Exploit network clear text Windows 4624 logon type 8

Hi, I'm working with an application that triggers the 4624 logon type 8 Windows event. This means the password is being passed to the authentication package in cleartext, i.e., unhashed. What are suggestions for exploiting this and gaining access to the password?

In this specific scenario, it's an app on a server with a service account. The service account is automatically used to run the app daily, triggering the event.
How does the app know the password of the service account to authenticate? During the initial setup we provided the app the creds, so are they stored in the app somewhere? And is it likely they're stored in plaintext?

As a tangential question, for Windows services with the run as account value, how do they have the password for that account to run the service? Are they hard-coded into the app?

Thanks for all the info!

submitted by /u/Buttermytoast55

from hacking: security in practice https://ift.tt/37GUiN2
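
For the defensive side of the event the post describes, an added example (not part of the original post) that finds every 4624 event with logon type 8 in an exported Security log and groups them by account, calling process and source address, so the applications submitting cleartext credentials can be identified and reviewed. It assumes the events were exported as XML wrapped in one root element; the sample events, account names and paths are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("TargetDomainName", "TargetUserName", "LogonType",
          "LogonProcessName", "AuthenticationPackageName", "ProcessName", "IpAddress")

def _event(user, logon_type, process, ip, when):
    """Build one constructed 4624 event in the Security log's XML layout."""
    data = {"TargetDomainName": "EXAMPLE", "TargetUserName": user,
            "LogonType": logon_type, "LogonProcessName": "Advapi",
            "AuthenticationPackageName": "Negotiate", "ProcessName": process, "IpAddress": ip}
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{rows}</EventData></Event>')

# Constructed sample data: accounts, paths and addresses are made up for this example.
SAMPLE = "<Events>" + "".join([
    _event("svc_app", "8", r"C:\App\app.exe", "-", "2024-01-01T02:00:00Z"),
    _event("svc_backup", "5", r"C:\Windows\System32\services.exe", "-", "2024-01-01T02:05:00Z"),
    _event("svc_app", "8", r"C:\App\app.exe", "-", "2024-01-02T02:00:00Z"),
    _event("jdoe", "8", r"C:\Windows\System32\inetsrv\w3wp.exe", "10.0.0.7", "2024-01-02T09:13:00Z"),
]) + "</Events>"

def cleartext_logons(xml_text):
    """Return one dict per 4624 event whose LogonType is 8 (NetworkCleartext)."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("LogonType", "").strip() != "8":
            continue
        rec = {f: data.get(f, "") for f in FIELDS}
        rec["Time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        hits.append(rec)
    return hits

def summarize(hits):
    """Count type 8 logons per (account, calling process, source address)."""
    return Counter((f'{h["TargetDomainName"]}\\{h["TargetUserName"]}',
                    h["ProcessName"], h["IpAddress"]) for h in hits)

if __name__ == "__main__":
    for (account, process, ip), n in summarize(cleartext_logons(SAMPLE)).most_common():
        print(f"{n:3d}  {account:20s} {process}  from {ip}")
```
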
