mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
88 lines
3.6 KiB
Markdown
88 lines
3.6 KiB
Markdown
# Standards and References - Credential Dumping Detection
|
|
|
|
## MITRE ATT&CK Mappings
|
|
|
|
### T1003 - OS Credential Dumping (Parent Technique)
|
|
|
|
| Sub-Technique | Name | Description |
|
|
|---------------|------|-------------|
|
|
| T1003.001 | LSASS Memory | Dumping credentials stored in LSASS process memory |
|
|
| T1003.002 | Security Account Manager | Extracting local hashes from SAM database |
|
|
| T1003.003 | NTDS | Stealing AD database from Domain Controllers |
|
|
| T1003.004 | LSA Secrets | Accessing stored service account credentials |
|
|
| T1003.005 | Cached Domain Credentials | Extracting DCC2 hashed credentials |
|
|
| T1003.006 | DCSync | Simulating DC replication to extract credentials |
|
|
| T1003.007 | Proc Filesystem (/proc) | Linux credential extraction |
|
|
| T1003.008 | /etc/passwd and /etc/shadow | Unix credential files |
|
|
|
|
### Related Techniques
|
|
- **T1555 - Credentials from Password Stores**: Browser, keychain, password manager credentials
|
|
- **T1552 - Unsecured Credentials**: Files, registry, bash history, cloud metadata
|
|
- **T1558 - Steal or Forge Kerberos Tickets**: Kerberoasting, Golden/Silver tickets
|
|
- **T1550 - Use Alternate Authentication Material**: Pass the Hash, Pass the Ticket
|
|
|
|
### Tactic
|
|
- **TA0006 - Credential Access**
|
|
|
|
## Detection Data Sources
|
|
|
|
### LSASS Access Detection
|
|
| Source | Event ID | Details |
|
|
|--------|----------|---------|
|
|
| Sysmon | 10 | ProcessAccess - TargetImage = lsass.exe |
|
|
| Windows Security | 4656 | Handle requested to process object |
|
|
| Windows Security | 4663 | Attempt to access process object |
|
|
| Windows Security | 4688 | Process creation with command line |
|
|
| ETW | Microsoft-Windows-Kernel-Process | Kernel-level process access |
|
|
|
|
### SAM/Registry Detection
|
|
| Source | Event ID | Details |
|
|
|--------|----------|---------|
|
|
| Sysmon | 1 | reg.exe with save SAM/SECURITY/SYSTEM |
|
|
| Windows Security | 4656 | Handle to registry key |
|
|
| Windows Security | 4688 | reg.exe/regedit.exe command line |
|
|
|
|
### DCSync Detection
|
|
| Source | Event ID | Details |
|
|
|--------|----------|---------|
|
|
| Windows Security | 4662 | DS-Replication-Get-Changes operation |
|
|
| Windows Security | 4624/4625 | Authentication to DC from non-DC source |
|
|
| Network | DRSUAPI | RPC calls for directory replication |
|
|
|
|
### NTDS Access Detection
|
|
| Source | Event ID | Details |
|
|
|--------|----------|---------|
|
|
| Sysmon | 1 | ntdsutil.exe, vssadmin.exe execution |
|
|
| Windows Security | 4688 | Shadow copy creation commands |
|
|
| VSS | 8224 | Volume Shadow Copy Service operations |
|
|
|
|
## LSASS Access Mask Reference
|
|
|
|
| Access Mask | Hex | Meaning |
|
|
|-------------|-----|---------|
|
|
| PROCESS_VM_READ | 0x0010 | Read process memory |
|
|
| PROCESS_QUERY_INFORMATION | 0x0400 | Query process info |
|
|
| 0x1010 | Combined | VM_READ + QUERY_INFO (Mimikatz default) |
|
|
| 0x1038 | Combined | Common credential dumping mask |
|
|
| 0x1FFFFF | PROCESS_ALL_ACCESS | Full access to process |
|
|
| 0x0410 | Combined | Query + VM_READ minimal |
|
|
|
|
## Known Credential Dumping Tools
|
|
|
|
| Tool | Technique | Detection Signature |
|
|
|------|-----------|-------------------|
|
|
| Mimikatz | T1003.001, T1003.006 | LSASS access with 0x1010, sekurlsa module |
|
|
| LaZagne | T1003.001, T1555 | Multi-credential extractor |
|
|
| ProcDump | T1003.001 | Signed MS tool, -ma lsass.exe |
|
|
| comsvcs.dll | T1003.001 | MiniDump via rundll32 |
|
|
| secretsdump.py | T1003.002, T1003.003, T1003.006 | Impacket DCSync/SAM |
|
|
| ntdsutil.exe | T1003.003 | IFM creation for NTDS |
|
|
| SharpDump | T1003.001 | .NET LSASS dumper |
|
|
| PPLdump | T1003.001 | PPL bypass LSASS dump |
|
|
| nanodump | T1003.001 | Stealthy minidump |
|
|
|
|
## Regulatory References
|
|
- NIST SP 800-171 Rev 2: 3.1.1 (Access Control)
|
|
- CIS Controls v8: Control 6 (Access Control Management)
|
|
- PCI DSS 4.0: Requirement 7 (Restrict Access)
|