What You'll Learn
- Explain how NTLM authentication works (challenge-response flow) and differentiate NTLMv1 from NTLMv2
- Describe the Kerberos authentication process including the roles of the KDC, TGT, TGS, and service tickets
- Identify where Windows stores credentials: the SAM database, LSASS process memory, NTDS.dit, LSA Secrets, and the credential cache
- Recognize common credential theft techniques including Mimikatz, DCSync, Pass-the-Hash, Pass-the-Ticket, Kerberoasting, and Golden Ticket attacks
- Map credential theft activity to specific Windows Event IDs and Sysmon telemetry for detection
- Connect these concepts to the hands-on exercises in Lab 3.4 (Credential Theft Detection)
Why Authentication Is the Attacker's Favorite Target
Every attacker who gains a foothold on a Windows machine has the same next question: how do I get credentials? Credentials are the keys that unlock lateral movement, privilege escalation, and domain dominance. A single compromised Domain Admin hash can turn a foothold on one workstation into full control of an entire enterprise.
Windows authentication is complex by design — it has to support single sign-on across thousands of machines, backward compatibility with systems from the 1990s, and seamless delegation between services. That complexity creates a large attack surface. Understanding how Windows authenticates users and where it stores their credentials is not optional for a SOC analyst — it is the foundation for detecting every credential theft technique you will encounter in the field.
NTLM Authentication
NTLM (NT LAN Manager) is the older of Windows' two authentication protocols. Despite Microsoft's long-running efforts to deprecate it, NTLM remains active in virtually every Windows environment because legacy applications, network devices, and cross-forest trusts still rely on it.
The Challenge-Response Flow
NTLM uses a three-step challenge-response mechanism. The user's password never crosses the network — only a cryptographic proof that the client knows the password.
| Step | Action | Description |
|---|---|---|
| 1 | NEGOTIATE | Client sends a request to the server saying "I want to authenticate" along with supported NTLM features |
| 2 | CHALLENGE | Server responds with a random 8-byte (NTLMv1) or 16-byte (NTLMv2) nonce — the challenge |
| 3 | AUTHENTICATE | Client encrypts the challenge using the NTLM hash of the user's password and sends the result back. Server (or domain controller) performs the same operation and compares |
The critical detail: the client never sends the password or even the hash directly. It sends an encrypted challenge response. But this design has a fatal weakness — the NTLM hash itself is sufficient to generate valid responses. If an attacker steals the hash, they do not need the plaintext password. This is the foundation of Pass-the-Hash attacks.
NTLM Hash Format
The NTLM hash is an unsalted MD4 hash of the user's password encoded in UTF-16LE:
NTLM Hash = MD4(UTF-16LE(password))
Example for the password "P@ssw0rd":
a4f49c406510bdcab6824ee7c30fd852
NTLM hashes are unsalted. Two users with the same password produce identical hashes. This makes NTLM hashes vulnerable to rainbow table attacks and allows attackers to identify password reuse across accounts by comparing hashes — without ever cracking them.
NTLMv1 vs NTLMv2
| Feature | NTLMv1 | NTLMv2 |
|---|---|---|
| Challenge size | 8 bytes | 16 bytes (server) + client nonce |
| Hash algorithm | DES-based | HMAC-MD5 |
| Client nonce | No | Yes (prevents replay attacks) |
| Timestamp in response | No | Yes (limits response validity) |
| Security | Critically weak — can be cracked in hours | Significantly stronger but still vulnerable to relay |
| Relay attacks | Trivially relayable | Relayable unless EPA/signing enforced |
NTLMv1 should be disabled in every environment. It can be cracked offline in hours using tools like hashcat mode 5500. If your environment still uses NTLMv1, you will see Event ID 4624 logon events with LmPackageName: NTLM V1 — treat these as a critical security finding. In Lab 3.4, you will search for NTLMv1 authentications in Wazuh alerts.
Kerberos Authentication
Kerberos is the default authentication protocol for Active Directory environments. Named after the three-headed dog from Greek mythology, Kerberos is fundamentally a ticket-based system: instead of proving your identity to every service, you prove it once to a trusted third party that issues tickets on your behalf.
Key Components
| Component | Role |
|---|---|
| KDC (Key Distribution Center) | Runs on every Domain Controller. Contains the Authentication Service (AS) and Ticket Granting Service (TGS) |
| TGT (Ticket Granting Ticket) | The "master ticket" — proves you authenticated to the KDC. Valid for 10 hours by default |
| TGS (Ticket Granting Service) | Issues service-specific tickets when you present a valid TGT |
| Service Ticket (ST) | Grants access to a specific service (file share, SQL server, web app). Contains session key encrypted with the service account's hash |
| krbtgt account | Special domain account whose password hash encrypts all TGTs. Compromise of this hash = Golden Ticket |
The Ticket-Granting Process
Step 1 — AS-REQ (Authentication Service Request): The client sends a timestamp encrypted with the user's password hash to the KDC. This proves the user knows the password without sending it.
Step 2 — AS-REP (Authentication Service Response): The KDC verifies the encrypted timestamp, then returns a TGT encrypted with the krbtgt account's hash. The client cannot read inside the TGT — only the KDC can.
Step 3 — TGS-REQ (Ticket Granting Service Request): When the user needs to access a service (e.g., a file share), the client presents the TGT to the TGS and requests a service ticket.
Step 4 — TGS-REP (Ticket Granting Service Response): The KDC decrypts the TGT (using krbtgt hash), validates it, and issues a Service Ticket encrypted with the target service account's password hash.
Step 5 — AP-REQ (Application Request): The client presents the service ticket to the target service. The service decrypts it using its own password hash and grants access.
Step 6 — AP-REP (Application Response): Optional mutual authentication — the service proves its identity back to the client.
Why Kerberos is better than NTLM for security: The user's password hash is only used in Step 1 — after that, everything runs on tickets. Tickets have expiration times, are bound to specific services, and use stronger cryptography. However, Kerberos introduces its own attack surface: any service account with a weak password can be Kerberoasted, and compromise of the krbtgt hash means game over for the entire domain.
Where Windows Stores Credentials
Understanding credential storage locations is essential for detection — every credential theft technique targets one of these specific locations.
| Location | What It Stores | Where It Lives | Who Can Access It |
|---|---|---|---|
| SAM Database | NTLM hashes for local accounts | C:\Windows\System32\config\SAM (locked file) | SYSTEM only (requires offline access, reg save, or shadow copy) |
| LSASS Process | Plaintext passwords (if WDigest enabled), NTLM hashes, Kerberos tickets, all logon session credentials | lsass.exe process memory (PID varies) | SYSTEM / SeDebugPrivilege |
| NTDS.dit | NTLM hashes for every domain account, Kerberos keys, password history | C:\Windows\NTDS\NTDS.dit on Domain Controllers | Domain Admins / SYSTEM |
| LSA Secrets | Service account passwords, auto-logon credentials, VPN passwords, DPAPI keys | Registry under HKLM\SECURITY\Policy\Secrets | SYSTEM |
| Credential Cache | Cached domain logon verifiers (default: last 10 logons) | Registry under HKLM\SECURITY\Cache | SYSTEM |
The SAM Database
Every Windows machine has a SAM (Security Account Manager) database containing NTLM hashes for local accounts. The file is locked while Windows is running, but attackers extract it using:
reg save HKLM\SAM sam.save— dumps the SAM registry hive- Volume Shadow Copy — accesses a snapshot of the locked file
- Offline boot from USB — reads the file directly from the disk
LSASS: The Crown Jewels
lsass.exe (Local Security Authority Subsystem Service) is the most targeted process on any Windows machine. It handles all authentication and stores credentials for every active logon session in memory. When you log into a Windows machine, LSASS caches your NTLM hash and Kerberos tickets so you do not have to re-enter your password for every network resource.
On older systems (Windows Server 2012 and below) or systems with WDigest authentication enabled, LSASS stores plaintext passwords in memory. This is why Mimikatz was so devastating when it was released — it could read cleartext passwords directly from LSASS. Modern Windows versions disable WDigest by default, but attackers can re-enable it via registry: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 1. In Lab 3.4, you will detect this registry modification.
NTDS.dit: The Domain's Password Vault
On Domain Controllers, the NTDS.dit file is the Active Directory database. It contains NTLM hashes and Kerberos keys for every account in the domain — often tens of thousands of accounts. Extracting NTDS.dit gives an attacker the ability to authenticate as any user in the domain.
Credential Caching
Windows caches the last 10 domain logon credentials by default (configurable via CachedLogonsCount registry value). This allows users to log in when the Domain Controller is unreachable (e.g., laptop off the corporate network). Cached credentials are stored as MS-Cache v2 hashes — harder to crack than NTLM but not immune.
How Attackers Steal Credentials
Every technique below targets one of the credential storage locations described above. Understanding the technique helps you understand what to detect.
LSASS Memory Dumping
The most direct approach: read credentials straight from LSASS memory.
| Tool/Method | Command | Detection Clue |
|---|---|---|
| Mimikatz | sekurlsa::logonpasswords | Sysmon Event 10 — process accessing lsass.exe |
| comsvcs.dll MiniDump | rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> dump.bin full | Sysmon Event 10 + Event 1 (rundll32 with comsvcs.dll) |
| ProcDump (Sysinternals) | procdump -ma lsass.exe lsass.dmp | Sysmon Event 10 + Event 1 |
| Task Manager | Right-click lsass.exe → Create dump file | Sysmon Event 10 (source: taskmgr.exe) |
| Direct syscalls | Custom tools using NtReadVirtualMemory | Hardest to detect — may bypass userland hooks |
Credential Guard (Windows 10 Enterprise / Server 2016+) moves LSASS credential storage into a hardware-isolated Virtual Secure Mode (VSM) container. Even SYSTEM-level access cannot read credentials from the isolated LSASS. If your environment supports it, Credential Guard is the single most effective mitigation against LSASS dumping.
SAM Database Extraction
reg save HKLM\SAM C:\temp\sam.save
reg save HKLM\SYSTEM C:\temp\system.save
Then offline: secretsdump.py -sam sam.save -system system.save LOCAL
DCSync
DCSync is a domain-level attack where the attacker impersonates a Domain Controller and requests password hashes via the Directory Replication Service (MS-DRSR) protocol. No malware on the DC required — just a compromised account with replication rights.
mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator
DCSync generates Event ID 4662 with specific replication GUIDs on the Domain Controller. In Lab 3.4, you will build a detection rule for this exact event pattern.
Pass-the-Hash (PtH)
The attacker uses a stolen NTLM hash to authenticate without knowing the plaintext password. This works because NTLM challenge-response only requires the hash:
mimikatz # sekurlsa::pth /user:admin /domain:corp.local /ntlm:a4f49c406510bdcab6824ee7c30fd852
PtH generates Event ID 4624 Logon Type 9 (NewCredentials) with NTLM as the authentication package.
Pass-the-Ticket (PtT)
The Kerberos equivalent of Pass-the-Hash. The attacker steals a Kerberos TGT or service ticket from memory and injects it into their own session:
mimikatz # kerberos::ptt stolen_ticket.kirbi
Kerberoasting
Kerberoasting exploits a design feature of Kerberos: any authenticated domain user can request a service ticket for any service account. The service ticket is encrypted with the service account's password hash — so the attacker requests tickets and cracks them offline.
GetUserSPNs.py corp.local/jsmith:Password1 -request -outputfile hashes.txt
hashcat -m 13100 hashes.txt wordlist.txt
Kerberoasting generates Event ID 4769 with encryption type 0x17 (RC4-HMAC) — weaker encryption that is easier to crack. Requests for AES-encrypted tickets (type 0x12) are normal; RC4 requests from a user workstation are suspicious.
Golden Ticket
The ultimate Kerberos attack. If an attacker obtains the krbtgt account's password hash (via DCSync or NTDS.dit extraction), they can forge TGTs for any user — including non-existent users — with any group membership, including Domain Admins.
mimikatz # kerberos::golden /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-... /krbtgt:<HASH> /ticket:golden.kirbi
Golden Tickets are valid for 10 years by default and bypass normal authentication logging because the forged TGT was never issued by the real KDC. Detection relies on spotting anomalies: TGTs with impossibly long lifetimes, tickets for non-existent users, or TGS requests (4769) without a corresponding AS request (4768).
Detecting Credential Theft
Every technique above leaves traces. The table below maps attacks to the telemetry that exposes them.
| Attack | Primary Event ID | Key Fields to Examine | What to Look For |
|---|---|---|---|
| LSASS access | Sysmon 10 (ProcessAccess) | TargetImage, SourceImage, GrantedAccess | TargetImage = lsass.exe, GrantedAccess includes 0x1010 or 0x1FFFFF |
| NTLMv1 usage | 4624 (Logon) | LmPackageName | NTLM V1 in any logon event |
| Pass-the-Hash | 4624 (Logon) | LogonType, AuthPackage, LogonProcessName | Type 9 + NTLM + seclogo |
| Kerberoasting | 4769 (TGS Request) | TicketEncryptionType, ServiceName | Encryption type 0x17 (RC4) for non-computer accounts |
| DCSync | 4662 (Directory Access) | Properties (GUIDs) | Replication GUIDs: 1131f6aa-... and 1131f6ad-... from non-DC source |
| Golden Ticket | 4769 without 4768 | Correlation | TGS request with no prior TGT request for that user |
| SAM extraction | 4688 (Process Creation) | CommandLine | reg save targeting HKLM\SAM or HKLM\SECURITY |
| WDigest re-enable | Sysmon 13 (Registry) | TargetObject, Details | UseLogonCredential set to 1 |
In Lab 3.4, you will work with Wazuh alerts that contain all of these event patterns. The lab environment has pre-loaded alerts for LSASS access, NTLMv1 authentication, Kerberoasting ticket requests, and suspicious process creation events. Your task is to identify the credential theft technique from the alert data and trace the attack path — exactly the way you would in a real SOC.
Building a Kerberoasting Detection Rule
Here is what a Wazuh rule for Kerberoasting detection looks like in practice:
<rule id="100410" level="12">
<if_sid>60106</if_sid>
<field name="win.eventdata.ticketEncryptionType">0x17</field>
<field name="win.eventdata.serviceName" negate="yes">krbtgt|\$</field>
<description>Possible Kerberoasting: RC4 TGS request for service account</description>
<mitre>
<id>T1558.003</id>
</mitre>
</rule>
This rule triggers on Event ID 4769 (via parent rule 60106), filters for RC4 encryption (0x17), and excludes the krbtgt account and computer accounts (which end with $). A hit means someone requested a service ticket using deliberately weak encryption — a hallmark of Kerberoasting.
Sysmon Event ID 10: Your LSASS Sentinel
Sysmon Event 10 (ProcessAccess) logs every time a process opens a handle to another process. For LSASS protection, you monitor for:
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ)
GrantedAccess: 0x1FFFFF (PROCESS_ALL_ACCESS)
Legitimate processes that access LSASS include csrss.exe, services.exe, svchost.exe, and security products. Any other source process accessing LSASS with read permissions is suspicious and should trigger an alert.
Key Takeaways
- NTLM uses challenge-response and is vulnerable to Pass-the-Hash because the hash alone is sufficient to authenticate — the plaintext password is not needed
- Kerberos is ticket-based and more secure, but introduces its own attack surface: Kerberoasting targets service accounts with weak passwords, and Golden Tickets exploit the krbtgt hash
- Credentials are stored in five locations: SAM (local hashes), LSASS (in-memory credentials), NTDS.dit (all domain hashes), LSA Secrets (service account passwords), and the credential cache (last 10 domain logons)
- LSASS is the #1 target — every credential dumping tool (Mimikatz, comsvcs.dll, ProcDump) targets this process. Sysmon Event 10 is your primary detection for LSASS access
- Kerberoasting is detectable via Event ID 4769 with RC4 encryption (type 0x17) for non-computer service accounts
- DCSync generates Event ID 4662 with specific replication GUIDs — watch for replication requests from non-Domain Controller sources
- Credential Guard is the single most effective mitigation: it isolates LSASS credentials in hardware-backed Virtual Secure Mode, making memory dumping impossible even for SYSTEM-level attackers
What's Next
Now that you understand how Windows authenticates users and where credentials live — and how attackers steal them — Lesson 3.5 shifts focus to Windows Services, Tasks & Persistence. You will learn how attackers maintain access after stealing credentials: creating malicious services, scheduled tasks, and registry-based persistence mechanisms that survive reboots. The credential theft techniques from this lesson become the "how they got in" that persistence mechanisms turn into "how they stayed."
Knowledge Check: Windows Authentication & Credential Storage
10 questions · 70% to pass
In NTLM authentication, why is stealing the NTLM hash equivalent to stealing the password?
What is the critical weakness of NTLM hashes that makes password reuse easily detectable by attackers?
In Kerberos authentication, what role does the krbtgt account play?
In Lab 3.4, you investigate LSASS access alerts. Which Sysmon Event ID specifically logs when a process opens a handle to another process like lsass.exe?
Which Windows process caches NTLM hashes and Kerberos tickets for active logon sessions in memory?
A Kerberoasting attack requests service tickets using a specific weak encryption type. In Lab 3.4, what Event ID and encryption type combination indicates Kerberoasting?
An attacker runs 'mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator'. What does this attack do and which Event ID detects it?
What is the most effective single mitigation against LSASS memory credential dumping?
In Lab 3.4, you see a Wazuh alert for Event ID 4624 with 'LmPackageName: NTLM V1'. Why is this a critical security finding?
How can a SOC analyst detect a Golden Ticket attack when the forged TGT was never issued by the real KDC?
0/10 answered