Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.
- Type: TTP
- Product: Splunk Behavioral Analytics
- Last Updated: 2020-10-18
- Author: Stanislav Miskovic, Splunk
- ID: adc51a77-90c9-4358-b43c-f10dd1a27d05
|T1003||OS Credential Dumping||Credential Access|
| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where cmd_line != null AND process_name != null AND ( match_regex(process_name, /^(?i)ntkd\.exe/)=true OR match_regex(process_name, /^(?i)kd\.exe/)=true ) AND match_regex(cmd_line, /(?i)\-z\s+/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name]) | into write_ssa_detected_events();
Associated Analytic Story
How To Implement
You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.
|63.0||70||90||Malicious actor is extracting/decoding encoded credentials via Microsoft's native debugging tools. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$|
source | version: 1