Mitigating Service Account Credential Theft

Blog Post created by hdmoore on Sep 16, 2014

I am excited to announce a new whitepaper, Mitigating Service Account Credential Theft on Windows. This paper was a collaboration between myself, Joe Bialek of Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is shown below,


Over the last 15 years, the Microsoft Windows ecosystem has expanded with the meteoric rise of the internet, business technology, and computing in general. The number of vendors that provide management, assessment, and monitoring tools has exploded, along with the need for these products to handle ever-growing networks and respond to evolving security threats. The networks themselves are now becoming less trusted, as targeted attacks, advanced malware, cloud services, and bring-your-own-device (BYOD) policies erode the historic trust model of internal versus external networks. The time has come to assume breach when considering all aspects of network security.


Mindsets about the network perimeter may be changing, but most management, assessment, and monitoring products still rely on trust boundaries and unidirectional authentication to the assets they access. For example, an automated backup service running on a central server under the context of a privileged account may automatically authenticate to workstations in order to access their file systems. A compromised or otherwise untrusted workstation can take advantage of this to steal the credentials of the backup service during the authentication process. Similar problems affect everything from network monitoring systems to vulnerability assessment products.


This has led to an "elephant in the room" mentality among security practitioners, where there is a tacit understanding that the automated tools they use to maintain the security of the network could end up enabling an attack instead. Security product vendors often call out these risks in their documentation, but the greater IT ecosystem is less likely to be aware of these problems.


This document describes practical mitigation strategies that reduce the effectiveness of attacks against automated authentication processes in a Windows environment, with a focus on accounts used by privileged services. Specific attacks are documented, along with mitigation techniques that apply to all commonly-used versions of the Windows operating system.


HD Moore

Chief Research Officer

Rapid7, Inc.



PS. The pass-the-hash guidance (v2) from Microsoft is a great read for anyone interested in learning more about Windows authentication and the NTLM protocol in particular. Many of the mitigations for service account protection are also applicable to defending against pass-the-hash attacks.