GoSecure: OS Credential Dumping (T1003)
Carbanak+FIN7

Step | ATT&CK Pattern
4.B.7 |
15.A.6 |

APT29

Step | ATT&CK Pattern
6.C.1 |
14.B.4 |
16.D.2 |

Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- The Lsass.exe Registry read event exclusion was removed from the configuration for this evaluation. The exclusion is normally in place because this event is noisy.
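The criteria above are a two-part detection rule: either powershell.exe injecting into lsass.exe, or lsass.exe reading keys under HKLM:\SAM\SAM\Domains\Account\Users\. The following is an added example, not GoSecure's or MITRE's code, that evaluates that rule over a handful of constructed telemetry records. The event shapes (a "ProcessAccess"/"CreateRemoteThread" record with source and target images, and a "RegistryRead" record with an image and key path) are assumptions modelled loosely on Sysmon and Windows object-access auditing, not the product's actual schema; the key normalisation accepts both the PowerShell drive form (HKLM:\) and the plain hive form (HKLM\) so the rule matches regardless of how the sensor renders the path.

```python
import ntpath

# Constructed constants for the rule; key prefix is the one quoted in the criteria.
SAM_USERS_PREFIX = "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\"
INJECTION_EVENTS = {"CreateRemoteThread", "ProcessAccess"}


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def normalise_key(key: str) -> str:
    """Map the PowerShell drive spelling and the long hive name onto HKLM\\... (assumed sensor variants)."""
    return (key.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\")
               .replace("HKLM:\\", "HKLM\\"))


def matches_injection(event: dict) -> bool:
    """First half of the criteria: powershell.exe opening/injecting into lsass.exe."""
    return (event.get("event") in INJECTION_EVENTS
            and _image_name(event.get("source_image", "")) == "powershell.exe"
            and _image_name(event.get("target_image", "")) == "lsass.exe")


def matches_sam_read(event: dict) -> bool:
    """Second half of the criteria: lsass.exe reading a key under the SAM Users container."""
    key = normalise_key(event.get("key", "")).upper()
    return (event.get("event") == "RegistryRead"
            and _image_name(event.get("image", "")) == "lsass.exe"
            and key.startswith(SAM_USERS_PREFIX.upper()))


def evaluate(events: list) -> list:
    """Return (event id, reason) for every record that satisfies the OR'd criteria."""
    hits = []
    for e in events:
        if matches_injection(e):
            hits.append((e["id"], "powershell.exe injecting into lsass.exe"))
        elif matches_sam_read(e):
            hits.append((e["id"], "lsass.exe reading SAM user keys"))
    return hits


# Constructed sample telemetry: three true positives mixed with two benign-looking records.
SAMPLE_EVENTS = [
    {"id": 1, "event": "ProcessAccess",
     "source_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"id": 2, "event": "RegistryRead",
     "image": "C:\\Windows\\System32\\lsass.exe",
     "key": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F4"},
    {"id": 3, "event": "RegistryRead",  # routine lsass registry noise, not under the SAM Users path
     "image": "C:\\Windows\\System32\\lsass.exe",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"},
    {"id": 4, "event": "ProcessAccess",  # a non-PowerShell source does not meet this specific rule
     "source_image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"id": 5, "event": "RegistryRead",  # PowerShell drive spelling of the same container
     "image": "C:\\Windows\\System32\\lsass.exe",
     "key": "HKLM:\\SAM\\SAM\\Domains\\Account\\Users\\Names"},
]

if __name__ == "__main__":
    for event_id, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Record 3 is the kind of routine lsass.exe registry activity the footnote refers to: once the read-event exclusion is lifted, a rule that only checked "lsass.exe reads the registry" would fire constantly, so scoping it to the SAM Users container is what keeps it tolerable. Record 4 shows the rule's deliberate narrowness: it is written for the PowerShell-based procedure tested here, not for every process that opens lsass.exe.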


APT3

Step | ATT&CK Pattern
5.A.1.1 |
5.A.2.1 |

Procedure
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.

