Written By: Austin Miller
MITRE ATTACK: T1003 – OS Credential Dumping
Onto the fifth most common attack vector in the MITRE ATT&CK – accessing and dumping credentials after initial access. Although credential dumping can be the primary objective of a cyberattack and lead to credential stuffing, the adversary will often try to maintain a foothold in a system and escalate privileges to cause maximal damage.
What is OS Credential Dumping?
Obtaining and dumping credentials is an easy way for the adversary to start lateral movement across the network. Many different tools are used, but popular open-source tools like Mimikatz, Gsecdump, and even Windows Task Manager are all commonly used by threat actors and ethical hackers alike to access credential stores.
By accessing credential stores such as lsass.exe, %systemroot%\system32\config\SYSTEM, or passwd, potentially organization-wide password leaks are easy-pickings. When the adversary has access to these file systems, it is generally too late to stop them from leaking sensitive password data. But building effective defenses that stop access is the best plan of action for security professionals.
How does the adversary use OS Credential Dumping?
As previously established, the adversary has numerous methods for accessing password data. This means that there is no easy, one-size-fits-all defense against this kind of attack vector. But understanding how the adversary may approach your systems can be broken down into eight subcategories. In the interest of brevity, here are the four most flexible types of attack that the adversary may use to access password stores.
T1003.01 – LSASS Memory
Accessing the Local Security Authority Subsystem Service (LSASS) gives the adversary access to all logged-in user credentials, including encrypted plain text passwords, Kerberos tickets, LAN Manager (LM) hashes, and New Technology LAN Manager (NT) hashes. To access these files, elevated permissions are necessary.
Many publicly available and custom tools have been observed in the wild, including the popular Mimikatz in the LAPSUS$ attack on Okta leak. Due to the ease of dumping the LSASS with Windows Task Manager, some threat actors even use Living of the Land (LotL) attacks in the form of the built-in Windows tool to steal password credentials.
Other tools that are popularly used for LSASS memory attacks include:
- Direct System Calls and API Unhooking
T1003.02 – SAM
Security Account Manager (SAM) is located in %systemroot%\system32\config\SAM and on the HKEY_LOCAL_MACHINE/SAM (HKLM/SAM) hive on Windows systems. Along with hashes that are easily accessible through %systemroot%\system32\config\SYSTEM and backups through %systemroot%\repair\, the threat actors have multiple ways to access these sensitive credentials.
Because there are so many tactics for dumping credentials from SAM, here is a list of techniques that the adversary has been observed to use:
- Offline password cracking
- Pass the Hash
- Registry technique
- In-memory technique
- Volume Shadow Copy technique
T1003.03 – NTDS
Utilising NTDSUtil or the Volume Shadow Copy technique, the adversary can leverage the New Technology Directory Services (NTDS) to dump credentials as well. The most common technique for this – using NTDS.dit – allowed access to Active Directory Domain Services (AD DS) databases, granting acccess to AD data about user objects, groups, and group membership.
By using the tool to export the AD database, threat actors can simply use the Install From Media (IFM) backup functionality to create a direct copy dump of all credentials stored (as long as they have administrator privileges). This has been a popular method used all around the world, including by APT28 and Chimera.
The Volume Shadow Copy technique also applies to this type of attack.
T1003.08 – passwd and shadow
Linux users, don’t think that you have gotten away with it! They are just as susceptible to OS Credential Dumping attacks.
If the adversary can access passwd and shadow, user account information and hashed passwords are free game. Although a variety of cryptographic techniques are used to encrypt this data, dumping the files is an easy way for the adversary to steal the information in the form of hashes for offline cracking attempts.
Unshadow is a Linux utility that allows access to the passwd and shadow file stores and open-source tools such as Jack the Ripper can be used to crack hashes and reveal the plaintext passwords. Other tools such as LaZagne can be used to dump credentials with the shadow.py module, which can then be followed by dictionary attacks against the preferred encryption method.
How can I defend my organization against OS Credential Dumping?
Due to the wide range of OS Credential Dumping tactics, there are multiple ways to mitigate the risk and make the adversary’s job more difficult. Here are nine of ways to improve your security posture against the threat of OS Credential Dumping.
- M1015 – Active Directory Configuration
- M1017 – User Training
- M1025 – Privileged Process Integrity
- M1026 – Privileged Account Management
- M1027 – Password Policies
- M1028 – Operating System Configuration
- M1040 – Behavior Prevention on Endpoint
- M1041 – Encrypt Sensitive Information
- M1043 – Credential Access Protection