
Yeah, let's see how advanced the techniques will be, but it's taken from a lot of our incident response cases. So, let's get started. Thank you for the lovely introduction. Nothing to add here, just maybe if you want to follow me on social media: I frequently blog and I also frequently post on Twitter, or it's called X now, LinkedIn, whatever. I released a new blog post this morning, so if you have the chance, check it out, please.

So why this talk? I have only 25 minutes, so it will be a short talk. I also plan to release a blog post later on, maybe next year, to present more techniques. There is a whole lot we could cover here. I came up with the idea of the talk because, yeah, attackers are dumping memory. They love dumping memory, and I thought what a crazy, noisy way to get credentials. Turns out, the screenshot here is from a recent investigation we worked on. The EDR picked it up: the LSASS process was dumped, but it only generated a medium alert, and this was the only alert generated by the attackers. Given that most companies do not have 24/7 coverage, on Friday afternoon they clock off for the weekend, and as an attacker I probably have the keys to the kingdom just from that memory dump.
And it is really crazy for me to see that in 2025 we are still not better at this one. So yeah, good luck with this one. This was really a crazy case, because the attacker came in via VPN. They brute forced the login: the username was Nexus, the password was Nexus123. They dumped memory, whatever. And then you thought, yeah, maybe... So the talk is about clear text passwords, Stefan, right, and now you are telling me about dumping credentials from an LSASS dump? This one contains only the hashes, and pass the hash, okay, this is really a thing. But this is also a neat trick by attackers: you can easily switch on WDigest in the registry when you compromise a server and you have administrative rights. I just switch on this registry key, WDigest enabled, on. What does that mean? As soon as you RDP into that server, your password will get stored in clear text in memory. So as an attacker I have administrative privilege on a jump host, maybe not domain admin credentials, but I can easily switch that registry key on, and I wait one week, maybe two weeks, and then I dump the memory. Maybe then I have not only hashes but also plaintext credentials. Clear text credentials are better than hashes, because pass the hash might not work in a fully Kerberos environment and so on; the hurdle just gets lower. And this is really one of the keys I would monitor. I keep preaching to defenders about monitoring that stuff, but if you are monitoring registry key modifications in your environment, this one might be one to look out for, because it's really uncommon that an administrator would do a downgrade like this.

Okay, quick wins, because you said it in the introduction: advanced techniques. But personally I think, and this is also the state of cyber security in 2025, as defenders we are really lagging behind. A lot of customers, once they get breached, asked me: was it a nation state? I just said no, it was just dumb. Your network was just not on top, because the attackers just walked in, brute forced your credentials, whatever. It's just silly sometimes. It's so ridiculous. You're looking at the case data and you say, "Okay, this is really ridiculous." So this one here as well: a company got breached, the attacker ransomed them with publication of the data, and the company paid so that the data does not get published. And then the attacker gave us a hint. We asked him, so how did you breach the perimeter? How did you breach the network? And he said it was easy. Somebody executed malware on a device, on a laptop, and the stealer got clear text credentials, passwords or cookies, out of it, and I just logged into your Citrix environment. It was as easy as that. And these credentials, all these stealer logs, get sold on the darknet, on dark forums, for $10 to $20 per piece, maybe less. So the hurdle is really low. And all these stealers, they are all over the place. You don't have to burn a zero day to get access to an environment. Same as here, because that was also from a real case: an attacker was selling domain administrative rights to another network.
And this was funny, because as soon as a customer calls us, we do a darknet search for the domain name, for the username and so on. And in a lot of cases we get hits back. That means the credentials were exposed on the darknet, and with tools, or with providers who search the darknet, you could find the leaked credentials from your company there. It was just so silly in most cases. You don't need an exploit. You don't need a zero day or an n-day to breach networks. It's just out there in the clear.

And as soon as attackers are inside your network, it gets even better. Just stating that, okay, as an attacker I get a foothold in your organization, meaning VPN access without multifactor authentication, for example. What can I do now as an attacker? A lot of screenshots are from real incident response cases; this one here is the same. What you are seeing here: the company got fully encrypted, then we did incident response and looked at the forensic data, and one thing you can look at in the forensic data is, for example, Shimcache, all these caches, or the last files opened by the attackers. What we saw in that case was that the attacker, as soon as he entered the network, started searching for password files. What you are seeing here is from that incident response case we worked on. I haven't modified the file names; they are called sapw.txt, cred temp.txt, whatever. It was all over the place, clear text credentials. And then I talked with the pentesters from our company, and they said the first thing we do when we breach or when we get access to a network is search for clear text password files. They are all over the place. Again, you can easily jump from an unprivileged user to an administrator, to a domain user. Stop, really, stop talking about zero days, about nation states, about the threat of AI. The threat is inside your network, because most users are just too lazy to use a password manager, right?

Proactive defense. My recommendation is to regularly check your file shares with a tool. It's called Snaffler, it's on GitHub. You can use it to find them proactively (that's sometimes a really complicated word for me). It works really well, so that you as a defender, if blue teamers are here in the room today, I'm not only speaking to the red team here, can search for all these juicy documents before the attackers find them. Also a tip from me: if you have never heard of canary tokens, canary tokens might also be a good signal that somebody is inside your network. Place a document in a folder which should not get opened by regular users; if that file gets opened or modified, you get an alert and you instantly see that something is off. Might be a false positive, might be an active attacker. So that's something I would check out as well.

This one here is safe and pretty cool; I was not aware of that one. In Defender for Endpoint there is a feature you could enable to disable the storing of clear text passwords. Just given the fact that most users will be overwhelmed by such a popup and then call the help desk, I don't think that feature is practical in a large organization, but just to let you know: there are defenses we could enable to stop that thing. But I probably won't go that route here, because that might be easier for the user; otherwise you get a lot of calls to the help desk.

Underestimated as well is how many passwords we find in PowerShell logs. When we are doing incident response, of course we are looking at the PowerShell logs, because the attackers also love to use PowerShell: offensive PowerShell, download cradles, executing code in memory and so on. But we are also searching for passwords in the PowerShell logs, so that we can tell the customer: maybe the attackers got the credential while searching inside the PowerShell logs. Again, a lot of passwords inside the PowerShell logs. Fear not, we also have a defense for that one, because my recommendation is to always turn on PowerShell script block logging. PowerShell is super awesome when you're doing forensics, when doing incident response. I had a lot of discussions with customers who said we turned off PowerShell script block logging, so the logging of PowerShell logs, because it might leak secrets. I, on the other hand, say: I don't get it. If you really have the concern that an attacker might read out secrets from PowerShell logs, you can enable PowerShell encryption, so the script block logs get encrypted with keys, and you can store the keys on a remote server. It works perfectly fine. So there is no reasoning about whether to turn on PowerShell script block logging or not. Just turn it on.

This one here is really funny. That is really a blast from the past. It's over 10 years old and we still continue to see it. So back in the days, and it is really back in the days because Microsoft disabled that feature over 11 years ago, it was possible to store passwords in a thing called group policies. For example, for silent installations, for software installation, you placed your password inside a group policy file so that the software could install on clients and servers silently, without the help of an administrative user. The thing here is, Microsoft accidentally, not accidentally, leaked the encryption key to that password on a tech community site. So at one time, over 11 years ago, somebody from Microsoft just pasted the AES decryption key on a TechNet forum and said, "Here is the key." And everybody said, "Okay, cool," and then they were able to decrypt these passwords. And what you're seeing here, also from a live case, is that the user support was part of the domain administrative group and his password was there in clear text. Well, encrypted, but in clear text because the attackers got hold of the encryption key, right? So as soon as I enter the network, all I have to do is look for the GPP files; I find passwords, I find the key to the kingdom. How long does it take me to get domain administrative rights after breaching the network? 3 minutes, 2 minutes? It's just crazy that such techniques are still working today.

The other really crazy thing to me is, I'm really working as a blue teamer. I love blue team. I also worked in internal security teams. The thing I don't really get is how much time blue teamers are spending in meetings and not doing hands-on work.
You're nodding. It's just crazy, because how many minutes or how many hours would it take you? How complicated is it to search for passwords in your Active Directory objects? We see that a lot, really a lot, and when pentesters are here in the room, they still see that a lot as well, because in Active Directory you have attributes like comment, like usernames and so on. Companies frequently save passwords in the comment field. The reason I don't know; is there really a good reason? Probably not. But we still continue to see it in our incident response cases, and the attackers are doing the same. Personally I think: why hasn't somebody checked that before? How long does it really take to enumerate all your Active Directory objects and look for passwords? That's a one-liner in PowerShell, 3 minutes tops. It's just raising the bar for attackers... all the way down. We talked about advanced techniques. Sometimes I think we don't need to speak about advanced techniques; we must really talk about the basics, because we as blue team are really lacking the basics, as you can see here and also on the previous slides. Again, I don't work for Microsoft, right, so please don't get me wrong if I just keep repeating how great Defender or Defender for Identity is. Probably other vendors have similar products, I don't know, but this one here is a good example that you don't need a tool to work for you. So even if the sales guys come and say Defender for Identity could solve that problem, what we are seeing here, the clear text passwords in Active Directory, really one line of PowerShell would do the same as Defender for Identity. So that's also one thing which really boggles me, and really I think it's ridiculous how many software products companies are buying and investing in to make the network safer. You don't need another product. You don't need another piece of software. You just need time. Stop wasting time in meetings and get your hands dirty with doing active security, and not just looking at whatever flip charts your manager is presenting to you.

This one is also fun, and then we come to the next section of this presentation. This one we also don't see that often, but it's also from a real life incident response case. The attackers breached just a workstation, just a laptop. They got a foothold with Cobalt Strike, so a beacon was running, and what they did was use PowerShell code which invokes a login prompt. So all the time, an administrator, somebody, must type in their password, and the user got so annoyed that they called the help desk and said, hey, an administrator must come over and type in their password. So the administrator came along and typed the password in. Guess what? It was a domain administrative password. So the attackers got full access to the domain controller, game over, and the network got encrypted successfully. I think it's really cool. And coming back to PowerShell script block logging: what the attackers did was Invoke-Expression, New-Object, just downloading a string from localhost, because a Cobalt Strike beacon was running on that machine. If you are doing PowerShell analysis, that should really be something standing out. So that's an anomaly you could easily detect as a defender.
Right? So I have a section about Windows. I also have a section about Linux. I don't think we have the time, so let's just move on. I have some backup slides if you have questions afterward. Again, maybe I will publish a blog post about all that stuff if it's interesting. Otherwise I just skip it.

Now, the cool thing here is, these are three techniques which are kind of the same, same same but different. There is a thing called a Security Support Provider in Windows, and what that thing does, it's an authentication method that can be added or extended without modifying application code. You see that often, not often, when you buy a new software product which must check your credentials. A password manager, for example, must somehow get hold of your password to check how strong it is or how bad it is, right? The cool thing here is, as an attacker I could easily add a new DLL to that whole thing. It's not baked into the operating system; all I have to do is add a new DLL. So what the attackers are doing, and which is really a nifty way, is I create a new DLL with the authentication method and so on all programmed, and I add my new DLL to that security package. Right? And as soon as I come along and I type in my password, my password gets sent to that new SSP. And yeah, you're smiling. And the really cool thing here is, this one is also from a recent incident response case. Well, not so recent, but we still keep seeing it. The quality is really bad. What the attackers have done here is they modified that registry key. They added their new DLL, which gets all the clear text passwords, or the SSP sends all the clear text passwords to the newly registered DLL. And what we found here was a text file with all the clear text passwords, because the attackers could easily fetch your passwords from the network as soon as you log in to the box or you authenticate to a machine. So also my tip to blue teamers is (Mhm. Thank you. Yes.) monitor these keys. It should not happen every day that those keys get modified. I really checked it in large networks; you don't have that many keys or DLLs registered here. But it's still, I would say, one of those stealthier approaches. You can dump credentials here without touching memory, without doing crazy malware stuff, without stealing, for example, Chrome passwords and so on.

The next thing here, on proactive defense, is preventing custom SSPs. Yes, of course, we also have a chance to disable the loading of these SSPs. Funny thing is, I did a bit of research here, and on Reddit I found a story of a guy working for a bigger company who disabled the loading of custom SSPs. Turns out that broke the whole network, because Microsoft forgot to sign one of their own SSPs, and if you enable that feature, only signed SSPs, only signed DLLs, get loaded. So you have to be really careful with all these features.

Like I said before, there are also different techniques. For example, I want to check the strength of user passwords. So I'm a manufacturer of a password manager which I sell to your company. Somehow I must check the strength of your password, right? So when I change my password, that password must get checked somehow. The funny thing here is, thank you Windows, we also have a mechanism which can help us here. It's called a password filter DLL. And this is written here in yellow, because filters must evaluate passwords in plain text. Attackers who register and manage this filter can intercept these credentials. So it's the same as before, and you see here: stealing passwords every time they change them. That blog post was published 12 years ago and it's still working today, because I tested it in a lab. "I love blue" is the name of my DLL. And the same here: all I have to do as an attacker, I need admin rights of course, but then I can add these DLLs to a registry key, and every time I change my password on the box, my clear text password gets stored in a file or gets sent out to a different server. Again, not dumping memory here, not doing crazy malware stuff or so on. It's really just dropping a DLL to disk and modifying a registry key. I wonder how many AVs and EDRs will pick up such a behavior. So that's really something I would check in the lab.

Last thing, network provider DLL. It's probably the same. So we have three in a box here which might be the same but not the same. But again, when a user logs in, the Winlogon component responsible for managing interactive logon passes the user credentials to something. It really boils down, all these techniques, to Windows must somehow check your passwords. Lucky attackers, they are sending clear text to all these DLLs. It's the same here: DLL, registry key, we got it. And again, we saw that in a real life case. It's not just me being funny, talking about or loving to talk about this stuff in my lab. That's also from a recent incident response case. Lucky us, AV picked it up. On the left hand side you see an LSASS DLL in System32. Suspicious? Yes, it is. Then I did a timeline analysis, so I looked at all the files changed around the same time that DLL was dropped to disk, which led me to that C:\Windows\Temp tmp-whatever temp file. Inside those temp files were clear credentials for a bunch of administrative users from the company, because the attacker was sitting on a jump host which was frequently logged into by domain admins, by AD admins. He was able to dump credentials, and it was a stealthy operation perhaps as well, because the attacker was really lying low, dumping or capturing credentials for weeks. I was just looking at those files and I saw like 10 plus admin credentials in clear text there. And again, it was no crazy stuff, no zero day used, no malware.

One minute? Yes, I know. And the real thing here is, you have to be careful as a defender, because we all love Sysmon. So we have Sysmon which captures the modification and the writing of registry keys and so on, and recently I've done a compromise assessment for a customer which gave me access to his vast data in Splunk. The thing I did was I checked the setting at the modification of the registry keys. Turns out Sysmon does not log the registry key which gets modified; the details is just binary data, which in turn means it's useless for monitoring, it's useless for creating alerts. I told that to the customer and he was like, really? Okay, I was not aware of that. And I said yes, that's maybe also the problem we have in the industry, coming back to: we just keep on buying products, we keep on buying software. I will end the presentation shortly, just let me finish the sentence here. What we are not doing is hands-on work. Probably nobody has ever looked at the vast data in Splunk. Nobody. Everybody is just trusting the EDRs, my solutions, my vendors. Please, please, and these are my final words here: get your hands dirty. Just raise the bar for attackers, because they have an easy time right now. And thank you so much for having me.
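As an added example, not from the talk and not a tool it mentions, here is a read-only PowerShell audit in the spirit of "check the registry keys yourself": it reads the WDigest setting, the SSP, password filter and network provider DLL registrations the talk walks through, reports whether each registered DLL on disk carries a valid Microsoft signature, and finishes with the Active Directory one-liner for passwords in comment fields. The registry locations are the standard Windows ones; the "non-Microsoft-signed means worth a look" baseline and the password keyword pattern are assumptions chosen for this example, and the Active Directory part requires the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the talk: read-only audit of the Windows credential
# hand-off points discussed above (WDigest, SSP DLLs, password filter DLLs,
# network provider DLLs) plus the Active Directory comment fields.
# Run in an elevated PowerShell on the host you want to inspect.
# Registry paths are the documented Windows locations; treating every DLL that is
# not validly Microsoft-signed as "suspicious" is an assumption for this example.

$system32 = Join-Path $env:SystemRoot 'System32'

function Resolve-PackageDll {
    param([string]$Entry)
    # LSA lists packages by base name ("kerberos") or by full path; handle both.
    $name = if ($Entry -match '\.dll$') { $Entry } else { "$Entry.dll" }
    if ([System.IO.Path]::IsPathRooted($name)) { return $name }
    return Join-Path $system32 $name
}

function Test-PackageDll {
    param([string]$Area, [string]$Entry)
    $path = Resolve-PackageDll $Entry
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Area = $Area; Entry = $Entry; Path = $path
                                  Signer = 'FILE MISSING'; Suspicious = $true }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'UNSIGNED' }
    # Assumption for this example: anything not validly signed by Microsoft deserves a look.
    $odd = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    [pscustomobject]@{ Area = $Area; Entry = $Entry; Path = $path; Signer = $signer; Suspicious = $odd }
}

$results = @()

# 1. WDigest: UseLogonCredential = 1 makes LSASS keep logon passwords in clear text.
$wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
$wdValue = if ($null -eq $wd.UseLogonCredential) { 'not set' } else { "$($wd.UseLogonCredential)" }
$results += [pscustomobject]@{ Area = 'WDigest'; Entry = 'UseLogonCredential'; Path = '-'
                               Signer = $wdValue; Suspicious = ($wd.UseLogonCredential -eq 1) }

# 2. Security Support Providers (SSPs) loaded into LSASS. Newer Windows keeps the
#    list under Lsa\OSConfig, older builds directly under Lsa, so read both.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig') {
    $pkgs = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($p in @($pkgs)) { if ($p) { $results += Test-PackageDll 'SSP' $p } }
}

# 3. Password filter DLLs, which receive every new password in plain text.
$notify = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
foreach ($p in @($notify)) { if ($p) { $results += Test-PackageDll 'PasswordFilter' $p } }

# 4. Network providers, which Winlogon hands interactive logon credentials to.
$order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
foreach ($prov in ($order -split ',')) {
    $dll = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$prov\NetworkProvider" -ErrorAction SilentlyContinue).ProviderPath
    if ($dll) { $results += Test-PackageDll 'NetworkProvider' ([Environment]::ExpandEnvironmentVariables($dll)) }
}

# Suspicious rows first: an unexpected DLL or WDigest = 1 is what to investigate.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 5. The "one-liner" for Active Directory: users whose Description or Info field
#    looks like it holds a password. Needs the RSAT ActiveDirectory module; the
#    keyword pattern is a constructed starting point, not an exhaustive list.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -Filter * -Properties Description, Info |
        Where-Object { "$($_.Description) $($_.Info)" -match 'pass|pwd|pw\s*[:=]' } |
        Select-Object SamAccountName, Description, Info | Format-Table -AutoSize
}
```

Because the script reads the live registry values rather than an event record, it shows the actual package lists that, as noted above, Sysmon renders only as binary data; run it once to record a baseline and compare later output against it. The Reddit story about an unsigned Microsoft SSP is the caveat that applies here: the script only reports unsigned or non-Microsoft DLLs, it does not block anything.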
>> Thank you, Stefan. Your presentation was a great walk through of what defenders miss. And it actually reminded me of the XKCD comics, for those of you who know that. There was one a very long time ago about how we can get into the system, and there were some very complicated thoughts about how we can break the crypto, and then there was somebody on the chair... Exactly, asking the admin to give them the password. So...
>> Exactly.
>> Maybe one small followup. You talked about Windows; across environments, maybe Windows and Linux, is there some best practice you could share?
>> Just look at your stuff, because that would be a slide for Linux as well. We also have different modifications we could look at, PAM modules or not. I would say maybe the thing I would recommend is really check your environments. My recommendation is do not trust EDR vendors. Do not trust the systems; also check your systems. Make yourself familiar with the stuff, and then you find the outliers. Thank you.
>> Do we have any questions from the audience? We have one person there. The microphone is coming to you.
>> There, the microphone.
>> So, do you hear me? Okay. If you have a cloud incident response case in the Azure cloud, for example, what would be the first place you would look at?
>> Risky sign-ins.
>> Okay. Interesting.
>> Yeah. Sure. Because I tweeted this last week.
>> I saw it. Yeah.
>> Yeah. Exactly. No, because that's also one thing, and I'm sorry, this is really a heated topic for me, because we see a lot of missed alerts. Again, risky sign-ins. The first thing I do when logging into the tenant is go to risky sign-ins. Oh, it's on. Okay. Oh wow.
>> Okay.
>> It's literally screaming: attackers literally breached the account. Nobody cares.
>> Yeah. Interesting. I saw your post about that.
>> But thank you.
>> But I mean, it's job security for me. But well...
>> Yeah, I believe so. Thank you.
>> Yeah. Welcome.
>> Thank you. Did we have another question in the back or here in the middle?
>> Thanks. Yeah, thanks for the presentation. Really, really interesting. One question I have is, you mentioned, okay, you need to get your hands dirty. You need to give time to our blue team to actually do the job, not sit in the meetings.
>> But most of the time we sit in an office where two people have to take care of 10,000 employees, and you know, you have to be in the meetings, you have to look at the SOC, the SIEM alerts and whatnot. And you do this awareness training and say you don't have to store your password, please, the password manager the company is paying for, please use it, and then the users don't use it anyway. So, what would be your recommendation when there is no time to actually go and do the job, the dirty job, and you still need to keep the company running?
>> Top 10. I also blogged about an Active Directory top 10. Just start at the top. Kerberos, like strong passwords for service accounts. We talked about Azure security baselining. Just do the quick wins. Really start with the quick wins. That's the 80/20 for you, and then you will be much safer.
>> Thanks.
>> Thank you. Thank you, Stefan.
>> Welcome. I have luck.
>> So, we learned that the easiest way in is the best way in for attackers. So, as blue teamers, that's the way to go. Thank you. Cheers.
>> Thank you.