MITRE ATT&CK™

MITRE ATT&CK vulnerability spotlight: Credentials in registry

Howard Poston
November 27, 2019 by
Howard Poston

Introduction

MITRE is a U.S. government federally-funded research and development center (FFRDC). Its purpose is to act as a trusted third-party for the U.S. government, perform research and development, and provide unbiased audits of commercial tools, processes and more for the government.

As part of MITRE’s research and development efforts, they have developed the MITRE ATT&CK tool to help formalize cybersecurity research and development, penetration testing exercises and design of cybersecurity defenses. The MITRE ATT&CK tool breaks the life cycle of a cyberattack into discrete stages with specific objectives and describes the various means by which each objective could be achieved by an attacker.

Why are credentials in the registry?

One of the attack stages as described in the MITRE ATT&CK tool is credential access, where a hacker tries to steal user credential information to gain access to new accounts or elevate privileges on a compromised system. One of the means by which an attacker can perform this stage of an attack is by extracting credentials from where they are stored in the Windows registry.

The Windows registry acts as a system-wide configuration file for the Windows OS and the applications running on it. It has a hierarchical structure with a few root “hives” and trees of subfolders. These subfolders can contain other folders and/or registry keys of a given parameter and its value.

Windows provides the ability to secure different keys within the Windows registry at different levels. Several different permissions can be given to a registry key and they include access control lists that describe who has those permissions.

If an attacker has the necessary level of access to a target system, they might be able to extract user credentials from the Windows registry. Credential information is stored in the registry for a few different reasons:

  • If a service is run under the context of a local or domain user
  • If a user has enabled auto-login for their account
  • If an application caches credentials in the registry.
  • The SAM file is cached in the registry while the system is running

If an attacker has the necessary level of permissions to access a certain section of the registry, they can leverage that access to steal user authentication information. Depending on the reason the credentials are cached, this could provide access to plaintext passwords or to password hashes that can then be cracked offline.

Examples of credentials in registry

Passwords can be cached in the Windows registry for a few different reasons. Several of these are intentional features of the Windows operating system while others are implemented by independent applications.

SAM file caching

The Windows SAM file contains the hashes of all of the accounts on the system. Gaining access to this file allows an attacker to crack the password hashes offline and gain access to legitimate credentials on the system.


The SAM file is stored HKEY_LOCAL_MACHINESAMSAM within the Windows registry. However, the hashes are only accessible to users with SYSTEM permissions. Several different tools, like Mimikatz and Pwdump, are designed to gain access to these credentials and dump them for the user.

Application credential caching

User credentials can also be placed within the Windows registry by individual applications. If this is the case, they may not be properly protected and accessible to less-privileged users.

Searching the registry for keywords can be accomplished using the reg command in PowerShell. For example, the command:

reg query HKLM /f password /t REG_SZ /s

… searches the HKEY_LOCAL_MACHINE hive for data containing the string “password” of type REG_SZ. The command can be used to search the HKEY_CURRENT_USER hive by substituting HKCU for HKLM and can be used to search for different keywords as well.

As shown in the screenshot above, searching the registry in this way can identify locations where applications have cached user credentials.

Camtasia is a video editing studio with the ability to upload edited videos to Vimeo. The registry key found above contains the user’s authentication information for a Vimeo account and was found by using the command above to search the HKCU hive. Similar cached passwords could give an attacker access to other useful online accounts.

Detection and mitigation

The best way to deal with the potential of credential compromise from the Windows registry is to ensure that none are placed there. Training developers not to cache credentials in the registry can decrease the probability of an application leaking sensitive data.

However, user credentials will probably still end up in the registry. Performing searches for cached credentials can help to detect and remove them before they can be stolen by an attacker. If credentials must be stored in the registry for some reason, then the associated accounts should be limited to the minimum possible set of privileges to limit the impact of a potential compromise.

Windows also caches credential information in the registry in the SAM folder, which can be accessed by some hacking tools. However, Windows also has built-in functionality to protect against this. Enabling Credential Guard on Windows 10 can prevent tools like Meterpreter from dumping the SAM file from the Windows registry.

Conclusion: Protecting against credentials in registry

The Windows registry is designed to store information that can be useful to the Windows operating system and the applications that run on it. However, this useful information includes credentials, which could be extracted and used by an attacker with the appropriate level of access to the system.

Minimizing the number of credentials exposed in the registry can be accomplished by limiting the applications that will cache them there, scanning for exposed credentials and activating built-in protections like Credential Guard on Windows. However, it is also important to minimize the impact of any credentials that are breached by implementing least privilege and deploying multi-factor authentication, especially for high-value accounts such as the administrator.

 

Sources

  1. Credentials in Registry, MITRE
  2. How to extract Cached Credentials & LSA secrets, Online Hash Crack
  3. Detecting And Defending Against Pass The Hash Attacks, Ipswitch
Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.