When hackers are successful in accessing user credentials, they can access the resources of an organization and cause a lot of damage. This normally happens unnoticed as the platform trusts the user who has successfully been authenticated. Once authenticated, hackers can exploit other common weaknesses caused through misconfiguration and ultimately gain full domain admin access. This is a common attack technique and a challenge for organizations to detect and respond.
In a Microsoft Windows environment, credentials are cached on the endpoint. This is sometimes known as cached logon data. This cached information is encrypted using a complex hash known as DCC2 (Domain Cached Credentials version 2). Attempts to decrypt the cache would take far too long, instead a hacking technique known as pass the hash is used. This technique uses the encrypted NTLM hash of the cache credential to authenticate with the remote server in order to gain access. The attacker does not require to know the plain text password to become authenticated. This is a well-known weakness in the implementation of the authentication protocol because the password hash itself is static between sessions until the password is changed.
To help overcome this weakness, Microsoft introduced Credential Guard for Windows 10 operating system (Enterprise edition only). The solution uses a virtualization-based isolation technology which prevents attackers from stealing the hashed credentials. However, there are several ways hackers are able to bypass this mechanism such as: keylogging, the Internal Monologue attack or with admin rights, you can install an alternative Security Support Provider.
An alternative method is to use other mechanisms which will not cache the credentials such as Windows Hello or Smart Card authentication. However both of these are not popular choices within organizations from an operational standpoint.
Organizations who perform pen testing activities either themselves or by a cybersecurity specialist company should check for the existence of cached credentials. An open-source application called Mimikatz is commonly used to identify them. Whilst this will “do the job”, there are some disadvantages of taking this approach.
For most organizations, a pen test is only performed once or twice a year often due to the high cost, people resource time and disruption it causes to the platform. Yet, an attack based on pass the hash can happen at any time, therefore it is something which should be monitored constantly.
Pen Tests are normally performed on a small subset of endpoints of an organization, yet the exploitation of cached credentials is a high risk on all endpoints and users in an organization. Operationally, it would be nearly impossible to run Mimikatz on all endpoints. Not only would it be very time consuming, it would impact productivity of the organization.
One of the key benefits of Gytpol Validator is that we provide continuous monitoring of configuration security risks of all endpoint in the organization. This includes the identification of cached credentials which could be exploited as explained in this article.
SecOps and IT Admins now have total visibility of configuration security risks in their organization. Also, with the help of the Gytpol auto-remediation feature, the risk can be neutralized immediately without any interruption to the employee whether they are connected to the network or working from home remotely.