Enterprise evaluation results for participant Microsoft: Credential Access (TA0006)
Carbanak+FIN7

Step    | ATT&CK Pattern
4.A.3   |
4.B.7   | OS Credential Dumping (T1003); sub-technique: LSASS Memory (T1003.001)
9.A.2   |
9.B.2   |
15.A.6  | OS Credential Dumping (T1003); sub-technique: LSASS Memory (T1003.001)
18.A.4  |
APT29

Step    | ATT&CK Pattern
6.A.1   | Unsecured Credentials (T1552); sub-technique: Credentials in Files (T1552.001)
6.A.2   |
6.B.1   | Unsecured Credentials (T1552); sub-technique: Private Keys (T1552.004)
6.C.1   | OS Credential Dumping (T1003); sub-technique: Security Account Manager (T1003.002)
14.B.4  | OS Credential Dumping (T1003); sub-technique: LSASS Memory (T1003.001)
16.D.2  | OS Credential Dumping (T1003); sub-technique: LSASS Memory (T1003.001)
APT3

Step     | ATT&CK Pattern
5.A.1.1  | OS Credential Dumping (T1003); sub-technique: LSASS Memory (T1003.001)
5.A.2.1  | OS Credential Dumping (T1003); sub-technique: Security Account Manager (T1003.002)
15.B.1   | Unsecured Credentials (T1552); sub-technique: Credentials in Files (T1552.001)
16.A.1.1 |
16.B.1.3 |

Procedure
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Footnotes
- Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.
Procedure
Cobalt Strike: Built-in hash dump capability executed
Footnotes
- Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.
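The two footnotes above turn on the same pair of mitigations: the LSASS Attack Surface Reduction rule must be in block mode (audit mode only logs), and Credential Guard must actually be running. The script below is an added example, not code from the evaluation page or from Microsoft's submission; it reports both states on a Windows 10/11 host running Defender. It assumes Microsoft's documented rule ID for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", Defender operational event IDs 1121 (rule fired in block mode) and 1122 (rule fired in audit mode), and the Win32_DeviceGuard CIM class; none of those identifiers appear on the page.

```powershell
<#
Added example (not from the ATT&CK Evaluations page or Microsoft's evaluation submission).
Checks the two mitigations the vendor footnotes name for the LSASS credential-dump steps:
  1. ASR rule "Block credential stealing from the Windows local security authority
     subsystem (lsass.exe)". Rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 is taken from
     Microsoft's ASR rule reference (assumption: it is not stated on the page). Only
     Block mode stops the LSASS read; Audit mode just logs event 1122, which is the
     "audit event" the footnote refers to (1121 is the block-mode event).
  2. Credential Guard, read from Win32_DeviceGuard (SecurityServicesRunning contains 1).
Run from an elevated PowerShell session. -Remediate switches the rule to Block mode;
without it the script only reports.
#>
[CmdletBinding()]
param([switch]$Remediate)

$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Numeric action values as returned by Get-MpPreference.
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# --- 1. Current mode of the LSASS ASR rule -----------------------------------
$prefs   = Get-MpPreference
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)
$asrMode = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) {
        $code    = [int]$actions[$i]
        $asrMode = if ($AsrActionName.ContainsKey($code)) { $AsrActionName[$code] } else { "Unknown($code)" }
    }
}

if ($asrMode -ne 'Block' -and $Remediate) {
    # 'Enabled' is the cmdlet's name for block mode; 'AuditMode' would only log.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    $asrMode = 'Block (set by this run)'
}

# --- 2. Recent ASR events for this rule --------------------------------------
# 1121 = fired in block mode, 1122 = fired in audit mode. The rule ID appears in
# the event message text, which is what this filter relies on.
$asrEvents = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1121, 1122 } `
                          -MaxEvents 500 -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match $LsassRuleId }
$audited = @($asrEvents | Where-Object Id -eq 1122).Count
$blocked = @($asrEvents | Where-Object Id -eq 1121).Count

# --- 3. Credential Guard state -----------------------------------------------
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgConfigured = @($dg.SecurityServicesConfigured) -contains 1
$cgRunning    = @($dg.SecurityServicesRunning)    -contains 1

[pscustomobject]@{
    Host                      = $env:COMPUTERNAME
    LsassAsrRuleMode          = $asrMode
    LsassAsrAuditEvents       = $audited   # non-zero with no Block mode is the footnote's scenario
    LsassAsrBlockEvents       = $blocked
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
    LsassReadBlocked          = ($asrMode -like 'Block*')
}
```

Two caveats when reading the output. The check covers only the LSASS rule; the page does not say which ASR rule fired for the hash-dump step, so read the rule ID out of the 1122 event before assuming the same rule covers it. And Credential Guard isolates domain credentials (NTLM hashes, Kerberos tickets) in a separate virtualization-based process; it does not stop a process from opening lsass.exe, and it does not protect local-account hashes in the SAM, so it is a complement to the ASR rule, not a substitute for block mode.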
