Harvesting Plaintext Passwords in Windows OS

🔒 Secure Bits 💡

Where are your secrets hiding?

You’d be surprised how often I can extract plaintext credentials during assessments — even in environments with Credential Guard enabled.

In this carousel, I’ll walk you through multiple real attack surfaces — and how to prevent them:

๐Ÿ”ธ ๐— ๐—ฆ๐—ง๐—ฆ๐—– (๐—ฅ๐—ฒ๐—บ๐—ผ๐˜๐—ฒ ๐——๐—ฒ๐˜€๐—ธ๐˜๐—ผ๐—ฝ ๐—–๐—น๐—ถ๐—ฒ๐—ป๐˜)
Even with Credential Guard, passwords can be extracted from the MSTSC process memory during RDP sessions.
๐Ÿ” Not protected by Credential Guard
๐Ÿ›ก Use PAW, Tiering, and smartcards (even those have caveats)

๐Ÿ”ธ ๐—ฆ๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐—ฐ๐—ฒ ๐—”๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐˜€
If services run under basic Active Directory account, the password can be dumped directly from registry using SYSTEM rights.
๐Ÿ›  No configuration needed โ€” default behavior
๐Ÿ›ก Use gMSA, VSA, or minimize privileges

๐Ÿ”ธ ๐—ช๐——๐—ถ๐—ด๐—ฒ๐˜€๐˜
WDigest used to store plaintext passwords by default (pre-Win10). Still exploitable via registry tweak.
๐Ÿ›  Enabled via registry: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential:1
๐Ÿ›ก Protected Users group or Credential Guard prevent this

๐Ÿ”ธ ๐——๐—ฒ๐—ณ๐—ฎ๐˜‚๐—น๐˜ ๐—–๐—ฟ๐—ฒ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐——๐—ฒ๐—น๐—ฒ๐—ด๐—ฎ๐˜๐—ถ๐—ผ๐—ป
With โ€œAllow delegating default credentials,โ€ passwords are cached during initial logon for RDP SSO logins.
๐Ÿ›  Enabled via GPO / registry: Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow delegeting default credentials
๐Ÿ›ก Avoid, or use Restricted Admin / Remote Credential Guard

๐Ÿ”ธ ๐—ช๐—ถ๐—ป๐—ฑ๐—ผ๐˜„๐˜€ ๐—–๐—ฟ๐—ฒ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—ฟ
Storing credentials in Windows Credential Manager can expose them to an adversary. For example mapped drives using alternate credentials leave those secrets in LSASS.
๐Ÿ›  No special config โ€” happens when user selects โ€œUse different credentialsโ€
๐Ÿ›ก Block for admins via GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
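The checks below are an added, read-only audit script (written for this page, not code from the original post) that looks for the five exposures listed above on a single Windows host and prints findings. It assumes the standard policy-backed registry locations: the Credentials Delegation GPO under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, and the "Do not allow storage of passwords" setting as the DisableDomainCreds value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the Credential Guard query uses the Win32_DeviceGuard CIM class. Run it from an elevated PowerShell session.

```powershell
# Added audit script (not from the original post). Read-only: it changes nothing.
# Assumptions: registry backing of the delegation GPO and the Credential Manager
# policy is the standard one named in the comments; adjust if your layout differs.

$findings = @()

# 1. Credential Guard: SecurityServicesRunning contains 1 when Credential Guard is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not ($dg -and ($dg.SecurityServicesRunning -contains 1))) {
    $findings += 'Credential Guard is not running.'
}

# 2. Service accounts: services running as ordinary user accounts.
#    Built-in identities and gMSA/computer accounts (names ending in '$') are excluded.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.StartName -and
    ($builtin -notcontains $_.StartName) -and
    ($_.StartName -notlike 'NT SERVICE\*') -and
    ($_.StartName -notlike '*$')
} | ForEach-Object {
    $findings += "Service '$($_.Name)' runs as user account '$($_.StartName)'; its password is stored on this host."
}

# 3. WDigest: UseLogonCredential = 1 keeps plaintext credentials in LSASS.
$wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name UseLogonCredential -ErrorAction SilentlyContinue
if ($wd -and $wd.UseLogonCredential -eq 1) {
    $findings += 'WDigest UseLogonCredential = 1 (plaintext passwords cached).'
}

# 4. Default credential delegation (assumed registry backing of the GPO):
#    AllowDefaultCredentials = 1 plus a subkey listing the allowed target SPNs.
$cdPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$cd = Get-ItemProperty -Path $cdPath -Name AllowDefaultCredentials -ErrorAction SilentlyContinue
if ($cd -and $cd.AllowDefaultCredentials -eq 1) {
    $targets = (Get-ItemProperty -Path "$cdPath\AllowDefaultCredentials" -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    $findings += "Allow delegating default credentials is enabled for: $($targets -join ', ')"
}

# 5. Credential Manager: DisableDomainCreds = 1 is the "Do not allow storage of
#    passwords and credentials for network authentication" setting (assumed mapping).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name DisableDomainCreds -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.DisableDomainCreds -ne 1) {
    $findings += 'Storage of network credentials in Credential Manager is allowed (DisableDomainCreds is not 1).'
}

# Report
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Each finding maps back to one bullet above, so the script doubles as a checklist: a host with no output has Credential Guard running, no services on user accounts, WDigest left off, default delegation disabled, and Credential Manager storage blocked. The MSTSC exposure has no host-side setting to query; it is mitigated by the PAW, tiering and Remote Credential Guard practices named above rather than by a registry value.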

๐Ÿ” ๐—–๐—ฟ๐—ฒ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐—ด๐—ฎ๐˜๐—ต๐—ฒ๐—ฟ๐—ถ๐—ป๐—ด ๐—ถ๐˜€ ๐—ฒ๐—ฎ๐˜€๐˜† โ€” ๐—ฑ๐—ผ๐—ปโ€™๐˜ ๐—บ๐—ฎ๐—ธ๐—ฒ ๐—ถ๐˜ ๐—ฒ๐˜ƒ๐—ฒ๐—ป ๐—ฒ๐—ฎ๐˜€๐—ถ๐—ฒ๐—ฟ

💬 Which of these still exists in your environment?

👉 Swipe through, check your systems, and let me know which surprised you most.