Credentials Protections

WDigest

protocol was introduced in Windows XP and was designed to be used with HTTP Protocol for authentication. Microsoft has this protocol enabled by default in multiple versions of Windows (Windows XP — Windows 8.0 and Windows Server 2003 — Windows Server 2012) which means that plain-text passwords are stored in the LSASS (Local Security Authority Subsystem Service). Mimikatz can interact with the LSASS allowing an attacker to retrieve these credentials through the following command:

sekurlsa::wdigest

This behaviour can be deactivated/activated setting to 1 the value of UseLogonCredential and Negotiate in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest. If these registry keys don't exist or the value is "0", then WDigest will be deactivated.

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

LSA Protection

Microsoft in Windows 8.1 and later has provided additional protection for the LSA to prevent untrusted processes from being able to read its memory or to inject code. This will prevent regular mimikatz.exe sekurlsa:logonpasswords for working properly. To activate this protection you need to set the value RunAsPPL in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA to 1.

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL

Bypass

It is possible to bypass this protection using Mimikatz driver mimidrv.sys:

Credential Guard

In this case Mimikatz cannot do much to bypass this and extract the hashes from LSASS. But you could always add your custom SSP and capture the credentials when a user tries to login in clear-text. More information about **[SSP and how to do this here**](../active-directory-methodology/custom-ssp.md).

reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags

RDP RestrictedAdmin Mode

When you connect to a remote computer using RDP, your credentials are stored on the remote computer that you RDP into. Usually you are using a powerful account to connect to remote servers, and having your credentials stored on all these computers is a security threat indeed.

Using Restricted Admin mode for RDP, when you connect to a remote computer using the command, mstsc.exe /RestrictedAdmin, you will be authenticated to the remote computer, but your credentials will not be stored on that remote computer, as they would have been in the past. This means that if a malware or even a malicious user is active on that remote server, your credentials will not be available on that remote desktop server for the malware to attack.

Note that as your credentials are not being saved on the RDP session if try to access network resources your credentials won't be used. The machine identity will be used instead.

Cached Credentials

Domain credentials are used by operating system components and are authenticated by the Local Security Authority (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data. This registered security package may be the Kerberos protocol or NTLM.

Windows stores the last ten domain login credentials in the event that the domain controller goes offline. If the domain controller goes offline, a user will still be able to log into their computer. This feature is mainly for laptop users that do not regularly log into their company’s domain. The number of credentials that the computer stores can be controlled by the following registry key, or via group policy:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT

The credentials are hidden from normal users, even administrator accounts. The SYSTEM user is the only user that has privileges to view these credentials. In order for an administrator to view these credentials in the registry they must access the registry as a SYSTEM user. The Cached credentials are stored in the registry at the following registry location:

HKEY_LOCAL_MACHINE\SECURITY\Cache

Protected Users

When the signed in user is a member of the Protected Users group the following protections are applied:

• Credential delegation (CredSSP) will not cache the user's plain text credentials even when the Allow delegating default credentials Group Policy setting is enabled.

• Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.

• NTLM will not cache the user's plain text credentials or NT one-way function (NTOWF).

• Kerberos will no longer create DES or RC4 keys. Also it will not cache the user's plain text credentials or long-term keys after the initial TGT is acquired.

• A cached verifier is not created at sign-in or unlock, so offline sign-in is no longer supported.