OS Credential Dumping (T1003)
See technique results for:

Carbanak+FIN7
- Step 4.B.7
- Step 15.A.6

APT29
- Step 6.C.1
- Step 14.B.4
- Step 16.D.2
Procedure: Dumped plaintext credentials using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Footnotes:
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking PowerShell from executing untrusted applications or blocking PUP applications from executing. Credential dumping can be blocked by preventing untrusted applications from reading the memory of other processes.

Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Footnotes:
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking PUP applications from executing. Credential dumping can be prevented by implementing rules blocking untrusted applications from reading the memory of another process.

APT3
- Step 5.A.1.1
- Step 5.A.2.1