
How to Mitigate Against Domain Credential Theft

Attackers routinely reuse stolen domain credentials. Here are some ways to thwart their access.

Stolen domain credentials are a much bigger problem than most realize. A recent Dark Web audit by the Digital Shadows Photon Research Team showed 15 billion stolen usernames and passwords circulating on the Dark Web — more than two sets of pilfered credentials for every living person. Furthermore, credential theft rose a staggering 300% from 2018 through 2020.


How Attackers Use Domain Credentials
Attackers reuse stolen domain credentials found on compromised machines.

Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). Typically, they are established for users when their logon data is authenticated by a registered security package like the Kerberos protocol.

Microsoft Windows manages the usernames and passwords of domain users through the Local Security Authority Subsystem Service (LSASS). When an attacker gains a foothold on a compromised machine, they typically dump the memory of the LSASS process and then use a tool like Mimikatz to run the command sekurlsa::logonpasswords, which recovers credentials they can reuse on other computers.

Output from logonpasswords resembles:

Authentication Id: 0 ; 515764 (00000000:0007deb4)
Session: Interactive from 2
User Name: Gentil Kiwi
Domain: vm-w7-ult-x
SID: S-1-5-21-1982681256-1210654043-1600862990-1000
        msv: [00000003] Primary
          Username : Gentil Kiwi
          Domain   : vm-w7-ult-x
          LM: d0e9aee149655a6075e4540af1f22d3b
          NTLM: cc36cf7a8514893efccd332446158b1a
          SHA1: a299912f3dc7cf0023aef8e4361abfc03e9a8c30
          Username: Gentil Kiwi
          Domain: vm-w7-ult-x
          Password: waza1234/

Each grouping of output reflects one Windows logon session. Within a session, the sub-groupings (msv, tspkg, ssp, etc.) correspond to the authentication packages from which Mimikatz extracts credentials. Under each package, the password appears in one or more forms:

  • Cleartext: The actual password
  • NTLM (MD4): The form attackers most commonly obtain
  • LM: Legacy hash, rarely used today
  • SHA1: A SHA-1 hash of the password
  • Kerberos tickets: A Ticket Granting Ticket (TGT) or service tickets (TGS)

With a password hash, an attacker has three options: crack the hash, or use a Pass-the-Hash or Pass-the-Ticket technique. Regardless of the credential type, the attacker can connect to and run code on a remote computer in several ways, including Remote Desktop, Windows Management Instrumentation (WMI), the Service Control Manager, Windows Task Scheduler, Remote Registry, and Windows Remote Management (WinRM).

Domain credentials can be used both within the same domain and across domains. Cross-domain use is visible to the users being authenticated. To enable cross-domain user authentication, use Active Directory trusts.

When one domain trusts another, users can authenticate across them but still need permissions for the second domain to perform high-privileged operations like managing remote computers.

IT teams frequently add the Domain Admins group of one domain to the Domain Admins group of another, which gives every admin user access to every trusting domain. This practice is best avoided, as it often leads to cross-domain attacks.

To circumvent or prevent attacks and breaches, consider these best practices and mitigation steps.

Reduce Non-Essential Interactive Logons
Interactive logons are often used to manage remote computers, but there are better ways to do so without leaving your credentials behind on the remote machine, such as Microsoft's Restricted Admin mode and other network logon methods.

Monitor Logon Events
An interactive logon, like any successful logon, generates event 4624, "An account was successfully logged on." You can monitor such events by filtering the Security event log for event ID 4624.

From the filtered list, you can determine which users are currently connected via an interactive logon, or have previously connected that way.

Entries tagged with Logon Type 2 indicate an interactive logon.

To run an equivalent query against the Security event log from the command line (the log name comes first, followed by the options; this returns the 1,000 most recent 4624 events for one account), enter:

wevtutil query-events Security /count:1000 /rd:true /format:text "/q:*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='<SOME_USER>']]"

Logon events in the Security event log indicate the origin of an interactive logon, and often include the IP address of the computer that performed the authentication and the ID of the process involved.
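As an added example (not from the article), the same filtering applied to exported events: the script below parses 4624 records in the XML layout wevtutil emits with /format:xml and reports, per account, the hosts where an Interactive (type 2) or RemoteInteractive (type 10, RDP) logon left credentials in LSASS memory, while skipping network logons, which do not. The sample records are constructed; the event namespace, field names and logon type codes are the ones Windows uses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4624 logon types that leave reusable credentials in LSASS on the target host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP). Type 3 (network) does not.
CREDENTIAL_CACHING_LOGON_TYPES = {"2": "Interactive", "10": "RemoteInteractive"}


def parse_4624(xml_text):
    """Extract the relevant fields from one Security event; None if it is not a 4624 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "logon_type": data.get("LogonType", ""),
        "source_ip": data.get("IpAddress", "-"),
        "process_id": data.get("ProcessId", ""),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }


def interactive_logons(events):
    """Map each account to the hosts where an interactive-style logon cached its credentials."""
    by_user = defaultdict(list)
    for xml_text in events:
        ev = parse_4624(xml_text)
        if ev and ev["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES:
            kind = CREDENTIAL_CACHING_LOGON_TYPES[ev["logon_type"]]
            by_user[ev["user"]].append((ev["computer"], kind, ev["source_ip"]))
    return dict(by_user)


def sample_event(event_id, computer, user, logon_type, ip):
    """Constructed record in the shape of 'wevtutil qe Security /f:xml' output (fields trimmed)."""
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<Computer>{computer}</Computer></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data><Data Name='TargetDomainName'>CORP</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data><Data Name='IpAddress'>{ip}</Data>"
            f"<Data Name='ProcessId'>0x2b4</Data></EventData></Event>")


SAMPLE_EVENTS = [  # constructed sample data, not real log records
    sample_event("4624", "WS01.corp.example", "jsmith", "2", "-"),              # console logon
    sample_event("4624", "SRV02.corp.example", "svc-backup", "3", "10.0.0.7"),  # network logon, skipped
    sample_event("4624", "SRV02.corp.example", "admin-dba", "10", "10.0.0.5"),  # RDP logon
    sample_event("4625", "SRV02.corp.example", "admin-dba", "10", "10.0.0.5"),  # failed logon, skipped
]
```

Calling interactive_logons(SAMPLE_EVENTS) returns the two accounts with cached credentials and the hosts involved; feed it the records from wevtutil ... /format:xml to run it against a real export.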

Use Credential Guard
The Credential Guard feature in Windows 10 uses a virtualization-based isolated environment (a separate virtual machine) to keep credentials out of reach of dumping tools like Mimikatz. Although attackers can bypass it by abusing access tokens, Credential Guard is still the best passive protection currently available.

Activate Protected Process Light (PPL)
PPL wraps the LSASS process in additional protection, limiting an attacker's ability to dump its memory and steal passwords. PPL can be bypassed with tools such as Mimikatz's signed kernel driver, but it is still recommended for keeping in-memory passwords away from low-skill bad actors.
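An added example (not from the article) of the registry values behind the two protections just described, in .reg format: RunAsPPL under the Lsa key starts LSASS as a Protected Process Light, and LsaCfgFlags turns on Credential Guard, which additionally requires virtualization-based security to be enabled under the DeviceGuard key. Both are normally deployed through Group Policy or MDM; the raw values are shown here to make the settings concrete.

```reg
Windows Registry Editor Version 5.00

; Weak state (default on older builds): LSASS runs as an ordinary process that any
; administrator can read, and Credential Guard is off. In registry terms, RunAsPPL and
; LsaCfgFlags are absent or 0.

; Hardened state: run LSASS as a Protected Process Light
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
; Enable Credential Guard (1 = enabled with UEFI lock, 2 = enabled without UEFI lock)
"LsaCfgFlags"=dword:00000001

; Credential Guard depends on virtualization-based security being switched on
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000001
; 1 = require Secure Boot, 3 = Secure Boot plus DMA protection
"RequirePlatformSecurityFeatures"=dword:00000001
```

After a reboot, verify the result rather than trusting the values: the System log records a Wininit event ID 12 ("LSASS.exe was started as a protected process") when PPL took effect, and the Win32_DeviceGuard CIM class (namespace root\Microsoft\Windows\DeviceGuard) lists 1 under SecurityServicesRunning when Credential Guard is active.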

Monitor Protected Users
The Microsoft Protected Users group is an Active Directory security group that restricts its members to Kerberos tickets for authentication. Since those Kerberos tickets expire quickly and are not renewable, membership protects against credential theft and abuse.

Install Two-Factor Authentication
Enabling multifactor authentication increases the security of your environment. Without it, anyone who gains control of your credentials can take over your account.

Adopt the Attacker Perspective
The best way to defeat an adversary is to view your defenses through their eyes, and attack-centric exposure prioritization tools can help you do that. By simulating attacks across on-premises and cloud networks, such tools help you find and remediate critical attack paths, demonstrably reducing the risk associated with credential theft and other common tactics. Looking through the attacker's eyes shows you where you are vulnerable, and which vulnerabilities pose serious risk to business-critical assets.

Domain credential theft numbers are skyrocketing, so cybersecurity teams must take concrete steps to improve their defenses. Following these best practices and deploying the right tools is the best way to ensure that happens.

Zur Ulianitzky, Head of Security Research, XM Cyber. Zur Ulianitzky is an experienced information security researcher, skilled in red teaming and penetration testing. Prior to joining XM Cyber, he served as information security consultant at ...