MITRE ATT&CK: Credential dumping
When attackers have established a foothold in a system, one of their primary objectives is typically to find user (or otherwise privileged) credentials — usernames and passwords. Credentials are incredibly useful information, as they can give access to critical systems.
Did you know that uncovering credentials on one system can give you credentials for other users, where potentially one foothold on a system can branch out into almost every other system on that network? Attackers know this and use a technique called credential dumping to obtain these credentials in furtherance of their attack.
This article will detail the credential dumping attack technique as presented in the MITRE ATT&CK matrix. We’ll explore several different key concepts of credential dumping in both Windows and Linux systems.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary tactics and techniques based upon real-world observations. This knowledge base serves as a foundation for developing threat models and methodologies in the cybersecurity product and service community, the private sector and government. More information on the MITRE ATT&CK matrix can be found on the MITRE ATT&CK website.
What is credential dumping?
Credential dumping refers to obtaining login information (username and password) from a system’s operating system (OS) and software. These credentials are then used to access restricted information, perform lateral movement and install other malware. A security researcher compared this process to a thief breaking into your house and stealing a set of key copies — house, car, office and so on. Credential dumping is a textbook example of (user) convenience having its cost.
Security Accounts Manager (SAM)
For Windows systems, the SAM is a database file containing the host’s local accounts. These accounts can normally be listed with the “net user” command. The SAM can be enumerated if you have SYSTEM-level access. The file can be retrieved through in-memory techniques, including:
- via the registry with Reg
The credential extracting tool Creddump7 can then be used to retrieve hashes from the SAM database.
When the domain controller is unavailable, cached domain logons are stored as Domain Cached Credentials version 2 (DCC2) hashes. Interestingly, DCC2 hashes cannot be used in pass-the-hash style attacks. The SAM file can be retrieved with the following tools using in-memory techniques:
- via the registry using reg.exe
Local Security Authority (LSA) secrets
LSA secrets can give a local account trivial access to domain-based credentials; SYSTEM access on the host is required to read them. The registry is used to store LSA secrets when local or domain users run services and when auto-logon is enabled.
The following tools can retrieve LSA secrets with in-memory techniques:
- via the Registry with reg.exe
Creddump7 can be used for credential gathering.
In Windows 10, Credential Guard can protect LSA secrets. However, it is not configured by default and will not successfully protect against every form of credential dumping.
NTDS from domain controller
Information used to verify domain (both user and device) credentials is stored in Active Directory (AD). The AD domain database is the file NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.
The NTDS file, along with the active directory hashes, can be enumerated using the following:
- Volume shadow copy
Group Policy Preference (GPP) files
GPP files allow the creation of domain policies that carry embedded credentials (with administrator privileges, of course). Among other things, GPP can be used to set up local accounts. GPP files are stored on a domain controller in SYSVOL.
The tools and scripts below can gather and decrypt the passwords embedded in GPP XML files:
- “post/windows/gather/credentials/gpp” (Metasploit’s post exploitation module)
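A defender’s counterpart to the tools above is finding the embedded credentials before an attacker does. The following added example (not code from the original article or from any of the tools it names) walks a SYSVOL-style directory tree, parses the preference XML files and reports every element that carries a cpassword attribute, so the affected policies can be removed. The XML documents, directory layout and the placeholder cpassword value are constructed for the example; the list of preference file names is this example’s assumption about which GPP files can hold credentials.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a Groups.xml preference file that embeds a credential.
# The cpassword value is a made-up placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed sample of a preference file with no embedded credential.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk"/>
  </User>
</Groups>
"""

# Assumption: preference file names that may carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}


def find_cpassword(xml_text):
    """Return (item tag, item name, userName) for every preference item in one
    XML document whose Properties element carries a non-empty cpassword."""
    hits = []
    root = ET.fromstring(xml_text)
    for item in root:                       # e.g. <User>, <Group>, <Service>
        for props in item.iter():
            if props.get("cpassword"):
                hits.append((item.tag, item.get("name"), props.get("userName")))
    return hits


def scan_sysvol(path):
    """Walk a SYSVOL-style tree and collect every embedded credential found in
    the known preference files. Unparseable files are skipped, not fatal."""
    findings = []
    for dirpath, _dirs, files in os.walk(path):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, encoding="utf-8") as fh:
                    hits = find_cpassword(fh.read())
            except (ET.ParseError, OSError):
                continue
            for tag, name, user in hits:
                findings.append({"file": full, "item": tag,
                                 "name": name, "userName": user})
    return findings


def build_demo_tree():
    """Create a constructed SYSVOL layout in a temp dir: one policy with an
    embedded credential, one without. Returns the root path."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    for guid, xml_text in (("{POLICY-A}", SAMPLE_GROUPS_XML),
                           ("{POLICY-B}", SAMPLE_CLEAN_XML)):
        d = os.path.join(root, "Policies", guid, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return root


if __name__ == "__main__":
    for f in scan_sysvol(build_demo_tree()):
        print(f"embedded credential: {f['item']} '{f['name']}' "
              f"(userName={f['userName']}) in {f['file']}")
```

Run against a real SYSVOL share (for example a mounted copy of \\domain\SYSVOL\domain\Policies) the same scan lists every policy that still carries a cpassword value; those policies should be rebuilt without the embedded credential and the exposed passwords rotated, since the decryption key for cpassword has been public for years.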
When users log on to a system, their credentials are stored in the memory of the Local Security Authority Subsystem Service (LSASS) process. Both administrative users and SYSTEM can harvest these credentials.
Security Support Providers (SSPs) are dynamic-link libraries (DLLs) that provide security packages to applications. Certain SSPs can be used to access credentials, including:
The tools below can enumerate credentials:
- Windows Credential Editor
LSASS’s memory can also be dumped from the host and copied to a local system for analysis with one of the credential enumeration tools above.
On Linux, the /proc filesystem houses a sizable amount of information about the state of the OS. If a process runs with root privileges, it can use the /proc filesystem to scrape live memory from other programs. Any credentials held there as password hashes or in cleartext can be harvested.
The following may help mitigate this attack technique:
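Both of the memory-scraping paths above (a process opening a handle to LSASS on Windows, a root process opening /proc/<pid>/mem on Linux) leave a record that a defender can alert on. The added example below, which is not code from the original article or from Sysmon or auditd, shows one detector for each: the Windows side consumes Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted image that opens lsass.exe with PROCESS_VM_READ in its access mask; the Linux side correlates auditd SYSCALL and PATH records of the same event and flags opens of /proc/<pid>/mem. The Sysmon event dicts and audit log lines are constructed; the allowlist, the access-mask threshold and the audit key “procmem” (which assumes open/openat syscalls are being audited under that key) are this example’s assumptions.

```python
import re

# ---------- Windows: Sysmon Event ID 10 (ProcessAccess) on lsass.exe ----------

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Assumed allowlist of Windows components that legitimately open lsass with
# read rights; tune this per environment rather than copying it as-is.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon records; field names follow the ProcessAccess schema.
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def is_lsass(target_image):
    return target_image.lower().rsplit("\\", 1)[-1] == "lsass.exe"


def detect_lsass_access(events):
    """Return one alert per ProcessAccess event where a non-allowlisted image
    opened lsass.exe with an access mask that includes PROCESS_VM_READ."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10 or not is_lsass(ev["TargetImage"]):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & PROCESS_VM_READ:
            continue                      # e.g. 0x1000 QUERY_LIMITED_INFORMATION is noise
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        alerts.append({"source": ev["SourceImage"], "access": ev["GrantedAccess"]})
    return alerts


# ---------- Linux: auditd records for opens of /proc/<pid>/mem ----------

# Constructed audit records (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 comm="gdb" exe="/usr/bin/gdb" key="procmem"
type=PATH msg=audit(1700000000.101:2001): item=1 name="/proc/1234/mem" inode=99 mode=0100600
type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="procmem"
type=PATH msg=audit(1700000000.205:2002): item=1 name="/proc/5678/status" inode=98 mode=0100444
type=SYSCALL msg=audit(1700000000.330:2003): arch=c000003e syscall=257 success=no exit=-13 uid=1000 auid=1000 comm="python3" exe="/usr/bin/python3" key="procmem"
type=PATH msg=audit(1700000000.330:2003): item=1 name="/proc/4321/mem" inode=97 mode=0100600
"""

EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_MEM_RE = re.compile(r"^/proc/(\d+)/mem$")


def parse_audit_record(line):
    """Split one audit line into a dict of key=value fields plus its event id."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_event_id"] = m.group(2)
    return fields


def detect_proc_mem_reads(log_text):
    """Correlate SYSCALL and PATH records by event id and report every event
    that opened /proc/<pid>/mem, whether or not the open succeeded."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["_event_id"], {"syscall": None, "paths": []})
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))

    alerts = []
    for event_id, ev in sorted(events.items()):
        sc = ev["syscall"]
        if sc is None:
            continue
        for path in ev["paths"]:
            m = PROC_MEM_RE.match(path)
            if m:
                alerts.append({"event_id": event_id, "uid": int(sc.get("uid", -1)),
                               "comm": sc.get("comm"), "exe": sc.get("exe"),
                               "target_pid": int(m.group(1)),
                               "success": sc.get("success") == "yes"})
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_SYSMON_EVENTS):
        print(f"[windows] {a['source']} opened lsass.exe with {a['access']}")
    for a in detect_proc_mem_reads(SAMPLE_AUDIT_LOG):
        print(f"[linux] uid={a['uid']} {a['comm']} opened /proc/{a['target_pid']}/mem "
              f"success={a['success']}")
```

On the Windows side, the 0x1000 open from svchost.exe is dropped because it carries no read right, and wininit.exe is dropped by the allowlist, leaving only the unknown image; the noisy part of this detection in practice is the allowlist, which is why Sysmon also records the CallTrace field for triage. On the Linux side the failed open by a non-root user is still reported, since the page’s own point is that only root can complete the read, so a denied attempt is itself a signal worth keeping.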
- Manage domain controller replication permissions — for example, the access control list for replicating directory changes
- Configure Credential Guard in Windows 10
- Disable or restrict NTLM
- In Windows systems, do not commingle admin domain accounts in with local administrator groups
- In Linux systems, restrict access to privileged accounts because only root privileges can scrape passwords from memory
- Train administrators and users to refrain from using one password across multiple accounts
Credential dumping is an attack technique where attackers extract user authentication credentials such as usernames and passwords. This attack is only possible because operating systems store credentials in memory to save users from having to enter credentials whenever they want to use a service.
Following the mitigation tips offered above will take the edge off of this attack technique. This may make the difference between success and defeat in an attack campaign.