| Connectionmethod |
Logon type |
Reusable credentials on destination |
Comments |
| Log on at console |
Interactive |
v |
Includes hardware remote access / lights-out cards and network KVMs. |
| RUNAS |
Interactive |
v |
|
| RUNAS /NETWORK |
NewCredentials |
v |
Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
| Remote Desktop (success) |
RemoteInteractive |
v |
If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
| Remote Desktop (failure - logon type was denied) |
RemoteInteractive |
- |
By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised. |
| Net use * \\SERVER |
Network |
- |
|
| Net use * \\SERVER /u:user |
Network |
- |
|
| MMC snap-ins to remote computer |
Network |
- |
Example: Computer Management, Event Viewer, Device Manager, Services |
| PowerShell WinRM |
Network |
- |
Example: Enter-PSSession server |
| PowerShell WinRM with CredSSP |
NetworkClearText |
v |
New-PSSession server-Authentication Credssp-Credential cred |
| PsExec without explicit creds |
Network |
- |
Example: PsExec \\server cmd |
| PsExec with explicit creds |
Network + Interactive |
v |
PsExec \\server -u user -p pwd cmdCreates multiple logon sessions. |
| Remote Registry |
Network |
- |
|
| Remote Desktop Gateway |
Network |
- |
Authenticating to Remote Desktop Gateway. |
| Scheduled task |
Batch |
v |
Password will also be saved as LSA secret on disk. |
| Run tools as a service |
Service |
v |
Password will also be saved as LSA secret on disk. |
| Vulnerability scanners |
Network |
- |
Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |
| IIS "Basic Authentication" |
NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0) |
v |
|
| IIS "Integrated Windows Authentication" |
Network |
- |
NTLM and Kerberos Providers. |