Analytics Story: Credential Dumping

Description

Uncover activity consistent with credential dumping, a technique in which attackers compromise systems and attempt to obtain and exfiltrate passwords. Threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify attempts at credential dumping.

Why it matters

Credential dumping, the gathering of credentials from a target system (often in hashed or encrypted form), is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set about cracking it offline on their own systems. Threat actors target a variety of sources to extract credentials, including the Security Account Manager (SAM), the Local Security Authority (LSA), NTDS from Domain Controllers, and Group Policy Preference (GPP) files. Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations. The detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the use of shadow copies for credential dumping, and other credential dumping techniques.

Detections

| Name | Technique | Type |
|---|---|---|
| Access LSASS Memory for Dump Creation | LSASS Memory | TTP |
| Create Remote Thread into LSASS | LSASS Memory | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory | TTP |
| Creation of Shadow Copy | NTDS | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS | TTP |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Dump LSASS via procdump | LSASS Memory | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Esentutl SAM Copy | Security Account Manager | Hunting |
| Ntdsutil Export NTDS | NTDS | TTP |
| Potential password in username | Local Accounts, Credentials In Files | Hunting |
| SAM Database File Access Attempt | Security Account Manager | Hunting |
| SecretDumps Offline NTDS Dumping Tool | NTDS | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP |
| Windows AD Replication Request Initiated by User Account | DCSync | TTP |
| Windows AD Replication Request Initiated from Unsanctioned Location | DCSync | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Non-System Account Targeting Lsass | LSASS Memory | TTP |
| Windows Possible Credential Dumping | LSASS Memory | TTP |
| Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Linux Secure | Linux | linux_secure | /var/log/secure |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4662 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 3