Full Report
Derek Banks, Beau Bullock, & Brian Fehrman // Our clients often ask how they could have detected and prevented the post-exploitation activities we used in their environment to gain elevated […] The post The CredDefense Toolkit appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: CredDefense Toolkit
## Overview
The CredDefense Toolkit is a free, open-source collection of tools designed to help organizations detect and prevent common credential abuse attacks, such as password spraying, Kerberoasting, and NBNS spoofing, which are frequently leveraged by pentesters and malicious actors.
## Technical Details
- Type: Tool/Toolkit (Collection of utilities)
- Platform: Windows Domains (Focuses on Domain Controllers and Windows Event logs)
- Capabilities: Implements domain password filtering, detects password spray, detects Kerberoast attempts, facilitates event log consolidation, detects NBNS spoofing, and includes a honey token submission mechanism.
- First Seen: Not explicitly stated, but presented in an article describing its creation/release.
## MITRE ATT&CK Mapping
Since the toolkit provides detection/prevention features for several attacks, the mappings cover the techniques it aims to counter:
- **T1110 - Credential Access: Brute Force** (Addressed via Password Filter and Spraying Detection)
  - T1110.001 - Password Guessing (e.g., Password Spraying)
- **T1558 - Credential Access: Steal or Forge Kerberos Tickets** (Addressed via Kerberoast Detection)
  - T1558.003 - Kerberoasting
- **T1557 - Credential Access: Man-in-the-Middle** (Addressed via NBNS Spoofing Detection)
  - T1557.001 - LLMNR/NBT-NS Poisoning and Relay
## Functionality
### Core Capabilities
- **Domain Password Filter (EasyPasswordFilter DLL):** Implements custom checks on Windows Domain Controllers when users set new passwords, preventing the use of weak or easily guessable passwords (like seasonal/yearly combinations) even if they meet basic complexity requirements.
- **Password Spraying Detection:** Uses the `CredDefenseEventParser.ps1` script to parse Windows Event Logs for any single IP address generating more than ten failed login attempts within one hour.
- **Kerberoast Detection:** Includes functionality to detect Kerberoasting activity.
- **NBNS Spoofing Detection & Honey Token Submission:** Detects NetBIOS Name Service (NBNS) spoofing (related to LLMNR poisoning) and submits data to a honey token when detected.
- **Password Doesn't Expire Policy Check:** Included as one of the features in the overall toolkit.
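The spray-detection rule described above (more than ten failed logons from one source IP within one hour), as an added example in Python; this is not the toolkit's `CredDefenseEventParser.ps1`, and the one-line log format, the sample records and the Event ID 4625/4624 handling are assumptions constructed for illustration. It goes slightly beyond the rule by also counting distinct target accounts, which separates a spray from repeated failures against a single account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records in a simplified one-line form:
# "<timestamp> <EventID> <source IP> <target account>". Illustrative only,
# not output of the CredDefense parser or data from a real domain.
SAMPLE_LOG = [f"2017-11-01T09:{m:02d}:00 4625 10.0.0.5 user{m:02d}" for m in range(12)]
SAMPLE_LOG += [
    "2017-11-01T09:03:00 4625 10.0.0.9 alice",  # a single typo, not a spray
    "2017-11-01T10:30:00 4625 10.0.0.9 alice",  # more than an hour later
    "2017-11-01T09:04:00 4624 10.0.0.9 alice",  # successful logon, ignored
]

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")
THRESHOLD = 10               # more than ten failures ...
WINDOW = timedelta(hours=1)  # ... from one IP within one hour

def parse_line(line):
    """Return (time, event_id, ip, user), or None for a line that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, ip, user = m.groups()
    return datetime.fromisoformat(ts), int(event_id), ip, user

def detect_spray(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of Event ID 4625 failures per source IP.

    Returns {ip: {"failures", "users", "window_start"}} for each IP whose
    failures in some one-hour window exceed the threshold. The peak count and
    the number of distinct target accounts are kept: many accounts with one
    failure each is the spray signature, versus many failures on one account.
    """
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[0])
    recent = defaultdict(deque)  # ip -> (time, user) pairs inside the window
    hits = {}
    for t, event_id, ip, user in records:
        if event_id != 4625:
            continue
        q = recent[ip]
        q.append((t, user))
        while t - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold and len(q) > hits.get(ip, {"failures": 0})["failures"]:
            hits[ip] = {"failures": len(q), "users": len({u for _, u in q}),
                        "window_start": q[0][0].isoformat()}
    return hits
```

Running `detect_spray(SAMPLE_LOG)` flags only 10.0.0.5 (12 failures across 12 accounts); the two failures from 10.0.0.9 fall outside a shared one-hour window and are never counted together.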
### Advanced Features
- **Credential Filter Management:** The Cred Defense interface allows for easy installation, uninstallation, and updating of the `EasyPasswordFilter` DLL and its associated password list across multiple Domain Controllers.
- **Intelligent Password Filtering:** The filter is case-insensitive and performs substring matching, meaning administrators only need to enter a base bad word (e.g., "winter") to block variations like "Winter2017" or "WinterWinter2017".
- **Event Log Analysis:** The parser script can run continually against a centralized forwarded events log file or analyze specific historical `.evtx` files.
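The case-insensitive substring matching described above, as an added example in Python rather than code from the EasyPasswordFilter DLL or the toolkit; the bad-word list and the simplified complexity rule are constructed assumptions, placed side by side to show why a password that satisfies complexity (such as "Winter2017!") is still rejected by the filter.

```python
import re

# Constructed bad-word list in the spirit of the toolkit's base-word approach:
# only base words are listed; seasonal/yearly variants fall out of substring
# matching ("winter" also catches "Winter2017" and "WinterWinter2017").
BAD_WORDS = ["winter", "spring", "summer", "fall", "password", "welcome", "examplecorp"]

def meets_complexity(candidate, min_length=8):
    """Simplified stand-in for a basic complexity policy (assumption for
    illustration): minimum length plus three of four character classes."""
    classes = [re.search(r"[a-z]", candidate), re.search(r"[A-Z]", candidate),
               re.search(r"[0-9]", candidate), re.search(r"[^A-Za-z0-9]", candidate)]
    return len(candidate) >= min_length and sum(1 for c in classes if c) >= 3

def filter_match(candidate, bad_words=BAD_WORDS):
    """Case-insensitive substring check; returns the first base word found, else None."""
    lowered = candidate.lower()
    for word in bad_words:
        if word.lower() in lowered:
            return word
    return None

def evaluate_password(candidate, bad_words=BAD_WORDS):
    """Decide accept/reject the way a password filter has to at change time:
    the complexity policy and the bad-word filter are independent gates."""
    complexity_ok = meets_complexity(candidate)
    hit = filter_match(candidate, bad_words)
    return {"complexity": complexity_ok,
            "filter_hit": hit,
            "accepted": complexity_ok and hit is None}
```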
## Indicators of Compromise
*Note: As this is a defensive toolkit, the indicators primarily relate to the components deployed when installing the Password Filter.*
- File Hashes: Not provided in the context.
- File Names:
  - `EasyPasswordFilter.dll` (Deployed to %SystemRoot%\Windows\System32)
- Registry Keys:
  - `HKLM\System\CurrentControlSet\Control\Lsa\Notifications`: Presence of the `EasyPasswordFilter` value indicates the password filter is active on the Domain Controller.
- Network Indicators: N/A (Focus is on internal authentication and log analysis).
- Behavioral Indicators:
  - Rapid sequence of failed login attempts originating from a single source IP across the domain.
  - Installation/modification of system DLLs on Domain Controllers related to password checking mechanisms.
## Associated Threat Actors
The article frames the toolkit as a defense against practices utilized by **Pentesters** and **truly malicious individuals**. No specific APT groups are named as users of this defensive tool.
## Detection Methods
- **Signature-based detection:** Detection rules could be created for the specific files deployed (`EasyPasswordFilter.dll`).
- **Behavioral detection:** Monitoring the configuration changes on Domain Controllers (specifically the LSA Notifications registry key).
- **YARA rules:** Not specified.
## Mitigation Strategies
- **Prevention (Primary Focus):** Implementing the Domain Password Filter to stop users from creating weak passwords at the source.
- **Hardening Recommendations:**
  - Increase minimum password length requirements (though the toolkit aims to help when this isn't politically feasible).
  - Consolidate Windows Event Logs for centralized analysis of potential credential attacks (like spray attempts).
  - Monitor Kerberos activity (if the Kerberoast detection is implemented).
## Related Tools/Techniques
- **OpenPasswordFilter:** The open-source project upon which the CredDefense Password Filter component is based.
- **Password Spraying:** The attack technique the toolkit specifically targets for detection/prevention.
- **Kerberoasting:** The attack technique the toolkit specifically targets for detection.
- **LLMNR Poisoning:** Related to the NBNS Spoofing detection feature.