💾
👁️
infosec stuff
infosec stuffwriteups
infosec stuff
infosec stuffwriteups
  • infosec stuff
  • Archive
    • Kerberos
  • Cheatsheet
    • Mimikatz
    • Rubeus
  • Initial Access
    • Passwords
    • Payloads
    • Recon-AssetDiscovery
  • Linux
    • Linux Enumeration
    • Command Cheatsheet
      • TAR
    • Privilege Escalation
      • Cron Jobs
      • Kernel Exploit
      • SUID
      • Sudo
      • Weak File Permission
  • Physical
    • Basics
  • Tools
    • Impacket
    • Msfvenom
    • psexec
  • Uncategorized
    • Alternate Data Stream
    • Check applocker rules/policy
    • UACme
    • Data Exfilteration
    • Port Forwarding
    • WebDAV Exploitation
    • WinRM
    • winexe
  • Windows
    • Windows Enumeration
    • Commands
      • net
      • reg
      • sc
    • Evasion
      • Query Installed Antivirus
    • Local Privilege Escalation
      • Automated Tools
      • Enterprise Application
      • Insecure GUI Apps
      • Kernel Exploitation
      • Passwords
      • Potato
      • Registry Exploits
      • Scheduled Tasks
      • Service Exploits
      • Startup Apps
      • Vulnerable Software
      • Windows Privileges
    • Persistence
      • Adding Privileged Users
      • Backdoor Files
      • Existing Services
      • Login Screen (RDP)
      • Logon Triggered
      • Scheduled Tasks
      • Services
    • Powershell
      • Cheatsheet
      • Detections & Bypass
    • System Programming
      • Fundamentals
    • Windows Internals
      • Process & Jobs
        • Fundamentals
        • Process Internals
      • Security
        • Access Token
        • Elevation
        • Integrity Levels
        • Privilege
        • SID
        • Security Descriptor
        • User Account Control
      • System Architecture
        • Architecture Overview
        • Operating System Model
      • Uncategorized
        • DPAPI
        • LocalAccountTokenFilterPolicy
        • Privileges
        • SID
        • accesschk.exe
        • WMI
  • Active Directory
    • AD Concepts
      • Authentication
      • Authorization
      • Basics
      • Computers
      • Credentials
      • Database
      • Group Policy
      • Groups
      • Kerberos
      • Logon Types
      • NetNTLM
      • Services
      • Trusts
      • Users
    • Credential Dumping
      • Credential Manager
      • DC Sync
      • Domain Controller
      • LAPS
      • LSASS
      • Local Credentials
    • Domain Enumeration
      • CMD
      • Credential Injection
      • Defence
      • Management Console
      • Sharphound-BloodHound
      • Powershell
        • ACLs
        • Computers
        • Domain
        • Forest
        • GPOs
        • Groups
        • Organisational Unit
        • Shares and File Servers
        • Trusts
        • Powerview
        • Users
    • Exploitation
      • ACLs
    • Initial Foothold
      • ASREPRoast
      • Kerberos
    • Lateral Movement and Pivoting
      • Abusing User Behaviour
      • Kerberos
      • NTLM
      • PSEXEC
      • Remote Windows Service
      • Schedule Tasks
      • WMI-CIM
      • WimRM (PowerShell Remoting)
    • Persistence
      • ACLs
      • Custom SSP
      • DSRM
      • Diamond Ticket
      • Golden Certificates
      • Golden Tickets
      • SID History
      • Silver Tickets
      • Skeleton Key
    • Privilege Escalation
      • Constrained Delegation
      • DNSAdmins
      • Kerberoast
      • Unconstrained Delegation
    • Protocols
      • MSRPC
      • SMB
      • WinRM
Powered by GitBook
On this page
  • LSASS
  • Registry Credentials
  • Powershell History
Edit on GitHub
  1. Active Directory
  2. AD Concepts

Credentials

LSASS

  • The credentials are cached in a process called LSASS (Local Security Authority Subsystem Service), which runs as lsass.exe.

  • Manages the security related operations of the computer, including user authentication.

  • Credentials are cached when a user performs an interactive logon, physically or via RDP.

  • LSASS uses the credentials cached by various SSPs like:

    • Kerberos SSP: Stores tickets and keys for logged on users.

    • NTLP SSP: Stores NTLM hash of the current users.

    • Digest SSP: Used to store clear text password in memory before windows 2008 R2.

  • LSASS process is accessible to users with SeDebugPrivilege (Administrators hold this privilege)

  • Mimikatz's sekurlsa module can be used to extract credentials from the LSASS memory.

  • LSASS is a very heavily monitored and secure process. MDR and EDRs keeps a big eye on LSASS all the time. Even if you open a handle to the process, EDRs will generate an alert.

Registry Credentials

SECURITY Hive

  • HKLM\Security\Policy\Secrets

  • Also knows as the LSA Secrets

  • A special storage in registry only accessible to SYSTEM.

  • Encrypted with SysKey or BootKey

  • The LSA Secrets stores:

    • Domain controller account: Username and password of the computer accounts are stored here.

    • Service User Passwords: when a service needs to be run by a user on the computer, the password for that user is stored here.

    • AutoLogon Password: If Auto-logon is enabled, the password is stored in the LSA secrets.

    • DPAPI Master Key: The master keys are stored here. If retrieved, user data can be decrypted.

SAM Hive

SAM hive contains the NT hash of the local users for that machine.

SYSTEM Hive

The System Hive contains the SysKey and BootKey that is used to encrypt the data in SAM and SECURITY hives.

Powershell History

  • Passwords can be stored in powershell history files.

  • Query powershell history file:

Get-PSReadLineOption).HistorySavePath

  • Get Powershell history for the user:

Get-childItem C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ConsoleHost_history.txt

  • To Disable history in powershell

Set-PSReadLineOption -HistorySaveStype SaveNothing # Disables history in powershell

Last updated 6 months ago