Keypoints:
- Adversaries dump credentials from OS memory, caches, and files to steal account secrets.
- Tools like Mimikatz target LSASS on Windows to extract plaintext credentials and hashes.
- Hash dumpers read SAM or registry hives or parse raw device data to obtain password hashes.
- DCSync abuses domain replication APIs to pull credential data from domain controllers remotely.
- On Linux, reading /proc/<pid>/maps and process memory is used to harvest credentials from running processes.
Description:
- Like a burglar rifling through a house to find spare keys, credential dumping probes system memory and files to pull out reusable secrets that unlock more systems.
- Attackers use native APIs and tools to read memory, registry, and credential stores (LSASS, SAM, /proc) to obtain hashes or cleartext passwords, enabling lateral movement, privilege escalation, and long-term access across environments.
Detection:
- Monitor process interactions with LSASS.exe and alert on unexpected process handles opened to LSASS using EDR process access events. Use Sysmon Event ID 10 (process access) and correlate with process names and parent-child relationships.
- Log and inspect command-line arguments and script execution for known credential-dumping modules (e.g., Invoke-Mimikatz) and unusual PowerShell behavior. Enable PowerShell Module Logging and Script Block Logging to capture payloads and obfuscated commands.
- Watch for access to SAM files or registry hive reads on Windows. Detect raw device reads or suspicious file open patterns against %SystemRoot%/system32/config/SAM using file access auditing and endpoint sensors.
- Detect DCSync-like activity by monitoring domain controller replication API calls and unexpected NTDS replication requests from non-DC hosts. Alert on anomalous use of DRSR/NRPC/SAMR protocols and replication-related RPC endpoints.
- On Linux, audit process reads of /proc/<pid>/maps and /proc/<pid>/mem; use auditd rules to alert on programs opening these files and include PID, process name, and arguments for investigation.
- Instrument network and process telemetry to catch use of remote access tools that include credential-dumping features. Correlate network flows, process creation, and file drops to reduce false positives and identify multi-stage activity.
- Account for false positives by tuning baselines and allowlists (legitimate admin tools and backup software). Use behavioral detections that combine unusual parent/child processes, timing, and cross-host authentication rather than single indicators.
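The LSASS process-access and allowlist bullets above, worked as an added example that is not part of the original page: it triages constructed Sysmon Event ID 10 (ProcessAccess) records, flagging handles to lsass.exe that carry the PROCESS_VM_READ right from a source image that is not on a baselined allowlist. The record format, the allowlist entries, and the sample paths and PIDs are assumptions made for the example.

```python
# Added example (not from the original page): triage constructed Sysmon Event ID 10
# (ProcessAccess) records for handles opened to lsass.exe with memory-read rights.
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory; PROCESS_ALL_ACCESS (0x1FFFFF) includes it

# Hypothetical allowlist of source images baselined as legitimate in an environment
# (OS components, EDR/AV, backup agents). Keyed by lowercase full path; tune per estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def parse_event(line):
    """Parse one 'Key=Value;...' record, a constructed flattening of Sysmon EID 10 fields."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    return {
        "source_image": fields["SourceImage"],
        "target_image": fields["TargetImage"],
        "granted_access": int(fields["GrantedAccess"], 16),
        "source_pid": int(fields["SourceProcessId"]),
    }

def is_suspicious_lsass_access(ev):
    """True when a non-allowlisted process opened lsass.exe with an access mask
    that permits reading its memory (PROCESS_VM_READ bit set)."""
    if not ev["target_image"].lower().endswith(r"\lsass.exe"):
        return False
    reads_memory = bool(ev["granted_access"] & PROCESS_VM_READ)
    return reads_memory and ev["source_image"].lower() not in ALLOWLIST

def triage(lines):
    """Return (source_image, source_pid, granted_access_hex) for each suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["source_image"], ev["source_pid"], hex(ev["granted_access"])))
    return hits

# Constructed sample records, not real telemetry. Paths and PIDs are made up.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\csrss.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;SourceProcessId=612;TargetProcessId=700",
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\tool.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;SourceProcessId=4412;TargetProcessId=700",
    r"SourceImage=C:\Windows\System32\taskmgr.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1400;SourceProcessId=5120;TargetProcessId=700",
    r"SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;SourceProcessId=6200;TargetProcessId=700",
    r"SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\explorer.exe;GrantedAccess=0x1010;SourceProcessId=1200;TargetProcessId=3300",
]
```

Running `triage(SAMPLE_EVENTS)` flags only the two non-allowlisted sources that asked for memory-read rights; the allowlisted csrss.exe handle and the query-only taskmgr.exe handle are left alone, and corroborating with parent-child and timing context as the last bullet suggests would further trim false positives.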
Tactics:
Credential Access
Platforms:
Linux, Windows, macOS
Data Sources:
- Active Directory: Active Directory Object Access
- Command: Command Execution
- File: File Access
- File: File Creation
- Network Traffic: Network Traffic Content
- Network Traffic: Network Traffic Flow
- Process: OS API Execution
- Process: Process Access
- Process: Process Creation
- Windows Registry: Windows Registry Key Access
Read More: https://attack.mitre.org/techniques/T1003