T1003 OS Credential Dumping Mappings

Credential Guard uses Intel VT-x for providing Virtualization-based security (VBS), to isolate secrets so that only privileged system software can access them. It isolates LSA-related processes and provides real-time protection against in-memory credential-stealing attempts. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot (Intel PTT and Intel Boot Guard) and virtualization, to protect credentials. Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications such as domain credentials. However, it does not protect against all forms of credential dumping, such as registry dumping. Credential Guard benefits from enabling Secure Boot (BootGuard) and UEFI Lock. When Secure Boot is enabled, a secure and verified environment is established from the start of the boot process. With UEFI Lock, Credential Guard settings are stored in UEFI firmware, significantly increasing the difficulty of disabling Credential Guard through registry changes. This is marked as significant since it uses VBS to isolate LSA related processes and provide real-time protection against in-memory credential stealing attempts.

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of OS Credential Dumping exploits. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. OS Credential Dumping attacks involve adversaries extracting and harvesting credentials (such as usernames and passwords) from an operating system’s memory or other storage locations. These credentials can then be used for lateral movement within the network, escalating privileges, or exfiltrating sensitive data. Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling the detection of abnormal behaviors that indicate unauthorized credential access or attempts to dump sensitive information from memory. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, enabling faster and more efficient detection of malicious activity without impacting system performance. CAMS helps identify suspicious behaviors, such as unauthorized credential extraction or memory dumping activities, providing proactive defense against these stealthy techniques used by attackers to gain access to critical systems.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.

CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows

CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.

CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to perform remote arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE: