Description
Uncover activity consistent with credential dumping, a technique in which attackers compromise systems and attempt to obtain and exfiltrate passwords or password hashes. The threat actors use these pilfered credentials to escalate privileges and spread throughout a target environment. The searches in this Analytic Story are designed to identify attempts at credential dumping.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Change, Endpoint
- Last Updated: 2020-02-04
- Author: Rico Valdez, Splunk
- ID: 854d78bf-d0e2-4f4e-b05c-640905f86d7a
Narrative
Credential dumping, gathering credentials from a target system, often in hashed or encrypted form, is a common attack technique. Even when the credentials are not in plain text, an attacker can exfiltrate the material and crack it offline on their own systems. Threat actors target a variety of sources to extract them, including the Security Account Manager (SAM) hive, Local Security Authority (LSA) secrets, the NTDS.dit database on Domain Controllers, and Group Policy Preferences (GPP) files.
Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.
The detection searches in this Analytic Story monitor access to the memory of the Local Security Authority Subsystem Service (LSASS) process, the use of Volume Shadow Copies to read otherwise locked registry hives and NTDS.dit, and other credential dumping techniques such as registry hive exports, ntdsutil, and DCSync-style replication requests.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | TTP |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump Rename | LSASS Memory | Hunting |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Potential password in username | Local Accounts, Credentials In Files | Hunting |
| SAM Database File Access Attempt | Security Account Manager, OS Credential Dumping | Hunting |
| SecretDumps Offline NTDS Dumping Tool | NTDS, OS Credential Dumping | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP |
| Unsigned Image Loaded by LSASS | LSASS Memory | TTP |
| Windows AD Replication Request Initiated by User Account | DCSync, OS Credential Dumping | TTP |
| Windows AD Replication Request Initiated from Unsanctioned Location | DCSync, OS Credential Dumping | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Hunting System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | Hunting |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Non-System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | TTP |
| Windows OS Credential Dumping with Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Windows OS Credential Dumping with Procdump | LSASS Memory, OS Credential Dumping | TTP |
| Windows Possible Credential Dumping | LSASS Memory, OS Credential Dumping | TTP |
| Windows Rundll32 Comsvcs Memory Dump | NTDS, OS Credential Dumping | TTP |
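As an added illustration (not the Analytic Story's own SPL searches, which this page does not reproduce), the Python below re-expresses eight of the detections listed above, covering the LSASS access, registry hive, shadow copy and NTDS export techniques from the narrative, as predicates over constructed Sysmon-style endpoint events and runs them as a small rule engine. The field names (EventCode, Image, CommandLine, TargetImage, GrantedAccess, CallTrace) follow Sysmon's schema; the set of suspicious access masks, the sample events and the rule bodies are simplifications made here rather than Splunk's exact logic.

```python
"""Toy detection engine: a few of the credential-dumping detections from the
table above re-expressed as Python predicates and run over constructed Windows
endpoint telemetry (Sysmon EventCode 10 process-access and EventCode 1
process-creation records). Added illustration, not Splunk's SPL searches."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _cmd(ev: Event) -> str:
    return str(ev.get("CommandLine", "")).lower()

def _image(ev: Event) -> str:
    return _basename(str(ev.get("Image", "")))

def _targets_lsass(ev: Event) -> bool:
    # Sysmon EventCode 10 fires when one process opens a handle to another
    return ev.get("EventCode") == 10 and _basename(str(ev.get("TargetImage", ""))) == "lsass.exe"

def lsass_dump_calltrace(ev: Event) -> bool:
    # MiniDumpWriteDump lives in dbgcore.dll/dbghelp.dll; those modules in the
    # call trace of an lsass.exe handle open are the "dump creation" signal
    trace = str(ev.get("CallTrace", "")).lower()
    return _targets_lsass(ev) and ("dbgcore.dll" in trace or "dbghelp.dll" in trace)

def lsass_access_mask(ev: Event) -> bool:
    # 0x1010 / 0x1410 are the classic Mimikatz masks; 0x1FFFFF is
    # PROCESS_ALL_ACCESS. This set is an assumption made for the example.
    return _targets_lsass(ev) and str(ev.get("GrantedAccess", "")).lower() in {"0x1010", "0x1410", "0x1fffff"}

def reg_save_hive(ev: Event) -> bool:
    # reg.exe save of the SAM/SECURITY/SYSTEM hives (offline hash extraction)
    c = _cmd(ev)
    return (ev.get("EventCode") == 1 and _image(ev) == "reg.exe" and " save " in c
            and re.search(r"hklm\\(sam|security|system)\b", c) is not None)

def comsvcs_minidump(ev: Event) -> bool:
    c = _cmd(ev)
    return ev.get("EventCode") == 1 and _image(ev) == "rundll32.exe" and "comsvcs.dll" in c and "minidump" in c

def procdump_lsass(ev: Event) -> bool:
    c = _cmd(ev)
    return ev.get("EventCode") == 1 and _image(ev).startswith("procdump") and "-ma" in c and "lsass" in c

def shadow_copy_creation(ev: Event) -> bool:
    c, img = _cmd(ev), _image(ev)
    return ev.get("EventCode") == 1 and (
        (img == "vssadmin.exe" and "create" in c and "shadow" in c)
        or (img == "wmic.exe" and "shadowcopy" in c and "create" in c))

def copy_from_shadow_copy(ev: Event) -> bool:
    # copying locked files (NTDS.dit, SAM, SYSTEM) out of a shadow copy path
    c = _cmd(ev)
    return (ev.get("EventCode") == 1 and "harddiskvolumeshadowcopy" in c
            and re.search(r"(ntds\.dit|config\\sam|config\\system)", c) is not None)

def ntdsutil_export(ev: Event) -> bool:
    c = _cmd(ev)
    return ev.get("EventCode") == 1 and _image(ev) == "ntdsutil.exe" and "ntds" in c and "create full" in c

# (detection name from the table above, technique from the table, predicate)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("Access LSASS Memory for Dump Creation", "LSASS Memory", lsass_dump_calltrace),
    ("Detect Credential Dumping through LSASS access", "LSASS Memory", lsass_access_mask),
    ("Attempted Credential Dump From Registry via Reg exe", "Security Account Manager", reg_save_hive),
    ("Dump LSASS via comsvcs DLL", "LSASS Memory", comsvcs_minidump),
    ("Dump LSASS via procdump", "LSASS Memory", procdump_lsass),
    ("Creation of Shadow Copy", "NTDS", shadow_copy_creation),
    ("Credential Dumping via Copy Command from Shadow Copy", "NTDS", copy_from_shadow_copy),
    ("Ntdsutil Export NTDS", "NTDS", ntdsutil_export),
]

def run_detections(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event index, detection name, technique) for every rule hit."""
    return [(i, name, tech) for i, ev in enumerate(events) for name, tech, pred in RULES if pred(ev)]

# Constructed sample telemetry for the example (not captured from a real host)
SAMPLE_EVENTS: List[Event] = [
    {"EventCode": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\dbgcore.dll+1a2b0"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # benign handle open
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
    {"EventCode": 1, "Image": r"C:\Users\alice\Downloads\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ntds" q q'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
]

if __name__ == "__main__":
    for idx, name, tech in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name} [{tech}]")
```

Running it flags every constructed attacker event and neither benign one; the procdump handle open (event 0) trips both LSASS rules, which is the expected overlap between the call-trace and access-mask detections. In the real searches the same logic is expressed against the Endpoint datamodel (process_name, process, etc.), and the "Hunting" rows in the table are deliberately broader than these predicates.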
Reference
source | version: 3