Atomic Red Team Tools -1: Cached Credential Dump via Cmdkey
15 November, 2022
As I was working on a pentest report recently, I noticed that a few of the common quick wins for pentesters came from the ability to dump credentials from the cache using cmdkey.
Rule Name: Cached Credential Dump via Cmdkey
Now, what is cmdkey?
Cmdkey is a built-in Windows tool that stores domain (or local) user credentials in the user's Credential Manager for use against specific target machines. It can create, list, and delete stored user names and passwords or credentials. Two properties make it interesting:
1. You can list and create credentials with cmdkey as a regular domain user; no elevation is required.
2. It is often used to perform administrative tasks on remote systems, so the stored credentials are frequently for a privileged account.
This seems like an opportunity for privilege escalation! So, I decided to dig a bit deeper and play out a possible scenario for an internal penetration test.
An example: you have established a beacon on a domain user's workstation. The user has no local administrator rights and no elevated privileges on any other system, so they keep a secondary account for remote administration, and they have saved its credentials with cmdkey to make their lives easier.
The Atomic Red Team test description reads: list credentials currently stored on the host via the built-in Windows utility cmdkey.exe. Credentials listed with cmdkey only pertain to the current user. Passwords will not be displayed once they are stored, so the listing reveals which targets and account names the user has saved, not the secrets themselves.
Real-time example: using Atomic Red Team, we can execute the test on a Windows host, collect the resulting Sysmon events (Event ID 1, process creation) and monitor them in an ELK SIEM.
T1003.005 Cached Credential Dump via Cmdkey (the test runs “cmdkey /list”)
Let’s go and check in SIEM:
cmdkey events in ELK
Process executions displayed in SIEM
Let’s create alerts in ELK
ELK query to detect cmdkey executions
The field used here, winlog.event_data.CommandLine (Winlogbeat's name for Sysmon's CommandLine field), is specific to this pipeline; other SIEM tools parse Sysmon differently and their field names and mappings may differ as well.
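As an added example (this is not code from the original post or from Atomic Red Team), here is the alert logic from the screenshot above written out in Python and run over a handful of constructed Winlogbeat-style Sysmon process-creation events, plus the equivalent Elasticsearch query. The field names (winlog.channel, event.code, winlog.event_data.CommandLine, Image, OriginalFileName, User, computer_name) follow Winlogbeat's ECS mapping and are an assumption, as are the host names, user names and command lines in the sample data.

```python
"""Detection for Atomic Red Team T1003.005 test #1 (cmdkey /list) over
Sysmon Event ID 1 records as shipped by Winlogbeat.

Added example; not part of the original post or of Atomic Red Team.
Field names assume Winlogbeat's ECS mapping of Sysmon events.
"""
import re

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
PROCESS_CREATE = "1"  # Sysmon Event ID 1

# "cmdkey" or "cmdkey.exe" as its own token: at line start, after a path
# separator, whitespace or a quote, and followed by end/space/quote, so a
# file such as cmdkey_notes.txt does not match.
CMDKEY_RE = re.compile(r'(?:^|[\s"\\/])cmdkey(?:\.exe)?(?=$|[\s"])', re.IGNORECASE)
# /pass:<secret> on the command line ends up verbatim in the Sysmon event.
PASS_RE = re.compile(r"(/pass:)\S+", re.IGNORECASE)

# Constructed sample events (hypothetical host CORP\jdoe on WKS01).
SAMPLE_EVENTS = [
    {"event": {"code": "1"}, "winlog": {"channel": SYSMON_CHANNEL, "computer_name": "WKS01.corp.local",
        "event_data": {"Image": "C:\\Windows\\System32\\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
                       "CommandLine": "cmdkey  /list", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                       "User": "CORP\\jdoe"}}},
    {"event": {"code": "1"}, "winlog": {"channel": SYSMON_CHANNEL, "computer_name": "WKS01.corp.local",
        "event_data": {"Image": "C:\\Windows\\System32\\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
                       "CommandLine": '"C:\\Windows\\System32\\cmdkey.exe" /add:srv01 /user:CORP\\jdoe-adm /pass:Winter2022!',
                       "User": "CORP\\jdoe"}}},
    {"event": {"code": "1"}, "winlog": {"channel": SYSMON_CHANNEL, "computer_name": "WKS01.corp.local",
        "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
                       "CommandLine": "cmd.exe /c whoami", "User": "CORP\\jdoe"}}},
    {"event": {"code": "3"}, "winlog": {"channel": SYSMON_CHANNEL,  # network event, not process creation
        "event_data": {"Image": "C:\\Windows\\System32\\cmdkey.exe"}}},
    {"event": {"code": "1"}, "winlog": {"channel": SYSMON_CHANNEL, "computer_name": "WKS01.corp.local",
        "event_data": {"Image": "C:\\Users\\Public\\ck.exe", "OriginalFileName": "cmdkey.exe",  # renamed copy
                       "CommandLine": "ck.exe /list", "User": "CORP\\jdoe"}}},
    {"event": {"code": "1"}, "winlog": {"channel": SYSMON_CHANNEL, "computer_name": "WKS01.corp.local",
        "event_data": {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
                       "CommandLine": "notepad.exe C:\\notes\\cmdkey_notes.txt", "User": "CORP\\jdoe"}}},
]


def is_cmdkey_execution(event: dict) -> bool:
    """True for a Sysmon process-creation event that launched cmdkey.exe.

    Three signals are checked so a renamed binary still fires: the image
    path, the PE OriginalFileName that Sysmon copies from the version
    resource, and the command line itself.
    """
    if str(event.get("event", {}).get("code")) != PROCESS_CREATE:
        return False
    winlog = event.get("winlog", {})
    if winlog.get("channel") != SYSMON_CHANNEL:
        return False
    data = winlog.get("event_data", {})
    image = data.get("Image", "").lower()
    original = data.get("OriginalFileName", "").lower()
    cmdline = data.get("CommandLine", "")
    return (image.endswith("\\cmdkey.exe")
            or original == "cmdkey.exe"
            or CMDKEY_RE.search(cmdline) is not None)


def cmdkey_action(cmdline: str) -> str:
    """Classify by the first cmdkey switch: list, store (/add, /generic), delete."""
    for token in cmdline.split():
        if token.startswith("/"):
            switch = token[1:].split(":", 1)[0].lower()
            return {"list": "list", "add": "store", "generic": "store", "delete": "delete"}.get(switch, "other")
    return "other"


def detect(events: list) -> list:
    """Return one alert per matching event, with any /pass: value redacted."""
    alerts = []
    for event in events:
        if not is_cmdkey_execution(event):
            continue
        data = event["winlog"].get("event_data", {})
        cmdline = data.get("CommandLine", "")
        alerts.append({
            "rule": "Cached Credential Dump via Cmdkey",
            "technique": "T1003.005",
            "host": event["winlog"].get("computer_name", ""),
            "user": data.get("User", ""),
            "image": data.get("Image", ""),
            "action": cmdkey_action(cmdline),
            "command_line": PASS_RE.sub(r"\1<redacted>", cmdline),
        })
    return alerts


# The same logic as an Elasticsearch query for a Kibana alert (assumed
# Winlogbeat field names; the wildcard is looser than CMDKEY_RE because
# Lucene wildcards have no word boundaries).
ALERT_QUERY = {"query": {"bool": {
    "filter": [{"term": {"winlog.channel": SYSMON_CHANNEL}},
               {"term": {"event.code": PROCESS_CREATE}}],
    "should": [
        {"wildcard": {"winlog.event_data.Image": {"value": "*\\\\cmdkey.exe", "case_insensitive": True}}},
        {"term": {"winlog.event_data.OriginalFileName": "cmdkey.exe"}},
        {"wildcard": {"winlog.event_data.CommandLine": {"value": "*cmdkey*", "case_insensitive": True}}},
    ],
    "minimum_should_match": 1,
}}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two details worth keeping when you port this to your own SIEM: matching on OriginalFileName catches a copy of cmdkey.exe that has been renamed, which an image-path or command-line match alone misses; and because Sysmon Event ID 1 records the full command line, a user who saved credentials with a /pass: argument has written the password into the log, so the alert output should redact it before it reaches a ticket or a chat channel.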
Alert triggered:
Alert triggered 🙂
This scenario will not come up on every engagement, but it is trivial to check for. When you are working from a limited foothold and looking for quick privilege-escalation wins, just run the command “cmdkey /list” and see whether the user has any stored credentials.
Credits: Atomic Red Team Tools 🙂