John Wunder
118 lines
10 KiB
JSON
118 lines
10 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--004a4b70-09ad-411d-a7dd-5760229cd4c4",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"created": "2017-05-31T21:30:19.735Z",
|
|
"modified": "2018-01-17T12:56:55.080Z",
|
|
"name": "Credential Dumping",
|
|
"description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Lateral Movement and access restricted information.\n\nTools may dump credentials in many different ways: extracting credential hashes for offline cracking, extracting plaintext passwords, and extracting Kerberos tickets, among others. Examples of credential dumpers include pwdump7, Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped. (Citation: Github Mimikatz Module sekurlsa)\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\nDetection: Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\nPlatforms: Windows\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs\n\nPermissions Required: Administrator, SYSTEM\n\nContributors: Vincent Le Toux",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "credential-access"
|
|
}
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/wiki/Technique/T1003",
|
|
"external_id": "T1003"
|
|
},
|
|
{
|
|
"source_name": "Github Mimikatz Module sekurlsa",
|
|
"description": "Delpy, B. (2014, September 14). Mimikatz module ~ sekurlsa. Retrieved January 10, 2016.",
|
|
"url": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa"
|
|
},
|
|
{
|
|
"source_name": "Powersploit",
|
|
"description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",
|
|
"url": "https://github.com/mattifestation/PowerSploit"
|
|
},
|
|
{
|
|
"source_name": "ADSecurity Mimikatz DCSync",
|
|
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
|
|
"url": "https://adsecurity.org/?p=1729"
|
|
},
|
|
{
|
|
"source_name": "Harmj0y Mimikatz and DCSync",
|
|
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017.",
|
|
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
|
|
},
|
|
{
|
|
"source_name": "GitHub Mimikatz lsadump Module",
|
|
"description": "Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.",
|
|
"url": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump"
|
|
},
|
|
{
|
|
"source_name": "Microsoft DRSR Dec 2017",
|
|
"description": "Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.",
|
|
"url": "https://msdn.microsoft.com/library/cc228086.aspx"
|
|
},
|
|
{
|
|
"source_name": "Microsoft GetNCCChanges",
|
|
"description": "Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.",
|
|
"url": "https://msdn.microsoft.com/library/dd207691.aspx"
|
|
},
|
|
{
|
|
"source_name": "Samba DRSUAPI",
|
|
"description": "SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.",
|
|
"url": "https://wiki.samba.org/index.php/DRSUAPI"
|
|
},
|
|
{
|
|
"source_name": "Wine API samlib.dll",
|
|
"description": "Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.",
|
|
"url": "https://source.winehq.org/WineAPI/samlib.html"
|
|
},
|
|
{
|
|
"source_name": "InsiderThreat ChangeNTLM July 2017",
|
|
"description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
|
|
"url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM"
|
|
},
|
|
{
|
|
"source_name": "Microsoft NRPC Dec 2017",
|
|
"description": "Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.",
|
|
"url": "https://msdn.microsoft.com/library/cc237008.aspx"
|
|
},
|
|
{
|
|
"source_name": "AdSecurity DCSync Sept 2015",
|
|
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.",
|
|
"url": "https://adsecurity.org/?p=1729"
|
|
},
|
|
{
|
|
"source_name": "Harmj0y DCSync Sept 2015",
|
|
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
|
|
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
|
|
},
|
|
{
|
|
"source_name": "Microsoft SAMR",
|
|
"description": "Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.",
|
|
"url": "https://msdn.microsoft.com/library/cc245496.aspx"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"x_mitre_contributors": [
|
|
"Vincent Le Toux"
|
|
],
|
|
"x_mitre_data_sources": [
|
|
"API monitoring",
|
|
"Process command-line parameters",
|
|
"Process monitoring",
|
|
"PowerShell logs"
|
|
],
|
|
"x_mitre_permissions_required": [
|
|
"Administrator",
|
|
"SYSTEM"
|
|
],
|
|
"x_mitre_platforms": [
|
|
"Windows"
|
|
]
|
|
}
|
|
]
|
|
} |