In many targeted attack case, harvesting windows credential play an important
role in later movement phase. Hacker can use psexec to remote access machine
with password hash directly. Hash dump technique and source code is public
availble, and maight be customised for attacks.
One of hash dump method is reading the sam information from registry.
Two keys accessed:
1 HKLM\SAM\SAM\Domains\Account\Users\
2 HKLM\System\CurrentControlSet\Control\Lsa
The first key can only be accessed with system privelege. Block it if it
accessed by un-trust process.
More reference:
http://media.blackhat.com/bh-us-
.rb
role in later movement phase. Hacker can use psexec to remote access machine
with password hash directly. Hash dump technique and source code is public
availble, and maight be customised for attacks.
One of hash dump method is reading the sam information from registry.
Two keys accessed:
1 HKLM\SAM\SAM\Domains\Account\Users\
2 HKLM\System\CurrentControlSet\Control\Lsa
The first key can only be accessed with system privelege. Block it if it
accessed by un-trust process.
More reference:
http://media.blackhat.com/bh-us-
12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
.rb