XDR: Credential Access
Explore the TryHackMe "XDR: Credential Access" room to learn how attackers steal credentials and how XDR helps detect and respond to such threats.
9/30/2025, 5 min read
Task 1 : Introduction
Learning Objectives
After completing this room, you will be able to understand the following:
What are credential access tactics
Discuss various attack techniques and how they can be mitigated
Review incidents related to malicious credential access on the Microsoft Defender XDR portal
Explain how to mitigate and respond to credential access using Microsoft Defender XDR
Let's go!
No Answer Needed
Task 2 : What is Credential Access
Credential access is a critical tactic in the attack kill chain, where threat actors can steal legitimate credentials such as usernames, passwords, tokens, or cryptographic keys to gain unauthorised access to systems, networks, or applications. This technique allows attackers to impersonate users, escalate privileges, move laterally, and maintain persistence across the network. Common methods include brute-force attacks, keylogging, credential dumping from memory, or exploiting a misconfigured authentication service. Because attackers appear as legitimate users, credential access is highly effective and dangerous.
For clarity, it's worth knowing that credential access is not the same as initial access. The major difference is that "initial access (getting in)" is how threat actors gain entry into the target environment, possibly through phishing or exploiting vulnerabilities to establish a first point of entry. On the other hand, credential access (taking control from within) happens after the attacker is already in the environment to steal account credentials, such as usernames, passwords, or hashes, which then provide a gateway to other attack tactics and techniques.
Common credential access techniques:
Brute force: This is when an attacker systematically tries different password combinations to guess valid credentials, trying thousands of possible passwords on a login form until one works to gain unauthorised access.
Credential dumping: This is the process of extracting credentials (usernames, hashes, passwords) from system memory, databases, or files, using tools like Mimikatz or ProcDump to read password hashes from LSASS on a Windows system to gain unauthorised access to the system.
Man-in-the-middle (MitM): This is when a threat actor intercepts and potentially alters communications between two parties, such as intercepting traffic on an unsecured Wi-Fi network, capturing login credentials.
Stealing web session cookies: This is when an attacker captures authentication cookies that keep a user logged in to web applications. A threat actor can steal a session cookie from the browser and use it to impersonate the user without needing a password.
Input capture: This is when attackers capture user input such as keystrokes, screen content, or clipboard data. For example, keyloggers record everything typed by the user, including passwords and chat messages, stealing login information or sensitive details.
Unsecured credentials: Poorly protected credentials, such as plaintext passwords, weak encryption, or credentials stored in insecure locations, are easy targets for malicious actors to retrieve either through direct theft or malware exploitation.
After a successful credential access tactic, can attackers blend in with legitimate users? (Yea/Nay)
Yea
What is the process of extracting credentials from system memory called?
Credential Dumping
Credential access can lead to privilege escalation, lateral movement, and?
Persistence
What factor increases the time required to crack a password exponentially?
Password Complexity
What should be implemented to mitigate automated multiple login attempts?
Account Lockout Policies
Task 3 : Technique - Brute Force
A brute force attack is a technique in which attackers use automated tools to systematically guess passwords, encryption keys, or login credentials through trial and error, trying every possible combination until access is gained. However, as password complexity increases, the time required to crack them increases exponentially, making strong authentication and security controls effective in mitigating brute force attacks.
A brute force attack technique involves the following methods that attackers can use to gain unauthorised access to an organisation's network:
Credential stuffing: This is when attackers use stolen username and password pairs from previous data breaches to fraudulently access user accounts. Exploiting password reuse, attackers automate login attempts across multiple platforms, systematically trying the compromised credentials to find a match. If a match is found, they gain unauthorised access.
Password spraying: This is a type of brute force attack in which attackers attempt to access various accounts using a single common password instead of targeting a single account with various password guesses, potentially helping them evade account lockouts while exploiting weak or default credentials across applications. A threat actor can try simple passwords like “Password123” or “Company@123” on different usernames to gain unauthorised access without triggering security controls.
Password cracking: This is an attack method where threat actors attempt to retrieve passwords from stored hashes or encrypted data to gain unauthorised access. Using specialised password-cracking tools and automated techniques, attackers may recover passwords in a hashed or encrypted format, exploit vulnerabilities, and leverage AI to accelerate cracking speed.
Mitigating Brute Force Techniques
Mitigating brute force attacks requires enforcing strong password policies and ensuring complex passwords are always used, making it difficult for attackers to crack passwords.
Enabling multi-factor authentication (MFA) will add an extra layer of protection. In addition, account lockout policies should be implemented to limit multiple login attempts, effectively frustrating automated attacks.
Deploy CAPTCHAs to block malicious bots and prevent automated credential stuffing.
Finally, all login attempts should be monitored, and anomaly alert notifications must be configured to ensure rapid detection and response to suspicious activity.
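The monitoring and lockout controls above can be illustrated with a small detector. The following Python example is added here and is not code from the room or from Microsoft Defender XDR; it parses constructed failed-logon lines (the log format, the 5-failures-in-10-minutes lockout threshold and the 5-distinct-accounts spraying threshold are all assumptions for the example) and separates the two patterns described in this task: one account hammered with many guesses, which a lockout policy stops, and one source trying a single guess against many accounts, which never trips a per-account lockout and therefore needs a per-source rule.

```python
"""Brute-force vs. password-spraying detection over failed-logon records.

Added example, not part of the TryHackMe room. The log format, thresholds
and sample data below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the room): lockout after 5 failures within
# 10 minutes; a source failing against 5+ distinct accounts in an hour is a spray.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5
SPRAY_WINDOW = timedelta(hours=1)

# Constructed sample log: six guesses against alice (classic brute force),
# one guess each against five accounts from 203.0.113.7 (spray, then a hit),
# and a benign mistyped password by grace.
SAMPLE_LOG = """
2025-09-30T08:00:01 LogonFailure account=alice src=10.0.0.5
2025-09-30T08:00:03 LogonFailure account=alice src=10.0.0.5
2025-09-30T08:00:05 LogonFailure account=alice src=10.0.0.5
2025-09-30T08:00:07 LogonFailure account=alice src=10.0.0.5
2025-09-30T08:00:09 LogonFailure account=alice src=10.0.0.5
2025-09-30T08:00:11 LogonFailure account=alice src=10.0.0.5
2025-09-30T09:10:00 LogonFailure account=bob src=203.0.113.7
2025-09-30T09:10:05 LogonFailure account=carol src=203.0.113.7
2025-09-30T09:10:10 LogonFailure account=dave src=203.0.113.7
2025-09-30T09:10:15 LogonFailure account=erin src=203.0.113.7
2025-09-30T09:10:20 LogonFailure account=frank src=203.0.113.7
2025-09-30T09:10:25 LogonSuccess account=frank src=203.0.113.7
2025-09-30T10:00:00 LogonFailure account=grace src=10.0.0.9
2025-09-30T10:00:30 LogonSuccess account=grace src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>LogonFailure|LogonSuccess) "
    r"account=(?P<account>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; reject anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "account": m["account"],
        "src": m["src"],
    }


def parse_log(text):
    return [parse_line(line) for line in text.strip().splitlines() if line.strip()]


def detect_brute_force(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Sliding window of failures per account; returns {account: time lockout fires}."""
    recent = defaultdict(deque)
    lockouts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "LogonFailure":
            continue
        q = recent[ev["account"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["account"] not in lockouts:
            lockouts[ev["account"]] = ev["ts"]
    return lockouts


def detect_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Per source: distinct accounts failed within the window; also lists any
    accounts that then logged on successfully from that source (the spray 'hit')."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "LogonFailure":
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["account"] for e in in_window}
            if len(accounts) >= min_accounts:
                hits = sorted({e["account"] for e in events
                               if e["src"] == src and e["outcome"] == "LogonSuccess"
                               and e["ts"] >= first["ts"]})
                findings[src] = {"started": first["ts"],
                                 "accounts": sorted(accounts),
                                 "successful_logons": hits}
                break
    return findings


SAMPLE_EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("lockouts:", detect_brute_force(SAMPLE_EVENTS))
    print("sprays:", detect_password_spray(SAMPLE_EVENTS))
```

In the sample, alice's account would be locked at the fifth failure, while the spraying source never accumulates five failures on any single account, so only the per-source rule surfaces it, together with the later successful logon for frank that should be treated as a compromised account.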
As security admins, what control can be implemented to prevent the use of dumped credentials?
Multi-Factor Authentication
What database do attackers target during NTDS dumping?
NTDS.dit
Task 4 : Technique - Credential Dumping
Credential dumping is a cyber attack technique in which threat actors extract usernames, passwords, hashes, or authentication tokens from system memory, databases, or registry files stored insecurely or temporarily to gain unauthorised access. Unlike brute force attacks, credential dumping retrieves valid credentials directly from compromised systems, allowing attackers to impersonate users, escalate privileges, and move laterally. This method is often a gateway to more advanced attacks, such as Pass-the-Hash (PTH) and Pass-the-Ticket (PTT).
Here are some common credential dumping techniques threat actors often use:
LSASS memory dumping: Involves attackers extracting credentials from the Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz or ProcDump.
NTDS dumping: This is when threat actors compromise the Active Directory domain controllers by extracting credentials from the NTDS.dit database.
LSA secrets dumping: This involves extracting service account passwords and auto-login credentials using Mimikatz or secretsdump.py.
DCSync attack: Simulating a replication request to extract user password hashes from a Domain Controller using Mimikatz (lsadump::dcsync).
Mitigating Credential Dumping Techniques
Mitigating credential dumping requires a multi-layered approach to prevent attackers from extracting authentication credentials and escalating their access. Microsoft Defender XDR mitigates credential dumping by detecting, preventing, and responding to suspicious activities that target stored credentials.
Protect LSASS memory: Ensure Credential Guard is implemented to protect LSASS memory from unauthorised access using Microsoft Defender XDR and EDR tools.
Implement least privileges: Apply least privilege policies to limit administrative privileges and reduce the exposure of sensitive accounts.
Harden Active Directory authentication: Disable unencrypted NTLM and restrict access to NTDS.dit and LSA secrets.
Logging & monitoring: Ensure audit authentication events are logged and monitored, PowerShell usage is tracked, and suspicious privilege escalation is investigated.
Implement multi-factor authentication (MFA): To prevent the use of dumped credentials.
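The "logging & monitoring" item above is where the dumping techniques listed in this task become detectable: each of them leaves a process-creation record. The following Python example is added here and is not code from the room or from Microsoft Defender XDR; it runs a handful of rules over constructed process events shaped like an EDR process-creation feed (the field names, the rule set, the temp-path heuristic and the sample records are assumptions for the example) and flags the indicators the task names: ProcDump pointed at LSASS, a Mimikatz DCSync command, a command line touching NTDS.dit, and a PowerShell script launched from a temporary directory.

```python
"""Rule-based detection of credential-dumping indicators in process events.

Added example, not part of the TryHackMe room. Event schema, rules and
sample records are constructed for illustration.
"""
import re

# Constructed process-creation records. WS02 is a developer capturing a crash
# dump of their own service, included to show the LSASS rule must key on the
# target process, not merely on the presence of ProcDump.
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2025-09-30T11:02:10", "device": "WS01", "account": "jdoe",
     "file_name": "procdump64.exe", "parent": "powershell.exe",
     "command_line": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"ts": "2025-09-30T11:05:44", "device": "WS02", "account": "dev1",
     "file_name": "procdump64.exe", "parent": "cmd.exe",
     "command_line": "procdump64.exe -ma myservice.exe crash.dmp"},
    # Renamed Mimikatz binary: the file name is innocuous, the arguments are not.
    {"ts": "2025-09-30T11:20:02", "device": "DC01", "account": "svc_backup",
     "file_name": "update.exe", "parent": "cmd.exe",
     "command_line": "update.exe \"lsadump::dcsync\" exit"},
    {"ts": "2025-09-30T11:21:30", "device": "DC01", "account": "admin",
     "file_name": "powershell.exe", "parent": "explorer.exe",
     "command_line": "powershell.exe -File C:\\temp\\WinPwn.ps1"},
    {"ts": "2025-09-30T11:25:09", "device": "DC01", "account": "admin",
     "file_name": "cmd.exe", "parent": "powershell.exe",
     "command_line": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\"},
]

# Each rule: (name, severity, predicate over a normalised event).
# "file" and "cmd" are the lower-cased file name and command line.
RULES = [
    ("ProcDump targeting LSASS", "high",
     lambda e: e["file"].startswith("procdump") and "lsass" in e["cmd"]),
    ("Mimikatz binary or DCSync command", "high",
     lambda e: "mimikatz" in e["file"] or "mimikatz" in e["cmd"]
     or "lsadump::dcsync" in e["cmd"]),
    ("NTDS.dit referenced on command line", "high",
     lambda e: "ntds.dit" in e["cmd"]),
    # Assumed heuristic: scripts run from a temp directory deserve a look.
    ("PowerShell script run from temp path", "medium",
     lambda e: e["file"] == "powershell.exe"
     and re.search(r"\\temp\\.*\.ps1", e["cmd"]) is not None),
]


def normalise(event):
    """Add lower-cased copies of the fields the rules match on."""
    return {**event, "file": event["file_name"].lower(),
            "cmd": event["command_line"].lower()}


def evaluate(events, rules=RULES):
    """Return one finding per (event, matching rule), preserving event order."""
    findings = []
    for raw in events:
        ev = normalise(raw)
        for name, severity, match in rules:
            if match(ev):
                findings.append({"rule": name, "severity": severity,
                                 "ts": raw["ts"], "device": raw["device"],
                                 "account": raw["account"],
                                 "file_name": raw["file_name"]})
    return findings


def devices_to_isolate(findings):
    """Devices with at least one high-severity finding (candidates for isolation)."""
    return sorted({f["device"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['device']} {f['account']} "
              f"{f['file_name']}: {f['rule']}")
    print("isolate:", devices_to_isolate(evaluate(SAMPLE_PROCESS_EVENTS)))
```

The renamed binary on DC01 is the reason the second rule inspects the command line rather than only the file name; a rule keyed on "mimikatz.exe" alone would miss it. The developer's crash dump on WS02 produces no finding, which is the false positive the LSASS rule is written to avoid.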
Task 5 : Lab - Detect and Investigate Using Defender XDR
What do you click to go to the advanced hunting page of a specific device from the alert page?
go hunt
What is the name of the PowerShell script that was executed?
WinPwn.ps1
Task 6 : XDR: Prevent, Detect, and Mitigate Credential Access Attacks
Which ASR rule will prevent the delivery of initial payloads that often include credential dumping tools?
Block executable content from email client and webmail
Which defender for Office 365 policy will block access to websites hosting malicious scripts or executables?
Safe Links
What should be configured to protect the Local Security Authority Subsystem Service from attackers and stop credential dumping memory?
credential guard
Task 7 : Conclusion
In this room, we discussed credential access attack tactics and Microsoft Defender XDR's comprehensive approach to securing an organisation's digital environment through a layered defence strategy, ensuring enhanced protection against threat actors maliciously accessing credentials.
Specifically, we explored the following topics:
An overview of credential access attack tactics
Brute force technique
Credential dumping technique
Investigating a credential access incident
Discussed detection, prevention and mitigation techniques with Microsoft Defender XDR
I can investigate and mitigate a credential access attack when I see one!
No Answer Needed
If you like my writeup, please subscribe, guys; I want your support.