Avoiding credential reuse attacks
Adversaries reuse stolen credentials all the time. How can you check for and prevent credential reuse attacks?
Deny them by leveraging new (and old) security features.
Reusable credentials

| Method | Logon type | Reusable credentials |
|---|---|---|
| Log on to console (+KVM) | Interactive | Yes |
| RUNAS | Interactive | Yes |
| Remote Desktop | RemoteInteractive | Yes |
| WinRM + CredSSP | NetworkClearText | Yes |
| PsExec with explicit credentials | Network + Interactive | Yes |
| Scheduled task | Batch | Yes (as LSA secret) |
| Services | Service | Yes (as LSA secret) |
| IIS Basic Authentication | NetworkClearText | Yes |
Protecting credentials

| Method | Mitigation |
|---|---|
| Log on to console (+KVM) | Credential Guard (Windows 10 / Windows Server 2016) |
| RUNAS | Credential Guard (Windows 10 / Windows Server 2016) |
| Remote Desktop | Remote Credential Guard (Windows 10 / Windows Server 2016) |
| WinRM + CredSSP | Just Enough Administration or Invoke-Command (Windows Server 2012) |
| PsExec with explicit credentials | Use WinRM (without CredSSP) |
| Scheduled task | Group Managed Service Account (Windows Server 2012 R2) |
| Services | Group Managed Service Account (Windows Server 2012 R2) |
| IIS Basic Authentication | Windows Authentication |
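As an added example (not part of the original page), the PowerShell below maps Security event 4624 logon types onto the rows of the two tables above, flagging logons that leave reusable credentials on the host together with the mitigation the table prescribes. The logon-type numbers are the documented 4624 values; the sample events are constructed and the function names are my own.

```powershell
# Added example: logon types from event 4624 mapped to the "reusable credentials" and
# "mitigation" tables above. Numeric values are the documented 4624 LogonType codes.
$LogonTypes = @{
    2  = @{ Name = 'Interactive';       Reusable = $true;  Mitigation = 'Credential Guard' }
    3  = @{ Name = 'Network';           Reusable = $false; Mitigation = 'n/a (no credentials cached)' }
    4  = @{ Name = 'Batch';             Reusable = $true;  Mitigation = 'Group Managed Service Account' }
    5  = @{ Name = 'Service';           Reusable = $true;  Mitigation = 'Group Managed Service Account' }
    8  = @{ Name = 'NetworkClearText';  Reusable = $true;  Mitigation = 'Drop CredSSP / Basic auth; use JEA or Windows Authentication' }
    10 = @{ Name = 'RemoteInteractive'; Reusable = $true;  Mitigation = 'Remote Credential Guard' }
}

# Classify a set of logon records (objects with Computer, TargetUserName, LogonType, IpAddress)
# and return only those whose logon type leaves reusable credentials behind.
function Get-ReusableCredentialLogons {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $info = $LogonTypes[[int]$e.LogonType]
        if ($null -eq $info -or -not $info.Reusable) { continue }   # not covered, or nothing cached
        [pscustomobject]@{
            Computer   = $e.Computer
            User       = $e.TargetUserName
            Source     = $e.IpAddress
            LogonType  = $info.Name
            Mitigation = $info.Mitigation
        }
    }
}

# Pull real 4624 events from the local Security log (needs administrative rights). In the
# 4624 event schema, Properties 5, 8 and 18 are TargetUserName, LogonType and IpAddress.
function Get-Logons4624 {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            [pscustomobject]@{
                Computer       = $_.MachineName
                TargetUserName = $_.Properties[5].Value
                LogonType      = $_.Properties[8].Value
                IpAddress      = $_.Properties[18].Value
            }
        }
}

# Constructed sample records (not real log data) so the classifier can be tried offline;
# replace with: Get-ReusableCredentialLogons -Events (Get-Logons4624)
$sample = @(
    [pscustomobject]@{ Computer = 'SRV01'; TargetUserName = 'admin';      LogonType = 10; IpAddress = '10.0.0.5' }
    [pscustomobject]@{ Computer = 'SRV01'; TargetUserName = 'svc-backup'; LogonType = 5;  IpAddress = '-' }
    [pscustomobject]@{ Computer = 'SRV01'; TargetUserName = 'helpdesk';   LogonType = 3;  IpAddress = '10.0.0.9' }
    [pscustomobject]@{ Computer = 'SRV01'; TargetUserName = 'admin';      LogonType = 8;  IpAddress = '10.0.0.7' }
)
Get-ReusableCredentialLogons -Events $sample | Format-Table -AutoSize
```

On the sample input, the type 3 (Network) logon is dropped and the other three are reported with their mitigations; run against Get-Logons4624 output to see which hosts are accumulating reusable credentials.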
Additional reading:
- https://download.microsoft.com/download/7/7/a/77abc5bd-8320-41af-863c-6ecfb10cb4b9/mitigating%20pass-the-hash%20(pth)%20attacks%20and%20other%20credential%20theft%20techniques_english.pdf
- /en-us/windows/security/identity-protection/credential-guard/credential-guard
- /en-us/windows/security/identity-protection/remote-credential-guard
- https://blogs.technet.microsoft.com/motiba/2017/09/21/securing-remote-connections/
- https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
- /en-us/powershell/scripting/setup/winrmsecurity?view=powershell-6