What is the primary goal of the Credential Access tactic [TA0006]?
An adversary attempts to steal authentication material of users, such as usernames, passwords, hashes, or Kerberos tickets.
Why might an adversary prefer using legitimate credentials over exploiting software vulnerabilities?
Leveraging legitimate credentials to access resources is often less suspicious and easier to perform.
The technique of stealing credentials from web browsers is tracked under which MITRE ATT&CK ID?
T1555.003.
How do web browsers typically encrypt saved credentials on Windows?
They use the Windows Data Protection API (DPAPI) and store them in a local database.
What is the typical file path structure for the SQLite database where Chromium-based browsers store login data?
%LOCALAPPDATA%<vendor><browser>\User Data\Default\Login Data.
What tool is mentioned for automatically reading and decrypting credentials from a browser’s database?
SharpChrome.
What command would you use with SharpChrome to extract saved logins?
execute-assembly C:\Tools\SharpDPAPI\SharpChrome\bin\Release\SharpChrome.exe logins
What integrity context is required to extract saved credentials from web browsers using a tool like SharpChrome?
A medium-integrity context.
What type of credentials does the Windows Credential Manager typically store?
Credentials the user has asked Windows to save, such as those for Remote Desktop connections.
The technique of stealing credentials from the Windows Credential Manager is tracked under which MITRE ATT&CK ID?
T1555.004.
Which native Windows utility can be used to show the presence of saved credentials in the Credential Manager?
vaultcmd.
What is the vaultcmd command to list all credentials stored under ‘Windows Credentials’?
vaultcmd /listcreds:”Windows Credentials” /all
In the Windows Credential Manager, credential blobs are encrypted with a randomly-generated AES key, which is itself encrypted using the user’s _____.
master DPAPI key
What tool can automate the process of decrypting credentials stored in the Windows Credential Manager?
SharpDPAPI.
What is the purpose of the /rpc argument in the SharpDPAPI.exe credentials command?
It leverages the Microsoft BackupKey Remote Protocol (MS-BKRP) to ask the domain controller to decrypt the AES key.
Why does using the MS-BKRP protocol with SharpDPAPI work for decrypting credentials?
Because Domain Controllers keep a copy of the user’s master DPAPI key for emergencies.
OS Credential Dumping techniques, such as accessing LSASS memory or the SAM database, generally require what privilege level?
SYSTEM privileges.
What is the primary responsibility of the Local Security Authority Subsystem Service (LSASS) on Windows?
It is responsible for verifying user credentials, handling password changes, and creating access tokens.
The technique of dumping credentials from LSASS memory is tracked under which MITRE ATT&CK ID?
T1003.001.
The Windows _____ provides different authentication mechanisms, such as NTLM and Kerberos, which are loaded by LSASS as DLLs.
Security Support Provider Interface (SSPI)
In Cobalt Strike’s implementation of Mimikatz, what does prepending a command with a ‘!’ character do?
It makes Mimikatz elevate to SYSTEM before running the specified command.
What is the Mimikatz command for dumping NTLM hashes for recently authenticated users?
sekurlsa::logonpasswords.
What is the corresponding Hashcat hash mode for cracking NTLM hashes?
Mode 1000.
Besides cracking, what is another common technique for using stolen NTLM hashes?
Pass-the-hash.
-
Module 144
-
Module 243
-
Module 360
-
Module 466
-
Module 550
-
Module 660
-
Module 762
-
Module 856
-
Module 918
-
Module 1052
-
Module 1153
-
Module 1250
-
Module 1336
-
Module 1441
-
Module 1567
-
Module 1653
-
Module 1728
-
Module 1851
-
Module 1954
-
Module 2022
-
Cobalt Strike User Guide161
-
Cobalt Strike Installation Guide37
