Credential Replay Attacks
A credential replay attack is an attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
- mostly targets Windows Active Directory networks
When is it Used
- Once an attacker gains an initial foothold in a network,
- the next objective is likely to identify data assets
- to do so, the attacker needs to perform:
- lateral movement to compromise other hosts
- privilege escalation to gain more permissions over network assets
- credential replay is used to facilitate both of these steps
How it Works against AD
- If a user account on a Windows host has authenticated to an Active Directory domain network,
- the Local Security Authority Subsystem Service (LSASS) caches various secrets in memory and in the Security Account Manager (SAM) registry database
- to facilitate single sign-on
- secrets include:
- Kerberos Ticket Granting Ticket (TGT) and session key
- allows the host to request service tickets to access applications
- Service tickets for applications where the user has started a session
- NT hash of local and domain user and service accounts that are currently signed in
- NTLM protocol is deprecated for most uses
- but the NT hash is still used as the credential storage format
- can be involved in signing Kerberos requests and responses
- if different users are signed in on the same host,
- secrets for all these accounts could be cached by LSASS
Info
- LSASS purges hashes from memory within a few minutes of the user signing out
- The SAM database caches local and Microsoft account credentials,
- but not domain credentials
- Some editions of Windows implement a virtualization feature called Credential Guard to protect these secrets from malicious processes,
- even if they have SYSTEM permissions
- threat actors use various methods to obtain and exploit these locally stored secrets
- e.g.,
- if a threat actor obtains an NT hash,
- they can use a pass the hash (PtH) attack to start a session on another host
- if that host is running a service that allows NTLM auth
- e.g., file sharing or RDP
How it Works against Kerberos
- Legacy NTLM is usually disabled for security, so attacks against Kerberos may be used instead
- pass the ticket (PtT) attacks:
- a golden ticket attack attempts to forge a ticket granting ticket
- If successful,
- gives the threat actor effectively unrestricted access to all domain resources
- a silver ticket attack attempts to forge service tickets
Mitigation
- Ensure hosts are fully patched
- use secure configuration baselines
- configure the detection system to correlate a sequence of security log events
- can be prone to false positives
- AV or IDS can detect the malware code used to dump credentials or launch ticket forgery attacks
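One shape of the log-correlation rule the mitigation bullet describes, as an added example that is not part of the original notes: it flags an account whose NTLM network logons (Windows Security event 4624, logon type 3) fan out to several hosts within a short window, and shows why an exemption list is needed for the false positives the notes warn about. Field names follow the 4624 event schema; the event records, thresholds and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) records,
# trimmed to the fields the rule uses. Field names follow the 4624 schema:
# LogonType 3 = network logon, AuthenticationPackageName NTLM vs Kerberos.
SAMPLE_EVENTS = [
    # bob: NTLM network logons to four hosts in under two minutes
    {"t": "2024-05-01T09:00:05", "host": "FS01", "user": "bob", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T09:00:31", "host": "FS02", "user": "bob", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T09:01:02", "host": "WS17", "user": "bob", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T09:01:40", "host": "DC01", "user": "bob", "type": 3, "pkg": "NTLM"},
    # carol: two hosts, but via Kerberos; on its own this is ordinary SSO traffic
    {"t": "2024-05-01T09:02:00", "host": "FS01", "user": "carol", "type": 3, "pkg": "Kerberos"},
    {"t": "2024-05-01T09:02:10", "host": "FS02", "user": "carol", "type": 3, "pkg": "Kerberos"},
    # dave: five NTLM hosts, but spread over two hours
    {"t": "2024-05-01T10:00:00", "host": "FS01", "user": "dave", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T10:30:00", "host": "FS02", "user": "dave", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T11:00:00", "host": "FS03", "user": "dave", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T11:30:00", "host": "FS04", "user": "dave", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T12:00:00", "host": "FS05", "user": "dave", "type": 3, "pkg": "NTLM"},
    # svc_backup: legitimate nightly NTLM sweep of many hosts (a false-positive source)
    {"t": "2024-05-01T23:00:01", "host": "FS01", "user": "svc_backup", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T23:00:02", "host": "FS02", "user": "svc_backup", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T23:00:03", "host": "FS03", "user": "svc_backup", "type": 3, "pkg": "NTLM"},
    {"t": "2024-05-01T23:00:04", "host": "FS04", "user": "svc_backup", "type": 3, "pkg": "NTLM"},
]

def detect_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=4, exempt=frozenset()):
    """Return {user: sorted hosts} for accounts whose NTLM network logons reach
    min_hosts distinct hosts inside one sliding window. `exempt` holds accounts
    whose behaviour is known-good (e.g. backup agents) to cut false positives."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == 3 and e["pkg"].upper() == "NTLM" and e["user"] not in exempt:
            by_user[e["user"]].append((datetime.fromisoformat(e["t"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so each index can start a window
        for i in range(len(logons)):
            start = logons[i][0]
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    print(detect_ntlm_fanout(SAMPLE_EVENTS, exempt={"svc_backup"}))
```

Running it without the exemption list also flags svc_backup, which is the false-positive case the notes mention; the threshold and window are tuning knobs, not fixed values.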