Home >
Enterprise >
Participants >
GoSecure >
Credential Access (TA0006)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
4.A.3
|
|
|||||
4.B.7
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: LSASS Memory (T1003.001) |
|
||||
9.A.2
|
|
|||||
9.B.2
|
|
|||||
15.A.6
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: LSASS Memory (T1003.001) |
|
||||
18.A.4
|
|
Criteria
powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
6.A.1
|
Technique Unsecured Credentials (T1552) Subtechnique Unsecured Credentials: Credentials in Files (T1552.001) |
|
||||
6.A.2
|
|
|||||
6.B.1
|
Technique Unsecured Credentials (T1552) Subtechnique Unsecured Credentials: Private Keys (T1552.004) |
|
||||
6.C.1
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: Security Account Manager (T1003.002) |
|
||||
14.B.4
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: LSASS Memory (T1003.001) |
|
||||
16.D.2
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: LSASS Memory (T1003.001) |
|
Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Lsass.exe Registry read event exclusion was removed from the configuration. The exclusion is in place because it's noisy.


Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Lsass.exe Registry read event exclusion was removed from the configuration. The exclusion is in place because it's noisy.


APT3 |
||||||
Step | ATT&CK Pattern |
|
||||
5.A.1.1
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: LSASS Memory (T1003.001) |
|
||||
5.A.2.1
|
Technique OS Credential Dumping (T1003) Subtechnique OS Credential Dumping: Security Account Manager (T1003.002) |
|
||||
15.B.1
|
Technique Unsecured Credentials (T1552) Subtechnique Unsecured Credentials: Credentials in Files (T1552.001) |
|
||||
16.A.1.1
|
|
|||||
16.B.1.3
|
|
Procedure
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as \"traits\"), which may give an analyst clues on what the process does.


[2]


[3]


Procedure
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of usersKmitnick, Bob, and Frieda
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


[2]


[3]


[4]


Procedure
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


[2]


Procedure
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


[2]

