Inbal Pearlson
Aug 2, 2020 11:12:59 AM

The Cached Credentials Saga: Defending Against Pass-the-Hash Exploits


When hackers successfully obtain user credentials, they can access an organization's resources and cause a lot of damage as they move laterally. This normally goes unnoticed because the platform trusts a user who has been successfully authenticated. Once authenticated, hackers can exploit other common weaknesses caused by misconfiguration and ultimately gain full domain admin access. This is a common attack technique and a challenge for organizations to detect and respond to.

The Risk of Cached Credentials

In a Microsoft Windows environment, credentials are cached on the endpoint; this is sometimes known as cached logon data. The cached information is stored as a hash known as DCC2 (Domain Cached Credentials version 2). Attempts to crack the cache would take far too long, so instead a hacking technique known as pass the hash is used.

This technique uses the NTLM hash of the cached credential to authenticate to the remote server and gain access. The attacker does not need to know the plain-text password to become authenticated. This is a well-known weakness in the implementation of the authentication protocol: the password hash itself is static between sessions until the password is changed.

Where Current Solutions Fall Short

To help overcome this weakness, Microsoft introduced Credential Guard for the Windows 10 operating system (Enterprise edition only). It uses virtualization-based isolation to prevent attackers from stealing the hashed credentials.

However, there are several ways hackers can bypass this mechanism, such as keylogging, the Internal Monologue attack or, with admin rights, installing an alternative Security Support Provider.

An alternative is to use authentication mechanisms that do not cache credentials, such as Windows Hello or smart card authentication. However, neither is a popular choice within organizations from an operational standpoint.


Organizations that perform pen testing, either themselves or through a cybersecurity specialist company, should check for the existence of cached credentials. An open-source tool called Mimikatz is commonly used to identify them. While this will “do the job”, this approach has some disadvantages.

For most organizations, a pen test is performed only once or twice a year, largely because of the high cost, staff time and disruption it causes to the platform. Yet an attack based on pass the hash can happen at any time, so it is something that should be monitored constantly.

Pen tests are normally performed on a small subset of an organization's endpoints, yet the exploitation of cached credentials is a high risk on all endpoints and for all users. Operationally, it would be nearly impossible to run Mimikatz on all endpoints; not only would it be very time consuming, it would also impact the organization's productivity.
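A lightweight way to monitor the configuration side of this risk on every endpoint, without running a credential-dumping tool, is to read the cached-logon setting and the Credential Guard state that Windows already exposes. The following PowerShell is an added example, not code from the original post or from GYTPOL; the function name, the output shape and the risk thresholds are this example's own choices.

```powershell
# Added example: report the cached-logon configuration and Credential Guard
# state of the local endpoint. Function name, output and thresholds are assumptions.
function Get-CachedCredentialExposure {
    [CmdletBinding()]
    param()

    # CachedLogonsCount controls how many domain logons Windows keeps as DCC2
    # entries for offline logon (default is 10; 0 disables caching). It is a REG_SZ.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedLogons = if ($null -eq $raw) { 10 } else { [int]$raw }   # unset means the default of 10

    # Credential Guard reports its state through the Win32_DeviceGuard class;
    # a value of 1 in SecurityServicesRunning means Credential Guard is active.
    $credentialGuardRunning = $false
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
        $credentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    } catch {
        # The class is absent on editions without virtualization-based security.
    }

    # Risk rating for a monitoring dashboard (thresholds are this example's choice).
    $risk = if ($cachedLogons -eq 0) { 'Low' }
            elseif ($credentialGuardRunning) { 'Medium' }
            else { 'High' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        CachedLogonsCount      = $cachedLogons
        CredentialGuardRunning = $credentialGuardRunning
        Risk                   = $risk
        Note                   = if ($cachedLogons -gt 0) {
            'Domain logons are cached as DCC2 entries; lowering CachedLogonsCount stops future caching but breaks offline logon for roaming users.'
        } else {
            'No domain logons are cached on this endpoint.'
        }
    }
}

# Run locally, or fan out across the estate with
# Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-CachedCredentialExposure}
Get-CachedCredentialExposure | Format-List
```

Reading the registry value needs only a standard user, so the check can run from an existing inventory or endpoint-management job; the Credential Guard query simply reports false where the DeviceGuard class is not present.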

Eliminating Security Risks from Cached Credentials

A comprehensive solution should provide continuous monitoring of configuration security risks across all endpoints without negatively impacting operations. GYTPOL delivers this by providing real-time visibility into these risks, including the detection of cached credentials, to prevent exploitation by bad actors.

With GYTPOL, SecOps and IT admins gain complete oversight of configuration security risks, enabling proactive defense. Additionally, GYTPOL's auto-remediation feature instantly neutralizes threats without interrupting employees, whether they are on the network or working remotely.


About Author

Inbal Pearlson

Driving growth through Success, Inbal guides Customer Journeys for GYTPOL. Combining technical expertise with a customer-centric approach, Inbal adds value across implementation, adoption, and expansion.
