
Administrators typically use Remote Desktop Protocol (RDP) to manage Windows environments remotely. RDP is also commonly enabled on systems that act as jump stations, allowing users to reach other networks. However, even though the protocol is widely used, most of the time it is neither hardened nor monitored properly.

From a red teaming perspective, dumping credentials from the lsass process can lead either to lateral movement across the network or directly to full domain compromise if credentials for a domain admin account have been cached there. Processes associated with the RDP protocol can also be in scope for red teams harvesting credentials.

Because of how the Windows authentication mechanism works, RDP credentials are stored in plain text in the memory of a svchost process, as discovered by Jonas Lyk. When a user authenticates over an RDP connection, the terminal service (TermService) that handles the session is hosted by svchost. The service host (svchost.exe) is a system process that can host multiple services in order to reduce resource consumption. That svchost instance can therefore be targeted as an alternative way to retrieve credentials without touching lsass, which is typically a heavily monitored process for endpoint detection and response (EDR) products.
