Windows Credential Editor (WCE) is a security tool to list logon sessions and add, change, list, and delete associated credentials, such as LM hashes, plaintext passwords, and Kerberos tickets. This tool can be used to perform pass-the-hash on Windows, obtain LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems, and dump cleartext passwords entered by users at logon.
- An attacker with administrator privileges uploads the WCE binary to the victim system and executes the binary to retrieve logon session information.
- The server will respond with the specified logon session information.
The attacker will need access to the target system and administrator privileges.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
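As an added illustration of log-based detection (not Alert Logic's signature and not part of the original advisory), the sketch below scans exported Windows events for a service-install record (event ID 7045) and corroborates it with a process-creation record (event ID 4688) on the same host. The service name `WCESERVICE`, the file name `wce.exe`, the JSON field names, the five-minute window and the sample events are all assumptions made for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One JSON object per line;
# the field names are assumed, modelled on a flattened Windows event export.
SAMPLE_LOG = r"""
{"ts":"2024-05-01T10:00:02","host":"SRV01","id":4688,"user":"admin","image":"C:\\Temp\\wce.exe"}
{"ts":"2024-05-01T10:00:03","host":"SRV01","id":7045,"user":"admin","service":"WCESERVICE"}
{"ts":"2024-05-01T10:05:00","host":"SRV02","id":7045,"user":"svc_backup","service":"BackupAgent"}
{"ts":"2024-05-01T11:30:00","host":"SRV03","id":7045,"user":"admin","service":"wceservice"}
{"ts":"2024-05-01T12:00:00","host":"SRV04","id":4688,"user":"jdoe","image":"C:\\Windows\\System32\\cmd.exe"}
"""

SERVICE_NAME = "wceservice"    # assumed default WCE helper service name
BINARY_NAME = "wce.exe"        # assumed default file name; trivially renamed
WINDOW = timedelta(minutes=5)  # assumed correlation window

def parse(log_text):
    """Parse one JSON event per line and return events sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return one finding per suspicious service install (event 7045)."""
    findings = []
    for ev in events:
        if ev["id"] != 7045 or ev.get("service", "").lower() != SERVICE_NAME:
            continue
        # Raise confidence when the same host also logged process creation
        # (event 4688) of a binary named wce.exe close to the install.
        corroborated = any(
            p["id"] == 4688 and p["host"] == ev["host"]
            and p.get("image", "").lower().rsplit("\\", 1)[-1] == BINARY_NAME
            and abs(p["ts"] - ev["ts"]) <= WINDOW
            for p in events)
        findings.append({"host": ev["host"], "user": ev["user"],
                         "time": ev["ts"].isoformat(),
                         "confidence": "high" if corroborated else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Event 4688 is only recorded when process-creation auditing is enabled, and matching on file or service names misses renamed copies, so a hit here is a starting point for triage rather than complete coverage.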
Recommendations for Mitigation
Ensure that all public internet-facing hosts have available patches applied and are sufficiently hardened for public access.