This topic contains 1 reply, has 2 voices, and was last updated by Wel_ok 1 month, 3 weeks ago.
- February 24, 2021 at 11:09 pm #366440
Hi, I’m working with an application that triggers the 4624 logon type 8 Windows event. This means the password is being passed to the authentication package in cleartext, i.e. unhashed. What are suggestions for exploiting this and gaining access to the password?
In this specific scenario, it’s an app on a server with a service account. The service account is automatically used to run the app daily, triggering the event.
How does the app know the password of the service account to authenticate? During the initial setup we provided the app the creds, so are they stored in the app somewhere? And is it likely they’re stored in plaintext?
As a tangential question, for Windows services with the run as account value, how do they have the password for that account to run the service? Are they hard coded into the app?
Thanks for all the info!
- February 24, 2021 at 11:09 pm #366441
Credentials for service accounts are stored in the local registry, as what’s called “LSA Secrets” in the registry key HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Because the service needs to read the actual password to log in as the service account, that password is in the registry in clear-text.
For apps it can be different.
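For defenders reviewing the event discussed in this thread, the following is an added example (not part of either post) that inventories successful 4624 logons with LogonType 8 (NetworkCleartext) by account and process, so cleartext-credential use can be found and moved to a safer logon method. It assumes events exported as Windows Event XML; the sample events, the `EXAMPLE\svc_app` account and the application path are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NETWORK_CLEARTEXT = "8"  # 4624 LogonType 8 = NetworkCleartext

def make_event(event_id, logon_type, user, process):
    """Build a constructed, trimmed Security event in Windows Event XML form."""
    fields = {"TargetUserName": user, "TargetDomainName": "EXAMPLE",
              "LogonType": logon_type, "ProcessName": process}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

APP = r"C:\Apps\daily\app.exe"  # hypothetical application path
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    make_event("4624", "8", "svc_app", APP),
    make_event("4624", "5", "svc_app", r"C:\Windows\System32\services.exe"),
    make_event("4624", "8", "svc_app", APP),
    make_event("4624", "3", "alice", "-"),
    make_event("4625", "8", "bob", APP),  # failed logon: not a 4624, ignored
]

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): d.text or ""
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def cleartext_logons(events):
    """Keep only successful logons (4624) that used NetworkCleartext."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id == "4624" and data.get("LogonType") == NETWORK_CLEARTEXT:
            account = data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", "")
            hits.append({"account": account, "process": data.get("ProcessName", "")})
    return hits

def summarize(hits):
    """Count cleartext logons per (account, process) pair."""
    return Counter((h["account"], h["process"]) for h in hits)

if __name__ == "__main__":
    for (account, process), n in summarize(cleartext_logons(SAMPLE_EVENTS)).items():
        print(f"{n} cleartext logon(s): {account} via {process}")
```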