Posted on 08-12-2019 12:38 PM
Has anyone else been tasked with finding a method to prevent credential dumping in the form of using dscl to access user password hashes? I'm not having any luck investigating this; it seems to be a big deal on Windows with various solutions, but it's quite trivial on Mac for any admin.
Posted on 08-12-2019 12:51 PM
I ran across this post a few days ago: https://www.crowdstrike.com/blog/mac-attack-credential-theft-video-rsa-2019/
Posted on 08-12-2019 03:30 PM
Yeah, I ran across that article too. It was light on effective mitigation techniques (nothing about stopping a user from dscl'ing out a ShadowHash), and of course is designed to sell CrowdStrike.
Posted on 08-12-2019 10:52 PM
What is the higher goal here? I had my bout with CrowdStrike before for this exact scenario (I was trying to script auto login), and all CS seemed to do was to listen to stdin and check if I was doing anything with the ShadowHash, which was trivial to bypass by simply redirecting I/O.
Also, Apple most likely has to access that data for account and authentication purposes. Are you trying to prevent lateral hash exploits?
Posted on 08-13-2019 08:33 AM
Credential dumping via hashes for lateral exploits is our red team's crusade of the week. We have solutions on Windows to prevent this, but on Mac I don't see anything that can possibly do that since Apple doesn't make any effort to mitigate it.
Posted on 08-13-2019 09:31 AM
Do you have matching local accounts on your Mac fleet? This is pretty avoidable by not having a centralized management account or network/roaming/mobile accounts that can authenticate to the Mac. We use individual local accounts, thus bypassing this exact scenario by design.
Also, you would need local code execution to even do this.
Posted on 08-15-2019 06:48 AM
Separate/tiered accounts for accessing server infrastructure, and, if a management account is necessary on Macs, usage of a tool like macOSLAPS will reduce the effectiveness of credential dumping on macOS. AFAIK there's no real way to mitigate credential dumping alone on macOS, or if there is, I'd love to know.
Posted on 08-15-2019 09:25 AM
Just use local accounts, only allow one local account per Mac, and use the FV2 keys for recovery. It completely stops lateral hash attacks.
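The advice in the last three replies (no shared management account, one local account per Mac) can be checked fleet-wide with a small audit. The script below is an added example, not something posted in the thread or shipped by macOSLAPS: it takes a constructed inventory of local accounts (one line per host and account, in the form `host user uid admin`) and reports the two conditions that make a dumped hash reusable elsewhere: account names that exist on more than one host, and hosts carrying more than one local account. On a real Mac the inventory lines would come from `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership`; the host names, account names and UIDs in `SAMPLE_INVENTORY` are made up for the example.

```shell
#!/bin/sh
# Constructed sample inventory (not real data). Format per line:
#   host user uid admin
# Only UIDs >= 500 are considered, which is where macOS puts normal local users.
SAMPLE_INVENTORY='mac-01 alice 501 yes
mac-01 itadmin 502 yes
mac-02 bob 501 no
mac-03 carol 501 yes
mac-03 itadmin 502 yes
mac-03 dave 503 no'

# Accounts present on more than one host: a hash dumped on one machine
# would authenticate on every other machine that has the same account.
shared_accounts() {
    printf '%s\n' "$SAMPLE_INVENTORY" | awk '
        $3 >= 500 { hosts[$2]++ }
        END { for (u in hosts) if (hosts[u] > 1) print u }' | sort
}

# Hosts with more than one local account, i.e. not following the
# "one local account per Mac" layout.
multi_account_hosts() {
    printf '%s\n' "$SAMPLE_INVENTORY" | awk '
        $3 >= 500 { n[$1]++ }
        END { for (h in n) if (n[h] > 1) print h }' | sort
}

# Hosts on which a shared account also has admin rights; these are the
# machines where a replayed hash would land with full privileges.
shared_admin_hosts() {
    shared="$(shared_accounts)"
    printf '%s\n' "$SAMPLE_INVENTORY" | awk -v shared="$shared" '
        BEGIN { n = split(shared, a, "\n"); for (i = 1; i <= n; i++) s[a[i]] = 1 }
        $3 >= 500 && $4 == "yes" && ($2 in s) { print $1 }' | sort -u
}

report() {
    echo "Accounts shared across hosts:"
    shared_accounts | sed 's/^/  /'
    echo "Hosts with more than one local account:"
    multi_account_hosts | sed 's/^/  /'
    echo "Hosts where a shared account is an admin:"
    shared_admin_hosts | sed 's/^/  /'
}

report
```

Replacing `SAMPLE_INVENTORY` with lines collected from each Mac (for example via a management agent) turns this into a recurring check; an empty "shared across hosts" list is the state the replies above are recommending.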