Are primarely used to obfuscate a secret that otherwise be transmitted/stored in clear text.

Hashes are available in the LSASS process and can be extracted with admin privileges. Once dumped, hashes can be cracked or used immediately in a Pass the Hash attack.

Defences:

• Prevent admin account compromise
• Stop remote interactive sessions with highly privileged accounts
• Proper termination of RDP sessions
• Win8.1+ → force the use of Restricted Admin?
• Win10 → deploy Remote Credential Guard
• Upgrade to Windows 10
• Credential Guard
• TsPkg, WDigest, etc. -- SSO creds obsolescence
• Domain Protected Users Group (PtH mitigation)

https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf

The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. 
The SeImpersonate privilege lets tokens be copied from processes. The new token can then be used to authenticate as the new user. A target user or service must be logged on or have running processes.

Defences:

• Prevent admin account compromise
• Stop remote interactive sessions with highly privileged accounts
• Proper termination of RDP sessions
• Win8.1+ →  force the use of Restricted Admin Mode?
• Win10 → deploy Remote Credential Guard
• Account designation of “Account is Sensitive and Cannot be Delegated” in Active Directory
• Domain Protected Users security group accounts do not create delegate tokens

Stored domain credentials to allow logons when domain controller access is unavailable. Most systems cache the last 10 logon hashes by default. (SAM.dat)

Cached credentials must be cracked. Hashes are salted and case-sensitive, making decryption very slow. These hashes cannot be used for Pass the Hash attacks.

Defences:

• Prevent admin account compromise
• Limit number of cached logon accounts
• SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon (cachedlogonscount value)
• A cachedlogonscount of zero or one is not always the right answer
• Enforce password length and complexity rules
• Brute force cracking is required for this attack
• Domain Protected Users security group accounts do not cache credentials

Credentials stored in the registry (HKEY_LOCAL_MACHINE/Security/Policy/Secrets) to allow services or tasks to be run with user privileges. In addition to service accounts, may also hold application passwords like VPN or auto-logon credentials.

Defences:

• Prevent admin account compromise
• Do not employ services or schedule tasks requiring privileged accounts on low trust systems
• Reduce number of services that require domain accounts to execute
• Heavily audit any accounts that must be used
• (Group) Managed Service Accounts

Kerberos issues tickets to authenticated users that can be reused without additional authentication. Tickets are cached in memory and are valid for 10 hours.

Defences:

• Credential Guard (Win10+)
• Domain Protected Users Group (Win8+) – Some attacks
• Remote Credential Guard (Win10+)
• Restricted Admin (Win8+)
• Long & complex passwords on service accounts (to prevent Kerberoasting)
• Change service account passwords regularly
• Group Managed Service Accounts are a great mitigation
• Audit service accounts for unusual activity
• Change KRBTGT password regularly (yearly) CHANGE NEEDS TO BE DONE TWICE TO BE EFFECTIVE

Mitigations:

(some) Detections

“Golden Ticket events may have one of these issues:
The Account Domain field is blank when it should be DOMAIN
The Account Domain field is DOMAIN FQDN when it should be DOMAIN.”
–Sean Metcalf, adsecurity.org

Kerberoasting uses RC4 encryption downgrade (Ticket Enc. Type = 0x17)

See FIRST page following 35.

Active Directory Domain Services (AD DS) database ( \Windows\NTDS\) holds all user and computer account hashes (LM/NT) in the domain. Encrypted, but algorithm is well known and easy to defeat.
The file is locked, so admin access is required to load a driver to access raw disk, or use the Volume Shadow Copy Service.

Defences:

Don’t allow Domain Admin accounts to be compromised.  LOL

c:\Windows\Prefetch

Description:

• Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file.
Utilized to know an application was executed on a system.
• Limited to 128 files on Win7
• Limited to 1024 files on Win8-10
• (exename)-(hash).pf

limited to 128 files / check file date for first/last execution

The prefetch directory is populated after an application is executed.

Prefetch has historically been the go to indication of process execution. If enabled, it can provide a wealth of useful data in an investigation or incident response. However, since Windows 7, systems with an SSD installed as the OS volume have had prefetch disabled by default during installation. With that said, I have seen plenty of systems with SSDs which have still had prefetch enabled (particularaly in businesses which push a standard image) so it is always worth checking for. Windows Server installations also have Prefetch disabled by default, but the same applies.

Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file.

Utilized to know an application was executed on a system.
• Limited to 128 files on Win7
• Limited to 1024 files on Win8-10
• (exename)-(hash).pf

The following registry key can be used to determine if it is enabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
0 = Disabled
1 = Only Application launch prefetching enabled
2 = Only Boot prefetching enabled
3 = Both Application launch and Boot prefetching enabled

Interpretation:
• Each .pf will include last time of execution, number of times run, and device and file handles used by the program
• Date/Time file by that name and path was first executed
- Creation Date of .pf file (-10 seconds)
• Date/Time file by that name and path was last executed
- Embedded last execution time of .pf file
- Last modification date of .pf file (-10 seconds)
- Win8-10 will contain last 8 times of execution

HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache
Need to check for every control set found in the SYSTEM hive.

Description:
• Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables.
• Tracks the executables’ file name, file size, last modified time Location:

Windows XP ShimCache is limited to 96 entries all versions since then retain up to 1024 entries.
Windows Server 2003 has 512 entries
Windows 7-10, Server 2008/2012/2016 has 1024 entries

The information is retained in memory and is only written to the registry when the system is shutdown. Data can be retrieved from a memory image if available.

The Shimcache tracks metadata such as the full file path, last modified date, and file size
The Shimcache only contains the information prior to the system’s last startup, as current entries are stored only in memory
Use Shimcache along with your timelines to recreate and determine malicious activities
Liears

Win7/8/10
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation:
Any executable run on the Windows system could be found in this key. You can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data you might be able todetermine the last time of execution or activity on the system.
• Windows 7/8/10 contains at most 1,024 entries
- LastUpdateTime does not exist on Win7/8/10 systems

C:\Windows\AppCompat\Programs\Amcache.hve (Windows 7/8/10)

Description:
ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation
Amcache.hve records the recent processes that were run 
Amcache.hve records the programs SHA1 so it can be researched with databases like VirusTotal for easy identifiacation
The Amcache.hve lists the path of the files that’s executed which can then be used to find the executed program

Interpretation:
• Amcache.hve – Keys = Amcache.hve\Root\File\{Volume GUID}\#######
• Entry for every executable run, full path information, File’s $StandardInfo Last Modification Time, and Disk volume the executable was run from
• First Run Time = Last Modification Time of Key
• SHA1 hash of executable also contained in the key

C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (Win7/8/10)

Description:
• The Windows 7-10 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or recently used quickly and easily. This functionality cannot only include recent media files; it must also include recent tasks.
• The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application.

Interpretation:
• First time of execution of application.
- Creation Time = First time item added to the AppID file.
• Last time of execution of application with file open.
- Modification Time = Last time item added to the
AppID file.
• List of Jump List IDs → www.forensicswiki.org/wiki/List_of_Jump_List_IDs

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache. (Windows 2000, Windows XP, Windows Server 2003)
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Starting from Windows Vista)

Description:

Each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the 'MuiCache'. 

Stores information about what programs ran under a user account
The user account an executable ran under and it's executable file path

NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count

Description:
GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.

Interpretation:
All values are ROT-13 Encoded
• GUID for Win7/8/10
- CEBFF5CD Executable File Execution
- F4E57C4B Shortcut File Execution

NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps (Win10)

Description:
Program execution launched on the Win10 system is tracked in the RecentApps key

Interpretation:
Each GUID key points to a recent application.
AppID = Name of Application
LastAccessTime = Last execution time in UTC
LaunchCount = Number of times executed

(Win10) SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
(Win10) SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Description:
Windows Background Activity Moderator (BAM)

Investigative Notes
Provides full path of the executable file that was run on the system and last execution date/time

Location

Logon Types

Use the logon ID to link a logON ( 4624) with a logOFF (better 4647) to determine the session length.

Workstation Logons are "Logon Events"
DC (i.e. Kerberos) verifications of credentials are " Account Logon Events"

Tracking Account and Group enumeration

Check the process name within the event to unviel the programm used

Network Shares

RunAs

Schedules Tasks

Can be an indicator of persistance (service failure recovery,dll hijacking, service replacement, etc.)

Althought it's usually all-or-nothing to be cleared, it might be worth evaluating the a manipulation like Danderspritz

Mitigation:

• Event log forwarding (i.e. Splunk)
• Logging heartbeat
• Log gap analysis