There are various steps that an attacker must follow in order to execute any successful attack, with the initial compromise being just one stage in the overall attack chain. Once attackers have successfully breached the perimeter of an organization, they enter into the lateral movement phase where they attempt to tiptoe through a network, identifying the systems and data that are the ultimate target of their campaign.
Credential dumping is a technique frequently used by attackers during lateral movement to obtain account information, such as logins and passwords. Armed with this information, the attackers can then spread further within an organization and/or access restricted data. Attackers use a variety of credential-dumping methods, and these first require administrator privileges. Obtaining those privileges is known as privilege escalation, and it must be performed before any attempt at credential dumping.
Detecting and blocking lateral movement activity is an important part of any organization’s defense strategy and our Symantec portfolio provides defense-in-depth across control points. Our solutions detect and prevent credential dumping, and also protect against precursor events such as threat delivery and privilege escalation, as well as post-theft credential use.
Detecting methods of credential dumping
Credential dumping has long been used as a step in post-breach lateral movement and is listed as T1003 in the MITRE ATT&CK™ Framework. One of the challenges in protecting against all forms of credential dumping is that attackers attempt to disguise their methods as legitimate activity, sometimes leveraging standard administrative tools to perform the dumping. Freely available tools, such as Hacktool.Mimikatz, also use a variety of methods to dump credentials.
Attempts at credential dumping can be uncovered in a variety of ways by our Symantec solutions. Here, I will discuss how our Symantec Endpoint Detection and Response (SEDR) product provides visibility into attempted credential theft by identifying a wide range of credential-dumping techniques, including:
- Access to the Security Accounts Manager (SAM) area of the registry
- Sniffing credentials from network traffic
- Reading protected storage on the system
- Accessing memory of user applications where user credentials are stored (e.g. mail clients, internet browsers)
- Accessing credentials in the Windows Credential Manager
- Abusing Kerberos Ticket-Granting Services to harvest ticket hashes for offline cracking of credentials
- Injecting into Windows’ Local Security Authority Subsystem Service (LSASS)
- Reading LSASS memory
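To make the first and last items in this list concrete, here is an added Python example (not Symantec's SEDR code) that classifies constructed endpoint events as SAM registry reads or LSASS memory reads and tags each finding with its ATT&CK tactic and T1003 sub-technique; the normalised event shape, the trusted-process allow-list and the sample image paths are assumptions.

```python
# Added example (not Symantec SEDR code): label constructed endpoint events that
# look like credential dumping with the MITRE ATT&CK tactic and T1003 sub-technique,
# as an EDR report pairs each observation with the attacker's goal and method.
from dataclasses import dataclass
from typing import Optional
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
TACTIC = "Credential Access (TA0006)"
LSASS = r"C:\Windows\System32\lsass.exe"
SAM_HIVE_PREFIX = r"HKLM\SAM\SAM\Domains\Account"  # local password hashes live here
# Assumed allow-list: system processes expected to open LSASS or read the SAM hive.
TRUSTED_IMAGES = {r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\wininit.exe"}

@dataclass(frozen=True)
class Finding:
    tactic: str
    technique: str
    image: str
    observed: str

def classify_event(ev: dict) -> Optional[Finding]:
    """Map one normalised event to a T1003 sub-technique; None means benign."""
    image = ev.get("image", "")
    if image in TRUSTED_IMAGES:
        return None
    if ev.get("kind") == "process_access" and ev.get("target", "").lower() == LSASS.lower():
        # Sysmon records the granted access mask as a hex string; only VM_READ grants matter
        if int(ev.get("access", "0x0"), 16) & PROCESS_VM_READ:
            return Finding(TACTIC, "T1003.001 LSASS Memory", image,
                           f"opened LSASS with access mask {ev['access']}")
    if ev.get("kind") == "registry_read" and ev.get("key", "").startswith(SAM_HIVE_PREFIX):
        return Finding(TACTIC, "T1003.002 Security Account Manager", image,
                       f"read registry key {ev['key']}")
    return None

def classify_events(events) -> list:
    return [f for f in map(classify_event, events) if f is not None]

# Constructed sample events: a harmless LSASS query, a memory read, and a SAM read.
SAMPLE_EVENTS = [
    {"kind": "process_access", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": LSASS, "access": "0x1000"},
    {"kind": "process_access", "image": r"C:\Users\bob\Downloads\dumper.exe",
     "target": LSASS, "access": "0x1010"},
    {"kind": "registry_read", "image": r"C:\Users\bob\Downloads\dumper.exe",
     "key": r"HKLM\SAM\SAM\Domains\Account\Users\000001F4"},
]

if __name__ == "__main__":
    for f in classify_events(SAMPLE_EVENTS):
        print(f"{f.tactic} | {f.technique} | {f.image}: {f.observed}")
```

The first sample event is dropped because the mask grants no memory-read right, so only the two genuine dumping attempts are reported.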
When any suspected credential theft is found, regardless of the specific tool used to access the credentials, SEDR reports exactly what was observed along with the relevant MITRE ATT&CK tactic (the attacker’s goal) and technique (how the attacker was trying to achieve that goal):