Analytics Story: Credential Dumping

Date: 2020-02-04 ID: 854d78bf-d0e2-4f4e-b05c-640905f86d7a Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.

Why it matters

Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files. Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations. The detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Dump LSASS via procdump Rename LSASS Memory Hunting
Unsigned Image Loaded by LSASS LSASS Memory TTP
Access LSASS Memory for Dump Creation LSASS Memory, OS Credential Dumping TTP
Attempted Credential Dump From Registry via Reg exe Security Account Manager, OS Credential Dumping TTP
Create Remote Thread into LSASS LSASS Memory, OS Credential Dumping TTP
Creation of lsass Dump with Taskmgr LSASS Memory, OS Credential Dumping TTP
Creation of Shadow Copy NTDS, OS Credential Dumping TTP
Creation of Shadow Copy with wmic and powershell NTDS, OS Credential Dumping TTP
Credential Dumping via Copy Command from Shadow Copy NTDS, OS Credential Dumping TTP
Credential Dumping via Symlink to Shadow Copy NTDS, OS Credential Dumping TTP
Detect Copy of ShadowCopy with Script Block Logging Security Account Manager, OS Credential Dumping TTP
Detect Credential Dumping through LSASS access LSASS Memory, OS Credential Dumping TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Dump LSASS via procdump LSASS Memory, OS Credential Dumping TTP
Enable WDigest UseLogonCredential Registry Modify Registry, OS Credential Dumping TTP
Esentutl SAM Copy Security Account Manager, OS Credential Dumping Hunting
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Potential password in username Local Accounts, Credentials In Files Hunting
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Hunting
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Windows AD Replication Request Initiated by User Account DCSync, OS Credential Dumping TTP
Windows AD Replication Request Initiated from Unsanctioned Location DCSync, OS Credential Dumping TTP
Windows Credential Dumping LSASS Memory Createdump LSASS Memory TTP
Windows Hunting System Account Targeting Lsass LSASS Memory, OS Credential Dumping Hunting
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Non-System Account Targeting Lsass LSASS Memory, OS Credential Dumping TTP
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Linux Secure Linux icon Linux linux_secure /var/log/secure
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4624 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4662 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 3