SentinelOne (Enterprise evaluation participant)

Credential Access (TA0006)

Carbanak+FIN7

Step | ATT&CK Pattern
4.A.3 |
4.B.7 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: LSASS Memory (T1003.001)
9.A.2 |
9.B.2 |
15.A.6 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: LSASS Memory (T1003.001)
18.A.4 |
APT29

Step | ATT&CK Pattern
6.A.1 | Technique: Unsecured Credentials (T1552); Sub-technique: Unsecured Credentials: Credentials in Files (T1552.001)
6.A.2 |
6.B.1 | Technique: Unsecured Credentials (T1552); Sub-technique: Unsecured Credentials: Private Keys (T1552.004)
6.C.1 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: Security Account Manager (T1003.002)
14.B.4 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: LSASS Memory (T1003.001)
16.D.2 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: LSASS Memory (T1003.001)

Procedure and detection criteria notes (APT29)

Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API

Procedure: Dumped plaintext credentials using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

Step | ATT&CK Pattern
5.A.1.1 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: LSASS Memory (T1003.001)
5.A.2.1 | Technique: OS Credential Dumping (T1003); Sub-technique: OS Credential Dumping: Security Account Manager (T1003.002)
15.B.1 | Technique: Unsecured Credentials (T1552); Sub-technique: Unsecured Credentials: Credentials in Files (T1552.001)
16.A.1.1 |
16.B.1.3 |

Procedure and detection criteria notes (APT3)

Procedure: Cobalt Strike: built-in Mimikatz credential dump capability executed
Procedure: Cobalt Strike: built-in hash dump capability executed
Footnote (applies to both Cobalt Strike procedures above): Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.

Procedure: Empire: 'get-content' via PowerShell to collect a sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
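The Mimikatz and Cobalt Strike credential-dump procedures above all come down to one observable: a process opening a handle to lsass.exe with rights that allow reading its memory or injecting into it. The following Python is an added example, not part of this evaluation page and not SentinelOne's or MITRE's code: it classifies Sysmon Event ID 10 (ProcessAccess) records by that criterion. The field names SourceImage, TargetImage and GrantedAccess are Sysmon's own; the access-right constants are the documented Win32 process access rights; the allowlist of system images, the sample events and the use of m.exe as the attacker image are constructed for illustration and would need tuning on a real estate.

```python
"""Flag LSASS memory access in Sysmon Event ID 10 (ProcessAccess) records.

Added example: classifies which processes opened lsass.exe and with what
rights. Sample events below are constructed, not captured from a host.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Win32 process access rights (documented constants, subset relevant here).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

# Reading LSASS memory is what a credential dump needs; writing memory or
# creating threads is what "injecting into lsass.exe" needs.
DUMP_MASK = PROCESS_VM_READ
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of system images that legitimately open lsass.exe.
# Constructed for this example; a real deployment tunes this per estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class Alert:
    source_image: str
    granted_access: int
    reason: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if this Sysmon EID 10 event looks like LSASS credential access."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    # Sysmon records GrantedAccess as a hex string such as "0x1010".
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if access & INJECT_MASK:
        return Alert(source, access, "injection-capable access to lsass.exe")
    if access & DUMP_MASK:
        return Alert(source, access, "memory read access to lsass.exe")
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run classify() over a stream of events and keep only the alerts."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample events (not real telemetry). 0x1010 is the classic
# Mimikatz read pattern (VM_READ | QUERY_INFORMATION); 0x1FFFFF is full access.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\hashdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.source_image}: {alert.reason} (GrantedAccess=0x{alert.granted_access:X})")
```

The two alerts this produces (m.exe with read access, hashdump.exe with full access) correspond to the "m.exe injecting into lsass.exe" and Cobalt Strike dump criteria above; the allowlisted svchost.exe, the non-LSASS target and the query-only handle from taskmgr.exe are deliberately left silent so the rule shows where its false-positive pressure comes from. Note the APT3 footnote: a product whose blocking was disabled by the evaluation parameters still has to surface this telemetry, which is exactly the event this rule consumes.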