- Jun 9, 2013
- 6,720
CyberArk Labs unveiled new research detailing what it considers to be a significant risk across all Windows endpoints, including those on Windows 10 with Credential Guard enabled. The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.
Microsoft Credential Guard was introduced to mitigate the risk of lateral movement using compromised credentials, yet Credential Guard does not protect domain-level user and service credentials equally.
Despite being encrypted, domain-level service credentials remain in the registry, at risk of compromise by attackers who have obtained local administrator privileges on an infected endpoint.
Similar in concept to Pass-the-Hash attacks, if fully exploited, cyber attackers could compromise and reuse an encrypted service credential – without ever needing to decrypt it – to move laterally through the organization and ultimately be able to gain access to a domain controller.
From stolen credential to domain compromise
In a proof of concept, researchers were able to demonstrate that attackers with local administrator access on a single user’s machine could compromise domain-level service credentials and reuse them in encrypted form to achieve lateral movement and full domain compromise, even when Credential Guard is enabled.
The testing showed that an attacker with local administrator access would not have to use malware to execute this type of attack, and by exploiting this risk, an attacker could gain full ownership of the entire domain in just minutes.
Full Article. Researchers identify domain-level service credential exploit - Help Net Security
Microsoft Credential Guard was introduced to mitigate the risk of lateral movement using compromised credentials, yet Credential Guard does not protect domain-level user and service credentials equally.
Despite being encrypted, domain-level service credentials remain in the registry, at risk of compromise by attackers who have obtained local administrator privileges on an infected endpoint.
Similar in concept to Pass-the-Hash attacks, if fully exploited, cyber attackers could compromise and reuse an encrypted service credential – without ever needing to decrypt it – to move laterally through the organization and ultimately be able to gain access to a domain controller.
From stolen credential to domain compromise
In a proof of concept, researchers were able to demonstrate that attackers with local administrator access on a single user’s machine could compromise domain-level service credentials and reuse them in encrypted form to achieve lateral movement and full domain compromise, even when Credential Guard is enabled.
The testing showed that an attacker with local administrator access would not have to use malware to execute this type of attack, and by exploiting this risk, an attacker could gain full ownership of the entire domain in just minutes.
Full Article. Researchers identify domain-level service credential exploit - Help Net Security
