Combating Password Scraping in Your Environment

Jim Shaver | 12/21/2016

If you are reading this post on a PC, there is a good chance that your Windows® password is stored in its memory right now. If an attacker gets enough of a foothold on your computer, he or she may be able to pull your password straight out of its memory by using a tool like mimikatz, a program written for that purpose. The attacker might then be able to use it in other locations on the corporate network. Over the years, Microsoft has created many methods that allow us to prove who we are to other computers on our networks. Many of them have subtle flaws that can lead to a security compromise, and yet we still use them today. This post will discuss how to reduce the risk of one of the leading threats organizations face after they have been compromised – memory password scraping.

Why Is My Password Stored on My Computer?

Windows passwords are stored on computers to accommodate backward compatibility and to make the operating system easier to use. Besides some of the changes we will discuss later, Microsoft hasn’t introduced many innovations for Windows and Active Directory® authentication in a while. We are learning that things we thought were secure 10 or 20 years ago often are not secure today.

How Does an Attacker Use Mimikatz?

Let’s go through a hypothetical scenario. If Bob in accounting calls Alice from IT to ask her to do some IT support on his computer, she may have to run some applications from her more privileged account on Bob’s computer. Once she logs into his computer, both of their passwords are stored in memory on Bob’s computer. If later that day Bob receives a malicious email giving an attacker access to the network, the attacker can then run mimikatz as though Bob were running it. Because Alice’s password is stored in memory as well, the attacker would have her username and password, and since Alice is in IT, that account likely has access to other resources on the network.

This Sounds Like a Job for Antivirus

When an attacker is in a position to run mimikatz, traditional antivirus software has already failed to control the running of malicious applications. The same administrator privilege that allows someone to run mimikatz also can allow him or her to disable antivirus software. Many people don’t realize it, but most antivirus products scan only files already downloaded and stored on disk. Smart attackers make every attempt not to be detected by antivirus software. So, these attackers will load mimikatz directly into memory to be able to bypass most current antivirus protections. Preventing viruses with antivirus software tends to be a cat-and-mouse game between attackers and defenders and should not be relied on completely for preventing attacks like this one. Antivirus software is meant to stop the internet equivalent of driftwood. Stronger defenses are needed to catch more targeted attacks.

Limiting Administrative Access

The first major step to helping prevent these kinds of attacks is to revisit end-user administrative access. Mimikatz requires administrator-level access to the computer to fetch passwords out of memory. In the Alice and Bob scenario, if Bob is not an administrator on the computer or the attacker is not able to escalate Bob’s privileges to those of an administrator, then the attacker should be unable to run mimikatz to get Alice’s password.

Administrator access to a computer is granted for many reasons. Three of the most common reasons are:

  1. To run software that requires administrative access to legacy hardware. In this case it may be time to rethink how this machine is used. Some good questions to ask may be: Should the hardware causing this constraint be upgraded? Should this computer be treated like an appliance rather than a computer? In other words, should it be used only to allow users to read email and access the internet? Should it be on the Active Directory domain?
  2. To access legacy software that doesn’t work for a user who is not an administrator. In this case, the software vendor should be questioned about why this level of access is required. In most of the cases that I have seen, the software vendor has developed the software without understanding modern Windows development methodologies.
  3. To give access to some or all members of IT to the “Domain Admins” group, which allows them to administer all of the computers in the environment. While this access is needed by at least some IT personnel, it is important to separate the roles of each IT employee into different accounts and to limit the privilege of these different roles as much as possible. For example, someone in IT might have one account for his or her own computer (nonprivileged), one account for support of servers or workstations (privileged), and one for domain administration (Domain Admin).
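
A review of who actually holds administrator rights on a workstation is a practical starting point for the three cases above. The following PowerShell sketch is an added example, not part of the original post; the approved list, machine name and domain name are constructed placeholders.

```powershell
# Added example. Flags local Administrators members that fall outside an
# approved list. $approved and all sample names are constructed placeholders.
function Find-RiskyLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Member,   # needs Name, ObjectClass, PrincipalSource
        [string[]] $Approved = @()
    )
    foreach ($m in $Member) {
        if ($Approved -contains $m.Name) { continue }
        $finding = if ($m.Name -match '\\(Domain Users|Authenticated Users)$|^Everyone$') {
            'broad group: every member is a local administrator'
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            'domain user added directly: check it is not a day-to-day account'
        } else {
            'not on the approved list: confirm why it needs admin rights'
        }
        [pscustomobject]@{ Name = $m.Name; Class = $m.ObjectClass; Finding = $finding }
    }
}

# Constructed sample shaped like Get-LocalGroupMember output.
$sample = @(
    [pscustomobject]@{ Name = 'PC042\Administrator';         ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Workstation Support'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\bob';                 ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';        ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
)
$approved = 'PC042\Administrator', 'EXAMPLE\Workstation Support'
Find-RiskyLocalAdmin -Member $sample -Approved $approved | Format-Table -AutoSize

# Live data on the machine being reviewed (S-1-5-32-544 is the built-in Administrators group):
# Find-RiskyLocalAdmin -Member (Get-LocalGroupMember -SID 'S-1-5-32-544') -Approved $approved
```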

Preventing Storage of Legacy Authentication Credentials

One of the features that Microsoft introduced in the latest version of Active Directory was the built-in group “Protected Users.” When the Active Directory domain is upgraded to a functional level of 2012 R2, this group is automatically available. The Protected Users group prevents plain-text passwords and NTLM hashes from being stored in memory by client computers. This feature also was provided for Windows 7, Windows Server 2008 R2, and Windows Server 2012 clients in the update KB2871997. NTLM is an authentication protocol that obfuscates a user’s password. Unfortunately, because of how NTLM authentication works, anyone who possesses the hash can impersonate the user. This is often called “pass the hash.” If an attacker manages to run mimikatz on a computer, he or she will not have access to the plain-text passwords or the NTLM hashes of members of the Protected Users group. But the Protected Users group does have some drawbacks. It will prompt affected users more often for their usernames and passwords, may have compatibility issues with legacy applications, and is not appropriate for service accounts.
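
To see how far Protected Users coverage reaches, compare a privileged group against the Protected Users membership. This PowerShell sketch is an added example, not part of the original post. It assumes the RSAT ActiveDirectory module for live data and treats any account with a service principal name as a service account, which is a heuristic; the account names are constructed.

```powershell
# Added example. Lists privileged accounts missing from Protected Users and
# service accounts that were placed in it. Sample accounts are constructed.
function Get-ProtectedUsersGap {
    param(
        [Parameter(Mandatory)] [object[]] $Privileged,  # needs SamAccountName, ServicePrincipalName
        [string[]] $ProtectedName = @()
    )
    foreach ($u in $Privileged) {
        # Assumption: an account carrying an SPN is a service account.
        $isService   = @($u.ServicePrincipalName | Where-Object { $_ }).Count -gt 0
        $isProtected = $ProtectedName -contains $u.SamAccountName
        $action = if ($isService -and $isProtected) {
            'review: service accounts are not appropriate for Protected Users'
        } elseif (-not $isService -and -not $isProtected) {
            'add to Protected Users after testing legacy applications'
        } else { $null }
        if ($action) {
            [pscustomobject]@{ Account = $u.SamAccountName; ServiceAccount = $isService; Action = $action }
        }
    }
}

# Constructed sample shaped like Get-ADUser output.
$privileged = @(
    [pscustomobject]@{ SamAccountName = 'alice-da';   ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'carol-da';   ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; ServicePrincipalName = @('backup/srv01.example.test') }
    [pscustomobject]@{ SamAccountName = 'svc-sql';    ServicePrincipalName = @('MSSQLSvc/db01.example.test') }
)
$protected = 'carol-da', 'svc-backup'
Get-ProtectedUsersGap -Privileged $privileged -ProtectedName $protected | Format-Table -AutoSize

# Live data (requires the ActiveDirectory module):
# $privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' | Get-ADUser -Properties ServicePrincipalName
# $protected  = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
```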

Virtual Secure Mode With Credential Guard

A new feature of Windows 10 Enterprise allows you to run the authentication process (lsass.exe) on its own virtual machine. This effectively puts Windows and the authentication process each in their own container and runs them in parallel. The technology is called Credential Guard and is used as a part of Virtual Secure Mode. This method does not always protect passwords because certain types of authentication, such as remote desktop and digest authentication, will still cause the credentials to be stored in memory. This setup also prevents some legacy authentication methods and limits client-side certificates that are used for domain authentication.
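
Whether Credential Guard is actually running on a given client can be read from the Win32_DeviceGuard WMI class, and the digest authentication caveat can be checked through the WDigest UseLogonCredential registry value. This PowerShell sketch is an added example, not part of the original post; the sample inputs are constructed.

```powershell
# Added example. Combines the Device Guard status with the WDigest setting
# into one verdict per machine. Sample inputs below are constructed.
function Get-CredentialGuardVerdict {
    param(
        [Parameter(Mandatory)] $DeviceGuard,  # Win32_DeviceGuard instance or look-alike
        $UseLogonCredential                   # WDigest registry value, $null when absent
    )
    $vbsText = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
    # In SecurityServicesRunning, the value 1 means Credential Guard.
    $cgRunning = $DeviceGuard.SecurityServicesRunning -contains 1
    # UseLogonCredential = 1 makes WDigest keep plain-text credentials in memory;
    # when the value is absent, the operating system default applies.
    $wdigestOn = $UseLogonCredential -eq 1
    $verdict = if (-not $cgRunning) {
        'Credential Guard is not running: LSASS secrets are not isolated'
    } elseif ($wdigestOn) {
        'Credential Guard running, but WDigest plain-text caching is enabled'
    } else {
        'Credential Guard running'
    }
    [pscustomobject]@{
        VbsStatus              = $vbsText[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = $cgRunning
        WDigestPlaintext       = $wdigestOn
        Verdict                = $verdict
    }
}

# Constructed samples: one protected client, one with VBS configured but idle.
$good = [pscustomobject]@{ VirtualizationBasedSecurityStatus = 2; SecurityServicesRunning = @(1, 2) }
$weak = [pscustomobject]@{ VirtualizationBasedSecurityStatus = 1; SecurityServicesRunning = @() }
Get-CredentialGuardVerdict -DeviceGuard $good -UseLogonCredential $null
Get-CredentialGuardVerdict -DeviceGuard $weak -UseLogonCredential 1

# Live data on the client being checked:
# $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# $wd = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
#        -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
# Get-CredentialGuardVerdict -DeviceGuard $dg -UseLogonCredential $wd
```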

Limited Access Is Still the Best Defense

While Microsoft has provided some tools to help defend against password scraping attacks such as mimikatz, ultimately the most effective method of defense is limiting privileged and administrator access for all users, including IT personnel, to the Windows systems of the environment.


Microsoft, Windows, and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.