OS Credential Dumping: Cached Domain Credentials
Other sub-techniques of OS Credential Dumping (8)
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache) With SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials. Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
Procedure Examples |
|
Name | Description |
---|---|
Okrum |
Okrum was seen using modified Quarks PwDump to perform credential dumping.(Citation: ESET Okrum July 2019) |
APT33 |
APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
Leafminer |
Leafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018) |
Cachedump |
Cachedump can extract cached password hashes from cache entry information.(Citation: Mandiant APT1) |
LaZagne |
LaZagne can perform credential dumping from MSCache to obtain account and password information.(Citation: GitHub LaZagne Dec 2018) |
OilRig |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019) |
Pupy |
Pupy can use Lazagne for harvesting credentials.(Citation: GitHub Pupy) |
MuddyWater |
MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018) |
Mitigations |
|
Mitigation | Description |
---|---|
Active Directory Configuration |
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Password Policies |
Set and enforce secure password policies for accounts. |
Operating System Configuration |
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Detection
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Detection of compromised Valid Accounts in-use by adversaries may help as well.
References
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020.
- Eli Collins. (2016, November 25). Windows' Domain Cached Credentials v2. Retrieved February 21, 2020.
- Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020.
- Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
Связанные риски
Риск | Связи | |
---|---|---|
Раскрытие ключей (паролей) доступа
из-за
восстановления паролей из кэшированных учетных данных домена
в ОС Windows
Конфиденциальность
Повышение привилегий
Раскрытие информации
Подмена пользователя
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.