Taking a Deeper Look at Windows Credential Roaming

March 8, 2023

Taking a deeper look at Windows Credential Roaming, it’s possible to get more detail on why it works the way it does and how to protect against abuse. In this article, we’ll go over a few of the most common reasons a roaming token is used by a threat actor. We’ll also go over how to configure Profile Management to sync saved passwords in Internet Explorer, and we’ll look at a few tools that can help you identify the roaming token.

Mimikatz

Mimikatz is a powerful credential-stealing application that helps attackers gain more privileged access on a victim’s network. It is also used to perform other malicious activities.

Mimikatz can be run manually, or remotely with the Microsoft PowerShell module. It is compatible with the latest Windows release and is designed to extract passwords and other credentials from memory. It can run on both 32-bit and 64-bit x86 architectures. It is compatible with the Windows CryptoAPI module, which allows it to extract private keys and certificates.

To execute Mimikatz, you need SYSTEM privileges. You must also turn off debug privileges.

msPKI-CredentialRoamingTokens

Credential Roaming is a Windows feature that helps to secure your PKI certificates and private keys. It helps reduce certificate management overhead by keeping your credentials up to date and in sync between workstations.

Credential Roaming allows users to access and manage PKI certificates and private keys from multiple workstations, even when they are inside a domain. This feature is not compatible with certificates that have their private key stored in hardware.

If your organization is using Windows Credential Roaming, you should consider decommissioning it. This will allow your certificate sets to move to a smart card. Smart cards have better security than Credential Roaming.

LSASS

LSASS (Local Security Authority Subsystem Service) is a Windows service that stores user credentials. These credentials can be used to move laterally or escalate privileges.

There are a lot of ways to read the LSASS process memory. Some methods are better than others. Using a tool called MiniDumpWriteDump, I was able to write a complete snapshot of the LSASS process, which I can then read.

Another tool is a Metasploit module called Mimikatz. This tool manipulates the LSASS process memory to read and output password hashes in plain text. The resulting file is often blocked by local antivirus software, but it can still be retrieved by a determined attacker.
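The LSASS memory-dumping approaches above all depend on being able to open lsass.exe and read its memory, and on the secrets in that memory being usable. The following PowerShell is an added example (not code from the original article) that reports the three Windows controls a defender checks first: whether LSASS runs as a Protected Process Light (the RunAsPPL value), whether WDigest still keeps cleartext logon credentials in memory (UseLogonCredential), and whether Credential Guard is running. It assumes an elevated session on Windows 10/11 or Server 2016+; on older builds the Win32_DeviceGuard class does not exist and Credential Guard is reported as not running.

```powershell
# Added example, not code from the original article: report the Windows
# controls that limit LSASS memory dumping of the kind described above.
# Assumptions: elevated PowerShell on Windows 10/11 or Server 2016+.
function Get-LsassHardeningStatus {
    [CmdletBinding()]
    param()

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop

    # RunAsPPL marks lsass.exe as a Protected Process Light. With it set, even a
    # SYSTEM process holding SeDebugPrivilege cannot open LSASS for reading, so a
    # MiniDumpWriteDump-style snapshot fails unless the protection is removed first.
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    # WDigest UseLogonCredential=1 keeps cleartext passwords in LSASS memory;
    # it defaults to 0 on Windows 8.1 / Server 2012 R2 and later.
    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                                -ErrorAction SilentlyContinue
    $cleartextKept = ($null -ne $wdigest.UseLogonCredential) -and ([int]$wdigest.UseLogonCredential -eq 1)

    # Credential Guard isolates NTLM hashes and Kerberos keys outside LSASS;
    # Win32_DeviceGuard reports 1 in SecurityServicesRunning when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    $status = [pscustomobject]@{
        RunAsPPL                 = $runAsPpl
        LsassProtectedProcess    = ($runAsPpl -ge 1)
        WDigestCleartextInMemory = $cleartextKept
        CredentialGuardRunning   = $credGuard
    }

    # Plain-language findings a defender can act on; empty when all three are in place
    $findings = @(
        if (-not $status.LsassProtectedProcess) { 'LSASS is not a protected process (set RunAsPPL to 1 and reboot).' }
        if ($status.WDigestCleartextInMemory)    { 'WDigest keeps cleartext logon credentials in LSASS (set UseLogonCredential to 0).' }
        if (-not $status.CredentialGuardRunning) { 'Credential Guard is not running; NTLM hashes and Kerberos keys remain readable from LSASS memory.' }
    )
    $status | Add-Member -NotePropertyName Findings -NotePropertyValue $findings
    return $status
}

Get-LsassHardeningStatus | Format-List
```

Run it on a sample of workstations and servers before and after rolling out the settings; a machine where all three booleans come back in the expected state is one where the dumping tools named in this section have to defeat kernel-level protection rather than simply opening a process.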

Identifying the Windows Credential Roaming Token

The Windows Credential Roaming Token is a small piece of software that allows for the movement of credentials from one computer system to another. A cryptographic session key is used to ensure the security of the communications between the two computing systems.

This feature is not new; it has existed since Windows Server 2003 SP1. However, it was removed in Windows Vista. In Windows 7, Windows Vista’s credential roaming functionality was disabled. A few years later, Microsoft published a white paper describing this feature and its shortcomings.

In the early twenty-first century, the Russian-linked APT29 group, also known as the Dukes, Cozy Bear, SVR group, and Nobelium, started using the Windows Credential Roaming Token to its advantage. Specifically, the APT29 group successfully phished a European diplomatic entity, using this feature to its full potential.
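Both the msPKI-CredentialRoamingTokens section and this one come down to one practical question for a defender: which accounts in the directory still carry roaming data, and when did it last change? The PowerShell below is an added example (not code from the original article, and not Mandiant’s tooling) that answers that question. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the user objects, and that the two companion attributes not named in the article, msPKI-AccountCredentials (the roamed certificate and key BLOBs) and msPKI-DPAPIMasterKeys (the roamed DPAPI master keys), are present in the schema alongside msPKI-CredentialRoamingTokens, as they are in a domain where Credential Roaming has been enabled.

```powershell
# Added example, not code from the original article: enumerate accounts that
# still hold Credential Roaming data in Active Directory and show when that
# data last changed, so stale or unexpected roaming can be reviewed.
# Assumptions: RSAT ActiveDirectory module; read access to the user objects;
# a reachable writable domain controller for replication metadata.
Import-Module ActiveDirectory -ErrorAction Stop

# Multi-valued attributes populated by the Credential Roaming client
$script:RoamingAttributes = @(
    'msPKI-CredentialRoamingTokens',   # token list named in this article
    'msPKI-AccountCredentials',        # roamed certificate / private-key BLOBs
    'msPKI-DPAPIMasterKeys'            # roamed DPAPI master keys
)

# @($null).Count is 1 in PowerShell, so count values explicitly
function Get-ValueCount {
    param($Value)
    if ($null -eq $Value) { return 0 }
    return @($Value).Count
}

function Get-CredentialRoamingAccounts {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$RecentDays = 30
    )

    # Any account with at least one of the three attributes set
    $clauses = $script:RoamingAttributes | ForEach-Object { "($_=*)" }
    $ldapFilter = '(|' + ($clauses -join '') + ')'

    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
               -Properties ($script:RoamingAttributes + 'whenChanged') |
    ForEach-Object {
        $u = $_

        # Replication metadata gives the originating change time per attribute,
        # which survives even when the value itself is opaque to us.
        $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $dc `
                    -Properties $script:RoamingAttributes -ErrorAction SilentlyContinue
        $lastRoamChange = $null
        if ($meta) {
            $lastRoamChange = ($meta | Measure-Object -Property LastOriginatingChangeTime -Maximum).Maximum
        }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            TokenCount        = Get-ValueCount $u.'msPKI-CredentialRoamingTokens'
            CredentialBlobs   = Get-ValueCount $u.'msPKI-AccountCredentials'
            DpapiMasterKeys   = Get-ValueCount $u.'msPKI-DPAPIMasterKeys'
            LastRoamingChange = $lastRoamChange
            ChangedRecently   = ($null -ne $lastRoamChange -and $lastRoamChange -gt $cutoff)
        }
    }
}

Get-CredentialRoamingAccounts |
    Sort-Object LastRoamingChange -Descending |
    Format-Table SamAccountName, TokenCount, CredentialBlobs, DpapiMasterKeys, LastRoamingChange, ChangedRecently -AutoSize
```

A roaming attribute that changed recently on an account whose user has no reason to roam certificates, or one that holds far more BLOBs than the account’s issued certificates would explain, is the kind of entry to review before deciding how to decommission the feature; the output is also a starting inventory for the move to smart cards suggested earlier.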

Configuring Profile Management to sync Saved Passwords in Internet Explorer

Microsoft Credential Roaming allows you to store certificates in Active Directory so that they roam with users. It also eliminates duplicate certificates, reducing certificate management overhead. You may have noticed that your saved passwords aren’t retained between sessions. Fortunately, there are several ways to fix this.

One way is to use Profile Management to migrate your profiles between operating systems. This can speed up your logon time and minimize the amount of re-keying that occurs during a login.

Another option is to move your files into a container. While you can’t do this on Windows 10 yet, you can on Vista and Windows Server 2008. However, you can’t have the container sync with the file server.

Mandiant identified situations that could allow a threat actor to abuse the Windows Credential Roaming feature

In early 2022, Mandiant researchers discovered that APT29, a nation-state hacking group, was exploiting the Windows Credential Roaming feature. This is a lesser-known feature that allows users to roam certificates from one workstation to another.

The threat actor used this feature to authenticate as a user on a victim account. This allowed the attacker to access sensitive data on the victim’s products and services. In addition, the actor had access to the user’s cleartext password, allowing them to pose as the victim.

In some cases, the threat actor was successful, logging on to devices and acquiring access to the enterprise network. The threat actor also downloaded the victim’s customer list.

Ammar Fakhruddin
