wdigest
* LiveSSP
* TsPkg

### Tokens:

*

### LSA Secrets:

* Users passwords
* Internet Explorer passwords
* Service account passwords (services on the machine that authenticate with a stored secret)
* Cached domain password encryption key
* SQL passwords
* SYSTEM account passwords
* Account passwords for configured scheduled tasks
* Time left until the expiration of an unactivated copy of Windows

{% embed url="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets" %}

### LSASS:

*

### Kerberos:

### Mitigations:

| What                                             | Impact                                                                                                                                                            | Mitigation                                                                                                                                                                                                                                                     |
| ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Prevent remote sessions with privileged accounts | Privileged credentials can be stolen and reused if not properly secured.                                                                                          | Use the tiering model to prevent privileged logons to non-secure workstations and other low-trust hosts.                                                                                                                                                       |
| RDP session hygiene                              | RDP sessions can be hijacked without needing a password, and session memory can be dumped to steal user credentials.                                              | Use Remote Credential Guard to prevent hashes or tokens from being available on remote systems.<br><br>Terminate inactive RDP sessions to prevent session and credential stealing.<br><br>Members of the Protected Users domain group do not get delegate tokens. |
| Avoid local admin password reuse                 | If the local admin password is the same across your environment, stealing the password once could give the threat actor (TA) access to every host that shares it. | LAPS randomizes the local admin password and only allows certain users to reveal the password.                                                                                                                                                                |
| LSA Secrets                                      | Can be dumped and reused.                                                                                                                                         | Avoid using privileged accounts for scheduled tasks and service execution on low-trust hosts.<br><br>Use (group) Managed Service Accounts, whose passwords are managed by AD.                                                                                 |
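A read-only audit script, added here as an example and not taken from the original page or any of the linked projects, that reports the host-side state of the mitigations in the table above (Remote Credential Guard, RDP idle-session timeouts) and of WDigest cleartext caching from the Cleartext Protocols list. The registry paths are Microsoft's documented policy locations; the 15-minute idle limit is an assumed site baseline, and the script must run elevated.

```powershell
# Added audit example (not from the original page). Read-only: it never changes a setting.
# Expected values follow the documented policy semantics; the idle limit is an assumed baseline.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not configured"
}

$checks = @(
    @{ Name  = 'WDigest does not cache cleartext logon credentials'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'
       Test  = { param($v) $v -eq 0 } },                       # 1 re-enables cleartext caching
    @{ Name  = 'Restricted Admin / Remote Credential Guard accepted by this host'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'DisableRestrictedAdmin'
       Test  = { param($v) $v -eq 0 } },
    @{ Name  = 'Outbound RDP must not delegate credentials (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
       Value = 'RestrictedRemoteAdministrationType'
       Test  = { param($v) $v -in 2, 3 } },                    # 2 = require Remote Credential Guard, 3 = either mode
    @{ Name  = 'Idle RDP sessions are disconnected within 15 minutes (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'MaxIdleTime'
       Test  = { param($v) $v -gt 0 -and $v -le 900000 } }     # milliseconds; 0 = never (assumed baseline)
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check  = $c.Name
        Actual = if ($null -eq $actual) { '(not configured)' } else { $actual }
        Status = if ($null -ne $actual -and (& $c.Test $actual)) { 'OK' } else { 'REVIEW' }
    }
}
$results | Format-Table -AutoSize
```

Protected Users membership and LAPS deployment are domain-side controls and are not visible from these host registry values.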

