Credentials

Credentials:

Registry Hives:

Hive	Details	Format or credential material
SAM	stores locally cached credentials (referred to as SAM secrets)	LM or NT hashes
SECURITY	stores domain cached credentials (referred to as LSA secrets)	Plaintext passwords Internet Explorer passwords SQL passwords Service/schtask account passwords LM or NT hashes Kerberos keys (DES, AES) Domain Cached Credentials (DCC1 and DCC2, can't be pth'd and must be cracked. ) Security Questions (L$SQSA<SID>)
SYSTEM	contains enough info to decrypt SAM secrets and LSA secrets	N/A

SAM & LSA secrets | The Hacker Recipeswww.thehacker.recipes

Cleartext Protocols:

• Wdigest

• LiveSSP

• TsPkg

Tokens:

LSA Secrets:

• Users passwords

• Internet Explorer passwords

• Service account passwords (Services on the machine that require authentication with secret)

• Cached domain password encryption key

• SQL passwords

• SYSTEM account passwords

• Account passwords for configured scheduled tasks

• Time left until the expiration of an unactivated copy of Windows

Dumping LSA Secrets | Red Team Noteswww.ired.team

LSASS:

Kerberos:

Mitigations:

What	Impact	Mitigation
Prevent remote sessions with privileged accounts	Privileged credentials can be stolen and used if note properly secured.	Use the tiering system to prevent privileged logons to non-secure workstation, etc.
RDP session hygiene	RDP sessions can be hijacked without a password needed and dumped to steal user credentials.	Use Remote Credential Guard to prevent hashes or tokens from being available on remote systems. Terminate inactive RDP sessions to prevent session/cred stealing.
		Domain Protected Users Group do not create delegate tokens
Avoid local admin password reuse	If the local admin password is the same across your environment, stealing the password once could give the TA access to every host that shares that password.	LAPS randomizes the local admin password and only allows certain users to reveal the password.
LSA Secrets	Can be dumped and used.	Avoid placing using privileged accounts for schtask and service execution on low-trust hosts. Managed Service Accounts.