Huseyin Can YUCEEL & Picus Labs | March 23, 2022
Picus Labs analyzed millions of adversary techniques and published the Red Report 2023, which lists the 10 most prevalent MITRE ATT&CK techniques used by adversaries. We are continuing our blog series on the techniques in that Top Ten list.
In this second blog of the series, we explain the T1003 OS Credential Dumping technique of the MITRE ATT&CK framework, which the Red Report 2023 ranks as the second most used ATT&CK technique.
OS Credential Dumping is a technique for obtaining account login and password material from the victim's operating system. Once adversaries establish initial access to a system, one of their primary objectives is to find credentials that unlock other systems and resources in the environment. Operating system credentials are targeted in particular because they feed the later phases of an attack, such as Lateral Movement, Discovery, and Collection.
After compromising a target with elevated privileges, adversaries dump as many credentials as they can reach. The OS Credential Dumping technique covers the ways adversaries obtain account login and password information (plaintext passwords, password hashes, and tickets) from the operating system and its software. These credentials may grant access to privileged accounts or other assets in the network. Adversaries use credentials acquired this way to:
access restricted information and critical assets
move laterally in the network and access other systems using the dumped credentials
create new accounts, perform actions, and remove accounts to clear tracks
analyze password patterns and password policies to reveal other credentials
The Local Security Authority Subsystem Service (LSASS, lsass.exe) caches credential material of logged-on users in memory so that they can reach network resources without re-entering their credentials [1]. Adversaries dump LSASS memory to extract this material.
lsass.exe can hold credentials in several forms, including Kerberos tickets, reversibly encrypted plaintext passwords (for example, when WDigest authentication is enabled), LM hashes, and NT hashes. Opening lsass.exe with read access requires SeDebugPrivilege, which is available to local administrators in an elevated process and to SYSTEM. LSA Protection (RunAsPPL) and Credential Guard further restrict what can be read from the process.
Adversaries use several methods and tools to dump credentials in memory:
Mimikatz: Mimikatz is the most commonly used tool for credential dumping. It can retrieve plaintext passwords, password hashes, and Kerberos tickets from memory [2].
Gsecdump: Gsecdump is a credential dumper tool that can collect password hashes from the Security Account Manager (SAM), Active Directory (AD), LSA secrets, and logon sessions.
ProcDump: ProcDump is a command-line tool from the Microsoft Sysinternals suite [3]. Although its main purpose is monitoring applications for CPU spikes and generating crash dumps to understand their cause, it can write a full memory dump of any process, including lsass.exe (procdump -ma lsass.exe). Because it is a signed Microsoft binary, attackers often bring it along instead of dropping a known credential dumper.
Windows Task Manager: Task Manager's Create dump file context-menu entry, introduced in Windows Vista/Server 2008, writes a full memory dump of the selected process, including lsass.exe when Task Manager runs elevated.
comsvcs.dll: The MiniDump export of comsvcs.dll, commonly invoked through rundll32.exe, writes a process memory dump from which credentials can be retrieved. It requires a process holding SeDebugPrivilege, so it is run from an elevated administrator context or as SYSTEM.
Direct System Calls and API Unhooking: Attackers are increasingly abusing direct system calls in order to evade security [4]. Directly executing system calls and bypassing the Windows and Native API may allow attackers to bypass user-mode hooks used by security controls [5]. Dumpert is an LSASS memory dumper tool that uses direct system calls and API unhooking [6].
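All of the LSASS dumping methods above share one observable: a process other than a handful of Windows components opens a handle to lsass.exe with PROCESS_VM_READ plus a query right (MiniDumpWriteDump needs both; PROCESS_ALL_ACCESS, 0x1FFFFF, includes both). Sysmon Event ID 10 (ProcessAccess) records exactly that, together with the requesting image and a call trace. The following detection logic is an added example written for this article, not Picus, Sysmon or Microsoft code; the event records are constructed to look like Sysmon fields and are not real telemetry, and the allow-list of legitimate requesters is an assumed, environment-specific tuning that you must build from your own baseline.

```python
"""Flag lsass.exe handle requests in Sysmon Event ID 10 (ProcessAccess) records.

Added example for this article; the events below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Process access-right bits (Windows process security and access rights).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Example tuning (assumed for this environment): binaries that legitimately open
# lsass.exe with read access. Match on the full path, never on the image name alone.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18.2302.7-0\msmpeng.exe",
}


@dataclass
class Finding:
    source_image: str
    granted_access: int
    severity: str
    reason: str


def is_dump_capable(mask: int) -> bool:
    """MiniDumpWriteDump needs VM_READ plus a QUERY right; PROCESS_ALL_ACCESS has both."""
    if mask == PROCESS_ALL_ACCESS:
        return True
    return bool(mask & PROCESS_VM_READ) and bool(
        mask & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    )


def analyze(events) -> list:
    """Return one Finding per suspicious lsass.exe access, in event order."""
    findings = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not is_dump_capable(mask):
            continue
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        trace = ev.get("CallTrace", "").lower()
        if "unknown(" in trace:
            # Sysmon prints UNKNOWN(<addr>) for frames without a backing module:
            # injected code or hand-rolled direct syscalls (Dumpert-style).
            severity, reason = "high", "caller frame in unbacked memory"
        elif "dbghelp.dll" in trace or "dbgcore.dll" in trace:
            severity, reason = "high", "MiniDumpWriteDump call path (dbghelp/dbgcore)"
        else:
            severity, reason = "medium", "memory-read handle from non-allow-listed process"
        findings.append(Finding(ev["SourceImage"], mask, severity, reason))
    return findings


# Constructed sample records using Sysmon's field names (not real events).
LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d234"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL},                       # no VM_READ: ignored
    {"SourceImage": r"C:\Users\bob\Downloads\m.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + "|UNKNOWN(000001C2A3B41234)"},
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\dbgcore.dll+1a2b3"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\dbghelp.dll+3c4d5"},
    {"SourceImage": r"C:\Temp\x.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2c83e"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7-0\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1fffff", "CallTrace": NTDLL},  # allow-listed
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source_image} access=0x{f.granted_access:x}: {f.reason}")
```

The access-mask test is deliberately loose (any VM_READ combined with a query right), because Mimikatz, ProcDump, Task Manager and comsvcs.dll request different masks (0x1010, 0x1410, 0x1FFFFF and others); tune the noise with the path allow-list, not by narrowing the mask.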
The Security Account Manager (SAM) database is stored as a registry hive file on the local disk and contains information about local accounts, including usernames and password hashes. Adversaries use several methods to dump credentials from the SAM, such as the registry, in-memory, and volume shadow copy techniques described below.
The SAM hive file is found at %systemroot%\system32\config\SAM and is mounted as the HKEY_LOCAL_MACHINE\SAM registry hive. The hashes inside it are encrypted with a key derived from the boot key, which lives in the SYSTEM hive (%systemroot%\system32\config\SYSTEM), so attackers need both files to recover the hashes. On older Windows versions, backup copies of these hives were also kept in the %systemroot%\repair directory.
The SAM database stores LAN Manager (LM) or NT (NTLM/NT hash) hashes of user passwords rather than the plaintext passwords. LM hashes were used on older Windows versions and have not been stored by default since Windows Vista/Server 2008; the NT hash is an unsalted MD4 digest of the UTF-16LE encoded password. Because passwords are stored as hashes, an attacker must crack them to recover cleartext, but the unsalted, fast NT hash makes offline cracking efficient.
Although storing hashed passwords improves password security to some extent, it cannot keep attackers from launching high-impact attacks using the following techniques:
Offline password cracking: Attackers attempt to find cleartext passwords by:
trying every possible password combination for a given size and character set (brute-force attack)
trying a list of passwords (dictionary attack)
combining brute-force and dictionary attacks (hybrid attack)
comparing the password hash with pre-computed hashes (rainbow table attack). Rainbow tables substantially reduce the time needed to crack passwords.
hashcat [7] and John the Ripper [8] are commonly used tools for password cracking.
Pass the Hash (PtH):
Some authentication mechanisms (NTLM in particular) accept the password hash itself as the secret, so an attacker can authenticate with the hash alone, without cracking it. This technique is T1075 Pass the Hash (since consolidated into T1550.002, Use Alternate Authentication Material: Pass the Hash), categorized under the Lateral Movement tactic of the MITRE ATT&CK framework [9].
Attackers need the SAM file's content to crack password hashes and reveal cleartext credentials. However, Windows does not allow the SAM file to be moved or copied while the OS is running, because the kernel holds an exclusive lock on the hive file. Therefore, attackers cannot simply copy the SAM file and crack the usernames and passwords in it; instead they use the in-memory, registry, and volume shadow copy techniques described next.
Registry technique: reg.exe can save the HKLM\SAM and HKLM\SYSTEM hives to files (for example, reg save HKLM\SAM sam.save) that are then parsed offline [10].
In-memory technique: By injecting a DLL into the LSASS process or scanning its memory for known structures, attackers extract the SAM hashes from memory instead of reading the locked file.
Volume Shadow Copy technique: Attackers create a new shadow copy of the system volume and copy the SAM (and SYSTEM) hive out of that snapshot, bypassing the lock on the live files. The tools below can be used for this technique:
vssadmin: vssadmin is a built-in Windows tool that lists the current volume shadow copies and all installed shadow copy providers and writers, and can create new shadow copies [11].
vssown: vssown is a script that can
create and delete volume shadow copies
start and stop the volume shadow copy service
manage volume shadow copy settings
mount a shadow copy to a given path.
wmic: wmic [12] is a command-line utility for accessing Windows Management Instrumentation (WMI), the infrastructure for management data and operations on Windows-based operating systems [13]. wmic can be used to create and manage volume shadow copies.
Nishang: Nishang is a collection of PowerShell scripts and payloads for penetration testing and red teaming. Nishang's Copy-VSS script creates a shadow copy and copies the SAM file from it.
Extracting information from the SAM database requires system-level privileges. As a result, adversaries usually use various privilege escalation techniques to elevate their privileges.
NTDS.dit is the Active Directory Domain Services database file, located by default at %systemroot%\NTDS\ntds.dit on every domain controller. It holds information about user objects, groups, and group membership, as well as the password hashes of all users in the domain. As with the SAM, those hashes are encrypted with a key derived from the boot key in the SYSTEM hive, so attackers take both files.
Adversaries use the following methods and tools to capture the NTDS.dit file:
NTDSUtil: ntdsutil.exe is a native Windows command-line utility found in the %systemroot%\system32\ directory. On a Domain Controller it can export the AD database with its Install From Media (IFM) function, which writes a consistent copy of NTDS.dit together with the SYSTEM and SECURITY registry hives. It requires administrator privileges.
Threat actors frequently use ntdsutil.exe. For example, APT28 (a.k.a. Sednit, Sofacy, Fancy Bear, Strontium) used ntdsutil.exe to export the Active Directory database for credential access [14]. menuPass (a.k.a. Stone Panda, APT10, Cicada) also uses ntdsutil for credential dumping [15]. Another threat group, Chimera, used the following commands: ntdsutil to make a copy of NTDS.dit, then esentutl to repair the copy in case it was left in an inconsistent state:
ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q
esentutl /p /o ntds.dit
The Volume Shadow Copy technique: NTDS.dit can also be copied this way. A new volume shadow copy is created with the built-in vssadmin.exe or diskshadow.exe tool, and NTDS.dit (together with the SYSTEM hive) is copied out of the snapshot, bypassing the lock held on the live database.
The Mustang Panda (TA416, RedDelta, BRONZE PRESIDENT) APT group used the vssadmin tool on a domain controller to create a volume shadow copy [16].
Mustang Panda then extracted NTDS.dit from the shadow copy and exported the SYSTEM registry hive, which holds the boot key needed to decrypt the hashes in NTDS.dit.
After collecting both NTDS.dit and the SYSTEM hive, Mustang Panda exfiltrated the files and extracted the users' password hashes offline. These hashes can be cracked to obtain cleartext passwords or used directly in pass-the-hash attacks.
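The SAM and NTDS.dit dumping methods above all rely on a small set of built-in binaries with recognizable command lines: reg save of the SAM/SYSTEM/SECURITY hives, vssadmin or wmic creating a shadow copy, diskshadow driven by a script, ntdsutil's IFM export, esentutl repairing a copied ntds.dit, and file copies out of a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path. The following scanner over process-creation command lines (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) is an added example written for this article, not a Picus, Microsoft or Sysmon rule; the command lines it is run over are constructed, and the Chimera ntdsutil/esentutl pair from the text is among them.

```python
"""Flag command lines that stage copies of the SAM/SYSTEM hives or NTDS.dit.

Added example for this article; the sample command lines below are constructed.
"""
import re

# (rule name, regex over the normalized command line)
RULES = [
    ("reg-save-credential-hive",
     r"\breg(\.exe)?\b.*\b(save|export)\b.*\b(hklm|hkey_local_machine)\\(sam|system|security)\b"),
    ("vssadmin-create-shadow", r"\bvssadmin(\.exe)?\b.*\bcreate shadow\b"),
    ("wmic-shadowcopy-create", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bcall create\b"),
    ("diskshadow-scripted", r"\bdiskshadow(\.exe)?\b.*\s[/-]s\b"),
    ("ntdsutil-ifm-export", r"\bntdsutil(\.exe)?\b.*\b(ifm|create full)\b"),
    ("esentutl-on-ntds", r"\besentutl(\.exe)?\b.*\s/(p|y|vss)\b.*\bntds\.dit\b"),
    ("copy-from-shadow-copy",
     r"harddiskvolumeshadowcopy\d+\\.*\b(sam|system|security|ntds\.dit)\b"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so casing and spacing tricks do not split tokens."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def detect(cmdline: str) -> list:
    """Names of all rules matching one command line (empty list if benign)."""
    text = normalize(cmdline)
    return [name for name, rx in COMPILED if rx.search(text)]


def scan(cmdlines) -> dict:
    """Map each matching command line to its rule names; benign lines are omitted."""
    hits = {}
    for line in cmdlines:
        names = detect(line)
        if names:
            hits[line] = names
    return hits


# Constructed sample command lines: seven malicious patterns, four benign look-alikes.
SAMPLE_CMDLINES = [
    r"reg save HKLM\SAM C:\Windows\Temp\sam.save",
    r"vssadmin create shadow /for=C:",
    r"wmic shadowcopy call create Volume='C:\'",
    r"diskshadow.exe /s C:\Temp\ds.txt",
    r'"C:\Windows\System32\ntdsutil.exe" "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q',
    r"esentutl /p /o ntds.dit",
    r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",        # benign
    r"vssadmin list shadows",                                               # benign
    r"esentutl /p C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd",  # benign
    r'ntdsutil "ac i ntds" "files" "info" q q',                             # benign
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES).items():
        print(", ".join(names), "<-", line)
```

Each rule is anchored on the binary name and the specific argument that makes it a credential-store access (the hive name, create shadow, ifm, ntds.dit), so routine use of the same binaries (reg query, vssadmin list shadows, esentutl on other databases) does not fire. A renamed copy of the binary defeats name matching; pair this with the OriginalFileName field Sysmon provides, or with the process-access detection for LSASS, rather than relying on it alone.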
The Local Security Authority (LSA) is a protected subsystem of Microsoft Windows that authenticates users to the local system [17] and keeps the information that makes up the system's Local Security Policy.
LSA secrets are confidential data used by the LSA and stored in the registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. They include the material that lets applications run under other identities, such as the passwords of service accounts and scheduled tasks, VPN and auto-logon credentials, and account backup credentials.
The SECURITY hive is readable only by SYSTEM, so adversaries with SYSTEM privileges (or with copies of the SECURITY and SYSTEM hive files) may dump LSA secrets, which may contain a range of credentials such as service account passwords.
Domain credentials are stored in the registry so that a domain-joined computer can validate a user's logon when it cannot reach Active Directory Domain Services [1]. Because logon information for domain accounts is cached locally, a user who has logged on before can still log on when no domain controller can be contacted [18].
Cached credentials are stored as DCC2 (Domain Cached Credentials version 2) hashes, also known as mscache2 or mscash2 (Microsoft CAched haSH) [19]. DCC2 is derived from the NT hash of the password and the lowercase username through PBKDF2-HMAC-SHA1 with 10,240 iterations, which makes it far more expensive to crack than a plain NT hash.
These cached credentials do not expire, but they cannot be used for pass-the-hash attacks, so attackers must crack them to recover the plaintext passwords [20].
The cachedump post-exploitation module of Metasploit (post/windows/gather/cachedump) reads the cached domain hashes from the registry [21]. The number of logons kept is controlled by the Group Policy setting Interactive logon: Number of previous logons to cache, which defaults to 10 [18].
Adversaries can impersonate a domain controller using the DCSync technique. It allows an attacker who holds a single account with replication rights, typically a domain administrator but potentially any domain user that was granted those rights, to retrieve the password hashes of every account in the domain, including krbtgt, and with them compromise the whole Active Directory forest.
To perform a DCSync attack, adversaries simulate the behavior of a domain controller and ask a DC to replicate specified objects using the Microsoft Directory Replication Service Remote Protocol (MS-DRSR), an RPC protocol for replication and management of Active Directory data [22]. As an outcome, adversaries obtain the secrets of Active Directory accounts, can compromise those accounts, and can launch further post-exploitation attacks [23].
It is difficult to prevent DCSync attacks. MS-DRSR cannot be switched off or disabled because it is a legitimate and essential function of Active Directory (AD). Furthermore, while replication is governed by the Replicating Directory Changes and Replicating Directory Changes All permissions on the domain object, which are by default limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups, these rights can be granted to any account or group.
Mimikatz includes the lsadump::dcsync module, which mimics a DC and asks another DC to replicate a specified object over MS-DRSR [2]. lsadump::netsync, also part of the lsadump module, obtains the same password data through the Netlogon protocol using a DC machine account's credentials.
Threat groups use DCSync in their attack campaigns. For example, the APT29 (Nobelium) threat group used previously compromised privileged accounts to replicate directory service data from Domain Controllers with a DCSync attack [24]. As another example, Operation Wocao used Mimikatz' DCSync function to dump the credentials of accounts with elevated privileges [14].
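Because the replication rights cannot be disabled, detection is the practical control: when Audit Directory Service Access is enabled on domain controllers, each replication request is logged as Security Event ID 4662 with Access Mask 0x100 (Control Access) and the Properties field naming the extended right by GUID. The DS-Replication-Get-Changes-All right (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) is the one that returns secret attributes, so it exercised by anything other than a domain controller computer account is the DCSync signal. The following audit logic is an added example written for this article, not Picus or Microsoft code; the event records are constructed, and the lists of DC accounts and sync-account prefixes (for example an Azure AD Connect MSOL_ account) are assumed, environment-specific tuning.

```python
"""Audit Security Event ID 4662 records for DCSync-style replication requests.

Added example for this article; the records below are constructed, not real audit data.
"""
import re
from dataclasses import dataclass

# rightsGuid values of the AD extended rights that govern replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Example tuning (assumed for this environment): principals expected to replicate.
DC_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_PREFIXES = ("MSOL_",)   # Azure AD Connect sync account naming pattern


@dataclass
class Finding:
    subject: str
    rights: list
    severity: str


def replication_rights(properties: str) -> list:
    """Names of replication rights referenced (by GUID, braces or not) in a Properties field."""
    found = []
    for guid in GUID_RE.findall(properties.lower()):
        name = REPLICATION_RIGHTS.get(guid)
        if name and name not in found:
            found.append(name)
    return found


def audit(events) -> list:
    findings = []
    for ev in events:
        # 0x100 is the Control Access mask under which extended rights are exercised.
        if ev.get("EventID") != 4662 or ev.get("AccessMask", "").lower() != "0x100":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject in DC_ACCOUNTS or subject.upper().startswith(ALLOWED_PREFIXES):
            continue
        # Get-Changes-All is what returns password hashes; the other two alone do not.
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        findings.append(Finding(f"{ev['SubjectDomainName']}\\{subject}", rights, severity))
    return findings


GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
OTHER_GUID = "{bf967aba-0de6-11d0-a285-00aa003049e2}"   # some non-replication GUID

# Constructed sample records using the 4662 field names (not real events).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC01$",
     "AccessMask": "0x100", "Properties": GET_CHANGES_ALL},                    # normal replication
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x100", "Properties": GET_CHANGES + " " + GET_CHANGES_ALL},  # DCSync
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
     "AccessMask": "0x100", "Properties": GET_CHANGES},                         # rights, no secrets
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "AccessMask": "0x100", "Properties": GET_CHANGES_ALL},                    # allow-listed sync
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x100", "Properties": OTHER_GUID},                         # unrelated access
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.subject}: {', '.join(f.rights)}")
```

4662 is only written when the audit policy and a SACL on the domain object cover control-access operations, so verify that the DCs actually produce these events before relying on the rule; a DC that never logs any 4662 is a blind spot, not a clean bill of health.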
The proc filesystem is a pseudo-filesystem that offers an interface to kernel data structures on Linux-based operating systems [25]. It is usually mounted automatically at /proc, although it can also be mounted manually. Most files in it are read-only, but some are writable and allow kernel variables to be altered.
Through /proc/<pid>/maps and /proc/<pid>/mem, a process with sufficient privileges (root, or CAP_SYS_PTRACE, subject to the ptrace scope policy) can read the live memory of other running programs. If a program keeps plaintext or hashed passwords in memory, adversaries can extract them this way.
MimiPenguin is an open-source tool that can dump process memory and harvest passwords and hashes by looking for text strings and regex patterns [26].
LaZagne can extract credential information from process memory with its memorydump.py module located in the Linux/lazagne/softwares/memory directory [27]. It includes regex patterns for passwords of common websites, such as Gmail, Dropbox, Salesforce, PayPal, Twitter, Github, and Slack. Lazagne uses these patterns to dump cleartext passwords from the browser's memory. Its mimipy.py module is a port of MimiPenguin in Python.
ProcDump for Linux is a Linux reworking of the classic ProcDump tool from the Sysinternals suite for Windows [28]. It gives Linux developers a simple way to create core dumps of their applications based on performance triggers. Adversaries also use it to dump process memory and extract credentials from the dump.
Modern Linux systems store user account information in /etc/passwd and hashed passwords in /etc/shadow. The hashes use the crypt(3) formats: MD5-crypt ($1$), SHA-256-crypt ($5$), SHA-512-crypt ($6$) and, on recent distributions, yescrypt ($y$) or bcrypt ($2b$). Attackers may attempt to dump the contents of these files for offline password cracking.
The /etc/passwd file is a plain text file that contains essential information about user accounts, such as user ID, group ID, home directory, and login shell. It is world-readable because many command-line utilities use it to map user IDs to usernames, but only the superuser/root account should have write access to it.
Figure 2: Example /etc/passwd file
The /etc/shadow file stores the sensitive part: the password hashes and password-ageing properties such as account or password expiration values. It is readable only by root (and, on some distributions, by the shadow group).
Unshadow is a Linux utility that can merge the /etc/passwd and /etc/shadow files [29]. John the Ripper can use the output of the Unshadow tool [30] to crack password hashes and reveal plaintext passwords.
LaZagne can get credential information from /etc/shadow with its shadow.py module, located in the Linux/lazagne/softwares/sysadmin directory [27]. It performs dictionary attacks against MD5-crypt, Blowfish (bcrypt), SHA-256-crypt, and SHA-512-crypt hashes in the file.
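Before cracking anything, both attacker and defender do the same two things with these files: merge /etc/passwd and /etc/shadow into the one-line-per-user format John the Ripper's unshadow produces, and classify each hash by its $id$ prefix, since an MD5-crypt or DES-crypt entry (or an empty password field) is the account worth attention. The parser below is an added example written for this article, not LaZagne or John code; the passwd and shadow contents are constructed, and the hash strings are placeholders of the right shape rather than real hashes.

```python
"""Parse /etc/passwd and /etc/shadow, classify hash formats, emit unshadow-style lines.

Added example for this article; file contents are constructed, hashes are placeholders.
"""

# Constructed sample files (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/sh
guest:x:1003:1003::/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:19500:0:99999:7:::
bob:$1$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZ:19500:0:99999:7:::
legacy:abJnggxhB/yWI:19500:0:99999:7:::
guest::19500:0:99999:7:::
"""

# crypt(3) identifier -> algorithm name
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
             "y": "yescrypt", "gy": "gost-yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
WEAK = {
    "empty": "no password set; anyone can log in as this user",
    "descrypt": "traditional DES crypt: 8-character limit, trivially brute-forced",
    "md5crypt": "MD5-crypt: fast, weak against GPU cracking",
}


def classify(hash_field: str) -> str:
    """Name the hash algorithm of one /etc/shadow password field."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "!*":
        return "locked"                   # password login disabled
    if hash_field.startswith("$"):
        return CRYPT_IDS.get(hash_field.split("$")[1], "unknown")
    if len(hash_field) == 13:
        return "descrypt"                 # 2-char salt + 11-char hash, no prefix
    return "unknown"


def parse_passwd(text: str) -> dict:
    """user -> (uid, gid, gecos, home, shell)"""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, gecos, home, shell = line.split(":")
            entries[name] = (uid, gid, gecos, home, shell)
    return entries


def parse_shadow(text: str) -> dict:
    """user -> password field (second of the nine colon-separated fields)"""
    hashes = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Merge like John's unshadow: user:hash:uid:gid:gecos:home:shell."""
    shadow = parse_shadow(shadow_text)
    return [":".join([name, shadow.get(name, "x"), uid, gid, gecos, home, shell])
            for name, (uid, gid, gecos, home, shell) in parse_passwd(passwd_text).items()]


def audit(shadow_text: str) -> list:
    """(user, algorithm, issue) for every account whose password field is a weak spot."""
    issues = []
    for user, h in parse_shadow(shadow_text).items():
        algo = classify(h)
        if algo in WEAK:
            issues.append((user, algo, WEAK[algo]))
    return issues


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for user, algo, issue in audit(SHADOW):
        print(f"{user}: {algo}: {issue}")
```

The classification is what decides the cracking mode (hashcat 500 for MD5-crypt, 1800 for SHA-512-crypt, 1500 for DES-crypt) and the order of attack: the legacy DES entry and the passwordless guest account above are the ones an attacker finishes first, so they are the ones to fix first.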
Adversaries also leverage the following resources for credential dumping:
Group Policy Preferences (GPP) is a set of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems [31]. GPP can create domain policies with embedded credentials, for example to set the same local administrator password on every machine. The credential storage mechanism has a vulnerability (CVE-2014-1812 [32]): the password is encrypted with AES-256, but the key is static and was published by Microsoft, so anyone who can read the policy file can decrypt it. MS14-025 [33] addresses this only by preventing new policies with embedded passwords from being created; existing policy files that still carry passwords remain valid until they are found and removed.
SYSVOL is a folder replicated to each and every domain controller within the domain [34]. It contains the public files of the domain that clients need to access to stay synchronized with the domain controllers, and all domain Group Policies are located in \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies. When a GPP item with a password is created, the configuration is written to an XML file in SYSVOL (Groups.xml for local users and groups; Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, and Printers.xml for other item types) with the password in a cpassword attribute, encrypted as described above. Since SYSVOL is readable by every domain user, any domain user can read the policy and decrypt the stored passwords.
The following tools are used to extract passwords from SYSVOL: Metasploit's auxiliary/scanner/smb/smb_enum_gpp [35] and post/windows/gather/credentials/gpp [36] modules, and the gpp-decrypt utility shipped with Kali Linux [37].
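Since MS14-025 does not clean up what is already in SYSVOL, the defensive counterpart to those tools is a sweep of every policy XML for a non-empty cpassword attribute. The scanner below is an added example written for this article, not Metasploit or gpp-decrypt code. It walks the GPP file types named above, reports the account each password belongs to, and restores the base64 padding GPP strips so the raw AES-CBC ciphertext can be handed to any AES library with the published key; decryption itself is not implemented here. The XML documents are constructed stand-ins and the cpassword values are arbitrary base64 placeholders, not real ciphertext.

```python
"""Audit GPP policy XML from SYSVOL for stored cpassword attributes.

Added example for this article; the files below are constructed and the cpassword
values are placeholders (base64 of 0x00..0x1f), not real GPP ciphertext.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Attributes GPP uses to name the account a cpassword belongs to, per item type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


@dataclass
class Finding:
    path: str
    element: str
    account: str
    cpassword: str


def cpassword_ciphertext(cpassword: str) -> bytes:
    """GPP stores base64 with the '=' padding dropped; restore it, return the AES-CBC ciphertext."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    raw = base64.b64decode(padded)
    if len(raw) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    return raw


def find_cpasswords(files: dict) -> list:
    """files: {path: xml_text}. Returns one Finding per non-empty cpassword attribute."""
    findings = []
    for path, xml_text in files.items():
        for elem in ET.fromstring(xml_text).iter():
            cpw = elem.attrib.get("cpassword")
            if not cpw:                           # absent or emptied by cleanup
                continue
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
            findings.append(Finding(path, elem.tag, account, cpw))
    return findings


CPW = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8"   # placeholder, 32 bytes, padding stripped
POLICY = r"\\corp.local\SYSVOL\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences"

# Constructed stand-ins for real GPP files (clsid/uid attributes omitted for brevity).
SAMPLE_FILES = {
    POLICY + r"\Groups\Groups.xml": f"""<Groups>
  <User name="LocalAdmin" image="2" changed="2014-02-01 10:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="{CPW}"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>""",
    POLICY + r"\ScheduledTasks\ScheduledTasks.xml": f"""<ScheduledTasks>
  <Task name="NightlyBackup">
    <Properties action="C" runAs="CORP\\svc_backup" cpassword="{CPW}" appName="backup.exe"/>
  </Task>
</ScheduledTasks>""",
    POLICY + r"\Services\Services.xml": """<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" accountName="LocalSystem" cpassword=""/>
  </NTService>
</NTServices>""",
    POLICY + r"\Drives\Drives.xml": """<Drives>
  <Drive name="H:"><Properties action="U" path="\\\\fs01\\home" label="Home"/></Drive>
</Drives>""",
}

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_FILES):
        print(f"{f.path}: <{f.element}> account={f.account} "
              f"ciphertext={len(cpassword_ciphertext(f.cpassword))} bytes")
```

Run this against a mounted SYSVOL share (every domain user can read it, so no privilege is needed) and treat each hit as a live credential: the fix is to delete the preference item and rotate the account's password, not merely to remove the attribute.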
Windows Credential Manager uses the Windows Data Protection API (DPAPI) to store saved login credentials in encrypted form [38]. It holds web credentials used by Windows, Edge, Internet Explorer, Skype, and other apps, as well as Windows credentials used to log in to Windows services and applications automatically. Because the DPAPI keys derive from the user's logon secret, an attacker running as that user, or holding the user's password or DPAPI master key, can decrypt them.
Third-party software also stores credentials, and password recovery utilities can reveal them.
LaZagne project is an open-source tool used to retrieve passwords for the most commonly-used software [39].
[1] “Cached and Stored Credentials Technical Overview.” https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11).
[2] gentilkiwi, “gentilkiwi/mimikatz,” GitHub. https://github.com/gentilkiwi/mimikatz.
[3] markruss, “ProcDump - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
[4] https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/.
[5] Outflank, “Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR | Outflank Blog.” http://www.outflank.nl/publications.
[6] outflanknl, “outflanknl/Dumpert,” GitHub. https://github.com/outflanknl/Dumpert.
[7] “hashcat - advanced password recovery.” https://hashcat.net/hashcat/.
[8] “John the Ripper password cracker.” https://www.openwall.com/john/.
[9] “Pass the Hash, Technique T1075 - Enterprise | MITRE ATT&CK®.” https://attack.mitre.org/techniques/T1075/.
[10] coreyp-at-msft, “reg.” https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg.
[11] JasonGerend, “Vssadmin.” https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin.
[12] https://support.microsoft.com/en-us/help/290216/a-description-of-the-windows-management-instrumentation-wmi-command-li.
[13] stevewhims, “Windows Management Instrumentation - Win32 apps.” https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page.
[14] https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf.
[15] “Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign.” https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage.
[16] Counter Threat UnitTM Research Team, “BRONZE PRESIDENT Targets NGOs,” 29-Dec-2019. https://www.secureworks.com/research/bronze-president-targets-ngos.
[17] lastnameholiu, “L (Security Glossary).” https://docs.microsoft.com/en-us/windows/win32/secgloss/l-gly.
[18] “Interactive logon: Number of previous logons to cache (in case domain controller is not available).” https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852209(v=ws.11).
[19] “passlib.hash.msdcc2 - Windows’ Domain Cached Credentials v2 — Passlib v1.7.2 Documentation.” https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html.
[20] “Dumping and Cracking mscash - Cached Domain Credentials.” https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials.
[21] “Windows Gather Credential Cache Dump,” Rapid7. https://www.rapid7.com/db/modules/post/windows/gather/cachedump.
[22] openspecs-office, “[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol.” https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47.
[23] QOMPLX Staff, “DCSync Attacks Explained: How They Work - Blog,” 16-Apr-2020. https://www.qomplx.com/kerberos_dcsync_attacks_explained/.
[24] Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC), “Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop,” 20-Jan-2021. https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.
[25] “proc(5) - Linux manual page.” https://man7.org/linux/man-pages/man5/proc.5.html.
[26] huntergregal, “huntergregal/mimipenguin,” GitHub. https://github.com/huntergregal/mimipenguin.
[27] AlessandroZ, “LaZagne/shadow.py at ab1e140051594262398e562fb3ab323583a19df1 · AlessandroZ/LaZagne.” https://github.com/AlessandroZ/LaZagne.
[28] Sysinternals, “GitHub - Sysinternals/ProcDump-for-Linux: A Linux version of the ProcDump Sysinternals tool.” https://github.com/Sysinternals/ProcDump-for-Linux.
[29] Canonical, “Ubuntu Manpage: unshadow - combines passwd and shadow files.” http://manpages.ubuntu.com/manpages/xenial/man8/unshadow.8.html.
[30] “John the Ripper password cracker.” https://www.openwall.com/john/.
[31] “Group Policy Preferences.” https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v=ws.11).
[32] “NVD - CVE-2014-1812.” https://nvd.nist.gov/vuln/detail/CVE-2014-1812.
[33] BetaFred, “Microsoft Security Bulletin MS14-025 - Important.” https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025.
[34] “Active Directory Back to Basics - Sysvol - TechNet Articles - United States (English) - TechNet Wiki.” https://social.technet.microsoft.com/wiki/contents/articles/24160.active-directory-back-to-basics-sysvol.aspx.
[35] “SMB Group Policy Preference Saved Passwords Enumeration,” Rapid7. https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_enum_gpp.
[36] “Windows Gather Group Policy Preference Saved Passwords,” Rapid7. https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp.
[37] “gpp-decrypt.” https://tools.kali.org/password-attacks/gpp-decrypt.
[38] “How to use Credential Manager in Windows 10,” Infosec Resources. https://resources.infosecinstitute.com/category/certifications-training/securing-windows-ten/windows-10-authentication-mechanisms/credential-manager-windows-10/.
[39] AlessandroZ, “AlessandroZ/LaZagne,” GitHub. https://github.com/AlessandroZ/LaZagne.