MITRE’s data sources
- API monitoring
- Process monitoring
- PowerShell logs
- Process command-line parameters
MITRE ATT&CK does not include file monitoring (e.g., password files written to disk) among the data sources that are useful for observing Credential Dumping. While it may be an indication of credential theft activity along with other data sources—such as process monitoring or process command-line parameters—file monitoring by itself is not a reliable data source for Credential Dumping activity.
Process monitoring, however, is a data source that security teams should collect if they want to observe Credential Dumping involving tools such as Mimikatz, Empire, L0phtCrack, and gsecdump. One quick and reliable way to observe and potentially detect credential harvesting is to monitor processes for known malicious binaries in combination with LSASS injection. Knowing which processes or programs in an environment legitimately require access to LSASS will make this approach more effective.
Process command-line parameters
Monitoring process command-line parameters for known malicious CLI syntax may take some research and testing, but it is also a reliable way to observe and/or detect credential harvesting activity emanating from tools such as Mimikatz and Empire. For this data source to be used effectively, command-line matches must be specific rather than overly generalized (i.e., a detection should not rest on a single command option alone).
Enabling and monitoring PowerShell logs for known malicious syntax can help to detect Credential Dumping activity as well. This is particularly useful for observing things such as Invoke-Mimikatz and POWELIKS. At times when malicious binaries may not be observed via process monitoring, PowerShell logs may help detect activity reliant on PowerShell.
API monitoring is another good source to collect if you want to observe Credential Dumping. The key to API monitoring is knowing what and who should be directly connecting to the domain controller (DC). Knowing which IP addresses, applications, and user accounts typically make API calls to the DC will help to reduce false positives and create more reliable detections for Credential Dumping activity, particularly for tools such as DCSync, Mimikatz, and PowerSploit.
If you’re interested in generating reliable detection coverage for Credential Dumping activity, you’ll want to consider monitoring for the following behaviors:
- Unknown or known malicious processes injecting into LSASS
- DC connections from unusual IP addresses associated with non-standard or known compromised user accounts
- reg.exe usage with the command line reg save hklm\sam
- The binary mimikatz.exe or references to Mimikatz arguments in the CLI
- Use of
Weeding out false positives
Many of the techniques and tools used for administrative purposes can also be used for malicious Credential Dumping activity. As such, monitoring of processes without CLI and/or context can lead to a large number of false positives, particularly with processes such as adfind.exe, taskmgr.exe, ntdsutil.exe, reg.exe, vssadmin.exe, PowerShell, and adexplorer.exe.
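The following is an added example, not part of the original report, showing how the behaviors listed above and the false-positive point in this section translate into detection logic. It runs over a handful of constructed events whose field names (image, cmdline, source_image, target_image, src_ip, user) are my own simplified approximation of process-creation, process-access and DC-connection telemetry, not any particular product's schema. The LSASS allowlist and the DC-client baseline are likewise assumed values that an environment would replace with its own baseline; the Mimikatz module prefixes are the tool's publicly documented module names.

```python
import re

# Constructed sample events (not real telemetry). Field names are assumptions.
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam C:\Temp\sam.hiv", "user": "CORP\\jdoe"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Policies /s", "user": "CORP\\admin1"},
    {"type": "process_create", "image": r"C:\Users\jdoe\Downloads\m.exe",
     "cmdline": "m.exe sekurlsa::logonpasswords", "user": "CORP\\jdoe"},
    {"type": "process_access", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_access", "source_image": r"C:\Users\jdoe\Downloads\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "dc_connection", "src_ip": "10.1.20.15", "user": "CORP\\svc_backup"},
    {"type": "dc_connection", "src_ip": "192.168.77.9", "user": "CORP\\jdoe"},
]

# Assumed allowlist: processes that legitimately open LSASS in this environment.
# Build yours from your own baseline; this is an illustrative subset only.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Assumed baseline of (source IP, account) pairs that normally talk to the DC.
KNOWN_DC_CLIENTS = {("10.1.20.15", "corp\\svc_backup")}

# Mimikatz module prefixes as they appear in its command syntax; catching these
# in the CLI finds the tool even when the binary has been renamed.
MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::")

# Specific SAM-hive export syntax from the behavior list, not bare "reg.exe".
REG_SAVE_SAM_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\sam\b", re.IGNORECASE)


def detect(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    kind = event["type"]
    if kind == "process_create":
        image = event["image"].lower()
        cmd = event.get("cmdline", "").lower()
        basename = image.rsplit("\\", 1)[-1]
        # reg.exe on its own is routine admin activity; require the SAM export CLI.
        if basename == "reg.exe" and REG_SAVE_SAM_RE.search(cmd):
            hits.append("reg_save_sam")
        # Binary named mimikatz, or Mimikatz module arguments under any name.
        if "mimikatz" in basename or any(m in cmd for m in MIMIKATZ_MODULES):
            hits.append("mimikatz_cli")
    elif kind == "process_access":
        target = event["target_image"].lower()
        source = event["source_image"].lower()
        if target.endswith("\\lsass.exe") and source not in LSASS_ALLOWED_SOURCES:
            hits.append("unexpected_lsass_access")
    elif kind == "dc_connection":
        if (event["src_ip"], event["user"].lower()) not in KNOWN_DC_CLIENTS:
            hits.append("unusual_dc_client")
    return hits


def run(events):
    """Evaluate every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


def count_reg_without_context(events):
    """Illustrates the false-positive problem: alerting on reg.exe by image name
    alone fires on the benign 'reg query' as well as the SAM export."""
    return sum(1 for ev in events
               if ev["type"] == "process_create"
               and ev["image"].lower().endswith("\\reg.exe"))


if __name__ == "__main__":
    for idx, rule in run(EVENTS):
        print(f"event {idx}: {rule}")
    print("reg.exe hits without CLI context:", count_reg_without_context(EVENTS))
```

The contrast between count_reg_without_context and the reg_save_sam rule is the point of the false-positive discussion: the image name alone matches both reg.exe events, while requiring the save hklm\sam syntax in the command line matches only the export. The same pattern (image plus specific arguments, or an allowlist of expected LSASS clients and DC callers) applies to the other noisy administrative binaries named above.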