OS Credential Dumping (MITRE ATT&CK T1003) covers the methods an adversary uses to obtain account login information and credential material, usually password hashes or plaintext passwords, from the operating system of a compromised host. One of an attacker's main goals after gaining initial access is to find credentials that unlock additional systems and resources inside the environment. Operating system credentials are targeted in particular because they feed other tactics, including lateral movement, discovery, and collection.
Sub-technique #1: T1003.001 LSASS Memory
The Local Security Authority Subsystem Service (LSASS, lsass.exe) caches credential material in its process memory so that users can reach network resources with single sign-on rather than re-entering their credentials. Adversaries dump LSASS memory to extract that material.
The lsass.exe process holds credentials in several forms, including NT hashes, LM hashes, reversibly encrypted plaintext (for example, when WDigest authentication is enabled), and Kerberos tickets. Reading LSASS memory requires a handle to the process with read access, which in practice means running as SYSTEM or as a local administrator holding SeDebugPrivilege. LSA Protection (RunAsPPL) and Credential Guard raise the bar further: the former refuses handles from non-protected processes, and the latter moves the secrets out of LSASS into an isolated process.
Attackers increasingly use direct system calls to get around security controls. Many EDR products observe process behaviour by hooking user-mode APIs, typically in ntdll.dll; a program that issues the system call instruction itself, bypassing the Windows and Native API layers, never touches those hooks. Dumpert is an LSASS memory dumper that combines API unhooking with direct system calls for exactly this reason. Kernel-side telemetry, such as process-access events generated by a driver's object callback, is not affected by this evasion and remains the more reliable detection point.
CMSTP.exe (the Microsoft Connection Manager Profile Installer) is a built-in Windows command-line tool that installs Connection Manager service profiles. Adversaries abuse it for proxy execution by feeding CMSTP.exe an installation information file (.inf) that carries malicious commands, so that those commands run under a signed Microsoft binary. This is a separate ATT&CK technique (T1218.003) rather than a credential-dumping sub-technique.
"No technology that’s connected to the Internet is unhackable." -Abhijit Naskar
Sub-technique #2: T1003.002 Security Account Manager
The SAM database lives in the file %SystemRoot%\System32\config\SAM and is mounted in the registry as the HKEY_LOCAL_MACHINE\SAM hive. The boot key needed to decrypt the hashes it contains is stored in %SystemRoot%\System32\config\SYSTEM, and backup copies of both hives may be found in the %SystemRoot%\repair directory.
Instead of storing plaintext passwords, the SAM database keeps hashes of user passwords in the LAN Manager (LM) or NT LAN Manager (NTLM, also called the NT hash) formats. The NT hash is the unsalted MD4 digest of the UTF-16LE encoded password; the older LM hash, built from DES over two uppercased 7-character halves, is far weaker and has not been stored by default since Windows Vista/Server 2008. Because only hashes are stored, a plaintext password cannot be read directly out of the SAM, but the NT hash is fast to brute-force offline, and for NTLM authentication the hash itself is sufficient (pass-the-hash), so cracking is often not even necessary.

To crack password hashes and obtain cleartext credentials, attackers need the content of the SAM file. While the OS is running, however, the kernel holds the SAM file open with an exclusive lock, so it cannot simply be copied or moved. As a result, adversaries cannot just copy the SAM file off the host and crack the hashes inside it. There are other routes: reading the hashes in memory (through LSASS or the SAM RPC interface), exporting the SAM and SYSTEM hives through the registry (for example, with the built-in reg.exe save command), or copying the files out of a Volume Shadow Copy, which is not subject to the lock.
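The detection side of the three routes discussed on this page (LSASS memory access, including Dumpert-style direct syscalls; registry and shadow-copy dumps of the SAM; and the ntdsutil/esentutl handling of NTDS.dit covered below) can be illustrated with one small analyser. This is an added example, not code from the original page or from any of the tools named: it runs over a handful of constructed Sysmon-style events (Event ID 10 ProcessAccess and Event ID 1 ProcessCreate), and the allowlist and the "dumper.exe" name are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

PROCESS_VM_READ = 0x0010  # winnt.h access-mask bit required to read another process's memory

# Assumed baseline of processes permitted to open lsass.exe; a real list comes from your environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def check_lsass_access(evt: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Sysmon Event ID 10: flag handles to lsass.exe that carry PROCESS_VM_READ from a
    non-baseline process. The event is raised from a kernel object callback, so user-mode
    API unhooking and direct syscalls do not suppress it."""
    if not evt.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    src = evt.get("SourceImage", "").lower()
    access = int(evt.get("GrantedAccess", "0"), 16)
    if src in LSASS_ACCESS_ALLOWLIST or not access & PROCESS_VM_READ:
        return None
    reason = f"{src} opened lsass.exe with 0x{access:x} (includes PROCESS_VM_READ)"
    # A normal OpenProcess passes through ntdll.dll; its absence from the call trace is a
    # heuristic sign that the caller issued the syscall itself (the Dumpert approach).
    if "ntdll.dll" not in evt.get("CallTrace", "").lower():
        reason += "; no ntdll.dll frame in CallTrace, consistent with direct syscalls"
    return {"technique": "T1003.001", "image": src, "reason": reason}


# (technique, pattern over the lower-cased command line, why it matters)
CMDLINE_RULES = [
    ("T1003.002", re.compile(r"\breg(\.exe)?\s+save\s+.*hklm\\(sam|system|security)\b"),
     "registry export of the SAM/SYSTEM/SECURITY hive"),
    ("T1003.002", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b"),
     "volume shadow copy creation (SAM and NTDS.dit are readable from the snapshot)"),
    ("T1003.003", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b"),
     "ntdsutil IFM media creation copies NTDS.dit"),
    ("T1003.003", re.compile(r"\besentutl(\.exe)?\b.*\s/p\s.*ntds\.dit"),
     "esentutl /p repair of a copied NTDS.dit"),
]


def check_command_line(evt: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Sysmon Event ID 1: match the command line against the dump-tooling rules above."""
    cmd = evt.get("CommandLine", "").lower()
    for technique, pattern, why in CMDLINE_RULES:
        if pattern.search(cmd):
            return {"technique": technique, "image": evt.get("Image", "").lower(), "reason": why}
    return None


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    findings = []
    for evt in events:
        hit = check_lsass_access(evt) if evt.get("EventID") == 10 else \
            check_command_line(evt) if evt.get("EventID") == 1 else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events for this example (field names follow Sysmon, values are made up).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2d9ab"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\dumper.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"UNKNOWN(00007FF6C0A01234)|C:\Users\bob\Downloads\dumper.exe+1a2b"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin create shadow /for=C:"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q'},
    {"EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl /p "C:\Temp\Active Directory\ntds.dit"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["technique"], finding["image"], "-", finding["reason"])
```

The command-line rules are deliberately loose on purpose: vssadmin and esentutl have legitimate backup and repair uses, so in production these hits are scored with context (who ran them, on which host, what was written afterwards) rather than alerted on blindly. The LSASS rule, by contrast, is high-fidelity once the allowlist reflects the real baseline, and it does not depend on any user-mode hook the attacker can remove.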
Sub-technique #3: T1003.003 NTDS
On domain controllers the credential store is the Active Directory database, NTDS.dit, and the ntdsutil.exe program is widely used by threat actors to copy it. APT28 (also known as Sednit, Sofacy, Fancy Bear, and Strontium), for instance, used ntdsutil.exe to export the Active Directory database for credential access. menuPass (also known as Stone Panda, APT10, or Cicada) likewise uses ntdsutil for credential dumps. Another threat group, Chimera, used the following command to create a duplicate of the NTDS.dit file with ntdsutil and then repair a potentially corrupt copy with esentutl:
TLDR: keep your passwords safe and strong · Xi Qang