Forum Discussion
chrispay
Feb 20, 2019, Copper Contributor
Mitigating Lateral Movement Attacks
As I understand it, the risk of a lateral movement attack is increased where sensitive users (e.g. domain admins) log onto the same machine as std users (with Internet access / email access / etc) wh...
- Feb 20, 2019
Hi,
Cached credentials are used to verify the authenticating user when there is no connectivity to the DC, and they are not used for lateral movement since they are only valid for the machine itself. In addition, the hash is different from those used for NTLM/Kerberos, so it won't be useful for moving laterally. Also, they're considered quite hard to reverse/break, so limiting the cached creds to 0 or 1 would only cause issues rather than help.
chrispay
Feb 20, 2019, Copper Contributor
Thanks. Which credentials does a lateral transfer attack use if it doesn't use the domain authenticated cached credentials?
igrady
Microsoft
Feb 20, 2019
Credentials stored in Credential Manager, LSASS memory and other locations, but not cached credentials.
- chrispay, Feb 20, 2019, Copper Contributor
Thank you. That's very helpful.
- Gerson Levitz, Mar 01, 2019, Iron Contributor
Also, to clarify, the lateral movement path will identify where a sensitive user has logged onto a machine on which a non-sensitive user is a member of the local administrators group. AATP will also then calculate the paths to this machine.
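The following is an added example, not code from the thread or from AATP itself: a small Python model of the lateral movement path idea discussed above. It encodes the two facts the replies rely on: a user's credentials sit in LSASS memory on any machine where that user has a logon session, and membership in the local Administrators group is what lets someone read that memory. The sample sensitive-user set, logon sessions and local admin memberships are constructed for illustration; AATP's real path calculation is not reproduced here, only the same basic condition (sensitive user logged on where a non-sensitive user is local admin) and a breadth-first search for multi-hop paths.

```python
from collections import deque

# Constructed sample data (assumption for illustration; not from the thread or from AATP).
SENSITIVE_USERS = {"CORP\\da_alice"}

# Observed logon sessions as (machine, user) pairs.
LOGONS = [
    ("WS01", "CORP\\bob"),
    ("WS01", "CORP\\da_alice"),   # a domain admin logged on to a standard workstation
    ("WS02", "CORP\\carol"),
    ("WS02", "CORP\\bob"),
    ("SRV01", "CORP\\da_alice"),
    ("SRV01", "CORP\\svc_backup"),
]

# Local Administrators group membership per machine.
LOCAL_ADMINS = {
    "WS01": {"CORP\\bob"},
    "WS02": {"CORP\\carol"},
    "SRV01": {"CORP\\svc_backup"},
}


def exposed_machines(logons, local_admins, sensitive_users):
    """Machines where a sensitive user has a logon session and a non-sensitive
    user is a member of the local Administrators group (the condition in the thread)."""
    sessions = {}
    for machine, user in logons:
        sessions.setdefault(machine, set()).add(user)
    result = {}
    for machine, users in sessions.items():
        sensitive_here = users & sensitive_users
        risky_admins = local_admins.get(machine, set()) - sensitive_users
        if sensitive_here and risky_admins:
            result[machine] = {
                "sensitive": sorted(sensitive_here),
                "local_admins": sorted(risky_admins),
            }
    return result


def build_graph(logons, local_admins):
    """Directed graph of credential exposure.
    user -> machine   : the user is a local admin there, so can read LSASS memory
    machine -> user   : the user has a session there, so their credentials are in LSASS memory"""
    graph = {}
    for machine, admins in local_admins.items():
        for admin in admins:
            graph.setdefault(admin, set()).add(machine)
    for machine, user in logons:
        graph.setdefault(machine, set()).add(user)
    return graph


def shortest_path_to_sensitive(graph, start_user, sensitive_users, max_hops=6):
    """BFS from start_user over the alternating user/machine graph.
    Returns the shortest path that ends at a sensitive user, or None."""
    queue = deque([[start_user]])
    seen = {start_user}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in sensitive_users and node != start_user:
            return path
        if len(path) // 2 >= max_hops:   # each hop adds one machine and one user
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def lateral_movement_paths(logons, local_admins, sensitive_users, max_hops=6):
    """Map each non-sensitive user to the shortest path by which they could
    reach a sensitive user's credentials, if one exists."""
    graph = build_graph(logons, local_admins)
    users = {u for _, u in logons} | {a for admins in local_admins.values() for a in admins}
    paths = {}
    for user in sorted(users - sensitive_users):
        path = shortest_path_to_sensitive(graph, user, sensitive_users, max_hops)
        if path:
            paths[user] = path
    return paths


if __name__ == "__main__":
    for machine, info in exposed_machines(LOGONS, LOCAL_ADMINS, SENSITIVE_USERS).items():
        print(f"{machine}: sensitive {info['sensitive']} exposed to local admins {info['local_admins']}")
    for user, path in lateral_movement_paths(LOGONS, LOCAL_ADMINS, SENSITIVE_USERS).items():
        print(f"{user}: " + " -> ".join(path))
```

With the constructed data, WS01 and SRV01 are flagged directly, and carol, who is only a local admin on WS02, still reaches da_alice in two hops because bob has a session on WS02 and is a local admin on WS01. That multi-hop case is why the path calculation matters beyond the single-machine check.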