VMware Carbon Black: Credential Access (TA0006)

Carbanak+FIN7
Step      ATT&CK Pattern
4.A.3
4.B.7     Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001)
9.A.2
9.B.2
15.A.6    Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001)
18.A.4

APT29

Step      ATT&CK Pattern
6.A.1     Technique: Unsecured Credentials (T1552); Subtechnique: Unsecured Credentials: Credentials in Files (T1552.001)
6.A.2
6.B.1     Technique: Unsecured Credentials (T1552); Subtechnique: Unsecured Credentials: Private Keys (T1552.004)
6.C.1     Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: Security Account Manager (T1003.002)
14.B.4    Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001)
16.D.2    Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001)

Step 14.B.4
Procedure: Dumped plaintext credentials using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Footnotes
- According to the vendor, VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules that block PowerShell from executing untrusted applications, or that block PUP applications from executing. Credential dumping can be blocked by preventing untrusted applications from reading the memory of other processes.


Step 16.D.2
Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Footnotes
- According to the vendor, VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules that block PUP applications from executing. Credential dumping can be prevented by implementing rules that block untrusted applications from reading the memory of another process.
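The detection criterion for both Mimikatz steps is the same: an untrusted process opening lsass.exe with rights that let it read memory. The vendor footnote describes the prevention side (a rule that stops untrusted applications reading other processes' memory); the following is an added example, not VMware Carbon Black or ATT&CK Evaluations code, of the detection side. It runs over constructed, pipe-delimited lines modelled on Sysmon Event ID 10 (ProcessAccess); the field names match Sysmon, while the sample paths, the allowlist and the trusted-directory list are assumptions to tune per environment.

```python
"""Flag processes that open lsass.exe with memory-read rights (Sysmon Event ID 10).

Added example, not vendor or evaluation code. Input lines are constructed and
modelled on Sysmon ProcessAccess events; paths and allowlist are assumptions.
"""
from dataclasses import dataclass

# Every credential dump from LSASS needs a handle that can read its memory, so
# the access mask of interest always carries PROCESS_VM_READ (0x0010).
# Mimikatz typically requests 0x1010 (VM_READ | QUERY_INFORMATION) or 0x1410.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS with read rights on a stock host.
# Assumption: illustrative allowlist only; tune it per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class LsassAlert:
    source: str
    target: str
    granted_access: int
    reason: str


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict (values may contain ':' and spaces)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_lsass_access(lines):
    """Return one LsassAlert per non-allowlisted process able to read LSASS memory."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue                       # only ProcessAccess events matter here
        target = ev.get("TargetImage", "").lower()
        if not target.endswith(r"\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0"), 16)
        if not access & PROCESS_VM_READ:
            continue                       # handle cannot read memory, cannot dump
        source = ev.get("SourceImage", "").lower()
        if source in ALLOWLIST:
            continue
        reason = ("non-allowlisted process in a trusted directory"
                  if source.startswith(TRUSTED_DIRS) else "untrusted path")
        alerts.append(LsassAlert(ev["SourceImage"], ev["TargetImage"], access, reason))
    return alerts


# Constructed sample events (not telemetry from the evaluation). The m.exe path
# is an assumption; the page does not state where Mimikatz was staged.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1400",
    r"EventID=10|SourceImage=C:\Users\Public\m.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Users\Public\m.exe|TargetImage=C:\Windows\system32\svchost.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Program Files\Backup Agent\agent.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=1|Image=C:\Users\Public\m.exe|CommandLine=m.exe",
]

if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(f"{alert.source} -> {alert.target} (0x{alert.granted_access:X}): {alert.reason}")
```

Two of the six constructed lines fire: m.exe from a user-writable path, and an unknown agent under Program Files that still holds PROCESS_VM_READ on LSASS. The Task Manager line is dropped on the access mask alone (0x1400 has no VM_READ bit), which is the same distinction a memory-read blocking rule makes: it is the right to read, not the mere handle, that enables the dump.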


APT3

Step       ATT&CK Pattern
5.A.1.1    Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001)
5.A.2.1    Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: Security Account Manager (T1003.002)
15.B.1     Technique: Unsecured Credentials (T1552); Subtechnique: Unsecured Credentials: Credentials in Files (T1552.001)
16.A.1.1
16.B.1.3

Step 15.B.1
Procedure: Empire: 'get-content' via PowerShell to collect a sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16.A.1.1
Procedure: Empire: 'net use' via PowerShell to make brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
Footnotes
- The capability was modified after the start of the evaluation, enabling enrichment to appear, so the detection is identified as a configuration change.


Step 16.B.1.3
Procedure: Empire: Successful authentication to Conficker (10.0.0.5) using the credentials of user Kmitnick as a result of the brute-force password spraying
Footnotes
- The capability was modified after the start of the evaluation, enabling enrichment to appear, so the detection is identified as a configuration change.
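The two APT3 steps above are one sequence: a spray of a few usernames against several hosts over a network logon, then a successful logon with one of the sprayed accounts. The following is an added example, not VMware Carbon Black or ATT&CK Evaluations code, of the correlation logic a detection engineer would write for that sequence. It runs over constructed lines modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon); the hostnames and usernames follow the procedure text, while the attacker source IP (10.0.0.20), the timestamps, and the thresholds are assumptions.

```python
"""Correlate a password spray with the logon that succeeds afterwards.

Added example, not vendor or evaluation code. Input lines are constructed and
modelled on Windows Security 4625/4624 events; IPs, times, thresholds assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 3                   # distinct accounts tried from one source ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... within this interval count as a spray
SUCCESS_WINDOW = timedelta(hours=1)   # a success this long after the spray is correlated


@dataclass
class Finding:
    kind: str                 # "password_spray" or "spray_then_success"
    source_ip: str
    first_seen: datetime
    users: list = field(default_factory=list)
    hosts: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict and parse the Time field."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["time"] = datetime.fromisoformat(fields["Time"])
    return fields


def detect_password_spray(lines):
    """Return spray findings per source IP, plus any later success for a sprayed user."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    failures = defaultdict(list)   # source ip -> [(time, user, host)] in time order
    sprays = {}                    # source ip -> the open password_spray Finding
    findings = []
    for ev in events:
        ip, user, host, t = ev["IpAddress"], ev["TargetUserName"], ev["Computer"], ev["time"]
        if ev["EventID"] == "4625":
            failures[ip].append((t, user, host))
            recent = [f for f in failures[ip] if t - f[0] <= SPRAY_WINDOW]
            if len({f[1] for f in recent}) < SPRAY_MIN_USERS:
                continue           # a few failures for one account is ordinary noise
            if ip not in sprays:
                sprays[ip] = Finding("password_spray", ip, recent[0][0])
                findings.append(sprays[ip])
            spray = sprays[ip]     # keep the finding current as the spray continues
            since = [f for f in failures[ip] if f[0] >= spray.first_seen]
            spray.users = sorted({f[1] for f in since})
            spray.hosts = sorted({f[2] for f in since})
        elif ev["EventID"] == "4624" and ip in sprays:
            spray = sprays[ip]
            if user in spray.users and t - spray.first_seen <= SUCCESS_WINDOW:
                findings.append(Finding("spray_then_success", ip, t, [user], [host]))
    return findings


# Constructed sample events (not telemetry from the evaluation).
SAMPLE_EVENTS = [
    "EventID=4625|Time=2023-01-10T09:30:00|Computer=Morris|TargetUserName=Alice|IpAddress=10.0.1.50",
    "EventID=4625|Time=2023-01-10T10:00:00|Computer=Morris|TargetUserName=Kmitnick|IpAddress=10.0.0.20",
    "EventID=4625|Time=2023-01-10T10:00:01|Computer=Morris|TargetUserName=Bob|IpAddress=10.0.0.20",
    "EventID=4625|Time=2023-01-10T10:00:02|Computer=Morris|TargetUserName=Frieda|IpAddress=10.0.0.20",
    "EventID=4625|Time=2023-01-10T10:00:03|Computer=Nimda|TargetUserName=Kmitnick|IpAddress=10.0.0.20",
    "EventID=4625|Time=2023-01-10T10:00:04|Computer=Nimda|TargetUserName=Bob|IpAddress=10.0.0.20",
    "EventID=4625|Time=2023-01-10T10:00:05|Computer=Nimda|TargetUserName=Frieda|IpAddress=10.0.0.20",
    "EventID=4624|Time=2023-01-10T10:00:30|Computer=Conficker|TargetUserName=Kmitnick|IpAddress=10.0.0.20",
    "EventID=4624|Time=2023-01-10T10:05:00|Computer=Conficker|TargetUserName=Alice|IpAddress=10.0.1.50",
]

if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f"{f.kind}: {f.source_ip} users={f.users} hosts={f.hosts} at {f.first_seen}")
```

The single failure for Alice never reaches the threshold and her later success is not correlated, while the three-account spray from one source is reported once (its host list growing as Nimda is hit) and Kmitnick's success from the same source within the hour is raised as the follow-on finding. In production the 4625/4624 filter would also be narrowed to LogonType 3, since 'net use' produces network logons, and the thresholds set against the environment's normal failure rate.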

