Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.[1][2][3] |
G0050 | APT32 | |
G0087 | APT39 | APT39 has used different versions of Mimikatz to obtain credentials.[6] |
G0001 | Axiom | |
S0030 | Carbanak | |
G0101 | Frankenstein | Frankenstein has harvested credentials from the victim's machine using Empire.[9] |
S0232 | HOMEFRY | |
G0065 | Leviathan | Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[11] |
S0052 | OnionDuke | |
S0048 | PinchDuke | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as the WinInet Credential Cache and Lightweight Directory Access Protocol (LDAP).[12] |
G0033 | Poseidon Group | Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.[13] |
S0379 | Revenge RAT | Revenge RAT has a plugin for credential harvesting.[14] |
G0054 | Sowbug | |
G0039 | Suckfly | Suckfly used a signed credential-dumping tool to obtain victim account credentials.[16] |
G0131 | Tonto Team | Tonto Team has used a variety of credential dumping tools.[17] |
S0094 | Trojan.Karagany | Trojan.Karagany can dump passwords and save them into |
ID | Mitigation | Description |
---|---|---|
M1015 | Active Directory Configuration | Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication.[19][20] Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials.[21] |
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing.[22] |
M1043 | Credential Access Protection | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements.[23] It also does not protect against all forms of credential dumping.[24] |
M1041 | Encrypt Sensitive Information | Ensure Domain Controller backups are properly secured. |
M1028 | Operating System Configuration | Consider disabling or restricting NTLM.[25] Consider disabling WDigest authentication.[26] |
M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management | Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[27] Linux: Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive regions of memory. |
M1025 | Privileged Process Integrity | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[28] |
M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
Monitor for unexpected processes interacting with lsass.exe.[29] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
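One way to turn the "unexpected process opens lsass.exe" rule into detection logic, as an added example that is not part of the original page: it evaluates Sysmon Event ID 10 (ProcessAccess) records, flags any source image that obtains memory-read or handle-duplication rights on lsass.exe, and suppresses images on a per-host allowlist. The events and the allowlist entries (including the EDR path) are constructed samples; the access-right constants are the standard Win32 process access rights.

```python
import ntpath

# Win32 process access rights (winnt.h) relevant to reading another process's memory.
ACCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights a credential dumper needs: read LSASS memory, or duplicate a handle to it.
DUMP_RIGHTS = 0x0010 | 0x0040

# Images that legitimately open lsass.exe with broad rights (assumed; tune per host).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\edr\sensor.exe",  # hypothetical EDR agent path
}

# Constructed Sysmon Event ID 10 samples, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Program Files\EDR\sensor.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Tools\procdump.exe", "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def decode_rights(mask):
    """Name the known access-right bits set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def is_lsass(image):
    # ntpath handles Windows separators regardless of the host running this script.
    return ntpath.basename(image).lower() == "lsass.exe"


def suspicious_lsass_access(events, allowlist=ALLOWED_SOURCES):
    """Return (source image, decoded rights) for unexpected readers of lsass.exe."""
    hits = []
    for ev in events:
        if not is_lsass(ev["TargetImage"]):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & DUMP_RIGHTS:
            continue  # e.g. 0x1000: query-only, cannot read LSASS memory
        if ev["SourceImage"].lower() in allowlist:
            continue
        hits.append((ev["SourceImage"], decode_rights(mask)))
    return hits


if __name__ == "__main__":
    for image, rights in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {image} opened lsass.exe with {', '.join(rights)}")
```

The 0x1010 mask in the flagged sample is the minimal combination (query-limited plus VM read) that suffices to read LSASS memory, so an allowlist keyed on image path alone should be reviewed against the actual rights requested.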
Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.
On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[30] which may require additional logging features to be configured in the operating system to collect the information necessary for analysis.
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[31][32][33] Note: domain controllers may not log replication requests originating from the default domain controller account.[34] Also monitor for network protocols[31][35] and other replication requests[36] from IPs not associated with known domain controllers.[19]
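A host-side check for the DCSync pattern above, as an added example that is not from the original page: it scans Security event 4662 records from a domain controller for the two directory replication extended rights and reports any account exercising them that is not a known domain controller machine account. The event samples and the DC account names are constructed; the GUIDs are the schema's DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights, and 0x100 is the 4662 access mask for a control-access (extended right) check.

```python
import re

# Extended-right GUIDs from the AD schema that a DCSync request exercises; they appear
# in the Properties field of Security event 4662 on the domain controller that served it.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for an extended-right (control access) check
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Accounts expected to replicate: DC machine accounts plus any sanctioned sync service.
# Constructed lab names; replace with the real DC list, which the page notes should be
# the only source of replication traffic.
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

# Constructed 4662 samples (not real logs). Properties is the raw multi-line string
# Windows emits; the third GUID is a placeholder for some unrelated property.
SAMPLE_4662 = [
    {"SubjectDomainName": "CORP", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectDomainName": "CORP", "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectDomainName": "CORP", "SubjectUserName": "svc-backup", "AccessMask": "0x100",
     "Properties": "{00000000-0000-0000-0000-00000000abcd}"},  # placeholder, not a replication right
    {"SubjectDomainName": "CORP", "SubjectUserName": "jsmith", "AccessMask": "0x10",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # write check, not a control-access use
]


def replication_rights_used(properties):
    """Return the names of replication extended rights referenced in a Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def dcsync_candidates(events, known=KNOWN_REPLICATORS):
    """Return (DOMAIN\\account, rights) for control-access uses of replication rights
    by accounts that are not known replicators."""
    hits = []
    for ev in events:
        if not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights_used(ev["Properties"])
        if not rights or ev["SubjectUserName"] in known:
            continue
        hits.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", rights))
    return hits


if __name__ == "__main__":
    for account, rights in dcsync_candidates(SAMPLE_4662):
        print(f"ALERT: {account} requested directory replication using {rights}")
```

Because the page notes that a DC may not log replication requests from its own default account, this check complements rather than replaces the network-level monitoring of replication traffic from non-DC addresses.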
To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.
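The Linux side of the detection, as an added example that is not from the original page: it correlates auditd SYSCALL records with their PATH records (they share the serial after the colon in msg=audit(timestamp:serial)) and reports any process that opened another process's maps file under /proc. The log lines, the audit key name "procmaps" and the allowlist are constructed; the audit rule that produces such records is assumed to exist.

```python
import re

# Constructed auditd records (not from a real system). Each SYSCALL record is paired
# with a PATH record carrying the same serial, e.g. "audit(1700000000.101:2001)".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=4 pid=4242 auid=1000 uid=0 comm="memscan" exe="/tmp/memscan" key="procmaps"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/proc/1337/maps" inode=12345 mode=0100444
type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=257 success=yes exit=3 pid=900 auid=1000 uid=1000 comm="ps" exe="/usr/bin/ps" key="procmaps"
type=PATH msg=audit(1700000000.205:2002): item=0 name="/proc/1/stat" inode=12346 mode=0100444
type=SYSCALL msg=audit(1700000000.310:2003): arch=c000003e syscall=257 success=yes exit=5 pid=77 auid=0 uid=0 comm="gdb" exe="/usr/bin/gdb" key="procmaps"
type=PATH msg=audit(1700000000.310:2003): item=0 name="/proc/1337/maps" inode=12345 mode=0100444
type=SYSCALL msg=audit(1700000000.400:2004): arch=c000003e syscall=257 success=yes exit=3 pid=500 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="procmaps"
type=PATH msg=audit(1700000000.400:2004): item=0 name="/proc/500/maps" inode=12347 mode=0100444
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MAPS_RE = re.compile(r"^/proc/(\d+)/maps$")

# Processes expected to read other processes' maps (assumed; e.g. debuggers on dev hosts).
ALLOWED_COMM = {"gdb"}


def parse_record(line):
    """Split one audit record into (type, serial, fields)."""
    serial = SERIAL_RE.search(line).group(1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields["type"], serial, fields


def maps_readers(log_text, allowlist=ALLOWED_COMM):
    """Return (reader pid, comm, exe, target pid) for every open of /proc/<pid>/maps
    by a non-allowlisted process; a process reading its own maps file is ignored."""
    syscalls, targets = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rtype, serial, f = parse_record(line)
        if rtype == "SYSCALL":
            syscalls[serial] = f
        elif rtype == "PATH":
            m = MAPS_RE.match(f.get("name", ""))
            if m:
                targets[serial] = int(m.group(1))
    hits = []
    for serial, target_pid in sorted(targets.items()):
        sc = syscalls.get(serial)
        if sc is None or sc["comm"] in allowlist or int(sc["pid"]) == target_pid:
            continue
        hits.append((int(sc["pid"]), sc["comm"], sc["exe"], target_pid))
    return hits


if __name__ == "__main__":
    for pid, comm, exe, target in maps_readers(SAMPLE_AUDIT_LOG):
        print(f"ALERT: pid {pid} ({comm}, {exe}) read /proc/{target}/maps")
```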