If you are reading this post on a PC, there is a good chance that your Windows® password is stored in its memory right now. If an attacker gets enough of a foothold on your computer, he or she may be able to pull your password straight out of its memory by using a tool like mimikatz, a program written for that purpose. The attacker might then be able to use it in other locations on the corporate network. Over the years, Microsoft has created many methods that allow us to prove who we are to other computers on our networks. Many of them have subtle flaws that can lead to a security compromise, and yet we still use them today. This post will discuss how to reduce the risk of one of the leading threats organizations face after they have been compromised – memory password scraping.
Windows passwords are stored on computers to accommodate backward compatibility and to make the operating system easier to use. Besides some of the changes we will discuss later, Microsoft hasn’t introduced many innovations for Windows and Active Directory® authentication in a while. We are learning that things we thought were secure 10 or 20 years ago often are not secure today.
Let’s go through a hypothetical scenario. If Bob in accounting calls Alice from IT to ask her to do some IT support on his computer, she may have to run some applications from her more privileged account on Bob’s computer. Once she logs into his computer, both of their passwords are stored in memory on Bob’s computer. If later that day Bob receives a malicious email giving an attacker access to the network, the attacker can then run mimikatz as though Bob were running it. Because Alice’s password is stored in memory as well, the attacker would have her username and password, and since Alice is in IT, that account likely has access to other resources on the network.
When an attacker is in a position to run mimikatz, traditional antivirus software has already failed to control the running of malicious applications. The same administrator privilege that allows someone to run mimikatz also can allow him or her to disable antivirus software. Many people don’t realize it, but most antivirus products scan only files already downloaded and stored on disk. Smart attackers make every attempt not to be detected by antivirus software. So, these attackers will load mimikatz directly into memory to be able to bypass most current antivirus protections. Preventing viruses with antivirus software tends to be a cat-and-mouse game between attackers and defenders and should not be relied on completely for preventing attacks like this one. Antivirus software is meant to stop the internet equivalent of driftwood. Stronger defenses are needed to catch more targeted attacks.
The first major step to helping prevent these kinds of attacks is to revisit end-user administrative access. Mimikatz requires administrator-level access to the computer to fetch passwords out of memory. In the Alice and Bob scenario, if Bob is not an administrator on the computer or the attacker is not able to escalate Bob’s privileges to those of an administrator, then the attacker should be unable to run mimikatz to get Alice’s password.
Administrator access to a computer is granted for many reasons. Three of the most common reasons are:
One of the features that Microsoft introduced in the latest version of Active Directory was the built-in group “Protected Users.” When the Active Directory domain is upgraded to a functional level of 2012 R2, this group is automatically available. The Protected Users group prevents plain-text passwords and NTLM hashes from being stored in memory by client computers. This feature also was provided for Windows 7, Windows Server 2008 R2, and Windows Server 2012 clients in the update KB2871997. NTLM is an authentication protocol that obfuscates a user’s password. Unfortunately, because of how NTLM authentication works, anyone who possesses the hash can impersonate the user. This is often called “pass the hash.”
If an attacker manages to run mimikatz on a computer, he or she will not have access to the plain-text passwords or the NTLM hashes of members of the Protected Users group. But the Protected Users group does have some drawbacks. It will prompt affected users more often for their usernames and passwords, may have compatibility issues with legacy applications, and is not appropriate for service accounts.
A new feature of Windows 10 Enterprise allows you to run the authentication process (lsass.exe) on its own virtual machine. This effectively puts Windows and the authentication process each in their own container and runs them in parallel. The technology is called Credential Guard and is used as a part of Virtual Secure Mode. This method does not always protect passwords because certain types of authentication, such as remote desktop and digest authentication, will still cause the credentials to be stored in memory. This setup also prevents some legacy authentication methods and limits client-side certificates that are used for domain authentication.
While Microsoft has provided some tools to help defend against password scraping attacks such as mimikatz, ultimately the most effective method of defense is limiting privileged and administrator access for all users, including IT personnel, to the Windows systems of the environment.
Microsoft, Windows, and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
Steve Stevenson | Posted: Jan. 5, 2017
Great description of password scraping, I learnt a lot. Thank you!
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.