# T1003 OS Credential Dumping

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.


## Technique Detection

### Windows
Monitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening a handle to the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity. Sysmon Event ID 10 (ProcessAccess) records each handle opened to lsass.exe together with the source image, the granted access mask and the call trace; call-trace frames in unbacked memory (shown as UNKNOWN) are the usual footprint of the reflective case.

Hash dumpers open the Security Accounts Manager (SAM) hive on the local file system (`%SystemRoot%\System32\config\SAM`) or export the Registry SAM key (for example with `reg save HKLM\SAM`) to access stored account password hashes. The hive file is held open by the kernel while Windows is running, so it is normally reached through a registry export, a volume shadow copy, or raw disk access; some hash dumpers open the local file system as a device and parse the volume directly to reach the SAM and avoid file access defenses, while others make an in-memory copy of the SAM table before reading hashes. Because the hashes are encrypted with a key derived from the SYSTEM hive, the two hives are almost always taken together. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in use by adversaries may help as well.

On Windows 8.1 and Windows Server 2012 R2 and later, monitor the System event log for the WinInit event (Event ID 12) that records LSASS.exe being started as a protected process. If that event is missing, or the `RunAsPPL` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` has been cleared, LSA protection is off and any administrator can open LSASS memory.

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1059/001) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Invoke-Mimikatz loads the tool reflectively and never writes mimikatz.exe to disk, so the evidence is in the script itself: PowerShell script block logging (Event ID 4104) captures the decoded content, including commands passed through `-EncodedCommand`.

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015) Also monitor for replication traffic over the Directory Replication Service (MS-DRSR) and Netlogon (MS-NRPC) protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and for SAMR requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)
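On the domain controller itself, a DCSync request surfaces as Security event 4662 with the replication control-access rights in its Properties field. The following detector is an added example written for this page, not part of the ATT&CK entry or of any tool it cites: the three right GUIDs are the real Active Directory values, while the 4662 records, the `CORP` domain and the set of legitimate DC computer accounts are constructed here and must be replaced with your own inventory. Note that 4662 carries the requesting account but no source address, so the network checks above remain the complement.

```python
"""Added example (not part of the ATT&CK page): pick DCSync-style replication
requests out of Windows Security event 4662 records logged on a domain
controller. The three control-access right GUIDs are the real Active Directory
values; the event records, the domain name and the set of legitimate DC
computer accounts (KNOWN_DC_ACCOUNTS) are constructed for this example."""
import re
from typing import Dict, Iterable, List, Set

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100          # AccessMask value for an extended-right check in 4662
_GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Machine accounts of the DCs you actually operate (assumption: replace with inventory).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def extract_guids(properties: str) -> Set[str]:
    """The Properties field lists requested rights/attributes as {GUID} entries."""
    return {g.lower() for g in _GUID_RE.findall(properties)}


def replication_rights(event: Dict[str, str]) -> List[str]:
    """Names of the replication rights an event exercised, in a stable order."""
    guids = extract_guids(event.get("Properties", ""))
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in guids]


def detect_dcsync(events: Iterable[Dict[str, str]], known_dcs: Set[str]) -> List[Dict[str, object]]:
    """Flag 4662 control-access events that exercise replication rights from a
    principal that is not a known DC. A '$' suffix alone is not trusted: a rogue
    machine account named like a DC is exactly what this should catch."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        if int(ev.get("AccessMask", "0x0"), 16) != CONTROL_ACCESS:
            continue                      # reads/writes of attributes, not extended rights
        rights = replication_rights(ev)
        if not rights:
            continue
        if ev["SubjectUserName"] in known_dcs:
            continue                      # DC-to-DC replication; DCs may not even log this case
        findings.append({
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "rights": rights,
            "object": ev.get("ObjectName", ""),
        })
    return findings


# Constructed 4662 records using the Security log's EventData field names.
DOMAIN_DNS_CLASS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # ObjectType of the domain head
_REPL_PROPS = ("Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t\t"
               "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
SAMPLE_4662 = [
    # Legitimate replication partner: expected, not reported.
    {"EventID": "4662", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS, "ObjectName": "DC=corp,DC=example",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    # A service account asking for the whole NC with Get-Changes-All: DCSync.
    {"EventID": "4662", "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS, "ObjectName": "DC=corp,DC=example",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    # Ordinary attribute read on a user object: no replication right involved.
    {"EventID": "4662", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "AccessMask": "0x10", "Properties": "Read Property\n\t\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Looks like a DC account but is not in the inventory: reported.
    {"EventID": "4662", "SubjectUserName": "DC03$", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS, "ObjectName": "DC=corp,DC=example",
     "AccessMask": "0x100",
     "Properties": "Control Access\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_4662, KNOWN_DC_ACCOUNTS):
        print(finding)
```

4662 only appears when the Directory Service Access audit subcategory is enabled on the DCs; correlate a hit with the 4624 logon for the same account to recover the source address that 4662 itself lacks.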

### Linux
To obtain the passwords and hashes stored in memory, a process must first read the maps file for the process being analyzed, <code>/proc/<pid>/maps</code>, where <code><pid></code> is the unique pid of the program being interrogated for such authentication data; maps only describes the memory layout, so the dumper then opens <code>/proc/<pid>/mem</code> and reads the regions it found. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening these files in the proc file system, alerting on the pid, process name, and arguments of such programs.
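The two-step read described above (and again in the Linux hunter note further down) is easier to reason about, and to write AuditD rules for, once you have seen the scraper side. The script below is an added example, not code from the ATT&CK page or any tool it references: it parses a maps file, picks the writable non-file-backed regions a dumper would care about, and reads them through mem, running against its own process (`/proc/self`) so it is safe to execute. The maps excerpt and the marker it searches for are constructed.

```python
"""Added example (not part of the ATT&CK page): how a Linux memory scraper
works against procfs, and therefore which file opens a hunter's auditd
records should show. The dumper reads /proc/<pid>/maps to learn the readable
regions, then opens /proc/<pid>/mem and reads those regions looking for
credential material. SAMPLE_MAPS and the marker are constructed for this script."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# One maps line: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed /proc/<pid>/maps excerpt in the real kernel layout.
SAMPLE_MAPS = """\
55d2c0a00000-55d2c0a1c000 r--p 00000000 08:01 1835102                    /usr/bin/python3.10
55d2c0a1c000-55d2c0b40000 r-xp 0001c000 08:01 1835102                    /usr/bin/python3.10
55d2c2b3f000-55d2c2c0c000 rw-p 00000000 00:00 0                          [heap]
7f3a4c000000-7f3a4c021000 rw-p 00000000 00:00 0
7ffd1a5e3000-7ffd1a604000 rw-p 00000000 00:00 0                          [stack]
7ffd1a6f7000-7ffd1a6f9000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<pid>/maps text into Region records; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip()))
    return regions


def candidate_regions(regions: List[Region]) -> List[Region]:
    """Writable regions that are not file-backed: heap, stacks and anonymous
    mmaps, which is where plaintext secrets and decrypted keys live. Read-only
    code, file-backed data segments and the unreadable [vvar]/[vsyscall]
    pseudo-mappings are skipped."""
    return [r for r in regions if r.perms.startswith("rw") and not r.path.startswith("/")]


def search_regions(regions: List[Region], read_range: Callable[[int, int], bytes],
                   needle: bytes) -> Optional[int]:
    """Read each region through read_range(start, size); return the absolute
    address of the first occurrence of needle, or None."""
    for r in regions:
        try:
            data = read_range(r.start, r.size)
        except (OSError, OverflowError):
            continue      # region vanished, is unreadable, or lies beyond off_t
        idx = data.find(needle)
        if idx != -1:
            return r.start + idx
    return None


def scan_pid_dir(pid_dir: str, needle: bytes) -> Optional[int]:
    """The two procfs opens a hunter should expect auditd to record: maps, then mem."""
    with open(os.path.join(pid_dir, "maps")) as f:
        regions = candidate_regions(parse_maps(f.read()))
    with open(os.path.join(pid_dir, "mem"), "rb", buffering=0) as mem:
        def read_range(start: int, size: int) -> bytes:
            mem.seek(start)
            return mem.read(size)
        return search_regions(regions, read_range, needle)


def scan_self(needle: bytes) -> Optional[int]:
    """Run the scraper against this process; None where procfs is unavailable."""
    if not os.path.exists("/proc/self/mem"):
        return None
    return scan_pid_dir("/proc/self", needle)


if __name__ == "__main__":
    marker = b"constructed-secret:" + os.urandom(4).hex().encode()   # plant something to find
    hit = scan_self(marker)
    print("marker found at", hex(hit)) if hit else print("procfs scan not possible here")
```

Reading another process's mem requires ptrace-level access to it (root, or the same uid with a permissive `ptrace_scope`), which is why the page lists root under required permissions; the access to the scanner's own process that the demo uses is always permitted.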

-----------------------------------------------------------------------

### Tactics:

  *   Credential-Access

### Platforms:

  * Windows

  * Linux

  * macOS

### Adversary Required Permissions:

  * Administrator

  * SYSTEM

  * root

### Data Sources:

  * **Active Directory:** Active Directory Object Access

  * **Command:** Command Execution

  * **Network Traffic:** Network Traffic Flow

  * **File:** File Access

  * **Process:** OS API Execution

  * **Process:** Process Creation

  * **Network Traffic:** Network Traffic Content

  * **Process:** Process Access

  * **Windows Registry:** Windows Registry Key Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used a variety of credential dumping tools.(Citation: TrendMicro Tonto Team October 2020) | 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has harvested credentials from the victim's machine using [Empire](https://attack.mitre.org/software/S0363).(Citation: Talos Frankenstein June 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used different versions of Mimikatz to obtain credentials.(Citation: BitDefender Chafer May 2020)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used publicly available tools to dump password hashes, including [HOMEFRY](https://attack.mitre.org/software/S0232).(Citation: FireEye APT40 March 2019)| 
| Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) has used credential dumping tools.(Citation: Symantec Sowbug Nov 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) used GetPassword_x64 to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)| 
| Suckfly | [Suckfly](https://attack.mitre.org/groups/G0039) used a signed credential-dumping tool to obtain victim account credentials.(Citation: Symantec Suckfly May 2016)| 
| Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.(Citation: Kaspersky Poseidon Group)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) regularly deploys both publicly available (ex: [Mimikatz](https://attack.mitre.org/software/S0002)) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)(Citation: US District Court Indictment GRU Oct 2018)| 
| Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has been known to dump credentials.(Citation: Novetta-Axiom)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1003)

  * [Medium Detecting Attempts To Steal Passwords From Memory](https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea), French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.

  * [Powersploit](https://github.com/mattifestation/PowerSploit), PowerSploit. (n.d.). Retrieved December 4, 2014.

  * [Microsoft Drsr Dec 2017](https://msdn.microsoft.com/library/cc228086.aspx), Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.

  * [Microsoft Getnccchanges](https://msdn.microsoft.com/library/dd207691.aspx), Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.

  * [Samba Drsuapi](https://wiki.samba.org/index.php/DRSUAPI), SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.

  * [Harmj0Y Dcsync Sept 2015](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/), Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.

  * [Microsoft Nrpc Dec 2017](https://msdn.microsoft.com/library/cc237008.aspx), Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.

  * [Microsoft Samr](https://msdn.microsoft.com/library/cc245496.aspx), Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.

  * [Adsecurity Dcsync Sept 2015](https://adsecurity.org/?p=1729), Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 28 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use various executable files to dump credential information from LSASS or the SAM database.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 3, 4 | |

#### APT28 
- Regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.

## Detection Blindspots

- Many of the techniques and tools used for administrative purposes can also be used for malicious Credential Dumping activity. Monitoring process names without their command-line arguments or surrounding context therefore produces a large number of false positives, particularly for adfind.exe, taskmgr.exe, ntdsutil.exe, reg.exe, vssadmin.exe, PowerShell, and adexplorer.exe; the arguments (which hive, which key, which ntdsutil option), the parent process and the host role (domain controller or not) are what separate maintenance from dumping.
- Although major antivirus vendors provide detection signatures for Mimikatz, because the source code is readily available, it becomes a trivial matter to compile a version of Mimikatz that evades detection by most antivirus products. Due to the difficulty in detecting Mimikatz, secondary behaviors should be analyzed to determine if Mimikatz has been used on a given system. These methods may include the use of false credentials, or ‘honeycreds’, or monitoring for the creation of unusual accounts.

## Analytical References

  * [RedCanary - Credential Dumping](https://redcanary.com/threat-detection-report/techniques/credential-dumping/)
  * [ESET - Sednit Part 2 2016 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)
  * [Medium.com - Detecting Attempts to Steal Passwords from Memory](https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea)
  * [Atomic Red Team - T1003 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md)
  * [SANS - Mimikatz Overview Defense Detection (sans)](https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- This technique is frequently observed with PowerShell (T1086, since merged into T1059.001), which is likely because the most common invocation method for Mimikatz relies on PowerShell.
- There are 8 sub-techniques that operators should reference for more specific examples and queries.
- Linux: the Proc Filesystem sub-technique (T1003.007) requires a process to read `/proc/<pid>/maps` to learn where the target's memory regions are and then `/proc/<pid>/mem` to read them. AuditD, which ships stock in many Linux distributions, can record those opens with the pid, process name, and arguments of the reading program; see the Linux note under Technique Detection above.

#### Analytic 1

  * **Information:** Monitor ntdsutil.exe execution to establish a baseline and identify suspicious usage. Its "install from media" (ifm) option writes an offline copy of NTDS.dit together with the SYSTEM hive that can be carried off and parsed (T1003.003).

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** False Positive Rate :  High on domain controllers, where routine AD maintenance uses the tool; execution on a non-DC host, outside a change window, or with ifm in the command line is the finding.

  * **Query:** ```processName : NTDSUtil```

#### Analytic 2

  * **Information:** The SAM can be extracted via reg.exe (`reg save HKLM\SAM <file>`); the SYSTEM hive is needed for the boot key that decrypts it, so the two saves usually appear together.

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** False Positive Rate : Medium. Sysmon Event IDs 12/13/14 (registry object create/delete, value set, key rename) only fire for keys covered by the Sysmon configuration's registry include rules, so confirm HKLM\SAM and HKLM\SYSTEM are covered before relying on the second half of the query.

  * **Query:** ```Process_commandLine : (*reg*save*hklm\sam* OR *reg*save*hklm\system*) OR (Event_id : (12 OR 13 OR 14) AND targetObject : (*hklm\sam* OR *hklm\system*))```

#### Analytic 3

  * **Information:** Monitor for known malicious binaries opening a handle to LSASS. In Sysmon Event ID 10, sourceimage is the process that opened the handle and targetimage is the process it was opened on, so lsass.exe belongs in targetimage and the tool name in sourceimage.

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** Matching on tool file names is low-effort for an adversary to defeat (rename or recompile); treat a hit as high confidence and a miss as no information. Analytic 6 covers the unnamed case.

  * **Query:** ```Event_id : 10 AND targetimage : *\lsass.exe AND sourceimage : (*mimikatz* OR *L0phtCrack* OR *gsecdump* OR *NPPSpy* OR *pwdumpx* OR *secretsdump*)```

#### Analytic 4

  * **Information:** Monitor process command-line parameters for known malicious CLI syntax (Mimikatz module syntax and the Invoke-Mimikatz wrapper).

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** An encoded or in-memory PowerShell invocation will not expose these strings on the command line; add PowerShell script block logging (Event ID 4104) to the source list and run the same pattern against the decoded script text.

  * **Query:** ```Process_commandLine : (*Invoke-Mimikatz* OR *DumpCreds* OR *privilege::debug* OR *sekurlsa::logonpasswords* OR *lsadump::*)```

#### Analytic 5

  * **Information:** cmdkey : Can display (/list), create (/add), or delete (/delete) login information. 

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** 

  * **Query:** ```process.name : cmdkey```

#### Analytic 6

  * **Information:** Identify any process that is attempting to access LSASS (Sysmon Event ID 10 with lsass.exe as the target). Note processes that appear suspicious and the surrounding contextual activity.

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** False Positive Rate : High. Reduce it by excluding the source images that open LSASS on a clean baseline (csrss.exe, wininit.exe, the installed AV/EDR engine) and by prioritising GrantedAccess values that include read rights (0x1010, 0x1410, 0x1438, 0x143a, 0x1fffff) and CallTrace entries containing UNKNOWN (unbacked memory).

  * **Query:** ```Event_id : 10 AND targetimage : *\lsass.exe```
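Analytics 3 and 6 above both hinge on reading the direction of Sysmon Event ID 10 correctly and on what to do with the access mask once a hit comes back. The triage routine below is an added example written for this page, not one of the page's queries or a vendor's detection: it decodes GrantedAccess into the Win32 PROCESS_* rights, suppresses the allowlisted baseline sources, and escalates on read/injection rights or unbacked call-trace frames. The allowlist, the severity rule and the event records are constructed and are meant to be tuned, not copied.

```python
"""Added example (not one of the page's Kibana queries): triage Sysmon Event ID 10
(ProcessAccess) records for suspicious handles to lsass.exe.

In Event ID 10, SourceImage is the process that opened the handle and TargetImage
is the process the handle refers to, so lsass.exe must be matched in TargetImage.
BENIGN_SOURCES, the severity rule and SAMPLE_EVENTS are constructed for this
example; the access-right bit values are the Win32 PROCESS_* constants."""
import ntpath
from typing import Dict, List, Optional

# Win32 process access rights relevant to credential dumping and injection.
PROCESS_RIGHTS = {
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE",
    0x0400: "QUERY_INFORMATION",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
DUMP_RIGHTS = {"VM_READ"}                                      # enough to read credentials out
INJECT_RIGHTS = {"CREATE_THREAD", "VM_WRITE", "VM_OPERATION"}  # what an injector needs

# Source images that open lsass.exe on a clean baseline host (assumption: tune per estate).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def decode_access(mask: str) -> List[str]:
    """Translate Sysmon's hex GrantedAccess string into right names."""
    value = int(mask, 16)
    if value == 0x1FFFFF:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious lsass.exe access, or None.

    'high' when a non-allowlisted image gets VM_READ/injection rights or the
    call trace passes through unbacked memory (UNKNOWN frames, typical of
    reflective injection); 'low' for query-only handles, which are common noise."""
    if event.get("EventID") != "10":
        return None
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return None          # other targets, including the inverted lsass-as-source case
    source = event["SourceImage"]
    rights = decode_access(event["GrantedAccess"])
    unbacked = "UNKNOWN(" in event.get("CallTrace", "")
    if source.lower() in BENIGN_SOURCES and not unbacked:
        return None          # baseline behaviour; keep the list short and reviewed
    dangerous = "ALL_ACCESS" in rights or bool(set(rights) & (DUMP_RIGHTS | INJECT_RIGHTS))
    return {
        "source": source,
        "rights": rights,
        "severity": "high" if (dangerous or unbacked) else "low",
        "unbacked_callers": unbacked,
    }


def triage_all(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (triage(e) for e in events) if f]


# Constructed records in Sysmon's EventData field names.
_NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2e2ba"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": _NTDLL},
    {"EventID": "10", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010", "CallTrace": _NTDLL},
    {"EventID": "10", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "CallTrace": _NTDLL + "|UNKNOWN(000001F2A3B40000)"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": _NTDLL + r"|C:\Windows\System32\Taskmgr.exe+1a2b3"},
    # Inverted direction: lsass.exe is the source here, so this is not an lsass dump.
    {"EventID": "10", "SourceImage": LSASS, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1400", "CallTrace": _NTDLL},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is keyed on full path, not basename, on purpose: `C:\Users\x\csrss.exe` should still fire. Expect the Defender entry to need replacing with whichever engine your estate actually runs.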



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- DCSync (T1003.006) is a directory replication request carried over the Directory Replication Service RPC interface (MS-DRSR; Zeek labels the endpoint `drsuapi`), so on the wire it is indistinguishable from routine DC-to-DC replication. The discriminator is the source host: a `DRSGetNCChanges` call from an address that is not a known domain controller is the finding. Keep the DC address list as a maintained inventory rather than deriving it from the traffic under review.
- MS-NRPC (Netlogon) and MS-SAMR requests from non-DC hosts follow the same pattern at lower fidelity; member servers and admin tooling use both legitimately, so treat them as supporting evidence rather than a standalone alert.
- Security event 4662 on the DC carries the requesting account but not the source address, so the network view is the complement to the host analytics for this sub-technique.

#### Analytic 1

  * **Information:** Directory replication requests (DRSUAPI `DRSGetNCChanges`) from hosts that are not domain controllers.

  * **Source:** Zeek dce_rpc.log; Arkime session metadata for the underlying RPC sessions

  * **Tool:** Arkime, Kibana

  * **Notes:** False Positive Rate : Low once the DC list is accurate. Domain controllers may not log replication requests from their own accounts, so this is the primary signal when the host-side 4662 events are absent. Field names assume the Filebeat Zeek module; adjust to the local index mapping.

  * **Query:** ```zeek.dce_rpc.endpoint : drsuapi AND zeek.dce_rpc.operation : DRSGetNCChanges AND NOT source.ip : (<known DC addresses>)```

