Description

Uncover activity consistent with credential dumping, a technique in which attackers compromise systems and attempt to obtain and exfiltrate passwords or password hashes. The threat actors use these stolen credentials to escalate privileges further and spread throughout a target environment. The searches included in this Analytic Story are designed to identify attempts at credential dumping.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change, Endpoint
  • Last Updated: 2020-02-04
  • Author: Rico Valdez, Splunk
  • ID: 854d78bf-d0e2-4f4e-b05c-640905f86d7a

Narrative

Credential dumping (gathering credentials from a target system, often in hashed or encrypted form) is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set about cracking it offline on their own systems. Threat actors target a variety of sources to extract credentials, including the Security Accounts Manager (SAM), the Local Security Authority (LSA), the NTDS database on Domain Controllers, and Group Policy Preference (GPP) files.
Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.
The detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the use of shadow copies to read protected credential stores (SAM, SYSTEM, NTDS.dit), and several other credential dumping techniques such as registry hive extraction, DCSync replication requests, and WDigest configuration changes.
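The following is an added example, not part of this Analytic Story or of Splunk's own detection content, showing in Python the kind of logic the LSASS-access and shadow-copy searches above express in SPL. It runs over constructed Sysmon-style event records (Event ID 10 process access and Event ID 1 process creation); the field names, the allowlist of processes that may legitimately open LSASS, the access-mask bits, and all sample paths and command lines are assumptions for illustration and would need tuning against real telemetry.

```python
"""Toy credential-dumping detector over Sysmon-style events (added example).

Events are constructed dictionaries that mimic Sysmon Event ID 1 (process
creation) and Event ID 10 (process access); field names and sample values are
assumptions, not data from any real host.
"""
import re

# Processes that routinely open lsass.exe on a typical host. This allowlist
# is an assumption and must be tuned per environment to keep false positives
# down without hiding an attacker masquerading under one of these names.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\msmpeng.exe",
}

# GrantedAccess bits that indicate the source process can read LSASS memory
# (PROCESS_VM_READ = 0x0010, PROCESS_QUERY_INFORMATION = 0x0400).
READ_MASK = 0x0010 | 0x0400

# Command-line patterns for the shadow-copy techniques in the detection table:
# creating a shadow copy, and copying a credential store out of one.
SHADOW_COPY_CREATE = re.compile(
    r"\b(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create)",
    re.I,
)
SHADOW_COPY_READ = re.compile(
    r"harddiskvolumeshadowcopy\d+.*\\(sam|system|security|ntds\.dit)\b", re.I
)


def _granted_access(event):
    # Sysmon logs GrantedAccess as a hex string such as "0x1010".
    return int(event.get("GrantedAccess", "0x0"), 16)


def classify_event(event):
    """Return the names of the (hypothetical) rules this event triggers."""
    hits = []
    event_id = event.get("EventID")
    if event_id == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        if (
            target.endswith(r"\lsass.exe")
            and source not in LSASS_ACCESS_ALLOWLIST
            and _granted_access(event) & READ_MASK
        ):
            hits.append("lsass_memory_access")
    elif event_id == 1:
        cmd = event.get("CommandLine", "")
        if SHADOW_COPY_CREATE.search(cmd):
            hits.append("shadow_copy_creation")
        if SHADOW_COPY_READ.search(cmd):
            hits.append("credential_file_copied_from_shadow_copy")
    return hits


def run_detections(events):
    """Flatten all rule hits into (EventID, responsible image, rule) tuples."""
    return [
        (e["EventID"], e.get("Image") or e.get("SourceImage"), hit)
        for e in events
        for hit in classify_event(e)
    ]


# Constructed sample telemetry: one benign LSASS access, one suspicious one,
# a shadow copy creation, a copy out of a shadow copy, and a benign process.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\notes.txt"},
]

if __name__ == "__main__":
    for row in run_detections(SAMPLE_EVENTS):
        print(row)
```

The allowlist check is what separates the "System Account Targeting Lsass" hunting search from the "Non-System Account Targeting Lsass" TTP search in the table: the same process-access event is low-signal from a known system binary and high-signal from anything else, so the source image, not just the target, decides the verdict.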

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | TTP |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump Rename | LSASS Memory | Hunting |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Potential password in username | Local Accounts, Credentials In Files | Hunting |
| SAM Database File Access Attempt | Security Account Manager, OS Credential Dumping | Hunting |
| SecretDumps Offline NTDS Dumping Tool | NTDS, OS Credential Dumping | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP |
| Unsigned Image Loaded by LSASS | LSASS Memory | TTP |
| Windows AD Replication Request Initiated by User Account | DCSync, OS Credential Dumping | TTP |
| Windows AD Replication Request Initiated from Unsanctioned Location | DCSync, OS Credential Dumping | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Hunting System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | Hunting |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Non-System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | TTP |
| Windows OS Credential Dumping with Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Windows OS Credential Dumping with Procdump | LSASS Memory, OS Credential Dumping | TTP |
| Windows Possible Credential Dumping | LSASS Memory, OS Credential Dumping | TTP |
| Windows Rundll32 Comsvcs Memory Dump | NTDS, OS Credential Dumping | TTP |

Reference

source | version: 3