Adversaries are reusing credentials all the time, How can you check and prevent credential reuse attacks?
Deny them by leveraging new (and old) security features.
Reusable credentials
|
Method |
Log Type |
Reusable credentials |
|
Log to console (+KVM) |
Interactive |
Yes |
|
RUNAS |
Interactive |
Yes |
|
Remote desktop |
RemoteInteractive |
Yes |
|
WinRM+CredSSP |
NetworkClearText |
Yes |
|
PSExec with explicit credentials |
Network+Interactive |
Yes |
|
Scheduled Task |
Batch |
Yes (as LSA secret) |
|
Services |
Service |
Yes (as LSA secret) |
|
IIS Basic Authentication |
NetworkClearText |
Yes |
 |
|
Protecting credentials
|
Method |
Mitigation |
|
Log to console (+KVM) |
Credential Guard (Windows 10/Windows Server 2016) |
|
RUNAS |
Credential Guard (Windows 10/Windows Server 2016) |
|
Remote desktop |
Remote Credential Guard (Windows 10/Windows Server |
|
WinRM+CredSSP |
Just Enough Administration or Invoke-Command (Windows |
|
PSExec with explicit credentials |
Use WINRM (without credSSP) |
|
Scheduled Task |
Group Managed Service Account (Windows Server 2012 R2) |
|
Services |
Group Managed Service Account (Windows Server 2012 R2) |
|
IIS Basic Authentication |
Windows Authentication |
Additional reading:
- https://download.microsoft.com/download/7/7/a/77abc5bd-8320-41af-863c-6ecfb10cb4b9/mitigating%20pass-the-hash%20(pth)%20attacks%20and%20other%20credential%20theft%20techniques_english.pdf
- https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
- https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard
- https://blogs.technet.microsoft.com/motiba/2017/09/21/securing-remote-connections/
- https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
- https://docs.microsoft.com/en-us/powershell/scripting/setup/winrmsecurity?view=powershell-6