credential_dumping.yml

name: Credential Dumping
id: 854d78bf-d0e2-4f4e-b05c-640905f86d7a
version: 3
date: '2020-02-04'
author: Rico Valdez, Splunk
description: Uncover activity consistent with credential dumping, a technique wherein
  attackers compromise systems and attempt to obtain and exfiltrate passwords. The
  threat actors use these pilfered credentials to further escalate privileges and
  spread throughout a target environment. The included searches in this Analytic Story
  are designed to identify attempts to credential dumping.
narrative: 'Credential dumping—gathering credentials from a target system, often
  hashed or encrypted—is a common attack technique. Even though the credentials
  may not be in plain text, an attacker can still exfiltrate the data and set to cracking
  it offline, on their own systems. The threat actors target a variety of sources
  to extract them, including the Security Accounts Manager (SAM), Local Security Authority
  (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.

  Once attackers obtain valid credentials, they use them to move throughout a target
  network with ease, discovering new systems and identifying assets of interest. Credentials
  obtained in this manner typically include those of privileged users, which may provide
  access to more sensitive information and system operations.

  The detection searches in this Analytic Story monitor access to the Local Security
  Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential
  dumping and some other techniques for credential dumping.'
references:
- https://attack.mitre.org/wiki/Technique/T1003
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection