Skip to content
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
Cannot retrieve contributors at this time
name: Credential Dumping
id: 854d78bf-d0e2-4f4e-b05c-640905f86d7a
version: 3
date: '2020-02-04'
author: Rico Valdez, Splunk
description: Uncover activity consistent with credential dumping, a technique wherein
attackers compromise systems and attempt to obtain and exfiltrate passwords. The
threat actors use these pilfered credentials to further escalate privileges and
spread throughout a target environment. The included searches in this Analytic Story
are designed to identify attempts to credential dumping.
narrative: 'Credential dumping—gathering credentials from a target system, often
hashed or encrypted—is a common attack technique. Even though the credentials
may not be in plain text, an attacker can still exfiltrate the data and set to cracking
it offline, on their own systems. The threat actors target a variety of sources
to extract them, including the Security Accounts Manager (SAM), Local Security Authority
(LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\
Once attackers obtain valid credentials, they use them to move throughout a target
network with ease, discovering new systems and identifying assets of interest. Credentials
obtained in this manner typically include those of privileged users, which may provide
access to more sensitive information and system operations.\
The detection searches in this Analytic Story monitor access to the Local Security
Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential
dumping and some other techniques for credential dumping.'
analytic_story: Credential Dumping
- Adversary Tactics
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection