28 November 2015


by mo

Your homework for Monday is to read this article and answer the following questions via email:


  • What is lsass, and how is it attacked with mimikatz?
  • What are access tokens and how are these abused?

    “When you log in into your system, Windows assign you an access token, which is an object, that contain all security context information about user and his privileges.”

  • What are cached credentials and how are they attacked?

    Windows cache and store domain user credentials(10 by default). This is used to validate domain users locally when domain controller is inaccessible, i.e. when traveling


  • What are some suggestions for detection?
    • “Alert on common names of tools like mimikatz.exe, wce.exe and the like.”
    • “alert on your AV event for those tools”
    • “Enable command line logging”
    • Alert on attempts to dump a registry like reg save HKLM\SAM.
    • Alert on injections in lsass.exe process
  • Which do you think would be the most effective to identify or stop the attacks we did this week?
    • Alert on common names of tools like mimikatz.exe.
    • run AV.
    • “Enable command line logging”


  • Why is it suggested to force idle RDP sessions to log off?
    • Lots of methods outlined depend on existence of user sessions, if there is no user sessions – there is nothing to steal.
  • What sort of local Windows security settings are recommended?
    • Deny access to this computer from the network: not defined
    • Deny logon as a batch job: /admin
    • Deny logon as a service: /admin
    • Deny logon locally: not defined
    • Deny logon through Remote Desktop Services: Local account and me..
    • Enable computer and user accounts to be trusted for delegation: Not defined

If you’re interested, you may also enjoy: