Credentials

Credentials:

Registry Hives:

| Hive | Details | Format or credential material |
|---|---|---|
| SAM | Stores locally cached credentials (referred to as SAM secrets) | LM or NT hashes |
| SECURITY | Stores domain cached credentials (referred to as LSA secrets) | Plaintext passwords; Internet Explorer passwords; SQL passwords; service/schtask account passwords; LM or NT hashes; Kerberos keys (DES, AES); Domain Cached Credentials (DCC1 and DCC2, which can't be used for pass-the-hash and must be cracked); security questions (L$SQSA<SID>) |
| SYSTEM | Contains enough info to decrypt SAM secrets and LSA secrets | N/A |

Cleartext Protocols:

  • Wdigest

  • LiveSSP

  • TsPkg

Tokens:

LSA Secrets:

  • Users passwords

  • Internet Explorer passwords

  • Service account passwords (for services on the machine that authenticate with a stored secret)

  • Cached domain password encryption key

  • SQL passwords

  • SYSTEM account passwords

  • Account passwords for configured scheduled tasks

  • Time left until the expiration of an unactivated copy of Windows

LSASS:

Kerberos:

Mitigations:

| What | Impact | Mitigation |
|---|---|---|
| Prevent remote sessions with privileged accounts | Privileged credentials can be stolen and used if not properly secured. | Use the tiering model to prevent privileged logons to non-secure workstations, etc. |
| RDP session hygiene | RDP sessions can be hijacked without needing a password, and dumped to steal user credentials. | Use Remote Credential Guard to prevent hashes or tokens from being available on remote systems. Terminate inactive RDP sessions to prevent session/credential stealing. Accounts in the domain Protected Users group do not get delegate tokens created. |
| Avoid local admin password reuse | If the local admin password is the same across your environment, stealing the password once could give the TA access to every host that shares that password. | LAPS randomizes the local admin password and only allows certain users to reveal it. |
| LSA Secrets | Can be dumped and used. | Avoid using privileged accounts for schtask and service execution on low-trust hosts; use Managed Service Accounts instead. |
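The following is an added example (not part of the original notes) that audits a host for the credential-protection settings discussed above: WDigest cleartext caching, LSASS running as a protected process, Restricted Admin / Remote Credential Guard acceptance on the RDP target, and idle/disconnected RDP session limits. The registry locations are Microsoft's documented policy values; the 15-minute and 60-minute thresholds are assumptions chosen for this example.

```powershell
# Added example: read-only audit of credential-theft mitigations on the local host.
# Run in an elevated PowerShell session. Registry paths/value names are the
# documented Microsoft policy locations; time thresholds below are assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent -> $null; each check decides the default
}

# Each check: description, registry location, and a scriptblock returning $true
# when the mitigation is in place for the observed value.
$checks = @(
    @{ Name  = 'WDigest cleartext credential caching disabled'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'
       # Absent means off on Windows 8.1/2012 R2 and later; a value of 1 re-enables caching.
       Pass  = { param($v) ($null -eq $v) -or ($v -eq 0) } }
    @{ Name  = 'LSASS runs as a protected process (RunAsPPL)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'
       Pass  = { param($v) ($null -ne $v) -and ($v -ge 1) } }
    @{ Name  = 'Restricted Admin / Remote Credential Guard accepted for RDP'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'DisableRestrictedAdmin'
       Pass  = { param($v) ($null -ne $v) -and ($v -eq 0) } }   # must be present and 0
    @{ Name  = 'Idle RDP sessions disconnected (MaxIdleTime <= 15 min)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'MaxIdleTime'   # milliseconds
       Pass  = { param($v) ($null -ne $v) -and ($v -gt 0) -and ($v -le 900000) } }
    @{ Name  = 'Disconnected RDP sessions ended (MaxDisconnectionTime <= 60 min)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'MaxDisconnectionTime'   # milliseconds
       Pass  = { param($v) ($null -ne $v) -and ($v -gt 0) -and ($v -le 3600000) } }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check  = $c.Name
        Value  = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status = if (& $c.Pass $actual) { 'PASS' } else { 'FAIL' }
    }
}
$results | Format-Table -AutoSize
```

A FAIL on the WDigest or RunAsPPL rows means cleartext or LSASS-resident credentials are exposed to dumping; the RDP rows map directly to the session-hygiene mitigations in the table above.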
