
Description

Uncover activity consistent with credential dumping, a technique in which attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these stolen credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify attempts at credential dumping.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Author: Rico Valdez, Splunk
  • ID: 854d78bf-d0e2-4f4e-b05c-640905f86d7a

Narrative

Credential dumping, gathering credentials from a target system, often in hashed or encrypted form, is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set about cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Account Manager (SAM), the Local Security Authority (LSA), NTDS from Domain Controllers, and Group Policy Preferences (GPP) files.
Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.
The detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the use of shadow copies for credential dumping, and several other credential dumping techniques.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP |
| Applying Stolen Credentials via Mimikatz modules | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets | TTP |
| Applying Stolen Credentials via PowerSploit modules | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Credentials from Password Stores, Steal or Forge Kerberos Tickets | TTP |
| Assessment of Credential Strength via DSInternals modules | Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping | TTP |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Extraction indicative of FGDump and CacheDump with s option | OS Credential Dumping | TTP |
| Credential Extraction indicative of FGDump and CacheDump with v option | OS Credential Dumping | TTP |
| Credential Extraction indicative of Lazagne command line options | OS Credential Dumping, Credentials from Password Stores | TTP |
| Credential Extraction indicative of use of DSInternals credential conversion modules | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of DSInternals modules | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of Mimikatz modules | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of PowerSploit modules | OS Credential Dumping | TTP |
| Credential Extraction native Microsoft debuggers peek into the kernel | OS Credential Dumping | TTP |
| Credential Extraction native Microsoft debuggers via z command line option | OS Credential Dumping | TTP |
| Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals | OS Credential Dumping | TTP |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP |
| Detect Dump LSASS Memory using comsvcs | NTDS, OS Credential Dumping | TTP |
| Detect Kerberoasting | Kerberoasting, Steal or Forge Kerberos Tickets | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| SAM Database File Access Attempt | Security Account Manager, OS Credential Dumping | Hunting |
| SecretDumps Offline NTDS Dumping Tool | NTDS, OS Credential Dumping | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP |
