Credentials
Registry Hives:
Hive | Details | Format or credential material
---|---|---
SAM | Local account database; holds the password hashes of local users (the "SAM secrets") | LM or NT hashes
SECURITY | Holds the LSA secrets and, separately, the domain cached credentials (DCC) of domain users who have logged on to the host | LSA secrets: plaintext service, scheduled-task, SQL and Internet Explorer passwords, LM or NT hashes, Kerberos keys (DES, AES); domain cached credentials (DCC1 and DCC2, which cannot be passed-the-hash and must be cracked); security questions
SYSTEM | Holds the boot key needed to decrypt the SAM secrets and the LSA secrets | N/A (key material only, no credentials of its own)
Cleartext Protocols (security support providers that keep a cleartext copy of the logon password in LSASS memory):
Wdigest (HTTP Digest authentication; controlled by the UseLogonCredential registry value, which is off by default since Windows 8.1 / Server 2012 R2 and must be set to 0 on older builds after installing KB2871997)
LiveSSP (Microsoft account / Live ID logons)
TsPkg (Terminal Services / RDP single sign-on)
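The following PowerShell audit is an added example, not code from the original page: it checks which of the providers listed above can leave a plaintext copy of the logon password in LSASS on the current host, and offers the WDigest remediation. The registry paths and values are Microsoft's documented ones; the function names and the report layout are this example's own. Run it from an elevated prompt.

```powershell
# Added example: audit cleartext-credential exposure from LSASS security packages.
# Registry locations are Microsoft's documented ones; function names and output
# shape are this example's own (not from the original page).

function Get-LoadedSecurityPackages {
    # Preferred: list the SSP DLLs actually loaded in LSASS. Reading LSASS modules
    # fails with Access Denied when LSASS runs as a protected process (RunAsPPL),
    # so fall back to the registered-package lists under Lsa and Lsa\OSConfig.
    # An empty or "" list there means "built-in defaults only", which still
    # includes msv1_0, kerberos, wdigest and tspkg.
    try {
        (Get-Process -Name lsass -ErrorAction Stop).Modules.ModuleName |
            Where-Object { $_ -match '^(wdigest|tspkg|livessp|kerberos|msv1_0|credssp|pku2u|cloudap)\.dll$' }
    } catch {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $packages = @()
        foreach ($key in @($lsa, "$lsa\OSConfig")) {
            $v = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
            if ($v) { $packages += $v }
        }
        $packages | Where-Object { $_ -and $_ -ne '""' } | Sort-Object -Unique
    }
}

function Get-SspCredentialExposure {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # WDigest: UseLogonCredential = 1 keeps the plaintext password in LSASS.
    # On Windows 8.1 / Server 2012 R2 and later an absent value means "off";
    # on older builds an absent value means "on" (KB2871997 adds the switch
    # but does not flip it, so 0 must be set explicitly).
    $ulc    = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $os     = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $modern = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)
    $wdigestPlaintext = if ($null -eq $ulc) { -not $modern } else { $ulc -eq 1 }

    $packages = @(Get-LoadedSecurityPackages)

    # RunAsPPL = 1 runs LSASS as a protected process light, which blocks
    # ordinary (non-PPL) credential dumpers from reading its memory.
    $ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    [pscustomobject]@{
        WDigestUseLogonCredential = $ulc
        WDigestStoresPlaintext    = $wdigestPlaintext
        SecurityPackages          = $packages
        LiveSspPresent            = [bool]($packages -match '^livessp')
        TsPkgPresent              = [bool]($packages -match '^tspkg')
        LsassRunAsPPL             = ($ppl -eq 1)
    }
}

function Disable-WDigestPlaintext {
    # Remediation: set UseLogonCredential = 0 explicitly. Takes effect for new
    # logons; passwords already cached for existing sessions stay until logoff.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if (-not (Test-Path -Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
    Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord
}

Get-SspCredentialExposure | Format-List
```

The module-list path tells you what is really loaded; the registry fallback only tells you what is registered, so a host with RunAsPPL enabled and a default package list reports the built-in providers as present by assumption rather than by observation.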
Tokens:
LSA Secrets (stored under HKLM\SECURITY\Policy\Secrets, readable only by SYSTEM and decrypted with the boot key from the SYSTEM hive):
User passwords (e.g. the DefaultPassword secret used for automatic logon)
Internet Explorer passwords
Service account passwords (_SC_<ServiceName> entries for services that run under a user account rather than a built-in or managed account)
Cached domain password encryption key (NL$KM, used to protect the domain cached credentials)
SQL passwords
SYSTEM account passwords
Account passwords for configured scheduled tasks
Time left until the expiration of an unactivated copy of Windows
LSASS:
Kerberos:
Mitigations:
What | Impact | Mitigation
---|---|---
Prevent remote sessions with privileged accounts | Privileged credentials are exposed on every host the account logs on to and can be stolen if that host is not properly secured. | Use a tiering model so privileged accounts never log on to lower-tier (non-secure) workstations and servers.
RDP session hygiene | A disconnected RDP session can be reconnected by a SYSTEM-level attacker on the host (e.g. with tscon) without the password, and the session owner's credentials can be dumped from LSASS on the remote host. | Use Remote Credential Guard so the user's hashes and tickets are never sent to the remote system. Enforce time limits on disconnected and idle RDP sessions so they are terminated rather than left available for session or credential theft.
Domain Protected Users group | Privileged accounts that are not protected leave cached credentials (DCC) on hosts, can be delegated, and can authenticate with NTLM or weak Kerberos encryption. | Add privileged user accounts to the Protected Users group (Windows 8.1 / Server 2012 R2 and later): members cannot authenticate with NTLM, do not create delegable tokens, cannot use DES or RC4 for Kerberos, and have no cached or cleartext credentials stored on the hosts they log on to.
Avoid local admin password reuse | If the local admin password is the same across the environment, stealing it once gives the threat actor access to every host that shares it. | LAPS randomizes the local admin password per host and only allows authorized users to read it.
LSA Secrets | Passwords stored as LSA secrets (services, scheduled tasks) can be dumped by anyone with SYSTEM on the host and reused elsewhere. | Avoid running services and scheduled tasks as privileged accounts on low-trust hosts; use (group) Managed Service Accounts, whose passwords are machine-managed and rotated automatically.
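The script below is an added example, not code from the original page, covering the LSA secrets list and the mitigation rows above: it finds services and scheduled tasks on the local host whose credentials are persisted as LSA secrets, checks the host- and client-side Remote Credential Guard and disconnected-session settings, and (where the ActiveDirectory module is available) lists members of privileged groups who are not in Protected Users. Registry paths, CIM classes and cmdlets are Microsoft's documented ones; the function names, the default group list and the output shape are this example's own. Run elevated.

```powershell
# Added example: local audit for the credential-theft mitigations discussed above.
# Registry locations and cmdlets are Microsoft's; function names, the default
# group list and output layout are assumptions of this example.

function Get-StoredCredentialPrincipals {
    # Services that log on as a real user keep that password as an LSA secret
    # (_SC_<service>). Built-in and virtual accounts have no stored password;
    # MSA/gMSA accounts (name ends in $) have a machine-managed one.
    $builtin  = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService)|NT SERVICE\\.*)$'
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'Service'
                Name    = $_.Name
                Account = $_.StartName
                Managed = $_.StartName.EndsWith('$')
            }
        }

    # Scheduled tasks registered with a password persist that credential too;
    # LogonType S4U or ServiceAccount means no password was stored.
    $tasks = Get-ScheduledTask | Where-Object {
        "$($_.Principal.LogonType)" -in @('Password', 'InteractiveOrPassword')
    } | ForEach-Object {
        [pscustomobject]@{
            Kind    = 'ScheduledTask'
            Name    = "$($_.TaskPath)$($_.TaskName)"
            Account = $_.Principal.UserId
            Managed = [bool]($_.Principal.UserId -and $_.Principal.UserId.EndsWith('$'))
        }
    }
    @($services) + @($tasks)
}

function Get-RdpCredentialHygiene {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $cd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

    # Host side: DisableRestrictedAdmin = 0 makes the host accept Restricted Admin
    # and Remote Credential Guard connections; an absent value means it does not.
    $dra  = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    # Client side ("Restrict delegation of credentials to remote servers"):
    # RestrictedRemoteAdministration = 1 enables the policy; Type 1 = require
    # Restricted Admin, 2 = require Remote Credential Guard, 3 = either.
    $rra  = (Get-ItemProperty -Path $cd -Name RestrictedRemoteAdministration -ErrorAction SilentlyContinue).RestrictedRemoteAdministration
    $rrat = (Get-ItemProperty -Path $cd -Name RestrictedRemoteAdministrationType -ErrorAction SilentlyContinue).RestrictedRemoteAdministrationType
    # Disconnected sessions stay reconnectable (tscon by SYSTEM) until
    # MaxDisconnectionTime (milliseconds) elapses; 0 or absent means never.
    $mdt  = (Get-ItemProperty -Path $ts -Name MaxDisconnectionTime -ErrorAction SilentlyContinue).MaxDisconnectionTime

    [pscustomobject]@{
        HostAcceptsRemoteCredentialGuard    = ($dra -eq 0)
        ClientRestrictsCredentialDelegation = ($rra -eq 1)
        ClientRequiresRemoteCredentialGuard = ($rra -eq 1 -and $rrat -eq 2)
        DisconnectedSessionTimeoutMinutes   = if ($mdt) { [int]($mdt / 60000) } else { 0 }
        DisconnectedSessionsTerminated      = [bool]$mdt
    }
}

function Get-UnprotectedPrivilegedUsers {
    # Privileged users missing from Protected Users. Group list is an assumption;
    # requires the RSAT ActiveDirectory module on a domain-joined host.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    Import-Module ActiveDirectory -ErrorAction Stop
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
    }
}

Get-StoredCredentialPrincipals | Where-Object { -not $_.Managed } | Format-Table -AutoSize
Get-RdpCredentialHygiene | Format-List
```

Anything Get-StoredCredentialPrincipals reports with Managed = False is a password sitting in the SECURITY hive of this host; if the account is also privileged elsewhere, that is exactly the exposure the LSA Secrets row describes, and moving it to a (group) Managed Service Account removes the secret rather than just hiding it.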