Dark Reading is part of the Informa Tech Division of Informa PLC

How to Mitigate Against Domain Credential Theft

Attackers routinely reuse stolen domain credentials. Here are some ways to thwart their access.

Stolen domain credentials are a much bigger problem than most realize. A recent Dark Web audit by the Digital Shadows Photon Research Team showed 15 billion stolen usernames and passwords circulating on the Dark Web — more than two sets of pilfered credentials for every living person. Furthermore, credential theft rose a staggering 300% from 2018 through 2020.

How Attackers Use Domain Credentials
Attackers reuse stolen domain credentials found on compromised machines.

Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). Typically, they are established for users when their logon data is authenticated by a registered security package like the Kerberos protocol.

Windows keeps the credentials of logged-on domain users inside the Local Security Authority Subsystem Service (LSASS) process. An attacker who gains a foothold on a machine with local administrator rights (specifically, the SeDebugPrivilege needed to open LSASS) can read LSASS memory directly, or take a dump of the process and parse it offline, and then run a tool like Mimikatz with the command sekurlsa::logonpasswords to recover hashes and, on some configurations, cleartext passwords that can be reused against other computers.

Output from logonpasswords resembles:

Authentication Id: 0 ; 515764 (00000000:0007deb4)
Session: Interactive from 2
User Name: Gentil Kiwi
Domain: vm-w7-ult-x
SID: S-1-5-21-1982681256-1210654043-1600862990-1000
        msv: [00000003] Primary
          Username : Gentil Kiwi
          Domain   : vm-w7-ult-x
          LM: d0e9aee149655a6075e4540af1f22d3b
          NTLM: cc36cf7a8514893efccd332446158b1a
          SHA1: a299912f3dc7cf0023aef8e4361abfc03e9a8c30
          Username: Gentil Kiwi
          Domain: vm-w7-ult-x
          Password: waza1234/

Each grouping of output reflects one Windows logon session. Within a session, the sub-groupings (msv, tspkg, wdigest, kerberos, ssp, credman) are the LSA authentication packages from which Mimikatz pulled the material. Under each package, the credential appears in one or more forms:

  • Cleartext: The actual password
  • NTLM (MD4): The most common form seen by attackers
  • LM: Old hash, not commonly used
  • SHA1
  • Kerberos Tickets: Like Ticket Granting Ticket (TGT) or TGS

What the attacker does next depends on what was recovered. An NTLM hash can be cracked offline or used as-is with Pass the Hash; a Kerberos ticket can be replayed with Pass the Ticket; a cleartext password can simply be typed in. Whichever form is used, the attacker can authenticate to and run code on a remote computer through several channels, including Remote Desktop, Windows Management Instrumentation (WMI), the Service Control Manager, the Windows Task Scheduler, the remote registry, and Windows Remote Management (WinRM).

Domain credentials work in the domain that issued them and, where a trust exists, in other domains as well. Cross-domain authentication is handled by Active Directory trusts and is transparent to the user being authenticated.

When one domain trusts another, users can authenticate across them but still need permissions for the second domain to perform high-privileged operations like managing remote computers.

IT teams frequently add a Domain Admins group from one domain to the Domain Admins group of another. This gives every admin user access to every trusting domain. However, this practice is best avoided, as it often leads to cross-domain attacks.

To circumvent or prevent attacks and breaches, consider these best practices and mitigation steps.

Reduce Non-Essential Interactive Logons
Interactive logons (console and Remote Desktop) are often used to manage remote computers, but they leave the administrator's credentials in LSASS memory on the target for the lifetime of the session. Prefer methods that do not: Restricted Admin mode for Remote Desktop, or network logons such as WinRM (PowerShell remoting) and WMI, which validate the credential on the target without caching a reusable copy there. One caveat with Restricted Admin mode: because the session is established without sending reusable credentials, it also accepts an NTLM hash in place of a password, so it trades credential exposure on the target for hash-based RDP access, which you should weigh and monitor.

Monitor Logon Events
Every successful logon, interactive or not, generates Security event 4624 ("An account was successfully logged on"). Filter the Security event log for event ID 4624 and inspect the Logon Type field: type 2 is an interactive (console) logon, type 10 is a RemoteInteractive (Remote Desktop) logon, and type 3 is a network logon, which leaves no reusable credentials on the target.

From the filtered list, you can determine which users are currently connected via interactive logon, or have previously connected that way, to a given computer.

To run the equivalent query from the command line, restricting it to interactive (type 2) logons for a given user, enter:

wevtutil qe Security /c:1000 /rd:true /f:text /q:"*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='2' and Data[@Name='TargetUserName']='<SOME_USER>']]"

Logon events in the Security log record the origin of the logon: the Workstation Name and Source Network Address fields usually carry the name and IP address of the computer the authentication came from, and the Process ID and Logon Process fields identify the local process that handled it.
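The same hunt in PowerShell, as an added example that is not part of the original article: it filters 4624 at the source for logon types 2 and 10 using the same XPath dialect wevtutil understands, parses the event XML, and prints one row per logon with the source host, IP address and logon process. It assumes the standard 4624 field layout; the ElevatedToken field exists only on Windows 10 / Server 2016 and later, and the remote-query option assumes the Event Log firewall rules are open on the target.

```powershell
# Added example, not from the original article: list interactive (type 2) and
# RemoteInteractive/RDP (type 10) logons from the Security log with their origin.
# Run from an elevated PowerShell prompt.

param(
    [int]$MaxEvents = 1000,
    [string]$ComputerName = $env:COMPUTERNAME   # remote hosts need the Event Log firewall rules open
)

# Filter at the source: event 4624 with LogonType 2 or 10 (same XPath dialect as wevtutil /q:).
$xpath = "*[System[(EventID=4624)] and " +
         "EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

function Get-InteractiveLogon {
    param([string]$Computer, [int]$Max, [string]$XPath)

    Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $XPath -MaxEvents $Max -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            [pscustomobject]@{
                Time         = $_.TimeCreated
                Account      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType    = [int]$d.LogonType            # 2 = console, 10 = RDP
                LogonProcess = $d.LogonProcessName          # e.g. User32, Negotiate
                AuthPackage  = $d.AuthenticationPackageName # Kerberos, NTLM, Negotiate
                SourceHost   = $d.WorkstationName
                SourceIP     = $d.IpAddress                 # '-' for local console logons
                ProcessId    = [int]$d.ProcessId            # stored as a hex string, e.g. 0x3a4
                Elevated     = ($d.ElevatedToken -eq '%%1842')   # %%1842 = Yes (newer Windows only)
            }
        } |
        # Ignore machine accounts (trailing $) and the built-in service identities.
        Where-Object {
            $_.Account -notmatch '\$$' -and
            $_.Account -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$'
        }
}

Get-InteractiveLogon -Computer $ComputerName -Max $MaxEvents -XPath $xpath |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, SourceHost, SourceIP, LogonProcess, Elevated -AutoSize
```

Type 10 logons with a SourceIP outside your management subnet, or type 2 logons by domain administrators on ordinary workstations, are the rows worth chasing: each one is a machine where that account's credentials now sit in LSASS.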

Use Credential Guard
Credential Guard, available in Windows 10 and Windows Server 2016 and later, uses virtualization-based security to isolate LSA secrets in a separate process (LSAIso) that the normal operating system, and therefore a memory-dumping tool like Mimikatz, cannot read. It does not stop an attacker who already controls the machine from impersonating logged-on users by stealing their access tokens, but it is still the best passive protection currently available for in-memory credentials.

Activate Protected Process Light (PPL)
Running LSASS as a Protected Process Light (PPL), by setting the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to 1 and rebooting, blocks ordinary user-mode processes, even those running as administrator, from opening LSASS to read its memory. An attacker can still bypass it by loading a signed kernel driver such as Mimikatz's mimidrv to strip the protection, but it raises the bar and is still recommended for keeping in-memory passwords away from low-skill actors.

Use the Protected Users Group
Protected Users is a built-in Active Directory security group whose members can authenticate only with Kerberos: NTLM, Digest and CredSSP are refused for them, their Kerberos tickets cannot use DES or RC4, their TGT lifetime is capped at four hours and is not renewable, and their credentials cannot be delegated or cached for offline logon. This limits both what an attacker can steal from LSASS for these accounts and how long a stolen ticket stays useful. Reserve the group for high-value human accounts such as domain administrators; service and computer accounts placed in it will break.

Enable Multifactor Authentication
Requiring a second factor for logons means a stolen password alone no longer lets an attacker take over the account. Be clear about what it does not cover: a hash or ticket already captured from LSASS memory can still be passed to services that accept NTLM or Kerberos without triggering a second prompt, so MFA complements rather than replaces the LSASS protections above.

Adopt the Attacker Perspective
The best way to defeat an adversary is to view your defenses through their eyes. Focusing on attack-centric exposure prioritization can help you accomplish this. By simulating attacks across on-premises and cloud networks, these tools can help you find and remediate critical attack paths, demonstrably reducing the risk associated with credential theft and other common tactics. By looking through the attacker's eyes, you can see where you are vulnerable — and which vulnerabilities present grave risk to business-critical assets.

Domain credential theft numbers are skyrocketing, so cybersecurity teams must take concrete steps to improve their defenses. Following these best practices and deploying the right tools is the best way to ensure that happens.

Zur Ulianitzky, Head of Security Research, XM Cyber. Zur Ulianitzky is an experienced information security researcher, skilled in red teaming and penetration testing. Prior to joining XM Cyber, he served as information security consultant at ...

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-25
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
PUBLISHED: 2021-09-24
Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.
PUBLISHED: 2021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/&lt;id&gt;.html allows authenticated attackers to delete all users.
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in ver...
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This iss...