mirror of
https://github.com/pe3zx/my-infosec-awesome.git
synced 2024-12-14 10:34:31 -05:00
4.7 KiB
4.7 KiB
Windows Privileged Access Reference
Connectionmethod | Logon type | Reusable credentials on destination | Comments |
---|---|---|---|
Log on at console | Interactive | v | Includes hardware remote access / lights-out cards and network KVMs. |
RUNAS | Interactive | v | |
RUNAS /NETWORK | NewCredentials | v | Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
Remote Desktop (success) | RemoteInteractive | v | If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
Remote Desktop (failure - logon type was denied) | RemoteInteractive | - | By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised. |
Net use * \\SERVER | Network | - | |
Net use * \\SERVER /u:user | Network | - | |
MMC snap-ins to remote computer | Network | - | Example: Computer Management, Event Viewer, Device Manager, Services |
PowerShell WinRM | Network | - | Example: Enter-PSSession server |
PowerShell WinRM with CredSSP | NetworkClearText | v | New-PSSession server-Authentication Credssp-Credential cred |
PsExec without explicit creds | Network | - | Example: PsExec \\server cmd |
PsExec with explicit creds | Network + Interactive | v | PsExec \\server -u user -p pwd cmdCreates multiple logon sessions. |
Remote Registry | Network | - | |
Remote Desktop Gateway | Network | - | Authenticating to Remote Desktop Gateway. |
Scheduled task | Batch | v | Password will also be saved as LSA secret on disk. |
Run tools as a service | Service | v | Password will also be saved as LSA secret on disk. |
Vulnerability scanners | Network | - | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |
IIS "Basic Authentication" | NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0) | v | |
IIS "Integrated Windows Authentication" | Network | - | NTLM and Kerberos Providers. |
Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples |
---|---|---|---|---|
Interactive (a.k.a., Logon locally) | 2 | Password, Smartcard,other | Yes | Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0) |
Network | 3 | Password,NT Hash,Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets present) | NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth; |
Batch | 4 | Password (usually stored as LSA secret) | Yes | Scheduled tasks |
Service | 5 | Password (usually stored as LSA secret) | Yes | Windows services |
NetworkCleartext | 8 | Password | Yes | IIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP |
NewCredentials | 9 | Password | Yes | RUNAS /NETWORK |
RemoteInteractive | 10 | Password, Smartcard,other | Yes | Remote Desktop (formerly known as "Terminal Services") |