Data from Local System
Data from Local System [T1005]
Last updated
Data from Local System [T1005]
Last updated
Name: Data from Local System
ID: T1005
Tactics:
Credential Dumping (MITRE ATT&CK Technique ID: T1003) refers to the practice of extracting account credentials from operating systems, software, or services. Attackers use this technique to obtain sensitive authentication information, such as usernames and passwords, hashes, or tokens, enabling them to escalate privileges, maintain persistence, and move laterally within a compromised network. Credential dumping is categorized under the Credential Access tactic in the MITRE ATT&CK framework and is widely recognized as a critical step in many cyber-attacks.
Credential dumping involves multiple methods and techniques, each tailored to specific environments or security contexts. Attackers typically use tools and procedures designed to extract credentials stored in memory, configuration files, or registries. Common credential dumping methods include:
Memory Dumping:
Extracting credentials directly from system memory (RAM), where plaintext passwords or hashes may temporarily reside.
Common tools: Mimikatz, Windows Credential Editor, ProcDump.
SAM Database Extraction:
Obtaining password hashes stored in the Windows Security Account Manager (SAM) database, typically located at %SystemRoot%\System32\config\SAM.
Attackers usually require administrative privileges to access SAM files.
Common tools: pwdump, Mimikatz, Impacket suite.
NTDS.dit Extraction (Active Directory):
Dumping credentials from domain controllers by accessing the NTDS.dit database, which stores Active Directory credentials.
Requires elevated privileges and access to domain controllers.
Common tools: NTDSUtil, Impacket Secretsdump, ntdsutil.exe.
LSASS Memory Dumping:
Targeting the Local Security Authority Subsystem Service (LSASS) process, which handles authentication and stores credentials temporarily in memory.
Attackers dump LSASS process memory to extract credentials.
Common tools: Task Manager (native Windows tool), Procdump, Mimikatz.
Credential Storage Files and Registry Keys:
Extracting credentials stored in plaintext or encrypted form in configuration files, registry keys, or application-specific storage (e.g., browsers, FTP clients, SSH clients).
Common targets: web browsers, email clients, SSH clients, FTP clients, VPN clients.
Credential dumping frequently appears in multiple stages and scenarios of cyber-attacks, including:
Privilege Escalation:
Attackers dump credentials to escalate privileges from standard user accounts to administrative or domain-level accounts.
Lateral Movement:
Attackers use dumped credentials to move laterally across systems within an organization, accessing additional resources or systems.
Persistence:
Attackers maintain persistent access by leveraging legitimate credentials obtained through credential dumping, reducing the likelihood of detection.
Reconnaissance and Initial Access:
Attackers may dump credentials early in an attack for reconnaissance purposes, enabling them to identify valuable accounts and assets.
Data Exfiltration and Impact:
Credential dumping can facilitate data exfiltration by providing attackers with privileged access to sensitive databases and file shares.
Detection of credential dumping typically involves monitoring system behaviors, events, and artifacts indicative of credential extraction activities. Common detection methods include:
Endpoint Detection and Response (EDR) Solutions:
Monitoring process memory access, suspicious LSASS memory dumps, and unauthorized access to SAM or NTDS.dit files.
Event Log Analysis:
Windows Security Event Logs (Event IDs 4624, 4625, 4672) indicating unusual login patterns or privilege escalation.
System event logs indicating suspicious process creation, memory dumps, or file access.
Behavioral Analytics and SIEM Solutions:
Detecting anomalies in user behavior, such as logins from unusual locations, times, or systems.
Correlating multiple suspicious events (e.g., LSASS memory dump followed by lateral movement attempts).
File Integrity Monitoring (FIM):
Monitoring and alerting on unauthorized access or modifications to sensitive files such as SAM, NTDS.dit, or registry hives.
Indicators of Compromise (IoCs):
Presence of known credential dumping tools (e.g., Mimikatz binaries or scripts).
Suspicious registry keys or file artifacts associated with credential dumping tools.
Unusual files created during credential extraction (e.g., memory dump files, temporary files).
Early detection of credential dumping is crucial to minimizing the impact of cyber-attacks and preventing attackers from escalating privileges or moving laterally within a network. Credential dumping poses significant risks, including:
Privilege Escalation:
Attackers can rapidly escalate privileges, gaining administrative or domain-level access to critical systems and data.
Lateral Movement:
Stolen credentials enable attackers to move undetected across internal systems, increasing the scope and severity of the compromise.
Data Exfiltration:
With privileged access, attackers can easily extract sensitive information, intellectual property, or personally identifiable information (PII).
Persistence and Long-Term Access:
Attackers can leverage legitimate credentials to maintain long-term access, bypassing traditional security controls.
Operational Disruption and Financial Loss:
Credential dumping can facilitate ransomware deployment, sabotage, or disruption of critical business operations, leading to significant financial and reputational damage.
Detecting credential dumping early allows organizations to respond promptly, isolate affected systems, rotate compromised credentials, and mitigate overall damage.
Real-world examples of credential dumping attacks include:
NotPetya Ransomware Attack (2017):
Attack Scenario:
Attackers leveraged the EternalBlue exploit to spread malware internally.
Credential dumping via Mimikatz was used to harvest credentials from memory, enabling lateral movement.
Tools Used:
Mimikatz, EternalBlue exploit, custom malware payloads.
Impact:
Massive global disruption, billions of dollars in damages, widespread operational downtime.
Operation Cloud Hopper (APT10):
Attack Scenario:
Attackers compromised Managed Service Providers (MSPs) and dumped credentials to access client networks.
Credential dumping facilitated lateral movement and persistence within multiple victim organizations.
Tools Used:
Mimikatz, custom credential dumping scripts, PowerShell-based attacks.
Impact:
Espionage, theft of intellectual property, compromise of sensitive client data across multiple industries.
SolarWinds Supply Chain Attack (2020):
Attack Scenario:
Attackers compromised SolarWinds Orion software, then leveraged credential dumping to escalate privileges and move laterally within victim networks.
Credential dumping enabled attackers to access sensitive email accounts, cloud environments, and internal systems.
Tools Used:
Custom malware (SUNBURST), Mimikatz, Cobalt Strike toolkit.
Impact:
Major cybersecurity incident affecting numerous government agencies and private organizations, significant data breaches, and compromised trust in software supply chains.
Colonial Pipeline Ransomware Attack (2021):
Attack Scenario:
Attackers gained initial access via compromised VPN credentials.
Credential dumping techniques were used to escalate privileges, move laterally, and deploy ransomware.
Tools Used:
DarkSide ransomware, credential dumping tools (likely Mimikatz or similar).
Impact:
Temporary shutdown of critical fuel pipeline infrastructure, severe disruption of fuel supply, significant financial loss, and widespread public concern.