Palo Alto Networks: Credential Access (TA0006)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 4.A.3 | |
| 4.B.7 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001) |
| 9.A.2 | |
| 9.B.2 | |
| 15.A.6 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001) |
| 18.A.4 | |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 6.A.1 | Technique: Unsecured Credentials (T1552); Subtechnique: Unsecured Credentials: Credentials in Files (T1552.001) |
| 6.A.2 | |
| 6.B.1 | Technique: Unsecured Credentials (T1552); Subtechnique: Unsecured Credentials: Private Keys (T1552.004) |
| 6.C.1 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: Security Account Manager (T1003.002) |
| 14.B.4 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001) |
| 16.D.2 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001) |
Procedure: Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectedData API

Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Footnotes:
- According to the vendor, payload execution would have been prevented as WildFire labeled the payload as malicious/malware.
APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 5.A.1.1 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: LSASS Memory (T1003.001) |
| 5.A.2.1 | Technique: OS Credential Dumping (T1003); Subtechnique: OS Credential Dumping: Security Account Manager (T1003.002) |
| 15.B.1 | Technique: Unsecured Credentials (T1552); Subtechnique: Unsecured Credentials: Credentials in Files (T1552.001) |
| 16.A.1.1 | |
| 16.B.1.3 | |