How to Mitigate Against Domain Credential Theft

Stolen domain credentials are a much bigger problem than most realize. A recent Dark Web audit by the Digital Shadows Photon Research Team showed 15 billion stolen usernames and passwords circulating on the Dark Web — more than two sets of pilfered credentials for every living person. Furthermore, credential theft rose a staggering 300% from 2018 through 2020.

How Attackers Use Domain Credentials
Attackers reuse stolen domain credentials found on compromised machines.

Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). Typically, they are established for users when their logon data is authenticated by a registered security package like the Kerberos protocol.

Microsoft Windows manages usernames and passwords of domain users using Local Security Authority Subsystem Service (LSASS). Attackers can dump the LSASS memory and use tools like Mimikatz to run the command sekurlsa::logonpasswords for access to passwords they can reuse on other computers.

When an attacker gains a foothold on a compromised machine, they first dump the LSASS memory, then use tools like Mimikatz to run the command: sekurlsa::logonpasswords

Output from logonpasswords resembles:

Authentication Id: 0 ; 515764 (00000000:0007deb4)
Session: Interactive from 2
User Name: Gentil Kiwi
Domain: vm-w7-ult-x

SID: S-1-5-21-1982681256-1210654043-1600862990-1000
   msv: [00000003] Primary
      Username : Gentil Kiwi
      Domain : vm-w7-ult-x
      LM: d0e9aee149655a6075e4540af1f22d3b
      NTLM: cc36cf7a8514893efccd332446158b1a
      SHA1: a299912f3dc7cf0023aef8e4361abfc03e9a8c30
      tspkg:
      Username: Gentil Kiwi
      Domain: vm-w7-ult-x
      Password: waza1234/

Each grouping of output reflects a Windows Logon Session. In each session, the grouping can be msv/tspkg/ssm/etc, representing Mimikatz modules used to extract passwords. Under each Mimikatz module, we find the password in various forms:

With password hash, an attacker has three options. They can crack the password hash; use Pass the Hash or Pass the Ticket techniques. Regardless of password type, the attacker can connect to and run code on a remote computer in several ways, including, remote desktop, Windows management instrumentation WMI, service control manager, Windows task scheduler, remote registry, and Windows Remote Management.

Domain credentials can be used in both the same domain and different domains. Cross-domain use is visible to the users being authenticated. To enable cross-domain user authentication, use the Active Directory Trust capabilities.

When one domain trusts another, users can authenticate across them but still need permissions for the second domain to perform high-privileged operations like managing remote computers.

IT teams frequently add a Domain Admins group from one domain to the Domain Admins group of another. This gives every admin user access to every trusting domain. However, this practice is best avoided, as it often leads to cross-domain attacks.

To circumvent or prevent attacks and breaches, consider these best practices and mitigation steps.

Reduce Non-Essential Interactive Logons
The interactive logon method is often used to manage remote computers, but there are better ways to do so without leaving your credentials behind, like Microsoft Restricted Admin and other Network Logon methods. Read more here.

Monitor Logon Events
When interactive logon appears, event 4624 is generated, representing "an account was successfully logged on." You can monitor such events by filtering for event-id 4624 in the security event log.

From the filtered list, you can determine which users are connected via interactive login or have previously connected that way.

Entries tagged as Logon Type 2 indicate an interactive logon.

To run equivalent queries on the Event Log from the command line, enter:

WEVTUtil query-events /count:1000 Security /rd:true /format:text "/q:*[System [(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='<SOME_USER>']]"

Logon events from the Security Event Log indicate the origin of an interactive logon, and often include the IP address of the computer that performed the authentication and ID of the process involved.

Use Credential Guard
The Credential Guard feature in Windows 10 employs a virtual machine to protect credentials from dumping tools like Mimikatz. Although attackers can bypass it using Access Tokens, Credential Guard is still the best passive protection currently available.

Activate Protected Process Light (PPL)
PPL provides protection around the LSASS process, limiting the ability of attackers to dump memory and steal passwords. While PPL can be bypassed with tools like Mimikatz signed driver, it's still recommended for protecting in-memory passwords from low-skill bad actors.

Monitor Protected Users
Microsoft Protected Users Group is an Active Directory that restricts users to Kerberos tickets for authentication. Since Kerberos tickets expire quickly and are not renewable, they protect against credential theft and abuse.

Install Two-Factor Authentication
Enabling multifactor increases the security of your environment. Without it, anyone who gets control of your credential can take over your user.

Adopt the Attacker Perspective
The best way to defeat an adversary is to view your defenses through their eyes. Focusing on attack-centric exposure prioritization can help you accomplish this. By simulating attacks across on-premises and cloud networks, these tools can help you find and remediate critical attack paths, demonstrably reducing the risk associated with credential theft and other common tactics. By looking through the attacker's eyes, you can see where you are vulnerable — and which vulnerabilities present grave risk to business-critical assets.

Domain credential theft numbers are skyrocketing, so cybersecurity teams must take concrete steps to improve their defenses. Following these best practices and deploying the right tools is the best way to ensure that happens.