# Windows Credentials

## Attack • Mitigation • Defense

 Chad Tilbury

###### @chadtilbury


-----

###### 15+ YEARS

 Computer Crime Investigations CrowdStrike • Mandiant • US Air Force OSI Special Agent

 SANS INSTITUTE

 Senior Instructor and Co-Author:     FOR500: Windows Forensics      FOR508: Advanced Forensics and Incident Response

 CONNECT

 E-mail:   chad.tilbury@crowdstrike.com
 CHAD TILBURY
 LinkedIn: Chad Tilbury TECHNICAL ADVISOR

**CROWDSTRIKE SERVICES**


-----

###### Credentials



###### • Priority #1 post-exploitation

 • Domain admin is ultimate goal
 • Nearly everything in Windows is tied to an account

 • Difficult to move without one
 • Easy and relatively stealthy means to traverse the network

 • Account limitations are rare
 • “Sleeper” credentials can provide access after remediation


-----

######  User Access Control
 (UAC)

  Managed Service
 Accounts

  KB2871997


######  SSP plaintext
 password mitigations  Local admin remote 
 logon restrictions  Protected Processes  Restricted Admin  Domain Protected Users
 Security Group  LSA Cache cleanup  Group Managed Service 


######  Credential Guard

  Remote Credential  
 Guard

  Device Guard  
 (prevent execution of  
 untrusted code)


-----

### Hashes

###### Tokens

 Cached Credentials

 LSA Secrets

 Tickets

 NTDS.DIT

|Col1|The password for each user account in Windows is stored in multiple formats: LM and NT hashes are most well known. TsPkg, WDigest, and LiveSSP can be decrypted to provide plaintext passwords (prior to Win8.1) How are they acquired and used? Hashes are available in the LSASS process and can be extracted with admin privileges. Once dumped, hashes can be cracked or used immediately in a Pass the Hash attack. Common tools: Mimikatz • fgdump • gsecdump • Metasploit • SMBshell • PWDumpX • creddump • WCE|
|---|---|


-----

|Admin Action|Logon Type|Credentials on Target?|Notes|
|---|---|---|---|
|Console logon|2|Yes*|*Except when Credential Guard is enabled|
|Runas|2|Yes*|*Except when Credential Guard is enabled|
|Remote Desktop|10|Yes*|*Except for enabled Remote Credential Guard|
|Net Use|3|No|Including /u: parameter|
|PowerShell Remoting|3|No|Invoke-Command; Enter-PSSession|
|PsExec alternate creds|3 + 2|Yes|-u <username> -p <password)|
|PsExec w/o explicit creds|3|No||
|Remote Scheduled Task|4|Yes|Password saved as LSA Secret|
|Run as a Service|5|Yes|(w/ user account) -- Password saved as LSA Secret|


###### Remote Registry 3 No


-----

-----

-----

### • Prevent admin account compromise
 • Stop remote interactive sessions with highly
 privileged accounts

#### • Proper termination of RDP sessions

###### • Win8.1+  force the use of Restricted Admin?
 • Win10  deploy Remote Credential Guard

### • Upgrade to Windows 10

###### • Credential Guard
 • TsPkg, WDigest, etc. -- SSO creds obsolescence
 • Domain Protected Users Group (PtH mitigation)


-----

###### Hashes

### Tokens

###### Cached Credentials

 LSA Secrets

 Tickets

 NTDS.DIT


###### Common tools: Incognito • Metasploit • PowerShell 
```
• Mimikatz

```
|Col1|Delegate tokens are powerful authentication resources used for SSO. They allow attackers to impersonate a user’s security context, including over the network. How are they acquired and used? The SeImpersonate privilege lets tokens be copied from processes. The new token can then be used to authenticate as the new user. A target user or service must be logged on or have running processes. Common tools: Incognito • Metasploit • PowerShell • Mimikatz|
|---|---|


-----

-----

#### • Prevent admin account compromise
 • Stop remote interactive sessions with highly
 privileged accounts
 • Proper termination of RDP sessions

###### • Win8.1+  force the use of Restricted Admin Mode?
 • Win10  deploy Remote Credential Guard

#### • Account designation of “Account is Sensitive and
 Cannot be Delegated” in Active Directory
 • Domain Protected Users security group accounts do
 t t d l t t k


-----

###### Hashes

 Tokens

 Cached Credentials

 LSA Secrets

 Tickets

 NTDS.DIT

|Col1|Stored domain credentials to allow logons when domain controller access is unavailable. Most systems cache the last 10 logon hashes by default. How are they acquired and used? Cached credentials must be cracked. Hashes are salted and case-sensitive, making decryption very slow. These hashes cannot be used for Pass the Hash attacks. Common tools: cachedump • Metasploit • PWDumpX • creddump|
|---|---|


-----

###### Local NT Hashes

 Cached Hashes


###### The creddump utilities can extract hashes, cached credentials and LSA Secrets from offline registry hives: github com/Neohapsis/creddump7


-----

### • Prevent admin account compromise

 • Limit number of cached logon accounts

###### • SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
 (cachedlogonscount value)
 • A cachedlogonscount of zero or one is not always the right answer

### • Enforce password length and complexity rules

###### • Brute force cracking is required for this attack

### • Domain Protected Users security group accounts do
 not cache credentials


-----

###### Hashes

 Tokens

 Cached Credentials

 LSA Secrets

 Tickets

 NTDS.DIT


###### Common tools: Cain • Metasploit • Mimikatz 
```
• gsecdump • PWDumpX • creddump • PowerShell

```
|Col1|Credentials stored in the registry to allow services or tasks to be run with user privileges. In addition to service accounts, may also hold application passwords like VPN or auto-logon credentials. How are they acquired and used? Administrator privileges allow access to encrypted registry data and the keys necessary to decrypt. Passwords are plaintext Common tools: Cain • Metasploit • Mimikatz • gsecdump • PWDumpX • creddump • PowerShell|
|---|---|


-----

### Get-LsaSecret.ps1 from the Nishang PowerShell pentest framework used to dump (and decrypt) LSA Secrets

###### https://github com/samratashok/nishang


-----

### • Prevent admin account compromise

 • Do not employ services or schedule tasks       
 requiring privileged accounts on low trust systems

 • Reduce number of services that require domain
 accounts to execute

###### • Heavily audit any accounts that must be used

### • (Group) Managed Service Accounts


-----

###### Hashes

 Tokens

 Cached Credentials

 LSA Secrets

### Tickets

###### NTDS.DIT


###### How are they acquired and used? Tickets can be stolen from memory and used to authenticate elsewhere (Pass the Ticket). Further, access to the DC allows tickets to be created for any user with no expiration (Golden Ticket). Service account tickets can be requested and forged, including offline cracking of service account hashes (Kerberoasting).

 Common tools: Mimikatz • WCE • kerberoast

|Col1|Kerberos issues tickets to authenticated users that can be reused without additional authentication. Tickets are cached in memory and are valid for 10 hours. How are they acquired and used? Tickets can be stolen from memory and used to authenticate elsewhere (Pass the Ticket). Further, access to the DC allows tickets to be created for any user with no expiration (Golden Ticket). Service account tickets can be requested and forged, including offline cracking of service account hashes (Kerberoasting). Common tools: Mimikatz • WCE • kerberoast|
|---|---|


-----

-----

|Kerberos Attacks|Col2|
|---|---|
|Pass the Ticket|Steal ticket from memory and pass or import on other systems|
|Overpass the Hash|Use NT hash to request a service ticket for the same account|
|Kerberoasting|Request service ticket for highly privileged service & crack NT hash|
|Golden Ticket|Kerberos TGT for any account with no expiration. Survives full password reset|
|Silver Ticket|All-access pass for a single service or computer|


###### Skeleton Key Patch LSASS on domain controller to add backdoor password that works for any domain account


-----

### • Credential Guard (Win10+)

###### • Domain Protected Users Group (Win8+) – Some attacks

### • Remote Credential Guard (Win10+)

###### • Restricted Admin (Win8+)

### • Long & complex passwords on service accounts (to
 prevent Kerberoasting)

###### • Change service account passwords regularly
 • Group Managed Service Accounts are a great mitigation

### • Audit service accounts for unusual activity
 • Change KRBTGT password regularly (yearly)


-----

|Attack Type|Description|Mitigation|
|---|---|---|
|Pass the Ticket|Steal ticket from memory and pass or import on other systems|Credential Guard; Remote Credential Guard|
|Overpass the Hash|Use NT hash to request a service ticket for the same account|Credential Guard; Protected Users Group; Disable RC4 authentication|
|Kerberoasting|Request service ticket for highly privileged service & crack NT hash|Long and complex service account passwords; Managed Service Accounts|
|Golden Ticket|Kerberos TGT for any account with no expiration. Survives full password reset|Protect domain admin accounts; Change KRBTGT password regularly|
|Silver Ticket|All-access pass for a single service or computer|Regular computer account password updates|


###### Skeleton Key Patch LSASS on domain controller to add backdoor password to any account


###### Protect domain admin accounts; Smart card usage for privileged accounts


-----

###### Hashes

 Tokens

 Cached Credentials

 LSA Secrets

 Tickets

 NTDS.DIT

|Col1|Active Directory Domain Services (AD DS) database holds all user and computer account hashes (LM/NT) in the domain. Encrypted, but algorithm is well known and easy to defeat. How is it acquired and used? Located in the \Windows\NTDS folder on the domain controller. The file is locked, so admin access is required to load a driver to access raw disk, or use the Volume Shadow Copy Service. Common tools: ntdsutil • VSSAdmin • NTDSXtract • VSSOwn.vbs • PowerShell • ntdsdump|
|---|---|


-----

```
CommandProcess: conhost.exe Pid: 141716
CommandHistory: 0x1b8f80 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 12 LastAdded: 11 LastDisplayed: 11
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x196970: vssadmin list shadows
Cmd #1 @ 0x1bd240: cd \
Cmd #2 @ 0x1b9290: dir
Cmd #3 @ 0x1bd260: cd temp
Cmd #4 @ 0x1b92b0: dir
Cmd #5 @ 0x19c6a0: copy
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SYSTEM .
Cmd #6 @ 0x19c760: dir
Cmd #7 @ 0x19c780: copy
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\system32\config\SAM .
Cmd #8 @ 0x19c830: copy
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy49\windows\ntds\ntds.dit .
Cmd #9 @ 0x1c1ab0: dir

```

-----

## Don’t allow Domain Admin accounts  
 to be compromised.


-----

# Credential Attack Detection


-----

### “As any pass-the-ticket attack, the attacker replays the golden ticket in a standard Kerberos protocol. Therefore, there is no clear indication of such attack in Windows logs.”


-----

### “Golden Ticket events may have one of these issues:

###### The Account Domain field is blank when it should be DOMAIN The Account Domain field is DOMAIN FQDN when it should be DOMAIN.” –Sean Metcalf, adsecurity.org


-----

### p

 Kerberoasting uses RC4 encryption downgrade

 (but almost no one logs these events)


-----

-----

##### Event logs are critical for detection

###### • Authentication events (EID 4624, 4762, 4648, 4720, etc.)
 • New services (EID 7045)
 • Application and Process Crashes
 • Failed and anomalous SMB activity (EID 5140)
 • AV / Security logs
 • Domain Protected User security group logs

 • Applications and Services Logs\Microsoft\Windows\Microsoft\Authentication
 • Process tracking

 • Command line captures
 • PowerShell auditing


-----

-----

###### Initiation of two near-simultaneous services by helpdesk account


-----

### ** Review and correlate your Anti-Virus logs ** 

###### A li ti E t L S t E t L


-----

-----

###### • Registry changes

 • Disabled computer account pwd updates (Silver Tickets) 
```
  SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
  DisablePasswordChange=1

 • Enabled WDigest credentials (post Win8.1)
  SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest

  UseLogonCredential=1
 • Memory Analysis

 • Process injection
 • Loaded drivers
 • Kernel-level security agent detections
 • Behavioral Analytics

```

-----

# Credential Best Practices


-----

### Restrict and Protect Privileged Domain Accounts

###### • Reduce the number of Domain/Enterprise Admins
 • Enforce multi-factor authentication (MFA) for all network
 and cloud admin accounts
 • Separate administrative accounts from user accounts for
 administrative personnel
 • Create specific administrative workstation hosts for
 administrators
 • Use the Domain Protected Users security group!


-----

### Limit Local Admin Accounts

###### • Don’t give users admin
 • Unique and complex
 passwords for local admin  (LAPS)
 • Deny network logons for
 local accounts

### Audit account usage and monitor for anomalies Image source: Local Administrator Password
**Solution https://technet.microsoft.com/en-**


**Image source: Local Administrator Password**


-----

### Use a Tiered Administrative Access Model

###### • Administration of AD
 • Servers and Applications
 • Workstations and Devices

**Image source:**
**Securing Privileged Access Reference Material by**



###### • Workstations and Devices


-----

### • Audit and limit the number of services running as
 system and domain accounts

###### • Utilize Group Managed Service Accounts
 • … or regularly change and use long & complex passwords

### • Upgrade to Windows 10 /Server 2016

###### • Enable Credential Guard & Remote Credential Guard

### • Force LSASS as protected process on legacy Win8.1
 • Establish remote connections using network logon
 instead of interactive logon when possible


-----

### • Limit workstation to workstation communication

###### • Restrict inbound NetBIOS, SMB traffic using the Windows
 Firewall
 • … or VLAN segmentation of workstations
 • So many hack tools leverage SMB authentication
 • Is workstation to workstation RDP really necessary?

### • Enable stricter Kerberos security

###### • Disable LM & NTLM (force Kerberos)
 • Short validity for tickets
 • No account delegation


-----

###### Chart by Benjamin Delpy: https://goo.gl/1K3AC7


-----

## Materials from:

###### http://dfir.to/FOR508


-----