OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.


ID: T1003
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, root
Contributors: Ed Williams, Trustwave, SpiderLabs; Vincent Le Toux
Version: 2.1
Created: 31 May 2017
Last Modified: 15 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0007 APT28

APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[1][2][3]

G0050 APT32

APT32 used GetPassword_x64 to harvest credentials.[4][5]

G0087 APT39

APT39 has used different versions of Mimikatz to obtain credentials.[6]

G0001 Axiom

Axiom has been known to dump credentials.[7]

S0030 Carbanak

Carbanak obtains Windows logon password details.[8]

G0101 Frankenstein

Frankenstein has harvested credentials from the victim's machine using Empire.[9]

S0232 HOMEFRY

HOMEFRY can perform credential dumping.[10]

G0065 Leviathan

Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[11]

S0052 OnionDuke

OnionDuke steals credentials from its victims.[12]

S0048 PinchDuke

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as the WinInet Credential Cache and Lightweight Directory Access Protocol (LDAP).[12]

G0033 Poseidon Group

Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.[13]

S0379 Revenge RAT

Revenge RAT has a plugin for credential harvesting.[14]

G0054 Sowbug

Sowbug has used credential dumping tools.[15]

G0039 Suckfly

Suckfly used a signed credential-dumping tool to obtain victim account credentials.[16]

G0131 Tonto Team

Tonto Team has used a variety of credential dumping tools.[17]

S0094 Trojan.Karagany

Trojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.[18]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication. [19] [20] Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials.[21]

M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [22]

M1043 Credential Access Protection

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. [23] It also does not protect against all forms of credential dumping. [24]

M1041 Encrypt Sensitive Information

Ensure Domain Controller backups are properly secured.

M1028 Operating System Configuration

Consider disabling or restricting NTLM.[25] Consider disabling WDigest authentication.[26]

M1027 Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 Privileged Account Management

Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[27]

Linux: Scraping passwords from memory requires root privileges. Follow best practices for restricting access to privileged accounts so that hostile programs cannot reach such sensitive regions of memory.

M1025 Privileged Process Integrity

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[28]

M1017 User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

ID      Data Source        Data Component
DS0026  Active Directory   Active Directory Object Access
DS0017  Command            Command Execution
DS0022  File               File Access
DS0029  Network Traffic    Network Traffic Content
DS0029  Network Traffic    Network Traffic Flow
DS0009  Process            OS API Execution
DS0009  Process            Process Access
DS0009  Process            Process Creation
DS0024  Windows Registry   Windows Registry Key Access

Windows

Monitor for unexpected processes interacting with lsass.exe.[29] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
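One way to act on the lsass.exe guidance above, as an added example that is not code from the ATT&CK page: it parses Sysmon Event ID 10 (ProcessAccess) records and flags non-baseline images that request memory access to LSASS, or call traces containing unbacked frames (Sysmon prints these as UNKNOWN), which is how a reflectively injected dumper shows up. The sample events are constructed and the ALLOWED_SOURCES baseline is an assumption to tune per environment.

```python
"""Flag unexpected access to lsass.exe in Sysmon Event ID 10 (ProcessAccess) records.

Added example; not code from the ATT&CK page.  Field names follow Sysmon's
ProcessAccess event, the sample records are constructed, and ALLOWED_SOURCES is
an assumed baseline that has to be tuned per environment.
"""
from dataclasses import dataclass, field

# Access-mask bits that let a caller read or alter LSASS memory
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumption: images that legitimately open lsass.exe on the baseline host.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events in Sysmon's "Key: Value" rendering
EVENT_BENIGN = r"""
SourceImage: C:\Windows\system32\svchost.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d8a4|C:\Windows\System32\KERNELBASE.dll+2c3ea
"""
EVENT_DUMP = r"""
SourceImage: C:\Users\alice\AppData\Local\Temp\tool.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d8a4|UNKNOWN(000001B2C5A00000)
"""


@dataclass
class Finding:
    source: str
    granted_access: int
    reasons: list = field(default_factory=list)


def parse_event(text: str) -> dict:
    """Parse 'Key: Value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def analyse(event: dict):
    """Return a Finding when the event looks like credential dumping, else None."""
    if not event.get("targetimage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = event.get("sourceimage", "").lower()
    granted = int(event.get("grantedaccess", "0x0"), 16)
    reasons = []
    if source not in ALLOWED_SOURCES and granted & MEMORY_ACCESS:
        reasons.append("non-baseline image requested memory access to LSASS")
    # Sysmon prints frames not backed by a file on disk as UNKNOWN; that is what a
    # reflectively injected dumper looks like in the call trace.
    if "unknown(" in event.get("calltrace", "").lower():
        reasons.append("call trace has unbacked (UNKNOWN) frames")
    return Finding(source, granted, reasons) if reasons else None
```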

Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers open the local file system as a raw device and parse their way to the SAM table to avoid file access defenses. Others make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.

On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [30] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [31] [32] [33] Note: Domain controllers may not log replication requests originating from the default domain controller account. [34] Also monitor for network protocols [31] [35] and other replication requests [36] from IPs not associated with known domain controllers. [19]
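A log-side check for the DCSync guidance above, as an added example that is not from the ATT&CK page: Windows Security Event 4662 lists the control-access right GUIDs exercised on a directory object in its Properties field, and the three replication rights have fixed, documented GUIDs. The sample records are constructed, and KNOWN_DC_ACCOUNTS is an assumed allow-list of the domain's own DC (and legitimate directory-sync) accounts.

```python
"""Flag DCSync-style replication requests in Windows Security Event 4662 records.

Added example, not code from the ATT&CK page.  The GUIDs are the documented
AD replication control-access rights; sample events are constructed and
KNOWN_DC_ACCOUNTS is an assumption to be filled per domain.
"""
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: computer accounts of the domain's own DCs plus any service account
# that is deliberately granted replication rights (e.g. a directory sync account).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events in "Key: Value" rendering
EVENT_DC_TO_DC = """
EventID: 4662
SubjectUserName: DC02$
SubjectDomainName: CORP
AccessMask: 0x100
Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
"""
EVENT_USER = """
EventID: 4662
SubjectUserName: jdoe
SubjectDomainName: CORP
AccessMask: 0x100
Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
"""


def parse_4662(text: str) -> dict:
    """Parse 'Key: Value' lines of one event into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def replication_rights_used(event: dict) -> list:
    """Names of replication rights whose GUIDs appear in the Properties field."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync_candidate(event: dict) -> bool:
    """True when a non-DC subject exercised the right that returns secret attributes."""
    if event.get("EventID") != "4662":
        return False
    rights = replication_rights_used(event)
    # Only Get-Changes-All returns password data, so that is the right to key on;
    # replication between the domain's own DCs is expected and skipped.
    if "DS-Replication-Get-Changes-All" not in rights:
        return False
    return event.get("SubjectUserName", "") not in KNOWN_DC_ACCOUNTS
```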

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.
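A correlation step for the auditd guidance above, as an added example that is not from the ATT&CK page: it joins auditd SYSCALL and PATH records by their event id and reports processes that open another process's /proc/<pid>/maps (opens of /proc/self/maps or of the caller's own pid are routine and skipped). It assumes an audit rule already records open/openat under the key "proc-maps" (the key name is an assumption), x86_64 syscall numbers, and the constructed log lines embedded below.

```python
"""Correlate auditd SYSCALL and PATH records to find cross-process /proc/<pid>/maps reads.

Added example, not code from the ATT&CK page.  Assumes an audit rule already
logs open/openat syscalls under the key "proc-maps"; the log lines are
constructed, not taken from a real host.
"""
import re
from collections import defaultdict

# syscall numbers for x86_64 (arch=c000003e): open=2, openat=257
OPEN_SYSCALLS = {"2", "257"}
MAPS_PATH = re.compile(r"^/proc/(\d+|self)/maps$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")

# Constructed sample log: one cross-process read, one self read, one own-pid read
SAMPLE_LOG = """
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=4321 auid=1000 uid=0 gid=0 euid=0 comm="memscan" exe="/tmp/memscan" key="proc-maps"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/proc/987/maps" inode=12345 dev=00:16 mode=0100444 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:2002): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc-maps"
type=PATH msg=audit(1700000000.250:2002): item=0 name="/proc/self/maps" inode=12346 dev=00:16 mode=0100444 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:2003): arch=c000003e syscall=2 success=yes exit=5 items=1 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc-maps"
type=PATH msg=audit(1700000000.300:2003): item=0 name="/proc/987/maps" inode=12345 dev=00:16 mode=0100444 ouid=0 ogid=0 nametype=NORMAL
"""


def parse_records(log: str) -> dict:
    """Group audit records by event id (timestamp:serial); each is a list of field dicts."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(1)].append(fields)
    return events


def find_cross_process_maps_reads(log: str) -> list:
    """Findings for opens of /proc/<pid>/maps where <pid> is not the calling process."""
    findings = []
    for event_id, records in parse_records(log).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if not syscall or syscall.get("syscall") not in OPEN_SYSCALLS:
            continue
        for rec in records:
            if rec.get("type") != "PATH":
                continue
            m = MAPS_PATH.match(rec.get("name", ""))
            if not m:
                continue
            target = m.group(1)
            # a process reading its own map (via self or its own pid) is routine
            if target in ("self", syscall.get("pid")):
                continue
            findings.append({
                "event": event_id, "pid": syscall.get("pid"),
                "comm": syscall.get("comm"), "exe": syscall.get("exe"),
                "target_pid": target,
            })
    return findings
```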


References

  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  2. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  3. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  4. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  5. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  6. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  7. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  8. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  9. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  10. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  11. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  12. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  13. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  14. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  15. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  16. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  17. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  18. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  19. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.
  20. Microsoft. (n.d.). How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.
  21. Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020.
  22. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  23. Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.
  24. NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.
  25. Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.
  26. Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020.
  27. Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.
  28. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.
  29. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
  30. PowerSploit. (n.d.). Retrieved December 4, 2014.
  31. Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.
  32. Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.
  33. SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
  34. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.
  35. Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.
  36. Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.