Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
intel-ptt | Intel Platform Trust Technology | Win 11, Credential Guard | T1003 | OS Credential Dumping |
Comments
Credential Guard uses Intel VT-x to provide virtualization-based security (VBS), isolating secrets so that only privileged system software can access them. It isolates LSA-related processes and provides real-time protection against in-memory credential-stealing attempts. NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot (Intel PTT and Intel Boot Guard) and virtualization, to protect credentials.
Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications, such as domain credentials. However, it does not protect against all forms of credential dumping, such as registry dumping. Credential Guard benefits from enabling Secure Boot (Boot Guard) and UEFI Lock. When Secure Boot is enabled, a secure and verified environment is established from the start of the boot process. With UEFI Lock, the Credential Guard settings are stored in UEFI firmware, which makes it significantly harder to disable Credential Guard through registry changes alone.
This mapping is marked as significant because Credential Guard uses VBS to isolate LSA-related processes and provides real-time protection against in-memory credential-stealing attempts.
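A defender-side check for the two conditions the comment above describes: whether Credential Guard is actually running under VBS, and whether its setting is UEFI-locked rather than merely set in the registry. This is an added example, not code from the mappings page, Intel or Microsoft; it assumes an elevated PowerShell session on Windows 10/11, and the function name Get-CredentialGuardState is the author's own, while the WMI class, status codes and LsaCfgFlags values are Microsoft-documented.

```powershell
# Added example: audit Credential Guard / VBS state and UEFI lock on the local host.
function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS status and which VBS-backed services are running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $cgRunning  = $dg.SecurityServicesRunning -contains 1
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # The Group Policy key takes precedence over the LSA key when both are present.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $flags = (Get-ItemProperty -Path $policyPath -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    if ($null -eq $flags) {
        $flags = (Get-ItemProperty -Path $lsaPath -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "unknown" ($null).
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $cgRunning
        LsaCfgFlags            = $flags
        UefiLocked             = ($flags -eq 1)
        SecureBootEnabled      = $secureBoot
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# Flag the gaps the comment warns about: configured but not running (VBS prerequisites
# missing), or running without UEFI lock (a privileged registry change can turn it off).
if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running; LSA secrets are not VBS-isolated.'
} elseif (-not $state.UefiLocked) {
    Write-Warning 'Credential Guard is running without UEFI lock; it can be disabled via the registry.'
}
if ($state.SecureBootEnabled -ne $true) {
    Write-Warning 'Secure Boot is not confirmed enabled; the verified boot chain is not established.'
}
```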
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1003 | OS Credential Dumping |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of OS Credential Dumping attempts. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact.
OS Credential Dumping attacks involve adversaries extracting and harvesting credentials (such as usernames and passwords) from an operating system's memory or other storage locations. These credentials can then be used for lateral movement within the network, escalating privileges, or exfiltrating sensitive data. Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling the detection of abnormal behaviors that indicate unauthorized credential access or attempts to dump sensitive information from memory.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel integrated GPU, enabling faster and more efficient detection of malicious activity without impacting system performance. CAMS helps identify suspicious behaviors, such as unauthorized credential extraction or memory dumping activity, providing proactive defense against these stealthy techniques used by attackers to gain access to critical systems.
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1003.002 | Security Account Manager | 1 |