Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
PR.PS-01.02 | Least functionality | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
PR.PS-01.03 | Configuration deviation | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides protection from OS Credential Dumping through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
References
|
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of revocation of keys and key management. Employing key protection strategies for key material used in protection of OS credential backups, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to obtain credentials from OS credential backups.
References
|
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
PR.AA-01.02 | Physical and logical access | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
PR.AA-03.01 | Authentication requirements | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
ID.AM-08.05 | Data destruction procedures | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
PR.AA-01.01 | Identity and credential management | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003 | OS Credential Dumping | |
attribute.confidentiality.data_disclosure | None | related-to | T1003 | OS Credential Dumping |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1003 | OS Credential Dumping |
Comments
Most credential dumping operations do not require modifying resources that can be detected by this control (i.e. Registry and File system) and therefore its coverage is minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1003 | OS Credential Dumping |
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1003 | OS Credential Dumping |
Comments
This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1003 | OS Credential Dumping |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques resulting in an overall Minimal score.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1003 | OS Credential Dumping |
Comments
Google Security Operations is able to detect suspicious command-line process attempted to escalate privileges. Examples of credential access system events include:
(e.g.,"re.regex($selection.target.registry.registry_value_data, `.*DumpCreds.*`) or re.regex($selection.target.registry.registry_value_data, `.*Mimikatz.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWCrack.*`) or $selection.target.registry.registry_value_data = "HTool/WCE" or re.regex($selection.target.registry.registry_value_data, `.*PSWtool.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWDump.*`)).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1003 | OS Credential Dumping |
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1003.002 | Security Account Manager | 20 |
T1003.004 | LSA Secrets | 17 |
T1003.007 | Proc Filesystem | 18 |
T1003.001 | LSASS Memory | 30 |
T1003.005 | Cached Domain Credentials | 22 |
T1003.008 | /etc/passwd and /etc/shadow | 20 |
T1003.003 | NTDS | 25 |
T1003.006 | DCSync | 19 |