Avoiding credentials reuse attacks


Adversaries reuse credentials all the time. How can you check for and prevent credential reuse attacks?

Deny them by leveraging new (and old) security features.

Reusable credentials

| Method | Logon type | Reusable credentials |
|---|---|---|
| Log to console (+KVM) | Interactive | Yes |
| RUNAS | Interactive | Yes |
| Remote desktop | RemoteInteractive | Yes |
| WinRM+CredSSP | NetworkClearText | Yes |
| PSExec with explicit credentials | Network+Interactive | Yes |
| Scheduled Task | Batch | Yes (as LSA secret) |
| Services | Service | Yes (as LSA secret) |
| IIS Basic Authentication | NetworkClearText | Yes |
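
One way to check which logons on a host fall into the "Yes" rows of this table, as an added example that is not part of the original post: it reads Security event 4624 records as XML and reports those whose LogonType is one the table lists. The function name, the LAB domain and the sample events are constructed for illustration; the numeric LogonType codes are the standard Windows values and do not appear on the page.

```powershell
# Added example. LogonType codes from event 4624, mapped to the table's names.
# Type 3 (Network) is left out: the table does not list it on its own.
$ReusableLogonTypes = @{
    2  = 'Interactive'
    4  = 'Batch'
    5  = 'Service'
    8  = 'NetworkClearText'
    10 = 'RemoteInteractive'
}

function Get-ReusableCredentialLogon {
    # Hypothetical helper: takes 4624 event XML strings from the pipeline and
    # emits one object per logon that leaves reusable credentials on the host.
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $type = [int]$data['LogonType']
        if ($ReusableLogonTypes.ContainsKey($type)) {
            [pscustomobject]@{
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $ReusableLogonTypes[$type]
                Source    = $data['IpAddress']
            }
        }
    }
}

# Constructed sample events (only the fields the function reads).
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>{0}</Data><Data Name='TargetDomainName'>LAB</Data>" +
    "<Data Name='LogonType'>{1}</Data><Data Name='IpAddress'>{2}</Data></EventData></Event>"
$samples = ($template -f 'alice', 10, '192.0.2.10'),
           ($template -f 'svc-sql', 5, '-'),
           ($template -f 'bob', 3, '192.0.2.20')

# Summarise which accounts left reusable credentials, and by which logon type.
$samples | Get-ReusableCredentialLogon |
    Group-Object User, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On a live host (elevated session), feed real events instead of $samples:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | Get-ReusableCredentialLogon
```

Privileged accounts that show up in this output on lower-trust machines are the ones to move to the mitigations in the next table first.
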

Protecting credentials

| Method | Mitigation |
|---|---|
| Log to console (+KVM) | Credential Guard (Windows 10/Windows Server 2016) |
| RUNAS | Credential Guard (Windows 10/Windows Server 2016) |
| Remote desktop | Remote Credential Guard (Windows 10/Windows Server 2016) |
| WinRM+CredSSP | Just Enough Administration or Invoke-Command (Windows Server 2012) |
| PSExec with explicit credentials | Use WinRM (without CredSSP) |
| Scheduled Task | Group Managed Service Account (Windows Server 2012 R2) |
| Services | Group Managed Service Account (Windows Server 2012 R2) |
| IIS Basic Authentication | Windows Authentication |

 
