Description

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify credential dumping attempts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Author: Rico Valdez, Splunk
  • ID: 854d78bf-d0e2-4f4e-b05c-640905f86d7a

Narrative

Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.
Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.
The detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the use of shadow copies for credential dumping, and other credential dumping techniques.
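As an added illustration of the two behaviours the narrative singles out, LSASS handle access and shadow-copy creation, the following Python models a few of this story's detections over constructed Sysmon-style events. It is not one of the story's Splunk searches; the field names follow Sysmon (EventCode 10 ProcessAccess, EventCode 1 ProcessCreate), while the trusted-account set and the access-right check are assumptions.

```python
# Added example, not a Splunk search from this story: models two of its
# detections over constructed Sysmon-style events (account set is an assumption).
import re

PROCESS_VM_READ = 0x10  # handle right needed to read another process's memory
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
# Command-line markers, each mapped to the story detection it corresponds to.
COMMAND_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I), "Creation of Shadow Copy"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+call\s+create", re.I),
     "Creation of Shadow Copy with wmic and powershell"),
    (re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I), "Ntdsutil Export NTDS"),
    (re.compile(r"procdump(64)?(\.exe)?\b.*\blsass\b", re.I), "Dump LSASS via procdump"),
]

def classify(event):
    """Return the name of the detection this event would trigger, or None."""
    if event.get("EventCode") == 10:  # Sysmon ProcessAccess
        target = event.get("TargetImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ:
            if event.get("SourceUser") in SYSTEM_ACCOUNTS:
                return "Windows Hunting System Account Targeting Lsass"
            return "Windows Non-System Account Targeting Lsass"
    elif event.get("EventCode") == 1:  # Sysmon ProcessCreate
        for pattern, name in COMMAND_PATTERNS:
            if pattern.search(event.get("CommandLine", "")):
                return name
    return None

def scan(events):
    """Pair each triggered detection with the account responsible for it."""
    hits = []
    for event in events:
        name = classify(event)
        if name:
            hits.append((event.get("SourceUser") or event.get("User", "?"), name))
    return hits

# Constructed samples: a SYSTEM handle without VM_READ (benign), a user-context
# handle with VM_READ, a shadow-copy creation, and a harmless command line.
SAMPLE_EVENTS = [
    {"EventCode": 10, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "SourceUser": "NT AUTHORITY\\SYSTEM"},
    {"EventCode": 10, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "SourceUser": "CORP\\alice"},
    {"EventCode": 1, "CommandLine": "wmic shadowcopy call create Volume=C:\\",
     "User": "CORP\\alice"},
    {"EventCode": 1, "CommandLine": "cmd /c dir C:\\", "User": "CORP\\bob"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the user-context LSASS handle and the wmic shadow-copy creation; the SYSTEM handle without a memory-read right is the kind of routine access the story's hunting search leaves for analyst review rather than alerting on.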

Detections

Name | Technique | Type
--- | --- | ---
Dump LSASS via procdump Rename | LSASS Memory | Hunting
Unsigned Image Loaded by LSASS | LSASS Memory | TTP
Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP
Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP
Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP
Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP
Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP
Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP
Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP
Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP
Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP
Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP
Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP
Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP
Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP
Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP
Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting
Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP
Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP
SAM Database File Access Attempt | Security Account Manager, OS Credential Dumping | Hunting
SecretDumps Offline NTDS Dumping Tool | NTDS, OS Credential Dumping | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP
Windows Hunting System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | Hunting
Windows Non-System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | TTP
Windows Possible Credential Dumping | LSASS Memory, OS Credential Dumping | TTP

Reference

Version: 3