Поделиться через


Avoiding credentials reuse attacks

Adversaries are reusingcredentials all the time, How can you check and prevent credential reuse attacks?

Deny them by leveraging new (and old) security features.

Reusable credentials

Method

Log Type

Reusable credentials 

Log to console (+KVM)

Interactive

Yes

RUNAS

Interactive

Yes

Remote desktop

RemoteInteractive

Yes

WinRM+CredSSP

NetworkClearText

Yes

PSExec with explicit credentials

Network+Interactive

Yes

Scheduled Task

Batch

Yes (as LSA secret)

Services

Service

Yes (as LSA secret)

IIS Basic Authentication

NetworkClearText

Yes

 

 

 

 

 

Protecting credentials

Method

Mitigation

Log to console (+KVM)

Credential Guard (Windows 10/Windows Server 2016)

RUNAS

Credential Guard (Windows 10/Windows Server 2016)

Remote desktop

Remote Credential Guard (Windows 10/Windows Server2016)

WinRM+CredSSP

Just Enough Administration or Invoke-Command (WindowsServer 2012)

PSExec with explicit credentials

Use WINRM (without credSSP)

Scheduled Task

Group Managed Service Account (Windows Server 2012 R2)

Services

Group Managed Service Account (Windows Server 2012 R2)

IIS Basic Authentication

Windows Authentication

 

Additional reading: