Credential dumping prevention techniques?

alexjdale
Valued Contributor III

Has anyone else been tasked with finding a method to prevent credential dumping in the form of using dscl to access user password hashes? I'm not having any luck investigating this, it seems to be a big deal on Windows with various solutions but it's quite trivial on Mac for any admin.


sshort
Valued Contributor

alexjdale
Valued Contributor III

Yeah, I ran across that article too. It was light on effective mitigation techniques (nothing about stopping a user from dscl'ing out a shadow hash), and of course it is designed to sell CrowdStrike.

tlarkin
Honored Contributor

What is the higher goal here? I had my bout with CrowdStrike before for this exact scenario (I was trying to script auto login), and all CS seemed to do was listen to stdin and check if I was doing anything with the ShadowHash, which was trivial to bypass by simply redirecting I/O.

Also, Apple most likely has to access that data for account and authentication purposes. Are you trying to prevent lateral hash exploits?

alexjdale
Valued Contributor III

Credential dumping via hashes for lateral exploits is our red team's crusade of the week. We have solutions on Windows to prevent this, but on Mac I don't see anything that can possibly do that since Apple doesn't make any effort to mitigate it.

tlarkin
Honored Contributor

Do you have matching local accounts on your Mac fleet? This is pretty avoidable by not having a centralized management account or network/roaming/mobile accounts that can authenticate to the Mac. We use individual local accounts, thus bypassing this exact scenario by design.

Also, you would need local code execution to even do this.

geoffrepoli
Contributor

Separate/tiered accounts for accessing server infrastructure and, if a management account is necessary on Macs, usage of a tool like macOSLAPS will reduce the effectiveness of credential dumping on macOS. AFAIK there's no real way to mitigate credential dumping alone on macOS. Or if there is, I'd love to know.

tlarkin
Honored Contributor

Just use local accounts, only allow one local account per Mac, and use the FV2 keys for recovery. It completely stops lateral hash attacks.
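The two points tlarkin makes above (no matching local accounts across the fleet, and only one local admin per Mac) can be turned into a fleet audit. The following is an added example, not code from the thread or from any product mentioned in it. It assumes a constructed inventory mapping hostnames to local admin account names (the kind of data an MDM export or a per-host `dscl . -read /Groups/admin GroupMembership` could supply); the parser for that dscl output and the sample lines are assumptions built for this example.

```python
"""Fleet audit for the shared-admin-account problem described in the thread.

A dumped password hash only enables lateral movement if the same account
exists on other hosts, so the audit flags (1) admin accounts shared across
hosts and (2) hosts with more than the allowed number of local admins.
Added example; the inventory below is constructed, not real fleet data.
"""
from collections import defaultdict

# Constructed sample: hostname -> local admin account names.
SAMPLE_INVENTORY = {
    "mac-001": ["ladmin", "alice"],
    "mac-002": ["ladmin", "bob"],
    "mac-003": ["carol"],
    "mac-004": ["ladmin", "dave", "helpdesk"],
}

# Constructed sample of the one-line output of
# `dscl . -read /Groups/admin GroupMembership` on a single Mac.
SAMPLE_DSCL_OUTPUT = "GroupMembership: root ladmin alice\n"

# Built-in accounts that appear on every Mac and are not fleet-wide shared admins.
BUILTIN_ACCOUNTS = {"root"}


def parse_dscl_group_membership(text):
    """Extract member names from dscl 'GroupMembership: a b c' output.

    Returns the account names in order, excluding BUILTIN_ACCOUNTS.
    Assumption: the attribute is printed on one line, space separated.
    """
    members = []
    for line in text.splitlines():
        if line.startswith("GroupMembership:"):
            _, _, names = line.partition(":")
            members.extend(n for n in names.split() if n not in BUILTIN_ACCOUNTS)
    return members


def shared_accounts(inventory):
    """Return {account: sorted hosts} for admin accounts present on more than one host.

    Each entry is an account whose hash, if dumped on one host, would be
    replayable against every other host listed.
    """
    hosts_by_account = defaultdict(set)
    for host, accounts in inventory.items():
        for acct in accounts:
            hosts_by_account[acct].add(host)
    return {a: sorted(h) for a, h in hosts_by_account.items() if len(h) > 1}


def multi_admin_hosts(inventory, max_admins=1):
    """Return hosts that exceed the allowed number of local admin accounts."""
    return sorted(h for h, accts in inventory.items() if len(accts) > max_admins)


def blast_radius(inventory, account):
    """Number of *other* hosts a hash dumped for `account` on one host could reach."""
    hosts = [h for h, accts in inventory.items() if account in accts]
    return max(len(hosts) - 1, 0)


def audit_report(inventory, max_admins=1):
    """Build a plain-text report from the two checks above."""
    lines = []
    for acct, hosts in sorted(shared_accounts(inventory).items()):
        lines.append(f"SHARED ADMIN {acct!r} on {len(hosts)} hosts "
                     f"(blast radius {blast_radius(inventory, acct)}): {', '.join(hosts)}")
    for host in multi_admin_hosts(inventory, max_admins):
        lines.append(f"MULTI-ADMIN {host}: {', '.join(inventory[host])}")
    return "\n".join(lines) if lines else "OK: no shared admins, no multi-admin hosts"


if __name__ == "__main__":
    print(audit_report(SAMPLE_INVENTORY))
```

Run against a real export, an empty report means every local admin is unique to its Mac, which is the state the replies above describe as stopping hash replay by design; `blast_radius` gives a quick number to attach to any shared account the red team points at.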