Dark Reading is part of the Informa Tech Division of Informa PLC

How to Mitigate Against Domain Credential Theft

Attackers routinely reuse stolen domain credentials. Here are some ways to thwart their access.

Stolen domain credentials are a much bigger problem than most realize. A recent Dark Web audit by the Digital Shadows Photon Research Team showed 15 billion stolen usernames and passwords circulating on the Dark Web — more than two sets of pilfered credentials for every living person. Furthermore, credential theft rose a staggering 300% from 2018 through 2020.


How Attackers Use Domain Credentials
Attackers reuse stolen domain credentials found on compromised machines.

Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). Typically, they are established for users when their logon data is authenticated by a registered security package like the Kerberos protocol.

Microsoft Windows keeps the usernames and passwords of logged-on domain users in the Local Security Authority Subsystem Service (LSASS) process. When an attacker gains a foothold on a compromised machine, they first dump the LSASS memory, then use a tool like Mimikatz to run the command sekurlsa::logonpasswords, which recovers credentials they can reuse on other computers.

Output from logonpasswords resembles:

Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session           : Interactive from 2
User Name         : Gentil Kiwi
Domain            : vm-w7-ult-x
SID               : S-1-5-21-1982681256-1210654043-1600862990-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * Password : waza1234/

Each grouping of output reflects one Windows logon session. Within a session, the sub-groupings (msv, tspkg, ssp, etc.) correspond to the authentication packages from which Mimikatz extracts credentials. Under each package, the password appears in one or more forms:

  • Cleartext: the actual password
  • NTLM (MD4) hash: the form attackers most commonly obtain
  • LM hash: legacy format, rarely seen today
  • SHA1 hash
  • Kerberos tickets: a Ticket Granting Ticket (TGT) or a service ticket (TGS)

With a password hash, an attacker has three options: crack the hash to recover the cleartext password, use Pass the Hash, or use Pass the Ticket. Whichever form of credential they hold, the attacker can connect to and run code on a remote computer in several ways, including Remote Desktop, Windows Management Instrumentation (WMI), the Service Control Manager, the Windows Task Scheduler, the Remote Registry service, and Windows Remote Management (WinRM).

Domain credentials can be used both within the same domain and across different domains. Cross-domain use is visible to the users being authenticated. Cross-domain user authentication is enabled through Active Directory trusts.

When one domain trusts another, users can authenticate across them but still need permissions for the second domain to perform high-privileged operations like managing remote computers.

IT teams frequently add the Domain Admins group of one domain to the Domain Admins group of another. This gives every admin in the first domain access to every trusting domain. The practice is best avoided, because it often opens cross-domain attack paths.

To prevent these attacks and breaches, consider the following best practices and mitigation steps.

Reduce Non-Essential Interactive Logons
The interactive logon method is often used to manage remote computers, but there are better ways to do so without leaving your credentials behind on the target, such as Microsoft Restricted Admin mode and other network logon methods.

Monitor Logon Events
When an interactive logon occurs, event 4624 ("an account was successfully logged on") is generated. You can monitor such events by filtering the Security event log for event ID 4624.

From the filtered list, you can determine which users are connected via interactive login or have previously connected that way.

Entries tagged as Logon Type 2 indicate an interactive logon.

To run an equivalent query against the event log from the command line, enter:

WEVTUtil query-events /count:1000 Security /rd:true /format:text "/q:*[System [(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='<SOME_USER>']]"

Logon events in the Security event log indicate the origin of an interactive logon, and often include the IP address of the computer that performed the authentication and the ID of the logon process involved.
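The same hunt in PowerShell, as an added example (not code from the original article): it pulls the 4624 events described above, extracts the fields a responder wants from the event XML, and keeps only logon types that leave reusable credentials on the host. The parameter names and the defaults (types 2, 10 and 11) are this example's choices; the logon type meanings are documented Windows values.

```powershell
# Added example, not from the original article. Lists interactive logons from the
# Security log with logon type, source address and logon process pulled out of the
# event XML. Logon type 2 = Interactive (console), 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive. Run in an elevated PowerShell session on the host.
param(
    [int]$MaxEvents = 1000,
    [int[]]$LogonTypes = @(2, 10, 11),
    [string]$TargetUser = '*'   # e.g. 'jsmith'; the wildcard matches every account
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Skip the noise: network/service logons and machine accounts ($) are not
    # what leaves reusable credentials in LSASS on this host.
    if ([int]$data['LogonType'] -notin $LogonTypes) { continue }
    if ($data['TargetUserName'] -like '*$') { continue }
    if ($data['TargetUserName'] -notlike $TargetUser) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']
        SourceIP    = $data['IpAddress']          # '-' for local console logons
        Workstation = $data['WorkstationName']
        LogonProc   = $data['LogonProcessName']
        ProcessId   = $data['ProcessId']          # hex string as logged, e.g. 0x3e4
    }
}

# Who has left credentials on this box, and from where?
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Per-user count of interactive logons on this host; admin-tier accounts that
# show up here (and on many other hosts) are the first exposure to remove.
$rows | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending
```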

Use Credential Guard
The Credential Guard feature in Windows 10 uses virtualization-based security to isolate secrets from dumping tools like Mimikatz. Although attackers can bypass it by abusing access tokens, Credential Guard is still the best passive protection currently available.

Activate Protected Process Light (PPL)
PPL protects the LSASS process, limiting attackers' ability to dump its memory and steal passwords. While PPL can be bypassed with tools such as Mimikatz's signed driver, it is still recommended for protecting in-memory passwords from low-skill bad actors.

Monitor Protected Users
The Microsoft Protected Users group is an Active Directory security group that restricts its members to Kerberos authentication. Because the Kerberos tickets issued to members expire quickly and cannot be renewed, membership protects against credential theft and abuse.
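A read-only check of the three controls covered in the Credential Guard, PPL and Protected Users sections above, as an added example (not the article's own code). It assumes the RSAT ActiveDirectory module is present for the group checks; the registry values and the Win32_DeviceGuard class are documented Windows settings, and the value meanings in the comments are Microsoft's.

```powershell
# Added example, not from the original article. Audits LSA protection (PPL),
# Credential Guard and Protected Users membership. Run elevated; nothing here
# changes configuration.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

# 1. LSA protection (PPL): RunAsPPL 1 = enabled with UEFI lock,
#    2 = enabled without UEFI lock (Windows 11 22H2 and later), 0/absent = off.
$runAsPpl = [int]($lsa.RunAsPPL)
$pplOk    = $runAsPpl -ge 1

# 2. Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled
#    without lock. Win32_DeviceGuard reports whether it is actually running
#    (SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI).
$lsaCfg    = [int]($lsa.LsaCfgFlags)
$dg        = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = $null -ne $dg -and ($dg.SecurityServicesRunning -contains 1)

# 3. Protected Users: members cannot authenticate with NTLM, cannot be delegated,
#    and their TGTs last 4 hours and are not renewable. Domain Admins who are
#    NOT members are the gap to close. Requires the RSAT ActiveDirectory module.
$protected = @()
$unprotectedAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    $admins    = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    $unprotectedAdmins = @($admins | Where-Object { $_ -notin $protected })
}

[pscustomobject]@{
    LsaProtection_RunAsPPL      = $runAsPpl
    LsaProtection_OK            = $pplOk
    CredentialGuard_LsaCfgFlags = $lsaCfg
    CredentialGuard_Running     = $cgRunning
    ProtectedUsers_Count        = @($protected).Count
    DomainAdmins_NotProtected   = ($unprotectedAdmins -join ', ')
} | Format-List
```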

Install Two-Factor Authentication
Enabling multifactor authentication increases the security of your environment. Without it, anyone who obtains your credentials can take over your account.

Adopt the Attacker Perspective
The best way to defeat an adversary is to view your defenses through their eyes. Attack-centric exposure prioritization tools help you do this: by simulating attacks across on-premises and cloud networks, they find the critical attack paths so you can remediate them, demonstrably reducing the risk from credential theft and other common tactics. Looking through the attacker's eyes shows where you are vulnerable — and which vulnerabilities pose grave risk to business-critical assets.

Domain credential theft numbers are skyrocketing, so cybersecurity teams must take concrete steps to improve their defenses. Following these best practices and deploying the right tools is the best way to ensure that happens.

Zur Ulianitzky, Head of Security Research, XM Cyber

Zur Ulianitzky is an experienced information security researcher, skilled in red teaming and penetration testing. Prior to joining XM Cyber, he served as information security consultant at ...